2. Agenda
• Why listen to us?
• What is AppSec?
• Do I need AppSec?
• I want to but..
• Presenting Affordable AppSec
• Still got hit?
3. Why listen to us?
• No choice!
• We collectively represent the [OWASP + Null] Delhi/NCR Chapter’s Management Team.
• We are employed, so this is not a donation pitch!
• We know lots of bits about AppSec programs from current and past experience.
• Vendor-neutral recommendations.
4. What is AppSec?
• Application Security, or Software Security.
• Conducting security activities throughout the development cycle in an attempt to improve the product’s security assurance posture.
• Simply put: reducing the chance of breaches and hacks through exploitation of vulnerabilities in your codebase (and in the underlying CI/CD environment).
5. Do I need AppSec?
• Maybe not today, but eventually you will! Why?
  • Compliance or regulatory requirements.
  • Clients are increasingly demanding proof (supply chain assurance).
  • Reputational risk.
  • M&A mandate.
  • etc.
• “I’ll take care of it later then.”
  • Trash that philosophy, as it builds security debt. So?
  • It adds up and, when left unchecked, becomes difficult to manage.
  • Damage potential is directly proportional to it.
• So, start AppSec early to build a solid foundation!
6. I want to but..
• ..the list of things to be done is way too long.
• ..it’s an NFR (Non-Functional Requirement). Clients don’t really care.
• ..I’m a startup and could use the funds for something better.
• ..I’m on Agile: little time, 2-week sprints.
• ..I’m a CI/CD shop, Lean Startup (MVP), and deploy only 50 times a day.
7. Presenting Affordable AppSec
• Use the latest versions of 3rd-party components, esp. open-source ones.
  • OpenSSL. Remember Heartbleed (www.heartbleed.com) in 2014.
  • Are you still using one of the affected versions? E.g.: 1.0.1 – 1.0.1f
  • Are you using a really old (but unaffected) version and happy that you are secure? E.g.: 0.9.8
  • Use OWASP Dependency Check to simplify this process (https://www.owasp.org/index.php/OWASP_Dependency_Check).
• Use the security protections provided by application frameworks and security libraries. E.g.: Microsoft Anti-XSS library in .NET, jsoup whitelist sanitizer, OWASP’s ESAPI, etc.
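The two OpenSSL questions on this slide (are you in the affected range, or on a version so old that “unaffected” just means “unsupported”?) are the kind of check a dependency scanner automates. The script below is an added example, not code from the slides or from OWASP Dependency Check: it parses OpenSSL-style version strings (including the letter suffixes of the 1.0.x/0.9.x series), compares them against the Heartbleed range quoted on the slide, and flags anything below an assumed minimum-supported baseline. The advisory table, the `1.0.1g` baseline and the inventory rows are constructed for the demo.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Constructed advisory data for this demo. The Heartbleed-affected OpenSSL range
# (1.0.1 to 1.0.1f) is the one cited on the slide; the dict layout is an assumption,
# not the format of any real vulnerability feed.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "openssl": [("1.0.1", "1.0.1f")],
}

# Assumed minimum version your organisation still supports: anything older is
# flagged even when no known advisory covers it (the "old but unaffected" trap).
MINIMUM_SUPPORTED: Dict[str, str] = {
    "openssl": "1.0.1g",  # constructed baseline, set from your own support policy
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch[letters]' into a tuple that sorts in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, letters = m.groups()
    # OpenSSL 1.0.x/0.9.x used letter suffixes (a..z, then za, zb, ...); summing the
    # letter positions gives a value that increases in release order.
    suffix = sum(ord(ch) - ord("a") + 1 for ch in letters)
    return int(major), int(minor), int(patch), suffix


def assess(component: str, version: str) -> str:
    """Return 'vulnerable', 'outdated' or 'ok' for one component/version pair."""
    ver = parse_version(version)
    for low, high in AFFECTED_RANGES.get(component, []):
        if parse_version(low) <= ver <= parse_version(high):
            return "vulnerable"
    floor = MINIMUM_SUPPORTED.get(component)
    if floor is not None and ver < parse_version(floor):
        return "outdated"
    return "ok"


def scan_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group an inventory of (component, version) pairs by assessment result."""
    report: Dict[str, List[str]] = {"vulnerable": [], "outdated": [], "ok": []}
    for component, version in inventory:
        report[assess(component, version)].append(f"{component} {version}")
    return report


if __name__ == "__main__":
    # Constructed inventory: what a build's dependency list might look like.
    sample = [("openssl", "1.0.1e"), ("openssl", "0.9.8"), ("openssl", "1.0.1g")]
    for status, items in scan_inventory(sample).items():
        print(f"{status:>10}: {', '.join(items) or '-'}")
```

The point of the separate `outdated` bucket is the second question on the slide: a 0.9.8 build is not in the Heartbleed range, but it falls below the support floor and gets reported anyway, which is what a “we were unaffected” team needs to hear before a future advisory lands on a line nobody patches.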
8. Presenting Affordable AppSec (contd.)
• Learn about Proactive Security Controls – https://www.owasp.org/index.php/OWASP_Proactive_Controls
• Build them into your frameworks to create a secure-by-default state for developers. E.g.: preventing SQL injection by using parameterized queries.
• Invest in getting your developers regularly trained (and tested) on secure coding, and your QA team on security testing.
  • SAFECode’s Guidance for Agile Practitioners – http://www.safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf
  • OWASP Testing Guide – https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
9. Presenting Affordable AppSec (contd.)
• Deploy a WAF (Web Application Firewall). E.g.: ModSecurity.
• Use compiler security flags. E.g.: for buffer overflows in C/C++ (/gs, /nxcompat, /dep, /safeseh).
• Keep your servers (production, CI/CD, build, etc.) and dev tools patched. Why?
  • Network attacks – shells – oops!
  • The CI/CD pipeline gives an automated way to deploy changes to production.
• Talking about CI/CD..
  • Code-driven configuration management. E.g.: Puppet, Chef, Ansible.
  • Pen testing frameworks. E.g.: Gauntlt, Mittn.
10. Presenting Affordable AppSec (contd.)
• Manual code review of highly risky code – sensitive data, 3rd-party interaction, etc.
  • E.g.: Symantec Decomposer vulnerability (http://googleprojectzero.blogspot.in/2016/06/how-to-compromise-enterprise-endpoint.html).
  • Symantec runs their unpackers in the kernel – excessive privileges!
• Pre-deployment:
  • Internal CTF (Capture-The-Flag) contests, L1/L2 manual penetration tests.
  • Pre-deployment configuration checks. E.g.: <debug> tags.
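The `<debug>` tag check on this slide is a small thing to automate as a pipeline gate, and an automated gate is the only kind that survives 50 deploys a day. The script below is an added example, not code from the slides or any real tool: it walks an XML configuration, reports every `<debug>` element or `debug="..."` attribute that is switched on, and exposes a `release_ready()` gate for the pipeline. The sample configs are constructed in ASP.NET web.config style (`<compilation debug="true">` is a real ASP.NET setting; the `<logging><debug>` block and the function names are assumptions for the demo).

```python
import xml.etree.ElementTree as ET
from typing import List

TRUE_VALUES = {"true", "1", "on", "yes"}


def _local_name(tag: str) -> str:
    """Strip an XML namespace prefix such as '{urn:x}debug' down to 'debug'."""
    return tag.rsplit("}", 1)[-1]


def _is_true(value) -> bool:
    return value is not None and value.strip().lower() in TRUE_VALUES


def find_debug_settings(xml_text: str) -> List[str]:
    """Return the path of every <debug> element or debug="..." attribute that is switched on."""
    findings: List[str] = []

    def walk(elem: ET.Element, parent_path: str) -> None:
        path = f"{parent_path}/{_local_name(elem.tag)}"
        # Case 1: an element literally named <debug> whose text is a true-ish value.
        if _local_name(elem.tag).lower() == "debug" and _is_true(elem.text):
            findings.append(f"{path} = {elem.text.strip()}")
        # Case 2: any element carrying a debug="true" style attribute.
        for name, value in elem.attrib.items():
            if _local_name(name).lower() == "debug" and _is_true(value):
                findings.append(f"{path}[@{_local_name(name)}={value!r}]")
        for child in elem:
            walk(child, path)

    walk(ET.fromstring(xml_text), "")
    return findings


def release_ready(xml_text: str) -> bool:
    """Gate for a deployment pipeline: True only when no debug switch is left on."""
    return not find_debug_settings(xml_text)


# Constructed sample configs (ASP.NET web.config style for the first block).
DEV_CONFIG = """\
<configuration>
  <system.web>
    <compilation debug="true"/>
  </system.web>
  <logging>
    <debug>true</debug>
  </logging>
</configuration>
"""

PROD_CONFIG = DEV_CONFIG.replace('debug="true"', 'debug="false"').replace("<debug>true", "<debug>false")

if __name__ == "__main__":
    for name, cfg in (("dev", DEV_CONFIG), ("prod", PROD_CONFIG)):
        print(name, "release ready" if release_ready(cfg) else find_debug_settings(cfg))
```

Wire `release_ready()` into the CI job that promotes a build to production and fail the job on a `False`: the check then runs on every deploy rather than only when someone remembers the pre-deployment checklist.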
11. Still got hit?
• The measures described previously would significantly reduce the attack surface, but cannot make it zero. Why?
  • Not all complex attack scenarios or business logic flaws can be predicted.
• So, why spend time on AppSec?
  • ..to improve your chances by making you a less attractive target for attackers.
• Start AppSec early!