Setting up a cost effective Application Security program from scratch by Tusnin Das

OWASP Delhi
Security Researcher at Adobe, Chapter Leader at OWASP & null
Dec. 5, 2015
Setting up a cost effective Application Security program from scratch by Tusnin Das
Setting up a cost effective Application Security program from scratch by Tusnin Das
Setting up a cost effective Application Security program from scratch by Tusnin Das
Setting up a cost effective Application Security program from scratch by Tusnin Das
Setting up a cost effective Application Security program from scratch by Tusnin Das
Setting up a cost effective Application Security program from scratch by Tusnin Das
Setting up a cost effective Application Security program from scratch by Tusnin Das
Setting up a cost effective Application Security program from scratch by Tusnin Das
Setting up a cost effective Application Security program from scratch by Tusnin Das
Setting up a cost effective Application Security program from scratch by Tusnin Das
Setting up a cost effective Application Security program from scratch by Tusnin Das
Setting up a cost effective Application Security program from scratch by Tusnin Das
Setting up a cost effective Application Security program from scratch by Tusnin Das
Setting up a cost effective Application Security program from scratch by Tusnin Das
1 of 14

Setting up a cost effective Application Security program from scratch by Tusnin Das

Dec. 5, 2015
Download to read offline
Technology

OWASP Delhi September Meet - Setting up a cost effective Application Security program from scratch by Tusnin Das

OWASP Delhi
Security Researcher at Adobe, Chapter Leader at OWASP & null

Recommended

SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital4.1K views1 slide
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey2.1K views29 slides
Waratek overview 2016Waratek overview 2016
Waratek overview 2016Waratek Ltd726 views18 slides
The Path to Proactive Application SecurityThe Path to Proactive Application Security
The Path to Proactive Application SecurityCigital1.1K views26 slides
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind SpotStatic Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind SpotCigital783 views27 slides
Waratek ISACA WebinarWaratek ISACA Webinar
Waratek ISACA WebinarWaratek Ltd848 views27 slides

More Related Content

Slideshows for you

8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack3.3K views30 slides
Owasp and friendsOwasp and friends
Owasp and friendsMažvydas Skuodas114 views45 slides
Kaseya Connect 2012 - Kaseya Security Solutions UpdateKaseya Connect 2012 - Kaseya Security Solutions Update
Kaseya Connect 2012 - Kaseya Security Solutions UpdateKaseya931 views14 slides
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon607 views15 slides
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityStephen de Vries4.3K views33 slides
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleJeff Williams1.3K views41 slides

Slideshows for you(20)

8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack3.3K views
Owasp and friendsOwasp and friends
Owasp and friends
Mažvydas Skuodas114 views
Kaseya Connect 2012 - Kaseya Security Solutions UpdateKaseya Connect 2012 - Kaseya Security Solutions Update
Kaseya Connect 2012 - Kaseya Security Solutions Update
Kaseya931 views
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon607 views
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries4.3K views
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams1.3K views
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions
Cigital803 views
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
Black Duck by Synopsys1.9K views
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Study
we45993 views
[OWASP Poland Day] Security in developer's life[OWASP Poland Day] Security in developer's life
[OWASP Poland Day] Security in developer's life
OWASP638 views
Manual Code ReviewManual Code Review
Manual Code Review
n|u - The Open Security Community2.6K views
API Security SurveyAPI Security Survey
API Security Survey
Imperva7.4K views
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case Study
Andy Hoernecke739 views
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec Teams
Dinis Cruz2.1K views
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
DevSecCon227 views
Testing Tools and TipsTesting Tools and Tips
Testing Tools and Tips
SoftServe363 views
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Salil Kumar Subramony2.2K views
RSA 2018- What’s Hot in the Cyber Security SpaceRSA 2018- What’s Hot in the Cyber Security Space
RSA 2018- What’s Hot in the Cyber Security Space
SBWebinars130 views
Hack through InjectionsHack through Injections
Hack through Injections
Nazar Tymoshyk, CEH, Ph.D.5.2K views
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai451 views

