David Lindner, profile picture
Uploaded byDavid Lindner
PDF, PPTX414 views

AppSec in an Agile World

The document discusses the integration of application security (AppSec) within Agile and DevOps methodologies, emphasizing the need for executive support, governance, and collaboration among teams. It outlines the transition from traditional waterfall development to Agile practices and highlights the importance of security tools and processes throughout the software development lifecycle. Key points include the necessity of threat modeling, secure design principles, and continuous security integration into development and deployment processes.

Embed presentation

Download as PDF, PPTX
AppSec in an Agile World Wednesday, May 16 11:00AM 2018 Secure360 Twin Cities @secure360 www.Secure360.orgfacebook.com/secure360 David Lindner
Who is this guy? class Speaker { let name = “David Lindner” let title = “Chief Strategy Officer” let company = ”nVisium" let twitter = “@golfhackerdave” var hobbies = [“Dadding”, ”Golf”, “IoT/Mobile”, “Fishing”] }
• Dev Types • Security and the SDLC • Integrating AppSec into Process Agenda
• Need for executive level support • Need for a program with governance, people, process, and tools • Collaborative relationships between teams • Authentication/Authorization, Input handing, crypto, logging… • Need for Threat Models, Secure Design, etc. • Still write code, for the most part… What hasn’t changed
• Architecture patterns • Development methodologies have changed • The speed of development/deployment • The need for tooling and automation has greatly increased • The infrastructure that applications live on • Who is responsible for the infrastructure What has changed
The Changing State of Development Waterfall Agile DevOps Monolithic Apps Physical Bare Metal Physical Bare Metal VMs Containers Public/Private N-Tier Apps Microservices & APIs
Waterfall 1. Concept 2. Requirements 3. Design 4. Code 5. Test 6. Deploy 7. Support (maybe)
• After development • Usually perform yearly assessments • Standalone tools • Manual assessments • Time consuming • No real understanding of current security posture Waterfall and Application Security
Agile 1. Design • Stories 2. Build 3. Test • Unit Tests • Security Tests 4. Release
• Early 1990s referred to as ”the application development crisis” • Time between business need and application was about 3 years • Snowbird meeting in Utah in 2001 • The Agile Manifesto Agile Development
• Many different methodologies • Extreme Programming (XP) • Scrum • Crystal • Dynamic Systems Development Method (DSDM) • Lean Development • Feature-Driven Development (FDD) • And more…. Agile Methodologies
Agile and Application Security
DevOps
DevOps
• Everyone is responsible for security • Security as code • Ensure data security DevSecOps
So you say security…..
Systems used to look like this Client (Web Browser) Web Application + Apache Tomcat Database Monolithic
• Authentication • Username • Password, MFA • Account Management • Authorization • Role-Based Access Control • Attribute-Based Access Control • Rule-Based Access Control • Input Handling • Test input for type, length, context • Output encode contextually • Privacy • Need to know access to customer/client data • Cryptography • Standard algorithms, strengths, and modes • What data to encrypt at rest/in transit • Third-party libraries • Maintain list of 3rd party dependencies • Monitor updates to known dependencies • Logging/Audit • Standard format • Criteria for what to/not to log and when • Criteria for who should review and when • Error and Exception Handling • Criteria for error messages (include/not include) • When to fail open/closed Security Standards should be technology agnostic. They should be fairly static, however, if vulnerabilities are found without a matching standard, consider updating them. Security Standards
• Understand the inherent risk of an application • Prioritize resources and security investments • Gain a better understanding of the risk presented by the applications • Process for completion and maintenance of application catalog • Inherent Risk “…is an assessed level of raw or untreated risk; that is, the natural level of risk inherent in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap, or the amount of risk before the application of the risk reduction effects of controls.” Gregory Monahan (2008). Enterprise Risk Management: A Methodology for Achieving Strategic Objectives. John Wiley & Sons. • 20-25 Question survey to measure: • People • Process • Infrastructure • Data Application Risk Categorization
• Least-Privilege • Default-Deny • Economy of Mechanism • Complete Mediation • Open Design • Separation of Concern • Least Common Mechanism • Psychological Acceptability • Defense-in-Depth • And more… Secure Design Principles Resources: OWASP Security by Design Principles https://www.owasp.org/index.php/Security_by_Design_Principles IEEE Avoiding Common Security Design Flaws http://www.computer.org/cms/CYBSI/docs/Top-10-Flaws.pdf
Threat Modeling
• Scoping and Rules of Engagement • In scope and out of scope targets • Contact information • Debriefing schedule Scoping and Rules of Engagement Pre- engagement and Recon Vulnerability Analysis Exploitation and Post Exploitation Reporting Testing and Verification
• Pre-engagement and Recon • Black box or white box? • Permission to test all in scope targets? • OSINT and Recon Testing and Verification Scoping and Rules of Engagement Pre- engagement and Recon Vulnerability Analysis Exploitation and Post Exploitation Reporting
• Vulnerability Analysis • Tools • Manual discovery Testing and Verification Scoping and Rules of Engagement Pre- engagement and Recon Vulnerability Analysis Exploitation and Post Exploitation Reporting
• Exploitation and Post Exploitation • Create or recreate any exploits • Document exploits • Perform agreed upon level of post exploit activities • Clean up exploit data Testing and Verification Scoping and Rules of Engagement Pre- engagement and Recon Vulnerability Analysis Exploitation and Post Exploitation Reporting
