This talk is completely dedicated to how to build application security culture and team in your organization. I have presented this talk at The Hack Summit Poland.

1. C:>
How to Build AppSec
Team & Culture in your
Organization
Kunwar Atul (@kunwaratulhax0r)
www.thehacksummit.com 5/12/2020 online / Warsaw ORGANIZERS:

2. 2
Introduction
• Kunwar Atul
• Yet another Appsec and DevSecOps Guy
• Break – Fix – Repeat
• Synack Red Team Member
• OWASP MASVS Hindi and DevSecOps
University Contributor
• Social media- kunwaratulhax0r

3. 3
Current situation of Appsec culture
in Organizations

4. 4
What and Why?
• Application Security is the process of tools and practices aiming
to protect applications from threats throughout the entire
application lifecycle.
• Application Security is not a one-person job, it is for every
person who is involved in the software development lifecycle
from the very beginning.
• Appsec engineers are in demand now a days.
• Mostly, offers are focused upon an individual, one unicorn that
does all those wonderful things to ensure that the organization
is building secure software's.

5. 5
Risk Graph
Ref:- https://community.microfocus.com/t5/Security-Blog/Everything-you-need-to-know-to-build-an-AppSec-program/ba-p/2690564?lightbox-message-images-
2690564=16128i49D75DED5CDBEFE5

6. 6
Struggle
• Software Development organizations are struggling to secure the
application they develop and deploy for several reasons.
• Growing dependency on open source code as cost cutting, time
saving for application construction requires development team to
check that code for vulnerabilities.
• When a vulnerability detects, it takes time to patch for a
responsible team and affected code presents multiple problems
for developers and consumers.
• But the time and cost involved in patching the unsecure code is
motivating the developers to build the security into their application
in the very beginning stage (SDLC).

7. 7
Struggle
• The majority of companies simply do not
understand what a AppSec guy does.
• Many a times, IT people think technically and
cannot convey the risk well enough to the business.
• Business only wants to reduce the costs and
sell more ‘widgets’. They don’t care about
security until it is too late.

8. 8
Security Policy
• Security Policies can be considered as
foundation of any organization. But if we talk
about reality, then in most of the
organization people don’t read the Security
Policy.
• There are chances that employees also
might not be following the security policy and
they are not aware about what’s written in
the related Security Policy.

9. 9
Mind Map of CISO
• Business Involvement
• Governance
• Budget
• Security Architecture
• Compliance
• Audit
• Project Delivery Lifecycle
• Risk Management
• Identity Management

10. 10

11. 11
Where is AppSec ?
Application Security
• Application Development
Standards
• Secure Code Training
and Review
• Application Vulnerability
Testing
• Change Control File
Integrity Monitoring
• WAF
• Integration to SDLC and
Project Delivery
Image Reference-
https://rafeeqrehman.com/wp-
content/uploads/2017/07/CISO_
Job_MindMap_v9-768x1157.png

12. 12
Components of Appsec
• Web Applications
• Client Server Applications
• Mobile Applications
• Middleware Applications
• Cryptographic Analysis

13. 13
Affected components
Multiple researches have validated the fact that most successful
breaches target exploitable vulnerabilities residing in the application
layer, indicating the need for enterprise IT departments to be extra
vigilant about application security. To further compound the problem,
the number and complexity of applications is growing.
Common Vulnerabilities in AppSec:
• SQL injection
• CRLF
• Injection
• Cross-Site Scripting (XSS)

14. 14
What next?

15. 15
Application Security Team
Development Cycle

16. 16
Do we need to hire Appsec
Specialist?
Ref- pixtastock.com

17. 17
Security Champions
Image Source-
https://safecode.org/putting-a-
face-to-software-security-
champions/

18. 18
What do they do?
• Collaborate with other security champions - Review impact of the
'breaking changes' made in other projects.
• Attend weekly meetings.
• Are the single point of contact for their assigned team.
• Ensure that security is not a blocker on active development or
reviews.

19. 19
Why you should become one?
• Great opportunity for your career.
• Learn more
• Application Security
• Offence techniques (‘how to exploit an OWASP Top 10
vulnerability’)
• Defensive techniques (‘how to write secure code’)
• Code review techniques
• Solve hard technological problems in various phases like
development, testing, visualization.
• Meet members from other teams and improve your internal network.

20. 20
JIRA Risk Workflow

21. 21
Automate you Application Security
• A successful DevSecOps program can not be possible without
automation. New tools have emerged, giving dev and IT teams the
ability to create and destroy servers and deploy entire applications in
minutes with the push of a button.
• Application security can also be automated to a large extent.
Automated scanning tools can scan source code or even launch
attacks against running systems to find vulnerabilities before the code
reaches production.

22. 22
Available Methodology for AppSec
• Static Analysis (SAST), or “white-box” testing, analyzes applications
without executing them.
• Dynamic Analysis (DAST), or “black-box” testing, identifies
vulnerabilities in running web applications.
• Software Composition Analysis (SCA) analyzes open source and
third-party components.
• Manual Penetration Testing (or “pen testing”) uses the same
methodology cybercriminals use to exploit application weaknesses.

23. 23

24. 24
What type of Security we need to
create/Security Implementation?
• An environment where Security (Appsec and Infosec) people are
enabler.
• Infosec protects the organization and operations.
• Appsec protects the code.
• Developers are well versed with common application/code level
vulnerabilities.
• They are working in an environment, where it is difficult to create
vulnerabilities.
• Developers are aware about latest threats and vulnerabilities.
• Infosec teams are providing proper training to the developers and
security champions.

25. 25
How Bug Bounty Programs can help
making AppSec Strong?

26. 26
Health Monitoring for AppSec
• Application health monitoring is the practice of tracking the inputs
and outputs of an application based on key metrics, logs and traces
in order to watch how an application performs over time.
• Application health checks are when you define “healthy” parameters
for the monitoring metrics across your application and run regular
checks to ensure the system is performing the way it’s expected to.

27. 27
References
• https://community.microfocus.com/t5/Security-Blog/Everything-you-need-to-know-to-build-an-AppSec-program/ba-p/2690564
• https://www.veracode.com/blog/managing-appsec/few-my-lessons-learned-building-appsec-program
• https://www.darkreading.com/informationweek-home/how-to-raise-the-level-of-appsec-competency-in-your-organization/a/d-
id/1334402
• https://adam.shostack.org/blog/2017/10/application-security-team/
• https://techbeacon.com/security/7-must-dos-delivering-app-focused-security
• https://www.brighttalk.com/webcast/12807/365976/steps-to-creating-security-champions-on-your-application-development-team
• https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/rp-451-pathfinder-modern-appsec.pdf
• https://www.blackhat.com/presentations/bh-usa-07/Coffey_and_Viega/Whitepaper/bh-usa-07-coffey_and_viega-WP.pdf
• https://securityboulevard.com/2019/10/how-to-build-a-process-around-an-application-security-tool/
• https://www.hackerone.com/blog/5-Tips-Effective-AppSec-Testing-Strategy
• https://www.esecurityplanet.com/applications/why-bug-bounties-matter.html
• https://medium.com/betterappsec/how-to-develop-an-appsec-team-that-will-last-forever-3fc5e96b14fc
• https://blog.rapid7.com/2019/04/04/all-in-on-appsec-5-considerations-when-creating-an-application-security-program/
• https://safecode.org/putting-a-face-to-software-security-champions/

28. Thank you for your attention!
Leave your questions in the comment
section below and remember to join
Q&A session on the 5th of December.
www.thehacksummit.com 5/12/2020 online ORGANIZERS: