►
From YouTube: Security Does Not Need to Be Fun: Ignoring OWASP to Have a Terrible Time - Dwayne McDaniel
Description
Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Security Does Not Need to Be Fun: Ignoring OWASP to Have a Terrible Time - Dwayne McDaniel, GitGuardian
Everyone loves getting security exactly right, every time for their applications. Identifying issues and possible gaps early in the design phase makes implementing security best practices a breeze. No doubt you have been working safely, employing checklists and testing throughout the code delivery process. As hard as it might be to imagine, some teams are actively struggling with security throughout the SDLC. For folks who might not have security completely honed in, it can be overwhelming to even know how to start thinking about security for your web applications. Fortunately, there is an awesome nonprofit community of security-focused professionals who have done a lot of work making it straightforward to correctly design and implement secure apps: Open Web Application Security Project, aka OWASP! This talk will guide you through various tools OWASP makes freely available to test your application and make sure your apps stay secure.
A
Hey
everybody
Welcome
to
the
last
session
of
the
first
day
of
cloud
native
security,
con
I
expected
a
round
of
applause.
For
that
yeah.
You
got
the
right
idea,
yeah
I
know
it's
the
last
session
of
the
day.
Thank
you
all
for
coming,
there's
just
too
many
of
it.
It
was
like
three
less
people,
I
just
go
around
and
we
just
have
a
conversation
instead
of
doing
this
talk.
But
there's
just
enough
do
the
talk.
I
do
have
stickers
up
here.
A
So
if
you
want
this
logo
sticker,
the
shiny
one
or
one
that
says,
get
guardian
come
up
and
get
them
afterward
take
as
many
as
you
want,
because
I
got
to
haul
them
back
with
me
if
I
don't
get
rid
of
them,
but
let's
jump
in
so
I'm
doing.
I
live
in
Chicago
I
flew
out
here,
for
this
I've
been
a
developer
Advocate.
This
is
about
2016.
I
used
to
work
for
a
company
called
Pantheon
that
guy
over
there
did
as
well.
A
This
guy's
just
walking
in
hit
me
up
on
Twitter
or
Mastodon
and
MC
Dwayne
I'm
on
Macedon
social.
But
if
you
look
at
my
Twitter
directs
you
to
Mastodon
social,
have
you
talk
about
anything
Tech,
but
I'll?
Also
like
talk
about
improv
and
punk
rock
rock
and
roll
in
general
karaoke,
everybody
wants
to
do
karaoke
later.
Let
me
know:
I
work
for
a
company
called
get
Guardian
anybody
here,
no
get
Guardian
awesome.
A
A
Instead,
I
got
a
crash
course
in
this
stuff
over
the
last
six
months
of
my
life
and
that's
what
inspired
this
talk.
So
what
does
good
security
actually
look
like
I
think
it
looks
like
this
yeah
absolutely.
This
is
I'm
not
worried.
The
alarms
are
going
to
go
off
at
three
in
the
morning.
I'm
not
worried.
My
perimeter
has
been
breached.
A
Good
security
means
I
can
go
camping
and
not
worry
about
the
house
burning
down
because
I
go
to
my
favorite
concerts
and
not
have
to
leave
before
the
main
act
or
The
Encore,
because
an
alarm
bell
went
off
and
ultimately
I
get
to
spend
time
with
people.
I
love
doing
something
that
I
want
to
do.
Look
a
look
on
those
kids
faces.
They
are
so
happy
to
have
their
parents
home.
That's
what
good
security
looks
like
to
me,
because
all
technology
has
a
human
cost
Associated,
whether
we
admit
it
or
not.
A
A
Well,
I'll
invoke
Tolstoy.
Here
all
happy
families
are
alike,
but
each
unhappy
family
is
unhappy
in
its
own
way,
but
there
are
some
commonalities:
we've
all
lived
through,
Apache
Vlog
for
Shell
I
won't
beat
this
up
anymore.
