CactusCon 2018 - Anatomy of an AppSec Program

•

1 like•111 views

It’s 2018, and we are haunted by the same vulnerabilities from more than a decade ago. Organizations of all sizes still struggle with very common vulnerabilities like command injection, XSS, and insecure direct object reference … despite an abundance of code scanners on the market. The OWASP Top 10 is quickly becoming irrelevant because it has barely changed in the last several years. This is one of the most pressing issues for CISOs and there is no definitive solution. AppSec isn’t a product you can buy, it isn’t even a state that you can achieve. There is no how-to guide for application security. But there are some qualities shared by successful AppSec programs. This talk will provide security managers and directors who struggle with application security a better understanding of those common elements and answer some questions, such as: What are some of the critical functions of an AppSec program? Will that work in my <insert buzzword SDLC here> environment? Okay, so where do I start?

Software

ANATOMY OF AN
APPSEC PROGRAM
OR HOW TO STOP DEPLOYING SHITTY SHODDY CODE TO PRODUCTION
SEPTEMBER 28-29, 2018

2
• Introductions
• The Problem (as I see it)
• The Solution (again, as I see it)
• Finding vulnerabilities
• Fixing things
• Preventing vulnerabilities
• Metrics
• Wrap-up / Q&A
BECAUSE QA SAID I NEEDED ONE
AGENDA

44
THE GLUE THAT STICKS SECURITY BALLS TOGETHER
APPSEC

55
14 YEARS OF THE SAME OL' SHIT CRAP
OWASP TOP 10

66
BECAUSE DRAMA CREATES TENSION
RIPPED FROM THE HEADLINES

7
IT'S SECURITY FOR APPLICATIONS
APPLICATION SECURITY
WHAT IS THIS APPSEC
YOU SPEAK OF?

88
WIKIPEDIA
Application security encompasses measures
taken to improve the security of an
application often by finding, fixing, and
preventing security vulnerabilities.
- Wikipedia
BECAUSE DEFINITIONS ARE AWESOME

99
WIKIPEDIA
Application security encompasses measures
taken to improve the security of an
application often by finding, fixing, and
preventing security vulnerabilities.
- Wikipedia
And then measure your results.
- Joe
BECAUSE DEFINITIONS ARE AWESOME

FINDING VULNS
LOOKING FOR A NEEDLE IN A STACK OF NEEDLES

12
YEAH, IT'S KINDA LIKE THAT
FINDING VULNS

13
WRITE THIS DOWN
KEY POINTS
• Don't try to do everything at once.
• Start small and expand.
• Focus on your high-risk apps first.
• Chain together assessment
methodologies.

TODO: FIX THIS STUFF
CUZ THAT'S BASICALLY THE POINT

16
WITH ANOTHER OVERUSED MEME
FIXING VULNS

17
BUT IT'S BEHIND THE FIREWALL”
FALSE POSITIVES
<?php
...
[omitted for brevity]
...
$con = mysql_connect("localhost",$user,$pass);
mysql_select_db("database", $con);
$id = $_GET['id'];
$result = mysql_query("SELECT name FROM user WHERE id=$id", $con);
mysql_close($con);
...
[omitted for brevity]
...
?>

18
BUT IT'S BEHIND THE FIREWALL”
FALSE POSITIVES
<?php
...
[omitted for brevity]
...
$con = mysql_connect("localhost",$user,$pass);
mysql_select_db("database", $con);
$id = validate($_GET['id’]; )
$result = mysql_query("SELECT name FROM user WHERE id=$id", $con);
mysql_close($con);
...
[omitted for brevity]
...
?>

19
WRITE THIS DOWN
KEY POINTS
• Make it easy for your developers to engage
in AppSec.
• Set realistic goals and expand.
• Create a security backlog and use “security
sprints” each release to work it.
• As teams mature, introduce security gates.
• Have a process to handle false positives.

22
IN THE WAYS OF SECURITY
EDUCATING DEVELOPERS

23
WRITE THIS DOWN
KEY POINTS
• Developers aren't security people.
• Have hands-on workshops to cover
security issues.
• Walk your developers through
hacking things.
• Top-down support is really critical.

25
WHAT'S THE DIFFERENCE?
METRICS VS. STATS
STATISTIC: A fact or piece of data from a study
of a large quantity of numerical data
METRICS: Standards of measurement by which
performance, progress, or quality of a plan,
process, or product can be assessed

26
AN EXAMPLE
APPSEC METRICS
GOAL QUESTION MEASURE METRIC
Less than
1% security
defect rate
How many vulns are there?
How many lines of code?
Number of vulns
Number of LoC
Security Defect Density – number of
vulns/1000 lines of code, plotted over
time with the target waterline

28
WRITE THIS DOWN
KEY POINTS
• Use the G-Q-M method for metrics.
• Choose meaningful metrics.
• Evaluate against a defined framework.
• This is how you demonstrate value.

2929
THE GLUE THAT STICKS SECURITY BALLS TOGETHER
APPSEC

WE’RE HIRING
www.BishopFox.com
Careers@BishopFox.com
VISIT US ONLINE TO FIND OUT MORE

What's hot

Security champions v1.0

Dinis Cruz

Cyber security report 2017 cisco 2017 acr_pdf

Mitch Cardoza, SPHR, Workforce Solutions Exec.

Mastering next gen-siem-usecases-part1

Priyanka Aash

Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon

Tom Stiehm

Future of password less Authentication

Dhineshsunder ganapathi

CLUSIR INFONORD OWASP iot 2014

Sebastien Gioria

Organizations enjoy the speed that DevOps brings to development and delivery. However, most security and compliance monitoring tools have not been able to keep up, becoming the most significant barrier to continuous delivery. Now some good news: you can easily integrate security into your existing processes to solve this challenge. In this session, Shiri Ivtsan, Senior Product Manager at WhiteSource, will discuss: - Leveraging the DevSecOps approach to help speed up security - Scaling security into your agile processes - 5 easy ways to start driving DevSecOps in your organization

The Challenges of Scaling DevSecOps

WhiteSource

Maintaining and updating your risk assessment using vsRisk

Vigilant Software

Introducing vsRisk 2.6

Vigilant Software

Application Security in an Agile World - Agile Singapore 2016

Stefan Streichsbier

DevSecOps

Joel Divekar

Turning security into code by Jeff Williams

DevSecCon

What's hot (12)

Security champions v1.0

Cyber security report 2017 cisco 2017 acr_pdf

Mastering next gen-siem-usecases-part1

Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon

Future of password less Authentication

CLUSIR INFONORD OWASP iot 2014

The Challenges of Scaling DevSecOps

Maintaining and updating your risk assessment using vsRisk

Introducing vsRisk 2.6

Application Security in an Agile World - Agile Singapore 2016

DevSecOps

Turning security into code by Jeff Williams

Similar to CactusCon 2018 - Anatomy of an AppSec Program

The Principles of Secure Development - BSides Las Vegas 2009

Security Ninja

Why 'positive security' is a software security game changer

Jaap Karan Singh

The New Security Practitioner

Adrian Sanabria

SDLC & DevSecOps

Irina Kostina

2019 FRSecure CISSP Mentor Program: Class Ten

FRSecure

Agile development methodologies have brought with them a myriad of challenges for security engineers. Old school application security testing no longer keeps pace with the rapid deployment of code, fast moving projects and change of requirements. This presentation aims to introduce how we security engineers are adapting to integrate application security testing and tools into the software development process and discuss the new role of QA engineer in taking ownership too of security of the product.

Application security testing in the age of Agile development - by Julio Cesar...

Blaze Information Security

Software Security Initiative And Capability Maturity Models

Marco Morana

SecDevOps Risk Workflow - v0.6

Dinis Cruz

Agile and Secure SDLC

Nazar Tymoshyk, CEH, Ph.D.

Managing Application Security Risk in Enterprises - Thoughts and recommendations

Thierry Zoller

As our world becomes digital, the systems we build must be secure by design. The security community has developed a well-understood set of principles used to build systems that are secure (or at least securable) by design, but this topic often isn’t included in the training of software developers. And when the principles are explained, they are often shrouded in the jargon of the security engineering community, so mainstream developers struggle to understand and apply them. This talk explains why secure design matters and introduces 10 of the most important proven principles for designing secure systems, distilled from the wisdom of the security engineering community.

Secure by Design - Security Design Principles for the Working Architect

Eoin Woods

"Adapt what is useful, reject what is useless, and add what is specifically your own." -Bruce Lee Full transcript is here, https://www.linkedin.com/pulse/warriors-journey-building-global-appsec-program-owasp-brian-levine This talk covers critical foundations for building a scalable Application Security Program. Drawing on warrior-tested strategies and assurance frameworks such as OWASP SAMM and BSIMM, this session gives actionable guidance on building and advancing a global application security program. Whether you are starting a fledgling security journey or managing a mature SSDLC, these foundational elements are core for achieving continuous security at scale. Brian Levine is Senior Director of Product Security for Axway, an enterprise software company, delivering product solutions and cloud services to global Fortune 500 enterprises and government customers. If you were tasked with building a security program, imagine it's day 1 in your new role as an application security manager, which playbook would you use? There’s an Alphabet Soup of standards to choose from, you have ISO, SOC2, OWASP, NIST, BSIMM, PCI, CSA, and on and on. Is there a script you could follow? And which set of frameworks would you use to get started in the right direction? My talk today is going to draw on this quote and the wisdoms of the martial arts master and philosopher Bruce Lee. Adapt what is useful, reject what is useless, and add what is specifically your own. So, in that spirit I’m going to draw on my own experience with some of these frameworks and guidelines and cover the core foundational components that I feel have led to my success and I hope will help you get started. What I’m hoping you’ll get out of this talk are some strategies and tactics that you can use to develop and improve your program. [Slide 6] What we’re going to cover in these three core areas. We’ll focus on establishing a security Culture, we’ll look at developing and scaling security Processes and we’ll look at Governance for ensuring visibility and executive accountability

A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020

Brian Levine

Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors

Ryan Elkins

Making Security Agile - Oleg Gryb

SeniorStoryteller

Дмитро Терещенко, "How to secure your application with Secure SDLC"

Sigma Software

GrrCon 2014: Security On the Cheap

Joel Cardella

FRSecure 2018 CISSP Mentor Program Session 10

FRSecure

Lviv IT Arena is a conference specially designed for programmers, designers, developers, top managers, inverstors, entrepreneur and startuppers. Annually it takes place on 2-4 of October in Lviv at the Arena Lviv stadium. In 2015 conference gathered more than 1400 participants and over 100 speakers from companies like Facebook. FitBit, Mail.ru, HP, Epson and IBM. More details about conference at itarene.lviv.ua.

Security as a New Metric for Your Business, Product and Development Lifecycle...

IT Arena

Security as a new metric for Business, Product and Development Lifecycle

Nazar Tymoshyk, CEH, Ph.D.

Application Security 101 (OWASP DC)

mikemcbryde

Similar to CactusCon 2018 - Anatomy of an AppSec Program (20)

The Principles of Secure Development - BSides Las Vegas 2009

Why 'positive security' is a software security game changer

The New Security Practitioner

SDLC & DevSecOps

2019 FRSecure CISSP Mentor Program: Class Ten

Application security testing in the age of Agile development - by Julio Cesar...

Software Security Initiative And Capability Maturity Models

SecDevOps Risk Workflow - v0.6

Agile and Secure SDLC

Managing Application Security Risk in Enterprises - Thoughts and recommendations

Secure by Design - Security Design Principles for the Working Architect

A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020

Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors

Making Security Agile - Oleg Gryb

Дмитро Терещенко, "How to secure your application with Secure SDLC"

GrrCon 2014: Security On the Cheap

FRSecure 2018 CISSP Mentor Program Session 10

Security as a New Metric for Your Business, Product and Development Lifecycle...

