Successfully reported this slideshow.

A journey into Application Security

2

Share

Nov. 18, 2015
2 likes 1,175 views
Upcoming SlideShare
Wfuzz for Penetration Testers
Wfuzz for Penetration Testers
Loading in …3
×
1 of 49
1 of 49

A journey into Application Security

Nov. 18, 2015
2 likes 1,175 views

2

Share

Download to read offline

Technology

A journey into application security will cover the relation and evolution of application security with the different approaches to development from Waterfall to Devops.

A journey into application security will cover the relation and evolution of application security with the different approaches to development from Waterfall to Devops.

Technology

Recommended

More Related Content

Viewers also liked

Path of Cyber Security
Satria Ady Pradana
External to DA, the OS X Way
Stephan Borosh
Web Security Workshop : A Jumpstart
Satria Ady Pradana
Malware analysis, threat intelligence and reverse engineering
bartblaze
WTF is Penetration Testing
Scott Sutherland
DC612 Day - Hands on Penetration Testing 101
dc612
Thick Application Penetration Testing - A Crash Course
NetSPI
Attack All the Layers - What's Working in Penetration Testing
NetSPI
Windows Threat Hunting
GIBIN JOHN
Operation Buhtrap - AVAR 2015
ESET
All You Need is One - A ClickOnce Love Story - Secure360 2015
NetSPI
Penetration testing, What’s this?
Dmitry Evteev
Extracting Credentials From Windows
NetSPI
Fuzzing and You: Automating Whitebox Testing
NetSPI
Penetration Testing vs. Vulnerability Scanning
SecurityMetrics
H@dfex 2015 malware analysis
Charles Lim
Billions & Billions of Logs
Jack Crook
Real World Application Threat Modelling By Example
NCC Group

Similar to A journey into Application Security

Protecting Agile Transformation through Secure DevOps (DevSecOps)
Eryk Budi Pratama
5 principles-securing-devops-veracode-whitepaper
wardell henley
Obsidian Agile DevOps
David A. Callner
Enabling Enterprises Adopt DevOps
WhiteHedge Technologies Inc.
DevOps introduction
Sridhara T V
DevOps Offerings at WhiteHedge
WhiteHedge Technologies Inc.
Dev ops
farzanehvar
Scrum and DevOps training
Alberto Gonzalez
Agile & DevOps - It's all about project success
Adam Stephensen
Successfully Implementing DEV-SEC-OPS in the Cloud
Amazon Web Services
Why Security Engineer Need Shift-Left to DevSecOps?
Najib Radzuan
An introduction to DevOps
Andrea Tino
SAST in the SDLC: Building a plan for 'going left'
WHSZachJones
Test Data Management and Its Role in DevOps
TechWell
AppSec How-To: Achieving Security in DevOps
Checkmarx
Agile or DevOps? What is Your Calling for Custom Software Development?
Jai Mehta
White paper quality at the speed of digital
rajni singh
Patterns and Practices of a Successful DevOps Transformation
Chef
Iac evolutions
Prancer Io
[Whitepaper] Culture of Security
Flevy.com Best Practices

More from Christian Martorella

OSINT 2.0 - Past, present and future
Christian Martorella
Offensive OSINT
Christian Martorella
Python for Penetration testers
Christian Martorella
Playing in a Satellite environment
Christian Martorella
A fresh new look into Information Gathering - OWASP Spain
Christian Martorella
2011 and still bruteforcing - OWASP Spain
Christian Martorella
All your data are belong to us - FIST Conference 2007
Christian Martorella
Principales vulnerabilidades en Aplicaciones Web - Rediris 2008
Christian Martorella
Tactical Information Gathering
Christian Martorella

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Ninety Percent of Everything: Inside Shipping, the Invisible Industry That Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate Rose George
(4/5)
Free
Carrying the Fire: 50th Anniversary Edition Michael Collins
(4.5/5)
Free
Island of the Lost: An Extraordinary Story of Survival at the Edge of the World Joan Druett
(4/5)
Free
The Basics of Bitcoins and Blockchains: An Introduction to Cryptocurrencies and the Technology that Powers Them (Cryptography, Derivatives Investments, Futures Trading, Digital Assets, NFT) Antony Lewis
(4/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Einstein's Fridge: How the Difference Between Hot and Cold Explains the Universe Paul Sen
(4.5/5)
Free
After Steve: How Apple Became a Trillion-Dollar Company and Lost its Soul Tripp Mickle
(4.5/5)
Free
The Quiet Zone: Unraveling the Mystery of a Town Suspended in Silence Stephen Kurczy
(4.5/5)
Free
The Wires of War: Technology and the Global Struggle for Power Jacob Helberg
(4/5)
Free
System Error: Where Big Tech Went Wrong and How We Can Reboot Rob Reich
(4.5/5)
Free
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
Liftoff: Elon Musk and the Desperate Early Days That Launched SpaceX Eric Berger
(5/5)
Free
The Science of Time Travel: The Secrets Behind Time Machines, Time Loops, Alternate Realities, and More! Elizabeth Howell
(3/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free

