Upgrade to Pro — share decks privately, control downloads, hide ads and more …

An introduction to AppSec?

Jérémy Courtial
October 23, 2018
Programming
0
42

An introduction to AppSec?

What is Application Security? Why it's important and how it can be implemented in tech teams?

Jérémy Courtial

October 23, 2018
Tweet

More Decks by Jérémy Courtial

See All by Jérémy Courtial
sudo give the cloud
mrartichaut
0
24
Secure by design: introduction to threat modeling
mrartichaut
0
47
Taming secrets with Vault
mrartichaut
0
80
Lead Tech: Empowering the team
mrartichaut
0
45
Web Platform Security
mrartichaut
0
44
go doSomeThing()
mrartichaut
0
49
Practical Cryptography : Data Encryption
mrartichaut
0
58
Practical Cryptography : Password Hashing
mrartichaut
1
68
HTTP/2 : One connection to rule them all
mrartichaut
1
57

Other Decks in Programming

See All in Programming
AI時代におけるSRE、
あるいはエンジニアの生存戦略
pyama86
4
1.1k
Click-free releases & the making of a CLI app
oheyadam
2
110
【Kaigi on Rails 2024】YOUTRUST スポンサーLT
krpk1900
1
320
PHP でアセンブリ言語のように書く技術
memory1994
PRO
1
160
RubyLSPのマルチバイト文字対応
notfounds
0
100
EventSourcingの理想と現実
wenas
6
2.3k
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
3
430
シェーダーで魅せるMapLibreの動的ラスタータイル
satoshi7190
1
470
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
610
as(型アサーション)を書く前にできること
marokanatani
4
590
TypeScript Graph でコードレビューの心理的障壁を乗り越える
ysk8hori
1
270
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
14
2.1k

Featured

See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.2k
10 Git Anti Patterns You Should be Aware of
lemiorhan
654
59k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
400
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
Music & Morning Musume
bryan
46
6.2k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
The Pragmatic Product Professional
lauravandoore
31
6.3k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.8k

Transcript

  1. An introduction
 to AppSec Jérémy Courtial Software Security Architect @JeremyCourtial

  2. AppSec?

  3. Application
 Secucirty?

  4. It’s not just about firewall

  5. Combination of 3 bugs leading to privilege escalation https://newsroom.fb.com/news/2018/09/security-update/

  6. Unpatched Apache Struts with critical Remote Execution vulnerability. (Plus lake

    of defence in depth?)

  7. « Application security encompasses measures taken to improve the security

    of an application often by finding, fixing and preventing security vulnerabilities. » Wikipedia

  8. It not just about finding & fixing It’s how applications

    are made

  9. Security is not a feature It’s a property like performance

    and reliability

  10. Security should be addressed at each step of the development

    lifecycle

  11. Design Implementation Vetification Release Security requirements Training Architecture reviews Threat

    modelling Documentation Secure coding Code reviews Static analysis Dynamic analysis Pen testing Secure environnement Monitoring Incident Response Requirements & trainings

  12. Requirements & trainings Use HSTS Must be HTTPS-only Have anti-CSRF

    mechanism See Spring-Security ? Security checklists

  13. Design Feedbacks-oriented meeting before any major changes enters development. Identifying

    subjects that need closer follow-ups. Ensuring best practices. Architecture reviews

  14. Impl. Static analysis Code analysis: Looks for common vulnerabilities pattern

    in code. Composition analysis: Looks for vulnerable dependencies.

  15. Impl. Static analysis Code analysis Composition 
 analysis

  16. Verification Dynamic analysis Looks for common vulnerabilities in live applications.

    OWASP ZAP

  17. Release Secure environment Up-to-date infrastructure (« patch, patch, patch… »)

    Host hardening: system, Docker, k8s, etc. Protected and segmented networks

  18. Who ?

  19. None

  20. Security champions One per team/platform Infuses security in daily activities

  21. Security owner Owns the threat model Leads structural projects Harmonises

    practices Leans on champions

  22. Security team Varies skills: - DevSec - Pen testing -

    Network & system - Compliance - …

  23. How ?

  24. Don’t be a faceless gate

  25. Support Help Devs to produce
 more secure apps! Tools, guidance,

    feedback, even code!

  26. Partnership Communicate goals, roadmaps, challenges, etc. We all want to

    ship
 ours (secure) products Shared responsibility

  27. Get out of the way: automate, automate! Setup meaningful and

    
 actionable alerts DevOps: ride the wave

  28. Security is impor Last challenge: awareness

  29. openrday.oodrive.fr Come talk about dev, security, etc.

  30. Thank you!