Priyanka Aash, profile picture
Uploaded byPriyanka Aash
140 views

Practical appsec lessons learned in the age of agile and DevOps

The document discusses the transition of application security (AppSec) practices from traditional waterfall models to more dynamic DevOps environments, emphasizing the need for teams to become self-sufficient in security. It highlights the importance of adapting legacy security practices, such as static analysis and dynamic scanning, to support faster development cycles and continuous integration. The key takeaway is that modern AppSec should focus on continuous feedback and visibility while transforming the security team's role to empower development teams rather than serve solely as gatekeepers.

Embed presentation

Download to read offline
SESSION ID:SESSION ID: #RSAC Zane Lackey Practical AppSec Lessons Learned in the Age of Agile and DevOps ASD-R02 Co-Founder / Chief Security Officer Signal Sciences @zanelackey
#RSAC Who you’ll be heckling today Started out in offense Pentester / researcher at iSEC Partners / NCC Group Moved to defense First CSO at Etsy, built and lead the four security groups Now scaling defense for many orgs Co-Founder / CSO at Signal Sciences, delivering a product that defends web applications in the DevOps/Cloud world
#RSAC So what is this talk about anyway? Lessons learned adapting AppSec/SDLC from a Waterfall world to the DevOps/Cloud world
#RSAC Spoiler: Security shifts from being a gatekeeper to enabling teams to be secure by default
#RSAC What has changed?
#RSAC The new realities in a DevSecOps world 1. Changes happen multiple orders of magnitude faster than previously  Deployments go from a few a year to a few a month, week, or even day  Many injection points for security drops to few injections point 2. Decentralized ownership of deployment: — The long and perilous journey of Dev->QA->Security->Dev->Sysops->Production becomes just Dev->Production — As Dev/DevOps teams own their own ability to build and deploy production infrastructure/apps, conversations with security become opt-in rather than mandated  A large culture shift is necessary around this  Spoken previously on this: http://www.slideshare.net/zanelackey/building-a-modern-security- engineering-organization
#RSAC The new realities in a DevSecOps world The combination of these two means security can no longer be “outsourced” to the security team, but rather that the security team’s mission changes to providing the resources for teams to be security self-sufficient Security only becomes successful if it can bake in to the Development/DevOps process
#RSAC How do legacy AppSec approaches fare in a DevSecOps world?
#RSAC An example of legacy AppSec approaches in a DevOps world
#RSAC Select components of common SDLCs Developer Training Threat modeling Design Reviews Static Analysis Dynamic Scanning Pentesting Feedback
#RSAC What pieces of the SDLC need to adapt the most?
#RSAC Which components we’ll discuss today Developer Training Threat Modeling Design Reviews Static Analysis Dynamic Scanning Pentesting Security Visibility Feedback Continuous Feedback — Note: Just because we’re not discussing several of these items in this talk doesn’t mean you stop doing them!
#RSAC Static Analysis: It’s not a party until the 32847326th page of the report!
#RSAC Static Analysis (legacy) Traditionally done as heavyweight process: — Run once a week/month resulting in a large output — Extensive configuration/tuning period, typically lasting months+ — Top down: search for everything, slowly refine to eliminate false positives Both of these issues were acceptable-ish in a Waterfall world where you had plenty of time in each release cycle
#RSAC How do we adapt this control?
#RSAC Static Analysis (modern) Shift from from a top down model to a bottoms up one: — Identify specific classes of vulnerabilities you care about most, and start with just those — Focus on eliminating false positives and enabling velocity with the goal of only producing real issues that can be directly consumed by a developer themselves — Once completed, add one or two more vulnerabilities classes — Repeat This enables the velocity needed in DevOps of being able to run static analysis on every code commit
#RSAC Static Analysis (modern) Example: Rather than trying to start with static analysis for XSS, SQLi, Directory Traversal, Command Execution, etc all at once, pick one: — Pro tip: Pick the easiest to implement first, (ex: Command Execution)  Grep’ing for system() has a pretty low false positive rate… The focus is not only on findings, but demonstrating to the development org that this approach to static analysis can bring them both value and velocity
#RSAC Static Analysis (modern) Identify use of certain primitives that should initiate a conversation with the security team rather than just be blocked: — Ex: Hashing, Encryption, File system operations, etc Common example: Use of hashing or encryption functions — Old approach: “MD5 is banned, use SHA256!” — New approach: “Hey, we saw you’re making use of a hashing function, can we chat on what you’re trying to protect?” — Silently allowing an approved hashing function to be used doesn’t help anyone in cases where it’s not the appropriate use, ex: a case where the data should be encrypted not hashed
