This slide set describes developing an AppSec culture in your projects. It covers how to implement a security risk assessment program, threat modeling and security design, and tools for security automation.
2. A bit about Me
I’m a Senior Security Engineer & Pentester. I have nearly three years of experience in Information Security and Secure Software Development.
Educational Background
• BSc. Eng (Hons) in Computer Science and Engineering - University of Moratuwa, Sri Lanka
• MSc in Security Engineering (Reading) - University of Moratuwa, Sri Lanka
Certifications
• Web application Penetration Tester (eWPT) - eLearnSecurity (Certificate ID: EWPT-343)
• Certified Ethical Hacker (CEHv9) – EC-Council (Certification Number: ECC39012388466)
• Certified Information Security Expert (CISE) – Innobuzz (License Number: 30471)
3. Why is AppSec a major concern?
[Figure: web application attack statistics from https://www.akamai.com/ (2018/08/12 – 2018/08/19)]
4. Why do web application attacks occur?
Application Developers and QA Professionals Don’t Know Security
“As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.”
– Steve Carter
6. • Vulnerability Assessments – periodic assessments, once every quarter (recommended)
• Penetration Testing – twice a year
• Security Code Reviews – twice a year
9. Security in Agile
Security Sprint Approach
• Dedicated sprint focusing on application security
• Stories implemented are security related
• Code is reviewed
Every Sprint Approach
• Similar to Microsoft Security Development Lifecycle (SDL)
• Consists of the requirements and stories essential to security
• No software should ever be released without requirements being met
12. Threat modeling is a structured approach that enables you to identify, quantify, and address the security risks associated with an application.
Step 1: Diagrams
Step 2: Identify threats
Step 3: Determine countermeasures and mitigation
Step 4: Validate
16. Case Study:
• A Norway-based professional services company uses a software application that allows users to book professionals (electricians, plumbers) and request professional services through the company.
• They wanted a new feature in this application that allows users to upload and download property documents and maintenance documents. Access to these documents must be strictly restricted to the relevant users.
17. • Since last week, the dev team has been designing the new feature for the website that will enable authenticated users to upload and download property documents.
• The architects will reuse the existing infrastructure whenever possible (they already have user accounts).
• One of the board members got to know about these cyber attackers and the crazy attacks they perform, which can easily damage the business and its reputation.
18. • He also heard about threat modeling, which helps project teams identify major threats and take the necessary security measures before they even start implementation.
• He hired you to help the project team with this.
20. What can go wrong?
Microsoft’s STRIDE Model
• Spoofing - Impersonate a user
• Tampering - Maliciously modify persistent data, such as data in a database, or alter data in transit
• Repudiation - Perform an illegal action and deny it
• Information Disclosure - Read a file that one was not granted access to, or read data in transit
• Denial of Service - Deny access to valid users
• Elevation of Privilege - Gain privileged access or gain unauthorized access
Appsec plays a major role in the current cyber world.
LinkedIn breach – password cracking attacks.
A small breach can cause huge damage to the business.
We ignore security, and we don’t consider security as part of the business requirements.
Secure software development life cycle: security testing is part of that process.
If you have already built a software product, you have to establish a security assessment methodology.
3 popular assessment methodologies for security.
Impact – what are the consequences or damages if the vulnerability is exploited?
Likelihood – how easy it is to exploit the vulnerability (e.g. exploits available on the net).
How can you handle these security risks?
This can be done either at the beginning of software development or at the end.
What are the possible ways to break the system?
Once the basic threat agents and business impacts are understood, we should try to identify the set of controls that could prevent these threat agents from causing those impacts.
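The four threat modeling steps from the slides (diagram, identify threats, countermeasures, validate) and the Impact x Likelihood risk rating, applied to the case study's document upload/download feature as an added Python example that is not part of the slide deck. The element names, the STRIDE-per-element table defaults, the 1-5 scores and the controls are assumptions made for illustration.

```python
# Hypothetical STRIDE-per-element model of the case study's document
# upload/download feature; element names, scores and controls are assumed.
# Step 1 (diagram): elements and data flows. The browser->webapp flow
# crosses the trust boundary between the user's machine and the company.
ELEMENTS = {"browser": "external", "webapp": "process",
            "docstore": "store", "userdb": "store"}
FLOWS = [("browser", "webapp", True), ("webapp", "docstore", False),
         ("webapp", "userdb", False)]          # (source, dest, crosses)
# Classic STRIDE-per-element table: which categories apply to each kind.
S, T, R, I, D, E = ("Spoofing", "Tampering", "Repudiation",
                    "Information Disclosure", "Denial of Service",
                    "Elevation of Privilege")
APPLIES = {"external": {S, R}, "process": {S, T, R, I, D, E},
           "store": {T, R, I, D}, "flow": {T, I, D}}

def enumerate_threats(elements=ELEMENTS, flows=FLOWS):
    """Step 2: one candidate threat per (element, applicable category), scored
    Impact x Likelihood on assumed 1-5 scales: tampering with or disclosing a
    store is high impact, cross-boundary flows are easier to reach."""
    threats = []
    for name, kind in elements.items():
        for cat in sorted(APPLIES[kind]):
            threats.append({"target": name, "category": cat, "likelihood": 3,
                            "impact": 5 if kind == "store" and cat in (T, I) else 3})
    for src, dst, crosses in flows:
        for cat in sorted(APPLIES["flow"]):
            threats.append({"target": f"{src}->{dst}", "category": cat,
                            "impact": 3, "likelihood": 4 if crosses else 2})
    for t in threats:
        t["risk"] = t["impact"] * t["likelihood"]
    return sorted(threats, key=lambda t: -t["risk"])   # highest risk first

def release_gate(threats, controls, threshold=12):
    """Step 3/4: apply the countermeasure map and validate. Returns threats
    at or above the risk threshold with no control, i.e. the items that
    block release under the 'no release without requirements met' rule."""
    return [t for t in threats if t["risk"] >= threshold
            and (t["target"], t["category"]) not in controls]

# Step 3: assumed countermeasures, keyed by (target, STRIDE category).
CONTROLS = {
    ("docstore", I): "per-document authorisation check on every download",
    ("docstore", T): "server-side authorisation and validation on upload",
    ("browser->webapp", I): "TLS for all upload/download traffic",
    ("browser->webapp", T): "TLS plus server-side file validation",
}

if __name__ == "__main__":
    for t in release_gate(enumerate_threats(), CONTROLS):
        print(f"UNMITIGATED risk={t['risk']:>2} {t['target']} / {t['category']}")
```

Running it reports three open items: tampering and disclosure on the reused account database, which the controls never considered, and denial of service on the cross-boundary flow.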