Outpost24 Template
2019
5 Steps to build a continuous Application Security Program
Data Classification: External
February 2022
Outpost24 Group leads to cyber risk reduction

Technology Assets
Where can attackers gain access and disrupt, extort, or steal?
• Applications – website, CMS, shopping carts
• Critical data – PII and cardholder data
• Cloud infrastructure – AWS, Azure, Docker
• Endpoints – desktop, laptop, smartphone
• Data center – data storage, backup, recovery
• User access – password and credential

Cyber Threats
Who are the attackers, who are they targeting, and what techniques do they use?
• Malware
• Ransomware kit
• Data breach
• Vulnerability exploits
• Phishing attempts
• Credential stuffing
• Cryptojacking

Outpost24 Group uniquely bridges these domains with continuous risk assessment:
• Security assessment of all technology assets
• Intelligence about threat actors and their methods of attack
• Combined into the most effective prescriptive actions that reduce business risk at the least cost
Why an Application Security program is important
What is an Application Security program
• More than just vulnerability scanning your applications every month
• Understanding
  • What you think you have deployed
  • What you really have deployed
  • What your overall application attack surface looks like
• Taking decisive action, applying a range of tools to reduce risk
• Creating a continuous feedback loop
5 steps to achieve an AppSec program
1. Continuous attack surface discovery
2. Using Penetration testing as a service over traditional Pen Testing
3. Risk based prioritization of discovered vulnerabilities
4. Retesting and verification of findings
5. Continuously repeat the process throughout the application lifecycle
1. Assess your Application attack surface
What makes up my Application attack surface
• What you know (your Ecommerce system)
• What you don’t know
  • IOT devices
  • Benefits
  • Marketing campaigns
  • Acquisitions
  • Other 3rd party sites (employee benefits)
• These make up your addressable application attack surface
How to identify your application attack surface
• Use OSINT techniques to discover potential weaknesses and entry points
  • R1: Gather information
  • R2: Determine the range (domain)
  • R3: Identify active web applications
  • R4: Discover open doors and entry points (7 vectors)
  • R5: Fingerprint the web app (score)
  • R6: Uncover components behind those doors (components detection)
  • R7: Map the apps (crawl)
Assess the Apps for possible risk
• Basic understanding of the web application
• Don’t need to understand DEVOPS or be an Appsec Guru
• Mostly what we would call ‘Basic security best practice’
Application Risk Score (ARS)

Application Name | Surface Score | Criticality: Availability | Criticality: Confidentiality | Criticality: Integrity | Update frequency | Appsec Program
demo1.com        | 20.45         | 2                         | 2                            | 2                      | 1                | 5
demo2.com        | 20.22         | 3                         | 2                            | 2                      | 2                | 9
An attack surface mapped
Which leads to informed choice of tools
• Make informed choices about tools, solutions and services
  • Critical applications: Continuous hybrid application testing
  • Less critical: DAST scanning + one time penetration test
• Identify IOT devices, turn off access or block with firewall
• Start to inform development decisions
  • SCA for 3rd party components
  • SAST or IAST for code improvements
• Build a continuous application security assessment program
2. Deploy PTaaS rather than traditional penetration testing
The hidden costs of an Application Pen Test
The quoted price is a day rate ($$); the hidden costs ($$$$ to $$$$$$) are:
• Go to tender
• Find your supplier
• Scope out the app
• Negotiate the contract
• Wait for the test to be completed
• Manually translate to actionable items
• Wait for remediation
What is Penetration testing as a service (PTaaS)
• Delivery of on demand penetration testing services through a portal
• Blends (or gives options to select) automated scanning with manual driven testing
• Can be singular (one time) or continuous assessment (year long)
• Can be both network infrastructure and / or Application security based
Penetration Testing as a Service - Benefits
• Speed of delivery: tests can be initiated within days, not weeks
• Collaboration: organisations can talk to the testing team through the portal for information on findings
• Validation of findings: through unlimited verification requests
• Reporting to meet your needs: reports can be delivered as and when you need them
• Better ROI: compared to traditional pen testing
3. Apply a risk-based remediation strategy
Why a risk-based approach to remediation
• Emphasis on what vulnerabilities are being exploited in the wild
• Remediate these first to reduce exploit risk
• Works well for CVE based vulnerabilities but less so for CWE only
• But, as you will see, they can be complex & time consuming
1. Adopt the MITRE CWE scoring model
• We can adopt the CWE scoring method to define risk
• But you'd have to do this manually beyond the top 40
• Can be a useful manual gauge for focused remediation
• Your AppSec tools need to allow CWE risk categorization
2. Use threat intelligence tactically
• Understand
  • What are threat actors doing?
  • How are they attacking?
  • What regions are they operating in?
  • What sectors are they targeting?
• Figure out
  • Does any of this apply to me?
3. Map your organization against MITRE ATT&CK
4. Combine for a unified view of risk
Driven by threat intelligence from multiple sources
5. Drill into your applications, assess risk, remediate
Working view for all app stacks in a single business area
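The ordering that steps 1 and 2 above (and the "why" slide before them) describe can be written down as a sort key: findings with a CVE that is being exploited in the wild first, then other CVEs by severity, then CWE-only findings by their CWE rank, which is exactly where the "less so for CWE only" caveat bites. This is an added example, not Outpost24 code: the exploited-in-the-wild set, the CWE ranks and the findings for demo1.com and demo2.com are constructed, and the CVE ids are placeholders.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    app: str
    title: str
    cvss: float
    cve: Optional[str] = None   # None for scanner or pen test findings that carry only a CWE
    cwe: Optional[str] = None

# Constructed feeds. In practice these come from your threat intelligence sources
# (what is being exploited in the wild) and from the MITRE CWE list.
EXPLOITED_IN_THE_WILD = {"CVE-0000-0001"}                  # placeholder id, not a real CVE
CWE_TOP_RANK = {"CWE-787": 1, "CWE-79": 2, "CWE-89": 3}    # constructed ranks, not the published list
TOP_N = 40   # beyond the top 40 the deck says CWE scoring has to be done manually

def risk_key(f):
    """Sort key, lower sorts first: exploited CVEs, then other CVEs by CVSS,
    then CWE-only findings by CWE rank (the 'less so for CWE only' caveat)."""
    if f.cve is not None:
        tier = 0 if f.cve in EXPLOITED_IN_THE_WILD else 1
        return (tier, 0, -f.cvss, f.app)
    rank = CWE_TOP_RANK.get(f.cwe, TOP_N + 1)
    return (2, rank, -f.cvss, f.app)

def prioritize(findings):
    return sorted(findings, key=risk_key)

def needs_manual_review(f):
    """CWE-only finding outside the ranked list: no feed can place it, so a person has to."""
    return f.cve is None and CWE_TOP_RANK.get(f.cwe, TOP_N + 1) > TOP_N

# Constructed sample findings for the two demo apps from the ARS table.
SAMPLE_FINDINGS = [
    Finding("demo1.com", "Reflected XSS in search", 6.1, cwe="CWE-79"),
    Finding("demo2.com", "Outdated image library", 9.8, cve="CVE-0000-0002", cwe="CWE-787"),
    Finding("demo1.com", "RCE in bundled component", 7.5, cve="CVE-0000-0001"),
    Finding("demo2.com", "Verbose error page", 5.0, cwe="CWE-209"),   # not in the constructed top list
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        flag = " (manual CWE review)" if needs_manual_review(f) else ""
        print(f"{f.app:10} {f.title}{flag}")
```

Note that the exploited CVE with CVSS 7.5 outranks the unexploited CVSS 9.8 one; that inversion of a pure severity sort is the point of the risk-based approach.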
4. Continuous retesting and verification to reduce Attack surface
Collaboration
• Key to really understanding issues and knowing if you’ve fixed them
• Are you able to message your tester at will to get answers?
• Do you feel you’re in a partnership with your testing company?
Verification
• Collaboration is important for verification
• Ability to ask your testers to check you’ve fixed the problem – verification
• Do this unlimited times throughout the subscription period
Retest, regularly
Retesting of the application allows you to understand:
• If things are being fixed organically across sprints
• Whether new vulnerabilities are being introduced
• Whether you're shrinking your attack surface
Having this as part of your service is critical to managing and reducing your attack surface.
5. Create a continuous loop throughout the application lifecycle
Adopt a continuous approach to application security
5 Steps to drive Application security
1. Continuous attack surface discovery
2. Using Penetration testing as a service over traditional Pen Testing
3. Risk based prioritization of discovered vulnerabilities
4. Retesting and verification of findings
5. Continuously repeat the process throughout the application lifecycle
Q&A

Outpost24 Webinar - Five steps to build a killer Application Security Program


Editor's Notes

  • #3 Provide examples of what the tech assets are. Start with this before NIST.
  • #15 Most security practitioners know about vulnerability assessment (looking for CVEs and misconfigured ports). But how does that change when you delegate some trust to your cloud provider? Most security practitioners know about penetration testing. But applications are being released faster, and continue to be the richest targets for data breaches. Where is your data stored, and who has access to it? Who are your users, and what systems and data do they have access to?