

What we're about
OWASP Vancouver Chapter, free to join, open to all. We meet to discuss & demonstrate web and browser-based vulnerabilities, tools & solutions. More information about the OWASP Vancouver Chapter can be found at https://www.owasp.org/index.php/Vancouver.
Upcoming events (2)
DBL Header: Move Fast and Secure Things & Turning the dial on SAST
SFU Harbour Center - Venture Labs, 555 West Hastings St, Suite #1100, Vancouver, BC, CA

Thank you to Venture Labs for hosting, and Spring Financial for sponsoring this event!
Move Fast and Secure Things: A Guide to Scaling Security with Greg Sienkiewicz
Scaling security isn't just about checking boxes - it's about evolving from survival mode to a mature, developed program. Startups move fast, but as you scale, customers demand trust, compliance becomes mandatory, and security debt turns into real risk.
This is real talk from the trenches - we'll share exactly how we evolved our security program from one built around reactive chaos to proactive resilience. If you're scaling fast, these lessons will help you move fast - without breaking trust.

Greg Sienkiewicz is a DevSecOps engineer at Rewind, an Ottawa-based scale-up focused on protecting SaaS and cloud data. He holds multiple industry certifications, including ISC2 Certified Cloud Security Professional (CCSP) and AWS Certified Security - Specialty. He is a long-time supporter of OWASP - holds a Lifetime Membership - and is actively involved in the Ottawa chapter.
Turning the dial on SAST: Reducing False Positives with Call Graph-Driven LLM Reasoning with Vrushal Nedungadi
Static analysis tools are an integral part of modern software development processes for finding bugs and security vulnerabilities. However, they suffer from a drawback: false positive findings. False positives are findings that the static analysis tool incorrectly identifies as vulnerabilities. Such alerts waste developers' time and effort, since they are not exploitable and need no patching. A substantial number of false positives can lead to developer fatigue and reduce the adoption of static analysis tools within software development teams. This may cause real vulnerabilities to go unnoticed, thereby increasing the software's overall attack surface. Therefore, it is imperative that false positives in SAST findings, and the noise they create, be reduced significantly.
In an attempt to realize this objective, we propose a novel approach that combines inter-procedural call graph analysis with large-language-model reasoning to identify false positives in SAST findings. Our approach constructs precise call graphs with bidirectional execution context (caller chain and callee chain) to help the LLM conduct a comprehensive data flow analysis. To help the LLM reason better, our method guides it with CWE-specific prompts, which drive more accurate results.
The system detects over 90% of false positives for specific CWEs such as CWE-22 (Path Traversal) and CWE-89 (SQL Injection). Our research demonstrates that inter-procedural call graph analysis coupled with LLM reasoning powered by CWE-specific prompting can significantly reduce the number of false positives in SAST findings, thereby increasing the usability of SAST tools.
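The following is an added illustration of the kind of context assembly the abstract describes, written for this page and not the speaker's system. It uses Python's standard `ast` module to build a small inter-procedural call graph for a module, extracts the caller chains leading to a function a SAST tool flagged and the callees reachable from them, and packages that bidirectional context with a CWE-specific question. The sample module, the finding record, the `CWE_PROMPTS` wording and all function names are constructed for this example; the actual LLM call is left out since the point is what context the model receives.

```python
"""Call-graph context for triaging a SAST finding (added example, not the
talk's code). Sample module, finding and prompt wording are constructed."""
import ast
from collections import defaultdict

# Constructed sample module. A SAST tool would report `read_file` for CWE-22
# because `path` flows into open(); only the callers reveal that `handler`
# strips directory components with `safe_name` before the call.
SAMPLE_SOURCE = '''import os

def safe_name(name):
    return os.path.basename(name)

def read_file(path):
    with open(os.path.join("/srv/data", path)) as f:
        return f.read()

def handler(request):
    name = safe_name(request["name"])
    return read_file(name)

def main():
    return handler({"name": "../../etc/passwd"})
'''

# Constructed finding in the shape SAST tools commonly emit.
FINDING = {"cwe": "CWE-22", "function": "read_file", "line": 7}

# Hypothetical CWE-specific guidance; the real prompts are not on the page.
CWE_PROMPTS = {
    "CWE-22": ("Follow every value that reaches the file path argument. Is there "
               "a caller chain where attacker-controlled input can contain '..' "
               "or path separators without being sanitised first?"),
    "CWE-89": ("Follow every value that reaches the SQL string. Is any part of it "
               "built from attacker-controlled input instead of a bound parameter?"),
}


def build_call_graph(source):
    """Map each module-level function to the module-level functions it calls."""
    tree = ast.parse(source)
    funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    graph = {name: set() for name in funcs}
    for name, fn in funcs.items():
        for node in ast.walk(fn):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id in funcs):
                graph[name].add(node.func.id)
    return graph, funcs


def caller_chains(graph, target, max_depth=6):
    """Every path from an entry point (a function nobody calls) down to target."""
    callers = defaultdict(set)
    for caller, callees in graph.items():
        for callee in callees:
            callers[callee].add(caller)
    chains = []

    def climb(node, path):
        parents = callers[node] - set(path)   # ignore recursion cycles
        if not parents or len(path) >= max_depth:
            chains.append(list(reversed(path)))
            return
        for parent in sorted(parents):
            climb(parent, path + [parent])

    climb(target, [target])
    return chains


def callee_closure(graph, start):
    """Transitive callees of start, excluding start itself."""
    seen, stack = set(), [start]
    while stack:
        for callee in graph.get(stack.pop(), ()):
            if callee not in seen:
                seen.add(callee)
                stack.append(callee)
    seen.discard(start)
    return sorted(seen)


def build_prompt(source, finding):
    """Assemble the CWE-specific question plus caller and callee context."""
    graph, funcs = build_call_graph(source)
    target = finding["function"]
    chains = caller_chains(graph, target)
    on_path = {name for chain in chains for name in chain}
    # Include callees of every function on the caller chains so that helpers a
    # caller relies on (e.g. a sanitiser) are visible to the model.
    context = set(on_path)
    for name in on_path:
        context.update(callee_closure(graph, name))
    direct = callee_closure(graph, target)
    parts = [f"Finding: {finding['cwe']} in {target} at line {finding['line']}",
             CWE_PROMPTS[finding["cwe"]],
             "Caller chains: " + "; ".join(" -> ".join(c) for c in chains),
             "Callees of flagged function: " + (", ".join(direct) if direct else "none"),
             "Source of every function in context:"]
    parts += [ast.get_source_segment(source, funcs[n]) for n in sorted(context)]
    parts.append("Answer TRUE_POSITIVE or FALSE_POSITIVE with a one-line reason.")
    return "\n\n".join(parts)


if __name__ == "__main__":
    print(build_prompt(SAMPLE_SOURCE, FINDING))
```

Running the module prints the assembled prompt: the CWE-22 question, the chain `main -> handler -> read_file`, and the source of all four functions, including `safe_name`, which is the detail a reviewer (human or model) needs to decide whether the flagged `open()` is reachable with an unsanitised path.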
129 attendees
Hack The Halls Winter Party!
Bridges, 1696 Duranleau St, Vancouver, BC V6H 3S4, Vancouver, BC, CA

OWASP Vancouver are joining in with the Lower Mainland's biggest cyber security social event of the year! Bringing together security professionals and enthusiasts for an evening of appetizers, drinks, networking and good times!
Wear your holiday/hacker/tech-themed outfits and socialize with industry peers.
Visit https://luma.com/b5suj1te to book your ticket!
Use the code HTH-OWASP-25CRTX to get $25 off as part of our OWASP Vancouver Community
1 attendee
Past events (49)