Application Security Landscape

Matt Konda
November 06, 2015

A talk about application security in the scope of an overall security program.

Transcript

  1. Introduction 1997 2006 2014 Consultant Engineer Software Architect Director of Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 ChicagoCoderConference 2015 MS in CS Founder Consultant Agile Clojure Graph Database Big Data. Trying to hack a business model that succeeds while helping developers. Domains: Projects: DevOps / Automation Training Coaching Code Review Plugged in to SDLC Consulting Assessments @mkonda [email protected] Secure DevOps Growing OWASP Board Agile Security
  2. “This year, organized crime became the most frequently seen threat actor for Web App Attacks.” Verizon 2015 DBIR
  3. See
     • Botnets
     • Widespread use of harvested credentials
     • Account takeover
     • Credit card fraud
     • Dumps of passwords and sensitive data with SQLi
     • User pwnage with XSS
  4. “Two thirds of the incidents in this pattern had no attacker-attribution information whatsoever.” Verizon 2015 DBIR, Cyber-Espionage
  5. 90% of security investments focus on network security. 75% of attacks focus on vulnerable applications. From industry advertisement. Original source not cited.
  6. Static Analysis, Live App Scanning, Dynamic Analysis, Dependency Checks, Web Application Firewall, Runtime Security Monitoring
  7. Static Analysis, Live App Scanning, Dynamic Analysis, Dependency Checks, Web Application Firewall, Runtime Security Monitoring, IP Reputation
  8. Static Analysis, Live App Scanning, Dynamic Analysis, Dependency Checks, Web Application Firewall, Runtime Security Monitoring, IP Reputation, Anti-Automation
  9. Static Analysis, Live App Scanning, Dynamic Analysis, Dependency Checks, Web Application Firewall, Runtime Security Monitoring, IP Reputation, Anti-Automation, Penetration Testing
  10. Static Analysis, Live App Scanning, Dynamic Analysis, Dependency Checks, Web Application Firewall, Runtime Security Monitoring, IP Reputation, Anti-Automation, Penetration Testing
  11. B+
  12. We need to understand applications: data flow, fraud scenarios and data sensitivity to build an appropriately focused security program.
  13. Organizational Health
     • 2184 members, 45 corporate.
     • Financially sound.
     • Excellent conference results including for AppSecUSA, AppSecEU and LATAM tour.
     • ED is a full-time employee (started summer 2014, full time Spring 2015).
     • Recently hired community manager - Noreen Whysel (November 2014).
     • Recently hired project co-ordinator - Claudia Casanovas (May).
     • Kate Hartmann and Kelly Santalucia continue to handle operational and membership awesomeness.
  14. Active Work
     • Funded OWASP summer of code.
     • Increased activity in project summits.
     • Conference planning.
     • All the background work of sponsors, elections, membership, project support…
  15. Flagship Projects
     Tools • ZAP • OWASP Dependency Check • Web Testing Environment Project • OWTF
     Code • ModSecurity • CSRFGuard • AppSensor
     Documentation • ASVS • SAMM • Top 10 • Testing Guide • Benchmark
  16. Tiers
     • 0 – Cursory – You have done something. You define.
     • 1 – Opportunistic – Adequately defends against easily discoverable items.
     • 2 – Standard – Adequately defends against items of moderate to serious risk.
     • 3 – Advanced – Defends against even advanced attacks and demonstrates good security design.