Picking up a clear signal at OWASP 2023 Global AppSec Dublin
After a long break, in-person OWASP Global AppSec returned to Dublin in 2023. The event gathered top experts from the application security community, including Invicti’s Frank Catucci and Dan Murphy, who gave a talk about the OpenSSL vulnerability that caused a few sleepless nights back in October 2022.
The first in-person European edition of OWASP’s event in years kicked off on February 15th, 2023. Bringing together web application security leaders representing both the open-source community and commercial organizations, OWASP Global AppSec is not a typical trade show but a real crucible of application security expertise. Invicti’s Frank Catucci and Dan Murphy were there to talk shop with other AppSec experts and also present a deep dive into last year’s OpenSSL vulnerability. We sat down with them to catch up on the topics that are making the biggest waves in the security community.
A special place to talk AppSec
“I personally love OWASP events for a few reasons,” said Frank Catucci, CTO and Head of Security Research at Invicti. “Most of the attendees, vendors, and presenters are AppSec specialists, security-focused developers, or experts. They always have three or four relevant talk tracks (Builders, Breakers, Defenders, and sometimes DevOps) that focus on very relevant technical content. OWASP is also a vendor-neutral non-profit organization that contributes to the AppSec industry to better the world’s software security.”
Invicti’s Distinguished Architect, Dan Murphy, agreed that although European Global AppSec events are typically much smaller compared to those in the US, it is crucial to maintain relationships and presence in the wider security community. “The event was focused compared to other larger industry events,” he explained. “This made for a very tight-knit experience. Unlike some other industry gatherings, there was a very high signal-to-noise ratio when talking to people on the event floor, at talks, and in hallway conversation. Attendees were highly technical and were very familiar with the present state of the industry.”
Cutting through the noise around a Heartbleed wannabe
As one of the event sponsors, Invicti contributed a presentation analyzing last year’s OpenSSL vulnerability (CVE-2022-3786). This particular issue raised multiple red flags and sent the security community scrambling to investigate and patch what at first glance could have been the next Heartbleed, compromising the security of the entire web. The presentation featured a detailed technical deep dive into the vulnerability to show where the flaw originated and why the initial critical severity was soon downgraded to high.
“The presentation that Dan and I gave received very positive feedback,” said Catucci. “This was not only in person but also on LinkedIn and in personal communications and messages after the event.” Dan Murphy was especially impressed with the quality of feedback following the presentation: “The caliber of those attending was high. We had a question from an audience member who was the Vice President of the French CERT-IST and asked topical questions about the severity classification.”
Everyone wants clear data, but few are getting it
OWASP Global AppSec events bring together industry experts, so participants were aware of the major security testing technologies in the market today and also wary of typical vendor claims and overclaims. “I think very close to 100% of attendees had a decent grasp of DAST,” Catucci confirmed. “These were all AppSec experts, and there was some skepticism regarding Invicti’s ‘zero noise’ claim specifically. After further clarification of Proof-Based Scanning for some detections, there was better understanding.”
Any security professional knows the realities of working with uncertain data, whether in terms of doubtful results or not knowing if you’ve really covered everything. When adding new tools, workflows, and data sources, there is always a nervous cost-benefit analysis: will this be worth the extra effort and investment? “Accuracy and false positives were very much top of mind for attendees,” Murphy observed. “Walking around the vendor hall gave a sense of the glut of tools that face modern organizations that want to cover all of their bases, and of the challenges of prioritizing all of the inputs.”
AppSec maturity now means more signal and less noise
With the scale and opacity of modern application architectures and deployments, it’s now a given that organizations get more security data than they can handle. Filtering and prioritizing to pick out what really matters is the order of the day, and tool maturity translates to the ability to show you less data, not more. Dan Murphy noticed this same trend repeated all across application security: “There was a theme of talks that looked into security findings in depth, including looking back at historical data. One talk in particular highlighted the differences in the security findings for mature vs. immature projects that had graduated through the CNCF. Raw comparisons were fairly noisy, but when the lens of analysis was used, the differences between mature and immature projects became more apparent.”
Despite the relentless drive towards change and innovation in web technologies, web application security now finally has a real hope of keeping pace both with threat actors and with development. As the industry matures, ensuring data quality at scale is becoming the top concern for both users and vendors. Reflecting on the analysis from a particular talk, Dan Murphy concluded: “That analysis was very indicative of how in modern AppSec, you sometimes need to look at results, findings, and data with a critical eye to find the signal in the noise.”