#RSAC Static Analysis (modern) Build proactive alerting to know when sensitive and rarely changed portions of the codebase have been modified — Can be as simple as alerting on when the hash changes on certain key files  Ex: authorization primitives, session management, encryption wrappers, etc By not blocking on these changes, you don’t impact velocity but you ensure that the relevant security/development engineers know if key platform protections are being changed
#RSAC Dynamic Scanning
#RSAC Dynamic Scanning (legacy) Dynamic Scanning (legacy): Used to meet a baseline standard of discovering vulnerabilities: — Ex: “If a scanner can find it, we should probably fix it” Occasionally even (mis)used as a substitute for pentesting
#RSAC How do we adapt this control?
#RSAC Dynamic Scanning (modern) Applications architectures and functionality have changed significantly since scanners were pioneered in the early-mid 2000s — Modern applications are often far too complex to be effectively covered by scanners  Client side functionality, single page applications, etc. In the old use cases there’s too little bang for the buck from scanners when used with modern apps However, scanners can be adapted to two cheap and effective use cases:
#RSAC Dynamic Scanning (modern) 1. Ensuring that security policies are being enforced — Ex: TLS only supporting strong ciphers — Ex: Crawl the app and ensure that CSP exists, or that X-Frame-Options header is always set to DENY 2. An extra control on ensuring previous vulnerabilities aren’t accidentally regressed back in to the application: — Ex: We had an XSS in this parameter before, always check it with this specific payload to ensure the protection didn’t get accidentally rolled back
#RSAC Security Visibility
#RSAC Security Visibility (legacy) Logs, customer service reports, outages Each source of information was generally isolated in who had access to the data — Ex: Ops had logs, customer support dealt with emails from customers, outages would page only certain dev or ops on-call / leads, etc
#RSAC How do we adapt this control?
#RSAC Security Visibility (modern) GOAL: Break down the previous silos of data isolation and empower security, development, and DevOps teams to all know security relevant information from their application in real time This isn’t a new idea! Take principles of general operational visibility, and apply to a security perspective — Superset of operational data + security relevant data
#RSAC This graph provokes wildly different assumptions from Development, DevOps, and Security teams
#RSAC Give everyone the data they need. Context is key, for *all* groups +
#RSAC Feedback
#RSAC Feedback (legacy) Typically done as annual pentests Unfortunately this really only answers the question “do I have bugs?” Spoiler alert: The answer is yes. Always. When applications were released annually or bi-annually that could be “real time enough” feedback
#RSAC How do we adapt this control?
#RSAC Feedback (modern) Combination of bug bounty + pentests Bounty is not a replacement for pentest, it augments pentest Value is in the continuous nature of it, whereas pentests can be more directed Bounty gives general but more real time feedback, pentest shifts to giving more directed but less frequent feedback
#RSAC PENTEST BOUNTY DAST HIGH COVERAGE LOW FREQUENCY HIGH FREQUENCY LOW COVERAGE
#RSAC Break out the Thought Leader-hosen! It’s time for some thoughts on where modern Application Security should be headed towards
#RSAC The hallmark of a modern AppSec program is the combination of continuous feedback + visibility
#RSAC Or: To be successful against real attackers, you need to be able to answer the question: “How do I know when my attackers are being successful?”
#RSAC Three pillars of effective visibility + continuous feedback 1. Ability to detect attackers as early as possible in the attack chain You want to know when the attacker discovers the vulnerability, long before the database goes out the door 2. Ability to continuously test and refine your vulnerability triage/response The beauty of DevOps is that you can actually move faster than your attackers for the first time, especially the more you empower development / DevOps teams
#RSAC Three pillars of effective visibility + continuous feedback 3. Ability to continuously test and refine your incident response/DFIR/SecOps process By treating even benign bug reports as sample incidents, you can continuously exercise and adapt your process Ultimately you want to be able to answer several questions for any given bug report that comes in:  Did this bounty participant find any additional issues they’re not reporting?  Was this reported vulnerability exploited previously?  etc
#RSAC Continuous feedback loop success story “I discovered the vulnerability late Friday afternoon and wasn't quite ready to email it to them … [Etsy] had detected my requests and pushed a patch Saturday morning before I could email them. This was by far the fastest response time by any company I've reported to.” - Source: https://www.reddit.com/r/netsec/comments/vbrzg/etsy_has_been_one_of_the_best_companies_ ive
#RSAC Conclusions
#RSAC The thesis of modern application security is about shifting From: A mindset of “Exclusively focus on gatekeeping controls to eliminate bugs before code is deployed” — (An impossible goal, bugs will never be fully eliminated) To: Focus on obtaining and refining continuous visibility and feedback from deployed applications, and providing security capabilities that make developers/DevOps teams security self-sufficient
#RSAC Thanks! zane@signalsciences.com @zanelackey

