SlideShare a Scribd company logo

Application Security: Last Line of Defense

Narudom Roongsiriwong, CISSP, profile picture
Narudom Roongsiriwong, CISSP

The presentation by Narudom Roongsiriwong at the ASEAN IT Security Conference highlights the shift in attackers' focus towards applications, with increasing availability of exploit toolkits. Major breaches in 2015 targeted applications, revealing security weaknesses in most web and mobile apps. Key takeaways emphasize the importance of implementing proactive application security controls and frameworks, such as the OWASP Top 10 and Microsoft Security Development Lifecycle.

Technology
Related topics:
Application Security
1 of 18
Downloaded 69 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Application Security Last Line of Defense Narudom Roongsiriwong, CISSP ASEAN IT Security Conference 2016 Critical C-Suite Security Knowledge Conference July 27, 2016 The Westin Grande Sukhumvit, Bangkok, Thailand
About Me • Head of IT Security and Solution Architecture, Kiatnakin Bank PLC (KKP) • Consulting Team Member for National e-Payment project • Consultant for OWASP Thailand Chapter • Committee Member of Cloud Security Alliance (CSA), Thailand Chapter. narudom.roongsiriwong@owasp.org
Internet Lines of Defense Source: IBM Software Group, Rational Software
Does Firewall Really Prevent the Intrusion? Source: Jeremiah Grossman, BlackHat 2001
Does SSL/TLS Really Prevent the Intrusion? Source: Jeremiah Grossman, BlackHat 2001
Attackers have shifted their focus to target applications. Improving user accessibility and ease of use also increases ease of access for attackers. Application exploit toolkits are increasingly available on the attack marketplace. Many major breaches in 2015 targeted applications. Source: Cyber Risk Report 2016 highlights, Hewlett Packard Enterprise
Most Web And Mobile Apps Contain Security Weaknesses that Can Open the Door to Attackers. Source: Cyber Risk Report 2016 highlights, Hewlett Packard Enterprise
Key Takeaways for Application Security Source: Cyber Risk Report 2016 highlights, Hewlett Packard Enterprise
What Are Application Security Risks? Source: OWASP: Open Web Application Security Project
www.owasp.org
OWASP Top 10 2013 Risk Source: OWASP: Open Web Application Security Project
Security controls cannot deal with broken business logic such as A2, A4 and A7 Software weaknesses reduction down to zero is possible Reduce Security Weaknesses vs Increase Security Controls
So Where Do You Go from Here?
OWASP Top 10 Proactive Controls C1: Verify for Security Early and Often C2: Parameterize Queries C3: Encode Data C4: Validate All Inputs C5: Implement Identity and Authentication Controls C6: Implement Appropriate Access Controls C7: Protect Data C8: Implement Logging and Intrusion Detection C9: Leverage Security Frameworks and Libraries C10: Error and Exception Handling https://www.owasp.org/index.php/OWASP_Proactive_Controls
Microsoft Security Development Lifecycle https://www.microsoft.com/en-us/sdl
Software Assurance Maturity Model Source: OWASP’s Software Assurance Maturity Model (OpenSAMM) https://www.owasp.org/index.php/OpenSamm
Application Security: Last Line of Defense
Application Security: Last Line of Defense

More Related Content

PDF
Secure Software Development Adoption Strategy
Narudom Roongsiriwong, CISSP
 
PDF
Securing the Internet from Cyber Criminals
Narudom Roongsiriwong, CISSP
 
PDF
Top 10 Bad Coding Practices Lead to Security Problems
Narudom Roongsiriwong, CISSP
 
PDF
Application Security Verification Standard Project
Narudom Roongsiriwong, CISSP
 
PDF
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
PDF
OWASP Top 10 Proactive Control 2016 (C5-C10)
Narudom Roongsiriwong, CISSP
 
PDF
Coding Security: Code Mania 101
Narudom Roongsiriwong, CISSP
 
PDF
OWASP Top 10 A4 – Insecure Direct Object Reference
Narudom Roongsiriwong, CISSP
 
Secure Software Development Adoption Strategy
Narudom Roongsiriwong, CISSP
 
Securing the Internet from Cyber Criminals
Narudom Roongsiriwong, CISSP
 
Top 10 Bad Coding Practices Lead to Security Problems
Narudom Roongsiriwong, CISSP
 
Application Security Verification Standard Project
Narudom Roongsiriwong, CISSP
 
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
Narudom Roongsiriwong, CISSP
 
