A Recap of the SF OWASP Meetup, Hosted by Semgrep and Jit

On February 15th, our friends at Semgrep hosted a meet up for the OWASP community at their beautiful office in San Francisco. 

Application security professionals and developers in the San Francisco tech community showed up to discuss what has been working for them, what isn’t working, and upcoming trends in the world of application security.

In this short recap, we’ll explore some of the topics discussed by Semgrep’s Kyle Kelly and our very own Aviram Shmueli.

Kyle Kelly from Semgrep discusses prioritization for software supply chain vulnerabilities

There are plenty of Software Composition Analysis (SCA) tools available to scan open source libraries for known vulnerabilities. Kyle discussed tools like npm audit and OSV Scanner (some of our favorites), which catalog every open source component in your codebase, and cross references these components with vulnerability databases like the National Vulnerability Database (NVD) to flag security issues.

While these tools can surface vulnerabilities that would have otherwise gone unnoticed, they also list vulnerabilities that may not be exploitable in production.

Given the time constraints of engineers, they can’t remediate every security issue, so it's best practice to focus their attention on the highest security risks.

Kyle discussed the importance of focusing engineering efforts on the vulnerabilities that are actually exposed and exploitable in production, so that engineers can effectively mitigate the highest security risks.

To learn more about Kyle’s point of view on application security, check out his blog for more!

Aviram Shmueli from Jit presents effective metrics for monitoring DevSecOps initiatives

Aviram began his talk discussing DORA metrics, which is a common way to measure DevOps efficiency. DORA metrics monitor the amount of releases per day, the mean time to recovery from production incidents, and other metrics. 

DORA metrics are a good example of adapted monitoring to focus on today’s development trends. He then raised the question, how could we rethink security monitoring metrics to provide more valuable insights into the progress of DevSecOps initiatives?

Here are some of the metrics he discussed:

• Unresolved vulnerabilities per team and per repo: unresolved vulnerabilities in production don’t provide many actionable insights for remediation. Instead, by monitoring unresolved vulnerabilities per repo and per dev team, managers can more effectively identify gaps and highlight areas of improvement.
• Scan detection rate: monitoring the rate of scans that surface vulnerabilities can show how developers are improving the security of their code on their own.
• Exposure window: the exposure window measures the amount of time a vulnerability remains unresolved in production. This can be an effective way to gauge an organization's risk tolerance for software and cloud infrastructure vulnerabilities.
• Mean time from detection to remediation (MTTR): Similarly to the DORA metric that measures mean time to recovery for production issues, MTTR measures the average time needed to remediate vulnerabilities after they’re detected. This can gauge an organization’s ability to quickly address new security vulnerabilities.

What’s coming up next?

We’re looking forward to the upcoming events we’ll be attending, including DevOps Live in London on March 6-7, AWS Summit in Paris on April 3rd, and Boston Application Security Conference (hosted by OWASP) on April 6th.