It's
very
old
at
this
point
2021.,
but
Uber
from
last
year,
who
remembers
this
is
a
19
year
old
kid
in
the
lapsis
group,
pwned
Uber,
just
because
he
could
he
got
another
slack
Channel,
even
bragged,
hey
I
own
this
thing.
Now,
because
I
you
left
your
passwords
and
Powershell
scripts.
They
didn't
believe
them.
A
So
we
went
to
the
New
York
Times
and
that's
how
we
found
out
about
it,
just
Kidd,
causing
trouble
and
then
who
fell
victim
to
this,
who
has
circled
CI
in
their
infrastructure
somewhere,
probably
not
anymore.
Waking
up
on
January
12th
to
be
have
all
your
tokens
just
revoked
I,
don't
know.
Fourth
was
when
the
revoke
happened
like
that
affected
my
company,
like
all
of
a
sudden
the
system
just
wasn't
there
anymore,
because
there
wasn't
able
to
access
it
because,
hey
we
got
compromised,
we
just
had
to
rotate
this
stuff
still
ongoing
investigation.
A
The
full
scope
of
this
still
isn't
known,
who
all
has
affected
what
customers
with
circles?
Yeah
have
been
affected,
still
a
mystery,
but
we
can
all
agree.
These
are
pretty
unhappy
people
overall,
because
they're
dealing
with
this-
and
these
are
24-hour
shifts
of
like
figuring
out
what
to
do
and
dealing
with
really
really
unhappy.
Customers
and
security
teams
are
really
outnumbered
out.
There
Alex
rice
said
it
very
succinctly:
in
the
best
of
organizations,
developers
outnumber
security
teams
100
to
1.
A
A
So
what
do
we
do?
We
just
shift
left.
Let's
make
everyone
wear
the
security
hat,
that's
I,
think
the
fear
of
Shifting
left,
like
what's
shifting
left
is
supposed
to
mean,
is
a
little
bit
different
than
how
I
think
a
lot
of
people
interpret
it,
especially
from
the
gut
reaction
of
developers
who
are
like
okay,
it's
one
more
thing
on
my
plate:
okay,
like
I've,
done
one
more
thing
to
implement
one
more
API
to
worry
about
one
more
dashboard,
one
more
and
I'm.
A
Already
fighting
kubernetes
full
time
because
man,
everybody
loves
kubernetes,
it's
only
so
many
hours
in
the
day
so
from
the
depth
perspective
like
I,
can't
just
focus
on
that
and
from
the
business
perspective
who's
paying
for
this
stuff.
This
is
perspective.
I
think
looks
like
this
to
security.
I,
think
it's
getting
better
as
more
Executives
and
more
boards
know
what
like
us.
A
Bombs
are
thanks
to
a
presidential
executive
order,
but
it
security
simply
looks
like
that:
hey
we
got
breached,
let's
focus
on
security,
hey
everything
else
slowed
down;
let's
speed
it
back
up
and
this
go
through
that
vicious
cycle
until
well.
That's
where
we're
at
and
sure
there's
a
tool
for
that
somewhere.
A
If
you
haven't
read
Alice
in
Wonderland
and
Through,
the
Looking
Glass
read
them
they're
tremendously,
good
books,
it's
a
brain,
cleanser
they're,
just
nonsense!
It's
wonderful!
Wonderful
mathematic
nonsense,
but
it's
true:
we
have
to
run
as
fast
as
we
can
just
to
stay
where
we're
at
and
get
anywhere
else.
We
gotta
run
twice
that
fast,
that's
exhausting
and
that's
why
I
think
the
industry
has
such
crazy
high
turnover.
That's
why
everyone
is
like
90
of
people
in
America
are
looking
for
another
job
right
now.
A
This
is
why
I
think
in
part
and
I
think
everyone
that
just
saw
all
of
that
is
processing.
It
is
thinking
in
their
head.
Well,
what
would
it
be
nice
if
they're,
just
a
group
of
really
nice
people?
That
just
would
help
me
with
all
of
this?
Well,
there
is
it's
called
a
wasp.
Who
here
is
a
member
of
wasp
yay.
You
probably
didn't
need
to
come
to
this
talk.