More Related Content

PDF
Securing 100 products - How hard can it be?
byPriyanka Aash
 
PDF
Collaborative security : Securing open source software
byPriyanka Aash
 
PDF
Lessons from a recovering runtime application self protection addict
byPriyanka Aash
 
PDF
DevSecOps - Building continuous security into it and app infrastructures
byPriyanka Aash
 
PDF
How to transform developers into security people
byPriyanka Aash
 
PDF
A worldwide journey to build a secure development environment
byPriyanka Aash
 
PDF
DevSecOps in Baby Steps
byPriyanka Aash
 
PDF
Estimating Development Security Maturity in About an Hour
byPriyanka Aash
 
Securing 100 products - How hard can it be?
byPriyanka Aash
 
Collaborative security : Securing open source software
byPriyanka Aash
 
Lessons from a recovering runtime application self protection addict
byPriyanka Aash
 
DevSecOps - Building continuous security into it and app infrastructures
byPriyanka Aash
 
How to transform developers into security people
byPriyanka Aash
 
A worldwide journey to build a secure development environment
byPriyanka Aash
 
DevSecOps in Baby Steps
byPriyanka Aash
 
Estimating Development Security Maturity in About an Hour
byPriyanka Aash
 

What's hot

PDF
Establishing a-quality-vulnerability-management-program
byPriyanka Aash
 
PDF
Red team-view-gaps-in-the-serverless-application-attack-surface
byPriyanka Aash
 
PDF
Agile Security—Field of Dreams
byPriyanka Aash
 
PPTX
DevSecOps-OWASP Indonesia Day 2017
bySuman Sourav
 
PDF
Bringing Security Testing to Development: How to Enable Developers to Act as ...
byAchim D. Brucker
 
PDF
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
byJames Wickett
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
PDF
ChaoSlingr: Introducing Security-Based Chaos Testing
byPriyanka Aash
 
PPTX
Speeding Up Secure Software Development
byUlisses Albuquerque
 
PDF
A Pragmatic Union: Security and SRE
byJames Wickett
 
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
PDF
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
byDenim Group
 
PPTX
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PPTX
Application Security from the Inside Out
byUlisses Albuquerque
 
PPTX
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
PDF
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
byCA Technologies
 
PDF
DevSecOps at Agile 2019
byElizabeth Ayer
 
PPTX
Implementing an Application Security Pipeline in Jenkins
bySuman Sourav
 
PDF
DevSecOps: A New Hope for Security in CI/CD
byFranklin Mosley
 
Establishing a-quality-vulnerability-management-program
byPriyanka Aash
 
Red team-view-gaps-in-the-serverless-application-attack-surface
byPriyanka Aash
 
Agile Security—Field of Dreams
byPriyanka Aash
 
DevSecOps-OWASP Indonesia Day 2017
bySuman Sourav
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
byAchim D. Brucker
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
byJames Wickett
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
ChaoSlingr: Introducing Security-Based Chaos Testing
byPriyanka Aash
 
Speeding Up Secure Software Development
byUlisses Albuquerque
 
A Pragmatic Union: Security and SRE
byJames Wickett
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
byDenim Group
 
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
Introduction to DevSecOps
byabhimanyubhogwan
 
