Application Security: Open Technologies, Tools, and Techniques for Running a Successful InfoSec Program

Transcript

1. Application Security on a Dime Open Technologies, Tools, and Blossoming

   InfoSec Programs Amidst a sea of threats, how ready is your enterprise to navigate beyond risk?

2. Navigational Map • Speaker Profile • Security Challenges • Intro

   to OWASP • Security Voltron Concept • Governance, Development, Security Testing • Closing Remarks

3. @t0nyuv LinkedIn.com/tonyuv Tony UcedaVélez CEO/ Founder, VerSprite VerSprite.com - Global

   Security Firm • OWASP Atlanta Chapter Leader (past 10 years) • Author, “Risk Centric Threat Modeling – Process for Attack Simulation & Threat Analysis”, Wiley June 2015 • Passionate global, threat modeling evangelist • Dreams of bankrupting #infosec with intelligent, threat inspired DevSecOps automation

4. Security Challenges How to start saying..... "I GOT 99 PROBS

   BUT SECURITY AIN'T ONE"

5. • Isolated SDLC Efforts • Anti-Security Culture • Expanding heterogeneous

   tech stack • Decentralizing management • Security not built into IT functions • Targeted attacks • Open intel on application components Challenges in AppSec Or, I got 99 problems and they are all security!

6. • Establish governance • Security requirements & resources • Implementation

   of SSDLC • User security frameworks • Test and test early • Track defects Sound Solutions Or, I got 99 problems and they are all security!

7. OWASP Open Web Application Security Project

8. OWASP Open Web Application Security Project

9. • Open Wen Application Security Project • Launched December 1st,

   2001 • Community-led open source software project • Dedicated to openness of all content and materials • International community focused on improving AppSec • X-cultural, X-Industry related challenges exposed and addressed • Massively supportive and responsive • Follow @OWASP Intro to OWASP

10. • OPEN - radical transparency, from finances to our code

    • INNOVATION – encourages innovation for solutions to software security challenges • GLOBAL – truly a global community • INTEGRITY – respectful, supportive, truthful, vendor neutral, Core Values (www.owasp.org)

11. Security Voltron Concept Collaboration Effort of Distinct Practices in Running

    a Security Program
12. None

13. Governance Without governance, your security program will sink

14. • Governance is centered on the processes and activities related

    to how an organization manages overall software development activites • Strategy & Metrics • Policy & Compliance • Education & Guidance Policies, Standards, Guidelines

15. Policies, Standards, Guidelines

16. • The Software Assurance Maturity Model (SAMM) is an open

    framework that helps organizations formulate and implement a strategy for software security that is tailored to a specific risk an organization is facing. • Evaluate your organization's existing software security practices • Build a balanced software security programam in well- defined iterations • Demonstrating concrete improvements • Defining and measuring security-related activities throughout an organization OWASP SAMM

17. Governance Without governance, your security program will sink

18. • The OWASP Top Ten represents a broad consensus about

    the most critical security risks to web applications • Adopted by the Payment Card Industry • Recommended as a best practice by many government and Industry entities • Benefits • Powerful awareness document for web application security • Great starting point and reference for developers to change the software development culture within your organization OWASP Top Ten

19. • 1. Injection • 2. Broken Authentication • 3. Sensitive

    Data Exposure • 4. XML External Entities (XXE) • 5. Broken Access Control • 6. Security Misconfiguration • 7. Cross-Site Scripting XSS • 8. Insecure Deserialization • 9. Using Components with Known Vulnerabilities • 10. Insufficient Logging & Monitoring https://owasp.org/www-project-top-ten/ OWASP Top Ten

20. "OWASP.org is a valuable resource for any company involved with

    online payment card transactions. Dell uses OWASP's Software Assurance Maturity Model to help focus our resources and determine which components of our secure application development program to prioritize. Participation in OWASP's local chapter meetings and conferences around the globe helps us blind stronger networks with our colleagues." Michael J. Craigue, Information Security & Compliance, Dell, Inc.

