
Dublin. City by the sea. Capital of Ireland. Home of Guinness. And, most recently, host to the OWASP 2023 Global AppSec Conference. This four-day event in mid-February included educational training, a conference of security industry professionals, and an exhibition hall with booths from many technology providers, including HCL AppScan.

OWASP (Open Worldwide Application Security Project®) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, with hundreds of local chapters worldwide, the OWASP Foundation is the source for developers and technologists to secure the web.

In the field of security, OWASP is best known for The OWASP Top 10, a standard awareness document for developers and web application security practitioners that represents a broad consensus about the most critical security risks to web applications.

Application programming interfaces

Among the event’s highlights was a series of speakers covering a wide array of application security topics including threat modeling, hacking, defending APIs (Application Programming Interfaces), artificial intelligence, and much more.

One talk that stood out was Ten DevSecOps Culture Failures by Chris Romeo, CEO of Kerr Ventures and host of the Application Security Podcast. Chris drew on his 25 years of experience for a high-level discussion of how to improve the role of security in the overall DevOps culture. Here are some key takeaways from this talk.

  1. Teach a foundation of security to everyone (developers included), but also teach coding to the security team. Chris was emphatic that the days of security teams working separately from developers and DevOps are long gone and that successful DevSecOps requires a more collaborative approach where everyone understands each other’s roles and responsibilities.
  2. “Drop the no; try yes, if…” Security needs to identify less as gatekeepers and find ways to let developers bring forward innovative ideas that still include security best practices. Chris suggested that practicing empathy was a key component of this change and encouraged the audience to spend time sitting with developers while they work to better understand the challenges they face when using security tools.
  3. Never waste anyone’s time with security findings that don’t matter. Tune the tools you have and introduce new tools with a minimal policy so developers aren’t overwhelmed with hundreds of tickets that don’t represent critical vulnerabilities. Chris was clear that if security wants developers to use a tool, they need to like it first, and that’s better accomplished by delivering fewer and more impactful findings.
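To make the third takeaway concrete, here is an added example of a "minimal policy" gate (this is not code from the talk, from OWASP, or from HCL AppScan). It takes a constructed list of scanner findings and blocks the build only on findings that clear a severity and confidence bar and sit outside paths the team has chosen to defer; everything else is kept for later triage rather than turned into a ticket. The field names, thresholds and sample findings are all assumptions made for the illustration.

```python
"""Minimal-policy gating over scanner findings (added example, not vendor code).

Field names (rule_id, severity, confidence, path) are assumptions chosen for
this illustration; map them from whatever your scanner actually emits.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str    # one of SEVERITY_RANK
    confidence: str  # one of CONFIDENCE_RANK
    path: str        # repository-relative file path


@dataclass(frozen=True)
class Policy:
    """What must be true for a finding to block the pipeline."""
    min_severity: str = "high"
    min_confidence: str = "medium"
    # Paths whose findings are deferred rather than blocking (test fixtures,
    # vendored code that is handled by SCA instead, and so on).
    deferred_path_prefixes: Tuple[str, ...] = ("test/", "vendor/")


# Constructed sample findings, shaped like a typical SAST report.
SAMPLE_FINDINGS = [
    Finding("sql-injection", "critical", "high", "src/db.py"),
    Finding("reflected-xss", "high", "low", "src/views.py"),       # low confidence
    Finding("hardcoded-secret", "high", "high", "test/fixtures.py"),  # deferred path
    Finding("weak-hash", "medium", "high", "src/auth.py"),          # below severity bar
    Finding("path-traversal", "high", "medium", "src/files.py"),
]


def matters(finding: Finding, policy: Policy) -> bool:
    """True when the finding should block the build under this policy."""
    if finding.path.startswith(policy.deferred_path_prefixes):
        return False
    severe_enough = SEVERITY_RANK[finding.severity] >= SEVERITY_RANK[policy.min_severity]
    confident_enough = CONFIDENCE_RANK[finding.confidence] >= CONFIDENCE_RANK[policy.min_confidence]
    return severe_enough and confident_enough


def apply_policy(findings: Iterable[Finding], policy: Policy) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (blocking, deferred) lists."""
    blocking, deferred = [], []
    for f in findings:
        (blocking if matters(f, policy) else deferred).append(f)
    return blocking, deferred


def should_fail_build(findings: Iterable[Finding], policy: Policy = Policy()) -> bool:
    """Gate decision: fail only if at least one finding clears the policy bar."""
    blocking, _ = apply_policy(findings, policy)
    return bool(blocking)


if __name__ == "__main__":
    minimal = Policy()
    block, defer = apply_policy(SAMPLE_FINDINGS, minimal)
    print(f"minimal policy: {len(block)} blocking, {len(defer)} deferred for later triage")
    for f in block:
        print(f"  BLOCK {f.rule_id} ({f.severity}/{f.confidence}) {f.path}")

    # The 'everything is a ticket' approach the talk argues against, for contrast.
    noisy = Policy(min_severity="low", min_confidence="low", deferred_path_prefixes=())
    block_all, _ = apply_policy(SAMPLE_FINDINGS, noisy)
    print(f"noisy policy:   {len(block_all)} blocking")
```

With the constructed sample, the minimal policy blocks on two findings (the high-confidence SQL injection and the path traversal) and defers the other three, while the "report everything" policy would raise all five. The point is not the specific thresholds, which each team tunes to its own scanner, but that the gate starts narrow and is widened deliberately as developers gain trust in the tool.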

Other interesting topics covered included the importance of threat modeling and the integration of SCA (Software Composition Analysis) and other tools to protect the pipeline from vulnerabilities in third-party components. In his final comments he predicted that in fifty years, the DevOps culture and the values and methodologies it contains will be far more impactful than the ever-changing security tools themselves.

Click here to hear the entire talk on YouTube.

HCL AppScan is committed to developing application security testing tools that enable everyone in the development pipeline to be part of the solution when it comes to developing secure software. Visit us online for more information or sign up for a free trial today.
