Friday, September 22 • 9:00am - 9:45am
What We Learned Remediating XSS in GitHub Open Source Projects

Our goal was to fix as many high-risk vulnerabilities throughout the GitHub Open Source project portfolio as we could with a minimum of effort. The intent was to simulate portfolio wide remediation in a large and diverse organization within a context that allows sharing concrete statistics and experiences.
Fixing XSS throughout a portfolio of applications is more challenging than fixing a single application. In addition to the remediation work required for a single application, fixing a portfolio requires getting developer buy-in, complying with various coding style guides, integrating with each project’s existing processes, testing, metrics, and more.

This presentation will discuss how we did it, lessons learned, and some alternatives. Three things that made our scaling approach unusual were:

1) Focusing on risk broadly across application portfolios instead of a single application.

2) Focusing on adding missing security controls instead of the exploitability of vulnerabilities.

3) Automating JSP source code modification.

We will compare the approach that we used on this project to more traditional manual and automated techniques that focus on vulnerability detection, as well as scaling through training, and scaling through building offshore capabilities.
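The abstract does not say which control the automated JSP rewrite added, so the following is an added illustration rather than the speakers' tooling: it assumes the missing control is output encoding, and wraps unencoded EL expressions in template text and HTML attributes with JSTL's fn:escapeXml, while leaving directives, scriptlets and custom tags (c:set, c:out, ...) alone so application logic is not altered. The sample JSP is constructed for the example.

```python
import re

# Assumed control (not stated on the page): JSTL output encoding via fn:escapeXml.
FN_TAGLIB = '<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>'
EL_RE = re.compile(r"\$\{([^}]*)\}")                    # ${...} EL expressions
TOKEN_RE = re.compile(r"<%.*?%>|<[^>]*>", re.DOTALL)   # directives/scriptlets, then tags
CUSTOM_TAG_RE = re.compile(r"</?[A-Za-z]+:")           # <c:out>, </c:if>, <fmt:...>, ...

def _escape_el(segment):
    """Wrap every EL expression in the segment that is not already encoded."""
    def repl(m):
        inner = m.group(1).strip()
        if inner.startswith("fn:escapeXml("):
            return m.group(0)               # already encoded: keep as is
        return "${fn:escapeXml(%s)}" % inner
    return EL_RE.sub(repl, segment)

def add_output_encoding(jsp):
    """Return (rewritten JSP, number of EL expressions newly wrapped)."""
    out, pos = [], 0
    for m in TOKEN_RE.finditer(jsp):
        out.append(_escape_el(jsp[pos:m.start()]))   # template text between tags
        tag = m.group(0)
        if tag.startswith("<%") or CUSTOM_TAG_RE.match(tag):
            out.append(tag)            # directive, scriptlet or JSTL/custom tag: untouched
        else:
            out.append(_escape_el(tag))  # plain HTML tag: encode EL in attribute values
        pos = m.end()
    out.append(_escape_el(jsp[pos:]))
    result = "".join(out)
    added = result.count("${fn:escapeXml(") - jsp.count("${fn:escapeXml(")
    if added and 'prefix="fn"' not in jsp:
        result = FN_TAGLIB + "\n" + result   # declare the fn taglib the rewrite relies on
    return result, added

# Constructed sample page: one EL in a c:set attribute, one in text, one already
# encoded, one inside c:out (encodes by default), one in an HTML attribute.
SAMPLE_JSP = (
    '<%@ page contentType="text/html" %>\n'
    '<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>\n'
    '<c:set var="title" value="${param.title}"/>\n'
    '<h1>${title}</h1>\n'
    '<p>Hello ${fn:escapeXml(user.name)}</p>\n'
    '<c:out value="${param.q}"/>\n'
    '<a href="${link}">profile</a>\n'
)

if __name__ == "__main__":
    rewritten, count = add_output_encoding(SAMPLE_JSP)
    print("wrapped %d expression(s)\n%s" % (count, rewritten))
```

Running the rewrite a second time changes nothing, which is the property a portfolio-wide tool needs so it can be re-run on every project without double-encoding.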
Speakers
Mike Fauzy

Founder, CTO, FauzyLogic
Mike Fauzy has been writing and assessing web applications since 1997. He helped write components of OWASP ESAPI, as well as minor contributions to Scrubbr, JavaSnoop, and other web app security projects. He also builds, trains, and expands automated web application security team...
Demetria Robertson

COO, FauzyLogic
Demetria Robertson's background straddles data science, applied analytics, and software product management. She has held leadership roles in building analytics programs ranging from Fortune 500 to startup companies. Her credentials include data science certificates from Johns Hop...


Friday September 22, 2017 9:00am - 9:45am
Coronado K