
Application Security: Open Technologies, Tools, and Techniques for Running a Successful InfoSec Program


When teams start considering application security, it can feel like you are being thrown into the open ocean without a lifeboat. Security threats can hit you like waves from all sides, while you are just looking for a navigation system to help guide you through each step of securing your code.

In this presentation, Tony UcedaVélez, CEO of VerSprite cybersecurity consulting and leader of OWASP Atlanta, steered attendees through the developer benefits, helpful security guides, and break from the storm that collaboratives like OWASP offer. He also shared some trade-favorite technologies, security tools, and techniques that you and your team can use to inject security into every stage of your development lifecycle.

- What is OWASP?
- What does OWASP have to offer?
- VerSprite's Top Security Tools for Developers and Security Professionals
- Closing Thoughts


VerSprite, Inc

July 22, 2020


Transcript

  1. Application Security on a Dime: Open Technologies, Tools, and Blossoming InfoSec Programs. Amidst a sea of threats, how ready is your enterprise to navigate beyond risk?
  2. Navigational Map
     - Speaker Profile
     - Security Challenges
     - Intro to OWASP
     - Security Voltron Concept
     - Governance, Development, Security Testing
     - Closing Remarks
  3. Speaker Profile: Tony UcedaVélez, CEO/Founder, VerSprite (VerSprite.com, global security firm); @t0nyuv; LinkedIn.com/tonyuv
     - OWASP Atlanta Chapter Leader (past 10 years)
     - Author, “Risk Centric Threat Modeling – Process for Attack Simulation & Threat Analysis”, Wiley, June 2015
     - Passionate global threat modeling evangelist
     - Dreams of bankrupting #infosec with intelligent, threat-inspired DevSecOps automation
  4. Security Challenges: How to start saying "I GOT 99 PROBS BUT SECURITY AIN'T ONE"
  5. Challenges in AppSec (or, I got 99 problems and they are all security!)
     - Isolated SDLC efforts
     - Anti-security culture
     - Expanding heterogeneous tech stack
     - Decentralizing management
     - Security not built into IT functions
     - Targeted attacks
     - Open intel on application components
  6. Sound Solutions (or, I got 99 problems and they are all security!)
     - Establish governance
     - Security requirements & resources
     - Implementation of an SSDLC
     - Use security frameworks
     - Test, and test early
     - Track defects
  7. OWASP: Open Web Application Security Project
  8. OWASP: Open Web Application Security Project
  9. Intro to OWASP
     - Open Web Application Security Project
     - Launched December 1st, 2001
     - Community-led open source software project
     - Dedicated to openness of all content and materials
     - International community focused on improving AppSec
     - Cross-cultural, cross-industry challenges exposed and addressed
     - Massively supportive and responsive
     - Follow @OWASP
  10. Core Values (www.owasp.org)
     - OPEN – radical transparency, from finances to our code
     - INNOVATION – encourages innovation for solutions to software security challenges
     - GLOBAL – truly a global community
     - INTEGRITY – respectful, supportive, truthful, vendor neutral
  11. Security Voltron Concept: a collaborative effort of distinct practices in running a security program
  12. (no transcript text)
  13. Governance: Without governance, your security program will sink
  14. Policies, Standards, Guidelines: Governance is centered on the processes and activities related to how an organization manages its overall software development activities
     - Strategy & Metrics
     - Policy & Compliance
     - Education & Guidance
  15. Policies, Standards, Guidelines
  16. OWASP SAMM
     - The Software Assurance Maturity Model (SAMM) is an open framework that helps organizations formulate and implement a strategy for software security that is tailored to the specific risks the organization is facing
     - Evaluate your organization's existing software security practices
     - Build a balanced software security program in well-defined iterations
     - Demonstrate concrete improvements
     - Define and measure security-related activities throughout the organization
  17. Governance: Without governance, your security program will sink
  18. OWASP Top Ten
     - The OWASP Top Ten represents a broad consensus about the most critical security risks to web applications
     - Adopted by the Payment Card Industry
     - Recommended as a best practice by many government and industry entities
     - Benefits: a powerful awareness document for web application security; a great starting point and reference for developers to change the software development culture within your organization
  19. OWASP Top Ten (2017 edition, the current list when this deck was given), https://owasp.org/www-project-top-ten/
     1. Injection
     2. Broken Authentication
     3. Sensitive Data Exposure
     4. XML External Entities (XXE)
     5. Broken Access Control
     6. Security Misconfiguration
     7. Cross-Site Scripting (XSS)
     8. Insecure Deserialization
     9. Using Components with Known Vulnerabilities
     10. Insufficient Logging & Monitoring
  20. "OWASP.org is a valuable resource for any company involved with online payment card transactions. Dell uses OWASP's Software Assurance Maturity Model to help focus our resources and determine which components of our secure application development program to prioritize. Participation in OWASP's local chapter meetings and conferences around the globe helps us build stronger networks with our colleagues." Michael J. Craigue, Information Security & Compliance, Dell, Inc.
  21. S-SDLC: Building security into software development

  22. If you do not have a published SDLC for your organization then you will NOT be successful
  23. OWASP Developer Cheat Sheets (Cheat Sheet Series)
     - Created to provide a concise collection of high-value information on specific application security topics
     - Created by appsec professionals
     - Can be found at https://cheatsheetseries.owasp.org/index.html
  24. OWASP ASVS – Application Security Verification Standard
     - Primary aim is to normalize the range in the coverage and level of rigor available in the market when it comes to performing web application security verification using a commercially workable open standard
     - Provides a basis for testing application technical security controls
     - Developed with the following objectives in mind: use as a metric, use as guidance, use during procurement
  25. SDLC Building Blocks
     - Supporting quotes and research
     - Secure Coding Guidelines
     - Secure Coding Checklist
     - Non-Functional Requirements
     - Static Code Analysis
     - Security Awareness Training
     - Threat Modeling
     - Application Security Risk Matrix
     - Published SDLC
  26. Security in the SDLC
  27. S-SDLC / Building Security In: Without governance, your security program will sink
  28. OWASP Developer References: Without governance, your security program will sink

  29. OWASP ModSecurity Core Rule Set (CRS)
     - The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS provides protection against many common attack categories:
     - SQL Injection (SQLi)
     - Cross Site Scripting (XSS)
     - Local File Inclusion (LFI)
     - Remote File Inclusion (RFI)
     - PHP Code Injection
     - Java Code Injection
     - HTTPoxy
     - Shellshock
     - Unix/Windows Shell Injection
     - Session Fixation
     - Scripting/Scanner/Bot Detection
     - Metadata/Error Leakages
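As an added illustration of the anomaly-scoring mode the CRS runs in (example code written for this page, not the CRS rules or ModSecurity itself), the Python below mimics how rule matches are weighted and summed against a blocking threshold. The severity weights (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2) and the default inbound threshold of 5 are those of CRS 3.x; the four regexes, the "demo-" rule ids and the three sample requests are simplified, constructed stand-ins.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Severity weights and the default inbound blocking threshold follow the
# CRS 3.x anomaly-scoring mode: a single CRITICAL match (5) reaches the
# threshold (5) on its own; two WARNINGs (3 + 3) also do.
SEVERITY = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_ANOMALY_THRESHOLD = 5


@dataclass(frozen=True)
class Rule:
    rule_id: str        # demo ids; the real CRS uses numeric ids (942xxx = SQLi, 941xxx = XSS, ...)
    pattern: re.Pattern
    severity: str
    msg: str


# Simplified stand-ins for four CRS rule families; the real regexes are far longer.
RULES = [
    Rule("demo-sqli", re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
         "CRITICAL", "SQL Injection Attack"),
    Rule("demo-xss", re.compile(r"(?i)<\s*script\b|javascript:"),
         "CRITICAL", "XSS Attack Detected"),
    Rule("demo-lfi", re.compile(r"(?:\.\./|\.\.\\){2,}"),
         "CRITICAL", "Path Traversal Attack (/../)"),
    Rule("demo-scanner", re.compile(r"(?i)\b(?:sqlmap|nikto|nmap)\b"),
         "CRITICAL", "User-Agent associated with security scanner"),
]


def collect_targets(method, path, query, headers, body):
    """Flatten a request into the variables CRS rules inspect:
    REQUEST_FILENAME, ARGS (query and form body) and REQUEST_HEADERS."""
    targets = {"REQUEST_FILENAME": path}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        targets[f"ARGS:{name}"] = " ".join(values)
    form = headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded")
    if method == "POST" and form:
        for name, values in parse_qs(body, keep_blank_values=True).items():
            targets[f"ARGS_POST:{name}"] = " ".join(values)
    for name, value in headers.items():
        targets[f"REQUEST_HEADERS:{name}"] = value
    return targets


def evaluate(method, path, query="", headers=None, body=""):
    """Run every rule over every target, sum severities, compare with the threshold."""
    targets = collect_targets(method, path, query, headers or {}, body)
    score, matches = 0, []
    for rule in RULES:
        # A rule adds to the score once per request even if several variables
        # match it (ModSecurity fires a rule once unless multiMatch is set).
        for name, value in targets.items():
            if rule.pattern.search(value):
                score += SEVERITY[rule.severity]
                matches.append((rule.rule_id, rule.msg, name))
                break
    return {"score": score, "blocked": score >= INBOUND_ANOMALY_THRESHOLD, "matches": matches}


# Constructed sample traffic (not real captures).
BENIGN = dict(method="GET", path="/search", query="q=free+and+open+source&page=2",
              headers={"User-Agent": "Mozilla/5.0"})
SQLI_LOGIN = dict(method="POST", path="/login",
                  headers={"User-Agent": "Mozilla/5.0",
                           "Content-Type": "application/x-www-form-urlencoded"},
                  body="username=admin'+OR+'1'%3D'1&password=x")
SCANNER_LFI = dict(method="GET", path="/download", query="file=../../../etc/passwd",
                   headers={"User-Agent": "sqlmap/1.4 (http://sqlmap.org)"})

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("sqli", SQLI_LOGIN), ("scanner+lfi", SCANNER_LFI)):
        print(label, evaluate(**req))
```

The benign search scores 0, the injected login form scores 5 (one CRITICAL match, blocked), and the scanner request with a traversal payload scores 10 (two rules). The point of the scoring model is tuning: in a real CRS deployment you raise the threshold or exclude a rule for one parameter rather than disabling a whole rule family when a legitimate request trips a single WARNING.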
  30. OWASP CSRFGuard
     - One of the world's most popular free security tools
     - Automatically find security vulnerabilities while you are developing and testing your applications
     - OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery
     - CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated
     - Java, .NET and PHP implementations
     - Provides code to generate unique request tokens to mitigate CSRF risks
  31. OWASP CSRFGuard
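The synchronizer-token pattern CSRFGuard implements, as an added Python example (not CSRFGuard's own Java, .NET or PHP code): a per-session token is embedded in the form and checked on every state-changing request with a constant-time comparison. The in-memory session store, the field name `csrf_token`, the `/transfer` endpoint and the three scenarios are assumptions made for this example.

```python
import hmac
import re
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TOKEN_FIELD = "csrf_token"   # field/header name assumed for this example


class CsrfError(Exception):
    """Raised when a state-changing request lacks a valid token."""


class SessionStore:
    """Server-side session store; a dict stands in for the real session backend."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        # One unpredictable token per session, never derived from the session id.
        self._sessions[sid] = {"csrf_token": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        return self._sessions[sid]["csrf_token"]


def render_transfer_form(sessions, sid):
    """Embed the session's token in the page (what CSRFGuard's tag library / JS injects)."""
    token = sessions.csrf_token(sid)
    return (f'<form method="POST" action="/transfer">'
            f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
            f'<input name="amount"><input name="to"><button>Send</button></form>')


def require_csrf_token(sessions, sid, method, form):
    """Reject POST/PUT/DELETE unless the submitted token matches the session's."""
    if method in SAFE_METHODS:
        return  # exempt, so state-changing actions must never be reachable via GET
    submitted = form.get(TOKEN_FIELD)
    if not submitted:
        raise CsrfError("missing token")
    # compare_digest avoids leaking the token byte by byte through timing.
    if not hmac.compare_digest(submitted, sessions.csrf_token(sid)):
        raise CsrfError("token mismatch")


def transfer(sessions, sid, method, form):
    """The protected endpoint. The browser attaches the session cookie (sid)
    automatically, which is exactly why the cookie alone cannot prove intent."""
    require_csrf_token(sessions, sid, method, form)
    return f"transferred {form['amount']} to {form['to']}"


def browser_submit(html):
    """Stand-in for the victim's browser: pull the hidden field out of the page it loaded."""
    return re.search(rf'name="{TOKEN_FIELD}" value="([^"]+)"', html).group(1)


def scenarios():
    """Constructed run: a legitimate submission, a forged cross-site POST, and a
    token taken from a different session. Returns the outcome of each."""
    sessions = SessionStore()
    victim = sessions.create()
    results = []
    # 1. Legitimate: the victim loaded the form, so the browser submits the token.
    token = browser_submit(render_transfer_form(sessions, victim))
    results.append(transfer(sessions, victim, "POST",
                            {"amount": "10", "to": "bob", TOKEN_FIELD: token}))
    forged = [
        # 2. attacker.example auto-submits a form: the cookie rides along, the token does not.
        {"amount": "9999", "to": "mallory"},
        # 3. The attacker's own token (from the attacker's session) is not the victim's.
        {"amount": "9999", "to": "mallory", TOKEN_FIELD: sessions.csrf_token(sessions.create())},
    ]
    for form in forged:
        try:
            results.append(transfer(sessions, victim, "POST", form))
        except CsrfError as exc:
            results.append(f"rejected: {exc}")
    return results


if __name__ == "__main__":
    for line in scenarios():
        print(line)
```

The check is only as good as the token's unpredictability and its binding to the session: an attacker who can read the page (XSS) or who is handed a token from their own session gets nowhere with the second and third scenarios, but a token that is static, guessable, or accepted across sessions would.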

  32. Security Awareness: How well do the members of your organization understand the protection of the physical, and especially informational, assets of that organization?
  33. OWASP Security Knowledge Framework
     - Over 15 years of experience in web application security bundled into a single application
     - Vital coding tool for your development team
     - Learn to integrate security into your web application
     - Includes manageable projects with checklists and best-practice code examples in multiple programming languages
  34. OWASP Juice Shop
     - The most modern and sophisticated insecure web application
     - Used during security trainings, awareness demos, CTFs
     - Encompasses vulnerabilities from the entire OWASP Top Ten
     - Contains multiple hacking challenges of varying difficulty
  35. Security Testing: Testing insecurities before your adversaries do
  36. Prescriptive Advice for Testing
     - Simplify!!!
     - Create a roadmap
     - Standardize testing
     - Follow a methodology!!!
     - Metrics are important. Really.
     - Tools
  37. Testing Guide v4: Index
     - Frontispiece
     - Introduction
     - The OWASP Testing Framework
     - Web Application Security Testing (introduction)
     - Configuration and Deployment Management Testing
     - Reporting
  38. sqlmap.py – Test for the Dreaded SQLi
     - Use in conjunction with Burp or Zed Attack Proxy
     - Capture a POST request to the website via the proxy
     - Copy the POST request to a text file (sqlmap reads such a file with -r)
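What the captured-POST-to-sqlmap workflow is probing, as an added Python example (not sqlmap's code): a login handler that concatenates form fields into SQL beside the parameterized version, exercised with a boolean-based payload pair of the kind sqlmap sends. The `users` table, the host name and the request capture are constructed; the `sqlmap -r login.txt -p password --batch` invocation in the comment is the command that would consume such a file.

```python
import sqlite3

# Constructed capture of the login POST, in the raw-request form sqlmap reads
# with `sqlmap -r login.txt -p password --batch`. The host name is made up.
CAPTURED_REQUEST = """\
POST /login HTTP/1.1
Host: shop.example
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

username=alice&password=guess
"""


def make_db():
    """In-memory stand-in for the application's user table (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "correct-horse"), ("admin", "s3cret")])
    return con


def login_vulnerable(con, username, password):
    """Builds SQL by string formatting: the form fields become part of the query."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Same lookup with bound parameters: input can never change the query's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def is_injectable(login, con):
    """sqlmap's boolean-based blind check in miniature: send two payloads that
    differ only in a tautology ('1'='1') versus a contradiction ('1'='2') and
    see whether the application's response differs. Here the 'response' is
    the login result; for a web app it would be the page body or status."""
    true_variant = login(con, "alice", "x' OR '1'='1")
    false_variant = login(con, "alice", "x' OR '1'='2")
    return true_variant != false_variant


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler injectable:", is_injectable(login_vulnerable, db))
    print("parameterized handler injectable:", is_injectable(login_safe, db))
    # Targeted bypass: a crafted password logs in as admin without knowing it,
    # because AND binds tighter than OR in the concatenated WHERE clause.
    print("bypass ->", login_vulnerable(db, "admin", "x' OR username='admin"))
    print("same input, parameterized ->", login_safe(db, "admin", "x' OR username='admin"))
```

Against the vulnerable handler the two probes return different results (a row versus none), which is the signal sqlmap keys on before it escalates to enumerating the schema; against the parameterized handler both probes simply fail to log in. The fix is the bound-parameter query, not input filtering.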
  39. The Zed Attack Proxy
     - Released September 2010
     - Ease of use a priority
     - Comprehensive help pages
     - Free, open source
     - Cross platform
     - A fork of the well-regarded Paros Proxy
     - Involvement actively encouraged
     - Adopted by OWASP October 2010
  40. ZAP Overview: ZAP is
     - Easy to use (for a web app pentest tool)
     - Ideal for appsec newcomers
     - Ideal for training courses
     - Being used by professional pen testers
     - Easy to contribute to (and please do!)
     - Improving rapidly
  41. Where is ZAP Being Used? United States, Japan, Spain, United Kingdom, Germany, China
  42. The Main Features: all the essentials for web application testing
     - Intercepting proxy
     - Active and passive scanners
     - Spider
     - Report generation
     - Brute force (using OWASP DirBuster code)
     - Fuzzing (using OWASP JBroFuzz code)
  43. The Additional Features
     - Auto tagging
     - Port scanner
     - Smart card support
     - Session comparison
     - Invoke external apps
     - BeanShell integration
     - API + headless mode
     - Dynamic SSL certificates
     - Anti-CSRF token handling
  44. Testing insecurities before your adversaries do
  45. Testing insecurities before your adversaries do
  46. ZAP Summary
     - ZAP has an active development community, an international user base, and the potential to reach people new to OWASP and appsec, especially developers and functional testers
     - ZAP is a key OWASP project
     - Security Tool of the Year 2013
  47. ZAP Summary (adoption)
     - Define scope of adoption: 1. Driven by _ _ _ _ _ _ _ (impact, criticality, etc.); 2. Use cases / abuse cases; 3. Architecture
     - Set up controlled adoption
     - Test, decompile, review
     - Become involved in dev forums
  48. More Tools & Closing Thoughts: More open source tools for effective AppSec activities
  49. More Tools
     - OWASP Threat Dragon: https://owasp.org/www-project-threat-dragon/
     - SSL Labs: https://www.ssllabs.com/ssltest/
     - Rumble: https://www.rumble.run/
     - Metasploit: http://www.metasploit.com
     - Kali: http://www.kali.org/
     - Burp: http://portswigger.net/burp/
     - Recon-ng: full-featured, text-based web recon framework written in Python, https://bitbucket.org/LaNMaSteR53/recon-ng
     - Twitter? Yes, Twitter, second only to Google, is a hacker's paradise
  50. Closing Thoughts
     - Leverage open source sources to INFLUENCE your security program development/management
     - Do NOT make your security program free and open; keep it close to the vest
     - Keeping abreast of security news is a must in an ever-changing threat landscape
     - Tell management that security is a process, not a one-time mountain climb. Keeping executive support for security is the most important thing for the longevity of your security program
     - Diversify your security program
  51. Closing Thoughts: To get more out of OWASP, start here: www.owasp.org #FollowThenLead @t0nyuv @versprite @OWASPATL LinkedIn.com/tonyuv Email: tonyuv@versprite.com, tonyuv@owasp.org