Security as a new metric for Business, Product and Development Lifecycle

Application Security 101 (OWASP DC)

More from Bishop Fox

SharePoint Hacking - Advanced SharePoint Security Tools and Tips https://resources.bishopfox.com/resources/tools/sharepoint-hacking-diggity/ Microsoft SharePoint products and technologies continue to grow in popularity and have become the core foundation upon which many organizations have built their web presence. Unfortunately, guidance concerning common SharePoint security issues tends to be overly complex and often misunderstood. Ultimately this results in insecurely configured and deployed SharePoint instances in production environments. This demonstration rich presentation will cover our newly released SharePoint hacking tools and techniques that security professionals can easily use to identify and exploit common insecure configurations in SharePoint applications. Some of the areas we’ll attempt to tackle are: - Identifying vulnerable SharePoint applications using public search engines such as Google and Bing - Gaining unauthorized access to SharePoint administrative web interfaces - Exploiting holes in SharePoint site user permissions and inheritance - Illustrating the dangers of granting excessive access to normal user accounts - Pillaging Active Directory via insecure SharePoint services - Attacking 3rd party plugins/code within SharePoint - And much more…

OWASP LA – SharePoint Hacking – 22Feb2012 – Slides.PDF

Bishop Fox

05 April 2016 - DEF CON 23 (2015) Fran Brown & Shubham Shah - Bishop Fox https://resources.bishopfox.com/resources/tools/rfid-hacking/ https://www.defcon.org/html/defcon-23/dc-23-speakers.html#Brown Have you ever attended an RFID hacking presentation and walked away with more questions than answers? This talk will finally provide practical guidance for penetration testers on hacking High Frequency (HF - 13.56 MHz) and Ultra-High Frequency (UHF – 840-960 MHz). This includes Near Field Communication (NFC), which also operates at 13.56 MHz and can be found in things like mobile payment technologies, e.g., Apple Pay and Google Wallet. We’ll also be releasing a slew of new and free RFID hacking tools using Arduino microcontrollers, Raspberry Pis, phone/tablet apps, and even 3D printing. This presentation will NOT weigh you down with theoretical details or discussions of radio frequencies and modulation schemes. It WILL serve as a practical guide for penetration testers to better understand the attack tools and techniques available to them for stealing and using RFID tag information, specifically for HF and UHF systems. We will showcase the best-of-breed in hardware and software that you’ll need to build an RFID penetration toolkit. Our goal is to eliminate pervasive myths and accurately illustrate RFID risks via live attack DEMOS: o High Frequency / NFC – Attack Demos: - HF physical access control systems (e.g., iCLASS and MIFARE DESFire “contactless smart card” product families) - Credit cards, public transit cards, passports (book), mobile payment systems (e.g., Apple Pay, Google Wallet), NFC loyalty cards (e.g., MyCoke Rewards), new hotel room keys, smart home door locks, and more o Ultra-High Frequency – Attack Demos: - Ski passes, enhanced driver’s licenses, passports (card), U.S. Permanent Resident Card (“green card”), trusted traveler cards Schematics and Arduino code will be released, and 100 lucky audience members will receive one of a handful of new flavors of our Tastic RFID Thief custom PCB, which they can insert into almost any commercial RFID reader to steal badge info or use as a MITM backdoor device capable of card replay attacks. New versions include extended control capabilities via Arduino add-on modules such as Bluetooth low energy (BLE) and GSM/GPRS (SMS messaging) modules This DEMO-rich presentation will benefit both newcomers to RFID penetration testing as well as seasoned professionals. DISCLAIMER: This video is intended for pentesting training purposes only.

InfoSec World 2016 – RFIDiggity – Pentester Guide to Hacking HF/NFC and UHF...

Bishop Fox

https://resources.bishopfox.com/resources/tools/google-hacking-diggity/ As of late, security professionals have been waging a losing battle against hackers. Google, Bing, and other major search engines have been kind enough to index and make searchable all the vulnerabilities on the web, including everything from exposed password files to SQL injection points. This fact has not gone unnoticed by hackers. Last year, LulzSec employed Google hacking to go on an epic 50 day hacking spree that left in its wake a wide variety of major victims including Sony, PBS, Arizona's Department of Public Safety, Infraguard, the FBI, and the CIA. Botnets have also been confirmed to be utilizing search engines for identifying targets as part of mass injection campaigns and other malware distribution techniques. This falls in line with the results of the 2012 Verizon Data Breach Investigations Report which found that 79% of all victims were targets of opportunity. Google Hacking is the perfect vehicle to enable opportunistic attackers who are seeking quick and easy targets to exploit on a massive scale. It is imperative that security professionals learn to take equal advantage of these techniques to help safeguard their organizations. In this workshop, the audience will gain an understanding of the magnitude of this threat, as well as the importance of being proactive in addressing it. We’ll be introducing you to slew of new tools and techniques that will allow you to leverage Google, Bing, SHODAN and many more open search interfaces to track down and eliminate information disclosures and vulnerabilities in your public facing systems and applications before hackers have the chance to exploit them. Some of the topics to be covered are: • Search engine hacking – primary attack methods o Google Hacking o Bing Hacking o Toolkit overview:  Diggity toolset, Maltego, theHarvester, FOCA, and more… • Footprinting target organization networks and applications o Identifying applications, URLs, hostnames, domains, IP addresses, emails and more o Port scanning networks passively via Google o DNS data mining via DeepMagic search engine • Data loss prevention tools and techniques o Locating sensitive data leaks via public web applications • Cloud hacking via Google o Targeting cloud implementations via search engines o Using the cloud and custom search to identify vulnerabilities • Adobe Flash hacking via Google and Bing • Open source code vulnerabilities • Finding sensitive information disclosures on 3rd party sites o Facebook, Twitter, YouTube, PasteBin o Cloud document storage (Dropbox, Google Drive, etc.) • Malware and Search Engines – Bound by Destiny, Unholy Union o Understanding how search engines are used to distribute malware to users o Leveraging search engines to identify and avoid malware • Advanced defense tools and techniques o Search engine hacking alerts and intrusion detection systems (IDS)

InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Env...

