Podchaser Logo
Episode from the podcastAppSec Builders

Framework Security with Ksenia Peguero: the paved road foundation

Released Wednesday, 4th November 2020
Good episode? Give it some love!
In this episode I’m joined by Ksenia Peguero, Sr. Research Lead at Synopsys, for a discussion around frameworks and the foundational effect they have on the security of your application. We’ll share concrete tips for upgrading your security through your framework, choosing the best framework for app security, performing a framework migration, and how to spot and fix security blind spots in your frameworks.
About Ksenia
Ksenia Peguero is a Sr. Research Engineer within Synopsys Software Integrity Group, where she leads a team of researchers and engineers working on static analysis and security of different technologies, frameworks, languages, including JavaScript, Java, Python, and others. Before diving into research, Ksenia had a consulting career in a variety of software security practices such as penetration testing, threat modeling, code review, and static analysis tool design, customization, and deployment. During her decade in application security, she performed numerous engagements for clients in financial services, entertainment, telecommunications, and enterprise security industries. Throughout her journey, Ksenia has established and evolved secure coding guidance for many different firms, developed and delivered numerous software security training, and presented at conferences around the world, such as BSides Security, Nullcon, RSA, OWASP AppSec Global, TheWebConf, and LocoMocoSec. She has also served on review boards of OWASP AppSec USA, EU, and Global conferences.
https://www.linkedin.com/in/kseniadmitrieva/ (https://www.linkedin.com/in/kseniadmitrieva/)
https://twitter.com/kseniadmitrieva (https://twitter.com/kseniadmitrieva)
Ksenia Presentations:
https://www.youtube.com/watch?v=Ku8mPXmX7-M (https://www.youtube.com/watch?v=Ku8mPXmX7-M)
https://www.slideshare.net/kseniadmitrieva/how-do-… (https://www.slideshare.net/kseniadmitrieva/how-do-…)
Additional Resources:
Passeport, Flask login
http://www.passportjs.org/ (http://www.passportjs.org/)
https://flask-login.readthedocs.io/en/latest/ (https://flask-login.readthedocs.io/en/latest/)
Sails CSRF protection
https://sailsjs.com/documentation/concepts/securit… (https://sailsjs.com/documentation/concepts/securit…)
Express CSRF plugin
https://github.com/expressjs/csurf (https://github.com/expressjs/csurf)
Django / React security pagehttps://docs.djangoproject.com/en/3.1/topics/security/ ( https://docs.djangoproject.com/en/3.1/topics/secur…)
https://guides.rubyonrails.org/security.html (https://guides.rubyonrails.org/security.html)
Ksenia Angular listing ruleshttps://github.com/synopsys-sig/tslint-angular-security ( https://github.com/synopsys-sig/tslint-angular-sec…)
W3C security WG
https://www.w3.org/2011/webappsec/ (https://www.w3.org/2011/webappsec/)
Levels of vulnerability mitigation: https://image.slidesharecdn.com/javascriptframewor… (https://image.slidesharecdn.com/javascriptframewor…)
Episode 2 Transcript:
[00:00:02] Welcome to App Sec Builders, the podcast for practitioners building modern AppSec hosted by Jb Aviat.

Jb: [00:00:10] Hello Ksenia, nice to meet you

Ksenia: [00:00:14] Hi, Jb, how are you doing? 

Jb: [00:00:20] I'm great, thank you. So, Ksenia, you're a senior research engineer at Synopsis.

Jb: [00:00:24] You led a team of researchers and engineers working on static analysis. Before Synopsys. You've had a consulting career where you did penetration testing, threat modeling, code review, and you are also a seasoned speaker at various app security conferences across the world, such as the famous OWASP AppSec. So could you tell...