Building an Application Security Program
Mike Spaulding
Director of Security Strategy & Architecture
*Company Confidential*
Disclaimer
All information within this session is presented AS-IS. If you do something foolish with the presented material resulting in your termination of employment, imprisonment, etc. – THAT IS FULLY YOUR BURDEN.
THINK BEFORE YOU ACT!
The path of least resistance
Malicious users exploit flaws that are not discovered during development and attempt to bypass security controls in order to gain access to systems and services to steal data, disrupt operations, extort money, etc.
Application Security Threats
The following are examples of known security threats:
• Connected Car Vulnerabilities
• Attacks on Critical Infrastructure
• Attacks on the Internet of Things
• Cyber Attacks on Smart Manufacturing Systems
• OWASP Top 10 Web Vulnerabilities
• Watering Hole Attack
• External Hostile Attacks
• Internal Malware Attacks
• Cryptography Vulnerabilities
• DoS and DDoS Attacks
• Buffer Overflows
• etc., etc., etc.
OWASP Top 10 Vulnerabilities
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Known Vulnerable Components
A10 Unvalidated Redirects and Forwards
AppSec Objective
It seems simple, but too many security peeps overthink this and let scope creep destroy their program.
The goal of Application Security is to reduce the risks within an application!
Methods of AppSec
Dynamic Assessment
Static Assessment
It is important to understand the difference between application security, penetration testing, and vulnerability management. Too often, others blur these areas.
Static Analysis (Code Testing)
The objective of performing a code scan/assessment is to locate portions of the code where common secure coding errors exist. The truth is that most developers are never shown how to code securely. In many situations, developers are being pushed to complete too much too fast, and mistakes are made.
Static code analysis should not only pinpoint the issue but also suggest the optimal solution to resolve it. This approach will also be used as a training method for developers.
Sanitizing data input from end users is critical. The less restrictive the data input, the greater the opportunity for abuse.
Dynamic Analysis
The objective of performing a dynamic test is to attempt to verify the effectiveness of the secure coding testing. This verification step is necessary in order to ensure that no sections of code were left unassessed and that code ‘assumed’ to be clean is verified.
This testing is partially interactive; the goal is to complete this testing as automated as possible and to investigate the delta between dynamic and static testing.
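Investigating the delta between the two scans means putting their findings on a common key, as an added example that is not from the deck: dynamic findings are keyed by endpoint, static findings by code location, so a route table maps one onto the other and the result falls into confirmed, static-only and dynamic-only buckets. The route table, both scanners' output and the category names (`sqli`, `xss`, `csrf`, `path_traversal`) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class StaticFinding:
    handler: str    # function the code scanner attributed the flaw to
    category: str   # normalized weakness class shared by both scanners
    line: int


@dataclass(frozen=True)
class DynamicFinding:
    method: str
    path: str       # request path the scanner exercised, query string included
    category: str


# Constructed route table (method, path template) -> handler; in practice this
# comes from the framework's router or the application inventory.
ROUTES: Dict[Tuple[str, str], str] = {
    ("GET", "/users/search"): "find_user",
    ("GET", "/orders/{id}"): "find_order",
    ("POST", "/comments"): "post_comment",
    ("POST", "/account/delete"): "delete_account",
    ("GET", "/export"): "export_report",
}

# Constructed scanner output. delete_account sits behind admin authentication
# the dynamic scan did not have; export_report never appeared in the static report.
STATIC: List[StaticFinding] = [
    StaticFinding("find_user", "sqli", 17),
    StaticFinding("find_order", "sqli", 31),
    StaticFinding("post_comment", "xss", 58),
    StaticFinding("delete_account", "csrf", 90),
]
DYNAMIC: List[DynamicFinding] = [
    DynamicFinding("GET", "/users/search?q=x", "sqli"),
    DynamicFinding("GET", "/orders/42", "sqli"),
    DynamicFinding("POST", "/comments", "xss"),
    DynamicFinding("GET", "/export?file=x", "path_traversal"),
]


def normalize_path(path: str) -> str:
    """Drop the query string and collapse numeric segments to the {id} template."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def reconcile(static, dynamic, routes):
    """Bucket findings by (handler, category) into the deltas worth investigating."""
    static_keys = {(f.handler, f.category) for f in static}
    dynamic_keys = set()
    unmapped: List[DynamicFinding] = []
    for f in dynamic:
        handler = routes.get((f.method, normalize_path(f.path)))
        if handler is None:
            unmapped.append(f)          # inventory gap: fix the route table first
        else:
            dynamic_keys.add((handler, f.category))
    return {
        # both scanners agree: reachable in the running build, fix first
        "confirmed": sorted(static_keys & dynamic_keys),
        # code flaw the dynamic scan never reached: unreachable, a false
        # positive, or a scan-coverage gap (auth, feature flag) to close
        "static_only": sorted(static_keys - dynamic_keys),
        # behaviour the code scan missed or code that was never assessed
        "dynamic_only": sorted(dynamic_keys - static_keys),
        "unmapped": unmapped,
    }


if __name__ == "__main__":
    for bucket, items in reconcile(STATIC, DYNAMIC, ROUTES).items():
        print(f"{bucket}: {items}")
```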
Vulnerability testing ensures that no two components, placed together with the application, create known vulnerabilities.
Components of AppSec
Web Applications
Client Server Applications
Mobile Applications
Middleware Applications
Cryptographic Analysis
Manual testing is in many cases what slows down the assessment process. Over time, as the developers become better conditioned to expectations, this time will decrease.
Manual Verification
The objective of performing a final manual test is to ‘smoke-test’ the final product and ensure that any anomalies discovered during prior assessment phases are verified to be closed and corrected and no longer pose a threat.
AppSec KPIs & metrics define critical feedback information to check the status of a program and make further decisions on improvement actions.
Kaizen: Continuous Improvement
Annual Assessments:
• Internet Facing Apps
• RTO 0 Apps
• Apps containing PII/PHI/PCI/IP
Ad hoc Assessments:
• New Applications
• Apps going through significant upgrades
• Emerging Technology
We could spend another hour just talking about these topics, but unfortunately we do not have the time. These topics are just as important as those covered more in-depth today.
Additional Considerations
Staffing:
• Training
• Liaison, Lead Analysts, Security Testers
• Resource Management
Operational Security:
• Application Firewall
• Data Loss Prevention
Vendor Management:
• Application Security Tools
• Consulting Services
4 Steps to AppSec
Start Simple, Start Small
Set Policies & Standards, Start Metrics
Scale AppSec to your SDLC
Scan Third Party Applications
Stolen from Chris Wysopal of Veracode:
http://www.darkreading.com/application-security/simplifying-application-security-4-steps-/a/d-id/1324254?_mc=RSS_DR_EDT
Start Simple, Start Small
The vast majority of companies simply do not understand what many of us (Security People) do. Most CISOs don’t get it!
Too often IT peeps think technical and cannot convey the risks well enough to the business.
* Remember: the business wants to reduce costs and sell more ‘widgets’; they don’t care about security until it is too late!
Your greatest ability to influence a project starts here – the business does not like surprises – do not tell them at the 11th hour (Implementation): “Hey NASA, we have a problem”!
Why Policies & Standards Matter
During two phases, AppSec will have its greatest influence:
Project Definition
System Overview
Too many security/IT peeps underestimate the power of metrics. Metrics or reporting show effort (and hopefully a reduction in risk)! Remember: the arrow should go down to the right!
Why Metrics Matter
From a budget standpoint you have to show a Return On Investment (ROI).
Define your security ROI with AppSec.
Produce metrics consistently – weekly, monthly.
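Two of the KPIs the deck calls for in code, as an added example that is not from the deck: the annual-assessment scope and coverage from the criteria on the Kaizen slide (Internet facing, RTO 0, PII/PHI/PCI/IP), and whether the open-finding arrow is pointing down to the right, from this slide. The application inventory, the reporting date, the weekly counts and the one-year assessment window are constructed; the `App` record and the `data_classes` labels are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class App:
    name: str
    internet_facing: bool = False
    rto_zero: bool = False                     # RTO 0: no tolerable downtime
    data_classes: List[str] = field(default_factory=list)   # e.g. "PII", "PHI", "PCI", "IP"
    last_assessed: Optional[date] = None       # None: never assessed


SENSITIVE = {"PII", "PHI", "PCI", "IP"}

# Constructed inventory and reporting date; real values come from the CMDB
# and the assessment tracker.
TODAY = date(2016, 4, 1)
INVENTORY = [
    App("customer-portal", internet_facing=True, data_classes=["PII", "PCI"],
        last_assessed=date(2016, 1, 15)),
    App("payment-switch", rto_zero=True, data_classes=["PCI"],
        last_assessed=date(2015, 2, 1)),
    App("intranet-wiki"),                                   # ad hoc scope only
    App("hr-records", data_classes=["PII"]),                # never assessed
]
# Constructed weekly count of open high-severity findings across the portfolio.
WEEKLY_OPEN_HIGH = [42, 40, 41, 37, 33, 30]


def annual_scope(app: App) -> bool:
    """Annual-assessment criteria from the slide: Internet facing, RTO 0, or sensitive data."""
    return app.internet_facing or app.rto_zero or bool(SENSITIVE & set(app.data_classes))


def overdue(app: App, today: date, max_age_days: int = 365) -> bool:
    """An in-scope app is overdue when never assessed or assessed over a year ago."""
    return app.last_assessed is None or (today - app.last_assessed).days > max_age_days


def coverage_kpi(apps: List[App], today: date) -> Tuple[int, int, List[str]]:
    """Return (apps in annual scope, of those assessed within the window, overdue names)."""
    scope = [a for a in apps if annual_scope(a)]
    late = sorted(a.name for a in scope if overdue(a, today))
    return len(scope), len(scope) - len(late), late


def trend(series: List[int]) -> str:
    """'down', 'up' or 'flat' from the sign of the least-squares slope.

    The slide's rule of thumb: the arrow on the chart should point down to the right.
    """
    n = len(series)
    mean_x = (n - 1) / 2
    mean_y = sum(series) / n
    # the slope's denominator is always positive, so the numerator's sign decides
    numerator = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(series))
    if numerator < 0:
        return "down"
    if numerator > 0:
        return "up"
    return "flat"


def weekly_report(apps: List[App], today: date, series: List[int]) -> str:
    """One line suitable for the weekly/monthly metrics the slide asks for."""
    in_scope, covered, late = coverage_kpi(apps, today)
    pct = 100 * covered // in_scope if in_scope else 100
    return (f"{today}: annual-scope coverage {covered}/{in_scope} ({pct}%), "
            f"overdue: {', '.join(late) or 'none'}; "
            f"open high findings {series[-1]} (trend {trend(series)})")


if __name__ == "__main__":
    print(weekly_report(INVENTORY, TODAY, WEEKLY_OPEN_HIGH))
```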
Align AppSec with SDLC
The AppSec process defines a set of activities at each phase of the SDLC:
1. Assistance during architectural solution definition
2. Assistance during high-level and low-level design
3. Static code (application) security scanning
4. Dynamic application security scanning
5. Web/mobile vulnerability security scanning
6. Manual testing
Align AppSec with SDLC
• It is critical that your alignment with the SDLC is practical – it is far worse to over-engineer!
• Of course under-engineering is bad, but over-engineering can lead to your program getting canceled.
All too often third parties do not perform the necessary security verification that we all assume they do. Again, AppSec is an expense – unless you care, they won’t perform this function.
Trust but Verify …
Once your program is off and running assessing your internal applications… where will the risk move to?
Ask for the opportunity to assess (always ask – as you could get sued – see Slide 2!).
Require that the vendor perform verification (build this into your procurement process – business function).
There is (perceived) significant overlap between QA and AppSec – it is vital to differentiate the two and advise management that their objectives are entirely different!
AppSec Program Expansion
Considerations:
If you do not have a formal Quality Assurance Program, stand one up!
If you do not have an internal Red Team (PenTest), stand one up!
Shameless Plug:
BSides Columbus 2017
January 2017
(intentionally will avoid ShmooCon weekend)
• Three Tracks of Security Goodness
Sweet Badges, Food, Much Fun!
Doge Approved!
Upcoming Talks:
• BSides Charm 2016 (Baltimore):
- Security Automation
• Somewhere later this Summer, who knows!
Feel free to get LinkedIn or hit me up on Twitter: @fatherofmaddog