Viewers also liked

Ống kính và cảm biến trong hệ thống CCTVỐng kính và cảm biến trong hệ thống CCTV
Ống kính và cảm biến trong hệ thống CCTVPhuongVietCamera615 views12 slides
Lt+preschool+program+designLt+preschool+program+design
Lt+preschool+program+designkaylabfarley209 views6 slides
All consuming newsAll consuming news
All consuming newsJack740228 views5 slides
Roca bathroomRoca bathroom
Roca bathroomfountaindirect737 views12 slides
Lifestyle Holidays Vacation Club Announces Whale Season In The Dominican Repu...Lifestyle Holidays Vacation Club Announces Whale Season In The Dominican Repu...
Lifestyle Holidays Vacation Club Announces Whale Season In The Dominican Repu...Lifestyle Holidays Vacation Club357 views4 slides
Pop-Up the Ladder and Own a BarPop-Up the Ladder and Own a Bar
Pop-Up the Ladder and Own a BarTales of the Cocktail1.8K views60 slides

Viewers also liked(12)

Ống kính và cảm biến trong hệ thống CCTVỐng kính và cảm biến trong hệ thống CCTV
Ống kính và cảm biến trong hệ thống CCTV
PhuongVietCamera615 views
Lt+preschool+program+designLt+preschool+program+design
Lt+preschool+program+design
kaylabfarley209 views
All consuming newsAll consuming news
All consuming news
Jack740228 views
Roca bathroomRoca bathroom
Roca bathroom
fountaindirect737 views
Lifestyle Holidays Vacation Club Announces Whale Season In The Dominican Repu...Lifestyle Holidays Vacation Club Announces Whale Season In The Dominican Repu...
Lifestyle Holidays Vacation Club Announces Whale Season In The Dominican Repu...
Lifestyle Holidays Vacation Club357 views
Pop-Up the Ladder and Own a BarPop-Up the Ladder and Own a Bar
Pop-Up the Ladder and Own a Bar
Tales of the Cocktail1.8K views
Jeremiah Jones Resume SBAJeremiah Jones Resume SBA
Jeremiah Jones Resume SBA
Jeremiah "Jay" Jones421 views
Minority business solutionsMinority business solutions
Minority business solutions
Jack740183 views
Dealer direct iq the auto channelDealer direct iq the auto channel
Dealer direct iq the auto channel
bob gordon297 views
Healthync hospitalsHealthync hospitals
Healthync hospitals
Jack740210 views
Telecommuting 101 - Tips and Tricks for working from homeTelecommuting 101 - Tips and Tricks for working from home
Telecommuting 101 - Tips and Tricks for working from home
Seth Fendley256 views
Raport: poczucie atrakcyjności PolekRaport: poczucie atrakcyjności Polek
Raport: poczucie atrakcyjności Polek
esexy718 views

Similar to Setting up a cost effective Application Security program from scratch by Tusnin Das

Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyBlack Duck by Synopsys555 views30 slides
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen790 views38 slides
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Achim D. Brucker861 views39 slides
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOpsCYBRIC843 views27 slides
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Jeff Williams2.4K views25 slides
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityLarry Ball509 views11 slides

Similar to Setting up a cost effective Application Security program from scratch by Tusnin Das(20)

Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Black Duck by Synopsys555 views
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen790 views
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Achim D. Brucker861 views
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOps
CYBRIC843 views
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams2.4K views
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application Security
Larry Ball509 views
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
Marco Morana3.4K views
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
hearme limited company3.1K views
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
Prashanth B. P.258 views
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009
Security Ninja413 views
Why 'positive security' is a software security game changerWhy 'positive security' is a software security game changer
Why 'positive security' is a software security game changer
Jaap Karan Singh59 views
Assessing and Measuring Security in Custom SAP ApplicationsAssessing and Measuring Security in Custom SAP Applications
Assessing and Measuring Security in Custom SAP Applications
sebastianschinzel476 views
香港六合彩香港六合彩
香港六合彩
baoyin564 views
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group3.5K views
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
DevOps.com44 views
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Deborah Schalm399 views
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
DevOps for Enterprise Systems205 views
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
Mykhailo Antonishyn183 views
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best Practices
Black Duck by Synopsys603 views
Enterprise under attack dealing with security threats and complianceEnterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and compliance
SPAN Infotech (India) Pvt Ltd888 views

