Thursday, February 16 • 4:30pm - 5:30pm
Let’s Cook: Contextual Vulnerabilities are the Ingredients and OWASP Top 10 Mapping the Seasoning


When you're hungry it's hard to focus, and some even get hangry (a portmanteau of hungry + angry). This session will feed the brain with a methodology for analyzing vulnerabilities in their context. When there is too much data, our brains strain to find patterns, organization, and categorization. Context, frequency mapping, and using data to tell a larger story through trend analysis help us separate signal from noise and turn the result into something meaningful and actionable.

This talk seeks to share a methodology for categorization of vulnerabilities gathered from open source data and bug bounty data from 2022. The methodology focuses on how to categorize those vulnerabilities, and then once categorized how to connect meaningful context for defenders and builders.

All of the vulnerabilities covered in this talk relate to application security, and each will be mapped to the most recent OWASP Top Ten list (2021). The vulnerabilities will be grouped into two case studies. The first case study focuses on vulnerabilities found in the Google Project Zero report and other Open Source Intelligence (OSINT) sources that relate to application security. The second case study focuses on disaggregated, anonymized data from a bug bounty program to which the presenter has access. All the vulnerabilities drawn from this data relate to application security, and all will be mapped to the OWASP Top Ten. A cumulative trend and frequency analysis will then be discussed.

To provide additional context, where the data is available and known, the talk will note whether each vulnerability was also being actively exploited in the wild, whether a proof-of-concept (PoC) has been published, and whether a mitigation plan exists. Be prepared for data visualization and story-based data storytelling. At the end of the talk, the speaker will share resources for research and further skills development in OSINT, threat intelligence, and vulnerability management.

The content of this talk can be used by DevOps teams, to better understand the context behind vulnerabilities that affect the platforms they build, as well as by vulnerability management teams, threat modelers, cyber threat intelligence teams, and incident responders.

Speakers

Meghan Jacquot

Security Engineer, Inspectiv
Meghan Jacquot is a Security Engineer with Inspectiv and focuses on vulnerabilities and attack surface management. She is particularly interested in cloud security, threat intelligence, investigating vulnerabilities, and the ethical use of data. Meghan shares her research via conferences...

Thursday February 16, 2023 4:30pm - 5:30pm GMT
Room: Liffey Meeting Room 1