Bishop Fox

29 July 2012 - DEF CON 20 (2012) Fran Brown - Bishop Fox https://resources.bishopfox.com/resources/tools/google-hacking-diggity/ https://www.defcon.org/html/defcon-20/dc-20-speakers.html#Brown All brand new tool additions to the Google Hacking Diggity Project - The Next Generation Search Engine Hacking Arsenal. As always, all tools are free for download and use. When last we saw our heroes, the Diggity Duo had demonstrated how search engine hacking could be used to take over someone's Amazon cloud in less than 30 seconds, build out an attack profile of the Chinese government's external networks, and even download all of an organization's Internet facing documents and mine them for passwords and secrets. Google and Bing were forced to hug it out, as their services were seamlessly combined to identify which of the most popular websites on the Internet were unwittingly being used as malware distribution platforms against their own end-users. Now, we've traveled through space and time, my friend, to rock this house again... True to form, the legendary duo have toiled night and day in the studio (a one room apartment with no air conditioning) to bring you an entirely new search engine hacking tool arsenal that's packed with so much tiger blood and awesome-sauce, that it's banned on 6 continents. Many of these new Diggity tools are also fueled by the power of the cloud and provide you with vulnerability data faster and easier than ever thanks to the convenience of mobile applications.Just a few highlights of new tools to be unveiled are: * AlertDiggityDB * Diggity Dashboard * Bing Hacking Database (BHDB) 2.0 * NotInMyBackYardDiggity * PortScanDiggity * CloudDiggity Data Mining Tool Suite * CodeSearchDiggity-Cloud Edition * BingBinaryMalwareSearch (BBMS) * Diggity IDS So come ready to engage us as we explore these tools and more in this DEMO rich presentation. You are cordially invited to ride the lightning.

DEFCON 20 (2012) – Tenacious Diggity – 29July2012 – Slides.PDF

Bishop Fox

SpellCheckV2 Rules

Bishop Fox

As seen at Black Hat USA and DEF CON 27: Do you feel safe in your home with the security system armed? You may reconsider after watching a demo of our new hacking toolkit, ZigDiggity, where we target door & window sensors using an "ACK Attack". ZigDiggity will emerge as the weapon of choice for testing ZigBee-enabled systems, replacing all previous efforts. ZigBee continues to grow in popularity as a method for providing simple wireless communication between devices (i.e. low power/traffic, short distance), & can be found in a variety of consumer products that range from smart home automation to healthcare. Security concerns introduced by these systems are just as diverse and plentiful, underscoring a need for quality assessment tools. Unfortunately, existing ZigBee hacking solutions have fallen into disrepair, having barely been maintained, let alone improved upon. Left without a practical way to evaluate the security of ZigBee networks, we've created ZigDiggity, a new open-source pentest arsenal from Bishop Fox. Our DEMO-rich presentation showcases ZigDiggity's attack capabilities by pitting it against common Internet of Things (IoT) products that use ZigBee.

Smarter Home Invasion With ZigDiggity

Bishop Fox

Did you know that Elastic Block Storage (Amazon EBS) has a "public" mode that makes your virtual hard disk available to anyone on the internet? Apparently hundreds of thousands of others didn't either, because they're out there exposing secrets for everyone to see. I tore apart the petabytes of data for you and have some dirty laundry to air: encryption keys, passwords, authentication tokens, PII, you name it and it's here. Whole (virtual) hard drives to live sites and apps, just sitting there for anyone to read. So much data in fact that I had to invent a custom system to process it all. There's a massive Wall of Sheep out there on the internet, and you might not have even noticed that you're on it. Actually, you should stop reading and go check that out right now.

Hacking Exposed EBS Volumes

Bishop Fox

Bitflips happen more than you know, especially on mobile devices and especially on cheap phones with memory that has higher FIT rates (Failures-In-Time). In the past, encryption in-transit (TLS/SSL) would have protected you against the most dangerous opportunistic attackers because it was cost prohibitive. Today however, certificates are free. Free for you and threat actors, thanks to Let’s Encrypt and major cloud providers. While free certificate authorities are a net positive for internet security, we already know attackers are leveraging the HTTPS lock for subverting security awareness training and more successful phishing. What about corporate espionage? That’s precisely what we investigated and will demonstrate with this slide deck.

Ghost in the Browser: Broad-Scale Espionage with Bitsquatting

Bishop Fox

Internet scammers move pretty fast. If you don’t stop and look around once in a while, you could miss it. Just as Ferris Bueller always had another trick up his sleeve to dupe Principle Rooney, attackers are employing homoglyphs, subdomain attacks, typo-squats, bit-squats, and similar attacks to trick internet denizens with fraudulent websites. Adversaries may register domains permutations in order to commit fraud, distribute malware, redirect traffic, steal credentials, or for corporate espionage. We know these threats have been around for a while, but not many defenders adopt proactive technical controls in their social engineering incident response plans. The question isn’t what are we going to do about it. The question is what aren’t we going to do. With the capability to continuously monitor domain permutations for new HTTP, HTTPS, or SMTP services in real-time, the blue team doesn’t have to trust domain permutations any further than they can throw them. In this talk, we will demonstrate red team and blue team techniques. For Buellers, demonstrations include ways to leverage domain permutations in adversary simulations. For Rooneys, we will detail how to better prepare, identify, contain, and eradicate threats that utilize domain permutations. If you’re not leveraging our recommended technical controls to defeat attackers, you risk fishing for your wallet in a yard full of rage-fueled Rottweilers. (This was originally presented on March 3, 2019 at BSides San Francisco.)

