Eradicating Vulnerability Classes: Embracing Secure Defaults and Invariants

Explore a revolutionary approach to application security in this 45-minute OWASP Foundation talk. Learn how to shift from traditional Static Application Security Testing (SAST) to implementing secure defaults and invariants. Discover strategies for eradicating entire vulnerability classes, evaluating which vulnerabilities to prioritize, and establishing safe patterns as defaults. Gain insights into using tools for enforcing secure patterns, implementing continuous scanning best practices, and identifying escape hatches. Delve into the power of secure defaults combined with type systems, and understand how to address business logic vulnerabilities beyond the OWASP Top 10. Examine the importance of empowering developers as part of the security team and explore the potential of autofix solutions in enhancing application security.

Intro
A Different Way to Approach Security
Outline
Quiz: Does this app have XSS?
Task vs Effort Required
Your Internal Dialogue?
Compounding Effects of Killing Bug Classes
Evaluate which vulnerability class to focus on
Select a Safe Pattern and Make it the Default
Use Tools to Enforce the Safe Pattern
Continuous Scanning: Related Work
Continuous Scanning: Best Practices
How to Find Escape Hatches?
Secure defaults + types
Beyond OWASP Top10: Business Logic
If developers don't security team...
So make developers security team!
#3 Autofix