How to develop an AppSec culture in your project
Nirosh

A bit about Me
I’m a Senior Security Engineer & Pentester. I have nearly three years of experience in Information Security and Secure Software Development.
Educational Background
• BSc. Eng (Hons) in Computer Science and Engineering - University of Moratuwa, Sri Lanka
• MSc in Security Engineering (Reading) - University of Moratuwa, Sri Lanka
Certifications
• Web Application Penetration Tester (eWPT) - eLearnSecurity, Certificate ID: EWPT-343
• Certified Ethical Hacker (CEHv9) – EC-Council, Certification Number: ECC39012388466
• Certified Information Security Expert (CISE) – Innobuzz, License Number: 30471

Why is AppSec a major concern?
From https://www.akamai.com/ (2018/08/12 – 2018/08/19)

Why do web application attacks occur?
Application Developers and QA Professionals Don’t Know Security
“As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.” – Steve Carter

Security Assessments: What? Why? How?
• Vulnerability Assessments – periodic, once in every quarter (recommended)
• Penetration Testing – twice a year
• Security Code Reviews – twice a year

Risk Classification Methodology
Risks can be classified using the following methodology:
Risk = Impact × Likelihood
Reference: OWASP Standards
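The formula above worked through with the OWASP Risk Rating Methodology the slide refers to: each of the eight likelihood factors and eight impact factors is scored 0-9, the two averages are placed in LOW / MEDIUM / HIGH bands, and the pair is looked up in the overall severity table. This is an added example, not material from the deck; the factor names and bands follow the OWASP methodology, and the sample scores are constructed for one hypothetical finding.

```python
"""Risk = Impact x Likelihood, carried out OWASP Risk Rating style.
Added example, not part of the slide deck. Factor names and bands follow
the OWASP Risk Rating Methodology; the sample scores are constructed."""

# Likelihood factors: threat agent (first four) and vulnerability (last four).
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# Impact factors: technical (first four) and business (last four).
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Overall severity from the two bands (OWASP's likelihood x impact table).
SEVERITY = {
    ("LOW", "LOW"): "NOTE",      ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",    ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM",   ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}


def band(score: float) -> str:
    """Map an average factor score (0-9) onto the OWASP LOW / MEDIUM / HIGH bands."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside 0-9")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average_score(scores: dict, factors: tuple) -> float:
    """Average the given factors; every factor must be present and scored 0-9."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise KeyError(f"unscored factors: {missing}")
    for f in factors:
        if not 0 <= scores[f] <= 9:
            raise ValueError(f"{f}={scores[f]} outside 0-9")
    return sum(scores[f] for f in factors) / len(factors)


def rate_risk(likelihood_scores: dict, impact_scores: dict) -> dict:
    """Return the likelihood and impact averages, their bands and the overall severity."""
    likelihood = average_score(likelihood_scores, LIKELIHOOD_FACTORS)
    impact = average_score(impact_scores, IMPACT_FACTORS)
    l_band, i_band = band(likelihood), band(impact)
    return {
        "likelihood": likelihood, "likelihood_band": l_band,
        "impact": impact, "impact_band": i_band,
        "severity": SEVERITY[(l_band, i_band)],
    }


# Constructed scores for a hypothetical finding: easy to discover and exploit,
# but with limited technical and business consequences.
SAMPLE_LIKELIHOOD = dict(zip(LIKELIHOOD_FACTORS, (5, 4, 7, 6, 7, 5, 6, 8)))
SAMPLE_IMPACT = dict(zip(IMPACT_FACTORS, (2, 1, 1, 2, 1, 4, 2, 3)))

if __name__ == "__main__":
    print(rate_risk(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT))
```

The sample scores average to a HIGH likelihood (6.0) and a LOW impact (2.0), which the table rates MEDIUM overall; the point of scoring the factors separately rather than guessing two numbers is that the team can argue about each factor (is an exploit public? is the data regulated?) and get a repeatable answer.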
Security in Agile
Security Sprint Approach
• Dedicated sprint focusing on application security
• Stories implemented are security related
• Code is reviewed
Every Sprint Approach
• Similar to the Microsoft Security Development Lifecycle (SDL)
• Consists of the requirements and stories essential to security
• No software should ever be released without the requirements being met

Secure Software Development Process
• Guide developers to follow Secure Coding Guidelines
• Help QAs to integrate a basic security test checklist into their regular test cases
• Threat Modeling and Security Designs

Threat Modeling – What is it?
It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application.
Step 1 – Diagrams
Step 2 – Identify threats
Step 3 – Determine countermeasures and mitigation
Step 4 – Validate

An Example – User Login
Username harvesting – Show generic error message
Too user friendly. :P
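The user-login example above in code: a 'leaky' handler whose two different error messages confirm to an outsider which usernames are registered, beside a hardened handler that returns one generic message for every failure. This is an added example, not code from the deck. The user store and credentials are constructed, and running the password check against a dummy record for unknown usernames (so both paths do the same hashing work) is an addition beyond what the slide states.

```python
"""Generic login error versus username-revealing errors.
Added example, not from the slide deck; the user store, credentials and
the dummy-record technique are constructed assumptions for the demo."""
import hashlib
import hmac
import os
from typing import Tuple

ITERATIONS = 50_000          # PBKDF2 work factor (kept low for the demo)
GENERIC_ERROR = "Invalid username or password"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store: username -> (salt, PBKDF2 hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Dummy record verified whenever the username is unknown, so the unknown-user
# path costs the same as the known-user path (assumption: timing matters here).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def login_leaky(username: str, password: str) -> Tuple[bool, str]:
    """'Before': different messages for unknown user and wrong password,
    so the response itself tells the caller which usernames exist."""
    record = USERS.get(username)
    if record is None:
        return False, "No account exists for this username"
    salt, stored = record
    if hmac.compare_digest(hash_password(password, salt), stored):
        return True, "Welcome"
    return False, "Incorrect password"


def login_hardened(username: str, password: str) -> Tuple[bool, str]:
    """'After': one generic message for every failure; the password is hashed
    and compared on both paths, the dummy record standing in for missing users."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    if matches and username in USERS:      # guard: a dummy match must never log in
        return True, "Welcome"
    return False, GENERIC_ERROR


if __name__ == "__main__":
    for handler in (login_leaky, login_hardened):
        print(handler.__name__, handler("nobody", "x"), handler("alice", "x"))
```

The hardened handler still logs in the right user with the right password; the only thing the caller loses is the distinction between "no such account" and "wrong password", which is exactly the information the username-harvesting threat depends on. If the product team wants a friendlier experience, the usual compromise is to keep the generic message on the login form and move account-existence hints to channels the user already controls (an e-mail reset flow).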
Case Study:
• A Norway-based professional company uses a software application which allows users to book professionals (Electrician, Plumber) and request professional services through the company.
• They wanted a new feature in this application which allows users to upload and download property documents and maintenance documents. Access to these documents must be strictly restricted to the relevant users.
• Since last week, the dev team has been designing the new feature for the website, which will enable authenticated users to upload and download property documents.
• The architects will reuse the existing infrastructure whenever possible (they already have user accounts).
• One of the board members got to know about these cyber attackers and the crazy attacks they perform, which can easily damage the business and its reputation.
• He also heard about threat modeling, which helps project teams to identify major threats and take the necessary security measures before they even start implementation.
• He hired you to help the project team with this.

Data Flow Diagram

What can go wrong?
Microsoft’s STRIDE Model
• Spoofing - Impersonate a user
• Tampering - Maliciously change/modify persistent data, such as persistent data in a database, or alter data in transit
• Repudiation - Perform an illegal action and deny it
• Information Disclosure - Read a file that one was not granted access to, or read data in transit
• Denial of Service - Deny access to valid users
• Elevation of Privilege - Gain privileged access or gain unauthorized access

Threat Model
Threats in detail...

Secure Design Principles / Trust Model
• Authentication
• Authorization
• Cookie Management
• Data/Input Validation
• Error Handling/Information leakage
• Logging/Auditing
• Cryptography
• Secure Code Environment
• Session Management

Mitigation and Countermeasures
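One concrete countermeasure for the case study's document feature, where access "must be strictly restricted to relevant users": an object-level authorization check on download, covering the STRIDE Information Disclosure and Elevation of Privilege threats and the Authorization and Logging/Auditing items above. This is an added example, not code from the deck or the company described. The document store, the user names and the owner / shared-with access model are constructed assumptions; the 'before' handler shows the gap that reusing the existing login alone would leave.

```python
"""Object-level authorization for the case study's document download.
Added example, not from the slide deck: document records, users and the
owner / shared_with access model are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    content: bytes
    shared_with: frozenset = frozenset()   # users granted read access, e.g. a booked plumber


class Forbidden(Exception):
    """Caller is not authenticated."""


class NotFound(Exception):
    """Document is missing or not accessible to this caller."""


# Constructed document store keyed by id.
DOCS: Dict[int, Document] = {
    101: Document(101, "alice", b"lease agreement", frozenset({"plumber_bob"})),
    102: Document(102, "carol", b"maintenance report"),
}

AUDIT_LOG: List[dict] = []


def audit(outcome: str, user: str, doc_id: int) -> None:
    """Record every access decision (the deck's Logging/Auditing item)."""
    AUDIT_LOG.append({"outcome": outcome, "user": user, "doc_id": doc_id})


def download_insecure(user: str, doc_id: int) -> bytes:
    """'Before': authentication is checked, authorization is not. Any logged-in
    user who supplies another id reads someone else's document (STRIDE:
    Information Disclosure / Elevation of Privilege)."""
    if not user:
        raise Forbidden("authentication required")
    return DOCS[doc_id].content


def is_authorized(user: str, doc: Document) -> bool:
    """The owner or an explicitly shared user may read the document."""
    return user == doc.owner or user in doc.shared_with


def download_secure(user: str, doc_id: int) -> bytes:
    """'After': deny unless the caller is on the document's access list.
    Missing and unauthorized ids produce the same error so the response does
    not reveal which ids exist; every decision is audited."""
    if not user:
        raise Forbidden("authentication required")
    doc = DOCS.get(doc_id)
    if doc is None or not is_authorized(user, doc):
        audit("denied", user, doc_id)
        raise NotFound(f"document {doc_id} not found")
    audit("allowed", user, doc_id)
    return doc.content


def try_download(user: str, doc_id: int) -> Tuple[str, Optional[bytes]]:
    """Status-returning wrapper around download_secure for callers (and tests)
    that prefer an outcome string over an exception."""
    try:
        return "ok", download_secure(user, doc_id)
    except Forbidden:
        return "unauthenticated", None
    except NotFound:
        return "not_found", None


if __name__ == "__main__":
    print(try_download("alice", 101), try_download("mallory", 101))
    print(AUDIT_LOG)
```

The check lives next to the data access rather than in the UI, so every route that hands out a document (download, preview, share link) goes through the same decision, and the audit trail is what makes the Repudiation threat answerable later.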
Security Automation using Tools – How?

Web Application Security Risks
For 2017, the OWASP Top 10 Most Critical Web Application Security Risks are:

Tools & Technologies
Vulnerability Assessment & Pentesting
- OWASP ZAP, Burp Suite Scanner, Acunetix, SQLMap, Kali Linux, Arachni
- With lots of manual effort – OWASP/SANS security assessment guidelines
- Third-party libraries – OWASP Dependency-Check, Retire.js
Server-side Security Assessment Tools
- Nessus, Nmap, Nikto, OpenVAS, Wireshark, Metasploit Framework
Static Code Analysis
- Manual Code Review, FindSecBugs/PMD
You can use commercial tools to perform assessments if you can purchase them.

Demo
Acunetix Web App Scanner

Building an AppSec Culture

Editor's Notes

  1. AppSec plays a major role in the current cyber world. LinkedIn breach – password cracking attacks. A small breach can cause huge damage to the business.
  2. We ignore security, and we don’t consider security as a part of the business requirements. Secure software development life cycle: security testing is part of that process.
  3. If you have already built a software product, you have to establish a security assessment methodology.
  4. Three popular assessment methodologies for security.
  5. Impact – what are the consequences or damages if the vulnerability is exploited. Likelihood – how easy it is to exploit the vulnerability (e.g. exploits available on the net).
  6. How can you handle these security risks?
  7. This can be done either at the beginning of the software development or at the end.
  8. What are the possible ways to break the system?
  9. Once the basic threat agents and business impacts are understood, we should try to identify the set of controls that could prevent these threat agents from causing those impacts.