Ferris Bueller’s Guide to Abuse Domain Permutations

Bishop Fox

So you’ve managed to get a foothold into the web server — now what? Privilege escalation can be an intimidating process for those unfamiliar with Linux systems or advanced penetration testing techniques. Servers are often cluttered with utilities, backups, and files; how do you find your way through to a root shell? Where are the first places an attacker might look for exploitable vulnerabilities? In this workshop, participants will learn about common privilege escalation paths on Linux systems, including sticky bits, shell escapes, wildcard injections, and how to identify vulnerable services. This presentation will demonstrate several techniques for those looking to improve their security skills. (This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019). (This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019). (This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019). (This was originally presented at BSides Columbus 2019 on March 1, 2019.)

Check Your Privilege (Escalation)

Bishop Fox

So you’ve managed to get a foothold into the web server — now what? Privilege escalation can be an intimidating process for those unfamiliar with Linux systems or advanced penetration testing techniques. Servers are often cluttered with utilities, backups, and files; how do you find your way through to a root shell? Where are the first places an attacker might look for exploitable vulnerabilities? This slide deck will help you learn about common privilege escalation paths on Linux systems, including sticky bits, shell escapes, wildcard injections, and how to identify vulnerable services. Furthermore, it will illustrate several techniques for those looking to improve their security skills, with time for discussion afterward. (This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019).

Introduction to Linux Privilege Escalation Methods

Bishop Fox

Penetration Testing Resource Guide

Bishop Fox

Learn the basics of network penetration testing success - an introduction to the top three tools that will help you on your security journey: Nmap, Netcat, and Metasploit. See how to use Nmap both for port scanning and vulnerability discovery. You'll also learn how to use Netcat to grab banners, make HTTP requests, and create both reverse and bind shells. Finally, we’ll learn the ins and outs of Metasploit, including how to integrate our Nmap scan results for even more ownage and using the built-in exploits to get shells. At the end of this, you will be port scanning, creating payloads, and popping shells. This technical workshop is designed to familiarize you with the necessary tools to continue your ethical hacking journey. From here, take your l33t new skillz and apply them to Capture The Flag (CTF) competitions or scanning your home network for vulnerabilities. (This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019).

Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics

Bishop Fox

very picture I take, I pose a threat. By picture, I mean screenshot. By threat I mean attacker. What if there was a way to find more exposures without exactly knowing what we’re looking for? OWASP DirBuster had the right idea but was missing the power of perceptual analysis. This talk is full of dirty tricks to optimize the hunt for security exposures. Unlimited storage, scalable serverless infrastructure, and machine learning powered by collaborative filtering will enable us to usher in a new age of visibility into our attack surface. Around the world, bug hunters are leveraging OSINT techniques (e.g. using OWASP Amass) to find security vulnerabilities for organizations. However, they need better ways to perform analysis at scale. Traditional scanners require in-depth knowledge of each issue in order to write a signature. All we need with this new approach is a target, a path, and as output we will get potential exposures. Do this properly at scale and you have effectively taken what would be millions of results to review and filtered it to thousands of likely vulnerable candidates. Come watch the revolution unfold with new ways to: * Distribute requests to targets and paths using scalable serverless infrastructure * Screenshot results with unlimited storage and organize them by visual similarity * Automate identification of more exposures more quickly using collaborative filtering Focus these techniques on identifying RCEs and you now have a formidable weapon. In conclusion, this approach can be used for a variety of analysis use cases. Penetration testers, bug bounty, SOC analysts, threat researchers, vulnerability scan jockeys, will all benefit from this next generation approach.

How Perceptual Analysis Helps Bug Hunters

Bishop Fox

You’ve heard about cloud, big data, server-less infrastructure, web scale, and other buzzwords that cause VCs to throw money at people - but how does this help you? If you’re getting bored going over the same checklist in your pentests then you’re missing out on what some of these new technologies can offer you. Using some of the newer cloud technologies not only can you automate all of your workflows, but you can do so with almost zero maintenance at a low cost with almost infinite scalability! This talk will show you how to blow conventional pentesters out of the water using some cool new technologies along with a little bit of trickery. Some of the topics we’ll go over include: * Cheap and scalable rainbow tables with BigQuery, 5TB in 10 seconds * SQS & Lambda, like Burp Intruder but 10K QPS * Scalable GPU Clusters on the cheap with Spot Instances and Elastic Beanstalk * Cloud exit nodes, rotating IPs via Elastic Beanstalk and nano instances * Cost effective fuzzing with Elastic Beanstalk and Spot Instances (This was originally presented on November 16, 2018 at Kiwicon 2038).

Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at Scale

Bishop Fox

When it comes to cybersecurity, the victim mindset is all too pervasive. Everyone is convinced a breach is imminent - and that this attitude justifies overinvesting in defenses instead of focusing on emerging threats. In this presentation, we will discuss why this approach is unsustainable and why red teaming is worth your organization's time and money in addition to the ways most organizations are compromised. As well, we will touch upon what you must consider before embarking on a red team engagement. (This was originally presented on November 6, 2018 as a Practising Law Institute SFO seminar.) To learn more about red teaming, check out our guide: https://www.bishopfox.com/blog/2018/07/a-primer-to-red-teaming/

Evolving Cyber Adversary Simulation: How Red Teaming Benefits Organizations

Bishop Fox

From Sun Devil to math teacher to professional pentester, Mike Ostrowski’s keynote will lay out the groundwork for an unconventional career in cybersecurity. You’ll learn firsthand what it’s like to be a cybersecurity consultant at Bishop Fox. Expect to hear about Mike’s distinct path to security. He will share what helped him reach this point, his stories what it was that sold him on a cybersecurity career, and finally, what he looks for in potential consultants. This will include explaining why communication is so important, why pieces of paper aren’t everything, and what the mindset is that you need to embrace for success. Come prepared to understand the reality of what it’s like to “break in” for a living – and how you can make that your professional reality someday.

