99X Technology, profile picture
Uploaded by99X Technology
PPTX, PDF200 views

How to develop an AppSec culture in your project

The document outlines steps to develop an application security culture within a project, emphasizing the significance of security awareness among developers and QA professionals. It discusses methodologies such as risk classification, periodic assessments, secure software development processes, and threat modeling. Additionally, it highlights various tools for vulnerability assessment and the OWASP top 10 web application security risks.

Technology
Related topics:
Cyber-Security
Download to read offline
How to develop an AppSec culture in your project Nirosh
A bit about Me I’m a Senior Security Engineer & Pentester. I have nearly three years of experience in Information Security and Secure Software Development. Educational Background • BSc. Eng (Hons) in Computer Science and Engineering - University of Moratuwa, Sri Lanka • MSc in Security Engineering (Reading) - University of Moratuwa, Sri Lanka Certifications  Web application Penetration Tester (eWPT) - eLearnSecurity Certificate ID: EWPT-343  Certified Ethical Hacker (CEHv9) – EC Council Certification Number: ECC39012388466  Certified Information Security Expert (CISE) – Innobuzz License Number: 30471
Why AppSec is a major concern? From https://www.akamai.com/ (2018/08/12 – 2018/08/19)
Why web application attacks occur? Application Developers and QA Professionals Don’t Know Security “As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.” Steve Carter
Security Assessments What ? Why? How ?
• Periodic Assessments – Once in every quarter ( Recommended) Vulnerability Assessments • Twice a year Penetration Testing • Twice a year Security Code Reviews
Risk Classification Methodology Risks can be classified using the following methodology: Risk = Impact × Likelihood Reference: OWASP Standards
Security in Agile • Dedicated sprint focusing on application security • Stories implemented are security related • Code is reviewed Security Sprint Approach • Similar to Microsoft Security Development Lifecycle (SDL) • Consists of the requirements and stories essential to security • No software should ever be released without requirements being met Every Sprint Approach
Secure Software Development Process •Guide Developers to follow Secure Coding Guidelines •Help QAs to integrate basic security test checklist into their regular test cases •Threat Modeling and Security Designs
Threat Modeling What is it?
It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application Step 4 Validate Step 3 Determine countermeasures and mitigation Step 2 Identify threats Step 1 Diagrams
An Example – User Login
Username harvesting – Show generic error message
Too user friendly. :P
Case Study: • A Norway based professional company uses a software application which can allow users to book professionals (Electrician, Plumber) and request professional services through the company. • They wanted a new feature in this application which can allow users to upload and download property documents and maintenance documents. Access to these documents must be strictly restricted to relevant users.
• Since last week, the dev team is designing the new feature for the website, that will enable authenticated users to upload and download property documents. • The architects will reuse the existing infrastructure whenever possible (they already have user accounts). • One of the board members got to know about these cyber attackers and the crazy attacks they perform which can easily damage the business and its reputation.
• He also heard about the threat modeling which helps project teams to identify major threats and take necessary security measures before they even start implementation. • He hired you to help project team with this.
Data Flow Diagram
What can go wrong? Microsoft’s STRIDE Model • Spoofing - Impersonate User • Tampering - Maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit • Repudiation - Perform an illegal action and deny it. • Information Disclosure - Read a file that one was not granted access to, or to read data in transit • Denial of Service - Deny access to valid users • Elevation of Privilege - Gain privileged access or gain unauthorized access
Threat Model
Threats in detail..
Secure Design Principles / Trust Model Authentication Authorization Cookie Management Data/Input Validation Error Handling/Information leakage Logging/Auditing Cryptography Secure Code Environment Session Management
Mitigation and Countermeasures
Security Automation using Tools How?
Web Application Security Risks For 2017, the OWASP Top 10 Most Critical Web Application Security Risks are:
Tools & Technologies Vulnerability Assessment & Pentesting -OWASP ZAP, Burp suite Scanner, Acunetix, SQLMap, Kali Linux, Arachni -With lots of Manual effort- OWASP/ SANS security assessment guidelines -Third party libraries – OWASP Dependency Check, RetireJs Server-side Security Assessment Tools -Nessus, Nmap, Nikto, OpenVAS, Wireshark, Metasploit framework Static Code Analysis -Manual Code Review, Findsecbug/PMD You can use commercial tools to perform assessments if you can purchase them
Demo
Acunetix Web App Scanner
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project