Coding Security: Code Mania 101
Narudom Roongsiriwong, CISSP
 
OWASP Top 10 A4 – Insecure Direct Object Reference
Narudom Roongsiriwong, CISSP
 

What's hot (20)

PDF
How Good Security Architecture Saves Corporate Workers from COVID-19
Narudom Roongsiriwong, CISSP
 
PDF
Embedded System Security: Learning from Banking and Payment Industry
Narudom Roongsiriwong, CISSP
 
PPT
Risky project Enterprise
Intaver Insititute
 
PDF
Threat Intelligence Is Like Three Day Potty Training
Priyanka Aash
 
PPT
3.Secure Design Principles And Process
phanleson
 
PDF
How To Avoid The Top Ten Software Security Flaws
Priyanka Aash
 
PDF
Secure Code Reviews
Marco Morana
 
PPTX
OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi
 
PDF
Making Threat Intelligence Actionable Final
Priyanka Aash
 
PPTX
Career In Information security
Anant Shrivastava
 
PDF
Implementing An Automated Incident Response Architecture
Priyanka Aash
 
PPTX
Secure coding practices
Mohammed Danish Amber
 
PPTX
The Making of a simple Cyber Threat Intelligence Gathering System
Niran Seriki, CCISO, CISM
 
PDF
Cyber intelligence for corporate security
G3 intelligence Ltd
 
PDF
Web Application Penetration Testing
Priyanka Aash
 
PDF
Application Security - Your Success Depends on it
WSO2
 
PDF
Achieving Defendable Architectures Via Threat Driven Methodologies
Priyanka Aash
 
PDF
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
PDF
Westjets Security Architecture Made Simple We Finally Got It Right
Priyanka Aash
 
PPTX
Understanding Application Threat Modelling & Architecture
Priyanka Aash
 
How Good Security Architecture Saves Corporate Workers from COVID-19
Narudom Roongsiriwong, CISSP
 
Embedded System Security: Learning from Banking and Payment Industry
Narudom Roongsiriwong, CISSP
 
Risky project Enterprise
Intaver Insititute
 
Threat Intelligence Is Like Three Day Potty Training
Priyanka Aash
 
3.Secure Design Principles And Process
phanleson
 
How To Avoid The Top Ten Software Security Flaws
Priyanka Aash
 
Secure Code Reviews
Marco Morana
 
OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi
 
Making Threat Intelligence Actionable Final
Priyanka Aash
 
Career In Information security
Anant Shrivastava
 
Implementing An Automated Incident Response Architecture
Priyanka Aash
 
Secure coding practices
Mohammed Danish Amber
 
The Making of a simple Cyber Threat Intelligence Gathering System
Niran Seriki, CCISO, CISM
 
Cyber intelligence for corporate security
G3 intelligence Ltd
 
Web Application Penetration Testing
Priyanka Aash
 
Application Security - Your Success Depends on it
WSO2
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Priyanka Aash
 
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
Westjets Security Architecture Made Simple We Finally Got It Right
Priyanka Aash
 
Understanding Application Threat Modelling & Architecture
Priyanka Aash
 
Ad

Viewers also liked (20)

PDF
AnyID: Security Point of View
Narudom Roongsiriwong, CISSP
 
PPTX
Payment Card System Overview
Narudom Roongsiriwong, CISSP
 
PDF
Secure PHP Coding
Narudom Roongsiriwong, CISSP
 
ODP
Unlock Security Insight from Machine Data
Narudom Roongsiriwong, CISSP
 
PPT
Risk Management in Project Management
Narudom Roongsiriwong, CISSP
 
PDF
AnyID and Privacy
Narudom Roongsiriwong, CISSP
 
PDF
Database Firewall with Snort
Narudom Roongsiriwong, CISSP
 
PDF
Docker London: Container Security
Phil Estes
 
PPTX
Docker and Microsoft - Windows Server 2016 Technical Deep Dive
Docker, Inc.
 
PPTX
Business continuity & disaster recovery planning (BCP & DRP)
Narudom Roongsiriwong, CISSP
 
PPTX
Docker 101 - Nov 2016
Docker, Inc.
 