ASU Cybersecurity Symposium - Breaking Into a Career of Breaking In

Bishop Fox

One of the main reasons information security is so hard to achieve today is that IT itself is changing so rapidly. Cloud computing places security in the hands of a third-party service provider. Mobile technology, meanwhile, places security in the hands of the end user. And the emergence of intelligent, Internet-connected, non-computer devices -- the Internet of Things -- represents an entirely new set of security challenges. In this slide deck, you'll learn how IT organizations can build a security strategy that works when so much of the computing environment is outside their span of control. She will also touch upon how security departments can implement technologies and practices that will work in both today's IT environment and tomorrow's dynamic, multi-dimensional computing world.

Preparing a Next Generation IT Strategy

Bishop Fox

During World War II the CIA created a special information intelligence unit to exploit information gathered from openly available sources. One classic example of the teamís resourcefulness was the ability to determine whether Allied forces had successfully bombed bridges leading into Paris based on increasing orange prices. Since then OSINT sources have surged in number and diversity, but none can compare to the wealth of information provided by the internet. Attackers have been clever enough in the past to take advantage of search engines to filter this information to identify vulnerabilities. However, current search hacking techniques have been stymied by search provider efforts to curb this type of behavior. Not anymore. Our demonstration-heavy presentation picks up the subtle art of search engine hacking at the current state and discusses why these techniques fail. We will then reveal several new search engine hacking techniques that have resulted in remarkable breakthroughs against both Google and Bing. Come ready to engage with us as we release two new tools, GoogleDiggity and BingDiggity, which take full advantage of the new hacking techniques. Weíll also be releasing the first ever 'live vulnerability feed', which will quickly become the new standard on how to detect and protect yourself against these types of attacks. This presentation will change the way you've previously thought about search engine hacking, so put on your helmets. We don't want a mess when we blow your minds.

Lord of the Bing: Taking Back Search Engine Hacking From Google and Bing

Bishop Fox

Last year's Lord of the Bing presentation stabbed Google Hacking in the heart with a syringe full of adrenaline and injected life back into a dying art form. New attack tools and modern defensive techniques redefined the way people thought about Google Hacking. Among these were the first ever Bing Hacking tool and the Google/Bing Hacking Alert RSS feeds, which have grown to become the world's single largest repository of live vulnerabilities on the web. And it was only the beginning… This year, we once again tear down the basic assumptions about what Google/Bing Hacking is and the extent to which it can be exploited to target organizations and even governments. In our secret underground laboratory, we've been busy creating an entirely new arsenal of Diggity Hacking tools that we'll be unveiling for the first time and releasing for free at Black Hat USA 2011. Just a few highlights of new tools to be unveiled are: BaiduDiggity:first ever Baidu hacking tool, which targets vulnerabilities disclosed by China's dominant search engine. DEMO: Live targeting of vulnerabilities in Chinese government websites exposed via Baidu. DroidDiggity:fully functional GoogleDiggity and BingDiggity application for Android phones. GoogleCodeSearchDiggity:identifying vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, and more. The tool comes with over 40 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. FlashDiggity:automated Google searching/downloading/decompiling/analysis of SWF files to identify Flash vulnerabilities and info disclosures. SHODAN Hacking Alerts:new live vulnerability RSS feeds based on results from the popular SHODAN hacking search engine. MalwareDiggity and MalwareDiggity Alerts:leveraging Bing API and the Google SafeBrowsing API together to provide an answer to a simple question, "Am I being used as a platform to distribute malware to people who visit my website?" AlertDiggity:Windows systray application that filters the results of the various Google/Bing/Shodan Hacking Alerts RSS feeds and notifies the user if any new alerts match a domain belong to them. DiggityDLP:Data loss prevention tool that leverages Google/Bing to identify exposures of sensitive info (e.g. SSNs, credit card numbers, etc.) via common document formats such as .doc, .xls, and .pdf. Also utilizes Google APIs for searching across Google Docs/Spreadsheets for data leaks. That is just a taste of the new tools that will be explored in this DEMO rich presentation. So come ready to engage us as we re-define Google Hacking once again. WARNING: For safety, you should be in good health and free from high blood pressure, heart, back or neck problems, motion sickness, or other conditions that could be aggravated by this adventure.

Pulp Google Hacking

Bishop Fox

More from Bishop Fox (20)

OWASP LA – SharePoint Hacking – 22Feb2012 – Slides.PDF

InfoSec World 2016 – RFIDiggity – Pentester Guide to Hacking HF/NFC and UHF...

InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Env...

DEFCON 20 (2012) – Tenacious Diggity – 29July2012 – Slides.PDF

SpellCheckV2 Rules

Smarter Home Invasion With ZigDiggity

Hacking Exposed EBS Volumes

Ghost in the Browser: Broad-Scale Espionage with Bitsquatting

Ferris Bueller’s Guide to Abuse Domain Permutations

Check Your Privilege (Escalation)

Introduction to Linux Privilege Escalation Methods

Penetration Testing Resource Guide

Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics

How Perceptual Analysis Helps Bug Hunters

Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at Scale

Evolving Cyber Adversary Simulation: How Red Teaming Benefits Organizations

ASU Cybersecurity Symposium - Breaking Into a Career of Breaking In

Preparing a Next Generation IT Strategy

Lord of the Bing: Taking Back Search Engine Hacking From Google and Bing

Pulp Google Hacking

Recently uploaded

A great deal of attention in medical devices has shifted towards cybersecurity with the ratification of section 524B of the FD&C act. This new law enables the FDA to enforce cybersecurity controls in any medical device that is capable of networked communications or that has software. In this webinar we will recap the process for managing vulnerabilities, identify categories of vulnerabilities and solutions and more.

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...