A journey into Application Security

  1. 1. A  Journey  into  Application   Security Christian  Martorella ISACA  Italy  2014 Venezia,  3rd October
  2. 2. Who  am  I • Principal  Program  Manager,  Product  Security Skype  – Microsoft • Edge-­‐Security:  Wfuzz,  theHarvester,  Metagoofil,  Webslayer • Presented  in  many  Security  conferences:  Hack.lu,  BlackhatArsenal,   Source,  OWASP  Summit,  OSIRA • CIS(A,M,SP),  OPS(T,A)  
  3. 3. My  background • Started  as  internal  security  auditor  (Offensive) • System  and  network  security  responsible  of  a  small  ISP  (Defensive) • Penetration  tester  -­‐>  Team  leader  (Offensive) • Practice  lead  for  Threat  and  Vulnerability  in  EMEA  (Offensive) • Product  Security  Analyst  in  Skype  (Defensive)
  4. 4. Introduction This presentation is about the evolution of software development and the relation with Applicationsecurity. How application security teams adapted over time and the challenges we are facing
  5. 5. Waterfall  development
  6. 6. Waterfall  development • Originated  from  the  manufacturing  and  construction  industries.   • Hardware  oriented  model  adapted  to  Software  development • Sequential  design  process • Introduced  by  Winston  Royce  in  the  ’70
  7. 7. Waterfall  development • Make  sure  each  phase  is  100%  complete  and  absolutely  correct   before  proceeding  to  the  next  phase • Emphasis  on  documentation • Project  span  across  long  period  of  time • Time  spent  early on  making  sure  requirements and  design are  correct saves  much  time  and  effort  later.
  8. 8. Application  Security Microsoft  Secure  Development  Lifecycle  (SDL) Set  of  software  development  process  improvements Born  in  2002  and  established  in  2004,  as  result  of  MS  Trustworthy  Computer   (TWC)  initiative. More  than  50%  less  vulnerabilities  in  shipped  code
  9. 9. SDL  Methodologies
  10. 10. SDL  evolution
  11. 11. Security  approach Influence  in  the  Design  phase: • All  functional  and  design  specifications,   regardless  of  document  size,  should   contain  a  section  describing  how  the  component  impacts  security • Threat  Modeling:  Understand  assets  to  protect,  threats  and  vulnerabilities   to   the  product  and  how  will  be  mitigated.  Critical  to  create  a  secure  software Most  important  phase  in  Waterfall
  12. 12. Security  approach Development  phase: Implement  security  tools:   • Static  analysis,  Banned  Apis,  FxCop,  /Analyze Implement  security  checklist Secure  coding  best  practices Verification  /  Release  phase: Fuzzing Verify  /  validate  Threat  Model Final  security  review  (FSR) Security  testing  by  another  team  or  third  party
  13. 13. Challenges • Lack  of  security  requirementsin  design  phase  will  make  it  difficult  to  add   them  in  later  stages • Non  iterative  nature  makes  difficult  to  fix  issues  identified  in  advanced   stages  of  development • Issues  detected  in  the  Final  review,  will  be  expensive  to  fix
  14. 14. Agile  development
  15. 15. Agile  development • Cross  functional  teams,  self  organizing • Short  time  boxed  development  iterations • Delivery  of  small  functional  stories • Listen  to  customer  needs  and  adapt • Usually  low  in  documentation
  16. 16. Agile  Manifesto Individuals  and  interactionsover  processes  and  tools Working  software  over  comprehensive  documentation Customer  collaboration  over  contract  negotiation Responding  to  change  over  following  a  plan That  is,  while  there  is  value  in  the  items  on the  right,  we  value  the  items  on  the  left  more.
  17. 17. Challenges • SDL  too  complex  to  fit  in  each  release/Sprint • Design,  requirements  evolve  over  time • New  interactions  with  third  parties  are  not  known  in  advance • Teams  usually  don’t  have  an  Application  Security  specialist • Teams  move  faster  than  Waterfall • New  code  is  being  pushed  to  production  every  week  or  even  days. • Low  on  documentation
  18. 18. SDL  for  Agile
  19. 19. SDL  for  Agile The  categorization  of  SDL  requirements  into: • every-­‐sprint • one-­‐time • Three  bucket  groups  (Verification,  design,  Response) is  the  SDL-­‐Agile  solution  for  dealing  with  SDL  in  Agile  environments
  20. 20. Recommendations • Training  the  teams  and  providing  them  with  tools  is  the  most   important  aspect  in  order  to  implement  SDL  in  Agile  teams • Security  specialist  assigned  to  a  few  teams,  to  provide  consultancy • Useful  to  participate  in  Sprint  planning  to  understand  what  is  going   on • Sprint  Security  Checklist  (FSR),  after  Sprint  planning • Get  familiar  with  Agile  tools,  backlog.
  21. 21. SDL  for  Agile • Continuous  Integration  (Automation):   Secure  Code  analysis Security  unit  test Vulnerability  scanning Secure  configuration
  22. 22. Happiness
  23. 23. Cloud  fotos