• Reporting • When and how long was the testing • What process was followed • What was found and what are the risk levels • How can issues be recreated • How can issues be fixed Testing and Verification Scoping and Rules of Engagement Pre- engagement and Recon Vulnerability Analysis Exploitation and Post Exploitation Reporting
• Do you know what code is in your applications and who put it there and when? • Intentional malicious code • Unintentional malicious code • Open Source with unfriendly licensing • Dependency Squatting • Embarrassed Developer Software Integrity
• Git • Build a process to review with pull requests • Restrict access to the Master branch (If not Github, make the Git repo only writeable by one user, and make it readable by all others. That way they can fork and issue a PR to the master.) • Provide reviewers with review baseline • Sign commits with PGP • Ensure that all users are only internal accounts • If using GitHub, ensure that SSH keys are not shared across accounts. • Standard Review Baseline • Develop a baseline to review commits • Certain functions, keywords, size • Initially not all commits would need to be reviewed • Automate many checks in later phases • Code Signing • Verify code is what it should be • Verifiable update mechanism • Do you check for signature? • Hash? Software Integrity Examples
Security Tooling • Static Code Analysis § FindSecurityBugs § Brakeman § ESLint § Phan § etc • Dynamic Scanning § ZAP § BurpSuite § Sqlmap § ssllabs-scan
Security Tooling • Dependency Mgmt § Dependency Check § Bundler-Audit § Retire.js • IDE Plugins § DevSkim § FindSecurityBugs § Puma Scan § Sonar Lint
• Secure DevOps Toolchain and SWAT • https://www.sans.org/security-resources/posters/appsec/secure-devops- toolchain-swat-checklist-60 Security Tooling
• So we have all these security practices…. • How do we go from Waterfall AppSec to a more continuous security model? • Tools are only so good • False Positives • Can’t handle assessing Access Control or Environmental controls • Manual is normally slow and a hindrance What’s Next?
Continuous Integration What problem does CI solve?
• Not Continuous Deployment • All changes “could” go to production but may not • How can we provide security benefit with CD? Continuous Delivery
Building a Secure CI/CD Pipeline
Discovery • Review what you have, what you want to do, what tools work best for you • Make it an interactive process with artifact reviews, face to face conversations, white boarding
Integrate Teams
Implement Automation • Use CI triggers to determine when scanning activity is required • Work with development teams to implement unit-tests in the language or testing framework already in use • Determine how best to utilize messaging services, notify the security teams as to when scans begin and when the results should be reviewed
Automation Develop Test Build Security Deploy
Determine Risk and Actions Risk Rating Testing Method Action Taken High, Medium, Low Unit-Tests (All environments) Failing unit-tests should mean that code will not be deployed until all the unit-tests pass, whether or not the unit-test fails because it is broken or because the application is vulnerable. High, Medium Dynamic Scanning - Production Env Code should not enter production. The security team should be notified immediately. Low Dynamic Scanning - Production Env Remediation should be prioritized by an agreed timeline between the security team and product managers. High, Medium, Low Dynamic Scanning - Alpha Env Unless the vulnerability is a known false positive or an issue that the security team has accepted as a necessary risk, the code triggering new issues should be resolved prior to moving any further in the development pipeline.
Security Implementation • Integrate security testing into automation • Create a system with early detection and efficient remediation of security vulnerabilities that are part of the development process • Eliminate existing duplicate dependencies in order to de- duplicate outstanding tickets and updated outstanding tickets in JIRA.
• Current security issues • With details • Fixed issues • New threats • All tracked in bug tracker Issue Tracking
OLD Security and the SDLC
OLD SDLC and Security Process The old way to do it was to have a separate SDLC and security process with different tracking systems. Who still does this? UX Workflow Design Coding Testing QA SDLC Bug Tracker Report Scope Recon Analyze Exploit Document Security Security Issues Tracker
• What is your application’s current security posture? • What is current? 1 year? 1 month? 1 day? Current Security Posture?
• Scrum • Analysis • Planning • Design • Coding • Testing • Releases NEW Secure SDLC Process Integrate security into a defined process, don’t attempt to create a parallel security process. Many activities within the SDLC process simply need to be done with a security mindset, checklist, guide, or similar support. Business Analysis Define User Stories Refine Feature List -Business Requirements -User Requirements -Estimate -Scoping Sprint Planning Meeting Daily Work Sprint Review UX Workflow Design Coding Testing QA SDLC Threat Modeling Secure Design Principles IDE Tooling Security Automation Change Management Defect Tracker
• What is your application’s current security posture? • What is current? 1 year? 1 month? 1 day? Current Security Posture?
Process Integration Application Security is not a unicorn
Process Integration – Risks of Gating
Process Integration Integrate into the processes and existing workflows. If they don’t exist, help create them. Design Design Review Code Review Test Deploy
Relationships & Collaboration
What did we learn? • Application Security is hard, but we need to keep trying • There is no easy button or one stop shop for everything you may need • Every org has different needs and requirements • We all need to work together
@secure360 www.Secure360.orgfacebook.com/secure360 david.lindner@nvisium.com @golfhackerdave https://linkedin.com/in/dlindner Questions?

