How to get the best AppSec test of your life


Talk I presented at OWASP AppSecIL 2017 on 18 October 2017

Published in: Software

Slides 1–2 (title): Josh Grossman, OWASP AppSec Israel 2017 – How to get the best AppSec test of your life

Slide 3: The data (image labels: Sky, Shady side of pyramid, Sunny side of pyramid)

Slides 4–5: I can doez pen testing (image)

Slide 6: Who am I?
• 10 years of IT Security, IT Risk and development experience
• Last several years focused on Application Security and Cloud
• Team Lead in the AppSec Department at Comsec Global
• Married + 2, living in Modi’in

Slide 7: Disclaimer
• Thoughts and opinions are my own and do not represent my employer

Slide 8: Today’s Goals
• Something for everyone
• Defenders/Builders – Ideas, ideas, ideas
• Breakers – Are you ready?
• Questions at the end please

Slide 9: (image) https://www.flickr.com/photos/purpleslog/2907496392/in/photostream/

Slide 10: Principle 1: “Anything worth doing, is worth doing right” – Hunter S. Thompson

Slide 11: Principle 2 – You get what you put in

Slide 12: Principle 3: (image only)

Slide 13: Three opportunities
1. Scoping
2. Preparation
3. Reporting
(Slides 14–34 carry a footer tracker, S1–S5 / P1–P5 / R1–R5, marking the five points under each of the three opportunities.)

Slide 14: Security to the left
• The earlier, the easier
• Architecture review
• Key design decisions

Slide 15: The whitest white box
• Value, not realism
• More coverage, more quality, less time
• Improvement process, not an exam

Slide 16: An expert comes from outside
(diagram labels: Smart suit, Know-it-all, From outside, Realtor, Intruder, Your boss, Expert)
• Shiny report is more persuasive
• Should push your concerns
• Both sides benefit

Slide 17: Old hand or a Fresh Start?
• Yes!
• Old hand for a few cycles
• Then a fresh pair of eyes later

Slide 18: A full project? (tracker only)

Slide 19: A full project
1. Scoping
2. Detailed overview (mini design review)
3. Testing supported by source code
4. Deliver report
5. Explanatory meeting to present findings
6. Assist developers with finding solutions
7. Perform retesting and prepare for next project
Zero day card (credit Haroon Meer, 44con 2011)

Slide 20: Scoping
1. Security to the left
2. The whitest white box
3. An expert comes from outside
4. Old hand or a Fresh Start
5. A full project cycle

Slide 21: Hack yourself first
• Catch low hanging fruit
• It’s fun and tools are cheap
• But… requires time
http://rickvandenbosch.net/blog/security-workshop-hack-yourself-first/
Plus credit to Jeremiah Grossman, Troy Hunt and AverageSecurityGuy

Slide 22: Disclose known vulnerabilities
• Vulnerabilities already in the backlog
• Also areas you are concerned about
• Not a competition, we want efficiency!
https://www.youtube.com/watch?v=7t0EtKlQxyo

Slide 23: Security by non-testability
• Great security technologies exist
• We want to test the app, not them
• If necessary, check findings afterwards

Slide 24: The testing setup
• No 100% safe test
• Ideally, dedicated environment
• Let us use our testing builds, please!
https://imgur.com/gallery/MKk5l

Slide 25: Be ready
• Agree a start date
• Get a written request list
• Test it all

Slide 26: Preparation
1. Hack yourself first
2. Disclose known vulnerabilities
3. Security by non-testability
4. The testing setup
5. Be ready

Slide 27: Progress reports
• Status vs Findings
• Problems and Critical findings – ASAP
• Everything else – later
• Ongoing comms is important

Slide 28: Executive Summary
(mock report image: “ACME Corp – Security Test Report”, sections 1.3 Graph of Findings and 1.4 Detailed Findings List, a “Findings by type” chart with entries Nation-state level TLS stuff, XSS, More XSS, No last login time, False positives, 2017 T10 RC1 A7 Insufficient Attack Protection)
• Summarise report
• Should look good and be client friendly!
• Business impact crucial

Slide 29: Clearly explained with specific actions
• Easy to understand the finding
• Have full repro information
• How many instances?
• Specific and relevant recommendations
https://my2ndheartbeat.files.wordpress.com/2017/08/blah-blah-blah.jpg

Slide 30: Prioritised action plan
• Include testers and R&D
• Balance urgency and difficulty
• Maybe include short and long term fixes

Slide 31: Assistance with fixes
• Discuss the fix with the tester
• Avoid misunderstandings
• Fix should address the risk
• Worst case is fixing wrong
http://www.picturesinboxes.com/2014/09/04/superman-jerk/

Slide 32: Reporting
1. Progress reports
2. Executive Summary
3. Clearly explained with specific actions
4. Prioritised action plan
5. Assistance with fixes

Slide 33: Summary
1. Scoping – Security to the left; The whitest white box; An expert comes from outside; Old hand or a Fresh Start; A full project cycle
2. Preparation – Hack yourself first; Disclose known vulnerabilities; Security by non-testability; The testing setup; Be ready
3. Reporting – Progress reports; Executive Summary; Clearly explained with specific actions; Prioritised action plan; Assistance with fixes

Slide 34: Key takeaways:
1. Every little helps, not all or nothing
2. Efficiency, efficiency, efficiency
3. Build a dialogue
Contact: joshg@comsecglobal.com, joshcgrossman@gmail.com, @JoshCGrossman, #TrevorForget