DevSecOps: Finding the Adversaries in our Midst
1 like129 views
The document discusses the challenges and strategies surrounding application security, particularly in relation to modern threats like injection attacks and security misconfigurations. It highlights the importance of understanding adversaries' motives and the limitations of legacy security tools. The OWASP Top Ten is referenced as a critical starting point for addressing security risks, emphasizing the need for continuous improvement and adaptation in security practices.
DevSecOps: Finding the Adversaries in our Midst
- 1. Shannon Lietz - @devsecops James Wickett - @wickett
- 2. -- FOUNDER -- Shannon Lietz (@devsecops) 2
- 3. James Wickett (@wickett) ● ● ● @devsecops || @wickett3
- 4. ● ● ● 4
- 6. 6 @devsecsops || @wickett
- 7. “ massive computer-related attacks @devsecops || @wickett7 - Steven Bellovin, Thinking Security
- 8. 8
- 9. Adversary Perspective @devsecsops || @wickett9 Motives OpportunitiesMeans
- 12. 1) understand 2) measure 3) correct continuously @devsecops || @wickett12
- 13. HONEY SCANNERS DETECTION @devsecops || @wickett13
- 16. Deployment Architecture Component Manifest Lines of Code Tests Applied @devsecops || @wickett16
- 18. @devsecops || @wickett18 “We can see requests getting blocked but we don't know why. The samples just show the Ruleset name and not the actual reason for blocking the requests.” – Anonymous WAF User
- 20. OWASP TOP 10 App Sec Risks Real-World Top 10 Attacks 1 Injection Direct Object Reference 2 Broken Authentication Forceful Browsing 3 Sensitive Data Exposure Null Byte Attack 4 XML External Exposures (XXE) Command Injection 5 Broken Access Control Feature Abuse 6 Security Misconfiguration Evasion Techniques 7 Cross Site Scripting Subdomain Takeover 8 Insecure Deserialization Misconfiguration 9 Using Components with Known Vulnerabilities Cross Site Scripting 10 Insufficient Logging/Monitoring SQL Injection @devsecops || @wickett20
- 21. Researchers Paid Noise Advanced Adversaries Scanners @devsecops || @wickett21
- 22. Fame / Payment Continuous Payment Control / Payment Information Brokerage @devsecops || @wickett22
- 23. OWASP Top 10 Advanced Adversaries % Perceived Success Number of Adversaries + IPs Scanners Researchers Paid Noise @devsecops || @wickett23
- 24. OWASP Top Ten is just the most recognized part of the Problem You Can’t Secure New App Tech w/ Legacy AppSec Account Takeover Direct Object Reference Forceful Browsing Feature Abuse Evasion Techniques Subdomain Takeover Misconfiguration • Legacy WAFs focus on the same threats as 15 years ago • False positives result from generic signatures without context • Rarely used in blocking mode OWASP Injection Attacks Real-World Problems
- 29. whitelist themselves don’t use commercial scanners “goto” TTPs cryptocurrency AI/ML hide @devsecops || @wickett29
- 30. 30
- 31. 31 Every application is different @devsecops || @wickett
- 36. Return Rate Rate of Change Cost of fix Mean Time to Identification @devsecops || @wickett36
- 38. Time Changes Security Tests @devsecops || @wickett38
- 40. • … • … @devsecops || @wickett40