
Application Security


This is the Presentation that I used in my Session with Cyber Shujaa dubbed "Application Security"...


Emmanuel Muturia™

June 18, 2026


Transcript

  1. Table of contents
    01 APPSEC: What is AppSec and why should you even care?
    02 THE RISKS: What are the common Vulnerabilities in Apps?
    03 DEVSECOPS: DevSecOps and The Shift-Left Principle…
    04 Q&A: Ask your Questions…
  2. AppSec
    What is an App?
    Therefore, we can say that Application Security [AppSec] is the ongoing Process of designing, coding, testing, and managing Software to protect it from Internal and External Threats…
  3. Types of Applications
    • Mobile: WhatsApp, TikTok, Instagram, etc…
    • Web: Google Search, Facebook, YouTube, etc…
    • Cloud: Google Workspace, Microsoft 365, Salesforce, etc…
    • Desktop: Adobe Suite, Microsoft Office, VLC Media Player, etc…
  4. The Worst Hacks [Kinda…]
    • Equifax: Unpatched Known Vulnerabilities…
    • Log4J: Open-Source Software Dependencies and Input Validation…
    • SolarWinds: Supply Chain Security and Build Pipeline Integrity…
  5. The OWASP Top 10
    • Web: Vulnerabilities found when interacting with Applications via standard Web Browsers…
    • API: The unique stateless Logic, Data Exposition, and Endpoint Structures inherent to APIs…
    • Mobile: Vulnerabilities local to physical handheld Device Architectures, Platform EcoSystems, and Endpoint Storage…
    • LLMs: LLMs rely on human-centric Prompts, adding entirely new Attack Surfaces like Behavioural Manipulation and Data Poisoning…
  6. The Common Risks
    [Chart: Weak Passwords, Input Validation, Data Exposure, Access Control; segment values 40%, 30%, 10%, 20%]
  7. • 82%: Organisations with Security Debt tied to unpatched Vulnerabilities… [Source]
    • 48.5%: Enterprise Applications with unresolved Vulnerabilities more than a Year old… [Source]
    • 87%: AI-generated Code has at least one Security Vulnerability… [Source]
  8. The Old Way: Develop, Deploy, Secure
    • Push as much Code as possible…
    • Code as fast as possible. Security is useless…
    • Think about Security after being hacked…
  9. Best Practices
    • Shift Left. Security from The Beginning onwards…
    • Input Validation & Sanitisation…
    • Use of MFA & Strong Authentication…
    • Regular Security Testing [SAST, DAST, SCA]...
    • Keep everything updated [feat. Patching]...
    • Secure Coding Guidelines [Including Training]...
    • Use AI responsibly, will ya?
  10. “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology…”
    —Bruce Schneier
  11. Thank You…
    Website: www.emmanuelmuturia.com
    Social Media: @emmanuelmuturia
    CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik
  12. Resources
    • The OWASP Top 10 [Web]...
    • The OWASP Top 10 [APIs]...
    • The OWASP Top 10 [LLMs]...
    • The OWASP Mobile Application Security [MAS] Project…
    • APIsec University…
    • PortSwigger Web Security Academy…
    • DeepLearning.ai [Prompt Engineering Course]...
    • Pro Git [Learning Git]...