Wednesday, September 25
 

10:30am PDT

The Benefits of Knowing the Future (conference talk)
Wednesday September 25, 2024 10:30am - 11:15am PDT
Managing the risk from thousands of open source dependencies is the most difficult challenge of our time. Software Composition Analysis (SCA) tools help understand the risk profile using data collected about "known" vulnerabilities. But what about the "unknown" bugs?


Imagine the scenario in which you know about bugs in your open source dependencies before they become vulnerabilities with a CVE. You can design and execute a remediation plan even before the information is public and the threat becomes imminent. This will have a fundamental impact on the security posture.

The Alpha-Omega project under the Linux Foundation has been challenged with the task of making the most popular Open Source libraries safe for everyone. We are enabling the proposed reality by proactively scanning and finding previously unknown bugs in open source projects. This will open up the opportunity for you to proactively respond in the time window before a CVE is public. 

Speakers

Munawar Hafiz

CEO, OpenRefactory
Munawar Hafiz is the founder and head of innovations of OpenRefactory, Inc., an application security company that intends to improve the way developers write secure, reliable and compliant code. Munawar had a body of work on automated bug fixing in academia which lays the foundation...
Room: Waterfront A

11:30am PDT

Automating Code and Security Reviews with Open Source LLM Models (conference talk)
Wednesday September 25, 2024 11:30am - 12:15pm PDT
This session will explore the use of open-source large language models (LLMs) to automate code and security reviews at every commit. Attendees will learn how to integrate LLMs into their CI/CD pipelines, ensuring continuous and automated code quality and security assessment. The session will demonstrate practical implementations, share real-world examples, and provide actionable insights for enhancing code review processes with AI. We will also explore how such approaches can augment Security Champions roles and help scale the AppSec Program.
Speakers

Ahsan Mir

Founder, Rapticore, Inc.
Ahsan has an extensive 18-year career in Cybersecurity, encompassing roles such as Pentester, Threat Modeler, Red Teamer, and Blue Teamer. He started as a Security Engineer and eventually became a CISO. He is the Founder of Rapticore, a pioneering company dedicated to remediating...
Room: Waterfront A

1:15pm PDT

Context Switching: The Security #1 Silent Killer (Conference Talk)
Wednesday September 25, 2024 1:15pm - 2:00pm PDT
In today's fast-paced software development environments, the feedback loop between code creation, security validation, and issue remediation is often cumbersome and inefficient. Developers face the challenge of addressing security vulnerabilities identified during automated Static Application Security Testing (SAST) scans, only to see lower-severity issues relegated to the dreaded backlog. This backlog, a repository of technical debt, grows unchecked as management prioritizes feature development over security maintenance.




When developers do venture into the backlog, they encounter a time-consuming process of reacquainting themselves with the context of the code of each SAST finding, hindering productivity. However, there's a solution: automated source code remediation. By seamlessly integrating automated fixes into the developer workflow, this approach not only addresses security vulnerabilities but also closes the feedback loop from Pull Request creation to SAST finding resolution.




In this talk, we'll demonstrate the influence of developers' context switching on the security of their organization, and on the whole security industry. We'll also introduce some easy and revolutionary ideas on how to cope with this challenge, to dramatically improve security and productivity.

Speakers

Antony Chiu

Solution Engineer, Mobb
Antony Chiu is a seasoned expert in the realm of Application Security, leveraging over a decade of hands-on experience to deploy robust AppSec solutions in SAST, DAST, IAST and most recently Automatic Code Remediation for clients across diverse industries. With a keen focus on bridging...
Room: Waterfront A

1:15pm PDT

Defending APIs: Past, Present and Future! (conference talk)
Wednesday September 25, 2024 1:15pm - 3:00pm PDT
In the era of Cloud Native Distributed Systems, Generative AI (GenAI), and Large Language Models (LLMs), APIs have become more integral to modern applications than ever before. However, this increased reliance on APIs brings new security challenges that require innovative solutions. This talk will explore the evolving landscape of API security, focusing on how advanced technologies like eBPF (extended Berkeley Packet Filter) can enhance API Security and protection. Attendees will learn about the benefits of eBPF for API security, real-world use cases, and how to integrate these technologies into their security practices to mitigate risks effectively.
Speakers

Jayesh Ahire

Founding Member of Product Management, TraceableAI
Jayesh Ahire is the Product Manager at TraceableAI where he works on the Company’s API Security initiative. He is the maintainer of OWASP crAPI, Hypertrace, and many other notable OSS Projects. He is an AWS ML Hero, and runs the API Security Global Community. He also runs AWS UG, Elastic...

