Application Security not only consists in the use of software, hardware, and procedural methods to protect applications from external threats, it is more than technology, is a path not a destination, it is about risk management and implementing effective countermeasures to identify potential threats and understand that each threat presents a degree of risk. Once an afterthought in software design, security is becoming an increasingly important concern during development as applications become more frequently accessible over networks and are, as a result, vulnerable to a wide variety of threats. Security measures built into applications and a sound application security routine minimize the likelihood that unauthorized code will be able to manipulate applications to access, steal, modify, or delete sensitive data. Join up in a tour of various scenarios identifying the basic concepts about Application Security, learning about some of the most recent vulnerabilities and data breaches, as well as examples of how easy it can be to hack you.

1. APP SECURITY
FUNDAMENTALS
ÁNGEL GÓMEZ ROMERO
May 25th, 2019
KEY CONCEPTS FOR CYBERSECURITY
TOP THREATS WITH HACKING SCENARIOS
2019
#

2. 2019
#
ABOUT ME
2
@a_gomez_r BoquerónSec
Advanced App Engineering Associate Manager at Accenture. 15+ years
developing, designing, and architecting enterprise solutions in different
languages (mainly in Java). DevOps practitioner, Cloud solutions lover and
Application Security applied to SDLC (Software Delivery Lifecycle) evangelist.
ÁNGEL GÓMEZ ROMERO
Accenture Technology Center in Spain

3. 2019
#
CYBERSECURITY DIVISIONS MAP
Copyright 2019 Accenture. All rights reserved. 3
Source: Sanderson Recruitment Plc

4. APP SECURITY NOT ONLY CONSISTS IN THE
USE OF SOFTWARE, HARDWARE, AND
PROCEDURAL METHODS TO PROTECT
APPLICATIONS FROM EXTERNAL THREATS, IT
IS MORE THAN TECHNOLOGY, IS A PATH
NOT A DESTINATION
Copyright 2019 Accenture. All rights reserved. 4
2019
#

5. 2019
#
APP SEC
FOUNDATIONS
• Are we secure, or not?
• Brief history of App Security
• The life of a Cyberthreat
• Cybersec awareness: Malware
• Hacker/Cracker differences
Copyright 2019 Accenture. All rights reserved. 5

6. 2019
#
ARE WE SECURE, OR NOT?
Security is fundamentally about protecting assets.
Assets may be tangible items, such as a Web page or
database —
or less tangible, such as company reputation.
We must analyze our infrastructure and applications,
identifying potential threats and understand that each
threat presents a degree of risk.
This means on security we manage risks and we also
implement effective countermeasures.
Copyright 2019 Accenture. All rights reserved. 6
This is a common
misconception and it
depends on the
threat.
WHAT DO WE MEAN BY SECURITY?
A threat is a potential event that can adversely affect an asset, whereas a successful attack exploits
vulnerabilities in your system.
THREATS, VULNERABILITIES AND ATTACKS DEFINED
Threat Attack
Vulnerability

7. 2019
#
BRIEF HISTORY OF APP SECURITY
Highlights and reactions dating back to the late ‘80s
VIRUSES BEGINS
• 1971: First computer virus
"Creeper" detected on
ARPANET. First antivirus
program called the
"Reaper" created.
• 1988: First (not malicious)
Internet virus, “Morris”
worm, was unleashed.
• 1989: AIDS Trojan horse,
the first instance of a
ransomware detection.
ATTACKERS EVOLVED
FROM INDIVIDUALS TO
ORGANIZED GROUPS OF
CYBER CRIMINALS
• 1995: Javascript cross-site
scripting (XSS) attacks.
• 1998: Injection (such as
SQL) method of attack
discovered.
• 1999: “Melissa” Microsoft
Word virus disseminates
itself as email attachment.
MOBILE APPS
VULNERABILITIES OR
AUTOMOTIVE CYBER
THREATS EXPLOITED
• 2014: Attack on Sony
confidential information.
• 2015: Ashley Madison
personal data posted.
• 2017: “WannaCry” and
“Bad Rabbit” ransomware.
• 2018: Google+ API bug
potentially let to steal data
of 52.5 million users.
TACTIC/VULNERABILITY
DISCLOSURES
CONTINUE TO TREND
UPWARD
• 2000: “ILoveYou” worm,
infects systems worldwide.
• 2001: Microsoft victim of
DOS attacks the DNS.
• 2006: “Black Worm” filled
documents with garbage.
• 2009: Google China hit by
cyber attack, intellectual
property was stolen.
1980s 1990s 2000s 2010s
Computer hackers have a long history of trying to expose and exploit vulnerabilities on networks and in
software applications with profound business and personal impacts.
Copyright 2019 Accenture. All rights reserved. 7