Who
here
is
familiar
with
a
wasp
Yeah,
the
more
hands?
Who
here
could
explain
owas
to
an
audience?
A
Well,
that's
what
I'm
doing
literally
so
that
I
hope
I
can
do
it.
Oasp
stands
for
the
open
web
application
security
project
started
over
20
years
ago.
In
fact,
this
is
the
20th
year.
21St
year
depend
on
money,
count
dates
and
how
that
all
that,
but
anyway
there
are
vanilla,
vanilla,
they're,
a
nice
group
of
people
that
do
nice
things.
They
have
a
mission,
no
more
insecure
software,
but
as
we
saw
from
one
of
the
Keynotes
there's
no
such
thing
as
secure
software,
all
software
isn't
secure.
A
But
if
you
start
out
with
the
mission
of
like
hey,
we
got
to
stop
and
secure
software.
That's
a
good
mission,
because
that
is
a
Non-Stop
mission
and
why
not
get
there?
It's
a
journey,
not
a
hey,
we'll
one
day
reach
the
peak.
If
you
go
read
their
mission
statement,
it's
really
well
thought
out.
They
argued
a
lot
in
meetings
over
this
I'm
sure
for
years,
but
they
got
to
this
I'm
not
going
to
read
it
out
loud.
It's
pretty
long,
but
you
read
this:
you
go
to
the
website.
A
You
find
this
and
then
I
think
everyone
I've
talked
to
that
has
hit.
Their
website
says
this
yeah.
But
what
do
I
do
with
this
there's
a
great
website
and
all
how
do
I
navigate
this
thing.
Even
Mark
Julie
Charlie
give
me
just
a
second
Mark
chirpery
chirpees
Mark,
trophies
sorry
about
that
said.
In
a
interview
last
year
he
was
one
of
the
founders
of
owasp
said.
A
The
organization
has
become
a
Byzantine
Labyrinth
that
new
people
cannot
navigate.
That's
one
of
the
reasons
he
stepped
away.
I,
don't
think
it's
that
bad
I
think
it
breaks
down
to
like
hey.
They
do
these
five
things
and
all
these
five
things
are
really
really
deep,
and
that's
like
why
I
think
when
people
get
confused
so
I'm
gonna
break
these
down
and
then
talk
about
how
to
get
started
from
where
you're
sitting
so
first
is
projects.
A
This
is
the
thing
they're
known
for
the
big
one
they're
known
for
is
their
top
ten
we'll
get
to
that
in
a
bit.
But
basically
a
project
is
just
an
open
source
repo.
You
can
contribute
to
or
go
pull
code
from
or
go
look
at,
go
examine,
volunteers
built
it.
Some
of
those
people
are
experts
been
doing
this
for
20
some
years.
A
A
A
They
have
a
website,
they
got
a
bunch
of
stuff
in
their
repos,
but
they're
not
quite
ready
to
be
like
this
is
what
owasp
is
known
for,
but
they
still
have
a
lot
of
value,
but
some
of
these
are
very
specific
to
languages
like
Python
and
whatnot.
Then
you
have
incubators.
These
are
on
the
way
to
be
in
lab
a
lot
more
of
them.
A
If
you're
going
to
go,
make
an
impact
in
an
open
source
organization.
Those
are
where
I
would
direct
you.
First.
All
of
these
have
pull
requests
that
are
waiting
to
happen.
All
these
have
beginner
friendly.
They
need
documentation
like
crazy,
it's
almost
underway
and
then
there's
a
whole
bunch
that
just
don't
fit
in
there.
So
that's
the
first
way
that
they
organize
them
is
by
projects.
A
A
These
numbers
add
up
to
more
than
157.
I.
Remember
I
said
earlier:
there's
157
in
the
usable
state.
Why
is
that
I?
Don't
know
I
wish.
Someone
could
explain
that
to
me
if
you
know
the
answer
to
that,
please
have
a
conversation
with
me
afterward,
but
this
is
the
state
of
oasp
right
now,
but
but
they
said,
hey
I
recognize.
This
is
a
problem.
