Welcome to OWASP AppSec 2018 USA we look forward to seeing you in San Jose, CA

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Gold [clear filter]
Thursday, October 11


Authentication as a Microservice: Portable Customer Identity Management
Authentication is a core piece of many applications but it has traditionally been handled in a monolithic manner. Foreign keys to the user table and join tables for roles and permissions is the most common mechanism that applications use to manage user data. Moving to microservices means that applications now need to decouple authentication, user management, and user data. To accomplish this, a portable identity model is required.
In this session, we will discuss the advantages of a microservice architecture, as well as the most common pitfalls including increased network chatter and various security issues. I’ll cover the basics of authentication and authorization as a microservice and JWT revocation. The goal is to allow developers to primarily focus on code and move away from infrastructure concerns.

avatar for Brian Pontarelli

Brian Pontarelli

CEO, FusionAuth and CleanSpeak
Brian Pontarelli is founder and CEO of Inversoft, a Denver-based provider of platform technologies built to help companies manage, moderate and engage their customers. These technologies include Passport, a modern identity and user management API that provides login, registration... Read More →

Thursday October 11, 2018 10:15am - 10:50am
  • NEW FIELD 1 Track 3
Friday, October 12


Human factors that influence secure software development
Software is written by people, either alone or in teams. Ultimately secure code development depends on the actions and decisions taken by the people who develop the code. How do we account for the “human factors” that contribute to application security?

By its very nature both automated and manual application security testing are performed retroactively on code that has already been written. Automated AppSec testing can speed up that process to provide security analysts and developers with timely information about the security state of their code, thereby closing the time gap between committing code and discovering weaknesses in it. But automated testing is still performed after code has been committed. Furthermore, both manual and automated source code analyses are done without much prior knowledge about where the vulnerabilities are likely to appear in the code base.

What would happen if we could point to specific code that is more likely to be vulnerable based on other factors, such as the environment (time of day, distracting noise, time pressure) under which the code was written or the characteristics of the individual developers (experience, training, focused attention) or the teams (size, diversity, level of collaboration) that developed the code? This information would allow us to orient our manual code analyses and automated static analyses towards susceptible code. It would also allow us to change up the conditions that are contributing to the introduction of vulnerabilities, and intervene before these conditions impact the security of the code under development.

This is a definitive way to shift security to the left. Become so aware of the factors that contribute to the introduction of vulnerabilities that an organization can mitigate their introduction by changing up the conditions under which the code is being developed.

This session will review the types of research being conducted, and the initial findings, from an emerging area of application security research: the human dimensions that relate to secure code development. We will also open up a discussion with the audience about innovative ways that could be used to further study the human factors that affect secure code development in ongoing projects, not just through historical analyses of well-established repositories.

avatar for Anita D'Amico

Anita D'Amico

CEO, Code Dx, Inc.
Anita D’Amico, PhD is CEO of Code Dx, Inc. which provides open-source and commercial application security solutions based on advanced technologies developed by Secure Decisions, an R&D organization which she had also directed. Her roots are in experimental psychology and human factors... Read More →
avatar for Chris Horn

Chris Horn

Senior Researcher, Secure Decisions
Chris Horn is a Senior Researcher at Secure Decisions, an R&D division of Applied Visions, Inc. He has 18 years of experience in research, software systems, and new product development. Currently, he leads cybersecurity research & development projects and focuses on developing technology... Read More →

Friday October 12, 2018 10:15am - 10:50am
  • NEW FIELD 1 Track 3