More Related Content

PDF
The Joy of Proactive Security
byAndy Hoernecke
 
PPTX
Static Analysis Security Testing for Dummies... and You
byKevin Fealey
 
PPTX
Application Security Logging with Splunk using Java
byRobert Grupe, CSSLP CISSP PE PMP
 
PDF
Proactive Security AppSec Case Study
byAndy Hoernecke
 
ODP
Effective DevSecOps
byPawel Krawczyk
 
PDF
Shmoocon 2015 - httpscreenshot
byjstnkndy
 
PDF
Evil User Stories - Improve Your Application Security
byAnne Oikarinen
 
PPTX
Security as a new metric for Business, Product and Development Lifecycle
byNazar Tymoshyk, CEH, Ph.D.
 
The Joy of Proactive Security
byAndy Hoernecke
 
Static Analysis Security Testing for Dummies... and You
byKevin Fealey
 
Application Security Logging with Splunk using Java
byRobert Grupe, CSSLP CISSP PE PMP
 
Proactive Security AppSec Case Study
byAndy Hoernecke
 
Effective DevSecOps
byPawel Krawczyk
 
Shmoocon 2015 - httpscreenshot
byjstnkndy
 
Evil User Stories - Improve Your Application Security
byAnne Oikarinen
 
Security as a new metric for Business, Product and Development Lifecycle
byNazar Tymoshyk, CEH, Ph.D.
 

What's hot

PPTX
Secure coding practices
byMohammed Danish Amber
 
PPTX
Agile and Secure SDLC
byNazar Tymoshyk, CEH, Ph.D.
 