We
need
to
make
it
more
usable
for
everyone
at
home.
A
So
this
is
the
software
development
life
cycle
in
their
opinion,
if
you
go
look
at
it,
it's
a
nice
map
interactive,
you
can
say
all
right,
I
am
at
the
design
phase.
Those
four
projects
might
help
me
out.
I'll
go
investigate
there.
First,
this
is
on
their
website.
You
can
go
play
around
with
it
along
the
way
of
building
this.
They
invented
the
cre,
the
common
requirement.
Enumeration
cre
became
a
project
into
itself
like
everything
else
opencre.org.
A
If
you
don't
visit
any
other
website
after
this
put
this
like
third
on
your
list,
but
it's
a
way
to
very
quickly.
See
hey
I,
have
a
high
level
concern
a
high
level
topic:
I
need
to
drill
into
quick
way
to
see
inst
and
cwes
and
all
the
other
acronyms
they
strung
it
together
and
one
nice
resource
for
you.
A
A
Maybe
the
better
way
in
is
get
involved
in
the
community
and
don't
worry
about
the
global.
The
history
20-year
history
of
projects
and
just
go
talk
to
people
chapters
all
over
the
world
and
just
like
we're
here
in
Seattle,
you
can
just
go
hang
out
with
people.
This
is
what
it
looks
like
in
Paris
back
in
October.
This
is
in
the
get
Guardian
offices
you
get
Guardians
based
in
Paris,
but
this
is
the
oauth
meet
up
in
in
Paris
who
here
lives
in
Seattle.
A
One
person
yeah,
you
got
a
luncheon,
learns
coming
up
on
this.
This
coming
Wednesday,
it's
online,
so
you
can
everyone
in
the
room
can
join
join
in.
In
fact,
a
lot
of
the
community
meetups
are
online,
or
some
of
them
are
I
should
say
it
used
to
be
a
lot
more,
but
then
they've
slowly
been
transitioning.
I
was
going
to
like
the
Visa
or
the
Ottawa
chapters
for
a
while,
but
then
they
stopped
doing
them
online.
A
They
also
hold
events,
the
big
Global
events
app
SEC
days,
which
are
smaller
events
and
then
partner
events
where
they
don't
actually
run
the
event,
but
hey.
If
you're,
no
lost
member,
you
get
a
discount
or
something
nice
happens.
Next,
big
one
is
in
Dublin
in
two
weeks:
whole
bunch
of
training,
but
the
app
SEC
day
is
in
the
next
big
app
SEC
day.
I
should
say
is
in
Ireland,
educational
training,
you
just
Google
or
DuckDuckGo
or
u.gov
or
whatever.
A
You
want
to
use
search
for
OAS
educational
training,
you're
going
to
run
into
a
list
like
this
and
you're
going
to
find
wow
there's
a
lot
of
resources,
because
every
good-hearted
Soul,
who
I
wish
more
people
knew
about.
This
probably
started
a
project
at
one
time
and
started
trying
to
train
people
on
that
specific
topic,
but
there's
one
org:
they
partner
with
and
I'm,
not
here
to
sell
you
on
them,
but
secure
flag's,
awesome
just
flat
out
state
it.
They
have
a
partnership
with
the
WASP
OAS
membership
is
really
cheap.
A
It's
500
bucks
for
a
lifetime
or
50
bucks
a
year
to
be
a
full-blown
member
of
O
wasp
and
if
you're
a
member
of
oasp,
you
have
full
unlimited
use
of
this
platform
and
you
can
go.
Take
dozens
I.
Think
100
I
forget
the
exact
numbers
over
100
types
of
trainings
on
here,
like
full-on
capture
the
flag
events,
a
whole
Community
exists
around
this
alone.
A
A
A
Yeah,
so
they
do
a
lot
and
you're,
probably
still
thinking
like
all
right.
What
do
I
do
with
this
I
could
go
and
spend
four
hours
of
my
life
digging
through
the
projects
hoping
to
hit
on
something
I
think
there
are
four
ways,
then
that
are
really
really
simple
and
actually
practical
day
to
day.