ICS

Investing in AI transformation today The modern business advantage: Uncovering deep insights with AI Organizations around the world have come to recognize AI as the transformative technology that enables them to gain real business advantage. AI’s ability to organize vast quantities of data allows those who implement it to uncover deep business insights, augment human expertise, drive operational efficiency, transform their products, and better serve their customers

Microsoft AI Transformation Partner Playbook.pdf

Willy Marroquin (WillyDevNET)

A Secure and Reliable Document Management System is Essential.docx

ComplianceQuest1

VTU technical seminar 8Th Sem on Scikit-learn

AmarnathKambale

At TECUNIQUE, we're a stable and steadily growing Indian software services company with over 14 years of industry experience. Specializing in offshore software development and quality assurance services, we've built a reputation for delivering unique and effective solutions to start-ups, software development companies, enterprises, and digital agencies. We pride ourselves on our commitment to excellence and innovation. By blending insightful business domain knowledge with exceptional technical prowess, we craft tailor-made solutions that meet the unique needs of our clients. Our dedicated teams are adept in specific technologies, ensuring seamless integration of skills and delivering reliable, scalable, and high-quality software solutions aligned with our clients' preferences. Bespoke Dedicated Teams: Crafted to meet your specific needs and technology preferences, our dedicated teams are committed to delivering top-notch software solutions. Offshore Software Development: Accelerate your software development and scale up quickly with our 12+ years of expertise in offshore development. Quality Assurance Services: Ensure the quality of your software products with our dedicated teams of experienced QA professionals. IT Staff Augmentation: Overcome skill gaps with our client-centric software team, offering staff augmentation services. Expert Software Services: Unlock our capabilities in custom software development, product development, and quality assurance. Mission and Vision: Our mission at TECUNIQUE is to be the catalyst for our clients' success in the dynamic domain of software development. Rooted in our core values of respect, authenticity, and responsibility, we strive to ease the software outsourcing experience, reducing both time and cost to market for our clients. We envision ourselves as the leading Indian software services company, renowned for our unwavering commitment to excellence and innovation. www.tecunique.com

TECUNIQUE: Success Stories: IT Service provider

mohitmore19

In the past six months, the AI landscape has undergone a massive transformation, ushering in a new era of productivity with the latest in Large Language Models (LLMs) and AI technology. This deep dive unlocks how to: Create CustomGPT Models: No coding needed to tailor AI for your unique projects. Integrate your own data, including PDFs and Excel sheets, making information handling a breeze. Plus, discover how to call your own actions/integrations for even more personalized utility. Navigate Advanced Prompting: Overcome AI's memory limits and utilize Retrieval-Augmented Generation for accessing your personalized data, streamlining how you interact with AI. Stay Ahead with AI Trends: Peek into the evolving world of LLMs, featuring newcomers like Google Gemini, Anthropic Claude, Open Sora, and Twitter Grok, and understand what their advancements mean for your productivity. Witness Real-Life Transformations: Through examples and prompt demonstrations, see firsthand how these AI strategies revolutionize routine tasks, from data analysis to content creation. Learn to leverage image output and input for advanced practical use cases, adding a new dimension to your productivity toolkit. No previous coding or AI experience is needed for this talk. Stay ahead in the fast-evolving world of work. Embrace the AI revolution and transform your workflow with advanced LLM techniques. Join us to ensure you're not left behind in the productivity race.

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques

VictorSzoltysek

InShot proinshot.com stands tall among its peers as the ultimate video editing app, offering simplicity, versatility, and power in one package. With its intuitive interface and comprehensive feature set, InShot caters to both beginners and seasoned editors alike. Whether you're creating content for social media, YouTube, or personal projects, InShot empowers you to unleash your creativity and transform your videos into captivating masterpieces. Join the millions of users who trust InShot https://www.proinshot.com/ for all their video editing needs and discover the difference for yourself!

Exploring the Best Video Editing App.pdf

proinshot.com

Software Quality Assurance Interview Questions

Arshad QA

At the recent Microsoft Ignite 2023 conference, Microsoft unveiled a groundbreaking strategy that will redefine enterprise work management. The plan involves integrating Microsoft’s key planning tools, Microsoft To Do, Microsoft Planner, and Microsoft Project for the web into a unified experience called “Microsoft Planner.” What does this new strategy from Microsoft mean for current users? Join us and learn how best to take advantage of this announcement while gaining a clear path on how to elevate the current state of Microsoft Planner from a basic task manager to a comprehensive tool for Enterprise Work Management using OnePlan. Learn how OnePlan’s integration with Microsoft Planner allows for strategic alignment with business goals through advanced features like strategic planning, portfolio management, resource management, financial management, and more!

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

OnePlan Solutions

Model Call Girl Services in Delhi reach out to us at 🔝 9953056974 🔝✔️✔️ Our agency presents a selection of young, charming call girls available for bookings at Oyo Hotels. Experience high-class escort services at pocket-friendly rates, with our female escorts exuding both beauty and a delightful personality, ready to meet your desires. Whether it's Housewives, College girls, Russian girls, Muslim girls, or any other preference, we offer a diverse range of options to cater to your tastes. We provide both in-call and out-call services for your convenience. Our in-call location in Delhi ensures cleanliness, hygiene, and 100% safety, while our out-call services offer doorstep delivery for added ease. We value your time and money, hence we kindly request pic collectors, time-passers, and bargain hunters to refrain from contacting us. Our services feature various packages at competitive rates: One shot: ₹2000/in-call, ₹5000/out-call Two shots with one girl: ₹3500/in-call, ₹6000/out-call Body to body massage with sex: ₹3000/in-call Full night for one person: ₹7000/in-call, ₹10000/out-call Full night for more than 1 person: Contact us at 🔝 9953056974 🔝. for details Operating 24/7, we serve various locations in Delhi, including Green Park, Lajpat Nagar, Saket, and Hauz Khas near metro stations. For premium call girl services in Delhi 🔝 9953056974 🔝. Thank you for considering us!

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE

9953056974 Low Rate Call Girls In Saket, Delhi NCR

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

ThousandEyes

introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf

VishalKumarJha10

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

10 Trends Likely to Shape Enterprise Technology in 2024

Mind IT Systems

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf

kalichargn70th171

Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...

OnePlan Solutions

Diamond Application Development Crafting Solutions with Precision

SolGuruz

Many specialized tools cater to distinct stages within the software development lifecycle (SDLC). These tools target various aspects of development, delivery, and operations, each with its unique strengths. Uniting these diverse testing needs into a single continuous testing platform presents several challenges. Such a platform must seamlessly integrate with various development tools and environments, accommodate different testing methodologies, and remain flexible to adapt to organizational processes and quality standards.

