OWASP Italy November 2023 Meetup
The OWASP Italy November 2023 Meetup has been held as a virtual event on November 24th, 2023. This was a free, informal event, aimed at increasing awareness and knowledge of web application security. The event was primarily intended to appeal to security professionals, software developers, software quality engineers, and computer science students with a strong interest in computer security. The goal of the event was to stimulate interest in web application security, secure software engineering practices and foster new initiatives within organizations.
PROGRAM
The event has taken place from 4 PM to 6 PM (CET time) over Zoom. We are delighted to announce a strong program featuring two distinguished experts in the field of cybersecurity:
| Time | Speakers | Title |
|---|---|---|
| 16.00 - 16.15 | Stefano Calzavara (Università Ca’ Foscari) and Matteo Meucci (IMQ Minded Security) | Welcome and opening by the OWASP Italy chairs |
| 16.15 - 17.00 | Luca Compagna (SAP Security Research) | Testability Patterns for Web Applications – an OWASP project |
| 17.00 - 17.45 | Claudio Merloni (Semgrep) | Scaling your AppSec program with secure defaults |
SLIDES
REGISTRATION
Registration is now closed OWASP Italy Meetup. We encourage participants to subscribe to the meetup to be informed about future events organized by the chapter.
SPEAKERS
Luca Compagna - Senior Scientist / Research Architect at SAP Security Research
Title: “Testability Patterns for Web Applications – an OWASP project”
Abstract: Static application security testing (SAST) is a common essential step in the development lifecycle of software companies. It enables detection of critical vulnerabilities in an application source code before deployment, when fixing the problem is the least expensive. While SAST have many known limitations, the impact of coding style on their ability to discover vulnerabilities remained largely unexplored and the following questions emerge:
(1) What does it mean when a SAST tool reports the green traffic light indicating that no vulnerability was detected?
(2) Was the entire source code fully analysed or were there any code areas left unexplored, leaving dangerous vulnerabilities uncovered?
To answer the above questions, we experimented with a combination of commercial and open source SAST tools, and compiled a list of over 270 different code testability patterns capturing challenging code instructions—we refer to these as tarpits—that, when present, impede the ability of state-of-the-art SAST tools to analyse application code. In other words, a tarpit for SAST is just a set of code instructions that may confuse SAST tools in their analysis. By discovering the presence of these tarpits during the software development lifecycle, our approach can provide important feedback to developers about the testability of their code. It can also help them to better assess the residual risk that the code could still contain vulnerabilities even when static analysers report no findings. Finally, our approach can also point to alternative ways to transform the code to increase its testability for SAST.
Our experiments show that testability tarpits are very common. For instance, an average PHP application contains over 21 of them and even the best state-of-art static analysis tools fail to analyze more than 20 consecutive instructions before encountering one of them. To assess the impact of tarpit transformations over static analysis findings, we experimented with both manual and automated code transformations designed to replace a subset of patterns with equivalent, but more testable, code. These transformations allowed existing SAST tools to better understand and analyze the applications, and lead to the detection of 440 new potential vulnerabilities in 48 projects. We responsibly disclosed all these issues: 31 projects already answered confirming 182 vulnerabilities. Out of these confirmed issues– that remained previously unknown due to the poor testability of the applications code– there are 38 impacting popular Github projects (>1k stars), such as PHP Dzzoffice (3.3k), JS Docsify (19k), and JS Apexcharts (11k). 25 CVEs have been already published and we have others in-process.
Motivated by our promising research results and by their successful initial evaluation in industrial settings, we have also started an OWASP project to make our code Testability Patterns for SAST available to the entire community: https://owasp.org/www-project-testability-patterns-for-web-applications/
Claudio Merloni - Security Research Manager at Semgrep
Title: “Scaling your AppSec program with secure defaults”
Abstract: Over the past decade, how software is written has changed drastically, with widespread adoption of Agile, DevOps, and cloud providers, among other shifts. These changes have required security teams to adapt. Automation of security tools has made it possible to identify software vulnerabilities faster and earlier. Unfortunately, this evolution hardly shows any reduction in the prevalence of vulnerabilities. One key shift is that modern application security teams are de-emphasizing trying to Find All The Bugs, and instead are focusing on providing developers with frameworks and services with secure defaults (“guard rails”) so that developers can build features quickly and securely. When done correctly, combining secure defaults and lightweight checks can enable organizations to solve classes of vulnerabilities by construction, preventing bug whack-a-mole. In this session, we explore how to make an impactful change. We investigate the processes, people, and technology involved and propose an approach to guarantee better software security throughout the SDLC
ORGANIZERS
- Matteo Meucci, OWASP Italy Chair & IMQ Minded Security
- Stefano Calzavara, OWASP Italy Chair & Università Ca’ Foscari Venezia
Back to the OWASP-Italy Chapter