Large-Scale Application Attack Surface Management - Fariskhi Vidyan

353 views
Nov 14, 2023
44:55

Description

Organizations face the daunting challenge of securing their extensive application portfolios, which encompass a wide range of APIs, web services, and mobile applications. This presentation delves into the realm of application attack surface analysis and management, highlighting its significance, challenges, and various approaches, while drawing on lessons learned through research and implementation in large-scale applications.

There have been numerous discussions and resources focusing on application attack surface management, primarily emphasizing API analysis, black-box dynamic analysis, and network analysis for inventory gathering. This presentation, however, takes a more comprehensive approach with a DevSecOps mindset. It highlights the importance of security reviewers understanding the specific requirements and nuances of applications, while developers can improve the security testability of their codebase to facilitate the attack surface enumeration process. Additionally, the presentation addresses attack surfaces specific to mobile applications, such as deep links and exposed components, in addition to standard attack surfaces like web APIs.

The discussion covers the approach to managing the attack surfaces of a substantial number of web applications and less common techniques for identifying these attack surfaces using static code analysis and runtime instrumentation. It is crucial for organizations to recognize that they may require customized solutions that surpass the capabilities of general attack surface management tools. Through the example of a scalable application attack surface management architecture and the advantages gained from its implementation, organizations can derive valuable lessons and determine an application attack surface management program that aligns with their strategies and yields benefits.

Speaker: Fariskhi Vidyan, Traveloka, Security Engineering Manager

Managed by the OWASP® Foundation https://owasp.org/
