Offensive Security Transformation:
Starting from Scratch
Spencer Koch
Offensive Security Leader, Securimancy
Altaz Valani
Cyber Security Researcher, Security Compass
Who We Are
Spencer Koch
Offensive Security Leader
@sp3nx0r
securimancy.com
Altaz Valani
Cyber Security Researcher, Security Compass
securitycompass.com
About This Talk
This talk is:
• Aimed at security leaders early on in the maturity curve
• A cohesive storyboard for disparate capabilities that may already exist within SecOps teams
• Pointers on what worked well and resources to start down this path
• Both a practitioner and research perspective
This talk is not:
• Going to go deep in implementation or tooling details
• Going to be news to anyone doing red teaming or having mature appsec capabilities
How I structured my OffSec department:
• Application Security
• DevSecOps
• Security Champions
• Hardening
• Infra Vuln Management
• Red Team
Huge Assumptions
You have inventories galore...?
• Application listing
• Infrastructure
• Crown jewels / risk rankings / BIAs
You have a Dev Team...?
You have a Blue Team...?
You have permission to fire...?
• Buy-in from leadership
• Know where the fragile network bits are
You aren't a jerk...?
Application Security (Appsec) Overview
Design Requirements → Dependency Checking → Source Code Analysis → Dynamic App Testing → Gray Matter Testing
http://safecode.org/wp-content/uploads/2018/01/SAFECode_Dev_Practices1108.pdf
Design Requirements
SDLC phases: Requirements → Design → Develop → Build → Test → Deploy
• Doesn't work: Providing a long list of policies (be specific)
• Begin with driving the right security requirements
• Goal is traceable and reusable requirements into the DevOps pipeline
• Don't start from scratch, fork and make your own
• OWASP ASVS or NIST, pepper in regulatory reqs
• Tie into your DevOps training
• Establish de facto minimum standard against range of app architectures
https://github.com/OWASP/Top10
https://github.com/OWASP/ASVS/tree/master/4.0
Design Requirements
• One small step into the business world...
• Eventually need to convert 'policy speak' to 'DevOps speak'
• Agile stories? Microsoft SDL? Custom?
• Create a "policy to execution" pipeline for scaling
• For large orgs, eventually extend policy to execution into services layer
Business Risk, mitigated by Policies, enforced through Procedures
https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Source Code Analysis
• Dependency management
  • Start here! Easy, cheap, gateway drug
  • Built in GitHub, OSS like OWASP Dependency Check, freemium Snyk
  • Frameworks need patching just as OSes do, don't forget about them
• Linters / Code Quality
  • Easy mode checks: dangerous/deprecated functions, simple regexes, easy analytics
  • Lots of devs think this is enough
  • Examples: SonarQube, TSLint
Source Code Analysis - SAST
• Dedicated security scanners, able to follow source to sink
• Pay an arm/leg (money and resources) to get false positives
• No one SAST to rule them all – and that's ok!
• Give/take with UI, CI/CD integration, SaaS, languages, speed
• Great SAST listing: https://github.com/mre/awesome-static-analysis
• Hardest problem? Sizing for licenses (how's that inventory)
Source Code Analysis Gotchas
• How are you pushing security defects to backlog? ALM integrations
• DO NOT PRINT TO PDF & CHUCK
• Customize your own ruleset / criticality ranking
• You will spend a lot of time here trying to get this right...
Secure Coding Standards
• Use those IDE integrations – devs don't want another tool
• Coding standards for the team: they should exist and include security topics!
• Appsec team sets the structure (e.g. how to solve for input sanitization, output encoding, database interaction, authX, logging)
• Dev teams fill in their language/framework specific ways of achieving these guidelines
• Build secure libraries if devs' framework doesn't handle it!
• Infrastructure as Code (IaC) also needs standards
• Leverage others' work! CERT, OWASP, something...
https://wiki.sei.cmu.edu/confluence/display/seccode
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_Checklist
Code Reviews including Security!
• Build on what is already done today (peer review? self review? no review?)
• Define what needs to be reviewed at a minimum: security features, APIs, code dealing with money/PII, first-of code using new framework/design/etc.
• Keep it short! Don't kill them with checklists...
• Code review notes become training vehicle
• Architectural design decisions vs. syntax
Dynamic Application Testing (DAST)
• Requires compiled code, comes later in SDLC cycle
• Can be automated / integrated into CI/CD
• Works via HTTP request/response - great for web/mobile apps & APIs
• Catches a different & overlapping set of vulns from SAST
• Fewer false positives, and triage effort generally less than SAST
• What about WAF / virtual patching? Yep, do this...
• What about IAST/RASP? Don't worry about it yet...
Gray Matter Testing
• Every PM's favorite step, AKA "where the greenlight happens"
• Pentesting != Secure App <- culture change
• Shifting security left is hard, so spin as security == quality
• Don't waste resources on simple, repeatable tasks - save these folks for the "hard stuff": business logic, authX, session management, crypto
• Go broad: systemic testing beyond the app (adversaries won't respect app boundaries), work top-down to provide contextual priority of vulns
• Expensive to execute, expensive to fix defects, always timeboxed
• Avoid RCP: pick a partner(s), pick a framework, get involved
Appsec Framework
• That's a lot of testing, so what's your plan?
• Utilize a framework (OWASP SAMM 2.0?) and benchmark your progress
• Don't lose focus while chasing maturity – learn from CMMI
• This never ends – continual improvement, continual reassessment
• Don't be afraid to add your own capabilities – remain relevant and look for what's critical for assurance to your business
Metrics
• Start small:
  • # of apps onboarded / total apps
  • Vulnerability type by time (SQLi, XSS, etc.)
  • Average time to remediation
• Even those 3 can be hard
• Focus on telling a story and grow
• Stay away from # of vulns metrics, stick to behavior around those vulns
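One way to compute the three starting metrics above from an appsec team's own data, as an added example that is not from the talk; the application inventory, the findings export and its field layout are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import mean

# Constructed sample data (assumed layout, not from the talk or any tool):
# the application inventory and a findings export with one row per finding.
INVENTORY = ["payments-api", "customer-portal", "hr-app", "legacy-batch"]

# (app, vuln type, date opened, date closed or None if still open)
FINDINGS = [
    ("payments-api", "SQLi", date(2019, 3, 4), date(2019, 3, 20)),
    ("payments-api", "XSS", date(2019, 3, 18), date(2019, 4, 2)),
    ("customer-portal", "XSS", date(2019, 4, 1), date(2019, 4, 11)),
    ("customer-portal", "XSS", date(2019, 5, 9), None),
    ("hr-app", "SQLi", date(2019, 5, 14), date(2019, 6, 3)),
]


def onboarding_ratio(inventory, findings):
    """# of apps onboarded / total apps. An app counts as onboarded once the
    tooling has produced at least one finding for it; apps that appear in
    findings but not in the inventory are ignored (fix the inventory instead)."""
    onboarded = {app for app, *_ in findings}
    return len(onboarded & set(inventory)), len(inventory)


def vuln_type_by_month(findings):
    """Vulnerability type by time: {(year, month): Counter({type: n})},
    keyed on the month a finding was opened."""
    buckets = defaultdict(Counter)
    for _, vtype, opened, _ in findings:
        buckets[(opened.year, opened.month)][vtype] += 1
    return dict(buckets)


def avg_time_to_remediation(findings):
    """Mean days from open to close over closed findings only. Returns None
    while nothing has been closed, rather than a misleading zero."""
    days = [(closed - opened).days for _, _, opened, closed in findings if closed]
    return mean(days) if days else None


def open_backlog_by_app(findings):
    """Behaviour around vulns rather than a raw count: what is still open, per app."""
    return Counter(app for app, _, _, closed in findings if closed is None)


if __name__ == "__main__":
    done, total = onboarding_ratio(INVENTORY, FINDINGS)
    print(f"apps onboarded: {done}/{total}")
    for month, types in sorted(vuln_type_by_month(FINDINGS).items()):
        print(f"{month[0]}-{month[1]:02d}: {dict(types)}")
    print("avg days to remediate:", avg_time_to_remediation(FINDINGS))
    print("open per app:", dict(open_backlog_by_app(FINDINGS)))
```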
DevSecOps – Getting Started
• if (!infra_vuln && !appsec): devsecops = doomed
• DevSecOps Manifesto by Larry Maccherone: Build security in more than bolt it on
• All about automating manual security testing processes
• Make friends with DevOps, understand pipelines
• Build at lab/home, follow along with Securing DevOps by Julien Vehent
• With this understanding, where to start putting Sec in DevOps?
https://medium.com/continuous-agile/the-devsecops-manifesto-94579e0eb716
SANS Secure DevOps Toolchain
• SANS Secure DevOps Toolchain - epically good at framing your capability discussion!
• Build a mindmap, add your priorities and start filling in blanks within your org
• Be Agile just like the dev teams – iterate!
• Keep it automated, reduce friction
https://www.sans.org/security-resources/posters/secure-devops-toolchain-swat-checklist/60/download
DevSecOps Gotchas
• Be choosy about what "breaks the build", start without any breaks
• Plan out how security defects make it into the backlog: manual is painful
• Get involved in backlog prioritization, don't be unreasonable
• Come up with a plan and prioritize: ease to implement, bang for buck
• Examples: dependency checking, to secrets scanning, to CIS benchmarks, to OWASP Top 10 DAST scanning, to …
• Infra is always easier than app
• Expect to have to code some stuff, get your hands dirty
DevSecOps Gotchas
Don't be afraid of "bimodal DevSecOps": quick & dirty vs. deep-dive
CI/CD Integrated Testing
• Focus on speed and keeping noise low (a high signal-to-noise ratio)
• Completes in minutes, not days
• Catch "heavy hitting" vulns (OWASP Top 10)
Out-of-Band Testing
• Scheduled on a frequency
• Full code base, full URI path, full everything
• Appsec engineer prunes false positives
Security Champions
• Devs will resist; too much on their plate already
• Start with a respected developer interested in security
• Designate as security champion and commit (not a part time role; needs budget & training)
• Keep the momentum – it's change management (Kotter, PDCA, ...)
• Get some wins (measurable ROI on pre/post prod vuln metrics) across different champions and build toward a SC program
• Build word of mouth, sell career development for devs, success spreads
• Not worth pursuing nay-sayers, let them get FOMO
• Scale to a community of practice that offers advice, tools, onboarding, etc.
https://safecode.org/?s=security+champions
https://www.managementstudyguide.com/kotters-8-step-model-of-change.htm
Hardening
• Work with your sysadmins, be reasonable, keep them happy
• Where are you today? Start with CIS/NIST for core OSes, make the standards your own, document your deviations
• You will have hundreds of findings at the beginning – don't panic, it's normal
• Work the list - prioritize in phases, based on criticality and testing timing
• After a few rounds, expand to less familiar platforms (middleware, cloud platforms, network gear)
• Patterns will emerge, don't worry if there's no CIS benchmark for $STUFF
https://www.cisecurity.org/cis-benchmarks/
https://nvd.nist.gov/ncp/repository
https://nvd.nist.gov/ncp/checklist/811 - RHEL
https://nvd.nist.gov/ncp/checklist/560 - Win2012
Infra Vuln Management
• Scan all the things – this is the easiest part of this talk
• Don't trust your asset data, and add your results to IT asset data
• Automate infrastructure scanning/validation and tie to risk tolerance for key applications (don't do this alone, get the business involved – they own risk register)
• Infra vuln management is collaborative - understand impact to sysadmins and get their help to create the right processes and data
• Infrastructure as Code gets devs involved too, codify your hardening/scanning
https://www.inspec.io/
https://archerysec.info/
Infra Vuln Management Gotchas
• Frame your scan objectives: discovery, subnet/asset, agent
• DON'T PRINT TO CSV – utilize best fix paths and pick reasonable goals
• If you can't explain what the vuln is / how the vuln was detected, go research it
• Sell to sysadmins as validation of patching/config, you're in it together!
• Spot the patterns – don't forget about feedback loops
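The asset reconciliation, best-fix-path ranking and per-owner view that the two Infra Vuln Management slides call for, as an added example that is not from the talk; the CMDB export, the scanner row format, the host names and the severity weights are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the talk or any real scanner).
# CMDB export: hostname -> owning team
ASSET_INVENTORY = {
    "web01": "platform",
    "web02": "platform",
    "db01": "data",
    "jump01": "infra",
}

# Scanner export rows: (host, finding id, severity, fix that resolves it)
SCAN_RESULTS = [
    ("web01", "openssl-outdated", "high", "patch: openssl"),
    ("web02", "openssl-outdated", "high", "patch: openssl"),
    ("web02", "tls10-enabled", "medium", "config: disable TLS 1.0"),
    ("db01", "openssl-outdated", "high", "patch: openssl"),
    ("db01", "db-default-creds", "critical", "config: rotate default credentials"),
    ("build07", "openssl-outdated", "high", "patch: openssl"),  # host missing from CMDB
]

# Assumed weights; tune them to your own risk tolerance.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}


def reconcile_assets(inventory, scan_results):
    """Don't trust your asset data: return hosts the scanner found that the CMDB
    does not know about, and CMDB hosts the scanner never reached."""
    scanned = {row[0] for row in scan_results}
    unknown_to_cmdb = sorted(scanned - set(inventory))
    never_scanned = sorted(set(inventory) - scanned)
    return unknown_to_cmdb, never_scanned


def best_fix_paths(scan_results, weights=SEVERITY_WEIGHT):
    """Instead of a CSV with one row per finding, rank each fix by the
    severity-weighted number of findings it closes and list affected hosts."""
    score, hosts = defaultdict(int), defaultdict(set)
    for host, _, severity, fix in scan_results:
        score[fix] += weights[severity]
        hosts[fix].add(host)
    ranked = [(fix, score[fix], sorted(hosts[fix])) for fix in score]
    return sorted(ranked, key=lambda item: -item[1])


def findings_by_owner(inventory, scan_results):
    """Count findings per owning team so the conversation with each sysadmin
    group starts from their own numbers; unknown hosts surface as 'unowned'."""
    counts = defaultdict(int)
    for host, *_ in scan_results:
        counts[inventory.get(host, "unowned")] += 1
    return dict(counts)


if __name__ == "__main__":
    unknown, unscanned = reconcile_assets(ASSET_INVENTORY, SCAN_RESULTS)
    print("add to CMDB:", unknown, "| never scanned:", unscanned)
    for fix, score, affected in best_fix_paths(SCAN_RESULTS):
        print(f"{score:>3}  {fix:<40} {', '.join(affected)}")
    print(findings_by_owner(ASSET_INVENTORY, SCAN_RESULTS))
```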
Red Team
• Don't do this if you aren't doing basic infra vuln management, go focus on that
• Focus on blue team effectiveness at the beginning
• Visualize gaps and help Blue Team be better
• Your reports have power – write each scenario up as a budget request
Red Team Introductory Activities
• Phishing activities
  • OSS tools galore like Gophish, just add AWS infrastructure
• Social engineering
  • Call center password reset
• Signature Emulation – is your $TOOL detecting what you think it does?
  • (Network) BT3 – Blue Team Training Toolkit / (Host) Red Canary
• Active Directory health (Bloodhound / PingCastle)
• Awesome Redteaming lists – pick your poison
https://www.redcanary.com/blog/atomic-red-team-testing/
https://github.com/BloodHoundAD/BloodHound
https://www.pingcastle.com/
https://github.com/yeyintminthuhtut/Awesome-Red-Teaming
https://github.com/gophish/gophish
https://www.bt3.no/
Red Team Final Notes
• Continue to build, automate where possible
• See a technique on Twitter, try it out and see if Blue Team sees it
• Feedback loop forevah
• Always focus on ROI and value proposition, or face budget cuts
• Don't expect or try to be the next APT
Bonus: Cloud Migrations
Problem: Everything's going to the cloud! Oh nooooes…
Approaches that work:
• Fight for testing as it moves – you may never see that app again!
• Shift security testing focus from depth to breadth
• Change methodologies – don't be the blocker
• Change the duration – 3 apps per week
• Stress importance of risk registers and good documentation
• Pick the hill(s) to die on – care about the most critical vulns
Bonus: Cloud Migrations
Ditch FUD, embrace the new
• Use Infrastructure as Code to your benefit
• Use Cloud Service Provider tools to your benefit
• Push for network segmentation
• Encourage use of cloud devops tools – they're likely more secure than self-managed
Hardest part of migration: getting funding to fix those uncovered vulns
https://github.com/dev-sec - IaC hardening
https://github.com/aws-quickstart/quickstart-compliance-cis-benchmark - CSP tooling for hardening/alerting
Next Steps / Where To Go From Here
• Still a fledgling discipline, room to explore
• Get involved with DevSecOps communities, local chapters
• Partner with researchers
• Industry collaboration - reach out to us!

 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 

Último (20)

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 

HouSecCon 2019: Offensive Security - Starting from Scratch

8. Design Requirements
• One small step into the business world...
• Eventually you need to convert 'policy speak' into 'DevOps speak'
• Agile stories? Microsoft SDL? Custom?
• Create a "policy to execution" pipeline for scaling
• For large orgs, eventually extend policy-to-execution into the services layer
Business Risk, mitigated by Policies, enforced through Procedures
https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

9. Source Code Analysis
• Dependency management
  • Start here! Easy, cheap, gateway drug
  • Built into GitHub; OSS like OWASP Dependency Check; freemium Snyk
  • Frameworks need patching just as OSes do, don't forget about them
• Linters / Code Quality
  • Easy-mode checks: dangerous/deprecated functions, simple regexes, easy analytics
  • Lots of devs think this is enough
  • Examples: SonarQube, TSLint

10. Source Code Analysis - SAST
• Dedicated security scanners, able to follow source to sink
• Pay an arm/leg (money and resources) to get false positives
• No one SAST to rule them all – and that's ok!
• Give/take with UI, CI/CD integration, SaaS, languages, speed
• Great SAST listing: https://github.com/mre/awesome-static-analysis
• Hardest problem? Sizing for licenses (how's that inventory?)

11. Source Code Analysis Gotchas
• How are you pushing security defects to the backlog? ALM integrations
• DO NOT PRINT TO PDF & CHUCK
• Customize your own ruleset / criticality ranking
• You will spend a lot of time here trying to get this right...
• Use those IDE integrations – devs don't want another tool

12. Secure Coding Standards
• Coding standards for the team: they should exist and include security topics!
• Appsec team sets the structure (e.g. how to solve for input sanitization, output encoding, database interaction, authX, logging)
• Dev teams fill in their language/framework-specific ways of achieving these guidelines
• Build secure libraries if the devs' framework doesn't handle it!
• Infrastructure as Code (IaC) needs standards too
• Leverage others' work! CERT, OWASP, something...
https://wiki.sei.cmu.edu/confluence/display/seccode
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_Checklist

13. Code Reviews including Security!
• Build on what is already done today (peer review? self review? no review?)
• Define what needs to be reviewed, at a minimum: security features, APIs, code dealing with money/PII, first-of code using a new framework/design/etc.
• Keep it short! Don't kill them with checklists...
• Code review notes become a training vehicle
• Architectural design decisions vs. syntax

14. Dynamic Application Testing (DAST)
• Requires compiled code, comes later in the SDLC cycle
• Can be automated / integrated into CI/CD
• Works via HTTP request/response - great for web/mobile apps & APIs
• Catches a different & overlapping set of vulns from SAST
• Fewer false positives, and triage effort generally less than SAST
• What about WAF / virtual patching? Yep, do this...
• What about IAST/RASP? Don't worry about it yet...

15. Gray Matter Testing
• Every PM's favorite step, AKA "where the greenlight happens"
• Pentesting != Secure App <- culture change
• Shifting security left is hard, so spin it as security == quality
• Don't waste resources on simple, repeatable tasks - save these folks for the "hard stuff": business logic, authX, session management, crypto
• Go broad: systemic testing beyond the app (adversaries won't respect app boundaries); work top-down to provide contextual priority of vulns
• Expensive to execute, expensive to fix defects, always timeboxed
• Avoid RCP: pick a partner(s), pick a framework, get involved

16. Appsec Framework
• That's a lot of testing, so what's your plan?
• Utilize a framework (OWASP SAMM 2.0?) and benchmark your progress
• Don't lose focus while chasing maturity – learn from CMMI
• This never ends – continual improvement, continual reassessment
• Don't be afraid to add your own capabilities – remain relevant and look for what's critical for assurance to your business

17. Metrics
• Start small:
  • # of apps onboarded / total apps
  • Vulnerability type by time (SQLi, XSS, etc.)
  • Average time to remediation
• Even those 3 can be hard
• Focus on telling a story and grow
• Stay away from # of vulns metrics, stick to behavior around those vulns

18. DevSecOps – Getting Started
• if (!infra_vuln && !appsec): devsecops = doomed
• DevSecOps Manifesto by Larry Maccherone: build security in more than bolt it on
• All about automating manual security testing processes
• Make friends with DevOps, understand pipelines
• Build at lab/home, follow along with Securing DevOps by Julien Vehent
• With this understanding, where to start putting Sec in DevOps?
https://medium.com/continuous-agile/the-devsecops-manifesto-94579e0eb716

19. SANS Secure DevOps Toolchain
• SANS Secure DevOps Toolchain - epically good at framing your capability discussion!
• Build a mindmap, add your priorities and start filling in the blanks within your org
• Be Agile just like the dev teams – iterate!
• Keep it automated, reduce friction
https://www.sans.org/security-resources/posters/secure-devops-toolchain-swat-checklist/60/download

20. DevSecOps Gotchas
• Be choosy about what "breaks the build"; start without any breaks
• Plan out how security defects make it into the backlog: manual is painful
• Get involved in backlog prioritization, don't be unreasonable
• Come up with a plan and prioritize: ease to implement, bang for buck
• Examples: dependency checking, to secrets scanning, to CIS benchmarks, to OWASP Top 10 DAST scanning, to …
• Infra is always easier than app
• Expect to have to code some stuff, get your hands dirty

21. DevSecOps Gotchas
Don't be afraid of "bimodal DevSecOps": quick & dirty vs. deep-dive
CI/CD Integrated Testing
• Focus on speed and keeping signal-to-noise ratio low
• Completes in minutes, not days
• Catch "heavy hitting" vulns (OWASP Top 10)
Out-of-Band Testing
• Scheduled on a frequency
• Full code base, full URI path, full everything
• Appsec engineer prunes false positives
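Slides 11, 20 and 21 describe the pieces of a CI-mode gate: a team-owned criticality ranking over the scanner's severities, a baseline of findings already pruned as false positives in the out-of-band pass, a "break the build" policy that starts in report-only mode, and defects that land in the backlog as tickets rather than a printed report. The following is an added example, not code from the talk; the finding format, rule ids, fingerprints and file paths are constructed for illustration.

```python
"""Build gate for SAST/dependency findings (example code, not the talk's).
Finding shape, rule ids and fingerprints below are constructed."""
from dataclasses import dataclass, field
from typing import Optional

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    rule_id: str      # scanner rule id (constructed)
    severity: str     # severity as reported by the scanner
    path: str
    line: int
    fingerprint: str  # stable per-finding hash emitted by the scanner

@dataclass
class GatePolicy:
    break_at: Optional[str] = None                   # None = report-only
    overrides: dict = field(default_factory=dict)    # rule_id -> our severity
    baseline: set = field(default_factory=set)       # fingerprints triaged as FP

def effective_severity(f: Finding, policy: GatePolicy) -> str:
    """Team's own criticality ranking wins over the scanner default."""
    return policy.overrides.get(f.rule_id, f.severity)

def evaluate(findings, policy):
    """Return (build_passes, actionable_findings, suppressed_count).
    Baselined fingerprints were pruned in the out-of-band review and are
    never re-raised in the fast CI pass."""
    actionable, suppressed = [], 0
    for f in findings:
        if f.fingerprint in policy.baseline:
            suppressed += 1
        else:
            actionable.append(f)
    if policy.break_at is None:          # report-only: nothing breaks
        return True, actionable, suppressed
    threshold = SEVERITY_RANK[policy.break_at]
    blocking = [f for f in actionable
                if SEVERITY_RANK[effective_severity(f, policy)] >= threshold]
    return not blocking, actionable, suppressed

def backlog_items(findings, policy):
    """One ticket per rule+file (not per line), highest severity first."""
    tickets = {}
    for f in findings:
        t = tickets.setdefault((f.rule_id, f.path), {
            "rule": f.rule_id, "path": f.path,
            "severity": effective_severity(f, policy), "lines": []})
        t["lines"].append(f.line)
    return sorted(tickets.values(), key=lambda t: -SEVERITY_RANK[t["severity"]])

# Constructed sample: one CI-mode scan of a service.
SAMPLE = [
    Finding("sqli", "high", "api/orders.py", 42, "fp-a1"),
    Finding("sqli", "high", "api/orders.py", 88, "fp-a2"),
    Finding("weak-hash", "medium", "auth/tokens.py", 10, "fp-b1"),
    Finding("debug-flag", "low", "settings.py", 3, "fp-c1"),
    Finding("xss", "medium", "web/render.py", 57, "fp-d1"),
]
# Day one: report-only, weak hashing in auth code ranked critical by the
# appsec team, fp-d1 already triaged as a false positive out-of-band.
REPORT_ONLY = GatePolicy(None, {"weak-hash": "critical"}, {"fp-d1"})
# Later: same ranking and baseline, but high and above breaks the build.
ENFORCING = GatePolicy("high", {"weak-hash": "critical"}, {"fp-d1"})

if __name__ == "__main__":
    for name, pol in (("report-only", REPORT_ONLY), ("enforcing", ENFORCING)):
        ok, act, sup = evaluate(SAMPLE, pol)
        print(f"{name}: pass={ok} actionable={len(act)} suppressed={sup}")
        for t in backlog_items(act, pol):
            print("  ", t["severity"], t["rule"], t["path"], t["lines"])
```

Widening the baseline is the knob the out-of-band reviewer turns; tightening `break_at` and the overrides is the knob the appsec team turns once the backlog process is working.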
22. Security Champions
• Devs will resist; too much on their plate already
• Start with a respected developer interested in security
• Designate them as security champion and commit (not a part-time role; needs budget & training)
• Keep the momentum – it's change management (Kotter, PDCA, ...)
• Get some wins (measurable ROI on pre/post-prod vuln metrics) across different champions and build toward a SC program
• Build word of mouth, sell career development for devs, success spreads
• Not worth pursuing nay-sayers, let them get FOMO
• Scale to a community of practice that offers advice, tools, onboarding, etc.
https://safecode.org/?s=security+champions
https://www.managementstudyguide.com/kotters-8-step-model-of-change.htm

23. Hardening
• Work with your sysadmins, be reasonable, keep them happy
• Where are you today? Start with CIS/NIST for core OSes, make the standards your own, document your deviations
• You will have hundreds of findings at the beginning – don't panic, it's normal
• Work the list - prioritize in phases, based on criticality and testing timing
• After a few rounds, expand to less familiar platforms (middleware, cloud platforms, network gear)
• Patterns will emerge; don't worry if there's no CIS benchmark for $STUFF
https://www.cisecurity.org/cis-benchmarks/
https://nvd.nist.gov/ncp/repository
https://nvd.nist.gov/ncp/checklist/811 - RHEL
https://nvd.nist.gov/ncp/checklist/560 - Win2012

24. Infra Vuln Management
• Scan all the things – this is the easiest part of this talk
• Don't trust your asset data, and add your results to IT asset data
• Automate infrastructure scanning/validation and tie it to risk tolerance for key applications (don't do this alone, get the business involved – they own the risk register)
• Infra vuln management is collaborative - understand the impact on sysadmins and get their help to create the right processes and data
• Infrastructure as Code gets devs involved too; codify your hardening/scanning
https://www.inspec.io/
https://archerysec.info/

25. Infra Vuln Management Gotchas
• Frame your scan objectives: discovery, subnet/asset, agent
• DON'T PRINT TO CSV – utilize best fix paths and pick reasonable goals
• If you can't explain what the vuln is / how the vuln was detected, go research it
• Sell it to sysadmins as validation of patching/config; you're in it together!
• Spot the patterns – don't forget about feedback loops

26. Red Team
• Don't do this if you aren't doing basic infra vuln management; go focus on that
• Focus on blue team effectiveness at the beginning
• Visualize gaps and help the Blue Team be better
• Your reports have power – write each scenario up as a budget request

27. Red Team Introductory Activities
• Phishing activities
  • OSS tools galore like Gophish, just add AWS infrastructure
• Social engineering
  • Call center password reset
• Signature emulation – is your $TOOL detecting what you think it does?
  • (Network) BT3 – Blue Team Training Toolkit / (Host) Red Canary
• Active Directory health (BloodHound / PingCastle)
• Awesome Red Teaming lists – pick your poison
https://www.redcanary.com/blog/atomic-red-team-testing/
https://github.com/BloodHoundAD/BloodHound
https://www.pingcastle.com/
https://github.com/yeyintminthuhtut/Awesome-Red-Teaming
https://github.com/gophish/gophish
https://www.bt3.no/

28. Red Team Final Notes
• Continue to build, automate where possible
• See a technique on Twitter, try it out and see if the Blue Team sees it
• Feedback loop forevah
• Always focus on ROI and value proposition, or face budget cuts
• Don't expect or try to be the next APT

29. Bonus: Cloud Migrations
Problem: Everything's going to the cloud! Oh nooooes…
Approaches that work:
• Fight for testing as it moves – you may never see that app again!
• Shift security testing focus from depth to breadth
• Change methodologies – don't be the blocker
• Change the duration – 3 apps per week
• Stress the importance of risk registers and good documentation
• Pick the hill(s) to die on – care about the most critical vulns

30. Bonus: Cloud Migrations
Ditch FUD, embrace the new
• Use Infrastructure as Code to your benefit
• Use Cloud Service Provider tools to your benefit
• Push for network segmentation
• Encourage use of cloud devops tools – they're likely more secure than self-managed
Hardest part of migration: getting funding to fix those uncovered vulns
https://github.com/dev-sec - IaC hardening
https://github.com/aws-quickstart/quickstart-compliance-cis-benchmark - CSP tooling for hardening/alerting

31. Next Steps / Where To Go From Here
• Still a fledgling discipline, room to explore
• Get involved with DevSecOps communities, local chapters
• Partner with researchers
• Industry collaboration - reach out to us!