First
is
top
ten.
Who
here
knows
or
heard
of,
or
even
looked
up
ever
or
saw
reference
somewhere,
they'll
ask
top
10.
A
every
hand
in
the
room
almost
every
hand
in
the
room.
Some
people
are
asleep,
that's
fine!
It's
the
end
of
the
day.
10
types
type
10
types
of
attacks
going
on
in
the
world
vulnerabilities
out
in
the
world,
I
say
type
10,
10
types
of
attacks.
They
don't
say
that
that's
me,
but
that's
a
good
way
to
think
about
it.
Like
all
right,
I'm
worried
about
my
app
being
secure.
A
What
are
the
top
ways?
I
know.
I
should
secure
it.
Well,
it's
top
10
list.
Every
year
it
changes.
They
haven't,
come
out.
The
2022
list
yet
coming
out
later
this
year,
I'm
actually
really
curious
to
wear
cryptographic.
Cryptographic,
cryptographic,
failures.
Well,
Falls
this
year,
if
it
goes
up,
it's
gone
up.
Every
year
it's
been
on
the
list,
broken
Access
Control,
it's
going
to
probably
stay
the
top,
but
this
is
again
me
saying
this:
the
top
eight
are
based
on
industry
data.
A
The
last
two
are
based
on
surveys
of
members,
saying
hey
what
should
also
be
on
this
list.
So
servicide
request
forgery
isn't
by
data
one
of
the
biggest
threats
in
the
world,
but
all
the
members
said
hey.
This
should
be
on
the
list.
People
should
know
about
this,
so
it's
not
just
a
list
and
like
hey
good
luck,
it's
a
project,
there's
a
repo
for
this.
It
goes
really
deep.
A
I
think
the
most
important
part
of
it.
Is
this
one:
how
to
prevent,
there's
a
whole
section.
So
if
you're
building
an
application
and
you're
thinking
hey
how
do
I
secure
this
thing
go
to
the
top
ten
go
to
how
to
prevent
for
every
single
one
run
through.
It
may
just
make
a
checklist,
a
big
believer
that
the
best
security
tool
ever
invented
is
Excel
spreadsheets,
because
you
can
make
a
checklist
real
easy
did
we
do
it
or
not?
Is
the
Box
checked
make
a
big
check
box?
It's
from.
A
Probably
somebody
already
did
that
with
this.
You
probably
just
Google
that
so
that's
top
10.
won't
spend
any
more
time
on
that
cheat
sheets.
Man,
I
love,
cheat
sheets
cheat
sheet
series
that
oasis.org.
This
is
the
one
you
should
definitely
visit.
If
you
don't
visit
anything
else,
because
you
want
to
be
an
expert
in
10
minutes
on
any
subject,
good
enough
for
your
CIO
CSO
or
your
CIO.
A
This
is
a
website
for
you
that
can
walk
in
and
say,
hey
tell
me
about
kubernetes
security
and,
while
you're
talking
to
them,
you
can
slowly
Google
or
get
to
the
oauth
cheat
sheet
and
then
a
quick
scan
over
the
page,
like
okay
I
understand
how
this
works.
Now
it's
a
Bare
Bones
like
as
fast
as
you
can
go
as
fast
as
you
can
read
it
overview
of
all
the
issues
known.
A
Is
it
complete
and
100
thorough?
No,
is
it
good
enough
to
make
you
sound
like
an
expert
in
10
minutes?
Yes,
should
you
do
this
on
the
regular?
Probably
not,
but
this
is
a
good
way
to
start
if
you've
just
taken
a
course
in
something
and
like
all
right,
I
need
a
cheat
sheet
to
hang
out
with
me
to
remind
me
of
the
key
things
they
already
wrote.
One
for
you,
that's
my
point.
So
cheat
sheets
definitely
look
them
up
the
goats.
The
goats
are
great.
A
Goats
are
not
the
grace
of
all
time.
Maybe
they
are
but
deliberately
insecure
applications.
You
want
to
go
see
how
not
to
build
an
application.
They
already
did
it.
