Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
An introduction to AppSec?
Search
Jérémy Courtial
October 23, 2018
Programming
0
36
An introduction to AppSec?
What is Application Security? Why it's important and how it can be implemented in tech teams?
Jérémy Courtial
October 23, 2018
Tweet
Share
More Decks by Jérémy Courtial
See All by Jérémy Courtial
sudo give the cloud
mrartichaut
0
23
Secure by design: introduction to threat modeling
mrartichaut
0
39
Taming secrets with Vault
mrartichaut
0
73
Lead Tech: Empowering the team
mrartichaut
0
43
Web Platform Security
mrartichaut
0
43
go doSomeThing()
mrartichaut
0
49
Practical Cryptography : Data Encryption
mrartichaut
0
55
Practical Cryptography : Password Hashing
mrartichaut
1
65
HTTP/2 : One connection to rule them all
mrartichaut
1
55
Other Decks in Programming
See All in Programming
GitHub Actionsで泣かないためにやっておきたい設定 / Recommended GHA settings to avoid crying
pinkumohikan
3
560
DMMプラットフォームがTiDB Cloudを採用した背景
pospome
9
4.2k
Implementing Design Systems in Swift
seyfoyun
0
370
Azure OpenAI Serviceのプロンプトエンジニアリング入門
tomokusaba
3
850
Go製Webアプリケーションのエラーとの向き合い方大全、あるいはやっぱりスタックトレース欲しいやん / Kyoto.go #50
utgwkk
6
1.7k
Java 22 Overview
kishida
1
190
try! Swift Tokyo 初参加報告LT
hinakko2
0
230
Ruby Function Composition
bkuhlmann
1
340
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
210
Netty Chicago Java User Group 2024-04-17
sullis
0
200
GraphQLサーバの構成要素を整理する #ハッカー鮨 #tsukijigraphql / graphql server technology selection
izumin5210
4
890
SwiftUIで使いやすいToastの作り方 / How to build a Toast system which is easy to use in SwiftUI
lovee
3
160
Featured
See All Featured
Optimising Largest Contentful Paint
csswizardry
12
2.4k
The Invisible Customer
myddelton
114
12k
The Cult of Friendly URLs
andyhume
74
5.7k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
11
1k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
Building Flexible Design Systems
yeseniaperezcruz
320
37k
Fashionably flexible responsive web design (full day workshop)
malarkey
398
65k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
117
18k
YesSQL, Process and Tooling at Scale
rocio
165
13k
The Invisible Side of Design
smashingmag
294
49k
Building Better People: How to give real-time feedback that sticks.
wjessup
356
18k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Transcript
An introduction to AppSec Jérémy Courtial Software Security Architect @JeremyCourtial
AppSec?
Application Secucirty?
It’s not just about firewall
Combination of 3 bugs leading to privilege escalation https://newsroom.fb.com/news/2018/09/security-update/
Unpatched Apache Struts with critical Remote Execution vulnerability. (Plus lake
of defence in depth?)
« Application security encompasses measures taken to improve the security
of an application often by finding, fixing and preventing security vulnerabilities. » Wikipedia
It not just about finding & fixing It’s how applications
are made
Security is not a feature It’s a property like performance
and reliability
Security should be addressed at each step of the development
lifecycle
Design Implementation Vetification Release Security requirements Training Architecture reviews Threat
modelling Documentation Secure coding Code reviews Static analysis Dynamic analysis Pen testing Secure environnement Monitoring Incident Response Requirements & trainings
Requirements & trainings Use HSTS Must be HTTPS-only Have anti-CSRF
mechanism See Spring-Security ? Security checklists
Design Feedbacks-oriented meeting before any major changes enters development. Identifying
subjects that need closer follow-ups. Ensuring best practices. Architecture reviews
Impl. Static analysis Code analysis: Looks for common vulnerabilities pattern
in code. Composition analysis: Looks for vulnerable dependencies.
Impl. Static analysis Code analysis Composition analysis
Verification Dynamic analysis Looks for common vulnerabilities in live applications.
OWASP ZAP
Release Secure environment Up-to-date infrastructure (« patch, patch, patch… »)
Host hardening: system, Docker, k8s, etc. Protected and segmented networks
Who ?
None
Security champions One per team/platform Infuses security in daily activities
Security owner Owns the threat model Leads structural projects Harmonises
practices Leans on champions
Security team Varies skills: - DevSec - Pen testing -
Network & system - Compliance - …
How ?
Don’t be a faceless gate
Support Help Devs to produce more secure apps! Tools, guidance,
feedback, even code!
Partnership Communicate goals, roadmaps, challenges, etc. We all want to
ship ours (secure) products Shared responsibility
Get out of the way: automate, automate! Setup meaningful and
actionable alerts DevOps: ride the wave
Security is impor Last challenge: awareness
openrday.oodrive.fr Come talk about dev, security, etc.
Thank you!