PPTX
Continuous and Visible Security Testing with BDD-Security
byStephen de Vries
 
PPTX
Red7 SSDLC Introduction: Building Secure Web and Mobile Applications
byRobert Grupe, CSSLP CISSP PE PMP
 
PDF
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
byKyle Lai
 
PDF
"CERT Secure Coding Standards" by Dr. Mark Sherman
byRinaldi Rampen
 
PPSX
Agile AppSec DevOps
byRobert Grupe, CSSLP CISSP PE PMP
 
PDF
Shift Left Security
bygjdevos
 
PPTX
Hack through Injections
byNazar Tymoshyk, CEH, Ph.D.
 
PDF
What Every Developer And Tester Should Know About Software Security
byAnne Oikarinen
 
PDF
Open Source Security for Newbies - Best Practices
byBlack Duck by Synopsys
 
PDF
Devops security-An Insight into Secure-SDLC
bySuman Sourav
 
PPTX
Agile and Secure Development
byNazar Tymoshyk, CEH, Ph.D.
 
PPTX
Web Application Security: Beyond PEN Testing
byRobert Grupe, CSSLP CISSP PE PMP
 
PDF
SecurityBSides London - Agnitio: it's static analysis but not as we know it
bySecurity Ninja
 
PDF
Scalable threat modelling with risk patterns
byStephen de Vries
 
PPTX
OWASP Top 10 practice workshop by Stanislav Breslavskyi
byNazar Tymoshyk, CEH, Ph.D.
 
PPTX
The path of secure software by Katy Anton
byDevSecCon
 
ODP
DevOps, CLI, APIs, Oh My! Security Gone Agile
byMatt Tesauro
 
PDF
Are Agile And Secure Development Mutually Exclusive?
bySource Conference
 
Secure coding practices
byMohammed Danish Amber
 
Agile and Secure SDLC
byNazar Tymoshyk, CEH, Ph.D.
 
Continuous and Visible Security Testing with BDD-Security
byStephen de Vries
 
Red7 SSDLC Introduction: Building Secure Web and Mobile Applications
byRobert Grupe, CSSLP CISSP PE PMP
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
byKyle Lai
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
byRinaldi Rampen
 
Agile AppSec DevOps
byRobert Grupe, CSSLP CISSP PE PMP
 
Shift Left Security
bygjdevos
 
Hack through Injections
byNazar Tymoshyk, CEH, Ph.D.
 
What Every Developer And Tester Should Know About Software Security
byAnne Oikarinen
 
Open Source Security for Newbies - Best Practices
byBlack Duck by Synopsys
 
Devops security-An Insight into Secure-SDLC
bySuman Sourav
 
Agile and Secure Development
byNazar Tymoshyk, CEH, Ph.D.
 
Web Application Security: Beyond PEN Testing
byRobert Grupe, CSSLP CISSP PE PMP
 
SecurityBSides London - Agnitio: it's static analysis but not as we know it
bySecurity Ninja
 
Scalable threat modelling with risk patterns
byStephen de Vries
 
OWASP Top 10 practice workshop by Stanislav Breslavskyi
byNazar Tymoshyk, CEH, Ph.D.
 
The path of secure software by Katy Anton
byDevSecCon
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
byMatt Tesauro
 
Are Agile And Secure Development Mutually Exclusive?
bySource Conference
 

Similar to AppSec in an Agile World

PPTX
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
PDF
ProdSec: A Technical Approach
byJeremy Brown
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PDF
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
PDF
An Introduction to Secure Application Development
byChristopher Frenz
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPT
Software Security Engineering
byMarco Morana
 
PPTX
Дмитро Терещенко, "How to secure your application with Secure SDLC"
bySigma Software
 
PDF
Agile Application Security Enabling Security in a Continuous Delivery Pipelin...
bypiggsadamiso
 
ODP
Making security-agile matt-tesauro
byMatt Tesauro
 
PPTX
Assessing System Risk the Smart Way
bySecurity Innovation
 
PPTX
Reduce Third Party Developer Risks
byKevo Meehan
 
PDF
Arved sandstrom - the rotwithin - atlseccon2011
byAtlantic Security Conference
 
PDF
AppSec How-To: Achieving Security in DevOps
byCheckmarx
 
PPTX
5 Ways to Reduce 3rd Party Developer Risk
bySecurity Innovation
 
PDF
How to adapt the SDLC to the era of DevSecOps
byZane Lackey
 
PDF
Managing Application Security Risk in Enterprises - Thoughts and recommendations
byThierry Zoller
 