More Related Content

PPT
Security testing
bybaskar p
 
PPTX
How to produce more secure web apps
byDamilola Longe, CISSP, CCSP, MSc
 
PDF
Security-testing presentation
byEzhilan Elangovan (Eril)
 
PPTX
NTXISSACSC2 - Next-Generation Security and the Problem of Exploitation by Mat...
byNorth Texas Chapter of the ISSA
 
PPTX
5 things i wish i knew about sast (DSO-LG July 2021)
byMichael Man
 
PDF
Introduction to Application Security Testing
byMohamed Ridha CHEBBI, CISSP
 
PPTX
NTXISSACSC2 - Threat Modeling Part 2 - STRIDE by Brad Andrews
byNorth Texas Chapter of the ISSA
 
PPTX
Application Threat Modeling
byRochester Security Summit
 
Security testing
bybaskar p
 
How to produce more secure web apps
byDamilola Longe, CISSP, CCSP, MSc
 
Security-testing presentation
byEzhilan Elangovan (Eril)
 
NTXISSACSC2 - Next-Generation Security and the Problem of Exploitation by Mat...
byNorth Texas Chapter of the ISSA
 
5 things i wish i knew about sast (DSO-LG July 2021)
byMichael Man
 
Introduction to Application Security Testing
byMohamed Ridha CHEBBI, CISSP
 
NTXISSACSC2 - Threat Modeling Part 2 - STRIDE by Brad Andrews
byNorth Texas Chapter of the ISSA
 
Application Threat Modeling
byRochester Security Summit
 

What's hot

PPTX
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
byNorth Texas Chapter of the ISSA
 
PPTX
Web application security measures
byICT Frame Magazine Pvt. Ltd.
 
PPTX
Vulnerability Assessment
byprimeteacher32
 
PDF
5 Important Secure Coding Practices
byThomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
PDF
Penetration testing & Ethical Hacking
byS.E. CTS CERT-GOV-MD
 
PPTX
Protecting Windows Networks From Malware
byRishu Mehra
 
PPTX
Hide and seek - Attack Surface Management and continuous assessment.
byEoin Keary
 
PPTX
Introduction to security testing raj
byRajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 
PDF
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
byEdureka!
 
PDF
Deception Technology: Use Cases & Implementation Approaches
byPriyanka Aash
 
PPTX
Ethical Hacking Services
byVirtue Security
 
PPTX
A Brief Introduction to Penetration Testing
byEC-Council
 
PPTX
VAPT, Ethical Hacking and Laws in India by prashant mali
byAdv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
PPTX
Threat Modeling Web Applications
byNadia BENCHIKHA
 
PPTX
Cyber security for system design
byTom Kaczmarek
 
PPTX
Intro to Network Vapt
byApurv Singh Gautam
 
PDF
VAPT Services by prime
byPrime Infoserv
 
PDF
Secure software design
byAshis Kumar Chanda
 
PDF
How to Become an Ethical Hacker? | Ethical Hacking Career | Ethical Hacker Sa...
byEdureka!
 
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
byNorth Texas Chapter of the ISSA
 
Web application security measures
byICT Frame Magazine Pvt. Ltd.
 
Vulnerability Assessment
byprimeteacher32
 
5 Important Secure Coding Practices
byThomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
Penetration testing & Ethical Hacking
byS.E. CTS CERT-GOV-MD
 
Protecting Windows Networks From Malware
byRishu Mehra
 
Hide and seek - Attack Surface Management and continuous assessment.
byEoin Keary
 
Introduction to security testing raj
byRajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
byEdureka!
 
