Turning Engineers into Extended Blue Team Members - Security Strategies

Explore strategies for transforming software engineers into an extended blue team in this OWASP Global AppSec Tel Aviv conference talk. Learn how to empower engineers with tools, techniques, and processes to enhance security across the organization's infrastructure. Discover methods for evolving threat models using real-world incidents, creating incremental and rapid threat models, and implementing security tests to validate these models. Gain insights on leveraging Behavior-Driven Development (BDD) tests, contributing to the OWASP Cloud Security project, and educating product owners and project managers about threat vectors. Examine the benefits of proof-of-concept attack vectors, such as Cloudfront subdomain hijacking, for further model evolution and security awareness training. Understand how to build, evolve, and transfer ownership of threat models to engineering teams, create effective security champion programs, and integrate rapid threat modeling into the Software Development Life Cycle (SDLC).

Intro
Proof of Concepts
Security Test
Local Tests
Flask Web App
Dennis Cruz
Dennis
Attack Trees
Attack vectors
Elevation of privilege
Clouded cards
Open source tools