Downloaded 10 times
Uploaded byOutpost24
Building an application security program
The document outlines the importance of building an application security (AppSec) program to enhance security posture amidst the app revolution. It discusses objectives such as better security, compliance, and shrinking the attack surface while detailing the application lifecycle and various security testing tools. Additionally, it emphasizes integrating security into the development process and utilizing automated assessments to manage vulnerabilities effectively.
More Related Content
Similar to Building an application security program
Building an application security program
- 1. Building an AppsecProgram Bob Egner, CMO be@outpost24.com 1
- 2. 2 Helping customers improvesecurity posture since 2001 Over 1,500 customers in all regions of the world Really good at breaking technology
- 3. Today’s topic 3 The apprevolution Application lifecycle Application Security Testing Working with test results Takeaways
- 4.
- 5. Everything is anapp 5 Business Drivers Digital Transformation • Customer experience • Internal automation • Supply chain efficiency Mobile device proliferation • Consumer expectation
- 6. 6 Everything is anapp Process drivers Agile development • Shorter time to features DevOps • Eliminating handoffs Photo: Dave Allen https://bloomfieldfinancial.co.uk/blog/25-5-reasons-computer-programmers-often-have-poor-pension-retirement-plans
- 7. Everything is anapp 7 Operational Drivers Virtualized • Faster spin up Cloud • Lower capitalized cost Container • Less management and administration
- 8. Everything is anapp 8 Security drivers Security is considered, later • How to build a culture of security awareness? Security likes stability • How to create a repeatable and timely process? • How to fit with DevOps? Image: Pete Cheslock @petecheslock https://vimeo.com/129822165
- 9. Familiar security process 9 Objectivesfor Appsec program • Better security • Focus for limited resources • Meet compliance policies • Build security awareness Measure and shrink the attack surface… and maintain it at the smallest level
- 10.
- 11. Application life cycle 11 DevelopmentPre-production Production Gate 1 Gate 2
- 12. Application life cycle 12 DevelopmentPre-production Production Code and commit Continuous integration & automated testing Complete build & test Gate 1 Gate 2 Non- functional testing UAT Ongoing assessments
- 13. Application life cycle 13 DevelopmentPre-production Production Code and commit Continuous integration & automated testing Complete build & test Gate 1 Gate 2 Non- functional testing UAT Ongoing assessments Internal Development
- 14. Application life cycle 14 DevelopmentPre-production Production Design & develop Build & test Gate 1 Gate 2 Non- functional testing UAT Ongoing assessments Internal Development COTS + Customize
- 15. Application life cycle 15 DevelopmentPre-production Production Gate 1 Gate 2 Non- functional testing UAT Ongoing assessments Internal Development COTS + Customize Outsourced Development
- 16.
- 17. NIST Cyber SecurityFramework 17 Asset Management • Applications • Infrastructure • Data Risk Assessment • Application Security Testing • Vulnerability Assessment Risk Management Strategy • Test results
- 18. 18 The hacker pivot Photo:Jim Goodrich, Stacey Peralta rides the Willis pool in the San Fernando Valley. October 1977. https://mpora.com/skateboarding/history-of-surfing-skating-snowboarding Establish objective Attack multiple entry points Move laterally to objective
- 19. 19 Tools in theAST kit SAST - Static Automated Focused on developers Noisy
- 20. 20 Tools in theAST kit SAST - Static Automated Focused on developers Noisy DAST - Dynamic Automated Operational system test Can’t address all cases
- 21. 21 Tools in theAST kit SAST - Static Automated Focused on developers Noisy DAST - Dynamic Automated Operational system test Can’t address all cases Penetration Test Manual Most comprehensive Low frequency use
- 22. 22 Tools in theAST kit SAST - Static Automated Focused on developers Noisy DAST - Dynamic Automated Operational system test Can’t address all cases Penetration Test Manual Most comprehensive Low frequency use MAST – Mobile Partially automated Focused on developers Lots of variants of test target
- 23. 23 Tools in theAST kit SAST - Static Automated Focused on developers Noisy DAST - Dynamic Automated Operational system test Can’t address all cases Penetration Test Manual Most comprehensive Low frequency use MAST – Mobile Partially automated Focused on developers Lots of variants of test target IAST – Interactive Automated Included in code Related to RASP (runtime app self protection)
- 24. 24 Tools in theAST kit SAST - Static Automated Focused on developers Noisy DAST - Dynamic Automated Operational system test Can’t address all cases Penetration Test Manual Most comprehensive Low frequency use MAST – Mobile Partially automated Focused on developers Lots of variants of test target IAST – Interactive Automated Included in code Related to RASP (runtime app self protection) Bug Bounty Manual Independent security researchers Pay by finding
- 25. Application life cycle 25 DevelopmentPre-production Production Code and commit Continuous integration & automated testing Complete build & test Gate 1 Gate 2 Non- functional testing UAT Ongoing assessments SAST IAST DAST MAST Bug Bounty Penetration Test
- 26. 26 “The whole isgreater than the sum of its parts.” - Aristotle
- 27.
- 28. Infrastructure tools 28 Owned Infrastructure Automated Networkscanning Vulnerability assessment • OS, virtualized OS • Installed software • Network configuration
- 29. Infrastructure tools 29 Owned Infrastructure Automated Networkscanning Vulnerability assessment • OS, virtualized OS • Installed software • Network configuration Cloud Infrastructure Automated Authorization required Instances (IaaS, PaaS) and Containers Vulnerability assessment • Installed software • Cloud configuration
- 30. Working with ASTresults
- 31. OWASP top 10 31 Mostcritical web application security risks • Some areas are easy to automate • Other areas are not Focused on the application OWASP risk model • Likelihood – threat agent, vulnerability • Impact – technical, business New New New
- 32. What about ? 32 Commonframework to compare vulnerabilities • Applications • Infrastructure • Data State of the art • Still somewhat blunt
- 33. Priority for remediation 33 Simplerisk = f( likelihood, impact) • Not directly calculated from test result Severity of vulnerability • Alternate approach • Directly calculated (CVSS score) Streamline effort invested based on application complexity Very Low (1) Low (2) Medium (3) High (4) Very High (5) Very Low (1) Low (2) Medium (3) High (4) Very High (5) Likelihood Impact
- 34. Distribution 34 Application and Infrastructureissue routing • System owners, Data owners • DevOps • Service Management Supporting processes • Recreate, scoring • Verification of resolution • Automate as Appsec program matures • Trends over time to build security awareness
- 35.
- 36. Initiate your Appsecprogram 36 • Include security in development SOW • Monitor included software and infrastructure components for updates • Pen test app and infrastructure on each release (Outpost24 Snapshot / SWAT, Outscan / EWP) • Track accepted / resolved risk, manage recurrence Outsourced Development Internal Development COTS + Customize • Manage 3rd party software and infrastructure in DevOps cycle • Dynamic app and infrastructure on each release (Outpost24 SWAT / Scale, Outscan / EWP) • Automate distribution of AST results in DevOps flow • Include accepted / resolved risk in release planning • Define scope of assessment from business criticality and release frequency
- 37. Q & AThanks! Bob Egner, CMO be@outpost24.com
Editor's Notes
- #12 Bigger than SDLC, includes Dev and Ops Gartner
- #29 Where does the application run? Where does the data reside? What weaknesses will allow an attacker to control the server, and pivot to the application?
- #30 Cloud is different Authorization for assessment? Cloud console (or container manager) for configuration issues