My picks for Shifting Left: ’21

What to watch for developers, ML enthusiasts, and hackers

Vickie Li
ShiftLeft Blog


Here at ShiftLeft, we are gearing up for Shifting Left: ’21, a one-day application security conference for developers and security practitioners on Jan 28, 2021. I’ve been a huge fan of security conferences ever since I attended my first security conference, NorthSec in Montreal. This time, I am excited to be on the organizer’s side and present this conference to you.

Shifting Left: ’21 is entirely online and free to register here. Now let’s get into it! Here are a few sessions I am most excited about and what you should attend if you like machine learning, developing secure applications, or hacking into applications.

Automatic vulnerability discovery with machine learning approaches

by Fabian Yamaguchi

How do security scanners work? There are two main types. Static analysis tools scan code for vulnerabilities without executing the program, whereas dynamic analysis tools find vulnerabilities by monitoring a program’s execution and interacting with it. Both are about automating security knowledge: static analysis tools receive vulnerable code patterns from security researchers and apply them to large codebases, whereas dynamic analysis tools feed attack payloads crafted by researchers into an application.

The bottleneck of this process is that a security expert needs to identify and specify these vulnerable patterns manually. Can we speed up this process by automatically inferring vulnerable code patterns using machine learning? In this talk, Fabian will talk about how to use unsupervised machine learning for vulnerability discovery.

Graph Databases for Code Analysis

by Michael Pollmeier

Here at ShiftLeft, we are developing a code analysis tool using code property graphs (CPGs). Code property graphs are a way to represent different pieces of your code and the ways they interact with each other. You can then use this graph to search for patterns that indicate a vulnerability. For example: is any user input displayed back to the user without going through sanitization? If so, we have found an XSS. In this talk, Michael will explain the details of how the technology works.

Interactive bug hunting with ShiftLeft Ocular and Joern

by Suchakra Sharma and Niko Schmidt

Suchakra and Niko will also demonstrate how to use this technology (CPGs) to hunt for bugs in source code efficiently.
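As an added illustration of the pattern search described in the two CPG sessions above (not code from ShiftLeft, Ocular or Joern, whose graph models are far richer), here is a miniature code property graph with data-flow edges and a query for source-to-sink paths that never pass a sanitizer; the statements, node roles and edges are constructed for a hypothetical web handler:

```python
# Constructed miniature code property graph: each node is one statement of a
# hypothetical web handler, tagged by its role in a taint-tracking query.
# Real CPGs (Joern, Ocular) layer AST, CFG and data-flow edges; only the
# data-flow ("reaching definition") edges matter for this query.
NODES = {
    "n1": {"code": "name = request.args['name']", "kind": "source"},     # attacker-controlled
    "n2": {"code": "greeting = 'Hello ' + name", "kind": "expr"},
    "n3": {"code": "safe = html.escape(greeting)", "kind": "sanitizer"}, # neutralises HTML
    "n4": {"code": "return render(safe)", "kind": "sink"},               # reflected to user
    "n5": {"code": "return render(greeting)", "kind": "sink"},           # reflected to user
}
# (from, to): the value produced by `from` reaches a use in `to`
DATA_FLOW_EDGES = [("n1", "n2"), ("n2", "n3"), ("n3", "n4"), ("n2", "n5")]


def find_unsanitized_flows(nodes, edges):
    """Return every source -> sink path along data-flow edges that does not
    pass through a sanitizer node. Each hit is a candidate reflected XSS."""
    successors = {}
    for src, dst in edges:
        successors.setdefault(src, []).append(dst)

    findings = []
    for start, attrs in nodes.items():
        if attrs["kind"] != "source":
            continue
        stack = [(start, [start])]          # depth-first walk, path kept per branch
        while stack:
            node, path = stack.pop()
            kind = nodes[node]["kind"]
            if node != start and kind == "sanitizer":
                continue                    # taint is neutralised: drop this branch
            if node != start and kind == "sink":
                findings.append(path)       # tainted value reached a sink unsanitised
                continue
            for nxt in successors.get(node, []):
                if nxt not in path:         # guard against loops in the graph
                    stack.append((nxt, path + [nxt]))
    return findings


def describe(nodes, path):
    """Render one finding as the chain of statements the tainted value flows through."""
    return " -> ".join(nodes[n]["code"] for n in path)


if __name__ == "__main__":
    for flow in find_unsanitized_flows(NODES, DATA_FLOW_EDGES):
        print("Unsanitised flow:", describe(NODES, flow))
```

In a real CPG the same query runs over the tool’s own graph rather than a hand-built dict, and the set of accepted sanitizers must match the sink’s output context (HTML body, attribute, URL), otherwise the query reports clean code as vulnerable or misses real flows.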

SolarWinds live analysis with ShiftLeft Ocular

by Chetan Conikee

What exactly happened with SolarWinds? In this session, Chetan is going to walk through the SolarWinds incident with a live forensic code analysis. He will also speak about techniques organizations can use to detect security flaws early in the development process.

Prioritized Software Composition Analysis

by Alok Shukla and Prabhu Subramaniam

Software composition analysis (SCA) is the process of scanning a project’s open-source dependencies for vulnerabilities. However, most SCA solutions report all CVEs found in open source packages without factoring in whether the vulnerable component is actively used or is reachable by an attacker. This leads to a lot of false positives that eat up precious development time. In this talk, Alok and Prabhu will present a solution that allows developers to focus on exploitable open source vulnerabilities.

Developer workflow for CSharp apps in Azure DevOps

by Preetam Jinka and Matthew Brandman

How do you integrate security scanning into a busy developer’s workflow? In this session, Preetam and Matthew will explore a typical C# developer’s workflow using .NET on Azure DevOps. They will discuss security vulnerabilities in C# applications and implement build rules in the workflow to prevent security issues from sneaking into production code.

The State of Application Security

Panel by Adam Fletcher, Enrique Salem, James Ransome, Shaleen Devgun, and Manish Gupta

Finally, the panel “The State of Application Security” will focus on critical challenges the application security industry faces and how we, as practitioners, can convey its value to stakeholders. The panel will also discuss how application security professionals can uplift security across the industry.

And those are my picks for Shifting Left: ’21! Again, the conference is entirely virtual and free to register here. I am excited to see you there!

Before then, feel free to connect with me on Twitter: https://twitter.com/vickieli7.
