How to develop an AppSec culture in your project
Download as PPTX, PDF1 like197 views
The document outlines steps to develop an application security culture within a project, emphasizing the significance of security awareness among developers and QA professionals. It discusses methodologies such as risk classification, periodic assessments, secure software development processes, and threat modeling. Additionally, it highlights various tools for vulnerability assessment and the OWASP top 10 web application security risks.
How to develop an AppSec culture in your project
- 1. How to develop an AppSec culture in your project Nirosh
- 2. A bit about Me I’m a Senior Security Engineer & Pentester. I have nearly three years of experience in Information Security and Secure Software Development. Educational Background • BSc. Eng (Hons) in Computer Science and Engineering - University of Moratuwa, Sri Lanka • MSc in Security Engineering (Reading) - University of Moratuwa, Sri Lanka Certifications Web application Penetration Tester (eWPT) - eLearnSecurity Certificate ID: EWPT-343 Certified Ethical Hacker (CEHv9) – EC Council Certification Number: ECC39012388466 Certified Information Security Expert (CISE) – Innobuzz License Number: 30471
- 3. Why AppSec is a major concern? From https://www.akamai.com/ (2018/08/12 – 2018/08/19)
- 4. Why web application attacks occur? Application Developers and QA Professionals Don’t Know Security “As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.” Steve Carter
- 5. Security Assessments What ? Why? How ?
- 6. • Periodic Assessments – Once in every quarter ( Recommended) Vulnerability Assessments • Twice a year Penetration Testing • Twice a year Security Code Reviews
- 7. Risk Classification Methodology Risks can be classified using the following methodology: Risk = Impact × Likelihood Reference: OWASP Standards
- 9. Security in Agile • Dedicated sprint focusing on application security • Stories implemented are security related • Code is reviewed Security Sprint Approach • Similar to Microsoft Security Development Lifecycle (SDL) • Consists of the requirements and stories essential to security • No software should ever be released without requirements being met Every Sprint Approach
- 10. Secure Software Development Process •Guide Developers to follow Secure Coding Guidelines •Help QAs to integrate basic security test checklist into their regular test cases •Threat Modeling and Security Designs
- 11. Threat Modeling What is it?
- 12. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application Step 4 Validate Step 3 Determine countermeasures and mitigation Step 2 Identify threats Step 1 Diagrams
- 13. An Example – User Login
- 14. Username harvesting – Show generic error message
- 15. Too user friendly. :P
- 16. Case Study: • A Norway based professional company uses a software application which can allow users to book professionals (Electrician, Plumber) and request professional services through the company. • They wanted a new feature in this application which can allow users to upload and download property documents and maintenance documents. Access to these documents must be strictly restricted to relevant users.
- 17. • Since last week, the dev team is designing the new feature for the website, that will enable authenticated users to upload and download property documents. • The architects will reuse the existing infrastructure whenever possible (they already have user accounts). • One of the board members got to know about these cyber attackers and the crazy attacks they perform which can easily damage the business and its reputation.
- 18. • He also heard about the threat modeling which helps project teams to identify major threats and take necessary security measures before they even start implementation. • He hired you to help project team with this.
- 20. What can go wrong? Microsoft’s STRIDE Model • Spoofing - Impersonate User • Tampering - Maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit • Repudiation - Perform an illegal action and deny it. • Information Disclosure - Read a file that one was not granted access to, or to read data in transit • Denial of Service - Deny access to valid users • Elevation of Privilege - Gain privileged access or gain unauthorized access
- 21. Threat Model
- 23. Secure Design Principles / Trust Model Authentication Authorization Cookie Management Data/Input Validation Error Handling/Information leakage Logging/Auditing Cryptography Secure Code Environment Session Management
- 26. Web Application Security Risks For 2017, the OWASP Top 10 Most Critical Web Application Security Risks are:
- 27. Tools & Technologies Vulnerability Assessment & Pentesting -OWASP ZAP, Burp suite Scanner, Acunetix, SQLMap, Kali Linux, Arachni -With lots of Manual effort- OWASP/ SANS security assessment guidelines -Third party libraries – OWASP Dependency Check, RetireJs Server-side Security Assessment Tools -Nessus, Nmap, Nikto, OpenVAS, Wireshark, Metasploit framework Static Code Analysis -Manual Code Review, Findsecbug/PMD You can use commercial tools to perform assessments if you can purchase them
- 28. Demo
- 30. Acunetix Web App Scanner
Editor's Notes
- #4: Appsec plays a major role in the current cyber world Linkedin breach –password cracking attacks A small breach can cause huge damage to the business
- #5: We ignore security. And we don’t consider security as a part of business requirement Secure software development life cycle. Security testing is part of that process.
- #6: If you already built a software product, you have to establish a security assessment methodology.
- #7: 3 popular assessment methodology for security.
- #8: Impact – What are the consequences or damages if the vulnerability is exploited. Likelihood- how easy it is to exploit the vulnerability ( exploits available on the net)
- #9: How you can handle these security risks?
- #12: This can be done either beginning of the software development or at the end.
- #13: What are the possible ways to break the system ?
- #24: Once the basic threat agents and business impacts are understood, we should try to identify the set of controls that could prevent these threat agents from causing those impacts.