PPT
Intro to-ssdl--lone-star-php-2013
bynanderoo
 
PPT
Software Security in the Real World
byMark Curphey
 
PDF
Including security in devops
byJérémy Matos
 
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
ProdSec: A Technical Approach
byJeremy Brown
 
Software security engineering
byAHM Pervej Kabir
 
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
An Introduction to Secure Application Development
byChristopher Frenz
 
Software security engineering
byAHM Pervej Kabir
 
Software Security Engineering
byMarco Morana
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
bySigma Software
 
Agile Application Security Enabling Security in a Continuous Delivery Pipelin...
bypiggsadamiso
 
Making security-agile matt-tesauro
byMatt Tesauro
 
Assessing System Risk the Smart Way
bySecurity Innovation
 
Reduce Third Party Developer Risks
byKevo Meehan
 
Arved sandstrom - the rotwithin - atlseccon2011
byAtlantic Security Conference
 
AppSec How-To: Achieving Security in DevOps
byCheckmarx
 
5 Ways to Reduce 3rd Party Developer Risk
bySecurity Innovation
 
How to adapt the SDLC to the era of DevSecOps
byZane Lackey
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
byThierry Zoller
 
Intro to-ssdl--lone-star-php-2013
bynanderoo
 
Software Security in the Real World
byMark Curphey
 
Including security in devops
byJérémy Matos
 

Recently uploaded

PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
DOCX
Cloud Security, Serverless Security. Cybersecurity
byEdcelPacayraDuena
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
The Landscape of Computer Software Development Companies
byYash Singh
 
software-security-intro in information security.ppt
byismaeelsahib032
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
The year in review - MarvelClient in 2025
bypanagenda
 
Cloud Security, Serverless Security. Cybersecurity
byEdcelPacayraDuena
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 

