Details

For our September Meetup we are partnering with GitHub once again.

Important Note: Registration is here and not through the meetup app. GitHub requires that you enter your email address for access to their location but it will not be used for any other purpose.

Don't miss the opportunity to gain valuable insights straight from the stage with engaging talks from GitHub, LinkedIn and Apiiro.

Drop by for education, mingling, food, crafted cocktails and of course some GitHub swag!

The first 50 people to register for the event will get a GitHub Security Champion hoodie. Following registration confirmation, we will reach out to you for your size.

Date | Wednesday, September 20, 2023

Time | 5:00 p.m. - 8:00 p.m.

Guest Check-in

GitHub

275 Brannan Street

San Francisco, CA 94107

Agenda

  • 5:00 - Check in, grab some food/drinks and network
  • 5:45 - Introductions
  • 6:00 - 6:20 - Building a Robust Secret Scanning Pipeline (LinkedIn)
  • 6:30 - 7:00 - GitHub Advisory Database Alerts (GitHub)
  • 7:00 - 7:30 - Stop Thinking "Vuln": Quantifying Risk to Optimize your AppSec Program (Apiiro)
  • 7:30 - Networking
  • 8:00 - Conclusion

## About the Sessions

6:00pm - 6:20pm

Building a Robust Secret Scanning Pipeline

Speakers:

Aashna Sethi, Security Engineer, LinkedIn

Francis Alexander, Staff Security Engineer, LinkedIn

Emmanuel Law, Senior Staff Security Engineer, LinkedIn

Leakage of secrets is one of the most common problems organizations face and often serves as the initial access vector for an attack. In this talk, we walk through how we rolled out secret scanning capabilities within LinkedIn and outline the steps taken to establish an effective secret scanning pipeline.

Our talk walks you through the complete lifecycle of the secret scanning pipeline: identifying candidate secrets, verifying them through our custom validation service, managing the security alert lifecycle alongside developers, and ultimately preventing new secrets from being committed in the first place. Join us to learn the intricacies and lessons learned while building a robust secret scanning pipeline, from inception to execution.
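To make the four stages in that abstract concrete, here is a small, self-contained pipeline in the same shape: identify candidates with format signatures plus an entropy filter, verify each candidate through a pluggable validator, dedupe and track alert state by fingerprint, and gate a commit on verified findings. This is an added example, not LinkedIn's code or a description of their service; the sample config text, the `LIVE_FOR_DEMO` set standing in for a real validation service, the entropy threshold, and the generic assignment pattern are all assumptions made for the demo.

```python
import hashlib
import math
import re
from dataclasses import dataclass

# Signature rules. The AWS access key id format (AKIA + 16 upper-case/digit
# characters) is documented by AWS; the generic assignment rule is a heuristic
# and is only kept when the captured value has enough entropy.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:secret|token|api[_-]?key|password)\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed tuning value, not a standard


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; placeholders like 'changeme' score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


@dataclass
class Finding:
    rule: str
    secret: str
    path: str
    line: int
    state: str = "new"  # new -> verified | inactive (closed later by remediation)

    @property
    def fingerprint(self) -> str:
        # Stable id for deduplication across commits; alerts carry this, not the raw secret.
        return hashlib.sha256(f"{self.rule}:{self.secret}".encode()).hexdigest()[:16]


def identify(path: str, text: str) -> list[Finding]:
    """Stage 1: scan text line by line and emit candidate findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in SIGNATURES.items():
            for m in rx.finditer(line):
                cand = m.group(1)
                if rule == "generic_assignment" and shannon_entropy(cand) < ENTROPY_THRESHOLD:
                    continue  # low entropy: almost certainly a placeholder, not a credential
                findings.append(Finding(rule, cand, path, lineno))
    return findings


# Constructed stand-in for a validation service. A real validator would call the
# issuer (for AWS, e.g. STS GetCallerIdentity) and report whether the key is live.
LIVE_FOR_DEMO = {"AKIAIOSFODNN7EXAMPLE"}  # AWS's documented example key id, assumed "live" here


def verify(finding: Finding, validator=lambda s: s in LIVE_FOR_DEMO) -> Finding:
    """Stage 2: confirm whether a candidate is an active credential."""
    finding.state = "verified" if validator(finding.secret) else "inactive"
    return finding


def triage(findings: list[Finding]) -> dict[str, Finding]:
    """Stage 3: dedupe by fingerprint so one leaked key yields one alert, then verify."""
    alerts: dict[str, Finding] = {}
    for f in findings:
        if f.fingerprint in alerts:
            continue
        alerts[f.fingerprint] = verify(f)
    return alerts


def pre_commit_gate(path: str, text: str) -> tuple[bool, list[Finding]]:
    """Stage 4: prevention. Block a commit that introduces a verified secret."""
    alerts = triage(identify(path, text))
    blocking = [a for a in alerts.values() if a.state == "verified"]
    return (len(blocking) == 0, blocking)


# Constructed sample input: one live key, one high-entropy unverified token, one placeholder.
SAMPLE_CONFIG = """\
# constructed sample file
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_key = "sk_live_9f8a7b6c5d4e3f2a1b0c"
password = "changeme_changeme"
"""

if __name__ == "__main__":
    ok, blocking = pre_commit_gate("config.ini", SAMPLE_CONFIG)
    print("commit allowed:", ok)
    for a in blocking:
        print(f"  {a.path}:{a.line} {a.rule} fingerprint={a.fingerprint} state={a.state}")
```

The verification step is what keeps developer trust: the placeholder is filtered before it ever becomes an alert, the unverified token is recorded as inactive for follow-up rather than blocking the commit, and only the key the validator confirms as live stops the push.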

6:30pm - 7:00pm

GitHub Advisory Database Alerts

Speaker: John Maroney, Security Analyst III, GitHub

The GitHub Advisory Database powers security alerts delivered through Dependabot. The data itself is curated by the GitHub Security Lab and is made available for free for everyone forever. Come learn about the curation process and see how the sausage is made.

7:00pm - 7:30pm

Stop Thinking “Vuln”: Quantifying Risk to Optimize your AppSec Program

Speaker: Idan Plotnik, CEO of Apiiro

Not all vulns are created equal. Whether surfaced via a tool (SAST, SCA, DAST, container, IaC security, etc.) or a human-led process (bug bounty, pen test, etc.), a vulnerability may or may not actually pose a risk to your business. Is it in deployed code? Is that code internet-facing? Is it exploitable? Is it in a high business impact application? More often than not, it’s non-trivial to answer those questions to understand how risky it is and prioritize it amongst the mountain of other tasks on our plate.

Multiply that across dozens of alert feeds, a constantly-changing application attack surface, and different types of application weaknesses (misconfigs, exposed secrets, API weaknesses, etc.). There has to be a better way.

In this talk, we’ll explore the many dimensions of risk and the factors you need to determine whether a vulnerability, misconfiguration, exposed secret, etc. is a real risk, vaguely following the industry-standard risk matrix (also used in the OWASP Risk Rating Calculator). We’ll cover the different likelihood and impact indicators you need to quantify risk and how to get that context programmatically, proactively, and automatically to drastically cut down your backlog and prevent critical risks from being deployed—without overburdening your developers.
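As an added illustration of the risk matrix the abstract refers to, the following example implements the OWASP Risk Rating Methodology (eight likelihood factors and eight impact factors scored 0-9, averaged, bucketed LOW/MEDIUM/HIGH, and combined in the OWASP severity matrix) and then rates the same weakness in two deployment contexts. This is not Apiiro's model or code; the base factor values and the mapping from context questions (deployed, internet-facing, exploitable, high business impact) to factor adjustments are assumptions made for the example.

```python
# OWASP Risk Rating Methodology: factor groups, 0-9 each, averaged per group.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                      # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity", "loss_of_availability",
    "loss_of_accountability",                                            # technical
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",  # business
)

# OWASP overall severity matrix: (impact level, likelihood level) -> severity.
SEVERITY_MATRIX = {
    ("HIGH", "LOW"): "Medium",   ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note",      ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
}


def level(score: float) -> str:
    """OWASP buckets: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def group_score(factors: dict, names: tuple) -> float:
    missing = [n for n in names if n not in factors]
    if missing:
        raise KeyError(f"missing factors: {missing}")
    return sum(factors[n] for n in names) / len(names)


def rate(factors: dict) -> dict:
    likelihood = group_score(factors, LIKELIHOOD_FACTORS)
    impact = group_score(factors, IMPACT_FACTORS)
    return {
        "likelihood": likelihood,
        "impact": impact,
        "severity": SEVERITY_MATRIX[(level(impact), level(likelihood))],
    }


# Constructed base scoring for a hypothetical injection-style weakness before context is known.
BASE = {
    "skill_level": 5, "motive": 4, "opportunity": 4, "size": 4,
    "ease_of_discovery": 3, "ease_of_exploit": 3, "awareness": 4, "intrusion_detection": 3,
    "loss_of_confidentiality": 6, "loss_of_integrity": 5, "loss_of_availability": 5,
    "loss_of_accountability": 7, "financial_damage": 3, "reputation_damage": 4,
    "non_compliance": 5, "privacy_violation": 5,
}


def contextual_factors(base: dict, *, deployed: bool, internet_facing: bool,
                       exploitable: bool, high_business_impact: bool) -> dict:
    """Assumed mapping from the abstract's context questions onto OWASP factor values.

    Values follow OWASP's option scale (e.g. opportunity: full access required 0,
    special access 4, none needed 9; size: intranet users 4, anonymous internet users 9;
    ease of exploit: theoretical 1, automated tools available 9).
    """
    f = dict(base)
    f["opportunity"] = 0 if not deployed else (9 if internet_facing else 4)
    f["size"] = 9 if internet_facing else 4
    f["ease_of_discovery"] = 7 if exploitable else 1
    f["ease_of_exploit"] = 9 if exploitable else 1
    if high_business_impact:
        f.update(financial_damage=9, reputation_damage=9, privacy_violation=9)
    else:
        f.update(financial_damage=1, reputation_damage=1, privacy_violation=3)
    return f


if __name__ == "__main__":
    exposed = rate(contextual_factors(BASE, deployed=True, internet_facing=True,
                                      exploitable=True, high_business_impact=True))
    shelved = rate(contextual_factors(BASE, deployed=False, internet_facing=False,
                                      exploitable=False, high_business_impact=False))
    print("same weakness, internet-facing payments path:", exposed)
    print("same weakness, undeployed internal branch:  ", shelved)
```

The same finding rates Critical in the exposed context and Low in the undeployed one, which is the point of the abstract: the scanner output is identical, and only the contextual likelihood and impact factors separate the two.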

Please complete the form linked above by Tuesday, September 19, 2023 6pm PDT to reserve your spot. Space is limited.

Super important note: Do not join the waitlist as you will not be registered that way!
