Pushing left like a boss - OWASP Version
With incident response and penetration testing currently receiving most of our application security dollars, it would appear that industry has decided to treat the symptom instead of the disease. "Pushing left" refers to starting security earlier in the SDLC, addressing the problem throughout the process. From scanning your code with a vulnerability scanner to red team exercises, developer education programs and bug bounties, this talk will show you how to 'push left', like a boss.

Published in: Technology
1. Pushing Left, Like a Boss: Application Security Foundations
   Tanya Janca, Tanya.Janca@owasp.org, OWASP Ottawa Chapter Leader, OWASP DevSlop Project Leader, @sheHacksPurple
2. About Me. Who am I? I'm Tanya Janca; application security evangelist, web application penetration tester and vulnerability assessor, trainer, public speaker, ethical hacker, OWASP Ottawa chapter leader, OWASP DevSlop project leader, effective altruist, software developer since the late '90s. I have been paid to be geeky for over 20 years! I want software to be more secure so that I can use the internet safely. Seriously.
3. The current state: Everyone is "getting hacked"
4. The current state: We're looking the wrong way.
5. What is "AppSec"? In plain English
6. The current state: Penetration Testing
7. The current state: CIA
8. About Me
9. Pushing Left, Like a Boss!
10. An AppSec Program: The Main Course
11. An AppSec Program: The Main Course
   • Vulnerability (VA) Scans and Assessments
   • Threat Modeling
   • Secure Code Reviews (Static Code Analysis)
   • Penetration Tests (PenTests)
   • This applies to both custom apps and COTS
12. An AppSec Program: The Gravy
13. An AppSec Program: The Gravy
   • Educating developers on secure coding practices with workshops, talks, lessons
   • Secure coding standards
   • Responsible/coordinated disclosure
   • Secure code library and other reference materials
14. An AppSec Program: Dessert!
15. An AppSec Program: Dessert!
   • Bug bounty programs
   • Capture The Flag (CTF) contests
   • Red team exercises
16. The big question…
17. YOU pushing left: testing your code
18. YOU pushing left: testing your code
   • Most people use a web proxy security scanner to test their web applications
   • It sits between your browser and the internet
   • It will automate tests for you, tell you what to fix, and, if it's a good one, HOW to fix the issues
   • There are paid and free options available
   • Don't use a scanner on an app you don't have permission to test; it's illegal
19. YOU pushing left: testing your code - CAUTION
20. YOU pushing left: testing your code - CAUTION
   • Ensure you have permission from your boss before you start; there may be policies against it (ask the security team too!)
   • Be considerate: scanners can hog resources
   • Be careful: scanners can be destructive
   • Back up your data beforehand
   • This is an activity that requires some learning before you can start, to ensure you don't cause any damage or tick anyone off
21. YOU Pushing Left: Threat Modelling
22. YOU Pushing Left: Threat Modelling
   • Figuring out negative use cases, and ways to defend against them
   • Basically a brainstorming session with programmers and security to figure out how someone may try to abuse your app
   • Search your code for these threats
   • Thinking like an adversary can not only uncover potential issues, it can be fun and educational
23. YOU Pushing Left: Reviewing your code
24. YOU Pushing Left: Reviewing your code
   • Most people use a static code analyzer, but this can also be done manually
   • Search for your threat models
   • Even the most expensive tool produces many false positives; the 'work' in this exercise is figuring out what is a real issue and what is not
   • OWASP Dependency-Check
   • You can find more than just security bugs
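Slides 22 and 24 describe searching your code for the threats you brainstormed and then separating real issues from false positives. The Python below is an added example, not code from the talk: it runs two hypothetical threat-model entries (T1, T2) as sink searches over a constructed three-file "code base", then applies a triage step that clears the parameterised query while keeping the two sinks that build strings from input.

```python
import re
from dataclasses import dataclass

# Constructed three-file "code base" standing in for a real project (not from the talk).
SAMPLE_FILES = {
    "search.py": 'def find(db, term):\n'
                 '    return db.execute("SELECT * FROM items WHERE name = \'" + term + "\'")\n',
    "report.py": 'def by_id(db, item_id):\n'
                 '    return db.execute("SELECT * FROM items WHERE id = ?", (item_id,))\n',
    "views.py":  'def render(user):\n'
                 '    return Markup("<b>" + user + "</b>")\n',
}

# Threat-model entries (hypothetical T1/T2) paired with the code sink each would need to reach.
THREAT_RULES = {
    "T1: SQL injection via user-controlled query text": re.compile(r"\.execute\((.*)\)"),
    "T2: XSS via HTML built from user input": re.compile(r"Markup\((.*)\)"),
}

@dataclass
class Finding:
    threat: str
    path: str
    line_no: int
    argument: str      # what was passed to the sink
    confirmed: bool = False

def raw_findings(files=SAMPLE_FILES):
    """Step 1, the mechanical part: report every line that reaches a sink, tool-style."""
    found = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for threat, pattern in THREAT_RULES.items():
                match = pattern.search(line)
                if match:
                    found.append(Finding(threat, path, line_no, match.group(1)))
    return found

def triage(findings):
    """Step 2, the human work: a sink fed a literal plus bound parameters is a false
    positive; a sink whose argument concatenates a variable into the literal is real."""
    for f in findings:
        f.confirmed = "+" in f.argument   # crude heuristic: string building at the sink
    return findings

def confirmed_paths(files=SAMPLE_FILES):
    """Files that still need a fix after triage."""
    return sorted({f.path for f in triage(raw_findings(files)) if f.confirmed})
```

The "+" heuristic is deliberately crude; the point is that the raw search reports three hits and only the review step tells you which two matter.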
25. YOU Pushing Left: Writing better code
26. YOU Pushing Left: Writing better code
   • Train yourself on secure coding practices
   • There are tons of quality online resources, free and paid, as well as courses and conferences
   • Check online for the best and most secure way to do things, before you start coding
   • Become the security expert on your dev team, and help the rest of your team learn
27. OWASP: Your new BFF
28. Open Web Application Security Project
29. Tanya Janca, Tanya.Janca@owasp.org, OWASP Ottawa Chapter Leader, OWASP DevSlop Project Leader, @SheHacksPurple
   ANY QUESTIONS?