@intralinks
© 2018 Intralinks, Inc. l All Rights Reserved l 1
Building application security with 0 money down
Mushegh Hakhinian | VP, Security Architecture | November 9, 2018
Why this talk?
Share experience:
• “Everything-as-code” means “most-of-the-things” can be fixed in code
• A good program can be started without major investment in tooling
• A good program cannot be established without smart investment in tooling
01 Introduction
Microsoft SDL Steps
1. Training
   1. Core Security Training
2. Requirements
   1. Security and Privacy Requirements
   2. Quality Gates
   3. Security and Privacy Risk Assessments
3. Design
   1. Design Requirements
   2. Attack Surface Reduction
   3. Threat Modeling
4. Implementation
   1. Use Approved Tools
   2. Deprecate Unsafe Functions
   3. Static Analysis
Microsoft SDL Steps (continued)
5. Verification
   1. Dynamic Analysis
   2. Fuzz Testing
   3. Attack Surface Review
6. Release
   1. Incident Response Plan
   2. Final Security Review
   3. Release Certification
7. Response
   1. Execute Incident Response Plan
02 Application Security Stages - Coming of Age
Beginning State
Sincere ignorance
Next State
Vicious Cycle:
- First assessment, fix critical issues
- Second assessment, fix critical issues
- Third assessment, fix critical issues
- …
- N-th assessment, fix critical issues
03 Application Security Process Inception
Attainable Goal 1 - Find Glaring Issues
Step 1 - Test Production Instances
Free Tools:
- OWASP Zed Attack Proxy
- Openssl.com for quick check of TLS profiles
SDL step covered: 5. Verification (Dynamic Analysis, Fuzz Testing, Attack Surface Review)
Attainable Goal 2 - Fix Issues Under Own Control
Step 2 - Check Own Code
Free Tools:
- OWASP Dependency-Check for third-party components (weekly)
- SonarQube for code analysis (nightly)
- Clair for Docker container analysis (weekly)
SDL step covered: 4. Implementation (Use Approved Tools, Deprecate Unsafe Functions, Static Analysis)
Attainable Goal 3 - Catch Issues Before Coding Starts
Step 3 - Define Required Security Controls When Designing and Perform Architectural Risk Analysis
Free Tools:
- Microsoft Threat Modeling Tool
SDL step covered: 3. Design (Design Requirements, Attack Surface Reduction, Threat Modeling)
Process Inception Checklist
- Use dedicated tickets to track vulnerabilities: it takes some research to understand at which layer (own code, third-party component, container, infrastructure) the fix needs to be applied
- Get stakeholder commitment to fix Critical issues immediately
- Get commitment to patch third-party components
04 Steps to Maturity and Scaling
Maturity Goal 1 - Establish Continuous Assessment
- Budget for commercial tooling
- Evaluate and implement a 24/7 dynamic assessment product
- Scan test environments before promoting to production
SDL step covered: 5. Verification (Dynamic Analysis, Fuzz Testing, Attack Surface Review)
Maturity Goal 2 - Integrate With Commercial Code Analysis Tools
- Budget for commercial tooling
- Scan for viral (copyleft) licenses
- Scan for unpatched components
- Perform static code analysis for each build
SDL step covered: 4. Implementation (Use Approved Tools, Deprecate Unsafe Functions, Static Analysis)
Maturity Goal 3 - Enforce Security Gates
- Define thresholds and fail builds for critical items
SDL step covered: 2. Requirements (Security and Privacy Requirements, Quality Gates, Security and Privacy Risk Assessments)
Maturity Goal 4 - Invest in Training
- Establish formal security training for engineers with yearly re-certification
- Train and certify security champions to scale the security program
SDL step covered: 1. Training (Core Security Training)
Process Maturity Checklist
- Establish a cross-team committee to review security issues
- Establish timelines for fixing all security issues, Low to Critical
- Automate third-party component patching
- Establish metrics for executive-level reporting (Risk Management Committee)
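The gate that Maturity Goals 2 and 3 and the checklist above describe, as an added example that is not part of the Intralinks deck: one policy check a CI job can run over a dependency scan report, failing the build on critical items, rejecting copyleft ("viral") licenses, and treating an unpatched component as blocking once its fix timeline has expired. The report shape is only loosely modelled on a Dependency-Check JSON report and is constructed here; the CVSS threshold, the per-severity timelines, the license deny-list, the component names and the CVE-PLACEHOLDER ids are all constructed assumptions, not values from the deck.

```python
"""Build gate over a constructed dependency scan report (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Policy values below are constructed assumptions, not the deck's numbers.
FAIL_CVSS = 9.0  # at or above this score an item is "critical" and always fails
FIX_TIMELINE_DAYS = {"CRITICAL": 0, "HIGH": 30, "MEDIUM": 90, "LOW": 180}
VIRAL_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


@dataclass
class Finding:
    component: str
    kind: str        # "vulnerability" or "license"
    detail: str      # vulnerability id (placeholder here) or license id
    severity: str    # CRITICAL/HIGH/MEDIUM/LOW, or POLICY for license hits
    days_open: int
    blocking: bool


@dataclass
class GateResult:
    failed: bool
    findings: list[Finding]

    def blocking(self) -> list[Finding]:
        return [f for f in self.findings if f.blocking]


def severity_band(cvss: float) -> str:
    """Map a CVSS base score onto the policy's four severity bands."""
    if cvss >= FAIL_CVSS:
        return "CRITICAL"
    if cvss >= 7.0:
        return "HIGH"
    if cvss >= 4.0:
        return "MEDIUM"
    return "LOW"


def evaluate(report: dict, today: date) -> GateResult:
    """Apply the policy; 'today' is a parameter so the timeline check is deterministic."""
    findings: list[Finding] = []
    for dep in report.get("dependencies", []):
        name = dep["fileName"]
        # License policy: a viral license blocks regardless of how long it has been there.
        for lic in dep.get("licenses", []):
            if lic in VIRAL_LICENSES:
                findings.append(Finding(name, "license", lic, "POLICY", 0, True))
        # Vulnerability policy: critical always blocks; lower bands block only
        # once the component has stayed unpatched past its fix timeline.
        for vuln in dep.get("vulnerabilities", []):
            band = severity_band(float(vuln["cvssScore"]))
            first_seen = date.fromisoformat(vuln["firstSeen"])
            days_open = max(0, (today - first_seen).days)
            overdue = days_open > FIX_TIMELINE_DAYS[band]
            findings.append(Finding(name, "vulnerability", vuln["name"], band,
                                    days_open, band == "CRITICAL" or overdue))
    return GateResult(failed=any(f.blocking for f in findings), findings=findings)


# Constructed sample report: component names and CVE-PLACEHOLDER ids are not real.
SAMPLE_REPORT = json.loads("""
{
  "dependencies": [
    {"fileName": "libfoo-1.2.jar", "licenses": ["Apache-2.0"],
     "vulnerabilities": [{"name": "CVE-PLACEHOLDER-0001", "cvssScore": 9.8, "firstSeen": "2018-11-09"}]},
    {"fileName": "libbar-3.0.jar", "licenses": ["MIT"],
     "vulnerabilities": [{"name": "CVE-PLACEHOLDER-0002", "cvssScore": 7.5, "firstSeen": "2018-09-01"}]},
    {"fileName": "libbaz-0.9.jar", "licenses": ["AGPL-3.0-only"], "vulnerabilities": []},
    {"fileName": "libqux-2.1.jar", "licenses": ["BSD-3-Clause"],
     "vulnerabilities": [{"name": "CVE-PLACEHOLDER-0003", "cvssScore": 4.3, "firstSeen": "2018-11-01"}]}
  ]
}
""")


def main() -> int:
    result = evaluate(SAMPLE_REPORT, date(2018, 11, 9))
    for f in result.findings:
        flag = "FAIL" if f.blocking else "WARN"
        print(f"{flag} {f.component}: {f.kind} {f.detail} [{f.severity}] open {f.days_open}d")
    print("build gate:", "FAILED" if result.failed else "passed")
    return 1 if result.failed else 0  # non-zero exit code fails the CI job


if __name__ == "__main__":
    raise SystemExit(main())
```

Run on the sample with the scan date 2018-11-09, the gate blocks three of the four findings: the critical item, the AGPL-licensed component, and the high-severity item that has been open 69 days against a 30-day timeline; the medium item is only a warning. Passing the date in rather than reading the clock keeps the same report reproducible in a test, and the exit code is the only thing the CI system needs to enforce the gate.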
05 Conclusion
Customized SDL Steps With Little Initial Investment
1. Production Scanning
2. Code Analysis
3. Threat Modeling
4. Continuous Assessment
5. Automated Code Analysis
6. Security Gates Enforcement
7. Secure Coding Training
Ultimately, People Make The Program Work
Useful Links to Free Tools
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
https://www.owasp.org/index.php/OWASP_Dependency_Check
https://www.sonarqube.org/
https://github.com/coreos/clair
https://www.microsoft.com/en-us/download/details.aspx?id=49168
SonarQube Demo
Bogdan Petru-Ungureanu | Security Architect | November 9, 2018
Thank You!
intralinks.com