Sanjay Nagaraj

Co-Founder and CTO, TraceableAI
Sanjay Nagaraj is the co-founder and CTO of Traceable.ai. Before co-founding Traceable, he was VP of Engineering for AppDynamics/Cisco. At AppDynamics he was responsible for product teams for Application Performance Management and Database Monitoring products. He and his team...
Room: Waterfront B

2:15pm PDT

Securing the Rabbit Hole: A Deep Dive into Rabbit R1's Data Security (Conference Talk)
Wednesday September 25, 2024 2:15pm - 3:00pm PDT
In this technical deep dive, security experts Domko and Dabah will uncover aspects of the design and implementation of Rabbit R1's data security architecture, which safeguards sensitive customer data. As AI agents increasingly rely on personal data, its protection becomes paramount. Both speakers separately led product security in various companies and want to share their experience in building secure applications. Join them as they get on stage together for the first time, and it’s gonna be fun.

We will cover the following topics:

1. The inadequacy of perimeter security in safeguarding cloud data

2. The importance of data privacy and its practical impact on data security

3. Building secure-by-design architectures to fortify data

4. Examples of do's and don'ts of data handling in code

5. The challenges of scaling data security in large organizations and potential solutions

This talk will cover a broad spectrum of topics, including engineering, architecture, security, and privacy, drawing on my experience leading security over hundreds of software engineers, breaking systems, and working with customers to build secure applications.

Speakers

Matt Domko

Domko is a security leader driven by his passion for engineering excellence. Throughout his career, he has actively promoted security at top technology companies such as Facebook, Amazon, and Grubhub. Matt finds great joy in offering guidance and mentorship in various formats, including...

Gil Dabah

CEO and co-founder, Piiano
A seasoned security expert with a track record of uncovering critical vulnerabilities and authoring open-source projects like diStorm, Gil Dabah transitioned his technical prowess into entrepreneurship. As CEO and co-founder of Piiano, his second venture, they are on a mission to...
Room: Waterfront A

3:30pm PDT

Threat Modeling of the Future: How AI and Graph Databases are a Game Changer for Security
Wednesday September 25, 2024 3:30pm - 4:15pm PDT
Traditional manual threat modeling methods used today fall short, as they simply cannot scale to meet the growing demands of a continuously evolving modern security landscape. We must rethink the future of threat modeling, embracing automation and advanced technologies to ensure we rise to meet the next sophistication of attacks that is looming on the horizon as AI is weaponized against us.  


Through AI and graph databases, threat modeling can adapt to future challenges, providing scalable, comprehensive, and efficient security solutions at a scale that is simply beyond human capability. This will not only level up our ability to manage threats but also democratize security expertise, making it accessible to all development teams regardless of their security proficiency.

Speakers

David Melamed

CTO and Co-Founder, Jit
David Melamed is the CTO and Co-Founder of Jit, the open ASPM for Cloud-Native applications. With over 15 years of experience in cybersecurity and cloud computing, he deeply understands the challenges in this fast-growing domain. Leveraging a PhD in Bioinformatics from Paris XI University...
Room: Waterfront A

4:30pm PDT

Bridging the Silos: Strategies for Fostering Cross-Functional Collaboration in Organizations
Wednesday September 25, 2024 4:30pm - 5:15pm PDT
In the fast-paced and competitive landscape of today's economy, the ability to harness and integrate an organization's diverse knowledge base is a critical driver of sustained value creation. However, the persistence of operational silos often impedes this integration, stifling innovation and collaboration. Bridging these silos is essential for unlocking the full potential of an organization’s workforce. Transformation is only possible when employees are provided with opportunities and tools to collaborate effectively across departmental and cultural boundaries.


Leadership plays a pivotal role in this process by deploying cultural brokers who facilitate connections and understanding between disparate groups. These brokers encourage employees to ask insightful questions, enabling a deeper comprehension of the diverse perspectives and challenges faced by their colleagues. As employees begin to ask better questions, they become better positioned to appreciate and leverage the full spectrum of organizational knowledge.

Speakers

Aruneesh Salhotra

CEO, Fractional CISO, SNM Consulting Inc
Aruneesh Salhotra is a seasoned technologist and servant leader, renowned for his extensive expertise across cybersecurity, DevSecOps, AI, Business Continuity, Audit, Sales. His impactful presence as an industry thought leader is underscored by his contributions as a speaker and panelist...
Room: Waterfront A
 