8. 2019
#
THE LIFE OF A CYBERTHREAT
How malware get into your system to steal your data
Copyright 2019 Accenture. All rights reserved. 8
Online transactions
contain valuable
data making them a
huge target for
crime.
Source: Incognito Forensic Foundation, 2018
Hackers use underground
Internet circles known as the
Dark Web to share ideas and
organize, then they craft exploits
and ways to infiltrate targets
(some are malicious or hacked
websites that steal information).
There are other approaches,
phishing emails tricking
employees into downloading
malware that permits the hackers
access to secure systems
CYBERATTACKS AND
MALWARE CREATION
COLLABORATION OF
"THE GOOD GUYS"
Indicators of emerging cyber
threats help professionals to quickly
prevent malicious attacks, patch system
vulnerabilities and educate employees.

9. 2019
#
CYBERSECURITY AWARENESS:
MALWARE Differences between these programs
Copyright 2019 Accenture. All rights reserved. 9
Although they are all
bad, learn how to
“Guess who?” to
fight them.
IMAGE, ILLUSTRATION,
TEXT, GRAPH ETC.
Any malware software is intentionally
designed to cause damage to a
computer, server, client, or network.
It jeopardizes the affected systems after it
is implanted or introduced in some way
into a target's computer.
Source: ESET Smart Security

10. 2019
#
HACKER/CRACKER DIFFERENCES
Avoid bothering anyone confusing the terms
Copyright 2019 Accenture. All rights reserved. 10
Intensely interested in the recondite workings of
any computer operating system and programming
language (most often programmers), discovering holes
and the reasons, constantly seeking further knowledge,
freely share what they discover, and never intentionally
damage data.
One who breaks into or otherwise violates the
system integrity of remote machines with malicious intent.
Having gained unauthorized access, crackers destroy
vital data, deny legitimate users service, or cause
problems for their targets. This means on security we
manage risks and we also implement effective
countermeasures.
Differences to help
or to detect and stop
them. HACKER
• Ethical or White Hat vs Gray Hat hacker.
• Expert vs. Script Kiddies crackers.
SOME TYPES
CRACKER
IMAGE, ILLUSTRATION,
TEXT, GRAPH ETC.
Source: Peatonet Computing and Internet of Things Security

11. 2019
#
SECURING
APPLICATIONS
• How it works:
o Cybersecurity
o Cloud/Mobile Security
• Build a Secure application
• Security main elements
• Core Security principles
Copyright 2019 Accenture. All rights reserved. 11

12. 2019
#
HOW IT WORKS: CYBERSECURITY
Response plan stopping a security breach
Copyright 2019 Accenture. All rights reserved. 12
Meet John, he's the chief security officer
(CSO) for a company that has an incident
response platform (EIRP) in place which
acts as a hub for the people, processes
and technology
Threat source
identification
The IRP software
connects to the
company user directory
The IRP system
recognizes the user
account belongs to a
valid company user
Findings triage
Helping on the IRP
software, the security
team reject false-
positives and also
identify defect
criticality (John's
credentials
were stolen when the
hackers found a
vulnerability in the
company's firewall)
It has determined
the attempted attack
came from a well
known cybercrime
organization using
stolen credentials (a
malware infected file
was uploaded)
Irregular
activity occurs
on John’s
account
Vulnerabilities
are fixed
Security team uses the
findings to identify the
specific server
vulnerability that
allowed the attack
The IRP software uses
the information to
determine which
machines in the
network need to be
patched
Collect findings
The incident IP
addresses are sent by
the IRP to a threat
intelligence software
which identifies the
address (maybe it is a
suspected malware
known server)
Findings are
aggregated to a
playbook to be
checked/reviewed by a
security team
Status (legal)
report
Security team
communicates
which data may
have been stolen or
compromised during
the incident
Regulatory agencies
are notified, as well
as the affected
parties
2
1
1
2
3
4
5
6
A user behavior
analytics engine that
monitors account
activity recognizes a
suspicious behavior
Late-night logins and an
unusual amount of
downloaded data is
checked by the EIRP
3
4 5
6

13. 2019
#
IMAGE, ILLUSTRATION,
TEXT, GRAPH ETC.
HOW IT WORKS: CLOUD SECURITY
• Restricting visibility and filtering
data through a private cloud that isolates
the client applications for unwanted traffic
access and ensuring protection.
• Monitoring data and only allowing the
legitimate users to gain or block access to
the server.
• Managing identity for access and
also setting compliance rules to ensure
the safety of the data bases (bound by laws
and regulations).
Copyright 2019 Accenture. All rights reserved. 13
Cloud computing is
opening companies
up to new types of
cyber threats.
Source: WordPress Tidbits and Web Design Resource

14. 2019
#
IMAGE,
ILLUSTRATION,
TEXT, GRAPH ETC.
HOW IT WORKS: MOBILE SECURITY
• Prevent data leakage, ensuring that all
important data is encrypted, enhancing
security during the development process.
• Multiple security protection layers,
without making any changes to the mobile
app itself.
• Testing for vulnerabilities and risk
identifying where the (sensitive) data leaves
in the mobile.
• Protecting data in the wild with
obfuscation to prevent for changes in the
code or malware repackage.
Copyright 2019 Accenture. All rights reserved. 14
Personal information
is the most
important thing we
carry around.
Source: Shutterstock, Inc.