PDF
Web Security attacks and defense
Jose Mato
 
PDF
My AWS production stack with Docker, ECS, CloudFormation and other services
Victor Holban
 
PPT
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
PPTX
Handling Non Functional Requirements on an Agile Project
Ken Howard
 
PDF
Non-Functional Requirements
David Simons
 
PPTX
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
Ajith Kp
 
PDF
DWS16 - Smart city forum - Niels De Schutter, Atos
IDATE DigiWorld
 
PPTX
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
CA API Management
 
PPTX
Web application security: how to start?
Antonio Fontes
 
AnyID: Security Point of View
Narudom Roongsiriwong, CISSP
 
Payment Card System Overview
Narudom Roongsiriwong, CISSP
 
Secure PHP Coding
Narudom Roongsiriwong, CISSP
 
Unlock Security Insight from Machine Data
Narudom Roongsiriwong, CISSP
 
Risk Management in Project Management
Narudom Roongsiriwong, CISSP
 
AnyID and Privacy
Narudom Roongsiriwong, CISSP
 
Database Firewall with Snort
Narudom Roongsiriwong, CISSP
 
Docker London: Container Security
Phil Estes
 
Docker and Microsoft - Windows Server 2016 Technical Deep Dive
Docker, Inc.
 
Business continuity & disaster recovery planning (BCP & DRP)
Narudom Roongsiriwong, CISSP
 
Docker 101 - Nov 2016
Docker, Inc.
 
Web Security attacks and defense
Jose Mato
 
My AWS production stack with Docker, ECS, CloudFormation and other services
Victor Holban
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
Handling Non Functional Requirements on an Agile Project
Ken Howard
 
Non-Functional Requirements
David Simons
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
Ajith Kp
 
DWS16 - Smart city forum - Niels De Schutter, Atos
IDATE DigiWorld
 
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
CA API Management
 
Web application security: how to start?
Antonio Fontes
 
Ad

Similar to Application Security: Last Line of Defense (20)

PPTX
Application Security-Understanding The Horizon
Lalit Kale
 
PDF
Top 10 Web App Security Risks
Sperasoft
 
PPT
六合彩香港-六合彩
baoyin
 
PPTX
Web Application Security
sudip pudasaini
 
PDF
Web App Security: Top Threats and How to Protect Your App.pdf
Nathan Smith
 
PPTX
Walls of Steel, Doors of Wood - Relevance of Application Security
Abdul Jaleel
 
PDF
DataMindsConnect2018_SECDEVOPS
Tobias Koprowski
 
PPTX
FireHost Webinar: Protect Your Application With Intelligent Security
Armor
 
PDF
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp
 
PPTX
Intelligence on the Intractable Problem of Software Security
Tyler Shields
 
PPTX
Andrew Useckas Csa presentation hacking custom webapps 4 3
Trish McGinity, CCSK
 
PPTX
Web Security Overview
Noah Jaehnert
 
PDF
Application security testing an integrated approach
Idexcel Technologies
 
PDF
Conférence - Adopter une approche de sécurité applicative avancée - #ACSS 2019
African Cyber Security Summit
 
PDF
Security Implications of the Cloud
Alert Logic
 
PPTX
Web_Appication_Security_Training_For_Developers.pptx
xobewe1102
 
PDF
Review Paper ( Research Articles )
SaadSaif6
 
PDF
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
Philippe Gamache
 
PDF
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
Philippe Gamache
 
PPTX
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
Application Security-Understanding The Horizon
Lalit Kale
 
Top 10 Web App Security Risks
Sperasoft
 
六合彩香港-六合彩
baoyin
 
Web Application Security
sudip pudasaini
 
Web App Security: Top Threats and How to Protect Your App.pdf
Nathan Smith
 
Walls of Steel, Doors of Wood - Relevance of Application Security
Abdul Jaleel
 
DataMindsConnect2018_SECDEVOPS
Tobias Koprowski
 
FireHost Webinar: Protect Your Application With Intelligent Security
Armor
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp
 
Intelligence on the Intractable Problem of Software Security
Tyler Shields
 
Andrew Useckas Csa presentation hacking custom webapps 4 3
Trish McGinity, CCSK
 
Web Security Overview
Noah Jaehnert
 
Application security testing an integrated approach
Idexcel Technologies
 
Conférence - Adopter une approche de sécurité applicative avancée - #ACSS 2019
African Cyber Security Summit
 
Security Implications of the Cloud
Alert Logic
 
Web_Appication_Security_Training_For_Developers.pptx
xobewe1102
 
Review Paper ( Research Articles )
SaadSaif6
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
Philippe Gamache
 
For Business's Sake, Let's focus on AppSec
Lalit Kale
 

More from Narudom Roongsiriwong, CISSP (11)

PDF
Biometric Authentication.pdf
Narudom Roongsiriwong, CISSP
 
PDF
Security Shift Leftmost - Secure Architecture.pdf
Narudom Roongsiriwong, CISSP
 
