18:30 - 19:00 Dinner
19:00 - 19:15 Welcome, OWASP update
19:15 - 20:00 Serverless Security – Functions-as-a-Service (FaaS) by Niels Tanis
20:15 - 21:00 Building a security test automation framework by Riccardo ten Cate
21:00 - Closing
Serverless Security – Functions-as-a-Service (FaaS)
Serverless is a design pattern for writing scalable applications in which Functions as a Service (FaaS) is one of the key building blocks. Every major cloud provider has its own FaaS offering: Microsoft Azure has Azure Functions, AWS has Lambda, and Google Cloud has Cloud Functions. All of these are very similar in the way they let developers create small, event-driven services. From a security perspective there are many benefits to moving to a serverless architecture. There is no need to manage any of the machines or the underlying infrastructure; dealing with updates, patches and infrastructure is the responsibility of the platform provider. FaaS functions are short-lived processes that are instantiated and destroyed in a matter of milliseconds, which makes them more resilient to denial-of-service (DoS) and also harder to attack and compromise. But will all of this be sufficient to be ’secure’, or should we be worried about more? With serverless there is still a piece of software that will be developed, built, deployed and executed. It also introduces a more complex architecture with a corresponding attack surface, which makes it harder to monitor. What about the software supply chain and delivery pipeline? There will still be a need to patch your software for vulnerabilities in your own code and in the 3rd party libraries you use. In this talk we will identify the security areas we need to focus on when developing serverless applications and define possible solutions for dealing with those problems.
Building a security test automation framework
Whether you want to implement it in your SSDLC, or you just want a security test automation framework to, for example, periodically scan your infrastructure?
In this talk, I am going to present some best practices for how to build a "security test automation framework". These best practices are derived directly from all the pitfalls I encountered while implementing this type of solution for my customers.
This talk teaches how to create an agnostic and scalable solution with Docker and Kubernetes:
- Dockerize your favorite security tooling
- Deploy these containers in your Kubernetes cluster
This talk teaches how to manage your findings effectively with a vulnerability management solution:
- Use Defect Dojo to manage your vulnerabilities
- Use Defect Dojo for Delta reporting
- Use Defect Dojo for false positive suppression
This talk teaches how to prevent key sprawl and manage your secrets with a key vault:
- Store and manage your API keys
- No more hardcoded secrets in your application
- Even use it to build TOTP (time-based one-time passwords)
This talk teaches you everything you need to know to get started with security test automation and how to integrate your favorite security tooling into different CI/CD platforms (Jenkins, VSTS, Travis, etc.) and their pipelines.
Niels Tanis has a background in .NET development, pentesting and security consultancy. He also holds the CSSLP certification and has been involved in breaking, defending and building secure applications. He joined Veracode in 2015 and currently works as a security researcher on a variety of languages and technologies related to Veracode’s Binary Static Analysis service. He is married, father of two and lives in a small village just outside Amersfoort, The Netherlands.
Riccardo ten Cate, a penetration tester from the Netherlands, specializes in web application security and has extensive knowledge of securing web applications in multiple coding languages. Riccardo also has expertise in implementing security test automation in CI/CD pipelines and is a project leader of the OWASP Security Knowledge Framework.