Application Security from the Inside Out
byUlisses Albuquerque
 
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
byCA Technologies
 
DevSecOps at Agile 2019
byElizabeth Ayer
 
Implementing an Application Security Pipeline in Jenkins
bySuman Sourav
 
DevSecOps: A New Hope for Security in CI/CD
byFranklin Mosley
 

Similar to Practical appsec lessons learned in the age of agile and DevOps

PDF
How to adapt the SDLC to the era of DevSecOps
byZane Lackey
 
PDF
Exploring the Real-World Application Security Top 10
byPriyanka Aash
 
PPTX
API Security: Assume Possible Interference
byJulie Tsai
 
PPTX
Building an Enterprise-scale DevSecOps Infrastructure: Lessons Learned
byPrateek Mishra
 
PDF
Dos and Don'ts of DevSecOps
byPriyanka Aash
 
PDF
Introducing a Security Program to Large Scale Legacy Products
byPriyanka Aash
 
PPTX
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
bySeniorStoryteller
 
PDF
Application security for the modern web - ISSA South Texas Houston DevOps
byPhillip Maddux
 
PDF
Realizing Software Security Maturity: The Growing Pains and Gains
byPriyanka Aash
 
PDF
A New Security Paradigm for IoT (Internet of Threats)
byPriyanka Aash
 
PPTX
Cybersecurity model and top cloud security controls for product development e...
byJames DeLuccia IV
 
PDF
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
byDicodingEvent
 
PDF
The Future of DevSecOps
byStefan Streichsbier
 
PDF
Hardening the cloud : Assuring agile security in high-growth environments
byPriyanka Aash
 
PDF
Innovating Faster with Continuous Application Security
byJeff Williams
 
PPTX
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
bylior mazor
 
PDF
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
byBlack Duck by Synopsys
 
PDF
Realities of Data Security
byPriyanka Aash
 
PDF
RSA 2016 Realities of Data Security
byScott Carlson
 
PPTX
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
byDrew Malone
 
How to adapt the SDLC to the era of DevSecOps
byZane Lackey
 
Exploring the Real-World Application Security Top 10
byPriyanka Aash
 
API Security: Assume Possible Interference
byJulie Tsai
 
Building an Enterprise-scale DevSecOps Infrastructure: Lessons Learned
byPrateek Mishra
 
Dos and Don'ts of DevSecOps
byPriyanka Aash
 
Introducing a Security Program to Large Scale Legacy Products
byPriyanka Aash
 
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
bySeniorStoryteller
 
Application security for the modern web - ISSA South Texas Houston DevOps
byPhillip Maddux
 
Realizing Software Security Maturity: The Growing Pains and Gains
byPriyanka Aash
 
A New Security Paradigm for IoT (Internet of Threats)
byPriyanka Aash
 
Cybersecurity model and top cloud security controls for product development e...
byJames DeLuccia IV
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
byDicodingEvent
 
The Future of DevSecOps
byStefan Streichsbier
 
Hardening the cloud : Assuring agile security in high-growth environments
byPriyanka Aash
 
Innovating Faster with Continuous Application Security
byJeff Williams
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
bylior mazor
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
byBlack Duck by Synopsys
 
Realities of Data Security
byPriyanka Aash
 
RSA 2016 Realities of Data Security
byScott Carlson
 
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
byDrew Malone
 

More from Priyanka Aash

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 

Recently uploaded

PDF
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PPTX
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PDF
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
PPTX
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PDF
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
PPTX
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
PDF
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PPTX
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
PDF
Managing SELinux Security - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
PDF
Webinar: Introduction to LF Energy SEAPATH
byDanBrown980551
 
PDF
November Patch Tuesday
byIvanti
 
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
Managing SELinux Security - RHCSA (RH134).pdf
byLinuxCert Guru
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
Webinar: Introduction to LF Energy SEAPATH
byDanBrown980551
 
