OWASP Global AppSec Dublin 2023

I had the opportunity to attend OWASP Global AppSec, held in Dublin from the 13th to the 17th of February 2023. It was an event with so much learning, and an opportunity to meet and talk to some wonderful people working in cyber security.

For the first two days I attended a hands-on training on threat modelling by none other than Adam Shostack. I liked the content and the way we approached the topic. The two days were mostly discussion and hands-on work.

We learned data flow diagrams (DFDs), threat modelling using STRIDE and the kill chain (the kill chain was new to me and I loved this approach), and risk mitigation.

A lot of people who were already doing TM were mostly concerned about whether they were doing it right, and they came to this training to understand how to do it correctly.

Adam had a very solid line for us: "All models are wrong and some are useful".

We realized that it doesn't matter, as long as we talk about it as a group, whiteboard it, and document the risks and mitigations.

Another beautiful concept we learned was the four-question framework. I feel this is one of the most powerful tools, especially when you are new to TM.

  1. What are we working on?

  2. What can go wrong?

  3. What can we do about it?

  4. Did we do a good job?

These four questions will always keep you on the right path.
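As an added illustration (not code from the original post or from the training), here is a small STRIDE-per-element pass over a hand-built DFD. It covers the first two questions for a toy system: the DFD is question 1, the enumerated candidate threats are question 2, and a final check lists high-priority threats with no recorded mitigation, which is one concrete way to start answering question 4. The element-to-category table is the STRIDE-per-element mapping from Shostack's threat modelling book; the sample elements, flows, mitigations and the "crosses a trust boundary means high priority" rule are assumptions made for this example.

```python
"""Added example: STRIDE-per-element over a constructed DFD.

Assumptions for this illustration (not from the post or the training):
the element names, trust zones, flows and mitigations below are made up,
and a flow that crosses a trust boundary is rated "high" priority.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories apply to which kind of DFD element.
# Stores get Repudiation added only when they hold logs/audit records.
APPLICABLE = {"external": "SR", "process": "STRIDE", "flow": "TID", "store": "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # "external", "process" or "store"
    zone: str            # trust boundary the element sits in
    audit: bool = False  # store holds audit records -> repudiation applies


@dataclass(frozen=True)
class Flow:
    name: str
    src: str             # Element.name
    dst: str             # Element.name


@dataclass(frozen=True)
class Threat:
    target: str          # element or flow name
    category: str        # one STRIDE letter
    priority: str        # "high" or "medium"
    note: str


def categories_for(elem: Element) -> str:
    """STRIDE letters that apply to a single DFD element."""
    cats = APPLICABLE[elem.kind]
    if elem.kind == "store" and elem.audit:
        cats += "R"
    return cats


def enumerate_threats(elements, flows):
    """Question 2: one candidate threat per (element, applicable category)."""
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        for c in categories_for(e):
            threats.append(Threat(e.name, c, "medium", f"{STRIDE[c]} of {e.kind} '{e.name}'"))
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        crosses = src.zone != dst.zone
        prio = "high" if crosses else "medium"
        where = f"{src.zone}->{dst.zone}" if crosses else f"within {src.zone}"
        for c in APPLICABLE["flow"]:
            threats.append(Threat(f.name, c, prio, f"{STRIDE[c]} on flow '{f.name}' ({where})"))
    # High-priority threats first, then a stable order for review.
    threats.sort(key=lambda t: (t.priority != "high", t.target, t.category))
    return threats


def unmitigated(threats, mitigations):
    """Question 4 check: high-priority threats with no recorded mitigation."""
    return [t for t in threats
            if t.priority == "high" and (t.target, t.category) not in mitigations]


# Constructed sample system: a browser talking to an API in a DMZ, which
# reads a user database and writes an audit log in an internal zone.
ELEMENTS = [
    Element("Browser", "external", "internet"),
    Element("Web API", "process", "dmz"),
    Element("User DB", "store", "internal"),
    Element("Audit log", "store", "internal", audit=True),
]
FLOWS = [
    Flow("login request", "Browser", "Web API"),
    Flow("user lookup", "Web API", "User DB"),
    Flow("audit write", "Web API", "Audit log"),
]
# Mitigations recorded so far, keyed by (target, STRIDE letter).
MITIGATIONS = {
    ("login request", "T"): "TLS with HSTS",
    ("login request", "I"): "TLS with HSTS",
    ("login request", "D"): "rate limiting at the edge",
    ("user lookup", "I"): "mTLS between API and DB",
}

if __name__ == "__main__":
    found = enumerate_threats(ELEMENTS, FLOWS)
    for t in found:
        print(f"[{t.priority:6}] {t.target:14} {t.category}  {t.note}")
    print("\nOpen high-priority threats:")
    for t in unmitigated(found, MITIGATIONS):
        print(f"  {t.target} / {STRIDE[t.category]}")
```

Every flow in the sample crosses a trust boundary, so all nine flow threats come out as high priority, and only four of them have a mitigation recorded; the remaining five are the list a team would take into the "what can we do about it?" discussion. The point of the exercise is the conversation around that list, not the script.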

At the end of the two days, we were all very confident and ready to take it back to our organizations and teams.

At the end of the training, I was a lot more confident about TM but unsure how to take it forward. This was on my mind as I headed to the conference talks.

When I looked at the talk list, I was happy to see there were a few talks on threat modelling, addressing exactly the question that was on my mind.

The day started with a brilliant keynote from Kim Wuyts on privacy threat modelling. It was a whole new perspective, and alongside STRIDE I now had LINDDUN added to my dictionary.

The keynote was so effective and easy to understand that anyone, even without a security background, would start to appreciate the necessity of privacy threat modelling.

The day had started with a whole new perspective. Now I was looking at the schedule, and there were so many talks, all at the same time. It was a tough decision which to attend and which to skip.

The first talk I chose was "Threat Modelling Far from Greenfield" by Sarah-Jane Madden, and the reason is obvious: the topic seemed related to the questions running through my mind. She introduced us to the real world, and I realized that taking TM to the team is a different game. I learnt effective ways to take this to higher management and the team and get everyone's buy-in, as well as the steps and challenges we will face on this journey. My doubts and questions started to clear up. An awesome talk for me.

Next I headed to a talk by Jeff Williams, "Trusting Software: Runtime Protection Is the Third Alternative". This was a new way of thinking for me, where we apply runtime protections to safeguard ourselves. After listening to him I thought, oh man, why had I never thought about these obvious fixes? I played with the open source tool Jeff created called JOT (Java Observability Toolkit); I am very impressed with it and with the concept of RASP (runtime application self-protection).

The next day I started with the same dilemma, and began with a talk called "Developer Driven Security in High-Growth Environments" by Jakub Kaluzny from Snowflake. The talk was more about the CI/CD pipeline and how security is embedded inside it. Their pipeline was fully automated and backed by a database, and every event is tracked, alerted on and reported. At one point I started to feel dizzy just imagining the pipeline in production. Such passionate work, and so much focus on security while building the stuff. Really impressed with the scale. He also told us that they were managing their threat model in the Gherkin language, which was very surprising to me, and it made a lot of sense. Another addition to my TM arsenal.
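To make the idea concrete, here is what a threat model expressed as Gherkin scenarios could look like. This is an added illustration, not Snowflake's format or code and not from the original post; the feature under review, the artifact name, the tags and the expected controls are all assumed for the example.

```gherkin
# Added illustration: one threat per scenario, STRIDE category in the tag,
# expected control in the Then steps. Everything named here is assumed.
Feature: Threat model for the artifact promotion step of a deployment pipeline

  @STRIDE-Tampering @high
  Scenario: Artifact is modified between build and deploy
    Given a build job has produced the artifact "api-service.tar.gz"
    And the build job has signed the artifact with the CI signing key
    When the deploy job fetches the artifact from the registry
    Then the deploy job must verify the signature before unpacking it
    And a signature mismatch must fail the deployment and raise an alert

  @STRIDE-Repudiation @medium
  Scenario: Promotion to production cannot be attributed to a person
    Given a manual approval gate precedes production deployment
    When an engineer approves the promotion
    Then the approval event must be recorded with the approver's identity
    And the record must be written to an append-only audit store
```

Writing threats this way keeps them next to the code, reviewable in pull requests, and readable by developers who never open a threat modelling tool; the tags also give a place to record priority and to query which STRIDE categories a component has scenarios for.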

The next talk I headed to was "How to have visibility and security OF a CICD pipeline" by Pramod Rana. He introduced us to an open source tool he created called "CI-CD Guard". We went through an overview of the different things living in our CI/CD and how to detect security misconfigurations and stay on top of them.

The last talk I attended was "When Is a Vulnerability Not a Vulnerability? Overcoming the Inundation of Noisy Security Alerts" by Adam Berman. He talked about the noise we see in our SAST tools, how to pay attention to what matters, and how to avoid getting into a never-ending cycle of upgrades.

Apart from the talks, I visited the sponsors' booths and discussed their products and the problems they are solving. We also touched upon some of the problems we have in our organization and how the products could help us. We dug really deep, had very good conversations, and promised to touch base again once we were back at our respective bases.

These were a very enlightening four days in which I learnt so much, and I promised myself that I will continue my journey in cyber security.