Unsolved Problems in Application Security
Abstract
The discipline of AppSec has evolved tremendously since the founding of OWASP in 2001. As software development methodologies have advanced, AppSec has struggled to keep pace with innovation.
Some foundational issues, like reliable SCA, have now been solved by the industry. But certain thorny problems, like software attestation, risk-based prioritisation, SAST accuracy, and DAST correlation, remain elusive.
Join our session for a discussion of the current state of application risk management and the unsolved issues that still limit the full potential of developer-focused security.
Outline/Structure of the Talk
Agenda
1. Origins and Fundamental Challenges
- In the beginning...
- The Three Fundamental Challenges of AppSec
- Process: Event Horizon
- Technology: Emergent Complexity
- Different Sized Loops
- Where is security on the critical path?
2. Largely Solved Problems as of 2024
- Event Horizon: Accurate Dependency Resolution for SCA
- Emergent Complexity: Cloud-Native Application Asset Visibility
- Different Sized Loops: Shifting Test Responsibility to the Left
3. Exciting Near-Term Possibilities
- Event Horizon: Reachability Analysis from Runtime Signals
- Emergent Complexity: Attestable Software Lineage Artifacts
- Different Sized Loops: Shifting Meaningful Context and Fix Advice Left
4. Thorny Unsolved Issues
- Event Horizon: Correlation of Unlike Signals (Dynamic to Static)
- Emergent Complexity: Threat Modeling / Declarative Security "By Design"
- Different Sized Loops: Setting The Right Incentives (Turning Chickens into Pigs)
5. What's the Future of AppSec?
Learning Outcome
The common thread of all Application Security success is that security sits in the natural critical path of software engineering. The long-term future of Application Security lies in changing that definition to finally address longstanding challenges.
Target Audience
Security Professionals and Application Developers

Craig Dent
Senior Solutions Engineer - Snyk APJ
Sydney, Australia