An introduction to AppSec?

Transcript

1. An introduction
 to AppSec Jérémy Courtial Software Security Architect @JeremyCourtial

2. AppSec?

3. Application
 Secucirty?

4. It’s not just about firewall

5. Combination of 3 bugs leading to privilege escalation https://newsroom.fb.com/news/2018/09/security-update/

6. Unpatched Apache Struts with critical Remote Execution vulnerability. (Plus lake

   of defence in depth?)

7. « Application security encompasses measures taken to improve the security

   of an application often by finding, fixing and preventing security vulnerabilities. » Wikipedia

8. It not just about finding & fixing It’s how applications

   are made

9. Security is not a feature It’s a property like performance

   and reliability

10. Security should be addressed at each step of the development

    lifecycle

11. Design Implementation Vetification Release Security requirements Training Architecture reviews Threat

    modelling Documentation Secure coding Code reviews Static analysis Dynamic analysis Pen testing Secure environnement Monitoring Incident Response Requirements & trainings

12. Requirements & trainings Use HSTS Must be HTTPS-only Have anti-CSRF

    mechanism See Spring-Security ? Security checklists

13. Design Feedbacks-oriented meeting before any major changes enters development. Identifying

    subjects that need closer follow-ups. Ensuring best practices. Architecture reviews

14. Impl. Static analysis Code analysis: Looks for common vulnerabilities pattern

    in code. Composition analysis: Looks for vulnerable dependencies.

15. Impl. Static analysis Code analysis Composition 
 analysis

16. Verification Dynamic analysis Looks for common vulnerabilities in live applications.

    OWASP ZAP

17. Release Secure environment Up-to-date infrastructure (« patch, patch, patch… »)

    Host hardening: system, Docker, k8s, etc. Protected and segmented networks

18. Who ?

19. None

20. Security champions One per team/platform Infuses security in daily activities

21. Security owner Owns the threat model Leads structural projects Harmonises

    practices Leans on champions

22. Security team Varies skills: - DevSec - Pen testing -

    Network & system - Compliance - …

23. How ?

24. Don’t be a faceless gate

25. Support Help Devs to produce
 more secure apps! Tools, guidance,

    feedback, even code!

26. Partnership Communicate goals, roadmaps, challenges, etc. We all want to

    ship
 ours (secure) products Shared responsibility

27. Get out of the way: automate, automate! Setup meaningful and

    
 actionable alerts DevOps: ride the wave

28. Security is impor Last challenge: awareness

29. openrday.oodrive.fr Come talk about dev, security, etc.

30. Thank you!