
Details

This is the second of two events for OWASP Ottawa in the month of April.

Welcome to our in-person meetup at the University of Ottawa.

In-Person Location:
150 Louis-Pasteur Private, Ottawa,
University of Ottawa
Room 117

Health Notice:
Based on the Ottawa Public Health Guidelines, we strongly recommend that attendees wear a mask while not presenting. This will reduce the risk of transmission and protect members who may have compromised immune systems.

Live Stream:
We will continue to live stream on our YouTube channel (https://www.youtube.com/channel/UCxSU-KvNmYusZEq6v4YK5Lw). Subscribe to our YouTube channel, set a reminder and you’ll get a notification as soon as we go live!

YouTube Live Stream Link: https://www.youtube.com/watch?v=mf3-pPYpnr0

6:00 PM EDT Arrival, setup, mingle
6:30 PM EDT Technical Talks

  1. Introduction to OWASP Ottawa, Public Announcements.
  2. Passing Compliance Audit with DevSecOps is Easier than You Think. Here’s How.
    Abstract:
    Business people may not always understand all the technicalities of cyber threats and vulnerabilities, but rest assured they know what will happen if they don’t comply with applicable laws and regulations, which can easily result in hefty fines, revoked licences, lost customers, or even jail time.
    The challenge that many small, medium and even large companies that practice DevOps face is how to pass a compliance audit quickly and painlessly without breaking the bank on manual labour or spending months ferociously fighting auditors. It took almost a decade for IT to meld Dev and Ops into one cohesive consonance, but getting compliance, risk and audit folks to understand and accept DevOps as a new and unavoidable way of developing and running software sometimes creates an even greater challenge.
    In this presentation, Simon Sulyma will explain where traditional compliance audits fell short in today’s modern environments and explore how DevOps processes and tools can be used to effectively audit controls.
    Bio:
    Simon is a network administrator turned cyber security and risk professional, an avid hiker and mountain biker, a self-made chef, and a recovering ice cream addict. Simon is also raising two teenage kids, so you can't scare him. Simon spent his last 17 years designing, building, securing and auditing complex IT systems and networks, mostly at big banks. Simon is currently leading a team of eight amazing folks who do threat risk assessments at a large insurance company. He is a big fan of vendor-neutral certifications that start with "C" and holds a number of them as he thinks they look good in his resume.
  3. We Taught Burp to Speak GraphQL: Automated Security Scanning of Your GraphQL API With Burp
    Abstract:
    REST APIs have been the backbone of web apps for over a decade now, and they’ve treated us well. Inevitably, a challenger has approached and is gradually becoming the new industry standard. That is GraphQL, a query language for your API. But shifts in tech trends also bring another inevitability: new and interesting ways to hack stuff. GraphQL is a growing target, and the pentesting tools have yet to keep up, leaving the criminals with more time and opportunity to probe and exploit vulnerabilities in your web apps.
    Burp Suite has been the de facto tool for Application Security professionals running DAST scans and penetration tests against web apps, and its amazing Active Scan feature badly needed to be able to parse GraphQL. Our new plugin for Burp Suite allows the Active Scanner to competently point its library of payloads at a GraphQL API, giving the defenders a chance to detect vulnerabilities before the criminals do.
    Bio:
    Jared Meit, OSWE, has always had a passion for taking things apart, learning how they work, and forgetting how to put them back together. He was a professional software developer for 12 years before shifting his focus to Application Security 5 years ago. His dev experience allows him to create tools that developers will actually want to use.

Sponsors

University of Ottawa - Venue
uOttawa-IBM CyberRange - Venue
Xanthus Security - Pizza
PacketLabs - SWAG!
