
Are You Ready for the Worst? Application Security Incident Response


Published on

No matter the size of your IT shop, if the first time you think about the security of the software is during a major incident, it’s not going to go well. I will teach developers and security teams to prepare for, manage, and hopefully prevent application security incidents. Starting with preparation: do you have a proper application inventory? How do you manage your technology stack? Disaster recovery? Backup strategy? Do you have a WAF? Monitoring? Tools that are at the ready when the s* hits the fan? During an incident: who’s managing the incident? Do you know? What is triage? Who does the investigation? Do you have a “safe” place to do potentially destructive testing? This talk outlines an immediate plan for the audience to get started, with a list of open source tools the security team and/or developers will use to ensure that they are ready for the worst.

Published in: Technology

Are You Ready for the Worst? Application Security Incident Response

  1. @SheHacksPurple
  2. Not even in the slightest.
  3. 1. Incident preparation, 2. During an incident
  4. This is me. I’m Tanya Janca. AKA: @SheHacksPurple
  5. This is me. I’m a Senior Cloud Developer Advocate at: What does THAT mean?
  6. This is me. I’m a Senior Cloud Developer Advocate. It means I help developers use our products more securely. I work to make security features easier to use. I provide feedback to make our products more secure. I do security research and share it with the community: security research such as this presentation, OWASP DevSlop, and much more.
  7. This is me. Application Security Evangelist
  9. This is me. Ethical hacker. I want to know how things work.
  10. This is me. I’m obsessed with OWASP! Open Web Application Security Project: an international non-profit that operates chapters, projects and conferences all over the globe, in efforts to help everyone create more secure software.
  11. This is me. OWASP Ottawa Chapter Leader
  12. This is me. OWASP DevSlop Project Leader
  13. This is me. Software Developer (since the late 90’s). That’s over 20 years! AHHHHHHHHHHHH!
  14. This is me. Goal: to change the way we make software so that the easiest way to do something is also the most secure way.
  15. Let’s do this.
  17. ’Pushing Left’ means doing security from the start, and continuing the whole way through: Requirements, Design, Code, Testing, Release.
  18. Incidents are the most expensive, embarrassing and damaging way to deal with a vulnerability. (Requirements, Design, Code, Testing, Release)
  20. A security event is when something strange has happened or you suspect something is wrong. A security incident is when you are certain something bad has happened or is happening. Example: you find your data for sale on the dark web. THAT is an incident!
  21. Incident response: an organized approach to addressing and managing the aftermath of a security breach or IT incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
  24. “An Ounce of Prevention is Worth a Pound of Cure”
  25. THIS IS NOT FINE! • Upgrade your frameworks!!!&$#(@#*~!!! • Patch your servers!!#&^$@#&!!!!! PLEASE. PLEASE. PLEASE.
  27. NIST SP 800-61r2, Computer Security Incident Handling Guide (Section 2.1): …ons/NIST.SP.800-61r2.pdf; SANS (pages 2-5): …room/whitepapers/incident/events-incidents-646
  30. Know your technology stack: • Programming Languages • APIs • Libraries • Server OS • Configurations • Firewall Rules • Inputs/outputs and integrations (No, seriously, you need to know all of this.)
  31. • Consider a threat feed • Follow the CCIRC RSS feed • Review CCIRC security bulletins and technical reports • US-CERT RSS • SWAMP-In-A-Box (more advanced)
  32. • Register for known software vendors’ RSS feeds: …vulnerability-feeds-form.php • Listen to podcasts, monitor Twitter InfoSec circles • Sign up for security and update notifications for every product and framework in your tech stack • Monitor recent breaches of other companies, to see if you can learn from them • Anything else you can think of
  33. Web Application Firewall
  34. What is a WAF? OSI Model; Traditional Firewall
  35. What is a WAF?
  36. • Firewalls • Admin Rights Lockdown • Malware Defenses/Antivirus • Perimeter Protections • Monitoring • Logging • IPS/IDS/HIPS • Etc.
  38. Tools: • Metasploit (for live exploits in the wild) • Nessus/Nexpose/OpenVAS • Burp Suite Pro & OWASP ZAP • Log viewer software • Don’t forget training and access!
  39. Logging: • If you write custom apps, they need to do logging. • Who: the system component or user that executed the event • What: event type • When: date/time stamp, IN UTC • Where: in what part of the app the event occurred • Successful/unsuccessful • Do not log sensitive info such as passwords, SINs, etc. • Logs need to be saved to a different server than your app, and preferably be consumable by the SIEM
  40. Have at the ready: • Database logs • Web server logs • Source code • Credentials • Log viewer software • Code review software • A safe place to do destructive testing • Other items mentioned on the Tools slide • Schedule fire drills to test access (creds, roles, etc.) • Documentation of where each tool is
  41. • Business Continuity Plan (basic risk management) • Backup locations? Cold, warm or hot? Cloudy? • What if critical infrastructure goes down? • Cell phones? Landlines? • “We’ll do it on paper”
  42. At least once per year
  43. Then beg people to fix what you found.
  44. • Secure Coding • Secure Design • Threat Modelling • Code Review • VAs & PenTests • Developer Education • So much more… Chat me up later about AppSec, this is my fav topic!
  45. “What now?”
  54. AppSec is HARD
  57. Twitter: @SheHacksPurple
  58. QUESTIONS? Tanya Janca: Cloud Developer Advocate, Microsoft; OWASP Ottawa Chapter Leader; OWASP DevSlop Project Leader; @SheHacksPurple
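Slide 39 lists what every custom application should put in its logs (who, what, when in UTC, where, success or failure) and what it must keep out (passwords, SINs). The block below is an added example, not code from the talk, showing one way to enforce those rules in a small audit-log helper: the field names, the `SENSITIVE_KEYS` set and the sample event are assumptions, and in production the logging handler would point at a separate log server or SIEM collector rather than stdout.

```python
"""Structured application audit logging: who / what / when (UTC) / where / outcome.

Added example (not from the talk). Sensitive fields are redacted before the record
is written, and each record is emitted as one JSON line so a SIEM can ingest it.
"""
import json
import logging
from datetime import datetime, timezone
from typing import Any, Dict, Optional

# Assumed set of keys whose values must never reach a log (compared case-insensitively).
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "sin", "ssn", "credit_card"}

# Stdout here for the demo; in production use a handler that ships to a different
# machine (syslog/SIEM collector) so an attacker on the app host cannot edit the logs.
logging.basicConfig(level=logging.INFO, format="%(message)s")
logger = logging.getLogger("appsec.audit")


def redact(details: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of details with sensitive values replaced by a marker."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v) for k, v in details.items()}


def security_event(who: str, what: str, where: str, success: bool,
                   details: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Build one record carrying the fields slide 39 asks for."""
    return {
        "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),  # always UTC
        "who": who,        # e.g. "user:alice" or "system:scheduler"
        "what": what,      # event type, e.g. "LOGIN"
        "where": where,    # part of the app, e.g. "auth.login"
        "outcome": "success" if success else "failure",
        "details": redact(details or {}),
    }


def log_security_event(who: str, what: str, where: str, success: bool,
                       details: Optional[Dict[str, Any]] = None) -> str:
    """Serialise the record as a single JSON line, emit it, and return the line."""
    line = json.dumps(security_event(who, what, where, success, details), sort_keys=True)
    logger.info(line)
    return line


if __name__ == "__main__":
    # Constructed sample: a failed login whose caller (wrongly) passed the password along.
    print(log_security_event("user:alice", "LOGIN", "auth.login", False,
                             {"password": "hunter2", "source_ip": "198.51.100.7"}))
```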