Join Us: https://www.linkedin.com/company/application-security-virtual-meetups
Why securing the Software Development Lifecycle fails at scale
Presented by: Liav Caspi
© Copyright 2024 Legit Security.
Something in AppSec is still missing
Here's some evidence
From the Gartner report, Mitigating Enterprise Software Supply Chain Risk.
From The State of Vulnerability Management in DevSecOps, September 2022.
61% of U.S. businesses were directly impacted by a software supply chain attack in the 12-month period ending in April 2023. Software supply chain attacks persist.
12 live secrets, on average, are submitted per 100 repositories every week. Secrets are a pervasive and critical threat.
66% of large orgs. have an average of 100,000 vulnerabilities in their backlog. Vulnerability overload hinders security.
And it’s getting tighter
Creation of NIST SP 800-218 and SSDF (Secure Software Development Framework).
CISA requires a signed attestation for every gov seller.
Executive order on securing supply chains.
SBOM is a requirement.
Most standards double down on software security: 3rd party governance, open source licenses, static analysis, threat modeling.
What changed? Long term trends:
Agile
Continuous Integration, Continuous Delivery
Cloud. Microservices. Containers. SaaS
Complete dependency on 3rd party software
Everything as code
AI and LLMs
Outcomes:
Developers make more decisions
Attack surface increased
Millions of vulnerabilities
Application build and composition too complex to handle manually
Attacks keep coming
What is a secure software-development-lifecycle?
Building secure software, making secure changes
Securing the software factory
Identifying and fixing security issues effectively
The way software is assembled, built and deployed is complex.
Introducing – a simple pipeline. Follow a single code change through it:
o No review required
o Server misconfigured
o Vulnerable open source
o SBOM required
o Deployment misconfigurations
o Vulnerable plugin accessible to cloud admin key
o Base image contains vulnerabilities
o Artifact storage has weak access controls
o Unprotected APIs
This is a “Highway to the Cloud” (AppSec Control Plane).
The REAL picture is much more complex, and has many attack vectors.
Why is it hard to build secure SDLC?
Visibility gap
o How is the application built?
o Many components and component classes
o 3rd party links
Knowledge gap
o Is there a ”checklist”?
o What tools are needed?
o What’s critical?
o Constant change
Too many findings
o Noise, lots of false positives
o Context missing
o Putting out fires instead of fixing the root cause
The tools are insecure
o Build systems are unprotected
o Secrets. Secrets everywhere
o Bad development hygiene can have catastrophic consequences
Example #1 – Secrets in code
A deleted secret is an honest mistake.
It won’t come up in code review.
It might stay in Git history forever (until found)…
Example #1 – Secrets in code docs
Example #2 – GitHub Actions pwned
1. Developer creates a pull request
2. Automated tests are triggered before any human reviews the code
3. Automated tests contain a flaw that allows the changes to run custom commands in a privileged pipeline context
4. Attacker can use the context to steal credentials, make any change to the GitHub org and clean up the change request
How many are aware of how to write a safe pipeline script?
Third party actions may make the org vulnerable regardless.
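A defender-side check for the flaw class in step 3, added here as an example that is not from the talk: a deliberately line-based scan (not a full YAML parser) of a GitHub Actions workflow for the well-known risky combination of a privileged trigger such as pull_request_target, a checkout of the pull request's own head commit, and a later run step. The sample workflows, the trigger list and the step-splitting heuristic are this example's assumptions.

```python
from __future__ import annotations
import itertools
import re

# Events whose jobs get a write-capable GITHUB_TOKEN and repository secrets
# even for a fork PR (assumption of this example; pull_request_target is the classic case).
PRIVILEGED_TRIGGERS = {"pull_request_target", "workflow_run", "issue_comment"}
# Expressions that point actions/checkout at the pull request's own commit.
UNTRUSTED_REF_RE = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
# Every '- key:' list item starts a chunk; inside 'steps:' that is one step.
STEP_START_RE = re.compile(r"^\s*-\s+\w+:")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def triggers_of(lines: list[str]) -> set[str]:
    """Event names under top-level 'on:', inline ('on: [a, b]') or nested."""
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).split("#")[0].strip()
        if inline:
            return set(re.findall(r"[a-z_]+", inline))
        # The nested block ends at the next unindented (top-level) key.
        block = [b for b in itertools.takewhile(
            lambda s: not s.strip() or _indent(s) > 0, lines[i + 1:]) if b.strip()]
        if not block:
            return set()
        level = min(_indent(b) for b in block)  # deeper lines are event options
        return {b.strip()[:-1] for b in block
                if _indent(b) == level and b.strip().endswith(":")}
    return set()


def split_steps(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Chunk the file at every '- key:' line into (line_number, lines)."""
    chunks, current, start = [], [], 0
    for num, line in enumerate(lines, 1):
        if STEP_START_RE.match(line):
            if current:
                chunks.append((start, current))
            current, start = [line], num
        elif current:
            current.append(line)
    if current:
        chunks.append((start, current))
    return chunks


def find_risky_steps(workflow_text: str) -> list[dict]:
    """Flag a checkout of the PR's own commit in a privileged workflow, and
    every later step that runs commands inside that checked-out tree."""
    lines = workflow_text.splitlines()
    privileged = triggers_of(lines) & PRIVILEGED_TRIGGERS
    if not privileged:
        return []   # a fork PR under plain pull_request gets no secrets anyway
    findings, checkout_line = [], None
    for start, step in split_steps(lines):
        body = "\n".join(step)
        if "actions/checkout" in body and UNTRUSTED_REF_RE.search(body):
            checkout_line = start
            findings.append({"kind": "untrusted-checkout", "line": start,
                             "trigger": sorted(privileged)})
        elif checkout_line and re.search(r"^\s*(-\s+)?run:", body, re.M):
            # Scripts and package-manager hooks now come from the PR author.
            findings.append({"kind": "run-after-untrusted-checkout",
                             "line": start, "checkout_line": checkout_line})
    return findings


# Constructed sample workflows (not real project files).
RISKY = """\
name: PR tests
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Install and test
        run: npm ci && npm test
"""
# Same job under plain pull_request: fork PRs get a read-only token, no secrets.
SAFE_PR = RISKY.replace("pull_request_target:", "pull_request:")
# pull_request_target is fine when the job only touches the trusted base
# branch and never checks out or runs the pull request's code.
SAFE_TARGET = """\
name: Label PR
on: [pull_request_target]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/label.sh "${{ github.event.pull_request.number }}"
"""
```

Running find_risky_steps over each workflow file in .github/workflows gives the review question on the slide a concrete answer per repository.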
Example #3 – Secure your artifacts
30% of internet facing private artifact registries expose a high and above CVE.
9% expose secrets and internal technical data.
Thank you!
Questions?
The Real AppSec Issues
Josh Grossman, CTO, Bounce Security
March 2024
Josh Grossman
■ Over 15 years of IT and Application Security, IT Risk and development experience
■ CTO for Bounce Security, value-driven Application Security support
■ Consulting and training for clients internationally and locally
■ Contact:
– @JoshCGrossman
– josh@bouncesecurity.com
– https://joshcgrossman.com/
– https://github.com/tghosth
■ OWASP Israel Chapter Board
■ Co-leader of the OWASP ASVS Project
■ Major Contributor to the OWASP Top Ten Proactive Controls project
■ Contributor to:
– OWASP Top 10 Risks
– OWASP JuiceShop
AppSec in real breaches
Verizon 2023 Data Breach Investigations Report
https://verizon.com/dbir/
---[ Phrack Magazine Volume 8, Issue 54 Dec 25th, 1998, article 08 of 12
https://owasp.org/Top10/
Who are you?
The real issues
■ Not your standard OWASP top 10
– A different “top 10”, or rather “top 6” (6 issues is enough!)
■ Observed from real organizations and people
■ Food for thought
1) Security is the developer’s job?
■ Not taught at university, boot camps, online tutorials.
■ Rarely incentivized or measured on this
■ Performance, UX, etc. are at least 2nd class citizens...
– ...security usually isn’t.
■ Can’t secure from the sidelines
1) Security is the developer’s job?
My advice:
■ Security = a software characteristic
■ Need buy-in from R&D management – “Shift up”*
■ Interactive/interesting training
■ Security champions program
– Starting?
– Sustaining?
* Heard this from Francesco Cipollone @FrankSEC42
2) What is OWASP?
■ Many developers are not familiar
■ OWASP can bring:
– Comprehensive requirements for security
– Networking and knowledge sharing
– Interactive developer training (members)
2) What is OWASP?
■ Questions:
– Can you name an OWASP project (not the top 10)?
– Have you been to an OWASP meetup/conference?
– Who has devs who go to OWASP meetups or conferences? (more important)
2) What is OWASP?
My advice:
■ Encourage R&D to be involved
■ Avoid “reinventing the wheel”
■ Build familiarity and find what works for them
– Tools like ZAP, Dependency-(Track|Check)
– Documents like ASVS, Cheat sheets
– Get involved in the Slack channel
3) Tool fatigue
■ Software security = SAST/DAST/SCA/etc?
■ Software security ≠ SAST/DAST/SCA/etc
■ Problems
– Noisy, poorly configured tools
– Poorly aligned metrics
– Massive finding backlogs
■ Software security = Frustration with security tools
3) Tool Fatigue
My advice:
■ Cannot really be summarized in 3 bullets…
– Tools should support a goal
– Get clear management buy-in
– Gradual approach to findings (expectations)
■ Get the benefit by treating as a process
Penetration testing is like….
4) Pen testing is low value
■ Hard to judge quality of tester
■ Why are there:
– no findings?
– too many findings!
■ Findings not aimed at developers
■ Highlighted by Haroon Meer at 44CON 2012: “Penetration Testing Considered Harmful” (Market for Lemons)
4) Pen testing is low value
My advice:
■ Get details of the tester's experience
■ See an example report
■ Testing based on a standard (e.g. ASVS)
■ Bug Bounty company better for high-risk issues?
– Specifically, as a penetration test!
https://appsecg.host/pentest
5) Integrating security early
■ "Shifting left" (should be "spread left")
■ Hard to create consistent process for:
– Security requirements
– Design security
– Threat modelling
■ Starting is easyish, continuing is hard
5) Integrating security early
My advice:
■ Consistent set of requirements
■ Customize based on feature characteristics
■ Tailored, developer led processes
■ Lightweight threat modelling
6) Security as project management
■ How much time is spent on tasks requiring security knowledge?
– Chasing metrics?
– Monitoring progress?
– Building project plans?
6) Security as project management
My advice:
■ R&D take responsibility for metrics
■ Security project manager / operations specialist
■ Make it clear to management where security expert time is going
■ Security can focus on guiding and improving
Summary of issues
1. Security is the developer’s job?
2. What is OWASP?
3. Tool fatigue
4. Pen testing is low value
5. Integrating security early
6. Security as project management
Want to hear more?
Building a High-Value AppSec Scanning Programme
https://appsecg.host/lisreg
Accelerated AppSec – Hacking your Product Security Programme for Velocity and Value (Virtual)
https://appsecg.host/bhreg
Key takeaways
■ Strategic and collaborative approach
■ Software security is software quality
■ Meet developers where they are
■ Tools should support a wider process
THANKS FOR LISTENING!
Josh Grossman
Bounce Security
josh@bouncesecurity.com
https://JoshCGrossman.com
@JoshCGrossman
Questions?
“When AppSec Met IR”
Vitaly Davidoff
CISSP, CSSLP
Agenda
1. What is IR?
2. Why appsec team?
3. End 2 End Process (Roles and Responsibilities)
4. PPT (Processes, People, Technologies)
5. Example
6. Summary
Incident Response Overview
Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack. The goal of an Incident Response plan or procedure is to handle the situation in a way that limits damage and reduces recovery time and costs.
Critical CVE In Production - An Incident?
Why Application Security Team?
1. Software Security - special knowledge
2. What if we are not affected?
3. Research for attack path (scan for vulnerabilities)
4. Save money, time and effort
5. Response to Customers (Justification)
6. Remediation options and fix verification
Where AppSec team will help
Response: Provide technical advisory justification for customers. Research attack breadcrumbs inside logs, publish CVE. Discuss holistic solution for specific issues.
Research: Understand vulnerability details, create attack simulation. Explain attack vector to appropriate stakeholders. Communicate with external researchers/customers to obtain more details. Work with R&D teams to verify issue applicability.
Recovery: Provide technical suggestions and guidelines for remediation. Work with R&D and DevOps/Operations teams to provide workarounds (temporary mitigations) if needed. Verify mitigation code (code review, test security fix).
Documents and Communications
Security Champions
Security Tools
https://jfrog.com/help/r/jfrog-security-documentation/vulnerability-contextual-analysis
Example
Conclusion
1. Critical zero-day CVEs - should be part of IR
2. AppSec team can save you money and effort
3. Security champions - your best friends
4. Use security tools if possible
5. Response to Customers - AppSec team responsibility to provide a justification
Thank You
Questions?
The ASPM Way
A new approach
Presented by: Liav Caspi
What is ASPM?
A new class of solutions and technology to help manage appsec efficiently and at scale.
It is based on the following principles: complete visibility, secure the environment, contextual prioritization, collaboration & automation.
Visibility
Repositories, tech stack
Developers, permissions
Tools, systems, plugins
3rd party / open source dependencies
Artifacts
Secret management
LLM / AI BoM
More…
What do we get from extreme visibility?
Respond to an event – vulnerable Jenkins plugin, Log4Shell
Find critically insecure configurations
Plan what we need?
Risk management
Risk chart: the risk you remove (stuff we fix) against the risk you add (problems we create).
Fix more, and add no more new risk. You must do it simultaneously.
DevSecOps guardrails
Secure infrastructure
Developer awareness
Automated remediation
How ASPM helps #1 – contextual prioritization
Find smarter ways to prioritize:
Root causes
Bulk operations
Exploitability / reachability
How ASPM helps #2 – DevSecOps Guardrails
o A guardrail catches vulnerabilities before they reach runtime
o It doesn’t have to be blocking
o Reduces load from security teams
How ASPM helps #3 – Git configuration security
Review required
MFA enforced for all developers
Only verified actions
Workflows can’t approve themselves
And dozens more…
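The four guardrails above turned into checks, as an added example rather than Legit's own tooling: each function takes one settings object whose key names are modelled on the GitHub REST API objects for an organization, a branch-protection rule, organization Actions permissions and repository workflow permissions (an assumption of this example; the two snapshots are constructed inline, so nothing calls the API), and what counts as a pass is this example's choice.

```python
from __future__ import annotations

# Constructed settings snapshots. Key names follow the GitHub REST API objects
# for an org, a branch-protection rule, org Actions permissions and repository
# workflow permissions (assumption of this example; no API call is made).
WEAK = {
    "org": {"login": "example-org", "two_factor_requirement_enabled": False},
    "branch_protection": None,                  # default branch unprotected
    "actions_permissions": {"allowed_actions": "all"},
    "workflow_permissions": {"default_workflow_permissions": "write",
                             "can_approve_pull_request_reviews": True},
}
HARDENED = {
    "org": {"login": "example-org", "two_factor_requirement_enabled": True},
    "branch_protection": {"required_pull_request_reviews": {
        "required_approving_review_count": 1, "dismiss_stale_reviews": True}},
    "actions_permissions": {
        "allowed_actions": "selected",
        "selected_actions": {"github_owned_allowed": True,
                             "verified_allowed": True,
                             "patterns_allowed": ["example-org/*"]},
    },
    "workflow_permissions": {"default_workflow_permissions": "read",
                             "can_approve_pull_request_reviews": False},
}


def check_review_required(protection: dict | None) -> str | None:
    """Review required: a PR needs at least one approval, and pushing new
    commits must not keep an approval that was given for older code."""
    if not protection:
        return "default branch has no branch protection"
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        return "pull requests can be merged without an approving review"
    if not reviews.get("dismiss_stale_reviews"):
        return "approvals survive later pushes (stale reviews not dismissed)"
    return None


def check_mfa(org: dict) -> str | None:
    """MFA enforced for all developers: the org-level 2FA requirement."""
    if not org.get("two_factor_requirement_enabled"):
        return "two-factor authentication is not required for org members"
    return None


def check_verified_actions(actions: dict) -> str | None:
    """Only verified actions: an explicit allow-list, with no wildcard that
    would readmit arbitrary third-party actions through the back door."""
    if actions.get("allowed_actions") != "selected":
        return f"any third-party action may run (allowed_actions={actions.get('allowed_actions')})"
    patterns = actions.get("selected_actions", {}).get("patterns_allowed", [])
    wild = [p for p in patterns if p.startswith("*")]
    if wild:
        return f"allow-list contains wildcard pattern(s): {wild}"
    return None


def check_workflow_self_approval(workflow: dict) -> str | None:
    """Workflows can't approve themselves: the token a workflow runs with
    must not be able to approve PRs, and should be read-only by default."""
    if workflow.get("can_approve_pull_request_reviews"):
        return "GITHUB_TOKEN may approve pull requests"
    if workflow.get("default_workflow_permissions") != "read":
        return "GITHUB_TOKEN defaults to write permissions"
    return None


def evaluate(snapshot: dict) -> dict[str, str | None]:
    """Map each guardrail to None (pass) or the reason it fails."""
    return {
        "review_required": check_review_required(snapshot.get("branch_protection")),
        "mfa_enforced": check_mfa(snapshot["org"]),
        "only_verified_actions": check_verified_actions(snapshot["actions_permissions"]),
        "workflows_cannot_self_approve":
            check_workflow_self_approval(snapshot["workflow_permissions"]),
    }


def failing_guardrails(snapshot: dict) -> list[str]:
    """Names of the guardrails the snapshot violates, sorted for stable output."""
    return sorted(name for name, reason in evaluate(snapshot).items() if reason)


if __name__ == "__main__":
    for label, snap in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        for name, reason in evaluate(snap).items():
            print(f"{label:8} {name:30} {'PASS' if reason is None else reason}")
```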
Getting started
Consolidate an inventory and map the attack surface.
ASPM tools are available to generate gap reports.
Configuration scanners – you can start for free (see Legitify).
Start small: introduce security scanners. Don’t forget data.
See how we help enterprises optimize their AppSec: legitsecurity.com
Thank you!
Questions?
To be continued…
https://www.linkedin.com/company/application-security-virtual-meetups

Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021
 

Kürzlich hochgeladen

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Kürzlich hochgeladen (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 

Reveal the Security Risks in the software Development Lifecycle Meetup 06032024.pptx

  • 2. Why securing the Software Development Lifecycle fails at scale PRESENTED BY: Liav Caspi © Copyright 2024 Legit Security.
  • 3. Something in AppSec is still missing. Here's some evidence. Software supply chain attacks persist: 61% of U.S. businesses were directly impacted by a software supply chain attack in the 12-month period ending in April 2023. Secrets are a pervasive and critical threat: 12 live secrets are submitted per 100 repositories every week, on average. Vulnerability overload hinders security: 66% of large orgs. have an average of 100,000 vulnerabilities in their backlog. Sources: the Gartner report, Mitigating Enterprise Software Supply Chain Risk, and The State of Vulnerability Management in DevSecOps, September 2022 (Link).
  • 4. And it's getting tighter. Executive order on securing supply chains: creation of NIST SP 800-218 and SSDF (Secure Software Development Framework); CISA requires a signed attestation for every government seller. SBOM is a requirement. Most standards double down on software security: 3rd party governance, open source licenses, static analysis, threat modeling.
  • 6. What changed? Long term trends: Agile; Continuous Integration, Continuous Delivery; Cloud, Microservices, Containers, SaaS; Complete dependency on 3rd party software; Everything as code; AI and LLMs. Outcomes: Developers make more decisions; Attack surface increased; Millions of vulnerabilities; Application build and composition too complex to handle manually.
  • 7. Attacks keep coming
  • 8. Confidential and What is a secure software development lifecycle? Building secure software, making secure changes. Securing the software factory. Identifying and fixing security issues effectively.
  • 9. The way software is assembled, built and deployed is complex. Introducing – a simple pipeline. A single code change: No review required. Server misconfigured. This is a "Highway to the Cloud". AppSec Control Plane.
  • 10. Introducing – the Pipeline. A single code change: Vulnerable open source. SBOM required.
  • 11. Introducing – the Pipeline. A single code change: Deployment misconfigurations.
  • 12. Introducing – the Pipeline. Vulnerable plugin accessible to cloud admin key.
  • 13. Introducing – the Pipeline. Base image contains vulnerabilities. Artifact storage has weak access controls. Unprotected APIs.
  • 14. The REAL picture is much more complex, and has many attack vectors.
  • 15. Why is it hard to build a secure SDLC? Visibility gap: o How is the application built? o Many components and component classes o 3rd party links. Knowledge gap: o Is there a "checklist"? o What tools are needed? What's critical? o Constant change. Too many findings: o Noise, lots of false positives o Context missing o Putting out fires instead of fixing the root cause. The tools are insecure: o Build systems are unprotected o Secrets. Secrets everywhere o Bad development hygiene can have catastrophic consequences.
  • 16. Example #1 – Secrets in code. A deleted secret is an honest mistake. It won't come up in code review. It might stay in Git history forever (until found)…
  • 17. Example #1 – Secrets in code docs
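As an added example (not code from the presentation), the scanner below shows why a deleted secret is still a live problem: it walks `git log -p` output and applies two constructed detection rules to added and removed lines alike, so the credential surfaces both at the commit that introduced it and at the commit that "removed" it. The history is constructed inline, and the two key values are the placeholder credentials AWS uses in its own documentation, not real ones.

```python
"""Scan `git log -p` output for secrets, including ones that were later deleted.

Added example, not code from the presentation: a deleted secret is only gone
from the working tree; the commits that added and removed it stay in history,
so '+' and '-' lines are inspected alike.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Two constructed detection rules (real scanners ship hundreds).
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A key-like name, '=' or ':', then a quoted value of 16+ non-space characters.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:secret|password|passwd|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.0  # bits per char; placeholders like "changeme_changeme" fall below it


@dataclass(frozen=True)
class Finding:
    commit: str    # commit that added or removed the line
    path: str
    change: str    # "added" or "removed"
    rule: str
    redacted: str  # first four characters only; never log the whole secret


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random tokens score well above 3."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def parse_git_log(text: str):
    """Yield (commit, path, change, content) for each +/- line of `git log -p`."""
    commit = path = None
    for line in text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ b/"):
            path = line[len("+++ b/"):]
        elif line.startswith(("--- ", "+++ ")):
            continue  # diff file headers, not content
        elif line.startswith("+"):
            yield commit, path, "added", line[1:]
        elif line.startswith("-"):
            yield commit, path, "removed", line[1:]


def scan_history(text: str) -> list:
    """Return a Finding for every secret-looking value that ever entered the history."""
    findings = []
    for commit, path, change, content in parse_git_log(text):
        m = AWS_ACCESS_KEY_ID.search(content)
        if m:
            findings.append(Finding(commit, path, change, "aws-access-key-id", m.group(0)[:4] + "..."))
        m = GENERIC_ASSIGNMENT.search(content)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(commit, path, change, "high-entropy-assignment", m.group(1)[:4] + "..."))
    return findings


# Constructed history: commit 1 leaks credentials, commit 2 "removes" them.
# The key values are the placeholder credentials from AWS's own documentation.
SAMPLE_GIT_LOG = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.com>

    add s3 uploader

diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,5 @@
 LOG_LEVEL = "info"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "changeme_changeme"
 BUCKET = "uploads"
commit 2222222222222222222222222222222222222222
Author: dev <dev@example.com>

    move credentials to the environment

diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,5 +1,6 @@
+import os
 LOG_LEVEL = "info"
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
 DB_PASSWORD = "changeme_changeme"
 BUCKET = "uploads"
"""

if __name__ == "__main__":
    for f in scan_history(SAMPLE_GIT_LOG):
        print(f"{f.commit[:7]} {f.change:7} {f.path}: {f.rule} ({f.redacted})")
```

Running it lists four findings: both keys at the commit that added them and again at the commit that removed them, while the low-entropy `changeme_changeme` placeholder is ignored. The fix for a real hit is rotation of the credential, not a history rewrite, since clones and forks keep the old commits.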
  • 18. Example #2 – GitHub Actions pwned. 1. Developer creates a pull request. 2. Automated tests are triggered before any human reviews the code. 3. Automated tests contain a flaw that allows the changes to run custom commands in a privileged pipeline context. 4. Attacker can use the context to steal credentials, make any change to the GitHub org and clean up the change request. Further reading. How many are aware of how to write a safe pipeline script? Third party actions may make the org vulnerable regardless.
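The four steps above describe a workflow that runs with the base repository's token and secrets while executing code and input taken from an unreviewed pull request. As an added example, not from the presenter or from GitHub, here is a small audit that flags that pattern in a workflow definition, together with two related weaknesses: pull-request fields interpolated straight into `run:` scripts, and third-party actions not pinned to a commit SHA. Both workflows are constructed and represented as Python dicts (the shape PyYAML's `safe_load` produces from the YAML file); the string of forty `a` characters stands in for a real commit SHA.

```python
"""Audit a GitHub Actions workflow for the privileged pull-request pattern.

Added example, not code from the presentation or from GitHub. The input is
the workflow as a dict, i.e. what yaml.safe_load() returns for a
.github/workflows/*.yml file; the two workflows below are constructed.
"""
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Checking out the PR head under pull_request_target runs untrusted code with
# the base repository's token and secrets.
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
# PR-controlled fields that must not be interpolated straight into a shell script.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*github\.event\.(?:pull_request\.(?:title|body|head\.ref)"
    r"|issue\.(?:title|body)|comment\.body)"
)
FIRST_PARTY = ("actions/", "github/", "./")  # exempt from the SHA-pinning rule


def _triggers(workflow: dict) -> set:
    # PyYAML reads a bare `on:` key as the boolean True, so accept both spellings.
    on = workflow.get("on", workflow.get(True, {}))
    return {on} if isinstance(on, str) else set(on)


def audit_workflow(workflow: dict) -> list:
    """Return (rule, job, step_index) tuples; an empty list means no findings."""
    findings = []
    jobs = workflow.get("jobs", {})
    privileged = "pull_request_target" in _triggers(workflow)

    top = workflow.get("permissions")
    if top == "write-all" or (top is None and not all("permissions" in j for j in jobs.values())):
        findings.append(("token-permissions-not-least-privilege", None, None))

    for job_name, job in jobs.items():
        for idx, step in enumerate(job.get("steps", [])):
            uses = step.get("uses", "")
            if uses:
                name, _, version = uses.partition("@")
                if not name.startswith(FIRST_PARTY) and not FULL_SHA.match(version):
                    findings.append(("third-party-action-not-sha-pinned", job_name, idx))
                ref = str(step.get("with", {}).get("ref", ""))
                if privileged and name == "actions/checkout" and PR_HEAD_REF.search(ref):
                    findings.append(("untrusted-checkout-in-privileged-context", job_name, idx))
            if UNTRUSTED_EXPR.search(step.get("run") or ""):
                findings.append(("untrusted-input-in-run-script", job_name, idx))
    return findings


# Constructed: the weak workflow reproduces the chain from the slide.
WEAK_WORKFLOW = {
    "name": "tests",
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {
        "test": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4",
                 "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
                {"uses": "some-vendor/setup-tool@v2"},
                {"run": 'echo "Testing ${{ github.event.pull_request.title }}" && make test'},
            ],
        }
    },
}

# Constructed hardened form: unprivileged trigger, read-only token, action pinned
# to a commit SHA (the 40 a's are a placeholder), PR title passed via env only.
HARDENED_WORKFLOW = {
    "name": "tests",
    "on": {"pull_request": {}},
    "permissions": {"contents": "read"},
    "jobs": {
        "test": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"uses": "some-vendor/setup-tool@" + "a" * 40},
                {"run": 'echo "Testing $PR_TITLE" && make test',
                 "env": {"PR_TITLE": "${{ github.event.pull_request.title }}"}},
            ],
        }
    },
}

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf) or "no findings")
```

The hardened variant keeps the same test logic but runs it under the unprivileged `pull_request` event, declares a read-only token, pins the third-party action and passes the PR title through an environment variable instead of the script text; the audit reports nothing for it.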
  • 19. Example #3 – Secure your artifacts. 30% of internet-facing private artifact registries expose a CVE rated high or above; 9% expose secrets and internal technical data.
  • 20. Thank you! Questions?
  • 21. THE REAL APPSEC ISSUES. JOSH GROSSMAN, CTO, BOUNCE SECURITY. March 2024
  • 22. Josh Grossman ■ Over 15 years of IT and Application Security, IT Risk and development experience ■ CTO for Bounce Security, value-driven Application Security support ■ Consulting and training for clients internationally and locally ■ Contact: – @JoshCGrossman – josh@bouncesecurity.com – https://joshcgrossman.com/ – https://github.com/tghosth ■ OWASP Israel Chapter Board ■ Co-leader of the OWASP ASVS Project ■ Major Contributor to the OWASP Top Ten Proactive Controls project ■ Contributor to: – OWASP Top 10 Risks – OWASP JuiceShop. The Real AppSec Issues @JoshCGrossman
  • 23. AppSec in real breaches. Verizon 2023 Data Breach Investigations Report https://verizon.com/dbir/
  • 24. ---[ Phrack Magazine Volume 8, Issue 54 Dec 25th, 1998, article 08 of 12
  • 25. https://owasp.org/Top10/
  • 26. Who are you?
  • 27. The real issues ■ Not your standard OWASP top 10 – A different "top 10" ■ Observed from real organizations and people ■ Food for thought
  • 28. The real issues ■ Not your standard OWASP top 10 – A different "top 6" (6 issues is enough!) ■ Observed from real organizations and people ■ Food for thought
  • 30. 1) Security is the developer's job? ■ Not taught at university, boot camps, online tutorials. ■ Rarely incentivized or measured on this ■ Performance, UX, etc., are at least 2nd class citizens... – ...security usually isn't. ■ Can't secure from the sidelines
  • 31. 1) Security is the developer's job? My advice: ■ Security = a software characteristic ■ Need buy-in from R&D management – "Shift up"* ■ Interactive/interesting training ■ Security champions program – Starting? – Sustaining? * Heard this from Francesco Cipollone @FrankSEC42
  • 33. 2) What is OWASP? ■ Many developers are not familiar ■ OWASP can bring: – Comprehensive requirements for security – Networking and knowledge sharing – Interactive developer training (members)
  • 34. 2) What is OWASP? ■ Questions: – Can you name an OWASP project (not the top 10)? – Have you been to an OWASP meetup/conference?
  • 35. 2) What is OWASP? ■ Questions: – Can you name an OWASP project (not the top 10)? – Have you been to an OWASP meetup/conference? – Who has devs who go to OWASP meetups or conferences? (more important)
  • 36. 2) What is OWASP? My advice: ■ Encourage R&D to be involved ■ Avoid "reinventing the wheel" ■ Build familiarity and find what works for them – Tools like ZAP, Dependency-(Track|Check) – Documents like ASVS, Cheat sheets – Get involved in the Slack channel
  • 37. 3) Tool fatigue ■ Software security = SAST/DAST/SCA/etc?
  • 38. 3) Tool fatigue ■ Software security ≠ SAST/DAST/SCA/etc ■ Problems – Noisy, poorly configured tools – Poorly aligned metrics – Massive finding backlogs
  • 39. 3) Tool fatigue ■ Software security ≠ SAST/DAST/SCA/etc ■ Problems – Noisy, poorly configured tools – Poorly aligned metrics – Massive finding backlogs ■ Software security = Frustration with security tools
  • 40. 3) Tool fatigue. My advice: ■ Cannot really be summarized in 3 bullets… – Tools should support a goal – Get clear management buy-in – Gradual approach to findings (expectations) ■ Get the benefit by treating it as a process
  • 41. Penetration testing is like…
  • 42. 4) Pen testing is low value ■ Hard to judge the quality of the tester ■ Why are there: – no findings? – too many findings! ■ Findings not aimed at developers ■ Highlighted by Haroon Meer at 44CON 2012: "Penetration Testing Considered Harmful" (Market for Lemons)
  • 43. 4) Pen testing is low value. My advice: ■ Get details of the tester's experience ■ See an example report ■ Testing based on a standard (e.g. ASVS) ■ Bug Bounty company better for high-risk issues? – Specifically, as a penetration test! https://appsecg.host/pentest
  • 44. 5) Integrating security early ■ "Shifting left" (should be "spread left") ■ Hard to create a consistent process for: – Security requirements – Design security – Threat modelling ■ Starting is easyish, continuing is hard
  • 45. 5) Integrating security early. My advice: ■ Consistent set of requirements ■ Customize based on feature characteristics ■ Tailored, developer-led processes ■ Lightweight threat modelling
  • 46. 6) Security as project management ■ How much time is spent on tasks requiring security knowledge? – Chasing metrics? – Monitoring progress? – Building project plans?
  • 47. 6) Security as project management. My advice: ■ R&D take responsibility for metrics ■ Security project manager / operations specialist ■ Make it clear to management where security expert time is going ■ Security can focus on guiding and improving
  • 48. Summary of issues 1. Security is the developer's job? 2. What is OWASP? 3. Tool fatigue 4. Pen testing is low value 5. Integrating security early 6. Security as project management
  • 49. Want to hear more? Building a High-Value AppSec Scanning Programme https://appsecg.host/lisreg Accelerated AppSec – Hacking your Product Security Programme for Velocity and Value (Virtual) https://appsecg.host/bhreg
  • 50. Key takeaways
  • 51. Key takeaways ■ Strategic and collaborative approach ■ Software security is software quality ■ Meet developers where they are ■ Tools should support a wider process
  • 52. THANKS FOR LISTENING! Josh Grossman, Bounce Security, josh@bouncesecurity.com, https://JoshCGrossman.com, @JoshCGrossman • Strategic and collaborative approach • Software security is software quality • Meet developers where they are • Tools should support a wider process. Questions?
  • 53. "When AppSec Met IR" – Vitaly Davidoff, CISSP, CSSLP
  • 54. Agenda 1. What is IR? 2. Why AppSec team? 3. End-to-end process (roles and responsibilities) 4. PPT (Processes, People, Technologies) 5. Example 6. Summary
  • 55. Incident Response Overview. Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack. The goal of an Incident Response plan or procedure is to handle the situation in a way that limits damage and reduces recovery time and costs.
  • 57. Critical CVE In Production - An Incident?
  • 58. Why Application Security Team? 1. Software security - special knowledge 2. What if we are not affected? 3. Research the attack path (scan for vulnerabilities) 4. Save money, time and effort 5. Response to customers (justification) 6. Remediation options and fix verification
  • 59. Where the AppSec team will help. Response: Provide technical advisory justification for customers. Research attack breadcrumbs in logs, publish the CVE. Discuss a holistic solution for specific issues. Research: Understand vulnerability details, create an attack simulation. Explain the attack vector to appropriate stakeholders. Communicate with external researchers/customers to obtain more details. Work with R&D teams to verify issue applicability. Recovery: Provide technical suggestions and guidelines for remediation. Work with R&D and DevOps/Operations teams to provide workarounds (temporary mitigations) if needed. Verify mitigation code (code review, test security fix).
  • 64. Conclusion 1. Critical zero-day CVEs - should be part of IR 2. AppSec team can save you money and effort 3. Security champions - your best friends 4. Use security tools if possible 5. Response to customers - AppSec team responsibility to provide a justification
  • 66. The ASPM Way – A new approach. PRESENTED BY: Liav Caspi
  • 67. What is ASPM? A new class of solutions and technology to help manage AppSec efficiently and at scale. It is based on the following principles: Complete visibility; Secure the environment; Contextual prioritization; Collaboration & automation.
  • 68. Visibility: Repositories, tech stack; Developers, permissions; Tools, systems, plugins; 3rd party / open source dependencies; Artifacts; Secret management; LLM / AI BoM; More…
  • 69. What do we get from extreme visibility? Respond to an event – vulnerable Jenkins plugin, Log4Shell. Find critically insecure configurations. Plan what we need.
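Slide 59's "verify issue applicability" and the "respond to an event" case here (a vulnerable Jenkins plugin, Log4Shell) both start with the same question: which of our components fall inside the advisory's affected version ranges? As an added example, not code from either presentation, here is that check run over a CycloneDX-style SBOM with an OSV-style advisory. The package, service names, versions and advisory id are constructed; a component whose version cannot be parsed is reported as unknown rather than silently treated as safe.

```python
"""Answer "are we affected?" from an SBOM and a vulnerability advisory.

Added example, not code from either presentation. The SBOM uses the
CycloneDX JSON layout and the advisory uses OSV-style introduced/fixed ranges;
the package, versions, service names and advisory id are all constructed.
"""


def parse_version(text: str) -> tuple:
    """Sort key for dotted versions; a pre-release sorts below its release.

    Good enough for the example; real ecosystems (Maven, PEP 440, semver)
    each need their own comparison rules.
    """
    release, _, prerelease = text.partition("-")
    numbers = tuple(int(part) for part in release.split("."))  # ValueError if not numeric
    return (numbers, prerelease == "", tuple(prerelease.split(".")))


def is_affected(version: str, ranges: list) -> tuple:
    """Return (affected, fixed_in): fixed_in is the first version that closes the range."""
    v = parse_version(version)
    for r in ranges:
        below_fix = r.get("fixed") is None or v < parse_version(r["fixed"])
        if v >= parse_version(r["introduced"]) and below_fix:
            return True, r.get("fixed")
    return False, None


def assess_sbom(sbom: dict, advisory: dict) -> list:
    """One verdict per matching component: affected / not affected / unknown."""
    purl_prefix = f"pkg:{advisory['ecosystem']}/"
    verdicts = []
    for comp in sbom.get("components", []):
        if comp.get("name") != advisory["package"] or not comp.get("purl", "").startswith(purl_prefix):
            continue
        try:
            affected, fixed_in = is_affected(comp["version"], advisory["ranges"])
            status = "affected" if affected else "not affected"
        except ValueError:
            status, fixed_in = "unknown", None  # unparseable version: a human must decide
        verdicts.append({"bom-ref": comp.get("bom-ref"), "version": comp["version"],
                         "status": status, "fix": fixed_in})
    return verdicts


def needs_action(sbom: dict, advisory: dict) -> list:
    """bom-refs that must be patched or investigated (unknown counts as work, not as safe)."""
    return [v["bom-ref"] for v in assess_sbom(sbom, advisory) if v["status"] != "not affected"]


# Constructed advisory: two affected ranges, each closed by a fix release.
ADVISORY = {
    "id": "ADV-EXAMPLE-0001",  # placeholder, not a real CVE id
    "ecosystem": "maven",
    "package": "example-logging-lib",
    "ranges": [
        {"introduced": "2.0.0", "fixed": "2.12.2"},
        {"introduced": "2.13.0", "fixed": "2.15.0"},
    ],
}

# Constructed CycloneDX-style SBOM covering several services.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "payments-api:example-logging-lib", "name": "example-logging-lib",
         "version": "2.14.1", "purl": "pkg:maven/org.example/example-logging-lib@2.14.1"},
        {"type": "library", "bom-ref": "reporting:example-logging-lib", "name": "example-logging-lib",
         "version": "2.17.0", "purl": "pkg:maven/org.example/example-logging-lib@2.17.0"},
        {"type": "library", "bom-ref": "legacy-batch:example-logging-lib", "name": "example-logging-lib",
         "version": "1.2.17", "purl": "pkg:maven/org.example/example-logging-lib@1.2.17"},
        {"type": "library", "bom-ref": "gateway:example-logging-lib", "name": "example-logging-lib",
         "version": "2.12.2", "purl": "pkg:maven/org.example/example-logging-lib@2.12.2"},
        {"type": "library", "bom-ref": "search:example-logging-lib", "name": "example-logging-lib",
         "version": "2.14.1.RELEASE", "purl": "pkg:maven/org.example/example-logging-lib@2.14.1.RELEASE"},
        {"type": "library", "bom-ref": "payments-api:example-http-lib", "name": "example-http-lib",
         "version": "4.5.0", "purl": "pkg:maven/org.example/example-http-lib@4.5.0"},
    ],
}

if __name__ == "__main__":
    for verdict in assess_sbom(SAMPLE_SBOM, ADVISORY):
        print(verdict)
    print("needs action:", needs_action(SAMPLE_SBOM, ADVISORY))
```

The boundary cases are the ones that matter in a customer response: `gateway` sits exactly on a fix version and is not affected, `legacy-batch` predates the first affected range, and `search` carries a version string the parser cannot order, so it is listed for follow-up rather than being reported as safe.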
  • 70. Risk management: Stuff we fix / Problems we create / RISK
  • 71. Fix more risk. No more new. You must do it simultaneously. DevSecOps guardrails; Secure infrastructure; Developer awareness; Automated remediation. Find smarter ways to prioritize: Root causes; Bulk operations; Exploitability / reachability.
  • 72. How ASPM helps #1 – contextual prioritization
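Contextual prioritization, with the root-cause grouping and exploitability/reachability signals from the previous slide, as an added example that is not the presenter's or any vendor's model: each finding is scored with its deployment context, then findings that share a root cause (the same vulnerable package version, the same leaked secret) are ranked together so that one upgrade or one rotation closes all of them. The multipliers and the findings are constructed.

```python
"""Contextual prioritization with root-cause grouping.

Added example, not code from the presentation: the context fields, the
multipliers and the findings are constructed to show the mechanics, not to
describe any vendor's scoring model.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    repo: str
    kind: str              # "dependency", "secret" or "misconfig"
    subject: str           # package@version, secret fingerprint or rule id
    severity: float        # scanner's context-free base score, CVSS-like 0-10
    internet_facing: bool
    in_production: bool
    reachable: bool        # vulnerable code path is called / secret is still valid
    exploited_in_wild: bool


def contextual_score(f: Finding) -> float:
    """Base severity adjusted by deployment context (multipliers are a constructed policy)."""
    score = f.severity
    if f.exploited_in_wild:
        score *= 1.5
    if f.internet_facing:
        score *= 1.3
    if not f.reachable:
        score *= 0.3  # unreachable code or a revoked secret: keep it, but near the bottom
    if not f.in_production:
        score *= 0.5
    return round(score, 2)


def root_cause(f: Finding) -> tuple:
    """Findings with the same root cause close with one bulk action (one upgrade, one rotation)."""
    return (f.kind, f.subject)


def prioritize(findings) -> list:
    """Rank root causes by their worst contextual score, then by how many findings they close."""
    groups = defaultdict(list)
    for f in findings:
        groups[root_cause(f)].append(f)
    ranked = [
        {
            "root_cause": key,
            "score": max(contextual_score(m) for m in members),
            "repos": sorted({m.repo for m in members}),
            "findings": len(members),
        }
        for key, members in groups.items()
    ]
    ranked.sort(key=lambda g: (-g["score"], -g["findings"]))
    return ranked


# Constructed findings. Note the 9.9 in internal-tools: highest base severity,
# lowest real risk (non-production and the vulnerable path is never called).
SAMPLE_FINDINGS = [
    Finding("payments-api", "dependency", "example-lib@1.2.0", 9.8, True, True, True, True),
    Finding("reporting", "dependency", "example-lib@1.2.0", 9.8, False, True, True, True),
    Finding("internal-tools", "dependency", "other-lib@3.0.0", 9.9, False, False, False, False),
    Finding("payments-api", "secret", "sha256:placeholder-fingerprint", 9.0, True, True, True, False),
    Finding("docs-site", "secret", "sha256:placeholder-fingerprint", 9.0, True, False, True, False),
]

if __name__ == "__main__":
    for group in prioritize(SAMPLE_FINDINGS):
        print(group)
```

Sorted by raw severity the 9.9 in `internal-tools` would top the list; with context it drops to the bottom, while the two `example-lib@1.2.0` findings and the two copies of the same secret collapse into two root causes, each closed by a single action across every repository that carries it.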
  • 73. How ASPM helps #2 – DevSecOps Guardrails o A guardrail catches vulnerabilities before they reach runtime o It doesn't have to be blocking o Reduces the load on security teams
  • 74. How ASPM helps #3 – Git configuration security: Review required; MFA enforced for all developers; Only verified actions; Workflows can't approve themselves; And dozens more…
  • 75. Getting started: Consolidate an inventory and map the attack surface. ASPM tools are available to generate gap reports. Configuration scanners – you can start for free (see Legitify). Start small – introduce security scanners. Don't forget data.
  • 76. See how we help enterprises optimize their AppSec: legitsecurity.com
  • 77. Thank you! Questions?
  • 78. Thank You! Questions? To be continued… https://www.linkedin.com/company/application-security-virtual-meetups