PDF
Secure Design: Threat Modeling
Narudom Roongsiriwong, CISSP
 
PDF
Security Patterns for Software Development
Narudom Roongsiriwong, CISSP
 
PDF
Secure Software Design for Data Privacy
Narudom Roongsiriwong, CISSP
 
PDF
Blockchain and Cryptocurrency for Dummies
Narudom Roongsiriwong, CISSP
 
PDF
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
PPTX
National Digital ID Platform Technical Forum
Narudom Roongsiriwong, CISSP
 
PDF
IoT Security
Narudom Roongsiriwong, CISSP
 
PDF
Secure Your Encryption with HSM
Narudom Roongsiriwong, CISSP
 
PDF
CarbonCredit-V4
Narudom Roongsiriwong, CISSP
 
Biometric Authentication.pdf
Narudom Roongsiriwong, CISSP
 
Security Shift Leftmost - Secure Architecture.pdf
Narudom Roongsiriwong, CISSP
 
Secure Design: Threat Modeling
Narudom Roongsiriwong, CISSP
 
Security Patterns for Software Development
Narudom Roongsiriwong, CISSP
 
Secure Software Design for Data Privacy
Narudom Roongsiriwong, CISSP
 
Blockchain and Cryptocurrency for Dummies
Narudom Roongsiriwong, CISSP
 
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
National Digital ID Platform Technical Forum
Narudom Roongsiriwong, CISSP
 
IoT Security
Narudom Roongsiriwong, CISSP
 
Secure Your Encryption with HSM
Narudom Roongsiriwong, CISSP
 
CarbonCredit-V4
Narudom Roongsiriwong, CISSP
 

Recently uploaded (20)

PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Advanced Soft Computing BINUS July 2025.pdf
University of Hertfordshire
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Advanced Soft Computing BINUS July 2025.pdf
University of Hertfordshire
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Teaching material agriculture food technology
LiaRayya
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 

Application Security: Last Line of Defense

  • 1. Application Security Last Line of Defense Narudom Roongsiriwong, CISSP ASEAN IT Security Conference 2016 Critical C-Suite Security Knowledge Conference July 27, 2016 The Westin Grande Sukhumvit, Bangkok, Thailand
  • 2. About Me • Head of IT Security and Solution Architecture, Kiatnakin Bank PLC (KKP) • Consulting Team Member for National e-Payment project • Consultant for OWASP Thailand Chapter • Committee Member of Cloud Security Alliance (CSA), Thailand Chapter. narudom.roongsiriwong@owasp.org
  • 3. Internet Lines of Defense Source: IBM Software Group, Rational Software
  • 4. Does Firewall Really Prevent the Intrusion? Source: Jeremiah Grossman, BlackHat 2001
  • 5. Does SSL/TLS Really Prevent the Intrusion? Source: Jeremiah Grossman, BlackHat 2001
  • 6. Attackers have shifted their focus to target applications. Improving user accessibility and ease of use also increases ease of access for attackers. Application exploit toolkits are increasingly available on the attack marketplace. Many major breaches in 2015 targeted applications. Source: Cyber Risk Report 2016 highlights, Hewlett Packard Enterprise
  • 7. Most Web And Mobile Apps Contain Security Weaknesses that Can Open the Door to Attackers. Source: Cyber Risk Report 2016 highlights, Hewlett Packard Enterprise
  • 8. Key Takeaways for Application Security Source: Cyber Risk Report 2016 highlights, Hewlett Packard Enterprise
  • 9. What Are Application Security Risks? Source: OWASP: Open Web Application Security Project
  • 11. OWASP Top 10 2013 Risk Source: OWASP: Open Web Application Security Project
  • 12. Security controls cannot deal with broken business logic such as A2, A4 and A7 Software weaknesses reduction down to zero is possible Reduce Security Weaknesses vs Increase Security Controls
  • 13. So Where Do You Go from Here?
  • 14. OWASP Top 10 Proactive Controls C1: Verify for Security Early and Often C2: Parameterize Queries C3: Encode Data C4: Validate All Inputs C5: Implement Identity and Authentication Controls C6: Implement Appropriate Access Controls C7: Protect Data C8: Implement Logging and Intrusion Detection C9: Leverage Security Frameworks and Libraries C10: Error and Exception Handling https://www.owasp.org/index.php/OWASP_Proactive_Controls
  • 15. Microsoft Security Development Lifecycle https://www.microsoft.com/en-us/sdl
  • 16. Software Assurance Maturity Model Source: OWASP’s Software Assurance Maturity Model (OpenSAMM) https://www.owasp.org/index.php/OpenSamm