In an earlier post, we went over the application-security threats being addressed at RSA Conference 2023. Now here's a look at the AppSec solutions to keep an eye out for at RSA this year.
Rise of the machines
Thanks to the debut of ChatGPT, for the past several months artificial intelligence has been the obsession of the tech industry and, at times, the mainstream media. Nearly 30 RSAC 2023 presentations plan to discuss AI, including at least two keynotes.
What isn't being explicitly addressed are the effects AI and other forms of machine learning will have on application security and DevSecOps. It's been aptly demonstrated that AIs can be used to write malware and phishing emails, can leak sensitive information and can introduce vulnerabilities into code development, both accidentally and as the result of crafty "hallucination squatting" attacks.
The potential security issues raised by AI in AppSec are so new that few solutions have yet presented themselves. But we're nonetheless looking forward to Invicti's presentation on 2023 vulnerability trends, which we hope will delve into the issue.
Likewise, the keynote address by We Hack Purple CEO and founder Tanya Janca, "DevSecOps Worst Practices," and a talk by former Security Journey CEO Christopher Romeo called "The Application Security State of the Union" may touch upon AI in AppSec.
Opening the IDOR to attackers
In a blog post last month, Invicti's Zbigniew Banach discusses the mounting issue of insecure direct object references (IDORs) in application security.
An IDOR is what results when a web application lets an attacker find an online asset by iterating a URL, then neglects to block access to that asset with an authorization check. IDOR flaws appear to have been behind the Optus data breach in Australia last fall, Banach writes, and are especially dangerous because application-scanning tools often won't pick them up.
"The only way to eliminate IDOR vulnerabilities is to design and enforce appropriate access control for all internal application objects, such as customer records," Banach writes — in other words, security built into application development as early as possible.
We hope that Janca addresses secure coding and "shifting left" in her keynote, and it seems likely that Roche Director of DevSecOps Kayra Otaner will do so in his talk, "Implement ZeroTrust with Dedicated DevSecOps Pipelines." Also promising is a session titled "A Journey in Building an Open Source Security-as-Code Framework" to be presented by Oak9 CTO Aakash Shah.
SBOMing the supply kill chain
The SolarWinds hack, also known as the Sunburst attack, and ongoing Log4j problems are still fresh in defenders' minds, and several sessions do plan to address supply-chain attacks. Chief among them is a presentation by Microsoft Principal PM Manager of Secure Software Supply Chain Adrian Diglio that will walk us through Redmond's Secure Supply Chain Consumption Framework (S2C2F), which has already been adopted by the Open Source Security Foundation.
One oft-cited solution for mitigating supply-chain vulnerabilities is a software bill of materials (SBOM), which is being addressed in at least three RSAC 2023 presentations.
Josh Corman, formerly of I Am the Cavalry and now vice president of cyber safety strategy at Claroty, will be questioning the arguments against SBOMs in a session called "The Opposite of Transparency." JPMorgan Chase Product Security Director Rao Lakkakula will helm a session titled "Scaling Software Supply Chain Source Security in Large Enterprises." Finallly, Kate Stewart, VP of Dependable Embedded Systems at the Linux Foundation and Chris Blask, Chief Evangelist at Cybeats, will ask us to envision "The World on SBOMs."
The best of the rest
Several other talks plan to explore other areas of application security and DevSecOps. Jennifer Czaplewski of Target and Kathryn Pimblett of A.P. Moller Maersk will explain how their organizations have boosted AppSec using "The Psychology of DevSecOps."
The Open Worldwide Application Security Project (OWASP), whose draft of the 2023 update to the API Security Top 10 Risks list has been posted on GitHub, will discuss how to do AppSec on the cheap in "Application Security Pipeline On 14 Cents a Day." Along the same lines, David Melamed of Jit and Luke O'Malley of Semgrep will list "5 Open Source Security Tools All Developers Should Know About."
Finally, there are several AppSec and DevSecOps sessions that most RSAC 2023 attendees can go to, but journalists (meaning us here at SC Magazine) cannot.
That's because they are discussions that will follow the Chatham House Rule, which means that participants cannot be named nor their affiliations made public, although what is discussed may be made public. The idea is to promote frank and open dialogue without fear of retribution, and as such no media are allowed and the sessions will not be recorded.
These talks include one led by Brenna Leath of the SAS Institute dealing with "Open Source vs. Proprietary for Product Security Vulnerability Management"; another led by Abhay Bhargav, founder of we45 and AppSecEngineer on "The Convergence of AppSec, Cloud Security and DevSecOps"; and two led by keynote speaker Tanya Janca, one on "Creating a Great DevSecOps Culture" and the other co-presented with Clint Gibler of R2C bearing the ambitious title of "Adding SAST to CI/CD, Without Losing Any Friends."
Check out SC Magazine's full coverage of RSAC 2023 before, during and after the conference.