November Patch Tuesday
byIvanti
 

Practical appsec lessons learned in the age of agile and DevOps

  • 1.
    SESSION ID:SESSION ID: #RSAC ZaneLackey Practical AppSec Lessons Learned in the Age of Agile and DevOps ASD-R02 Co-Founder / Chief Security Officer Signal Sciences @zanelackey
  • 2.
    #RSAC Who you’ll beheckling today Started out in offense Pentester / researcher at iSEC Partners / NCC Group Moved to defense First CSO at Etsy, built and lead the four security groups Now scaling defense for many orgs Co-Founder / CSO at Signal Sciences, delivering a product that defends web applications in the DevOps/Cloud world
  • 3.
    #RSAC So what isthis talk about anyway? Lessons learned adapting AppSec/SDLC from a Waterfall world to the DevOps/Cloud world
  • 4.
    #RSAC Spoiler: Security shiftsfrom being a gatekeeper to enabling teams to be secure by default
  • 5.
  • 6.
    #RSAC The new realitiesin a DevSecOps world 1. Changes happen multiple orders of magnitude faster than previously  Deployments go from a few a year to a few a month, week, or even day  Many injection points for security drops to few injections point 2. Decentralized ownership of deployment: — The long and perilous journey of Dev->QA->Security->Dev->Sysops->Production becomes just Dev->Production — As Dev/DevOps teams own their own ability to build and deploy production infrastructure/apps, conversations with security become opt-in rather than mandated  A large culture shift is necessary around this  Spoken previously on this: http://www.slideshare.net/zanelackey/building-a-modern-security- engineering-organization
  • 7.
    #RSAC The new realitiesin a DevSecOps world The combination of these two means security can no longer be “outsourced” to the security team, but rather that the security team’s mission changes to providing the resources for teams to be security self-sufficient Security only becomes successful if it can bake in to the Development/DevOps process
  • 8.
    #RSAC How do legacyAppSec approaches fare in a DevSecOps world?
  • 9.
    #RSAC An example oflegacy AppSec approaches in a DevOps world
  • 10.
    #RSAC Select components ofcommon SDLCs Developer Training Threat modeling Design Reviews Static Analysis Dynamic Scanning Pentesting Feedback
  • 11.
    #RSAC What pieces ofthe SDLC need to adapt the most?
  • 12.
    #RSAC Which components we’lldiscuss today Developer Training Threat Modeling Design Reviews Static Analysis Dynamic Scanning Pentesting Security Visibility Feedback Continuous Feedback — Note: Just because we’re not discussing several of these items in this talk doesn’t mean you stop doing them!
  • 13.
    #RSAC Static Analysis: It’snot a party until the 32847326th page of the report!
  • 14.
    #RSAC Static Analysis (legacy) Traditionallydone as heavyweight process: — Run once a week/month resulting in a large output — Extensive configuration/tuning period, typically lasting months+ — Top down: search for everything, slowly refine to eliminate false positives Both of these issues were acceptable-ish in a Waterfall world where you had plenty of time in each release cycle
  • 15.
    #RSAC How do weadapt this control?
  • 16.
    #RSAC Static Analysis (modern) Shiftfrom from a top down model to a bottoms up one: — Identify specific classes of vulnerabilities you care about most, and start with just those — Focus on eliminating false positives and enabling velocity with the goal of only producing real issues that can be directly consumed by a developer themselves — Once completed, add one or two more vulnerabilities classes — Repeat This enables the velocity needed in DevOps of being able to run static analysis on every code commit
  • 17.
    #RSAC Static Analysis (modern) Example:Rather than trying to start with static analysis for XSS, SQLi, Directory Traversal, Command Execution, etc all at once, pick one: — Pro tip: Pick the easiest to implement first, (ex: Command Execution)  Grep’ing for system() has a pretty low false positive rate… The focus is not only on findings, but demonstrating to the development org that this approach to static analysis can bring them both value and velocity
  • 18.
    #RSAC Static Analysis (modern) Identifyuse of certain primitives that should initiate a conversation with the security team rather than just be blocked: — Ex: Hashing, Encryption, File system operations, etc Common example: Use of hashing or encryption functions — Old approach: “MD5 is banned, use SHA256!” — New approach: “Hey, we saw you’re making use of a hashing function, can we chat on what you’re trying to protect?” — Silently allowing an approved hashing function to be used doesn’t help anyone in cases where it’s not the appropriate use, ex: a case where the data should be encrypted not hashed
  • 19.
    #RSAC Static Analysis (modern) Buildproactive alerting to know when sensitive and rarely changed portions of the codebase have been modified — Can be as simple as alerting on when the hash changes on certain key files  Ex: authorization primitives, session management, encryption wrappers, etc By not blocking on these changes, you don’t impact velocity but you ensure that the relevant security/development engineers know if key platform protections are being changed
