Thank you for joining us at our 20th Anniversary Event! All sessions were recorded and will be posted in the coming weeks on the OWASP YouTube channel.

We have been working hard to secure the world through challenges and discovery. And now, it’s time to celebrate! Many of you have played a crucial role in the Foundation’s enduring history, and we encourage you to participate in the celebration coming this September! Our theme, Securing the Next 20 Years, is encouraging and exciting as we look ahead to the next 20 years!

Join us for FREE at this live 24-hour global event as we honor the past, celebrate the present, and embrace the future of OWASP and cybersecurity. Hear from world-renowned keynotes and special speakers, and network with your peers. It is FREE to attend, however, registration IS required, to gain access to the session links.

Saturday, September 25 • 12:30am - 1:00am
Software Security Engineering (Learnings from the past to fix the future)

Abstract:
Over the last 20 years, exponential growth in technology and technological advancement has led to a significant increase in the attack surface of an application or piece of software. When these applications become part of an organisation's internal or external facing infrastructure, they inherently increase the organisation's overall attack surface.
Interestingly, the vast majority of the security bugs the industry has been dealing with in recent years have been around for at least two decades.

Suppose you are responsible for ensuring application security for your organisation, or you are a vital member of the software engineering team, and you find yourself dealing with known security issues affecting these applications year after year. In that case, there are a few critical questions to ask yourself.

Is it challenging to entirely eradicate any known application security bug, both in a single application and across all the applications in your organisation? Does your product team observe that security bugs identified and mitigated in a particular application/software release continue to resurface in future releases? Have you made a move to DevSecOps, or are you considering migrating away from Waterfall and Agile, in the hope that it would take care of all the security bugs in your applications/software?

If the answer to either or all of the above questions is "Yes", then this talk is for you.

This talk will have no fancy demos; instead, it will cover some of the crucial aspects of software security engineering and strategy that most organisations have overlooked or ignored.
The key to ensuring the maximum possible security resilience in an application/software against known and unknown threats is hidden in past events. Therefore, the talk will cover past examples to learn from and reflect on, so as to fix future security problems in an application/software.

It is quite possible to eliminate known security bugs entirely across all the applications in an organisation and prevent them from recurring. While achieving 100% resilience against zero-day threats for your software is less likely, it is quite possible to achieve at least 99.99% security resilience in an application/software against variants of known security bugs.

This talk will provide some food for thought on how to steer software security engineering in an organisation to achieve such results. Among all the solutions I'll cover, none of them will lead to DevSecOps. You'll find out why during the talk.

Speakers
Debasis Mohanty

Head Of Technical Services, SEQA
Debasis has over 20 years of insightful experience in offensive and defensive security. He got into security as early as 1998, when there were limited online resources and one had to self-learn and rely more on textbooks, MSDN resources (Windows) or man pages (Linux/Unix) than on...


Saturday September 25, 2021 12:30am - 1:00am EDT
On-Line