AppSec USA 2017 has ended
Friday, September 22 • 9:00am - 9:45am
What We Learned Remediating XSS in GitHub Open Source Projects


Our goal was to fix as many high-risk vulnerabilities throughout the GitHub Open Source project portfolio as we could with a minimum of effort. The intent was to simulate portfolio wide remediation in a large and diverse organization within a context that allows sharing concrete statistics and experiences.


Fixing XSS throughout a portfolio of applications is more challenging than fixing a single application. In addition to the remediation work required for a single application, fixing a portfolio requires getting developer buy-in, complying with various coding style guides, integrating with each project’s existing processes, testing, metrics, and more.


This presentation will discuss how we did it, lessons learned, as well as some alternatives. Three things that made our scaling approach unusual were:

1) Focusing on risk broadly across application portfolios instead of a single application.

2) Focusing on adding missing security controls instead of the exploitability of vulnerabilities.

3) Automating JSP source code modification.
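As an added illustration of points 2 and 3 (this is not the FauzyLogic tooling, whose internals the abstract does not describe), a small Python rewriter that adds the missing output-encoding control to a JSP page: it wraps unencoded `${...}` EL expressions in HTML text and plain-HTML attributes with `fn:escapeXml()`, leaves JSTL tags such as `<c:out>` (already encodes) and `<c:if>` (a test, not output) untouched, and prepends the `fn` taglib directive the first time it wraps something. The sample page is constructed for the example.

```python
import re

# Directive to prepend when the page has no JSTL "fn" taglib yet (assumed layout).
FN_TAGLIB = '<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>'

# Chunk the page into: JSP directives/scriptlets, HTML comments, tags, text, stray '<'.
_CHUNK = re.compile(r'<%.*?%>|<!--.*?-->|<[^>]*>|[^<]+|<', re.DOTALL)
# An EL expression ${...} that is not the escaped literal \${...}.
_EL = re.compile(r'(?<!\\)\$\{\s*(.*?)\s*\}', re.DOTALL)
# Tags with a namespace prefix (<c:out>, <c:if>, </fmt:message>) are left untouched:
# c:out already encodes, and wrapping a c:if test would change its meaning.
_PREFIXED_TAG = re.compile(r'<\s*/?\s*[A-Za-z][\w.-]*:')


def add_output_encoding(jsp):
    """Wrap unencoded EL output in fn:escapeXml(); return (new_jsp, count)."""
    wrapped = 0

    def encode(match):
        nonlocal wrapped
        expr = match.group(1)
        if expr.startswith('fn:escapeXml('):
            return match.group(0)          # already encoded, leave as-is
        wrapped += 1
        return '${fn:escapeXml(' + expr + ')}'

    out = []
    for chunk in _CHUNK.findall(jsp):
        if chunk.startswith(('<%', '<!--')) or _PREFIXED_TAG.match(chunk):
            out.append(chunk)              # directives, comments, JSTL tags: skip
        else:
            out.append(_EL.sub(encode, chunk))  # text and plain HTML tags
    result = ''.join(out)
    if wrapped and 'prefix="fn"' not in result:
        result = FN_TAGLIB + '\n' + result
    return result, wrapped


# Constructed sample page: two unencoded outputs, one c:out, one c:if test.
SAMPLE_JSP = """<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:if test="${not empty user}">
  <h1>Hello, ${user.name}</h1>
  <a href="${user.profileUrl}">Profile</a>
  <c:out value="${user.bio}"/>
</c:if>
"""

if __name__ == '__main__':
    fixed, n = add_output_encoding(SAMPLE_JSP)
    print(f'{n} expression(s) wrapped\n{fixed}')
```

EL emitted inside `<script>` blocks, event-handler attributes or scriptlet expressions needs a context-specific encoder rather than `fn:escapeXml`, so a rewrite like this is reviewed as a diff per project, not committed blindly.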


We will compare the approach that we used on this project to more traditional manual and automated techniques that focus on vulnerability detection, as well as scaling through training, and scaling through building offshore capabilities.


Mike Fauzy

Founder, CTO, FauzyLogic
Mike Fauzy has been writing and assessing web applications since 1997. He helped write components of OWASP ESAPI, as well as minor contributions to Scrubbr, JavaSnoop, and other web app security projects. He also builds, trains, and expands automated web application security teams...

Demetria Robertson

COO, FauzyLogic
Demetria Robertson's background straddles data science, applied analytics, and software product management. She has held leadership roles in building analytics programs ranging from Fortune 500 to startup companies. Her credentials include data science certificates from Johns Hopkins...

Friday September 22, 2017 9:00am - 9:45am EDT
Coronado K