The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...

kalichargn70th171

8257 interfacing 2 in microprocessor for btech students

HimanshiGarg82

Recently uploaded (20)

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...

Microsoft AI Transformation Partner Playbook.pdf

A Secure and Reliable Document Management System is Essential.docx

VTU technical seminar 8Th Sem on Scikit-learn

TECUNIQUE: Success Stories: IT Service provider

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques

Exploring the Best Video Editing App.pdf

Software Quality Assurance Interview Questions

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

10 Trends Likely to Shape Enterprise Technology in 2024

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf

Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...

Diamond Application Development Crafting Solutions with Precision

The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...

8257 interfacing 2 in microprocessor for btech students

CactusCon 2018 - Anatomy of an AppSec Program

1. ANATOMY OF AN APPSEC PROGRAM OR HOW TO STOP DEPLOYING SHITTY SHODDY CODE TO PRODUCTION SEPTEMBER 28-29, 2018

2. 2 • Introductions • The Problem (as I see it) • The Solution (again, as I see it) • Finding vulnerabilities • Fixing things • Preventing vulnerabilities • Metrics • Wrap-up / Q&A BECAUSE QA SAID I NEEDED ONE AGENDA

3. 3 THIS IS KINDA IMPORTANT WARNING

4. 44 THE GLUE THAT STICKS SECURITY BALLS TOGETHER APPSEC

5. 55 14 YEARS OF THE SAME OL' SHIT CRAP OWASP TOP 10

6. 66 BECAUSE DRAMA CREATES TENSION RIPPED FROM THE HEADLINES

7. 7 IT'S SECURITY FOR APPLICATIONS APPLICATION SECURITY WHAT IS THIS APPSEC YOU SPEAK OF?

8. 88 WIKIPEDIA Application security encompasses measures taken to improve the security of an application often by finding, fixing, and preventing security vulnerabilities. - Wikipedia BECAUSE DEFINITIONS ARE AWESOME

9. 99 WIKIPEDIA Application security encompasses measures taken to improve the security of an application often by finding, fixing, and preventing security vulnerabilities. - Wikipedia And then measure your results. - Joe BECAUSE DEFINITIONS ARE AWESOME

10. FINDING VULNS LOOKING FOR A NEEDLE IN A STACK OF NEEDLES

11. 11 DON'T FOCUS ON TOOLS FINDING VULNS

12. 12 YEAH, IT'S KINDA LIKE THAT FINDING VULNS

13. 13 WRITE THIS DOWN KEY POINTS • Don't try to do everything at once. • Start small and expand. • Focus on your high-risk apps first. • Chain together assessment methodologies.

14. TODO: FIX THIS STUFF CUZ THAT'S BASICALLY THE POINT

15. 15 WITH A MEME FIXING VULNS

16. 16 WITH ANOTHER OVERUSED MEME FIXING VULNS

17. 17 BUT IT'S BEHIND THE FIREWALL” FALSE POSITIVES <?php ... [omitted for brevity] ... $con = mysql_connect("localhost",$user,$pass); mysql_select_db("database", $con); $id = $_GET['id']; $result = mysql_query("SELECT name FROM user WHERE id=$id", $con); mysql_close($con); ... [omitted for brevity] ... ?>

18. 18 BUT IT'S BEHIND THE FIREWALL” FALSE POSITIVES <?php ... [omitted for brevity] ... $con = mysql_connect("localhost",$user,$pass); mysql_select_db("database", $con); $id = validate($_GET['id’]; ) $result = mysql_query("SELECT name FROM user WHERE id=$id", $con); mysql_close($con); ... [omitted for brevity] ... ?>

19. 19 WRITE THIS DOWN KEY POINTS • Make it easy for your developers to engage in AppSec. • Set realistic goals and expand. • Create a security backlog and use “security sprints” each release to work it. • As teams mature, introduce security gates. • Have a process to handle false positives.

20. PREVENTION ACTUALLY GETTING BETTER

21. 21 MAKING DEVELOPERS BETTER PREVENTION

22. 22 IN THE WAYS OF SECURITY EDUCATING DEVELOPERS

23. 23 WRITE THIS DOWN KEY POINTS • Developers aren't security people. • Have hands-on workshops to cover security issues. • Walk your developers through hacking things. • Top-down support is really critical.

24. METRICS HOW TO KNOW IF IT'S WORKING

25. 25 WHAT'S THE DIFFERENCE? METRICS VS. STATS STATISTIC: A fact or piece of data from a study of a large quantity of numerical data METRICS: Standards of measurement by which performance, progress, or quality of a plan, process, or product can be assessed

26. 26 AN EXAMPLE APPSEC METRICS GOAL QUESTION MEASURE METRIC Less than 1% security defect rate How many vulns are there? How many lines of code? Number of vulns Number of LoC Security Defect Density – number of vulns/1000 lines of code, plotted over time with the target waterline

27. 27 AN EXAMPLE APPSEC METRICS

28. 28 WRITE THIS DOWN KEY POINTS • Use the G-Q-M method for metrics. • Choose meaningful metrics. • Evaluate against a defined framework. • This is how you demonstrate value.

29. 2929 THE GLUE THAT STICKS SECURITY BALLS TOGETHER APPSEC

30. WE’RE HIRING www.BishopFox.com Careers@BishopFox.com VISIT US ONLINE TO FIND OUT MORE

31. THANK YOU

CactusCon 2018 - Anatomy of an AppSec Program

Recommended

Recommended

More Related Content

What's hot

What's hot (12)

Similar to CactusCon 2018 - Anatomy of an AppSec Program

Similar to CactusCon 2018 - Anatomy of an AppSec Program (20)

More from Bishop Fox

More from Bishop Fox (20)

Recently uploaded

Recently uploaded (20)

CactusCon 2018 - Anatomy of an AppSec Program