Deception Technology: Use Cases & Implementation Approaches
byPriyanka Aash
 
Ethical Hacking Services
byVirtue Security
 
A Brief Introduction to Penetration Testing
byEC-Council
 
VAPT, Ethical Hacking and Laws in India by prashant mali
byAdv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
Threat Modeling Web Applications
byNadia BENCHIKHA
 
Cyber security for system design
byTom Kaczmarek
 
Intro to Network Vapt
byApurv Singh Gautam
 
VAPT Services by prime
byPrime Infoserv
 
Secure software design
byAshis Kumar Chanda
 
How to Become an Ethical Hacker? | Ethical Hacking Career | Ethical Hacker Sa...
byEdureka!
 

Similar to How to develop an AppSec culture in your project

PDF
Application Security - Your Success Depends on it
byWSO2
 
PPTX
For Business's Sake, Let's focus on AppSec
byLalit Kale
 
PPT
六合彩香港-六合彩
bybaoyin
 
PPT
Software Security in the Real World
byMark Curphey
 
PDF
Application Security Testing for Software Engineers: An approach to build sof...
byMichael Hidalgo
 
PPT
Software Security Engineering
byMarco Morana
 
PDF
AppSec in an Agile World
byDavid Lindner
 
PDF
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
byQA or the Highway
 
PDF
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
byDenim Group
 
PDF
What Every Developer And Tester Should Know About Software Security
byAnne Oikarinen
 
PPTX
Best Practices for a Mature Application Security Program Webinar - February 2016
bySecurity Innovation
 
PPTX
5 Ways to Reduce 3rd Party Developer Risk
bySecurity Innovation
 
PPT
Assessing and Measuring Security in Custom SAP Applications
bysebastianschinzel
 
PPTX
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
bylior mazor
 
PPTX
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
PPTX
Best Practices for Embedding Security in the Development Stage
byCovrize IT Solutions Private Limited
 
PPTX
Appsec2013 assurance tagging-robert martin
bydrewz lin
 
PDF
The Future of Software Security Assurance
byRafal Los
 
PPT
Web Application Security Testing
byMarco Morana
 
PPTX
Security as a new metric for Business, Product and Development Lifecycle
byNazar Tymoshyk, CEH, Ph.D.
 
Application Security - Your Success Depends on it
byWSO2
 
For Business's Sake, Let's focus on AppSec
byLalit Kale
 
六合彩香港-六合彩
bybaoyin
 
Software Security in the Real World
byMark Curphey
 
Application Security Testing for Software Engineers: An approach to build sof...
byMichael Hidalgo
 
Software Security Engineering
byMarco Morana
 
AppSec in an Agile World
byDavid Lindner
 
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
byQA or the Highway
 
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
byDenim Group
 
What Every Developer And Tester Should Know About Software Security
byAnne Oikarinen
 
Best Practices for a Mature Application Security Program Webinar - February 2016
bySecurity Innovation
 
5 Ways to Reduce 3rd Party Developer Risk
bySecurity Innovation
 
Assessing and Measuring Security in Custom SAP Applications
bysebastianschinzel
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
bylior mazor
 
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
Best Practices for Embedding Security in the Development Stage
byCovrize IT Solutions Private Limited
 
Appsec2013 assurance tagging-robert martin
bydrewz lin
 
The Future of Software Security Assurance
byRafal Los
 
Web Application Security Testing
byMarco Morana
 
Security as a new metric for Business, Product and Development Lifecycle
byNazar Tymoshyk, CEH, Ph.D.
 

More from 99X Technology

PPTX
Starting Test Automation In Your Project - Webinar by 99X Technology
by99X Technology
 
PPTX
Webinar on Single Sign-On by 99X Technology
by99X Technology
 
PPTX
Become a Quality Enabler
by99X Technology
 
PPTX
Gearing Startups for Success through Product Engineering
by99X Technology
 
PPTX
Kick Starting Test Automation
by99X Technology
 
PPTX
The Adra Story
by99X Technology
 
PPTX
The Story of Automation
by99X Technology
 
PPTX
Microservices without servers
by99X Technology
 
PPTX
An Introduction to Docker
by99X Technology
 
PPTX
Microservices
by99X Technology
 
PPTX
Know your Ride!
by99X Technology
 
PPTX
Social Physics in a Corporate Environment
by99X Technology
 
PPTX
Cloud aware product engineering
by99X Technology
 
PPT
Colombo Mobile Developer MeetUp - Building Scalable Cloud Connected Mobile Ap...
by99X Technology
 
