CactusCon 2018 - Anatomy of an AppSec Program
1 like116 views
The document outlines the essential elements of an application security (AppSec) program, emphasizing the importance of finding, fixing, and preventing vulnerabilities in software. Key points include starting small, engaging developers in security practices, educating them on security issues, and employing effective metrics to evaluate success. The goal is to improve code quality and security through a structured approach and ongoing collaboration.
![17
BUT IT'S BEHIND THE FIREWALL”
FALSE POSITIVES
<?php
...
[omitted for brevity]
...
$con = mysql_connect("localhost",$user,$pass);
mysql_select_db("database", $con);
$id = $_GET['id'];
$result = mysql_query("SELECT name FROM user WHERE id=$id", $con);
mysql_close($con);
...
[omitted for brevity]
...
?>](https://image.slidesharecdn.com/cactuscon2018-anatomyofanappsecprogram-presentation-final-181001192545/85/CactusCon-2018-Anatomy-of-an-AppSec-Program-17-320.jpg)
![18
BUT IT'S BEHIND THE FIREWALL”
FALSE POSITIVES
<?php
...
[omitted for brevity]
...
$con = mysql_connect("localhost",$user,$pass);
mysql_select_db("database", $con);
$id = validate($_GET['id’]; )
$result = mysql_query("SELECT name FROM user WHERE id=$id", $con);
mysql_close($con);
...
[omitted for brevity]
...
?>](https://image.slidesharecdn.com/cactuscon2018-anatomyofanappsecprogram-presentation-final-181001192545/85/CactusCon-2018-Anatomy-of-an-AppSec-Program-18-320.jpg)
CactusCon 2018 - Anatomy of an AppSec Program
- 1. ANATOMY OF AN APPSEC PROGRAM OR HOW TO STOP DEPLOYING SHITTY SHODDY CODE TO PRODUCTION SEPTEMBER 28-29, 2018
- 2. 2 • Introductions • The Problem (as I see it) • The Solution (again, as I see it) • Finding vulnerabilities • Fixing things • Preventing vulnerabilities • Metrics • Wrap-up / Q&A BECAUSE QA SAID I NEEDED ONE AGENDA
- 3. 3 THIS IS KINDA IMPORTANT WARNING
- 4. 44 THE GLUE THAT STICKS SECURITY BALLS TOGETHER APPSEC
- 5. 55 14 YEARS OF THE SAME OL' SHIT CRAP OWASP TOP 10
- 6. 66 BECAUSE DRAMA CREATES TENSION RIPPED FROM THE HEADLINES
- 7. 7 IT'S SECURITY FOR APPLICATIONS APPLICATION SECURITY WHAT IS THIS APPSEC YOU SPEAK OF?
- 8. 88 WIKIPEDIA Application security encompasses measures taken to improve the security of an application often by finding, fixing, and preventing security vulnerabilities. - Wikipedia BECAUSE DEFINITIONS ARE AWESOME
- 9. 99 WIKIPEDIA Application security encompasses measures taken to improve the security of an application often by finding, fixing, and preventing security vulnerabilities. - Wikipedia And then measure your results. - Joe BECAUSE DEFINITIONS ARE AWESOME
- 10. FINDING VULNS LOOKING FOR A NEEDLE IN A STACK OF NEEDLES
- 11. 11 DON'T FOCUS ON TOOLS FINDING VULNS
- 12. 12 YEAH, IT'S KINDA LIKE THAT FINDING VULNS
- 13. 13 WRITE THIS DOWN KEY POINTS • Don't try to do everything at once. • Start small and expand. • Focus on your high-risk apps first. • Chain together assessment methodologies.
- 14. TODO: FIX THIS STUFF CUZ THAT'S BASICALLY THE POINT
- 15. 15 WITH A MEME FIXING VULNS
- 16. 16 WITH ANOTHER OVERUSED MEME FIXING VULNS
- 17. 17 BUT IT'S BEHIND THE FIREWALL” FALSE POSITIVES <?php ... [omitted for brevity] ... $con = mysql_connect("localhost",$user,$pass); mysql_select_db("database", $con); $id = $_GET['id']; $result = mysql_query("SELECT name FROM user WHERE id=$id", $con); mysql_close($con); ... [omitted for brevity] ... ?>
- 18. 18 BUT IT'S BEHIND THE FIREWALL” FALSE POSITIVES <?php ... [omitted for brevity] ... $con = mysql_connect("localhost",$user,$pass); mysql_select_db("database", $con); $id = validate($_GET['id’]; ) $result = mysql_query("SELECT name FROM user WHERE id=$id", $con); mysql_close($con); ... [omitted for brevity] ... ?>
- 19. 19 WRITE THIS DOWN KEY POINTS • Make it easy for your developers to engage in AppSec. • Set realistic goals and expand. • Create a security backlog and use “security sprints” each release to work it. • As teams mature, introduce security gates. • Have a process to handle false positives.
- 22. 22 IN THE WAYS OF SECURITY EDUCATING DEVELOPERS
- 23. 23 WRITE THIS DOWN KEY POINTS • Developers aren't security people. • Have hands-on workshops to cover security issues. • Walk your developers through hacking things. • Top-down support is really critical.
- 24. METRICS HOW TO KNOW IF IT'S WORKING
- 25. 25 WHAT'S THE DIFFERENCE? METRICS VS. STATS STATISTIC: A fact or piece of data from a study of a large quantity of numerical data METRICS: Standards of measurement by which performance, progress, or quality of a plan, process, or product can be assessed
- 26. 26 AN EXAMPLE APPSEC METRICS GOAL QUESTION MEASURE METRIC Less than 1% security defect rate How many vulns are there? How many lines of code? Number of vulns Number of LoC Security Defect Density – number of vulns/1000 lines of code, plotted over time with the target waterline
- 28. 28 WRITE THIS DOWN KEY POINTS • Use the G-Q-M method for metrics. • Choose meaningful metrics. • Evaluate against a defined framework. • This is how you demonstrate value.
- 29. 2929 THE GLUE THAT STICKS SECURITY BALLS TOGETHER APPSEC
- 30. WE’RE HIRING www.BishopFox.com [email protected] VISIT US ONLINE TO FIND OUT MORE
- 31. THANK YOU