There's
a
bunch
of
them
pie,
goat,
lab
projects,
wrong
Secrets
is
awesome,
I'm,
a
very
big
fan
of
that
one.
We've
done
a
whole
webinar
with
them
with
the
maintainer
and
it's
how
not
to
store
your
secrets.
A
A
A
One
of
my
favorite
talks,
I've
seen
in
the
last
year,
is
on
YouTube
from
from
Bjorn
that
breaks
down
how
to
use
it.
So
Juice
Shop
looks
like
this.
This
is
around
my
local
and
yeah.
It's
just
a
it's
a
Juice
Shop,
but
it
can
I
was
driving
myself
scripting
in
here,
no
I
don't,
but
if
you
go
to-
and
this
is
like
the
secret,
this
is
the
thing
like
you
open
up
like
I.
Don't
know
what
I'm
doing
it's
a
built-in
CFT
or
Capture
the
Flag
CTF
built
in.
A
A
It's
amazing,
so
Juice
Shop
go
check.
It
out,
definitely
should
have
it
running.
Zap
who's
ever
run
the
ZET
attacks
proxy
cool.
We
got
one
back,
yes,
yes,
zap
is
a
tool
you
should
be
running
or
at
least
run
occasionally
only
against
things
that
you
control
that
you
own,
you
have
permission
to
attack.
A
A
So
yeah
there's
only
nine
alerts
but
like
the
cross
domain,
can
this
configuration
there's
40
in
instances
that
oh,
this
is
against
Juice
Shop
by
the
way?
This
is
how
insecure,
Juice
Shop
is
so
yeah
across
great
site.
Scripting
session
ID
URL
rewrites,
there
are
a
lot
of
known
bugs
without
with
zap
and
that's
why
it's
not
in
the
production,
ready,
Camp
right
now
and
I'm.
A
Previous
conversations
is
like
well,
this
tool
isn't
built
for
the
Enterprise,
but
at
the
same
time
it
is
built
for
the
Enterprise.
Anyway,
oh
zap
is
Awesome
download,
it
run
it.
These
are
the
four
ways
in,
but
all
right,
I'm
gonna
wrap
up
it's
dangerous
out
there.
There
is
a
group
of
people
that
want
to
help
you
they're
called
a
wasp
they've
been
around
for
a
long
time.
A
A
They
don't
want
you
to
sleep
better
at
night
and
have
better
security
and
stop
writing
insecure
apps
and
I
would
start
here
before
last
week.
I,
probably
wouldn't
have
said
start
with
juice
shop,
but
Juice
Shop
is
just
fun.
I've
been
having
a
lot
of
fun
with
it.
Lately,
when
you
get
to
the
advanced
things,
it's
like
wow
I've,
never
even
thought
of
that
for
application.
Security
zap
is
a
much
quicker
way
to
get
to
like
how
do
I
make
my
application
secure.
Not.
A
How
do
I
learn
how
to
not
write
applic
bad
applications,
but
but
that's
it,
and
if
you
don't
know
the
top
10,
that's
one.
You
should
bookmark
and
every
time
you
think,
of
building
your
application
or
changing
your
application.
Just
go
review
the
list
anyway,
I've
been
Dwayne
I'm.
A
developer
Advocate
have
been
for
a
few
years.
Hit
me
up
on
Twitter
about
anything
rock
and
roll
b-sides.
Tech
I
gotta
fix
that.
But
I
do
love,
b-sides,
they're,
awesome
organization
and
that's
my
talk.
A
When
I
I
say
the
the
bug
list,
I
mean
the
issue
queue
and
it's
still
there.
That's
that's
the
common.
That's
the
conversation
that
literally
the
same
conversation
I
had
in
West
Virginia
about
about
zap
is:
is
an
Enterprise
ready
according
to
them
yeah?
Can
you
automate
it?
Oh
there's
problems
with
that.
There's
issues
known
issues
with
it,
unfortunately,
but
they
do
accept,
pull
requests
and
they
are
open
source.
So,
if
you
can
make
it
work,
you
can
make
it
work,
but
that's
not
a
great
answer.