15. 2019
#
SECURITY MAIN ELEMENTS
Security relies on elements described below
AUTHENTICATION
• Who are you? Applied for users,
other services, processes, computers.
• Is the process uniquely identifying the
clients of your applications and
services?
AUTHORIZATION
• What can you do? Resources and
operations that the authenticated client
is permitted to access.
• Resources as files, databases, tables,
… and operations as product purchase.
AUDITING
• Together with logging is the key to
non-repudiation.
• This mechanism guarantees that a
user cannot deny performing an
operation or initiating a transaction.
CONFIDENTIALITY
• Data cannot be gathered by
unauthorized users or monitoring the
flow of traffic across a network.
• Encryption and Access control lists
(ACLs) are used to enforce privacy.
IMAGE OR
ILLUSTRATION
1 2
INTEGRITY
• Guarantee that data is protected from
accidental or deliberate (malicious)
modification.
• Hashing techniques and message
authentication codes often used.
AVAILABILITY
• Systems remain available for
legitimate users.
• DOS (denial-of-service) attacks try to
crash an application or to make sure
that it is sufficiently overwhelmed.
Copyright 2019 Accenture. All rights reserved. 15
3 4
6
5

16. 2019
#
CORE SECURITY PRINCIPLES
Recommendations regardless of technology/scenario
Compartmentalize
Reduce the surface area of attack.
Use least privilege
Minimal privileges and access rights.
Apply defense in depth
You do not rely on a single layer of security.
Do not trust user input
Assume all input is malicious until proven.
Check at the gate
Authenticate/authorize early —
at the first gate.
Fail securely
do not leave sensitive data accessible.
Secure the weakest link
Review any weak link in the chain for breaches.
Keep security simple
Avoid complex architectures and use simpler approach.
Create secure defaults
E.g. Disable default account and enable when required.
Don’t trust infrastructure/services
Application needs auth2 action from surrounded systems.
Reduce your attack surface
If you do not use it, remove it or disable it.
Establish secure defaults
Deliver an “out of the box” secure experience for users.
Copyright 2019 Accenture. All rights reserved. 16

17. 2019
#
HACKING
SCENARIOS
• Social Engineering hack you
• Should we fear hijacking?
Copyright 2019 Accenture. All rights reserved. 17

18. 2019
#
SOCIAL ENGINEERING HACK YOU
Simple trick with a phone call and crying baby
IMAGE, ILLUSTRATION,
TEXT, GRAPH ETC.
Hacking without any
code, just use a
phone, mail and
connection to
internet.
The focus in Social Engineering is to
extract some information or data points
that can be used in a later attack.
Copyright 2019 Accenture. All rights reserved. 18

19. 2019
#
SHOULD WE FEAR HIJACKING?
Hackers remotely (and easily) kill a Jeep on highway
Type of network
security attack to
takes control of a
communication.
In hijacking the atacker masquerades
as one of the entities who communicate
between them.
Some typical scenarios are man-in-the-
middle attack, browser hijacking
or web site hijack.
Copyright 2019 Accenture. All rights reserved. 19
IMAGE, ILLUSTRATION,
TEXT, GRAPH ETC.

20. 2019
#
THANKS !!
Copyright 2019 Accenture. All rights reserved. 20
https://www.zdnet.com/pictures/these-are-the-worst-hacks-cyberattacks-and-data-breaches-of-2018
WORST HACKS, CYBERATTACKS, AND DATA BREACHES OF 2018
https://www.youtube.com/channel/UClAgZm2OXFpX8WoMsOpWoXA
https://www.youtube.com/channel/UCtVlDASwc48aPui_gGZg4dQ
IBM SECURITY / IBM THINK ACADEMY
https://www.youtube.com/channel/UCe2VfUzsF9E4_MpVbLxHjmA
https://jktech.com/insight/blogs/how-does-cloud-based-security-work/
ESET USA / JKT (A HIGH IQ COMPANY)
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP TOP 10 MOST CRITICAL WEB APPLICATION SECURITY RISKS