About this event
The Security Meetup, hosted by GitHub and OWASP, is a great occasion to connect with other security researchers, developers and managers, by discussing all things security, sharing tips and tricks and networking.
Don't miss the opportunity to gain valuable insights straight from the stage with engaging talks from LinkedIn and Apiiro.
Drop by for education, mingling, food, crafted cocktails and of course some GitHub swag!
Please complete the form below to reserve your spot.
Date | Wednesday, September 20, 2023
Time | 5:00 p.m. - 8:00 p.m.
275 Brannan Street
San Francisco, CA 94107
- 5:00 - Check in, grab some food/drinks and network
- 5:45 - Introductions
- 6:00 - 6:20 - Building a Robust Secret Scanning Pipeline (LinkedIn)
- 6:30 - 7:00 - GitHub Advisory Database Alerts (GitHub)
- 7:00- 7:30 - Stop Thinking "Vuln": Quantifying Risk to Optimize your AppSec Program (Apiiro)
- 7:30 - Networking
- 8:00 - Conclusion
About the Sessions
6:00pm - 6:20pm
Building a Robust Secret Scanning Pipeline
Aashna Sethi, Security Engineer, LinkedIn
Francis Alexander, Staff Security Engineer, LinkedIn
Emmanuel Law, Senior Staff Security Engineer, LinkedIn
Leakage of Secrets is one of the most common problems organizations face and often acts as the starting vector for the majority of the attacks. In this talk, we delve into the implementation of how we rolled out secret scanning capabilities within LinkedIn and outline the steps taken to establish an effective secret scanning pipeline.
Our talk navigates you through the complete lifecycle of the secret scanning pipeline starting from identifying secrets, verifying them through our custom validation service, managing the security alert lifecycle alongside developers, and ultimately focusing on the prevention of secrets. Join us to gain understanding of the intricacies and lessons learned while building a robust secret scanning pipeline, from inception to execution.
6:30pm - 7:00pm
GitHub Advisory Database Alerts
John Maroney, Security Analyst III, GitHub
The GitHub advisory database powers security alerts delivered through dependabot. The data itself is curated by the GitHub security lab and is made available for free for everyone forever. Come learn about the curation process and see how the sausage is made.
7:00pm - 7:30pm
Stop Thinking “Vuln”: Quantifying Risk to Optimize your AppSec Program
Idan Plotnik, CEO, Apiiro
Not all vulns are created equal. Whether surfaced via a tool (SAST, SCA, DAST, container, IaC security, etc.) or a human-led process (bug bounty, pen test, etc.), a vulnerability may or may not actually pose a risk to your business. Is it in deployed code? Is that code internet-facing? Is it exploitable? Is it in a high business impact application? More often than not, it’s non-trivial to answer those questions to understand how risky it is and prioritize it amongst the mountain of other tasks on our plate.
Multiply that across dozens of alert feeds, a constantly-changing application attack surface, and different types of application weaknesses (misconfigs, exposed secrets, API weaknesses, etc.)...There has to be a better way.
In this talk, we’ll explore the many dimensions of risk and the different likelihood and impact indicators you need to quantify the risk of a vulnerability, misconfiguration, exposed secret, etc., loosely following the industry-standard risk matrix (also used in the OWASP Risk Rating Calculator). We’ll also explore how the newest AppSec solution category—application security posture management (ASPM)—aims to programmatically, proactively, and automatically contextualize alerts to drastically cut down your backlog and prevent critical risks from being deployed—without overburdening your developers.
Please complete the form below by Tuesday, September 19, 2023 6pm PDT to reserve your spot. Space is limited.
Looking forward to connecting at the Security Meetup 🔒