PDF
Enterprise Integration Architectural Challenges in Large Enterprises - Colomb...
by99X Technology
 
PPTX
Same Patterns Different Architectures - Colombo Architecture Meetup - Session-03
by99X Technology
 
PPTX
005_studentsharepointcamp_planyourfuturewithsharepoint
by99X Technology
 
PPTX
004_studentsharepointcamp_enterprise application_demo
by99X Technology
 
PPTX
003_studentsharepointcamp_outoftheboxfeaturesofsharepoint_demo
by99X Technology
 
Starting Test Automation In Your Project - Webinar by 99X Technology
by99X Technology
 
Webinar on Single Sign-On by 99X Technology
by99X Technology
 
Become a Quality Enabler
by99X Technology
 
Gearing Startups for Success through Product Engineering
by99X Technology
 
Kick Starting Test Automation
by99X Technology
 
The Adra Story
by99X Technology
 
The Story of Automation
by99X Technology
 
Microservices without servers
by99X Technology
 
An Introduction to Docker
by99X Technology
 
Microservices
by99X Technology
 
Know your Ride!
by99X Technology
 
Social Physics in a Corporate Environment
by99X Technology
 
Cloud aware product engineering
by99X Technology
 
Colombo Mobile Developer MeetUp - Building Scalable Cloud Connected Mobile Ap...
by99X Technology
 
Enterprise Integration Architectural Challenges in Large Enterprises - Colomb...
by99X Technology
 
Same Patterns Different Architectures - Colombo Architecture Meetup - Session-03
by99X Technology
 
005_studentsharepointcamp_planyourfuturewithsharepoint
by99X Technology
 
004_studentsharepointcamp_enterprise application_demo
by99X Technology
 
003_studentsharepointcamp_outoftheboxfeaturesofsharepoint_demo
by99X Technology
 

Recently uploaded

PPTX
OutSystems ONE 2025-recap presentation.pptx
bymostafaothman27
 
PPTX
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
PDF
MathML Core in WebKit
byIgalia
 
PDF
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
PDF
Q8 DIGITAL IDENTITY HUB - WSO2 Oxygenate Italy 2025
byProfesia Srl, Lynx Group
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PPTX
Getting Started with MSP360 Backup for M365/Google
byMSP360
 
PDF
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
PDF
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
Exclusive Hands-On Workshop: Agentic Automation with UiPath (First Edition)
byanabulhac
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Upskill to Agentic Automation - Working Smarter with AI: Real-World Tools for...
byDianaGray10
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PDF
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
OutSystems ONE 2025-recap presentation.pptx
bymostafaothman27
 
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
MathML Core in WebKit
byIgalia
 
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
Q8 DIGITAL IDENTITY HUB - WSO2 Oxygenate Italy 2025
byProfesia Srl, Lynx Group
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
Getting Started with MSP360 Backup for M365/Google
byMSP360
 
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
WebXR in Android and Linux with OpenXR
byIgalia
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
Exclusive Hands-On Workshop: Agentic Automation with UiPath (First Edition)
byanabulhac
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
Upskill to Agentic Automation - Working Smarter with AI: Real-World Tools for...
byDianaGray10
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 