AppSec in an Agile World

  • 1.
    AppSec in an AgileWorld Wednesday, May 16 11:00AM 2018 Secure360 Twin Cities @secure360 www.Secure360.orgfacebook.com/secure360 David Lindner
  • 2.
    Who is thisguy? class Speaker { let name = “David Lindner” let title = “Chief Strategy Officer” let company = ”nVisium" let twitter = “@golfhackerdave” var hobbies = [“Dadding”, ”Golf”, “IoT/Mobile”, “Fishing”] }
  • 3.
    • Dev Types •Security and the SDLC • Integrating AppSec into Process Agenda
  • 4.
    • Need forexecutive level support • Need for a program with governance, people, process, and tools • Collaborative relationships between teams • Authentication/Authorization, Input handing, crypto, logging… • Need for Threat Models, Secure Design, etc. • Still write code, for the most part… What hasn’t changed
  • 5.
    • Architecture patterns •Development methodologies have changed • The speed of development/deployment • The need for tooling and automation has greatly increased • The infrastructure that applications live on • Who is responsible for the infrastructure What has changed
  • 6.
    The Changing Stateof Development Waterfall Agile DevOps Monolithic Apps Physical Bare Metal Physical Bare Metal VMs Containers Public/Private N-Tier Apps Microservices & APIs
  • 7.
    Waterfall 1. Concept 2. Requirements 3.Design 4. Code 5. Test 6. Deploy 7. Support (maybe)
  • 8.
    • After development •Usually perform yearly assessments • Standalone tools • Manual assessments • Time consuming • No real understanding of current security posture Waterfall and Application Security
  • 9.
    Agile 1. Design • Stories 2.Build 3. Test • Unit Tests • Security Tests 4. Release
  • 10.
    • Early 1990sreferred to as ”the application development crisis” • Time between business need and application was about 3 years • Snowbird meeting in Utah in 2001 • The Agile Manifesto Agile Development
  • 11.
    • Many differentmethodologies • Extreme Programming (XP) • Scrum • Crystal • Dynamic Systems Development Method (DSDM) • Lean Development • Feature-Driven Development (FDD) • And more…. Agile Methodologies
  • 12.
  • 13.
  • 14.
  • 15.
    • Everyone isresponsible for security • Security as code • Ensure data security DevSecOps
  • 16.
    So you saysecurity…..
  • 17.
    Systems used tolook like this Client (Web Browser) Web Application + Apache Tomcat Database Monolithic
  • 19.
    • Authentication • Username •Password, MFA • Account Management • Authorization • Role-Based Access Control • Attribute-Based Access Control • Rule-Based Access Control • Input Handling • Test input for type, length, context • Output encode contextually • Privacy • Need to know access to customer/client data • Cryptography • Standard algorithms, strengths, and modes • What data to encrypt at rest/in transit • Third-party libraries • Maintain list of 3rd party dependencies • Monitor updates to known dependencies • Logging/Audit • Standard format • Criteria for what to/not to log and when • Criteria for who should review and when • Error and Exception Handling • Criteria for error messages (include/not include) • When to fail open/closed Security Standards should be technology agnostic. They should be fairly static, however, if vulnerabilities are found without a matching standard, consider updating them. Security Standards
  • 20.
    • Understand theinherent risk of an application • Prioritize resources and security investments • Gain a better understanding of the risk presented by the applications • Process for completion and maintenance of application catalog • Inherent Risk “…is an assessed level of raw or untreated risk; that is, the natural level of risk inherent in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap, or the amount of risk before the application of the risk reduction effects of controls.” Gregory Monahan (2008). Enterprise Risk Management: A Methodology for Achieving Strategic Objectives. John Wiley & Sons. • 20-25 Question survey to measure: • People • Process • Infrastructure • Data Application Risk Categorization
  • 21.
    • Least-Privilege • Default-Deny •Economy of Mechanism • Complete Mediation • Open Design • Separation of Concern • Least Common Mechanism • Psychological Acceptability • Defense-in-Depth • And more… Secure Design Principles Resources: OWASP Security by Design Principles https://www.owasp.org/index.php/Security_by_Design_Principles IEEE Avoiding Common Security Design Flaws http://www.computer.org/cms/CYBSI/docs/Top-10-Flaws.pdf
  • 22.
  • 23.
    • Scoping andRules of Engagement • In scope and out of scope targets • Contact information • Debriefing schedule Scoping and Rules of Engagement Pre- engagement and Recon Vulnerability Analysis Exploitation and Post Exploitation Reporting Testing and Verification
  • 24.
    • Pre-engagement andRecon • Black box or white box? • Permission to test all in scope targets? • OSINT and Recon Testing and Verification Scoping and Rules of Engagement Pre- engagement and Recon Vulnerability Analysis Exploitation and Post Exploitation Reporting
  • 25.
    • Vulnerability Analysis •Tools • Manual discovery Testing and Verification Scoping and Rules of Engagement Pre- engagement and Recon Vulnerability Analysis Exploitation and Post Exploitation Reporting
  • 26.
    • Exploitation andPost Exploitation • Create or recreate any exploits • Document exploits • Perform agreed upon level of post exploit activities • Clean up exploit data Testing and Verification Scoping and Rules of Engagement Pre- engagement and Recon Vulnerability Analysis Exploitation and Post Exploitation Reporting
  • 27.