  • 20.
  • 21.
    #RSAC Dynamic Scanning (legacy) DynamicScanning (legacy): Used to meet a baseline standard of discovering vulnerabilities: — Ex: “If a scanner can find it, we should probably fix it” Occasionally even (mis)used as a substitute for pentesting
  • 22.
    #RSAC How do weadapt this control?
  • 23.
    #RSAC Dynamic Scanning (modern) Applicationsarchitectures and functionality have changed significantly since scanners were pioneered in the early-mid 2000s — Modern applications are often far too complex to be effectively covered by scanners  Client side functionality, single page applications, etc. In the old use cases there’s too little bang for the buck from scanners when used with modern apps However, scanners can be adapted to two cheap and effective use cases:
  • 24.
    #RSAC Dynamic Scanning (modern) 1.Ensuring that security policies are being enforced — Ex: TLS only supporting strong ciphers — Ex: Crawl the app and ensure that CSP exists, or that X-Frame-Options header is always set to DENY 2. An extra control on ensuring previous vulnerabilities aren’t accidentally regressed back in to the application: — Ex: We had an XSS in this parameter before, always check it with this specific payload to ensure the protection didn’t get accidentally rolled back
  • 25.
  • 26.
    #RSAC Security Visibility (legacy) Logs,customer service reports, outages Each source of information was generally isolated in who had access to the data — Ex: Ops had logs, customer support dealt with emails from customers, outages would page only certain dev or ops on-call / leads, etc
  • 27.
    #RSAC How do weadapt this control?
  • 28.
    #RSAC Security Visibility (modern) GOAL:Break down the previous silos of data isolation and empower security, development, and DevOps teams to all know security relevant information from their application in real time This isn’t a new idea! Take principles of general operational visibility, and apply to a security perspective — Superset of operational data + security relevant data
  • 29.
    #RSAC This graph provokeswildly different assumptions from Development, DevOps, and Security teams
  • 30.
    #RSAC Give everyone thedata they need. Context is key, for *all* groups +
  • 31.
  • 32.
    #RSAC Feedback (legacy) Typically doneas annual pentests Unfortunately this really only answers the question “do I have bugs?” Spoiler alert: The answer is yes. Always. When applications were released annually or bi-annually that could be “real time enough” feedback
  • 33.
    #RSAC How do weadapt this control?
  • 34.
    #RSAC Feedback (modern) Combination ofbug bounty + pentests Bounty is not a replacement for pentest, it augments pentest Value is in the continuous nature of it, whereas pentests can be more directed Bounty gives general but more real time feedback, pentest shifts to giving more directed but less frequent feedback
  • 35.
  • 36.
    #RSAC Break out theThought Leader-hosen! It’s time for some thoughts on where modern Application Security should be headed towards
  • 37.
    #RSAC The hallmark ofa modern AppSec program is the combination of continuous feedback + visibility
  • 38.
    #RSAC Or: To besuccessful against real attackers, you need to be able to answer the question: “How do I know when my attackers are being successful?”
  • 39.
    #RSAC Three pillars ofeffective visibility + continuous feedback 1. Ability to detect attackers as early as possible in the attack chain You want to know when the attacker discovers the vulnerability, long before the database goes out the door 2. Ability to continuously test and refine your vulnerability triage/response The beauty of DevOps is that you can actually move faster than your attackers for the first time, especially the more you empower development / DevOps teams
  • 40.
    #RSAC Three pillars ofeffective visibility + continuous feedback 3. Ability to continuously test and refine your incident response/DFIR/SecOps process By treating even benign bug reports as sample incidents, you can continuously exercise and adapt your process Ultimately you want to be able to answer several questions for any given bug report that comes in:  Did this bounty participant find any additional issues they’re not reporting?  Was this reported vulnerability exploited previously?  etc
  • 41.
    #RSAC Continuous feedback loopsuccess story “I discovered the vulnerability late Friday afternoon and wasn't quite ready to email it to them … [Etsy] had detected my requests and pushed a patch Saturday morning before I could email them. This was by far the fastest response time by any company I've reported to.” - Source: https://www.reddit.com/r/netsec/comments/vbrzg/etsy_has_been_one_of_the_best_companies_ ive
  • 42.
  • 43.
    #RSAC The thesis ofmodern application security is about shifting From: A mindset of “Exclusively focus on gatekeeping controls to eliminate bugs before code is deployed” — (An impossible goal, bugs will never be fully eliminated) To: Focus on obtaining and refining continuous visibility and feedback from deployed applications, and providing security capabilities that make developers/DevOps teams security self-sufficient
  • 44.