How to develop an AppSec culture in your project

  • 1.
    How to developan AppSec culture in your project Nirosh
  • 2.
    A bit aboutMe I’m a Senior Security Engineer & Pentester. I have nearly three years of experience in Information Security and Secure Software Development. Educational Background • BSc. Eng (Hons) in Computer Science and Engineering - University of Moratuwa, Sri Lanka • MSc in Security Engineering (Reading) - University of Moratuwa, Sri Lanka Certifications  Web application Penetration Tester (eWPT) - eLearnSecurity Certificate ID: EWPT-343  Certified Ethical Hacker (CEHv9) – EC Council Certification Number: ECC39012388466  Certified Information Security Expert (CISE) – Innobuzz License Number: 30471
  • 3.
    Why AppSec isa major concern? From https://www.akamai.com/ (2018/08/12 – 2018/08/19)
  • 4.
    Why web applicationattacks occur? Application Developers and QA Professionals Don’t Know Security “As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.” Steve Carter
  • 5.
  • 6.
    • Periodic Assessments– Once in every quarter ( Recommended) Vulnerability Assessments • Twice a year Penetration Testing • Twice a year Security Code Reviews
  • 7.
    Risk Classification Methodology Riskscan be classified using the following methodology: Risk = Impact × Likelihood Reference: OWASP Standards
  • 9.
    Security in Agile •Dedicated sprint focusing on application security • Stories implemented are security related • Code is reviewed Security Sprint Approach • Similar to Microsoft Security Development Lifecycle (SDL) • Consists of the requirements and stories essential to security • No software should ever be released without requirements being met Every Sprint Approach
  • 10.
    Secure Software Development Process •Guide Developers tofollow Secure Coding Guidelines •Help QAs to integrate basic security test checklist into their regular test cases •Threat Modeling and Security Designs
  • 11.
  • 12.
    It is astructured approach that enables you to identify, quantify, and address the security risks associated with an application Step 4 Validate Step 3 Determine countermeasures and mitigation Step 2 Identify threats Step 1 Diagrams
  • 13.
    An Example –User Login
  • 14.
    Username harvesting –Show generic error message
  • 15.
  • 16.
    Case Study: • ANorway based professional company uses a software application which can allow users to book professionals (Electrician, Plumber) and request professional services through the company. • They wanted a new feature in this application which can allow users to upload and download property documents and maintenance documents. Access to these documents must be strictly restricted to relevant users.
  • 17.
    • Since lastweek, the dev team is designing the new feature for the website, that will enable authenticated users to upload and download property documents. • The architects will reuse the existing infrastructure whenever possible (they already have user accounts). • One of the board members got to know about these cyber attackers and the crazy attacks they perform which can easily damage the business and its reputation.
  • 18.
    • He alsoheard about the threat modeling which helps project teams to identify major threats and take necessary security measures before they even start implementation. • He hired you to help project team with this.
  • 19.
  • 20.
    What can gowrong? Microsoft’s STRIDE Model • Spoofing - Impersonate User • Tampering - Maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit • Repudiation - Perform an illegal action and deny it. • Information Disclosure - Read a file that one was not granted access to, or to read data in transit • Denial of Service - Deny access to valid users • Elevation of Privilege - Gain privileged access or gain unauthorized access
  • 21.
  • 22.
  • 23.
    Secure Design Principles / TrustModel Authentication Authorization Cookie Management Data/Input Validation Error Handling/Information leakage Logging/Auditing Cryptography Secure Code Environment Session Management
  • 24.
  • 25.
  • 26.
    Web Application SecurityRisks For 2017, the OWASP Top 10 Most Critical Web Application Security Risks are:
  • 27.
    Tools & Technologies VulnerabilityAssessment & Pentesting -OWASP ZAP, Burp suite Scanner, Acunetix, SQLMap, Kali Linux, Arachni -With lots of Manual effort- OWASP/ SANS security assessment guidelines -Third party libraries – OWASP Dependency Check, RetireJs Server-side Security Assessment Tools -Nessus, Nmap, Nikto, OpenVAS, Wireshark, Metasploit framework Static Code Analysis -Manual Code Review, Findsecbug/PMD You can use commercial tools to perform assessments if you can purchase them
  • 28.
  • 30.

Editor's Notes

  • #4  Appsec plays a major role in the current cyber world Linkedin breach –password cracking attacks A small breach can cause huge damage to the business
  • #5 We ignore security. And we don’t consider security as a part of business requirement Secure software development life cycle. Security testing is part of that process.
  • #6 If you already built a software product, you have to establish a security assessment methodology.
  • #7 3 popular assessment methodology for security.
  • #8 Impact – What are the consequences or damages if the vulnerability is exploited. Likelihood- how easy it is to exploit the vulnerability ( exploits available on the net)
  • #9 How you can handle these security risks?
  • #12 This can be done either beginning of the software development or at the end.
  • #13 What are the possible ways to break the system ?
  • #24 Once the basic threat agents and business impacts are understood, we should try to identify the set of controls that could prevent these threat agents from causing those impacts.