    • Reporting • Whenand how long was the testing • What process was followed • What was found and what are the risk levels • How can issues be recreated • How can issues be fixed Testing and Verification Scoping and Rules of Engagement Pre- engagement and Recon Vulnerability Analysis Exploitation and Post Exploitation Reporting
  • 28.
    • Do youknow what code is in your applications and who put it there and when? • Intentional malicious code • Unintentional malicious code • Open Source with unfriendly licensing • Dependency Squatting • Embarrassed Developer Software Integrity
  • 29.
    • Git • Builda process to review with pull requests • Restrict access to the Master branch (If not Github, make the Git repo only writeable by one user, and make it readable by all others. That way they can fork and issue a PR to the master.) • Provide reviewers with review baseline • Sign commits with PGP • Ensure that all users are only internal accounts • If using GitHub, ensure that SSH keys are not shared across accounts. • Standard Review Baseline • Develop a baseline to review commits • Certain functions, keywords, size • Initially not all commits would need to be reviewed • Automate many checks in later phases • Code Signing • Verify code is what it should be • Verifiable update mechanism • Do you check for signature? • Hash? Software Integrity Examples
  • 30.
    Security Tooling • StaticCode Analysis § FindSecurityBugs § Brakeman § ESLint § Phan § etc • Dynamic Scanning § ZAP § BurpSuite § Sqlmap § ssllabs-scan
  • 31.
    Security Tooling • DependencyMgmt § Dependency Check § Bundler-Audit § Retire.js • IDE Plugins § DevSkim § FindSecurityBugs § Puma Scan § Sonar Lint
  • 32.
    • Secure DevOpsToolchain and SWAT • https://www.sans.org/security-resources/posters/appsec/secure-devops- toolchain-swat-checklist-60 Security Tooling
  • 33.
    • So wehave all these security practices…. • How do we go from Waterfall AppSec to a more continuous security model? • Tools are only so good • False Positives • Can’t handle assessing Access Control or Environmental controls • Manual is normally slow and a hindrance What’s Next?
  • 34.
  • 35.
    • Not ContinuousDeployment • All changes “could” go to production but may not • How can we provide security benefit with CD? Continuous Delivery
  • 36.
    Building a SecureCI/CD Pipeline
  • 37.
    Discovery • Review whatyou have, what you want to do, what tools work best for you • Make it an interactive process with artifact reviews, face to face conversations, white boarding
  • 38.
  • 39.
    Implement Automation • UseCI triggers to determine when scanning activity is required • Work with development teams to implement unit-tests in the language or testing framework already in use • Determine how best to utilize messaging services, notify the security teams as to when scans begin and when the results should be reviewed
  • 40.
  • 41.
    Determine Risk andActions Risk Rating Testing Method Action Taken High, Medium, Low Unit-Tests (All environments) Failing unit-tests should mean that code will not be deployed until all the unit-tests pass, whether or not the unit-test fails because it is broken or because the application is vulnerable. High, Medium Dynamic Scanning - Production Env Code should not enter production. The security team should be notified immediately. Low Dynamic Scanning - Production Env Remediation should be prioritized by an agreed timeline between the security team and product managers. High, Medium, Low Dynamic Scanning - Alpha Env Unless the vulnerability is a known false positive or an issue that the security team has accepted as a necessary risk, the code triggering new issues should be resolved prior to moving any further in the development pipeline.
  • 42.
    Security Implementation • Integratesecurity testing into automation • Create a system with early detection and efficient remediation of security vulnerabilities that are part of the development process • Eliminate existing duplicate dependencies in order to de- duplicate outstanding tickets and updated outstanding tickets in JIRA.
  • 43.
    • Current securityissues • With details • Fixed issues • New threats • All tracked in bug tracker Issue Tracking
  • 44.
  • 45.
    OLD SDLC andSecurity Process The old way to do it was to have a separate SDLC and security process with different tracking systems. Who still does this? UX Workflow Design Coding Testing QA SDLC Bug Tracker Report Scope Recon Analyze Exploit Document Security Security Issues Tracker
  • 46.
    • What isyour application’s current security posture? • What is current? 1 year? 1 month? 1 day? Current Security Posture?
  • 47.
    • Scrum • Analysis •Planning • Design • Coding • Testing • Releases NEW Secure SDLC Process Integrate security into a defined process, don’t attempt to create a parallel security process. Many activities within the SDLC process simply need to be done with a security mindset, checklist, guide, or similar support. Business Analysis Define User Stories Refine Feature List -Business Requirements -User Requirements -Estimate -Scoping Sprint Planning Meeting Daily Work Sprint Review UX Workflow Design Coding Testing QA SDLC Threat Modeling Secure Design Principles IDE Tooling Security Automation Change Management Defect Tracker
  • 48.
    • What isyour application’s current security posture? • What is current? 1 year? 1 month? 1 day? Current Security Posture?
  • 49.
  • 50.
    Process Integration –Risks of Gating
  • 51.
    Process Integration Integrate intothe processes and existing workflows. If they don’t exist, help create them. Design Design Review Code Review Test Deploy
  • 52.
  • 53.
    What did welearn? • Application Security is hard, but we need to keep trying • There is no easy button or one stop shop for everything you may need • Every org has different needs and requirements • We all need to work together
  • 54.