Is speaking at
Tuesday, December 11, 2018
2:00 PM
2:25 PM

Securing a web app: business security VS the OWASP top 10

The risks inside an application go beyond the OWASP top 10. The attacks that represent the most significant business risks for our organizations are often attacks targeting sensitive business functions of the applications. But unlike the OWASP top 10, there is no checklist for this. The answer needs to come from inside our organizations, where excellent business knowledge helps identify the known fraud use cases and threats. And the shift to DevSecOps is making this change possible. This talk is for DevSecOps practitioners and will show how to create a security automation tool that helps to prevent business logic attacks. Sensors are added to the application source code, business events are collected in an analysis engine, and automated responses are pushed back to the application at runtime. The presented tool is based on open source libraries, is easily extensible, and can be plugged into existing monitoring solutions. The talk will include concrete business examples to help the audience protect their applications' business logic, including real attacks that could be avoided using application-level sensors. It will also give tips to navigate and empower the various teams (fraud, developers, product, …) that know the business complexity and each own a different piece of this security puzzle.
Open Banking, API Security and Monitoring
Room Ada Lovelace (Floor 2)
  • Jean-Baptiste AVIAT (SQREEN)