OWASP 2022 Global AppSec San Francisco

When there is too much data our brains strain to find patterns, organization, and categorization. Context, frequency mapping, and using data to tell a larger story via trend analysis helps us parse the signal to noise ratio into something meaningful and into something actionable. This talk seeks to share a combination of open source data and bug bounty data about vulnerabilities from 2021 and 2022, how to categorize those vulnerabilities, and then once categorized, how to connect meaningful context for defenders and builders.

All of the vulnerabilities that will be covered in this talk are related to application security and each will be mapped to the most recent OWASP Top Ten list (2021). The vulnerabilities will be grouped into 3 case studies. The first case study will focus on vulnerabilities found in the Google Project Zero report and other Open Source Intelligence (OSINT) sources that relate to Application Security. The second case study will focus on impactful vulnerabilities from 2022, such as those listed on open sources like MITRE’s CWE Top 25 list. The final case study will focus on disaggregated and anonymous data that the presenter has access to related to a bug bounty program. All the vulnerabilities shared from this data will connect with Application Security and they will all be mapped to OWASP Top Ten. Then a cumulative trend and frequency analysis will be discussed.

To provide additional context, when data is available and known, it will be shared if the vulnerability was also being actively exploited in the wild, if there is a published proof-of-concept (PoC), and if there is a mitigation plan. Be prepared for visualization of data and story based data telling. At the end of the talk, the speaker will share resources for research and further development for skills around OSINT, threat intelligence, and vulnerability management.

The content of this talk could be used by devops to further understand the context behind vulnerabilities that affect the platforms they are building, vulnerability management teams, threat modelers, cyber threat intelligence teams, and incident responders.