How to Build AppSec Team & Culture in Your Organization
The Hack Summit 2020
Kunwar Atul (@kunwaratulhax0r)
www.thehacksummit.com 5/12/2020 online / Warsaw
• Kunwar Atul
• Yet another Appsec and DevSecOps Guy
• Break – Fix – Repeat
• Synack Red Team Member
• OWASP MASVS Hindi and DevSecOps
• Social media: kunwaratulhax0r
What and Why?
• Application Security is the set of tools and practices aimed at protecting applications from threats throughout the entire
• Application Security is not a one-person job, it is for every
person who is involved in the software development lifecycle
from the very beginning.
• AppSec engineers are in demand nowadays.
• Most job offers are focused on a single individual, one "unicorn" who does all those wonderful things to ensure that the organization builds secure software.
• Software development organizations are struggling to secure the applications they develop and deploy, for several reasons.
• A growing dependency on open source code, adopted to cut cost and save time in application construction, requires the development team to check that code for vulnerabilities.
• When a vulnerability is detected, it takes the responsible team time to patch it, and the affected code presents multiple problems for developers and consumers.
• But the time and cost involved in patching insecure code is motivating developers to build security into their applications at the very beginning of the SDLC.
• The majority of companies simply do not understand what an AppSec guy does.
• Many times, IT people think technically and cannot convey the risk well enough to the business.
• The business only wants to reduce costs and sell more 'widgets'. They don't care about security until it is too late.
• Security policies can be considered the foundation of any organization. But if we talk about reality, in most organizations people don't read the Security
• There is also a chance that employees are not following the security policy and are not aware of what is written in the related Security Policy.
Mind Map of CISO
• Business Involvement
• Security Architecture
• Project Delivery Lifecycle
• Risk Management
• Identity Management
Where is AppSec?
• Application Development
• Secure Code Training
• Application Vulnerability
• Change Control File
• Integration to SDLC and
Components of Appsec
• Web Applications
• Client Server Applications
• Mobile Applications
• Middleware Applications
• Cryptographic Analysis
Multiple research studies have validated the fact that most successful breaches target exploitable vulnerabilities residing in the application layer, indicating the need for enterprise IT departments to be extra vigilant about application security. To further compound the problem, the number and complexity of applications is growing.
Common Vulnerabilities in AppSec:
• SQL injection
• Cross-Site Scripting (XSS)
What do they do?
• Collaborate with other security champions - Review impact of the
'breaking changes' made in other projects.
• Attend weekly meetings.
• Are the single point of contact for their assigned team.
• Ensure that security is not a blocker on active development or
Why should you become one?
• Great opportunity for your career.
• Learn more
• Application Security
• Offensive techniques (‘how to exploit an OWASP Top 10
• Defensive techniques (‘how to write secure code’)
• Code review techniques
• Solve hard technological problems in various phases like
development, testing, visualization.
• Meet members from other teams and improve your internal network.
Automate your Application Security
• A successful DevSecOps program is not possible without automation. New tools have emerged, giving dev and IT teams the ability to create and destroy servers and deploy entire applications in minutes with the push of a button.
• Application security can also be automated to a large extent.
Automated scanning tools can scan source code or even launch
attacks against running systems to find vulnerabilities before the code
Available Methodology for AppSec
• Static Analysis (SAST), or “white-box” testing, analyzes applications
without executing them.
• Dynamic Analysis (DAST), or “black-box” testing, identifies
vulnerabilities in running web applications.
• Software Composition Analysis (SCA) analyzes open source and
• Manual Penetration Testing (or “pen testing”) uses the same
methodology cybercriminals use to exploit application weaknesses.
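As an added example (not from the talk or any product it refers to), a toy static-analysis rule in Python that flags one of the common vulnerabilities listed earlier, SQL built from runtime values, without ever executing the scanned code. The rule set, the Finding type and the sample source are all constructed for illustration; the non-zero exit status is what lets a CI step act as the automated gate the previous slide describes.

```python
import re
from dataclasses import dataclass

# Hypothetical rule set for a toy SAST check (added example, not the talk's).
# It only looks at double-quoted strings on one line; a real engine would
# parse the code into an AST and track where each value comes from.
SQL_VERB = r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b"
SQL_STR = r'"[^"]*' + SQL_VERB + r'[^"]*"'
RULES = [
    ("sql-fstring", re.compile(r'f"[^"]*' + SQL_VERB + r'[^"]*\{', re.I)),
    ("sql-concat", re.compile(SQL_STR + r"\s*\+", re.I)),
    ("sql-percent", re.compile(SQL_STR + r"\s*%", re.I)),
    ("sql-format", re.compile(SQL_STR + r"\.format\(", re.I)),
]

@dataclass
class Finding:
    rule: str
    line_no: int
    text: str

def scan_source(src: str) -> list[Finding]:
    """Return one finding per source line that builds SQL from runtime values."""
    findings = []
    for line_no, line in enumerate(src.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, line_no, line.strip()))
                break  # one finding per line is enough to fail a CI gate
    return findings

# Constructed sample: a concatenated query (the SQL injection the talk lists),
# a parameterized query, and an f-string that is not SQL and must not be flagged.
SAMPLE = '''\
def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return cur.fetchone()

def find_user_safe(cur, name):
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cur.fetchone()

def log_lookup(name):
    print(f"looking up {name}")
'''
if __name__ == "__main__":
    findings = scan_source(SAMPLE)
    for f in findings:
        print(f"line {f.line_no} [{f.rule}]: {f.text}")
    raise SystemExit(1 if findings else 0)  # non-zero exit fails the pipeline
```

Running it on the sample reports only line 2 (the concatenated query); the parameterized query and the non-SQL f-string pass, which is the distinction a scanner has to make before it can block a build without drowning developers in noise.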
What type of Security we need to
• An environment where Security (Appsec and Infosec) people are
• Infosec protects the organization and operations.
• Appsec protects the code.
• Developers are well versed with common application/code level
• They are working in an environment, where it is difficult to create
• Developers are aware of the latest threats and vulnerabilities.
• Infosec teams are providing proper training to the developers and
Health Monitoring for AppSec
• Application health monitoring is the practice of tracking the inputs
and outputs of an application based on key metrics, logs and traces
in order to watch how an application performs over time.
• Application health checks are where you define "healthy" parameters for the monitoring metrics across your application and run regular checks to ensure the system is performing the way it's expected to.