Join Us: https://www.linkedin.com/company/application-security-virtual-meetups
Future-Proofing Your Application Security Strategy
Tanya Janca
What are we going to talk about today?
1. Current AppSec challenges and trends
   a. Increase in the number of cyber attacks
   b. Growing attack surface
   c. Adoption of DevSecOps
   d. Automation and AI
2. The importance of Application Security
   a. Planning a strategy & its execution
   b. Risk assessment
   c. Automation & Remediation
   d. DevSecOps processes
   e. Continuous education and training
3. Creating a proactive AppSec strategy
Tanya Janca
❖ CEO & Founder @ We Hack Purple
❖ AKA @SheHacksPurple
❖ Author: Alice and Bob Learn Application Security
❖ 25+ years in tech, Sec + Dev
❖ Advisor: Aiya Corp, CloudDefense.AI, Nord VPN
❖ Blogger, Podcaster, Streamer, Builder, Breaker
❖ Faculty at IANs Research
❖ Nerd at Large
The Importance of Application Security
@WeHackPurple
@SheHacksPurple
Application Security is every action you take towards ensuring the software that you (or someone else) create is secure.
This can mean:
a. A formal secure code review
b. Hiring someone to come in and perform a penetration test
c. Updating a framework
These practices do not need to be extremely formal; they just need to have the goal of making your systems more secure.
Insecure software is the #1 cause of data breaches
According to the Verizon Breach Reports, insecure software is the cause of approximately 30-40% of breaches, year after year.
Application Security: Current Trends
The DevSecOps market is growing in size and importance
According to Verified Market Research: the DevSecOps market size was valued at USD 3.73 Billion in 2021 and is projected to reach USD 41.66 Billion by 2030, growing at a CAGR of 30.76% from 2022 to 2030.
Automation and AI are being used to streamline AppSec processes, such as vulnerability scanning and patching, and to reduce the risk of human error.
According to a survey conducted by IBM, 93% of organizations said they use, or are considering using, AI to enhance their security posture.
Increased adoption of cloud and mobile technologies
a. 94% of enterprises use cloud services
b. 48% of businesses choose to store their most important data in the cloud
c. As of 2022, the global cloud computing industry has a market size of $480.04 B
Application Security: Challenges
The adoption of cloud computing has significantly increased the cyber attack surface for organizations.
Sensitive data is no longer confined to the organization's environment and is accessible over the internet, creating new entry points for attackers.
Cyber crime is on the rise
According to Cybersecurity Ventures: the cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025 - that is 4x the size of France's GDP!
*The predicted world GDP for 2023 is 112.65 trillion, making cyber crime 7.1% of the world's total
In 2022, global cyber attacks increased by 38%
Creating a proactive Application Security Strategy
Need for creating a comprehensive AppSec strategy that aligns with business goals and objectives
Your AppSec strategy should include a combination of:
a. Vulnerability assessments
b. Penetration testing
c. Secure coding practices
d. Incident response plans
This helps organizations prioritize security measures based on the risk to critical business functions, data and assets.
Future-Proof AppSec strategy checklist

Risk assessment
● Step 1: Perform inventory
● Step 2: Build a software bill of materials (SBOM)
● Step 3: Threat modeling
● Step 4: Find vulnerabilities (pen testing; also consider SAST, DAST, and IAST tools)

Automation & Remediation
● Define and track remediation metrics
● Use automation and context to determine which vulnerabilities pose a real threat
● Implement remediation guidelines and tooling

DevSecOps Processes
● Define security requirements pre-build
● Empower developers to perform security testing during development
● Set agreed rules for governance and remediation

Developer training
● Identify security champions
● Establish training programs
● Embed incentives for effective security testing throughout the SDLC
Risk Assessment Step 1: Perform inventory
Inventory is the first step, because you need to KNOW what you have to properly test, monitor, and patch it. If it goes on the web, you need to know about it!
According to the Verizon 2021 Data Breach Investigations Report: 43% of data breaches involve web applications.
*Taking proper inventory can help reduce your risk of such incidents
Risk Assessment Step 2: Build a software bill of materials (SBOM)
Using an SBOM can decrease risks of software supply chain attacks.
An SBOM provides a snapshot of all libraries, code packages, and other third-party components used to create a software application.
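An added example (not part of the talk or We Hack Purple's material) of what the SBOM snapshot makes possible: a constructed CycloneDX-style document is checked against a constructed advisory list, so affected third-party components are found from the inventory alone. All package names, versions and advisory ids below are made up.

```python
"""Check a CycloneDX-style SBOM against an advisory list.

Added example. The package names, versions and advisory ids are all made up;
the CycloneDX field names (components, purl, version) and the purl layout are
the only real structure relied on.
"""
import json
from typing import Dict, List, Tuple

# Constructed SBOM in CycloneDX JSON form, reduced to the fields used here.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "acme-json", "version": "1.4.2",
     "purl": "pkg:pypi/acme-json@1.4.2"},
    {"type": "library", "name": "acme-auth", "version": "3.0.0",
     "purl": "pkg:pypi/acme-auth@3.0.0"},
    {"type": "library", "name": "acme-templating", "version": "0.9.7",
     "purl": "pkg:npm/acme-templating@0.9.7"}
  ]
}
"""

# Constructed advisories: package (purl without version) -> [(first fixed
# version, advisory id)]. A component is affected when it is older than the fix.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "pkg:pypi/acme-json": [("1.5.0", "ADV-EXAMPLE-0001")],
    "pkg:pypi/acme-auth": [("2.9.9", "ADV-EXAMPLE-0002")],   # fix already present
    "pkg:npm/acme-templating": [("1.0.0", "ADV-EXAMPLE-0003")],
}


def version_key(version: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2): compare numerically so 1.10 is newer than 1.9."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:pypi/name@1.2.3' -> ('pkg:pypi/name', '1.2.3'); purl qualifiers are not handled."""
    base, _, version = purl.rpartition("@")
    return base, version


def affected_components(sbom_json: str,
                        advisories: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """(package, installed version, advisory id) for each component older than its fix."""
    sbom = json.loads(sbom_json)
    hits: List[Tuple[str, str, str]] = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue                       # no identifier: cannot be matched, review by hand
        base, version = split_purl(purl)
        for first_fixed, adv_id in advisories.get(base, []):
            if version_key(version) < version_key(first_fixed):
                hits.append((base, version, adv_id))
    return hits


if __name__ == "__main__":
    for base, version, adv in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{base}@{version} is affected by {adv}")
```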
Risk Assessment Step 3: Threat Modeling
The purpose of threat modeling: to assess possible threats to your system, do your best to mitigate them, and if it's not possible, to lessen or manage the risks.
Steps for threat modeling:
a. Have a representative from each stakeholder group involved
b. Identify risks to the system
c. Evaluate each risk
d. Mitigate, reduce, manage, or accept each risk
Risk Assessment Step 4: Find Vulnerabilities
Security testing should be conducted on a regular basis, ideally as part of the organization's software development lifecycle (SDLC), to ensure the applications and systems are secure from the outset.
Build customer trust by demonstrating your commitment to proactive security.
Automate and Remediate
Automation can help reduce the time required to analyze and triage vulnerabilities, enabling teams to focus on remediation rather than time-consuming manual tasks.
According to a 2020 report by Forrester Consulting: automating vulnerability remediation can reduce the risk of a data breach by up to 6 times, compared to manual remediation.
DevSecOps Processes
Empower developers to perform security testing during the early stages of development.
According to the 2020 Cost of a Data Breach report conducted by IBM: incorporating security early in the SDLC can lead to a reduction of up to 90% in the cost of addressing security issues.
Investing in Developer Training and Education
68% of organizations state that their employees are the weakest link in their security strategy.
Providing AppSec training and education to developers can lead to improved collaboration between security and development teams, resulting in fewer data breaches and more secure, high-quality code.
Audience Q&A
How to Contact Us!
Website: www.wehackpurple.com
Email: Info@wehackpurple.com
Twitter: @WeHackPurple
LinkedIn: www.linkedin.com/company/wehackpurple
Community: www.community.wehackpurple.com
Newsletter: www.newsletter.wehackpurple.com
We Hack Purple
Thank You!
The Significant ROI of Shifting AppSec Testing Left
Gadi Bashvitz
AppSec challenges
- Health info for 1 million patients stolen using critical GoAnywhere vulnerability
- Report: Overwhelming majority of codebases have open source vulnerabilities, half deemed high-risk
- Firms fear software stack breach as attack surface widens
- Ransomware attackers finding new ways to weaponize old vulnerabilities
- IoT, connected devices biggest contributors to expanding application attack surface
- T-Mobile API Breach – What Went Wrong?
Key AppSec Challenge: Disproportionate resources
Security professionals are outnumbered 500 to one by Developers*
* GitHub Security Lab
Organizations report one Security Architect for every 159 Developers**
** Building Security In Maturity Model (BSIMM) 11
AGILE DEV. HAPPENED AND THEN…
Before (Agile Dev.):
- 6-12 months release cycles
- Critical security issues wait a minimum of 4 months for a patch
- Endless manual PenTesting cycles
- The upside? Security is in sync with development speed
After (DevOps):
- Multiple builds every day
- P/T can't handle scanning of all releases
- The Result: 100s of releases a year go untested
Shifting Approach
The answer is a Shift Left Dynamic AppSec Testing
Developers: Execution
- Iterative & automated scanning in SDLC
- Security baked into sprint planning
- Increased velocity of releases
AppSec: Governance & Validation
- Testing & remediation guidelines
- More focus on educating champions
- Freeing of resources for business critical tasks
[Pipeline diagram: BRIGHT vs LEGACY DAST. Stages: CODE CHANGE, COMMIT, BUILD, PR, CI/CD, UAT, PROD. Test lanes: UNIT TESTS, INTEGRATION TEST, FUNCTIONAL TEST, VERIFICATION TEST, each listing the same checks (XSS, OSI, LFI, SQLi, SSRF, SECURITY HEADERS, TLS/SSL SECURITY). Lane owners shown: Developers, Developers/QA, QA/AppSec.]
The case for dev-centric DAST - iterative in the SDLC
AppSec's role in a developer-centric enterprise testing environment:
Provide strategy, guidance, governance & validation
- What to scan
- What tests to perform and at what SDLC stage
- When to fail a build
Provide Application Security visibility to the Org. (trends, team benchmarks, exposure levels)
- How Many New Vulnerabilities Are Introduced?
- At What Stage of the SDLC Are We Able to Find Them?
- How Quickly Are They Resolved?
- Application Specific Security Posture
- Dev. Teams Security Benchmarks
Measuring ROI
The Increasing Cost of Fixing Flaws Later in the SDLC (National Institute of Standards and Technology, NIST):
- 1x  Requirements / Architecture
- 5x  Coding
- 10x Integration / Component Testing
- 15x System / Acceptance Testing
- 30x Production / Post-Release
This increases to up to 60x more in the case of security defects!
Early Detection = Cheaper (faster) Fix
Testing variance
                                                            USING LEGACY DAST   USING DEV-CENTRIC DAST
% of orgs knowingly pushing vulnerable apps & APIs to prod   86%                 <50%
Time to remediate >Med vulns in prod                         280 days            <150 days
% of >Med vulns detected in CI, or earlier                   <5%                 ~55%
Dev time spent remediating vulns                             -                   Up to 60X faster
Happiness level of Engineering & AppSec teams                -                   Significantly improved
Average cost of Data Breach (US)                             $7.86M              $7.86M
Enjoying the Benefits
Benefits of Shift Left AppSec
- Significantly decrease time to remediate vulnerabilities in production
- Dramatically cut the % of vulnerable apps and APIs pushed to production
- Skyrocket the % of vulnerabilities detected in CI or earlier
- Measurably increase developer productivity
- Maximise attack surface coverage
- Tangibly reduce security and technical debt
Key Benefits of a Developer-Centric DAST Solution
- Reduced remediation costs: Early identification lowers fixing costs by preventing expensive, late-stage code refactoring or architectural changes.
- Improved security posture: increase security by identifying and remediating a wider range of vulnerabilities, reducing risks and potential reputational damage.
- Faster time-to-market: Integrating testing in the dev process accelerates release cycles, fostering competitive advantages and revenue growth.
- Automation & scalability: Enable automated, scalable security testing, reducing manual effort and enhancing overall application security.
- Better compliance: Comprehensive DAST solutions support regulatory and industry compliance, minimizing the risk of financial penalties and reputational harm.
- More informed decision-making: Robust reporting and admin features empower AppSec teams to optimize security testing and resource allocation through data-driven insights.
About Bright
FOUNDED: 2018
HEADQUARTERS: San Francisco, CA
OUR MISSION: Bright's mission is to enable organizations to ship secure Applications and APIs at the speed of business
SERIES A: US$ 20M
RECOGNITION: ISO 27701
Scaling Developer-Centric DAST for the Enterprise
Thank you!
TOOLBOX TURMOIL – GETTING MORE VALUE FROM APPSEC SCANNERS
By Josh Grossman
CTO, Bounce Security
Getting more value from AppSec scanners
@JoshCGrossman | https://appsecg.host
Josh Grossman
■ Over 15 years of IT and Application Security, IT Risk and development experience
■ CTO for Bounce Security, value-driven Application Security support
■ Consulting and training for clients internationally and locally
■ Contact:
  – @JoshCGrossman
  – josh@bouncesecurity.com
  – https://joshcgrossman.com/
■ OWASP Israel Chapter Board
■ Co-leader of the OWASP ASVS Project
■ Major Contributor to the OWASP Top Ten Proactive Controls project
■ Contributor to:
  – OWASP Top 10 Risks
  – OWASP JuiceShop
Why are we here?
The challenges:
■ Hard to understand the tools
■ Complex, time intensive processes
■ Lots of findings
■ Insufficient documentation and resources
Introduction
Testing tools overview
■ Software Composition Analysis (SCA)
  – Automatically finds vulnerabilities in library code (at coding time)
■ Static Application Security Testing (SAST)
  – Automatically finds vulnerabilities in our code (at coding time)
■ Dynamic Application Security Testing (DAST)
  – Automatically finds vulnerabilities in our code (at run time)
Introduction
Topics
How does the tool work?
• How can I get a scan?
• Usability/Interface
• Steering the tool
How am I using the tool?
• Measuring Performance
• Everyone’s invited
• Management Buy-in
How am I fixing issues?
• Phased rule-set
• Strategic Remediation
• Accidentally unexploitable
How does the tool work?
How can I get a scan?
What does it take to get a scan?
■ Uncompiled code?
■ Compilable code?
■ Compiled binaries?
■ How much special treatment?
■ Running code?
Usability/Interface
■ Filtering to give user the correct view
■ Flexible reporting to help with your KPIs
■ Good explanatory text
■ Code flows (if relevant)
■ Need to use the UI for auditing findings (at least at the start)
Steering the tool (DAST)
■ How to navigate your application
– List of links
– Browser add-in
– Postman file
– Swagger/OpenAPI file
– Full Requests log (e.g. HAR file)
■ Results in coverage
■ Needs to be updated
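An added example, not from the talk, of the coverage point above: a constructed OpenAPI document is compared against a constructed HAR capture (two of the seed formats listed) and the declared operations the recorded session never exercised are reported; the server URL and endpoints are invented for the example.

```python
"""Coverage check for a DAST seed: OpenAPI operations vs. a HAR capture.

Added example. The OpenAPI document, server URL and HAR entries are constructed.
"""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}
Operation = Tuple[str, str]  # (METHOD, path template as written in the spec)

# Constructed OpenAPI 3 document, reduced to the fields the check needs.
OPENAPI = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://app.example.test/api"}],
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{id}": {"get": {}, "delete": {}},
        "/orders": {"get": {}},
        "/orders/{id}/refund": {"post": {}},
    },
}

# Constructed HAR capture: what the recorded browser session actually requested.
HAR = {
    "log": {
        "entries": [
            {"request": {"method": "GET", "url": "https://app.example.test/api/users"}},
            {"request": {"method": "GET", "url": "https://app.example.test/api/users/42?expand=1"}},
            {"request": {"method": "POST", "url": "https://app.example.test/api/users"}},
            {"request": {"method": "GET", "url": "https://app.example.test/static/app.js"}},
        ]
    }
}


def spec_operations(spec: dict) -> Set[Operation]:
    """Every (METHOD, path) pair the API declares."""
    ops: Set[Operation] = set()
    for path, item in spec["paths"].items():
        for method in item:
            if method.lower() in HTTP_METHODS:
                ops.add((method.upper(), path))
    return ops


def template_regex(path_template: str) -> "re.Pattern[str]":
    """'/users/{id}' matches '/users/42' but not '/users/42/orders'."""
    parts = []
    for seg in path_template.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append(r"[^/]+")       # one path parameter = one segment
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


def har_requests(har: dict, base_url: str) -> List[Operation]:
    """(METHOD, path relative to base_url) for each captured request under the API base."""
    base = urlsplit(base_url)
    seen: List[Operation] = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        if url.netloc != base.netloc or not url.path.startswith(base.path + "/"):
            continue                     # static assets, third parties, other hosts
        seen.append((req["method"].upper(), url.path[len(base.path):]))
    return seen


def coverage(spec: dict, har: dict) -> Dict[str, object]:
    """Which declared operations the seed reaches, and which it misses."""
    declared = spec_operations(spec)
    matchers = {op: template_regex(op[1]) for op in declared}
    covered: Set[Operation] = set()
    for method, path in har_requests(har, spec["servers"][0]["url"]):
        for op, rx in matchers.items():
            if op[0] == method and rx.match(path):
                covered.add(op)
    missing = sorted(declared - covered)  # a stale or partial seed shows up here
    pct = round(100 * len(covered) / len(declared), 1) if declared else 0.0
    return {"declared": len(declared), "covered": len(covered), "percent": pct, "missing": missing}


if __name__ == "__main__":
    report = coverage(OPENAPI, HAR)
    print(f"{report['covered']}/{report['declared']} operations seeded ({report['percent']}%)")
    for method, path in report["missing"]:
        print("not covered:", method, path)
```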
How am I using the tool?
Measuring performance
■ Assessing tool performance:
  – Quality of data from vendor (SCA)
  – Time to perform scans
  – Coverage
  – Accuracy
■ Assessing our performance:
  – Ability to fix compared to target
  – New and Fixed issues split out
  – Categories of issues to drive training
  – Issue recurrence
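An added example, not from the talk, of the "assessing our performance" metrics listed above: three constructed scan runs are diffed into new, fixed and carried-over findings, recurrences are spotted, time-to-fix is compared against a target, and categories are counted as the training signal. The fingerprint format (rule, file, line) and every finding are assumptions.

```python
"""Scan-to-scan metrics: new/fixed split, recurrence, fix time vs. target, categories.

Added example. SCANS is constructed; the fingerprint (rule, file, line) is an
assumption about how a tool identifies the same finding across runs.
"""
from collections import Counter
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

Finding = Tuple[str, str, int]  # (rule category, file, sink line)
Scan = Tuple[date, Set[Finding]]

# Constructed history: three monthly scans of the same codebase.
SCANS: List[Scan] = [
    (date(2023, 3, 1), {("sqli", "orders.py", 88), ("xss", "views.py", 12),
                        ("path-traversal", "files.py", 40)}),
    (date(2023, 4, 1), {("sqli", "orders.py", 88), ("xss", "views.py", 12),
                        ("xss", "admin.py", 77)}),
    (date(2023, 5, 1), {("xss", "views.py", 12), ("path-traversal", "files.py", 40),
                        ("xss", "admin.py", 77), ("ssrf", "fetch.py", 5)}),
]


def diff_scans(prev: Set[Finding], curr: Set[Finding]) -> Tuple[Set[Finding], Set[Finding], Set[Finding]]:
    """Split one transition into (new, fixed, carried over) rather than a raw total."""
    return curr - prev, prev - curr, prev & curr


def recurrences(scans: List[Scan]) -> Set[Finding]:
    """Findings that were reported, disappeared in a later scan, then came back.

    A 'new' finding that is really a recurrence points at a fix that was reverted
    or only papered over, which a plain new/fixed diff would hide.
    """
    seen: Set[Finding] = set()
    closed: Set[Finding] = set()
    reopened: Set[Finding] = set()
    for _, findings in scans:
        reopened |= findings & closed
        closed = (closed | (seen - findings)) - findings
        seen |= findings
    return reopened


def fix_times(scans: List[Scan]) -> Dict[Finding, Optional[int]]:
    """Days from first report to the first scan without the finding (None = still open)."""
    first_seen: Dict[Finding, date] = {}
    fixed_after: Dict[Finding, int] = {}
    for when, findings in scans:
        for f in findings:
            first_seen.setdefault(f, when)
        for f, since in first_seen.items():
            if f not in findings and f not in fixed_after:
                fixed_after[f] = (when - since).days
    return {f: fixed_after.get(f) for f in first_seen}


def fix_rate_vs_target(scans: List[Scan], target_days: int) -> Tuple[int, int]:
    """(findings fixed within target, findings fixed at all): the 'ability to fix' number."""
    times = [d for d in fix_times(scans).values() if d is not None]
    return sum(1 for d in times if d <= target_days), len(times)


def category_counts(scans: List[Scan]) -> Counter:
    """Distinct findings per rule category: the categories to aim training at."""
    ever: Set[Finding] = set().union(*(findings for _, findings in scans))
    return Counter(f[0] for f in ever)


if __name__ == "__main__":
    for (d0, a), (d1, b) in zip(SCANS, SCANS[1:]):
        new, fixed, carried = diff_scans(a, b)
        print(f"{d0} -> {d1}: new={len(new)} fixed={len(fixed)} carried={len(carried)}")
    print("recurring:", recurrences(SCANS))
    print("fixed within 45 days:", fix_rate_vs_target(SCANS, 45))
    print("by category:", category_counts(SCANS).most_common())
```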
Everyone’s invited
Roles
Who will implement the process?
• Someone familiar with the tool/processes
• Need management buy in
Who will run/maintain the scan?
• More like DevOps type of work
• Focus on pipeline and automation
Who will fix issues?
• Should be developer or architect
• Ideally familiar with the system component
Who will review/prioritize results?
• Someone with some AppSec understanding
• Also needs to understand the codebase
Management buy-in
■ None of this will happen “bottom up”
■ People want to do their job, as set by management
■ Need buy-in to make this happen
■ Need clear objectives with defined metrics
■ Verified on a periodic basis
■ Non-compliance triggers exception process
■ Exception must not become the norm
Image: https://commons.wikimedia.org/wiki/File:Tape_measure_colored.jpeg
How am I fixing issues?
Phased rule-set
■ Turning on all rules leads to too many findings
■ Don't want overwhelmed/upset developers...
■ Need a plan for gradually introducing rules.
■ Which findings get you the best signal/noise ratio?
■ Which findings are highest risk:
  – Based on the tool's assessment
  – Based on your application's risk profile
■ Blend of:
  – Easy to fix
  – Hard to fix
Strategic Remediation
Centralize functionality
■ Potentially dangerous feature being used all over the app?
■ Centralize it to one place and wrap it
■ Findings only appear in one place
■ Controls only needed in one place…
  – …and this is the correct approach to begin with!
Image: https://commons.wikimedia.org/wiki/File:Vintage_telephone_switchboard_(49467795397).jpg
Replacing functionality
■ Swap existing, insecure functionality with a secure alternative?
■ For example:
  – Replace database text queries with an ORM
  – Replace built-in Authentication/Authorization with an external component
  – Move local secrets handling to a dedicated secrets management solution
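An added example, not the speaker's code, of the centralize-and-wrap pattern from the previous slide together with the "replace database text queries" item above: every query runs through one hypothetical gateway function that refuses inlined string literals (so values must be bound as parameters), and a small audit reports any source file that still calls the driver's execute() outside that gateway. The module name db_gateway, the schema, the policy and the sample source tree are all constructed.

```python
"""Centralize SQL behind one gateway and audit that nothing bypasses it.

Added example. 'db_gateway' is a hypothetical module name; the schema, the
sample source files and the policy (no string literals in SQL text) are
assumptions for this example, not the speaker's code.
"""
import re
import sqlite3
from typing import Any, Dict, List, Tuple

# ---- the one place SQL is allowed to run: the gateway ----------------------

def is_parameterised(sql: str) -> bool:
    """Policy: SQL text carries no string literal, so every value must be bound.

    Deliberately blunt: even constants such as status = 'active' go through
    params, which keeps the rule simple enough to enforce at one choke point.
    """
    return "'" not in sql


def run_query(conn: sqlite3.Connection, sql: str, params: Tuple[Any, ...] = ()) -> List[Tuple]:
    """Every query in the application goes through here, so the scanner sees one sink."""
    if not is_parameterised(sql):
        raise ValueError("inline literal in SQL; bind it via params instead: " + sql)
    return conn.execute(sql, params).fetchall()


def find_user(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """A caller written the intended way: placeholder in the text, value in params."""
    return run_query(conn, "SELECT id, username FROM users WHERE username = ?", (username,))


def demo_connection() -> sqlite3.Connection:
    """In-memory database with constructed rows (schema setup counts as gateway code)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn

# ---- architecture guard: findings should only ever appear in the gateway ---

DIRECT_EXECUTE = re.compile(r"\.(execute|executemany|executescript)\s*\(")


def audit_direct_sql(sources: Dict[str, str], gateway_module: str) -> List[Tuple[str, int]]:
    """(file, line) for every execute() call outside the gateway module.

    Run this in CI: a hit is a code path the one central control does not
    cover, and a place where the scanner will keep raising findings.
    """
    hits: List[Tuple[str, int]] = []
    for path, text in sources.items():
        if path == gateway_module:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            if DIRECT_EXECUTE.search(line):
                hits.append((path, lineno))
    return hits


# Constructed source tree: one legacy file still builds SQL by hand and calls
# the driver directly, bypassing the gateway.
SOURCES: Dict[str, str] = {
    "db_gateway.py": "def run_query(conn, sql, params=()):\n"
                     "    return conn.execute(sql, params).fetchall()\n",
    "reports.py": "rows = db_gateway.run_query(conn, \"SELECT id FROM users WHERE username = ?\", (name,))\n",
    "legacy_export.py": "import sqlite3\n"
                        "cur = conn.execute(\"SELECT * FROM users WHERE username = '\" + name + \"'\")\n",
}


if __name__ == "__main__":
    conn = demo_connection()
    print(find_user(conn, "alice"))
    print("bypasses the gateway:", audit_direct_sql(SOURCES, "db_gateway.py"))
```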
Accidentally unexploitable
A data-processing step that unintentionally stops exploitation:
■ Data Validation – cast to numeric, low minimum length
■ Data Basketing – SAST tool confused between item elements (e.g. array)
■ Data Mangling – Data being transformed, e.g. hashing
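An added example, not from the talk, of how a reviewer can confirm three of the cases above (numeric cast, basketing, hashing; the length limit is not modelled): the transformation the tool modelled between source and sink is run on a probe string of metacharacters, and a finding stays "exploitable" only if those characters survive to the sink. The finding names, the transforms and the probe set are constructed.

```python
"""Confirm an 'accidentally unexploitable' SAST finding by exercising the flow.

Added example, not from the talk. The finding names and the transforms are
constructed; METACHARS is a small constructed set to extend per sink class.
"""
import hashlib
from typing import Callable, List, Tuple

METACHARS = set("'\"<>;|`$")          # syntax an injection at a typical sink depends on
PROBE = "a" + "".join(sorted(METACHARS))


def reaches_sink(transform: Callable[[str], object], probe: str = PROBE) -> bool:
    """Does attacker-controlled syntax survive the source-to-sink transformation?

    The transform is the code the tool modelled between taint source and sink.
    If it raises on the probe, or its output keeps none of the metacharacters,
    the reported flow cannot carry an injection payload.
    """
    try:
        out = transform(probe)
    except (ValueError, TypeError):
        return False                    # input rejected before reaching the sink
    return any(ch in str(out) for ch in METACHARS)


# ---- the three slide cases, each written as the app really handles the value ----

def cast_to_numeric(value: str) -> int:
    """Data Validation: the value is an int by the time it reaches the query."""
    return int(value)


def hash_before_use(value: str) -> str:
    """Data Mangling: only a hex digest reaches the sink."""
    return hashlib.sha256(value.encode()).hexdigest()


def basketed_constant(value: str) -> str:
    """Data Basketing: the tool tainted the whole list, but the sink reads element 1."""
    record = [value, "status=active"]   # element 0 is tainted, element 1 is a constant
    return record[1]


def passthrough(value: str) -> str:
    """A genuinely exploitable flow, for contrast: nothing sits between source and sink."""
    return value


FINDINGS: List[Tuple[str, Callable[[str], object]]] = [
    ("orders.py:88 sqli", cast_to_numeric),
    ("audit.py:12 sqli", hash_before_use),
    ("search.py:40 sqli", basketed_constant),
    ("legacy.py:7 sqli", passthrough),
]


def triage(findings: List[Tuple[str, Callable[[str], object]]]) -> List[Tuple[str, str]]:
    """Attach a verdict to each finding from its source-to-sink transform."""
    return [(name, "exploitable" if reaches_sink(fn) else "accidentally unexploitable")
            for name, fn in findings]


if __name__ == "__main__":
    for name, verdict in triage(FINDINGS):
        print(f"{name}: {verdict}")
```

Findings that come out as "accidentally unexploitable" are worth keeping at low priority rather than deleting, since the protection is incidental and a later refactor can remove it.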
Summary
How does the tool work?
• How can I get a scan?
• Urgent issues
• Usability/Interface
• Steering the tool
How am I using the tool?
• Measuring Performance
• Everyone’s invited
• Management Buy-in
How am I fixing issues?
• Phased rule-set
• Strategic Remediation
• Accidentally unexploitable
Want to hear more?
Course at Black Hat USA – 7th/8th August 2023
https://appsecg.host/bhreg
THANKS!
Josh Grossman
Bounce Security
josh@bouncesecurity.com
https://JoshCGrossman.com
https://appsecg.host
@JoshCGrossman
KEY TAKEAWAYS:
• Understand how a tool matches your needs
• Customize to your processes
• Take a methodical approach to triage and mitigation
Long Term Cost Effectiveness
Enterprise Application Security
Naore Azenkut, CTO
Agenda
● Story Time!
● New Threats
● Hidden Costs of Defence
● AI Driven Native Application Security
● Case Study
● Takeaways
Story Time!
● Trusty Insurance - a growing agency
● Data being sold online
● Discovered a Data leak: critical customer data
● Investigation
Trusty Insurance
● Possible sources: Outsider? Departing employee? Human error?
● Breach traced back to Avivit
● Sensitive stolen data on her PC
● Is Avivit going to jail?
Trusty Insurance
● SMS link (phishing)
● The attacker leveraged AI (an LLM) to generate a convincing SMS
● The attacker gained full access to the Salesforce account
● Game over (:
Trusty Insurance - Outcomes
● Loss of business to competitors and eroded customer trust
● Weeks between incident and discovery
● One user mistake -> huge company-wide impact
● Legacy application security approaches are ineffective and cost prohibitive
Just Avoid Phishing?
The O.M.G Cable
● Gives an attacker remote control of your PC
● Internal Bluetooth and Wi-Fi
● Command execution and remote shell
● Keystroke injection, mouse injection, self destruct and much more
● Low cost and widely available
https://shop.hak5.org/products/omg-cable
The Human Factor (Israel National Cyber Directorate, 2022)
Categories: Human error, Negligence, Malicious
● Admin views sensitive data without consent
● Departing employee exports sensitive data
● Partner leaves an open door
● Outsider accessing your account
Root Cause For Breaches?
Attackers
● Exploit Legitimate Users
● Sophisticated
Defence is
● Resource Intensive
● Business Impacting
Solution & Alternative Title (:
AI disruption in the Application Security Space
Emerging Paradigm
Native, Simple & Cost Effective
Automating Security & Customer Trust
Application Native Security
Definition: a security solution that runs natively at the application layer of the cloud provider, within the customer's control and context. Ideally, AI and a rule engine are included.
● Solving for the human factor is hard
● Innovative emerging approaches enable huge cost savings
● Understanding user behaviour in the application context enables precise AI anomaly detection & prevention
● Complements network and endpoint protection
Case Study - Enterprise Financials
Enterprising Financial inc.
● Large Financial Services Enterprise
● Heavy internal & external compliance
● Green field public cloud, Salesforce CRM deployment
● Full Customer 360 Data on cloud
● Complex IT landscape
● Lots of users and attack surface
Enterprising Financial inc. - Understood the Risk
[Diagram series; only the labels are recoverable: On Premise, VPN, ?]
Enterprising Financial inc.
Classic
● Inline / API Mode CASB
● Scaling Issues
● Hundreds of Monitoring APIs
● DIY Prevention & Incident Playbook
● High Implementation Complexity
● Protecting devices and networks
Native Platform Security
● Single Monitoring API
● Scales with vendor
● Automated Controlled Prevention and Playbook
● Protecting Data at the Application
● Low implementation complexity
● Deep User & Application context and AI driven analysis
Enterprising Financial inc.
Classic
Build > 1.2M$ / Yearly Cost > 200K$
● 3-6 Months to setup
● Consultants and Implementation Fees
● Hidden headcount cost
● High Subscription Fees
● Business Challenge (Mobile, B2C)
● Slows Business TTM
● High Maintenance
Native Platform Security
Build - < 15K$ / Yearly Cost ~ 20K$
● 3-6 Days to setup
● Organization Independence
● Minimal ongoing internal effort
● Reduced Subscription Fees
● Business Enabler (Mobile, B2C)
● Adapts to Business TTM
● Very Low Maintenance
Key Takeaways
Book a Demo, or connect with us with any question
Mike Partush, Co-Founder & CEO
Naore Azenkut, Co-Founder & CTO
Cloud Application Security is…
● Attackers leverage AI, companies become more vulnerable to the human factor
● Traditionally resource intensive, high TCO, limited protection
● Native Security & AI reduce TCO, TTM and secure data at the application level
Work with us
enforce.one
Thank You!
Questions?
To be continued…
https://www.linkedin.com/company/application-security-virtual-meetups

The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
lior mazor
 
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptxSailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
lior mazor
 
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptxThe Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
lior mazor
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
lior mazor
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
lior mazor
 
Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022
lior mazor
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
lior mazor
 
User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022
lior mazor
 
Securing and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 bSecuring and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 b
lior mazor
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
lior mazor
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
lior mazor
 
Application security meetup data privacy_27052021
Application security meetup data privacy_27052021Application security meetup data privacy_27052021
Application security meetup data privacy_27052021
lior mazor
 

More from lior mazor (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
The Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdfThe Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdf
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptxWhy 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
 
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptxSailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
 
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptxThe Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
 
User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022
 
Securing and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 bSecuring and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 b
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
 
Application security meetup data privacy_27052021
Application security meetup data privacy_27052021Application security meetup data privacy_27052021
Application security meetup data privacy_27052021
 

Recently uploaded

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 

Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx

  • 3. What are we going to talk about today?
    1. Current AppSec challenges and trends
       a. Increase in the number of cyber attacks
       b. Growing attack surface
       c. Adoption of DevSecOps
       d. Automation and AI
    2. The importance of Application Security
    3. Creating a proactive AppSec strategy
       a. Planning a strategy & its execution
       b. Risk assessment
       c. Automation & Remediation
       d. DevSecOps processes
       e. Continuous education and training
  • 4. Tanya Janca
    ❖ CEO & Founder @ We Hack Purple
    ❖ AKA @SheHacksPurple
    ❖ Author: Alice and Bob Learn Application Security
    ❖ 25+ years in tech, Sec + Dev
    ❖ Advisor: Aiya Corp, CloudDefense.AI, Nord VPN
    ❖ Blogger, Podcaster, Streamer, Builder, Breaker
    ❖ Faculty at IANs Research
    ❖ Nerd at Large
  • 5. The Importance of Application Security (@WeHackPurple, @SheHacksPurple)
  • 6. Application Security is every action you take towards ensuring the software that you (or someone else) create is secure. This can mean:
       a. A formal secure code review
       b. Hiring someone to come in and perform a penetration test
       c. Updating a framework
    These practices do not need to be extremely formal; they just need to have the goal of ensuring your systems are more secure.
  • 7. Insecure software is the #1 cause of data breaches. According to the Verizon Breach Reports, insecure software is the cause of approximately 30-40% of breaches, year after year.
  • 9. The DevSecOps market is growing in size and importance. According to Verified Market Research, the DevSecOps market size was valued at USD 3.73 Billion in 2021 and is projected to reach USD 41.66 Billion by 2030, growing at a CAGR of 30.76% from 2022 to 2030.
  • 10. Automation and AI are being used to streamline AppSec processes, such as vulnerability scanning and patching, and to reduce the risk of human error. According to a survey conducted by IBM, 93% of organizations said they use or are considering using AI to enhance their security posture.
  • 11. Increased adoption of cloud and mobile technologies
       a. 94% of enterprises use cloud services
       b. 48% of businesses choose to store their most important data in the cloud
       c. As of 2022, the global cloud computing industry has a market size of $480.04 B
  • 13. The adoption of cloud computing has significantly increased the cyber attack surface for organizations. Sensitive data is no longer confined to the organization's environment and is accessible over the internet, creating new entry points for attackers.
  • 14. Cyber crime is on the rise. According to Cybersecurity Ventures, the cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025 - that is 4x the size of France's GDP! (*The predicted GDP for 2023 is 112.65 trillion, making cyber crime 7.1% of the world's total.)
  • 15. In 2022, global cyber attacks increased by 38%.
  • 16. Creating a proactive Application Security Strategy (@WeHackPurple, @SheHacksPurple)
  • 17. Need for creating a comprehensive AppSec strategy that aligns with business goals and objectives. Your AppSec strategy should include a combination of:
       a. Vulnerability assessments
       b. Penetration testing
       c. Secure coding practices
       d. Incident response plans
    This helps organizations prioritize security measures based on the risk to critical business functions, data and assets.
  • 18. Future-Proof AppSec strategy checklist
    Risk assessment
       ● Step 1: Perform inventory
       ● Step 2: Build a software bill of materials (SBOM)
       ● Step 3: Threat modeling
       ● Step 4: Find vulnerabilities (pen testing, and also consider SAST, DAST, and IAST tools)
    Automation & Remediation
       ● Define and track remediation metrics
       ● Use automation and context to determine which vulnerabilities pose a real threat
       ● Implement remediation guidelines and tooling
    DevSecOps Processes
       ● Define security requirements pre-build
       ● Empower developers to perform security testing during development
       ● Set agreed rules for governance and remediation
    Developer training
       ● Identify security champions
       ● Establish training programs
       ● Embed incentives for effective security testing throughout the SDLC
  • 19. Risk Assessment step 1: perform inventory. Inventory is the first step, because you need to KNOW what you have to properly test, monitor, and patch it. If it goes on the web, you need to know about it! According to the Verizon 2021 Data Breach Investigations Report, 43% of data breaches involve web applications. *Taking proper inventory can help reduce your risk of such incidents.
  • 20. Risk Assessment Step 2: Build a software bill of materials (SBOM). An SBOM provides a snapshot of all libraries, code packages, and other third-party components used to create a software application. Using an SBOM can decrease the risk of software supply chain attacks.
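The SBOM step above, as an added example that is not part of the deck: a small Python check that parses a constructed CycloneDX-style SBOM and looks each component up in a constructed advisory list, reporting the components whose version is below the first fixed version. This is the mechanism by which an SBOM lowers supply chain risk: once the component list exists, "do we ship a vulnerable library?" becomes a lookup. The SBOM content, the package names and the advisory identifiers (ADV-EXAMPLE-*) are all made up for illustration; a real pipeline would feed a generated SBOM and a vulnerability feed into the same matching step.

```python
"""SBOM-driven dependency check (added example, not the deck's own code).

Parses a minimal CycloneDX-style SBOM and matches every component against a
constructed advisory list. All identifiers and versions below are constructed.
"""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed SBOM in the CycloneDX JSON shape (component names are made up).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "left-pad-ish", "version": "1.2.0",
     "purl": "pkg:npm/left-pad-ish@1.2.0"},
    {"type": "library", "name": "jsonparse-ish", "version": "2.4.1",
     "purl": "pkg:npm/jsonparse-ish@2.4.1"},
    {"type": "library", "name": "httpclient-ish", "version": "4.5.13",
     "purl": "pkg:maven/org.example/httpclient-ish@4.5.13?type=jar"}
  ]
}
"""

# Constructed advisories keyed by version-less purl. IDs are placeholders,
# not real CVE numbers; "fixed_in" is the first version that is not affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "purl": "pkg:npm/jsonparse-ish",
     "fixed_in": "2.5.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-2", "purl": "pkg:maven/org.example/httpclient-ish",
     "fixed_in": "4.5.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-3", "purl": "pkg:npm/never-shipped-ish",
     "fixed_in": "9.9.9", "severity": "critical"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.5.13' -> (4, 5, 13). Non-numeric characters are dropped so that a tag
    like '1.2.0-beta' compares as (1, 2, 0) instead of raising."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:npm/name@1.2.0?type=jar' -> ('pkg:npm/name', '1.2.0').
    Qualifiers ('?...') and subpaths ('#...') are dropped for matching; scoped
    npm names encode their '@' as %40, so the last '@' is the version separator."""
    base, sep, version = purl.split("#", 1)[0].split("?", 1)[0].rpartition("@")
    return (base, version) if sep else (version, "")


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Return name, version and version-less purl for every SBOM component."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    components = []
    for comp in sbom.get("components", []):
        base, purl_version = split_purl(comp.get("purl", ""))
        components.append({
            "name": comp["name"],
            # Prefer the explicit version field; fall back to the purl's version.
            "version": comp.get("version") or purl_version,
            "purl_base": base,
        })
    return components


def find_affected(components: List[Dict[str, str]],
                  advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Report every component whose version is below an advisory's fix version."""
    by_purl = defaultdict(list)
    for adv in advisories:
        by_purl[adv["purl"]].append(adv)
    affected = []
    for comp in components:
        for adv in by_purl.get(comp["purl_base"], []):
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                affected.append({"component": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "fixed_in": adv["fixed_in"]})
    return affected


if __name__ == "__main__":
    for hit in find_affected(load_components(SBOM_JSON), ADVISORIES):
        print(f"{hit['component']}@{hit['version']}: {hit['advisory']} "
              f"({hit['severity']}), upgrade to >= {hit['fixed_in']}")
```

With the constructed data only jsonparse-ish 2.4.1 is flagged (below the 2.5.0 fix), httpclient-ish 4.5.13 is already past its fix version, and the third advisory matches nothing in the SBOM, which is exactly the triage an inventory lets you do without touching the build.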
  • 21. Risk Assessment Step 3: Threat Modeling. The purpose of threat modeling is to assess possible threats to your system, do your best to mitigate them, and if that is not possible, to lessen or manage the risks. Steps for threat modeling:
       a. Have a representative from each stakeholder group involved
       b. Identify risks to the system
       c. Evaluate each risk
       d. Mitigate, reduce, manage, or accept each risk
  • 22. Risk Assessment Step 4: Find Vulnerabilities. Security testing should be conducted on a regular basis, ideally as part of the organization's software development lifecycle (SDLC), to ensure the applications and systems are secure from the outset. Build customer trust by demonstrating your commitment to proactive security.
  • 23. Automate and Remediate. Automation can help reduce the time required to analyze and triage vulnerabilities, enabling teams to focus on remediation rather than time-consuming manual tasks. According to a 2020 report by Forrester Consulting, automating vulnerability remediation can reduce the risk of a data breach by up to 6 times, compared to manual remediation.
  • 24. DevSecOps Processes. Empower developers to perform security testing during the early stages of development. According to the 2020 Cost of a Data Breach report conducted by IBM, incorporating security early in the SDLC can lead to a reduction of up to 90% in the cost of addressing security issues.
  • 25. Investing in Developer Training and Education. 68% of organizations state that their employees are the weakest link in their security strategy. Providing AppSec training and education to developers can lead to improved collaboration between security and development teams, resulting in fewer data breaches and more secure, high-quality code.
  • 27. How to Contact Us! We Hack Purple
       Website: www.wehackpurple.com
       Email: Info@wehackpurple.com
       Twitter: @WeHackPurple
       LinkedIn: www.linkedin.com/company/wehackpurple
       Community: www.community.wehackpurple.com
       Newsletter: www.newsletter.wehackpurple.com
  • 29. The Significant ROI of Shifting AppSec Testing Left - Gadi Bashvitz
  • 31.
       - Health info for 1 million patients stolen using critical GoAnywhere vulnerability
       - Report: Overwhelming majority of codebases have open source vulnerabilities, half deemed high-risk
       - Firms fear software stack breach as attack surface widens
       - Ransomware attackers finding new ways to weaponize old vulnerabilities
       - IoT, connected devices biggest contributors to expanding application attack surface
       - T-Mobile API Breach – What Went Wrong?
  • 32. Key AppSec Challenge: Disproportionate resources
       - Security professionals are outnumbered 500 to one by Developers (* GitHub Security Lab)
       - Organizations report one Security Architect for every 159 Developers (** Building Security In Maturity Model (BSIMM) 11)
  • 34. Agile Dev. – DevOps
    Before:
       - 6-12 month release cycles
       - Critical security issues wait a minimum of 4 months for a patch
       - Endless manual PenTesting cycles
       - The upside? Security is in sync with development speed
    After:
       - Multiple builds every day
       - P/T can't handle scanning of all releases
       - The Result: 100s of releases a year go untested
  • 36. The answer is Shift Left Dynamic AppSec Testing
    Developers: Execution
       - Iterative & automated scanning in the SDLC
       - Security baked into sprint planning
       - Increased velocity of releases
    AppSec: Governance & Validation
       - Testing & remediation guidelines
       - More focus on educating champions
       - Freeing of resources for business critical tasks
  • 37. [Diagram: The case for dev-centric DAST - iterative in the SDLC. Pipeline stages: Code change → Commit → Build → Commit PR → CI/CD → UAT → Prod. Test layers: Unit tests, Integration tests, Functional tests, Verification tests, each checking XSS, OSI, LFI, SQLi, SSRF, security headers and TLS/SSL security. Owners shown: Developers, Developers/QA, QA/AppSec. Bright coverage is contrasted with legacy DAST.]
  • 38. AppSec's role in a developer-centric enterprise testing environment
    Provide strategy, guidance, governance & validation:
       - What to scan
       - What tests to perform, and at what SDLC stage
       - When to fail a build
    Provide Application Security visibility to the Org. (trends, team benchmarks, exposure levels):
       - How many new vulnerabilities are introduced?
       - At what stage of the SDLC are we able to find them?
       - How quickly are they resolved?
       - Application-specific security posture
       - Dev. team security benchmarks
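As an added example, not from any of the decks, here is how the governance and visibility items on the last two slides can be made concrete over scan findings: a build gate driven by a phased rule set (only the vulnerability classes a team has agreed to enforce can fail a build; everything else is reported so it stays visible without blocking), plus the three visibility questions the slide asks. The Finding and GatePolicy shapes, the stage names (taken from the pipeline diagram), and every finding, date and policy value are constructed assumptions, not a specific tool's data model.

```python
"""Build gate and visibility metrics over scan findings (added example).

Shows a phased build gate and the three visibility questions from the slide:
how many new vulnerabilities are introduced, at what SDLC stage they are
found, and how quickly they are resolved. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional, Set

# Pipeline stages in order, as named in the deck's CI/CD diagram.
STAGES = ["commit", "build", "pr", "ci", "uat", "prod"]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    id: str
    vuln_class: str               # e.g. "sqli", "xss", "ssrf", "lfi"
    severity: str                 # a key of SEVERITY_RANK
    stage_found: str              # an entry of STAGES
    opened: str                   # ISO date the finding was first reported
    closed: Optional[str] = None  # ISO date it was verified fixed, if any


def at_least(severity: str, floor: str) -> bool:
    return SEVERITY_RANK[severity] >= SEVERITY_RANK[floor]


def percent_found_by_stage(findings, stage="ci", min_severity="medium") -> float:
    """Share of findings at or above min_severity caught at `stage` or earlier
    ("at what stage of the SDLC are we able to find them")."""
    relevant = [f for f in findings if at_least(f.severity, min_severity)]
    if not relevant:
        return 0.0
    cutoff = STAGES.index(stage)
    early = [f for f in relevant if STAGES.index(f.stage_found) <= cutoff]
    return round(100.0 * len(early) / len(relevant), 1)


def median_days_to_remediate(findings, stage="prod", min_severity="medium") -> Optional[float]:
    """Median days from report to verified fix for closed findings found at `stage`
    ("how quickly are they resolved"); None when nothing has been closed yet."""
    days = [(date.fromisoformat(f.closed) - date.fromisoformat(f.opened)).days
            for f in findings
            if f.closed and f.stage_found == stage and at_least(f.severity, min_severity)]
    return float(median(days)) if days else None


def new_findings_between(findings, start: str, end: str) -> int:
    """Findings first reported within [start, end] inclusive
    ("how many new vulnerabilities are introduced")."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    return sum(1 for f in findings if lo <= date.fromisoformat(f.opened) <= hi)


@dataclass
class GatePolicy:
    """Phased rule set (constructed shape): only enforced_classes at or above
    fail_at_or_above block the build; everything else is reported."""
    fail_at_or_above: str
    enforced_classes: Set[str]


def evaluate_build(scan: List[Finding], policy: GatePolicy) -> Dict[str, object]:
    """Decide whether the current build's scan results should fail the build."""
    blocking = [f.id for f in scan
                if f.vuln_class in policy.enforced_classes
                and at_least(f.severity, policy.fail_at_or_above)]
    reported = [f.id for f in scan if f.id not in blocking]
    return {"fail": bool(blocking), "blocking": blocking, "reported": reported}


# Constructed finding history across several releases.
HISTORY = [
    Finding("F-1", "sqli", "high", "pr", "2023-03-01", "2023-03-03"),
    Finding("F-2", "xss", "medium", "ci", "2023-03-05", "2023-03-15"),
    Finding("F-3", "security_headers", "low", "prod", "2023-02-10", "2023-03-20"),
    Finding("F-4", "ssrf", "high", "prod", "2023-01-15", "2023-04-25"),
    Finding("F-5", "lfi", "medium", "uat", "2023-03-10"),
    Finding("F-6", "sqli", "critical", "prod", "2023-02-01", "2023-03-13"),
]
# Constructed results of the current build's scan.
CURRENT_SCAN = [
    Finding("S-1", "sqli", "high", "ci", "2023-05-02"),
    Finding("S-2", "xss", "medium", "ci", "2023-05-02"),
    Finding("S-3", "ssrf", "critical", "ci", "2023-05-02"),
]
# Phase 1 enforces the injection classes only; phase 2 adds SSRF once the
# backlog it will surface has been worked down.
PHASE_1 = GatePolicy("high", {"sqli", "xss"})
PHASE_2 = GatePolicy("high", {"sqli", "xss", "ssrf"})

if __name__ == "__main__":
    print("% of >=Medium findings caught in CI or earlier:", percent_found_by_stage(HISTORY))
    print("Median days to fix >=Medium findings found in prod:", median_days_to_remediate(HISTORY))
    print("New findings in March 2023:", new_findings_between(HISTORY, "2023-03-01", "2023-03-31"))
    print("Phase 1 gate:", evaluate_build(CURRENT_SCAN, PHASE_1))
    print("Phase 2 gate:", evaluate_build(CURRENT_SCAN, PHASE_2))
```

The phased policy is the part worth copying: under PHASE_1 the critical SSRF finding S-3 is reported but does not fail the build, and only becomes blocking when the team moves to PHASE_2, so the gate can be tightened class by class instead of switching on everything at once and being ignored.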
  • 40. The Increasing Cost of Fixing Flaws Later in the SDLC 1x Requirements / Architecture 5x Coding 10 x Integration / Component Testing 15 x System / Acceptance Testing 30x Production / Post-Release This increases to up to 60x more in the case of security defects..! National Institute of Standards and Technology (NIST) Early Detection = Cheaper (faster) Fix
  • 41. USING LEGACY DAST USING DEV-CENTRIC DAST % of orgs knowingly pushing vulnerable apps & APIs to prod 86% <50% Time to remediate >Med vulns in prod 280 days <150 days % of > Med vulns detected in CI, or earlier <5% ~55% Dev time spent remediating vulns - Up to 60X faster Happiness level of Engineering & AppSec teams - Significantly improved Average cost of Data Breach (US) $7.86M $7.86M Testing variance
  • 43. Benefits of Shift Left AppSec Significantly decrease time to remediate vulnerabilities in production Dramatically cut the % of vulnerable apps and APIs pushed to production Skyrocket the % of vulnerabilities detected in CI or earlier Measurably increase developer productivity Maximise attack surface coverage Tangibly reduce security and technical debt
  • 44. Reduced remediation costs Early identification lowers fixing costs by preventing expensive, late-stage code refactoring or architectural changes. Improved security posture increase security by identifying and remediating a wider range of vulnerabilities, reducing risks and potential reputational damage. Faster time-to-market Integrating testing in the dev process accelerates release cycles, fostering competitive advantages and revenue growth. Automation & scalability Enable automated, scalable security testing, reducing manual effort and enhancing overall application security Better compliance Comprehensive DAST solutions support regulatory and industry compliance, minimizing the risk of financial penalties and reputational harm. More informed decision- making Robust reporting and admin features empower AppSec teams to optimize security testing and resource allocation through data- driven insights. Key Benefits of a Developer-Centric DAST Solution
• 46. About us: FOUNDED 2018; HEADQUARTERS San Francisco, CA; OUR MISSION: Bright's mission is to enable organizations to ship secure Applications and APIs at the speed of business; SERIES A: US$ 20M; RECOGNITION: ISO 27701
  • 47. Scaling Developer-Centric DAST for the Enterprise
• 49. TOOLBOX TURMOIL – GETTING MORE VALUE FROM APPSEC SCANNERS. By Josh Grossman, CTO, Bounce Security. Getting more value from AppSec scanners @JoshCGrossman | https://appsecg.host
• 50. Josh Grossman ■ Over 15 years of IT and Application Security, IT Risk and development experience ■ CTO for Bounce Security, value-driven Application Security support ■ Consulting and training for clients internationally and locally ■ Contact: @JoshCGrossman, josh@bouncesecurity.com, https://joshcgrossman.com/ ■ OWASP Israel Chapter Board ■ Co-leader of the OWASP ASVS Project ■ Major Contributor to the OWASP Top Ten Proactive Controls project ■ Contributor to: OWASP Top 10 Risks, OWASP JuiceShop
• 51. Why are we here? (Introduction) The challenges: ■ Hard to understand the tools ■ Complex, time intensive processes ■ Lots of findings ■ Insufficient documentation and resources
• 52. Testing tools overview (Introduction) ■ Software Composition Analysis (SCA): automatically finds vulnerabilities in library code (at coding time) ■ Static Application Security Testing (SAST): automatically finds vulnerabilities in our code (at coding time) ■ Dynamic Application Security Testing (DAST): automatically finds vulnerabilities in our code (at run time)
• 53. Topics (Introduction). How does the tool work? • How can I get a scan? • Usability/Interface • Steering the tool. How am I using the tool? • Measuring Performance • Everyone's invited • Management Buy-in. How am I fixing issues? • Phased rule-set • Strategic Remediation • Accidentally unexploitable
  • 54. How does the tool work?
• 55. How can I get a scan? (How does the tool work?) What does it take to get a scan? ■ Uncompiled code? ■ Compilable code? ■ Compiled binaries? ■ How much special treatment? ■ Running code?
• 56. Usability/Interface (How does the tool work?) Chaotic, chaotic evil
• 57. Usability/Interface (How does the tool work?) ■ Filtering to give the user the correct view ■ Flexible reporting to help with your KPIs ■ Good explanatory text ■ Code flows (if relevant) ■ Need to use the UI for auditing findings (at least at the start)
• 58. Steering the tool (DAST) (How does the tool work?) ■ How to navigate your application: – List of links – Browser add-in – Postman file – Swagger/OpenAPI file – Full requests log (e.g. HAR file) ■ Results in coverage ■ Needs to be updated
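The steering inputs above decide what the DAST tool actually covers, and an OpenAPI file goes stale while a HAR capture only shows what someone happened to click. The following is an added example, not code from the talk or from any scanner vendor: it reads a constructed OpenAPI document and a constructed HAR fragment, builds the seed list a scanner should replay, and reports which declared routes the capture never exercised and which observed routes the spec does not document. The record shapes are the standard OpenAPI 3 and HAR layouts; the scanner is assumed to accept "METHOD path" seeds.

```python
"""DAST steering input: build the request seeds a scanner should replay from an
OpenAPI file plus a HAR capture, and report what the capture did not cover.
Added example; both documents below are constructed samples, not real data."""
import json
import re
from urllib.parse import urlsplit

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Constructed OpenAPI 3 document (only the parts this example reads).
OPENAPI_DOC = json.dumps({
    "openapi": "3.0.0",
    "servers": [{"url": "https://app.example.test/api"}],
    "paths": {
        "/users/{id}": {"get": {}, "delete": {}, "parameters": []},
        "/users": {"post": {}},
        "/orders": {"get": {}},
    },
})

# Constructed HAR fragment: what a browser or proxy actually saw during a walk-through.
HAR_LOG = json.dumps({"log": {"entries": [
    {"request": {"method": "GET",  "url": "https://app.example.test/api/users/42"}},
    {"request": {"method": "GET",  "url": "https://app.example.test/api/users/43?verbose=1"}},
    {"request": {"method": "POST", "url": "https://app.example.test/api/users"}},
    {"request": {"method": "GET",  "url": "https://app.example.test/api/admin/export"}},
]}})


def openapi_routes(doc_json):
    """Declared (METHOD, path template) pairs, prefixed with the server base path."""
    doc = json.loads(doc_json)
    servers = doc.get("servers") or [{"url": "/"}]
    base = urlsplit(servers[0]["url"]).path.rstrip("/")
    routes = set()
    for path, item in doc["paths"].items():
        for key in item:
            if key.lower() in HTTP_METHODS:   # skip 'parameters', 'summary', ...
                routes.add((key.upper(), base + path))
    return routes


def har_routes(har_json):
    """Observed (METHOD, concrete path) pairs; query strings are dropped."""
    har = json.loads(har_json)
    return {(e["request"]["method"].upper(), urlsplit(e["request"]["url"]).path)
            for e in har["log"]["entries"]}


def _template_regex(template):
    """'/api/users/{id}' -> regex matching exactly one path segment per placeholder."""
    literal_parts = re.split(r"\{[^/}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literal_parts) + "$")


def coverage(declared, observed):
    """Split routes into exercised / unexercised (declared) and undocumented (observed only)."""
    matchers = {route: _template_regex(route[1]) for route in declared}
    exercised, undocumented = set(), set()
    for method, path in observed:
        hits = [r for r, rx in matchers.items() if r[0] == method and rx.match(path)]
        if hits:
            exercised.update(hits)
        else:
            undocumented.add((method, path))
    return {"exercised": exercised,
            "unexercised": declared - exercised,
            "undocumented": undocumented}


def seed_list(declared, observed):
    """Everything the scanner should request: the spec plus traffic the spec forgot."""
    extra = coverage(declared, observed)["undocumented"]
    return sorted(f"{m} {p}" for m, p in declared | extra)


if __name__ == "__main__":
    declared, observed = openapi_routes(OPENAPI_DOC), har_routes(HAR_LOG)
    for bucket, routes in coverage(declared, observed).items():
        print(bucket, sorted(routes))
    print("\n".join(seed_list(declared, observed)))
```

Run against the constructed inputs, the unexercised bucket (DELETE on a user, the orders listing) is what the walk-through needs to add before the next scan, and the undocumented admin export is the kind of route that drops out of coverage entirely when only the spec is fed to the tool.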
  • 59. How am I using the tool?
• 60. Measuring performance (How am I using the tool?) measure it
• 61. Measuring performance (How am I using the tool?) ■ Assessing tool performance: – Quality of data from vendor (SCA) – Time to perform scans – Coverage – Accuracy
• 62. Measuring performance (How am I using the tool?) ■ Assessing our performance: – Ability to fix compared to target – New and Fixed issues split out – Categories of issues to drive training – Issue recurrence
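The four measures on this slide all come from comparing one scan with the last. The block below is an added example (not from the talk, and not any tool's export format): it diffs two constructed scan results into new, fixed and persisting findings, flags a recurrence of a finding that had been closed in an earlier scan, computes the fix rate to hold against a target, and builds the CWE histogram that tells you what to train on. Findings are identified by rule, file and normalised code snippet rather than by line number, so code that merely moved is not counted as new; the record fields are assumed.

```python
"""Split one scan's results against the previous scan into new / fixed / persisting,
flag recurrences of findings that were fixed earlier, and count categories for
training. Added example with constructed findings; the record shape is assumed."""
from collections import Counter


def fingerprint(finding):
    """Stable identity for a finding: rule + file + whitespace-normalised snippet.
    Line numbers are deliberately excluded so that moved code is not 'new'."""
    return (finding["rule"], finding["file"], " ".join(finding["snippet"].split()))


# Constructed sample scans (assumed SAST-like record shape).
PREVIOUS_SCAN = [
    {"rule": "sql-injection", "cwe": "CWE-89", "file": "orders.py", "line": 40, "snippet": "cursor.execute(q + uid)"},
    {"rule": "hardcoded-secret", "cwe": "CWE-798", "file": "config.py", "line": 3, "snippet": "API_KEY = 'abc'"},
    {"rule": "weak-hash", "cwe": "CWE-328", "file": "auth.py", "line": 12, "snippet": "hashlib.md5(pw)"},
]
CURRENT_SCAN = [
    {"rule": "sql-injection", "cwe": "CWE-89", "file": "orders.py", "line": 58, "snippet": "cursor.execute(q  + uid)"},  # moved, still open
    {"rule": "weak-hash", "cwe": "CWE-328", "file": "auth.py", "line": 12, "snippet": "hashlib.md5(pw)"},
    {"rule": "path-traversal", "cwe": "CWE-22", "file": "files.py", "line": 9, "snippet": "open(base + name)"},  # new
    {"rule": "xss", "cwe": "CWE-79", "file": "views.py", "line": 21, "snippet": "return '<p>' + name"},  # fixed two scans ago, back again
]
# Fingerprints of findings closed in earlier scans (kept across runs to spot regressions).
FIXED_HISTORY = {("xss", "views.py", "return '<p>' + name")}


def diff_scans(previous, current, fixed_history=frozenset()):
    prev = {fingerprint(f): f for f in previous}
    curr = {fingerprint(f): f for f in current}
    new = [f for fp, f in curr.items() if fp not in prev]
    return {
        "new": new,
        "fixed": [f for fp, f in prev.items() if fp not in curr],
        "persisting": [f for fp, f in curr.items() if fp in prev],
        "recurred": [f for f in new if fingerprint(f) in fixed_history],
    }


def fix_rate(diff):
    """Share of last scan's findings that are now closed, to compare with a target."""
    closed, still_open = len(diff["fixed"]), len(diff["persisting"])
    return closed / (closed + still_open) if closed + still_open else 1.0


def categories(findings):
    """CWE histogram: the categories that keep appearing are the ones to train on."""
    return Counter(f["cwe"] for f in findings)


if __name__ == "__main__":
    d = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN, FIXED_HISTORY)
    for bucket, items in d.items():
        print(bucket, [f"{f['rule']}@{f['file']}:{f['line']}" for f in items])
    print("fix rate vs 50% target:", round(fix_rate(d), 2))
    print(categories(CURRENT_SCAN))
```

In the constructed data the SQL injection finding moved from line 40 to 58 and is correctly reported as persisting rather than as one fixed and one new issue; the fix rate of one in three is the number to put next to the target agreed with management.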
• 63. Everyone's invited (How am I using the tool?) Roles: Who will implement the process? Who will run/maintain the scan? Who will fix issues? Who will review and prioritize results?
• 64. Everyone's invited (How am I using the tool?) Roles: Who will implement the process? • Someone familiar with the tool/processes • Need management buy-in. Who will run/maintain the scan? • More like DevOps type of work • Focus on pipeline and automation. Who will fix issues? • Should be developer or architect • Ideally familiar with the system component. Who will review/prioritize results? • Someone with some AppSec understanding • Also needs to understand the codebase
• 65. Management buy-in (How am I using the tool?) ■ None of this will happen "bottom up" ■ People want to do their job, as set by management ■ Need buy-in to make this happen
• 66. Management buy-in (How am I using the tool?) ■ Need clear objectives with defined metrics ■ Verified on a periodic basis ■ Non-compliance triggers exception process ■ Exception must not become the norm (image: https://commons.wikimedia.org/wiki/File:Tape_measure_colored.jpeg)
  • 67. How am I fixing issues?
• 68. Phased rule-set (How am I fixing issues?) ■ Turning on all rules leads to too many findings ■ Don't want overwhelmed/upset developers... ■ Need a plan for gradually introducing rules.
• 69. Phased rule-set (How am I fixing issues?) ■ Which findings get you the best signal/noise ratio? ■ Which findings are highest risk: – Based on the tool's assessment – Based on your application's risk profile ■ Blend of: easy to fix and hard to fix
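A phased rule-set and the exception process from the management buy-in slides fit together in one small policy: a rule's phase is derived from its signal/noise ratio and from risk as rated both by the tool and by the application's own profile, findings from rules not yet in the active phase are reported but do not fail the build, and an exception is honoured only until its expiry date. The block is an added example with constructed rule attributes, findings and exception register; it is not part of the talk, and the precision/severity/app_risk fields are assumptions standing in for whatever your tool and risk register provide.

```python
"""Phased SAST rule-set with an expiring exception process. Added example; the rule
attributes, phase rules and finding records are constructed assumptions."""
from datetime import date

# Constructed rule catalogue. precision stands in for the rule's signal/noise ratio,
# severity is the tool's own rating, app_risk is this application's risk profile.
RULES = {
    "sql-injection":    {"precision": "high",   "severity": "high",   "app_risk": "high"},
    "hardcoded-secret": {"precision": "high",   "severity": "high",   "app_risk": "medium"},
    "path-traversal":   {"precision": "medium", "severity": "high",   "app_risk": "high"},
    "weak-hash":        {"precision": "high",   "severity": "medium", "app_risk": "low"},
    "open-redirect":    {"precision": "low",    "severity": "medium", "app_risk": "medium"},
}


def rule_phase(rule):
    """Phase in which a rule starts failing the build.
    1: high-signal rules that are high risk by the tool's or our own assessment
    2: remaining high/medium-signal rules   3: everything else (noisy rules last)."""
    r = RULES[rule]
    high_risk = "high" in (r["severity"], r["app_risk"])
    if r["precision"] == "high" and high_risk:
        return 1
    if r["precision"] in ("high", "medium"):
        return 2
    return 3


def fingerprint(finding):
    return (finding["rule"], finding["file"], finding["snippet"])


def decide(finding, active_phase, exceptions, today):
    """'block' fails the pipeline, 'report' only surfaces the finding,
    'excepted' honours an approved exception until its expiry date (ISO strings)."""
    if rule_phase(finding["rule"]) > active_phase:
        return "report"
    expiry = exceptions.get(fingerprint(finding))
    if expiry is not None and date.fromisoformat(today) <= date.fromisoformat(expiry):
        return "excepted"
    return "block"  # expired or missing exception: back to blocking


def triage(findings, active_phase, exceptions, today):
    return {f"{f['rule']}@{f['file']}": decide(f, active_phase, exceptions, today)
            for f in findings}


def exception_share(decisions):
    """Fraction of in-phase findings that are excepted rather than blocked.
    If this creeps up over time, the exception process has become the norm."""
    in_phase = [d for d in decisions.values() if d != "report"]
    return sum(d == "excepted" for d in in_phase) / len(in_phase) if in_phase else 0.0


# Constructed findings and exception register (fingerprint -> expiry date).
FINDINGS = [
    {"rule": "sql-injection",    "file": "orders.py", "snippet": "execute(q + uid)"},
    {"rule": "hardcoded-secret", "file": "config.py", "snippet": "API_KEY = 'abc'"},
    {"rule": "hardcoded-secret", "file": "legacy.py", "snippet": "TOKEN = 'xyz'"},
    {"rule": "path-traversal",   "file": "files.py",  "snippet": "open(base + name)"},
    {"rule": "open-redirect",    "file": "login.py",  "snippet": "redirect(next_url)"},
]
EXCEPTIONS = {
    ("hardcoded-secret", "config.py", "API_KEY = 'abc'"): "2023-12-31",  # approved, still valid
    ("hardcoded-secret", "legacy.py", "TOKEN = 'xyz'"):   "2023-01-31",  # lapsed
}

if __name__ == "__main__":
    for phase in (1, 2, 3):
        d = triage(FINDINGS, phase, EXCEPTIONS, "2023-07-01")
        print(f"phase {phase}: {d}  excepted share={exception_share(d):.2f}")
```

Moving from phase 1 to phase 2 is a one-line change of the active phase, which is the point: the rules themselves are all on from day one, so the findings are visible for review, but only the agreed phase fails the build. The lapsed exception on legacy.py reverts to blocking without anyone having to remember it.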
• 70. Strategic Remediation: Centralize functionality (How am I fixing issues?) ■ Potentially dangerous feature being used all over the app? ■ Centralize it to one place and wrap it ■ Findings only appear in one place ■ Controls only needed in one place… – …and this is the correct approach to begin with! (image: https://commons.wikimedia.org/wiki/File:Vintage_telephone_switchboard_(49467795397).jpg)
• 71. Strategic Remediation: Replacing functionality (How am I fixing issues?) ■ Swap existing, insecure functionality with a secure alternative? ■ For example: – Replace database text queries with an ORM – Replace built-in Authentication/Authorization with an external component – Move local secrets handling to a dedicated secrets management solution
• 72. Accidentally unexploitable (How am I fixing issues?) Data processing that unintentionally stops exploitation: ■ Data Validation – cast to numeric, low maximum length ■ Data Basketing – SAST tool confused between item elements (e.g. array) ■ Data Mangling – data being transformed, e.g. hashing. I ACCIDENTALLY YOUR EXPLOIT
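The "centralize and wrap" and "replace text queries" advice, and the "accidentally unexploitable" cast-to-numeric case, all show up in one small data-access layer. The following is an added example on Python's built-in sqlite3 with a constructed customers table; it is not code from the talk. Two legacy call sites build query text by concatenation: the first breaks on a legitimate name containing an apostrophe, the second is safe only because of an int() cast that the scanner cannot credit and that disappears the first time someone copies the pattern for a text column. The replacement is a single wrapper that binds values as parameters and allow-lists the one thing that cannot be parameterized, the column name, so the control and the finding both live in one place.

```python
"""Strategic remediation: move database access behind one wrapper so the control
(and the scanner finding) lives in one place. Added example on sqlite3 with a
constructed table; not code from the presentation."""
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers (name, email) VALUES (?, ?)",
                     [("Ada", "ada@example.test"), ("O'Brien", "obrien@example.test")])
    conn.commit()
    return conn


# BEFORE (1): query text concatenated at every call site. The tool flags each one,
# and a perfectly legitimate name containing a quote breaks the statement.
def find_by_name_legacy(conn, name):
    return conn.execute("SELECT id, name FROM customers WHERE name = '" + name + "'").fetchall()


# BEFORE (2): "accidentally unexploitable". The int() cast means only digits reach the
# query, so the concatenation cannot be abused, but the tool still reports it and the
# protection evaporates the moment someone removes the cast or reuses the pattern for text.
def find_by_id_legacy(conn, raw_id):
    cid = int(raw_id)
    return conn.execute("SELECT id, name FROM customers WHERE id = " + str(cid)).fetchall()


# AFTER: one centralized access function. Values are bound as parameters, and the only
# part that cannot be parameterized (the column name) is checked against an allow-list.
ALLOWED_COLUMNS = {"id", "name", "email"}


def find_customers(conn, column, value):
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column}")
    return conn.execute(f"SELECT id, name FROM customers WHERE {column} = ?", (value,)).fetchall()


def legacy_breaks_on(conn, name):
    """True if the concatenating version cannot even run for this input."""
    try:
        find_by_name_legacy(conn, name)
        return False
    except sqlite3.Error:
        return True


def column_rejected(conn, column):
    """True if the wrapper refuses the column name before touching the database."""
    try:
        find_customers(conn, column, 1)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    conn = setup_db()
    print("legacy survives O'Brien:", not legacy_breaks_on(conn, "O'Brien"))
    print("wrapper:", find_customers(conn, "name", "O'Brien"))
    print("by id via cast:", find_by_id_legacy(conn, "2"))
```

Once every call site goes through find_customers, the scanner has one function to assess rather than dozens of concatenations, and the int() cast in the old id lookup stops being the thing that keeps you safe.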
• 73. Summary. How does the tool work? • How can I get a scan? • Urgent issues • Usability/Interface • Steering the tool. How am I using the tool? • Measuring Performance • Everyone's invited • Management Buy-in. How am I fixing issues? • Phased rule-set • Strategic Remediation • Accidentally unexploitable
• 74. Want to hear more? (Summary) Course at Black Hat USA – 7th/8th August 2023 https://appsecg.host/bhreg
• 75. THANKS! Josh Grossman, Bounce Security: josh@bouncesecurity.com, https://JoshCGrossman.com, https://appsecg.host, @JoshCGrossman. KEY TAKEAWAYS: • Understand how a tool matches your needs • Customize to your processes • Take a methodical approach to triage and mitigation
  • 76. Long Term Cost Effectiveness Enterprise Application Security Naore Azenkut, CTO
  • 77. Agenda ● Story Time! ● New Threats ● Hidden Costs of Defence ● AI Driven Native Application Security ● Case Study ● Takeaways
• 79. Trusty Insurance ● Trusty Insurance - a growing agency ● Data being sold online ● Discovered a data leak: critical customer data ● Investigation
• 80. Trusty Insurance ● Possible sources: Outsider? Departing employee? Human error? ● Breach traced back to Avivit ● Sensitive stolen data on her PC ● Is Avivit going to jail?
• 81. Trusty Insurance ● SMS link (phishing) ● Attacker leveraged AI (LLM) to generate a convincing SMS ● Attacker gained full access to the Salesforce account ● Game over (:
• 82. Outcomes ● Loss of business to competitors and eroded customer trust ● Weeks between incident and discovery ● One user mistake -> huge company-wide impact ● Legacy application security approaches are ineffective and cost prohibitive
• 85. The O.M.G Cable ● Attacker remotely controls your PC ● Internal Bluetooth, WiFi ● Command execution and remote shell ● Keystroke injection, mouse injection, self destruct and much more ● Low cost and widely available https://shop.hak5.org/products/omg-cable
• 86. The Human Factor: Human error, Negligence, Malicious. Admin views sensitive data without consent; Departing employee exports sensitive data; Partner leaves an open door; Outsider accessing your account
• 87. Root Cause For Breaches? (Israel National Cyber Directorate, 2022) ● Attackers exploit legitimate users ● Sophisticated defence is resource intensive and business impacting
• 89. AI disruption in the Application Security Space. Emerging Paradigm: Native, Simple & Cost Effective; Automating Security & Customer Trust
• 90. Application Native Security. Definition: a security solution that runs natively at the application layer of the cloud provider, within the customer's control and context. Ideally, AI and rule engine included
  • 91. ● Solving for the human factor is hard ● Innovative emerging approaches enable huge cost savings ● Understanding user behaviour in the application context enables precise AI Anomaly detection & prevention ● Complements network and endpoint protection Application Native Security
  • 92. Case Study - Enterprise Financials
  • 93. Enterprising Financial inc. ● Large Financial Services Enterprise ● Heavy internal & external compliance ● Green field public cloud, Salesforce CRM deployment ● Full Customer 360 Data on cloud ● Complex IT landscape ● Lots of users and attack surface
• 94-96. Enterprising Financial inc. Understood the Risk (diagram slides: On Premise, VPN, ?)
• 98. Enterprising Financial inc. Classic: ● Inline / API Mode CASB ● Scaling issues ● Hundreds of monitoring APIs ● DIY prevention & incident playbook ● High implementation complexity ● Protecting devices and networks. Native Platform Security: ● Single monitoring API ● Scales with vendor ● Automated controlled prevention and playbook ● Protecting data at the application ● Low implementation complexity ● Deep user & application context and AI driven analysis
• 99. Enterprising Financial inc. Classic: Build > 1.2M$ / Yearly Cost > 200K$ ● 3-6 months to setup ● Consultants and implementation fees ● Hidden headcount cost ● High subscription fees ● Business challenge (Mobile, B2C) ● Slows business TTM ● High maintenance. Native Platform Security: Build < 15K$ / Yearly Cost ~ 20K$ ● 3-6 days to setup ● Organization independence ● Minimal ongoing internal effort ● Reduced subscription fees ● Business enabler (Mobile, B2C) ● Adapts to business TTM ● Very low maintenance
• 100. Key Takeaways. Cloud Application Security is… Attackers leverage AI, companies become more vulnerable to the human factor; traditionally resource intensive, high TCO, limited protection; Native Security & AI reduce TCO, TTM and secure data at the application level. Book a demo or connect with us with any question: Mike Partush, Co-Founder & CEO; Naore Azenkut, Co-Founder & CTO. Work with us: enforce.one
  • 101. Thank You! Questions? To be continued… https://www.linkedin.com/company/application-security-virtual-meetups