
Pushing Left, Like a Boss


With incident response and penetration testing currently receiving most of our application security dollars, it would appear that industry has decided to treat the symptom instead of the disease. “Pushing left” refers to starting security earlier in the SDLC; addressing the problem throughout the process. From scanning your code with a vulnerability scanner to red team exercises, developer education programs and bug bounties, this talk will show you how to ‘push left’, like a boss.

Published in: Technology


  1. Pushing Left, Like a Boss. Application Security Foundations. Tanya Janca, CEO and Co-Founder, Security Sidekick. @SheHacksPurple
  2. What is “Pushing Left”? If you imagine the SDLC written out on a piece of paper, the further left you go, the earlier you are in the System Development Life Cycle. ‘Pushing Left’ means the security team wants to be invited to the party earlier, and stay until the end. Requirements → Design → Code → Testing → Release
  3. What are we going to talk about today? The foundations of Application Security.
  4. This is me. I’m Tanya Janca, AKA @SheHacksPurple. WoSEC CEO & Co-Founder! I am bilingual.
  5. Let’s do this!
  6. @SheHacksPurple (no other text on this slide)
  7. The current state: Everyone is “getting hacked”.
  8. The current state: We’re looking the wrong way.
  9. @SheHacksPurple (no other text on this slide)
  10. The current state: Penetration Testing.
  11. The current state: CIA.
  12. What is “Pushing Left”? If you imagine the SDLC written out on a piece of paper, the further left you go, the earlier you are in the System Development Life Cycle. ‘Pushing Left’ means the security team wants to be invited to the party earlier, and stay until the end. Requirements → Design → Code → Testing → Release
  13. Pushing Left… Like a Boss!
  14. An AppSec Program: Main Course
  15. An AppSec Program: Main Course
      • Vulnerability (VA) Scans and Assessments
      • Threat Modeling
      • Secure Code Reviews (Static Code Analysis)
      • Penetration Tests (PenTests)
      • This applies to both Custom Apps and COTS
  16. An AppSec Program: The Gravy
  17. An AppSec Program: The Gravy
      • Educating Developers on Secure Coding Practices with workshops, talks, lessons
      • Secure Coding Standards
      • Responsible/Coordinated Disclosure
      • Secure code library and other reference materials, creating custom tools
  18. An AppSec Program: Dessert!
  19. An AppSec Program: Dessert!
      • Bug Bounty Programs
      • Capture The Flag (CTF) contests
      • Red Team Exercises
  20. The Big Question… How can YOU ‘push left’?
  21. YOU Pushing Left: Testing Your Code
  22. YOU Pushing Left: Testing Your Code
      • Most people use a web proxy security scanner to test their web applications
      • It sits between your browser and the internet
      • It will automate tests for you, tell you what to fix, and, if it's a good one, HOW to fix the issues
      • There are paid and free options available
      • Don't use a scanner on an app you don't have permission to test, it's illegal
  23. YOU Pushing Left: Testing Your Code. Caution
  24. YOU Pushing Left: Testing Your Code. Caution
      • Ensure you have permission from your boss before you start, there may be policies against it (ask the security team too!)
      • Be considerate, scanners can hog resources
      • Be careful, scanners can be destructive
      • Back up your data beforehand
      • This is an activity that requires some learning before you can start, to ensure you don't cause any damage or tick anyone off
      • Inform security when you start and finish
  25. YOU Pushing Left: Threat Modelling
  26. YOU Pushing Left: Threat Modelling
      • Figuring out negative use cases, and ways to defend against them
      • Basically a brainstorming session with programmers and security to figure out how someone may try to abuse your app
      • Search your code for these threats
      • Thinking like an adversary can not only uncover potential issues, it can be fun and educational.
  27. YOU Pushing Left: Reviewing your code
  28. YOU Pushing Left: Reviewing your code
      • Most people use a static code analyzer, but this can also be done manually
      • Search for your threat models
      • Even the most expensive tool produces many false positives; the 'work' in this exercise is figuring out what is a real issue and what is not
      • OWASP Dependency-Check
      • You can find more than just security bugs
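Slides 26 and 28 both say to take the threats from the brainstorming session and search your code for them, then do the real work of sorting real issues from false positives. The script below is an added example, not part of the deck and not a tool from the speaker or from OWASP: it is a deliberately small stand-in for a static analyzer that maps each threat to code patterns, scans a constructed sample source tree, and keeps reviewer-accepted hits in a separate "accepted" list rather than silently dropping them. The threat list, the sample files and the `# nosec-review:` suppression marker are all assumptions made up for this example; a real analyzer (and OWASP Dependency-Check for third-party libraries) goes far beyond regex matching, but the triage workflow is the same.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str         # negative use case named in the threat-modelling session
    patterns: tuple   # regexes for code that could realise that threat


@dataclass(frozen=True)
class Finding:
    threat: str
    path: str
    line: int
    text: str
    reason: str = ""  # set when a reviewer has accepted the risk on that line


# Threats from a hypothetical brainstorming session (constructed for this example).
THREATS = (
    Threat("SQL injection via string-built queries",
           (r'\.execute\(\s*f["\']', r'\.execute\(.*["\']\s*%', r'\.execute\(.*["\']\s*\+')),
    Threat("OS command injection",
           (r'shell\s*=\s*True', r'\bos\.system\(')),
    Threat("Arbitrary code execution via eval/exec",
           (r'\beval\(', r'\bexec\(')),
    Threat("Unsafe deserialisation of untrusted input",
           (r'\bpickle\.loads?\(', r'\byaml\.load\(')),
)

# Hypothetical review marker: the reviewer records WHY a hit is acceptable, inline.
SUPPRESS_RE = re.compile(r'#\s*nosec-review:\s*(\S.*)')

# Constructed sample source tree (not real project code).
SAMPLE_FILES = {
    "app/views.py": '''
import sqlite3, subprocess

def lookup(conn, user):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")  # user comes from the request
    return cur.fetchall()

def ping(host):
    return subprocess.run("ping -c1 " + host, shell=True)  # host comes from the request

def safe_lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))  # parameterised: no hit
    return cur.fetchall()
''',
    "tools/build.py": '''
import subprocess

def build():
    # fixed command string, no user input: reviewed and accepted
    return subprocess.run("make all", shell=True)  # nosec-review: constant command
''',
    "tests/test_eval.py": '''
def test_expr():
    assert eval("1 + 1") == 2  # test-only code; the tests/ path is allowlisted
''',
}


def scan_source(path, source, threats=THREATS):
    """Return one Finding per (threat, line) whose text matches one of the threat's patterns."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for threat in threats:
            if any(re.search(p, text) for p in threat.patterns):
                m = SUPPRESS_RE.search(text)
                findings.append(Finding(threat.name, path, lineno, text.strip(),
                                        m.group(1).strip() if m else ""))
    return findings


def triage(findings, allowed_prefixes=("tests/",)):
    """Split findings into open issues and ones already accepted by a reviewer
    (inline reason or allowlisted path). Accepted hits are kept so the audit trail survives."""
    open_, accepted = [], []
    for f in findings:
        (accepted if f.reason or f.path.startswith(allowed_prefixes) else open_).append(f)
    return open_, accepted


def review(files):
    """Scan every file in the tree and triage the combined findings."""
    findings = [f for path, src in files.items() for f in scan_source(path, src)]
    return triage(findings)


if __name__ == "__main__":
    open_, accepted = review(SAMPLE_FILES)
    for f in open_:
        print(f"OPEN      {f.path}:{f.line}  {f.threat}\n            {f.text}")
    for f in accepted:
        print(f"ACCEPTED  {f.path}:{f.line}  {f.threat}  ({f.reason or 'allowlisted path'})")
```

Running it reports the f-string query and the `shell=True` call in app/views.py as open, while the constant build command and the test-only `eval` land in the accepted list with the reason recorded. The point of keeping the accepted findings rather than deleting them is exactly the slide's "work": every suppression is a decision someone made, and it should be visible the next time the threat model changes.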
  29. YOU Pushing Left: Writing better code
  30. YOU Pushing Left: Writing better code
      • Train yourself on secure coding practices
      • There are many quality online resources, free and paid, as well as courses and conferences
      • Check online for the best and most secure way to do things, before you start coding
      • Become the security expert on your dev team, and help the rest of your team learn
  31. Resources: Open Web Application Security Project (OWASP). #OWASPlove https://owasp.org
  32. Women of Security welcomes you! @WoSECtweets. Countries: Canada, France, USA, India, Switzerland, Kenya, South Africa, Sweden, Spain. Chapters: Paris, Ottawa, San Francisco, Singapore, Dallas, Houston, Austin, Vancouver, Portland, Ottawa, Chicago, Bangalore, Boise, Montréal, Zurich, Nairobi, Johannesburg, Stockholm, Victoria, Milwaukee, Detroit, Denver, Barcelona, Madrid
  33. Resources: Mentoring Monday. #MentoringMonday, EVERY MONDAY
  34. Resources: ME! Twitter: @SheHacksPurple. https://medium.com/@SheHacksPurple https://dev.to/SheHacksPurple https://YouTube.com/SheHacksPurple https://mailchi.mp/e2ab45528831/shehackspurple
  35. Resources: Security Sidekick! Follow us? Twitter: @SecSideKick. SecuritySidekick.dev/blog/ https://www.youtube.com/channel/UC3KyuI83jt0l14q8xyffC2A
  36. Tanya Janca, Security Sidekick CEO and Co-Founder. @SheHacksPurple @SecSidekick @WoSECtweets
