The presentation by Narudom Roongsiriwong at the ASEAN IT Security Conference highlights the shift in attackers' focus towards applications, with increasing availability of exploit toolkits. Major breaches in 2015 targeted applications, revealing security weaknesses in most web and mobile apps. Key takeaways emphasize the importance of implementing proactive application security controls and frameworks, such as the OWASP Top 10 and Microsoft Security Development Lifecycle.

1. Application Security
Last Line of Defense
Narudom Roongsiriwong, CISSP
ASEAN IT Security Conference 2016
Critical C-Suite Security Knowledge Conference
July 27, 2016
The Westin Grande Sukhumvit, Bangkok, Thailand

2. About Me
• Head of IT Security and
Solution Architecture,
Kiatnakin Bank PLC (KKP)
• Consulting Team Member
for National e-Payment
project
• Consultant for OWASP
Thailand Chapter
• Committee Member of
Cloud Security Alliance
(CSA), Thailand Chapter.
narudom.roongsiriwong@owasp.org

3. Internet Lines of Defense
Source: IBM Software Group, Rational Software

4. Does Firewall Really Prevent the Intrusion?
Source: Jeremiah Grossman, BlackHat 2001

5. Does SSL/TLS Really Prevent the Intrusion?
Source: Jeremiah Grossman, BlackHat 2001

6. Attackers have shifted their focus to target
applications.
Improving user
accessibility and
ease of use also
increases ease of
access for
attackers.
Application
exploit toolkits
are increasingly
available on the
attack
marketplace.
Many major
breaches in 2015
targeted
applications.
Source: Cyber Risk Report 2016 highlights, Hewlett Packard Enterprise

7. Most Web And Mobile Apps Contain Security
Weaknesses that Can Open the Door to
Attackers.
Source: Cyber Risk Report 2016 highlights, Hewlett Packard Enterprise

8. Key Takeaways for Application Security
Source: Cyber Risk Report 2016 highlights, Hewlett Packard Enterprise

9. What Are Application Security Risks?
Source: OWASP: Open Web Application Security Project

10. www.owasp.org

11. OWASP Top 10 2013 Risk
Source: OWASP: Open Web Application Security Project

12. Security controls
cannot deal with
broken business logic
such as A2, A4 and A7
Software
weaknesses
reduction down to
zero is possible
Reduce Security Weaknesses vs Increase
Security Controls

13. So Where Do You Go from Here?

14. OWASP Top 10 Proactive Controls
C1: Verify for Security Early and Often
C2: Parameterize Queries
C3: Encode Data
C4: Validate All Inputs
C5: Implement Identity and
Authentication Controls
C6: Implement Appropriate Access
Controls
C7: Protect Data
C8: Implement Logging and Intrusion
Detection
C9: Leverage Security Frameworks and
Libraries
C10: Error and Exception Handling
https://www.owasp.org/index.php/OWASP_Proactive_Controls

15. Microsoft Security Development Lifecycle
https://www.microsoft.com/en-us/sdl

16. Software Assurance Maturity Model
Source: OWASP’s Software Assurance Maturity Model (OpenSAMM)
https://www.owasp.org/index.php/OpenSamm