18:15 – Gathering
18:30 – Open Source Security
Danny Grander, Co-Founder, Snyk
Open source modules, maven and python packages, ruby gems and especially npm, are undoubtedly awesome. However, they also represent an undeniable and massive risk. You’re introducing someone else’s code into your system, often with little or no scrutiny. The wrong package can introduce severe vulnerabilities into your application, exposing your application and your users' data.
The security risk from vulnerable open source binaries is well understood. While still often mishandled, there are good practices for tackling it, and industry trends like Serverless & PaaS all but eliminate it.
In this talk I’ll share details and insights from our research into open source security, and demonstrate how it is possible to automatically identify and track publicly known vulnerabilities from the CVE database, source code hosted on GitHub, and various other interesting sources.
19:15 – Break
19:30 – OWASP Glue
Omer Levi Hevroni, Security Champion, Soluto
We all know that running security tests on a CI can gives us a lot of value. And we all know already a few good security tools that we are running or planning to run continuously to ensure our app stays secure. But integrating those tools into the CI is not a simple task. Each one of those tools has it's own API and does not always support all the features we want. For example, we might want to report the finding of each tools as TeamCity tests, or maybe we are using Jira and want to open a new issue for each finding. And what about filtering false positives? Any automated tool will produce false positive findings, but how can we filter them? In this talk I'll demo OWASP Glue - a tool that aims to ease the integration of various security tools into the CI/CD pipeline.
20:00 - END