  24. 24. Cloud • “We  want  to  start  using  Cloud  services”
  25. 25. Challenges • Security  of  the  data • Security  of  the  servers • Who  is  responsible  for  the  servers • Where  is  the  data  located • Encryption  at  rest • Disks  reutilization
  26. 26. Security  Approach • New  Security  policy  for  Cloud  services • Security  Onboarding  for  teams • Inventory  of  cloud  services
  27. 27. DEVOPS
  28. 28. Why  Devops? • Continuous  software  delivery   • Faster  delivery  of  features • Faster  resolution  of  problems • Less  complex  problems  to  fix More  Deploys  Means  Faster  Time  to  Market  and  Continual  Improvement
  29. 29. Challenges • Rapid  releases  cycles  (every  day,  multiple  times  a  day) • Autonomous  teams   • Teams  are  doing  development  and  operations  now • Infrastructure  also  changes  fast
  30. 30. Development  cycles Waterfall Agile Devops
  31. 31. Surviving  Devops • Providing  security  training  to  teams • Provide  security  policies,  guidelines • Security  and  abuse  stories,  driven  by  business • Situational  awareness:   • What  do  we  have? • Changes,  alerts. • Attack  surface,  priorities
  32. 32. Surviving  Devops • Automation: • Integrate  testing  into  continuous  integration  and  release  process  (Chef  &   Puppet) • Integrate  and  extend  production  configuration  monitoring • Develop  your  own  security  testing  tools,  more  focused  and  adapted  to  your   particular  needs
  33. 33. Surviving  Devops Situational  awareness  &  Automation  example: -­‐Source  code  Product  attack  surface  analyzer,  alerts,  prioritization  of   efforts.   -­‐Internet  footprint,  scanning  and  inventory.  Updated  every  hour.
  34. 34. Surviving  Devops • Integrate  InfoSec  and  IR  into  the  Ops/Devs escalation  process • Harden  the  production  environment • Provide  guidelines/baselines   on  what  is  a  hardened  environment • Automate  hardening  (Chef/Puppet) • Tolerate  failure  in  production  environments  (Chaos  Monkey)
  35. 35. Surviving  Devops • Metrics:   • Identify  if  teams  are  repeating  certain  type  of  vulnerabilities,   train  them  to   prevent  repeating  again.   • Prioritize  training • Modify  policies  and  baselines • Tune  tools • Interact  more  closely  with  teams,  attend  to  standups • Be  more  flexible  and  adapt  to  team  processes   • mesh  with  the  unique  development  cultures  of  individual  teams
  36. 36. The  Future? Rugged  software “Rugged”  describes  software  development  organizations  which  have  a   culture  of  rapidly  evolving  their  ability  to  create  available,  survivable,   defensible,  secure,  and  resilient  software Rugged  is  NOT  a  technology,  process  model,  SDLC,  or  organizational   structure.  It’s  not  even  a  noun.
  37. 37. Rugged  software Rugged  describes  staying  ahead  of  the  threat  over  time “We  are  convinced  that  negative  and  reactive  approaches  to   application  security  cannot  scale  and  are  doomed  to  fail.  These   approaches  primarily  rely  on  finding  vulnerabilities  and  fixing  them.”
  38. 38. Rugged  Manifesto I  am  rugged  and,  more  importantly,  my  code  is  rugged. I  recognize  that  software  has  become  a  foundation  of  our  modern  world. I  recognize  the  awesome  responsibility   that  comes  with  this  foundational  role. I  recognize  that  my  code  will  be  used  in  ways  I  cannot  anticipate,  in  ways  it  was  not  designed,   and  for  longer  than  it  was  ever  intended. I  recognize  that  my  code  will  be  attacked  by  talented  and  persistent  adversaries  who  threaten   our  physical,  economic  and  national  security. I  recognize  these  things  – and  I  choose  to  be  rugged. I  am  rugged  because  I  refuse  to  be  a  source  of  vulnerability  or  weakness. I  am  rugged  because  I  assure  my  code  will  support  its  mission. I  am  rugged  because  my  code  can  face  these  challenges   and  persist  in  spite  of  them. I  am  rugged,  not  because  it  is  easy,  but  because  it  is  necessary  and  I  am  up  for  the  challenge.
  39. 39. Conclusion • Development  methodologies  and  processes  changed  considerably   over  time • More  things  happening  in  shorter  period  of  time • Security  tools  and  techniques  needs  to  adapt  to  this  situation • Automation  is  key  in  Devops environment • Security  professionals  need  to  be  flexible  and  engage  more  than  ever   with  development  teams
  40. 40. ?
  41. 41. Thank  you cmartorella@edge-­‐security.com
  42. 42. Resources • Microsoft  SDL  -­‐ http://www.microsoft.com/security/sdl/default.aspx • Rugged  Software  -­‐ https://www.ruggedsoftware.org/ • http://labs.securitycompass.com/appsec-­‐2/the-­‐cultural-­‐challenges-­‐of-­‐ application-­‐security/ • http://devops.com/features/the-­‐unexpected-­‐benefits-­‐of-­‐devops/ • http://newrelic.com/devops/benefits-­‐of-­‐devops

×