Slide 1

Slide 1 text

Application Security on a Dime Open Technologies, Tools, and Blossoming InfoSec Programs Amidst a sea of threats, how ready is your enterprise to navigate beyond risk?

Slide 2

Slide 2 text

Navigational Map
● Speaker Profile
● Security Challenges
● Intro to OWASP
● Security Voltron Concept
● Governance, Development, Security Testing
● Closing Remarks

Slide 3

Slide 3 text

Tony UcedaVélez, CEO/Founder, VerSprite (VerSprite.com - Global Security Firm)
@t0nyuv | LinkedIn.com/tonyuv
● OWASP Atlanta Chapter Leader (past 10 years)
● Author, “Risk Centric Threat Modeling – Process for Attack Simulation & Threat Analysis”, Wiley, June 2015
● Passionate global threat modeling evangelist
● Dreams of bankrupting #infosec with intelligent, threat-inspired DevSecOps automation

Slide 4

Slide 4 text

Security Challenges How to start saying..... "I GOT 99 PROBS BUT SECURITY AIN'T ONE"

Slide 5

Slide 5 text

Challenges in AppSec (or, I got 99 problems and they are all security!)
● Isolated SDLC efforts
● Anti-security culture
● Expanding heterogeneous tech stack
● Decentralizing management
● Security not built into IT functions
● Targeted attacks
● Open intel on application components

Slide 6

Slide 6 text

Sound Solutions (or, I got 99 problems and they are all security!)
● Establish governance
● Security requirements & resources
● Implementation of SSDLC
● User security frameworks
● Test, and test early
● Track defects

Slide 7

Slide 7 text

OWASP Open Web Application Security Project

Slide 8

Slide 8 text

OWASP Open Web Application Security Project

Slide 9

Slide 9 text

Intro to OWASP
● Open Web Application Security Project
● Launched December 1st, 2001
● Community-led open source software project
● Dedicated to openness of all content and materials
● International community focused on improving AppSec
● Cross-cultural, cross-industry challenges exposed and addressed
● Massively supportive and responsive
● Follow @OWASP

Slide 10

Slide 10 text

Core Values (www.owasp.org)
● OPEN – radical transparency, from finances to our code
● INNOVATION – encourages innovation for solutions to software security challenges
● GLOBAL – truly a global community
● INTEGRITY – respectful, supportive, truthful, vendor neutral

Slide 11

Slide 11 text

Security Voltron Concept Collaboration Effort of Distinct Practices in Running a Security Program

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

Governance Without governance, your security program will sink

Slide 14

Slide 14 text

Policies, Standards, Guidelines
● Governance is centered on the processes and activities related to how an organization manages overall software development activities
● Strategy & Metrics
● Policy & Compliance
● Education & Guidance

Slide 15

Slide 15 text

Policies, Standards, Guidelines

Slide 16

Slide 16 text

OWASP SAMM
● The Software Assurance Maturity Model (SAMM) is an open framework that helps organizations formulate and implement a strategy for software security that is tailored to the specific risks an organization is facing.
● Evaluate your organization's existing software security practices
● Build a balanced software security program in well-defined iterations
● Demonstrate concrete improvements
● Define and measure security-related activities throughout an organization

Slide 17

Slide 17 text

Governance Without governance, your security program will sink

Slide 18

Slide 18 text

OWASP Top Ten
● The OWASP Top Ten represents a broad consensus about the most critical security risks to web applications
● Adopted by the Payment Card Industry
● Recommended as a best practice by many government and industry entities
● Benefits:
● Powerful awareness document for web application security
● Great starting point and reference for developers to change the software development culture within your organization

Slide 19

Slide 19 text

OWASP Top Ten (https://owasp.org/www-project-top-ten/)
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring

Slide 20

Slide 20 text

"OWASP.org is a valuable resource for any company involved with online payment card transactions. Dell uses OWASP's Software Assurance Maturity Model to help focus our resources and determine which components of our secure application development program to prioritize. Participation in OWASP's local chapter meetings and conferences around the globe helps us build stronger networks with our colleagues." – Michael J. Craigue, Information Security & Compliance, Dell, Inc.

Slide 21

Slide 21 text

S-SDLC Building security in software development

Slide 22

Slide 22 text

If you do not have a published SDLC for your organization then you will NOT be successful

Slide 23

Slide 23 text

OWASP Developers Cheat Sheet
● Created to provide a concise collection of high-value information on specific application security topics
● Created by appsec professionals
● Can be found at https://cheatsheetseries.owasp.org/index.html

Slide 24

Slide 24 text

OWASP ASVS – Application Security Assurance Methodology
• Primary aim is to normalize the range in the coverage and level of rigor available in the market when it comes to performing web application security verification, using a commercially workable open standard
• Provides a basis for testing application technical security controls
• Developed with the following objectives in mind:
• Use as a metric
• Use as guidance
• Use during procurement

Slide 25

Slide 25 text

SDLC Building Blocks
● Supporting quotes and research
● Secure Coding Guidelines
● Secure Coding Checklist
● Non-Functional Requirements
● Static Code Analysis
● Security Awareness Training
● Threat Modeling
● Application Security Risk Matrix
● Published SDLC

Slide 26

Slide 26 text

Security in SDLC

Slide 27

Slide 27 text

S-SDLC / Building Security-In Without governance, your security program will sink

Slide 28

Slide 28 text

OWASP Developer References Without governance, your security program will sink

Slide 29

Slide 29 text

OWASP ModSecurity
● The OWASP® ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS provides protection against many common attack categories:
● SQL Injection (SQLi)
● Cross Site Scripting (XSS)
● Local File Inclusion (LFI)
● Remote File Inclusion (RFI)
● PHP Code Injection
● Java Code Injection
● HTTPoxy
● Shellshock
● Unix/Windows Shell Injection
● Session Fixation
● Scripting/Scanner/Bot Detection
● Metadata/Error Leakages

Slide 30

Slide 30 text

OWASP CSRFGuard
● One of the world’s most popular free security tools
● Automatically find security vulnerabilities while you are developing and testing your applications
● OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery.
● CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated.
● Java, .NET and PHP implementations
● Provides code to generate unique request tokens to mitigate CSRF risks
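As an added illustration of the request-token (synchronizer token) pattern that CSRFGuard is built on, and not code from the CSRFGuard project: a minimal Python sketch with a constructed in-memory session store, where `new_session`, `render_form` and `verify_post` are hypothetical names. The server binds a random token to the session, embeds it in every state-changing form, and rejects a POST whose token is missing or does not match; after a successful check the token is rotated, so each token is good for one request.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
# A real application would keep this in its session backend.
SESSIONS = {}


def new_session() -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid: str) -> str:
    """Server-side render of a state-changing form with the token as a hidden field.
    A cross-site page cannot read this value because of the same-origin policy,
    so it cannot forge a request that carries it."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def verify_post(sid: str, form: dict) -> bool:
    """Accept the POST only if it carries the token bound to this session.
    On success the token is rotated (one token per request, as CSRFGuard's
    per-request mode does); on failure nothing changes."""
    session = SESSIONS.get(sid)
    if session is None:
        return False
    submitted = form.get("csrf_token")
    if not submitted:
        return False
    # compare_digest avoids leaking the token through timing differences.
    if not hmac.compare_digest(session["csrf_token"], submitted):
        return False
    session["csrf_token"] = secrets.token_urlsafe(32)
    return True
```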

Slide 31

Slide 31 text

OWASP CSRFGuard

Slide 32

Slide 32 text

Security Awareness: how well do the members of your organization understand the protection of the physical, and especially informational, assets of that organization?

Slide 33

Slide 33 text

OWASP Security Knowledge Framework
• Over 15 years of experience in web application security bundled into a single application
• Vital coding tool for your development team
• Learn to integrate security into your web application
• Includes manageable projects with checklists and best-practice code examples in multiple programming languages

Slide 34

Slide 34 text

OWASP Juice Shop
• Most modern and sophisticated insecure web application
• Used during security trainings, awareness demos, CTFs
• Encompasses vulnerabilities from the entire OWASP Top Ten
• Contains multiple hacking challenges of varying difficulty

Slide 35

Slide 35 text

Security Testing Testing insecurities before your adversaries do

Slide 36

Slide 36 text

Prescriptive Advice for Testing
● Simplify!!!
● Create a roadmap
● Standardize testing
● Follow a methodology!!!
● Metrics are important. Really.
● Tools

Slide 37

Slide 37 text

Testing Guide V4: Index
● Frontispiece
● Introduction
● The OWASP testing framework
● Web Application Security Testing Intro
● Configuration and Deployment Management Testing
● Reporting

Slide 38

Slide 38 text

Sqlmap.py – Test for the Dreaded SQLi
● Use in conjunction with Burp or Zed Attack Proxy
● Capture POST request to website via proxy
● Copy POST requests to text file

Slide 39

Slide 39 text

The Zed Attack Proxy
● Released September 2010
● Ease of use a priority
● Comprehensive help pages
● Free, open source
● Cross platform
● A fork of the well-regarded Paros Proxy
● Involvement actively encouraged
● Adopted by OWASP October 2010

Slide 40

Slide 40 text

ZAP Overview
● ZAP is:
● Easy to use (for a web app pentest tool)
● Ideal for appsec newcomers
● Ideal for training courses
● Being used by professional pen testers
● Easy to contribute to (and please do!)
● Improving rapidly

Slide 41

Slide 41 text

Where is ZAP Being Used? (map: United States, Japan, Spain, United Kingdom, Germany, China)

Slide 42

Slide 42 text

The Main Features
● All the essentials for web application testing
● Intercepting Proxy
● Active and Passive Scanners
● Spider
● Report Generation
● Brute Force (using OWASP DirBuster code)
● Fuzzing (using OWASP JBroFuzz code)

Slide 43

Slide 43 text

The Additional Features
● Auto tagging
● Port scanner
● Smart card support
● Session comparison
● Invoke external apps
● BeanShell integration
● API + Headless mode
● Dynamic SSL Certificates
● Anti-CSRF token handling

Slide 44

Slide 44 text

Testing insecurities before your adversaries do

Slide 45

Slide 45 text

Testing insecurities before your adversaries do

Slide 46

Slide 46 text

ZAP Summary
● ZAP has:
● An active development community
● An international user base
● The potential to reach people new to OWASP and appsec, especially developers and functional testers
● ZAP is a key OWASP project
● Security Tool of the Year 2013

Slide 47

Slide 47 text

ZAP Summary
● Define scope of adoption
● 1. Driven by _ _ _ _ _ _ _ (impact, criticality, etc.)
● 2. Use cases / abuse cases
● 3. Architecture
● Set up controlled adoption
● Test, decompile, review
● Become involved in dev forums

Slide 48

Slide 48 text

More Tools & Closing Thoughts: more open source tools for effective AppSec activities

Slide 49

Slide 49 text

More Tools
● OWASP Threat Dragon – https://owasp.org/www-project-threat-dragon/
● SSL Labs – https://www.ssllabs.com/ssltest/
● Rumble – https://www.rumble.run/
● Metasploit – http://www.metasploit.com
● Kali – http://www.kali.org/
● Burp – http://portswigger.net/burp/
● Recon-ng – full-featured web recon framework tool that is text based and written in Python: https://bitbucket.org/LaNMaSteR53/recon-ng
● Twitter? Yes, Twitter, 2nd to Google, is a hacker’s paradise

Slide 50

Slide 50 text

Closing Thoughts
● Leverage open source sources to INFLUENCE your security program development/management
● Do NOT make your security program free and open; keep it close to the vest
● Keeping abreast of security news is a must: the threat landscape is ever changing
● Tell management that security is a process, not a one-time mountain climb. Keeping executive support for security is the most important thing for the longevity of your security program.
● Diversify your security program.

Slide 51

Slide 51 text

Closing Thoughts
To get more out of OWASP, start here: www.owasp.org
#FollowThenLead @t0nyuv @versprite @OWASPATL
LinkedIn.com/tonyuv
Email: [email protected] [email protected]