More from OWASP Delhi

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi649 views17 slides
Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeoverOWASP Delhi277 views22 slides
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report WritingOWASP Delhi623 views20 slides
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air GapOWASP Delhi311 views29 slides
UDP HunterUDP Hunter
UDP HunterOWASP Delhi102 views14 slides
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container EscapesOWASP Delhi337 views12 slides

More from OWASP Delhi(20)

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi649 views
Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeover
OWASP Delhi277 views
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report Writing
OWASP Delhi623 views
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air Gap
OWASP Delhi311 views
UDP HunterUDP Hunter
UDP Hunter
OWASP Delhi102 views
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container Escapes
OWASP Delhi337 views
Automating WAF using TerraformAutomating WAF using Terraform
Automating WAF using Terraform
OWASP Delhi388 views
Actionable Threat IntelligenceActionable Threat Intelligence
Actionable Threat Intelligence
OWASP Delhi260 views
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
OWASP Delhi1.2K views
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi4.4K views
Recon with Nmap Recon with Nmap
Recon with Nmap
OWASP Delhi1.7K views
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit Giri
OWASP Delhi211 views
DMARC OverviewDMARC Overview
DMARC Overview
OWASP Delhi1.3K views
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash Goel
OWASP Delhi305 views
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi5.9K views
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
OWASP Delhi148 views
IETF's Role and Mandate in Internet Governance by Mohit BatraIETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit Batra
OWASP Delhi516 views
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
OWASP Delhi507 views
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
OWASP Delhi1.5K views
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
OWASP Delhi429 views

Recently uploaded

AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...
AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...DianaGray1048 views38 slides
INASLA_AI and Landscape Architecture.pptxINASLA_AI and Landscape Architecture.pptx
INASLA_AI and Landscape Architecture.pptxJonathon Geels66 views26 slides
GDSC SRMCEM Info Session 2023GDSC SRMCEM Info Session 2023
GDSC SRMCEM Info Session 2023HariOM Dwivedi56 views8 slides
OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...
OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...takuyayamamoto180014 views25 slides
Generative AI PotentialGenerative AI Potential
Generative AI PotentialKapil Khandelwal (KK)25 views68 slides
An Introduction To Using ChatGPT For BusinessAn Introduction To Using ChatGPT For Business
An Introduction To Using ChatGPT For BusinessPaul Nguyen56 views25 slides

Recently uploaded(20)

AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...
AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...
DianaGray1048 views
INASLA_AI and Landscape Architecture.pptxINASLA_AI and Landscape Architecture.pptx
INASLA_AI and Landscape Architecture.pptx
Jonathon Geels66 views
GDSC SRMCEM Info Session 2023GDSC SRMCEM Info Session 2023
GDSC SRMCEM Info Session 2023
HariOM Dwivedi56 views
OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...
OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...
takuyayamamoto180014 views
Generative AI PotentialGenerative AI Potential
Generative AI Potential
Kapil Khandelwal (KK)25 views
An Introduction To Using ChatGPT For BusinessAn Introduction To Using ChatGPT For Business
An Introduction To Using ChatGPT For Business
Paul Nguyen56 views
Doorsvision-The-Future-of-Smart-Communities gama adj.pdfDoorsvision-The-Future-of-Smart-Communities gama adj.pdf
Doorsvision-The-Future-of-Smart-Communities gama adj.pdf
Mustafa Kuğu84 views
NoSQL Data Migration Masterclass - Session 1 Migration Strategies and ChallengesNoSQL Data Migration Masterclass - Session 1 Migration Strategies and Challenges
NoSQL Data Migration Masterclass - Session 1 Migration Strategies and Challenges
ScyllaDB53 views
Mitigating Common CloudStack Instance Deployment FailuresMitigating Common CloudStack Instance Deployment Failures
Mitigating Common CloudStack Instance Deployment Failures
ShapeBlue109 views
Future of Virtual realityFuture of Virtual reality
Future of Virtual reality
mdpavel413 views
NoSQL Database Migration Masterclass - Session 2: The Anatomy of a MigrationNoSQL Database Migration Masterclass - Session 2: The Anatomy of a Migration
NoSQL Database Migration Masterclass - Session 2: The Anatomy of a Migration
ScyllaDB31 views
Stanford AI Report 2023Stanford AI Report 2023
Stanford AI Report 2023
Kapil Khandelwal (KK)19 views
GDSC23 - Info Session GDSC KIET (1).pptxGDSC23 - Info Session GDSC KIET (1).pptx
GDSC23 - Info Session GDSC KIET (1).pptx
SnehaAggarwal40119 views
AWS Toolkit.pptxAWS Toolkit.pptx
AWS Toolkit.pptx
Brandon Minnick, MBA54 views
#11 DataWeave Extension Library using Visual Studio Code#11 DataWeave Extension Library using Visual Studio Code
#11 DataWeave Extension Library using Visual Studio Code
AnoopRamachandran1379 views
NTGapps DTB Platform.pdfNTGapps DTB Platform.pdf
NTGapps DTB Platform.pdf
Mustafa Kuğu165 views
AI and ML Series - Introduction to Generative AI and LLMs - Session 1AI and ML Series - Introduction to Generative AI and LLMs - Session 1
AI and ML Series - Introduction to Generative AI and LLMs - Session 1
DianaGray10179 views
Sell&Buy.pdfSell&Buy.pdf
Sell&Buy.pdf
Danielle9510955 views
What’s new in Kotlin 12-08-2023 Google IO Cairo 23What’s new in Kotlin 12-08-2023 Google IO Cairo 23
What’s new in Kotlin 12-08-2023 Google IO Cairo 23
Ahmed Nabil66 views
[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf
[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf
William Caban45 views

Setting up a cost effective Application Security program from scratch by Tusnin Das

  1. Enterprise Application Security Program : A cost-effective hack! Tusnin Das Ram Awasthi

  2. Ingredients of an Enterprise Application Security Program •SAST •DAST •Security Analyst •Reporting & Aggregation tools Application Vulnerability Management Security Operation (Application Level) •WAF •Log Monitoring

  3. Have you thought about the cost? SAST ,DAST & WAF COST YOU

  4. What do you do when you have nothing?

  5. What options do we have? SAST DAST Security Vulnerability Remediation Testing & Deployment Traditional Approach Our Approach Doing the right thing Across the application

  6. What does it mean? • Fix codes that result in security vulnerability (How do I identify that?) • Address it across the application with 100% coverage (Is it possible?) • Make it an iterative process

  7. how do we do it? Threat Modeling Address each category one by one Checklist • XSS • XSRF • SQL Injection • Privacy violation • Open redirects • Header Injection

  8. how to do it…continues Checklist Action SQL Injection Get rid of dynamic queries XSS Output encoding across the application XSRF •Identify forms •Implement page token Header Injection •Input validation •Output encoding Privacy violation Analyze DAR & DIM for sensitive data Open Redirects •Input validation •Output encoding Configuration & Deployment •Get rid of default configurations • Run dependency checker to identify vulnerable packages/ libraries

  9. how to do it…continues • The IDE is not just editor. It is a powerful search tool • Use the search and replace function for coverage • Use regex to optimize your search

  10. how to do it…almost there • Make it a part of your SDLC • Make it iterative • People dependent ..however can be scaled • Does it mean the applications do not have any more vulnerabilities after this exercise?

  11. In scope v/s out of scope In Scope Out of scope Code level flaws Session related flaws Business validation flaws

  12. Security Operations • Web Application Firewall (WAF) • Log Analysis

  13. Poor man’s arsenal • Mod Security WAF • ZAP Proxy / Burp Proxy • OWASP Dependency checker • ThreadFix • Bugzilla • Jenkins

  14. Wake up. It’s Over! Questions ?