21. S-SDLC Building security in software development

22. If you do not have a published SDLC for your

    organization then you will NOT be successful

23. OWASP Developers Cheat Sheet • Created to provide a concise

    collection of high value information on specific application security topics • Created by appsec professionals • Can be found at • https://cheatsheetseries.owasp.org/index.html

24. • Primary aim is to normalize the range in the

    coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard • Provides a basic for testing application technical security controls • Developed with the following objectives in mind • Use as a metric • Use as guidance • Use during procurement OWASP ASVS – Application Security Assurance Methodology

25. • Supporting quotes and research • Secure Coding Guidelines •

    Secure Coding Checklist • Non-Functional Requirements • Static Code Analysis • Security Awareness Training • Threat Modeling • Application Security Risk Matrix • Published SDLC SDLC Building Blocks

26. Security in SDLC

27. S-SDLC / Building Security-In Without governance, your security program will

    sink

28. OWASP Developer References Without governance, your security program will sink

29. • The OWASP® ModSecurity Core Rule Set (CRS) is a

    set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS provides protection against many common attack categories. • SQL Injection (SQLi) • Cross Site Scripting (XSS) • Local File Inclusion (LFI) • Remote File Inclusion (RFI) • PHP Code Injection • Java Code Injection HTTPoxy • Shellshock • Unix/Windows Shell Injection • Session Fixation • Scripting/Scanner/Bot Detection • Metadata/Error Leakages OWASP ModSecurity

30. • One of the world’s most popular free security tools

    • Automatically find security vulnerabilities while you are developing and testing your applications • OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery. • CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated. • Java, .Netand PHP implementations • Provides code to generate unique request tokens to mitigate CSRF risks OWASP CSRFGuard

31. OWASP CSRFGuard

32. Security Awareness How well do the members of your organization

    know regarding the protection of the physical, and especially informational, assets of that organization

33. • Over 15 years of experience in web application security

    bundled into a single application • Vital coding took for your development team • Learn to integrate security into your web application • Includes manageable projects with checklists and best practice code examples in multiple program languages OWASP Security Knowledge Framework

34. • Most modern and sophisticated insecure web application • Used

    during security trainings, awareness demos, CTFs • Encompasses vulnerabilities from the entire OWASAP Top Ten • Contains multiple hacking challenges of varying difficulties OWASP Juice Shop

35. Security Testing Testing insecurities before your adversaries do

36. • Simplify!!! • Create roadmap • Standardize testing • Follow

    a methodology!!! • Metrics are important. Really. • Tools Prescriptive Advice for Testing

37. • Frontispiece • Introduction • The OWASP testing framework •

    Web application Security Testing Into • Configuration and Deployment Management Testing • Reporting Testing Guide V4: Index

38. • Use in conjunction with Burp or Zed Attack Proxy

    • Capture POST request to website via proxy • Copy POST requests to text file Sqlmap.py – Test for the Dreaded SQLi

39. • Released September 2010 • Ease of use a priority

    • Comprehensive help pages • Free, Open source • Cross platform • A fork of the well-regarded Paros Proxy • Involvement actively encouraged • Adopted by OWASP October 2010 The Zed Attack Proxy

40. • ZAP is: • Easy to use (for a web

    app pentest tool) • Ideal for appsec newcomers • Ideal for training courses • Being used by Professional Pen Testers • Easy to contribute to (and please do!) • Improving rapidly ZAP Overview

41. Where is ZAP Being Used? United States Japan Spain United

    Kingdom Germany China

42. • All the essentials for web application testing • Intercepting

    Proxy • Active and Passive Scanners • Spider • Report Generation • Brute Force (using OWASP DirBustercode) • Fuzzing (using OWASP JBroFuzzcode) The Main Features

43. • Auto tagging • Port scanner • Smart card support

    • Session comparison • Invoke external apps • BeanShell integration • API + Headless mode • Dynamic SSL Certificates • Anti CSRF token handling The Additional Features

44. Testing insecurities before your adversaries do

45. Testing insecurities before your adversaries do

46. • ZAP has: • An active development community • An

    international user base • The potential to reach people new to OWASP and appsec, especially developers and functional testers • ZAP is a key OWASP project • Security Tool of the Year 2013 ZAP Summary

47. • Define scope of adoption • 1.Driven by _ _

    _ _ _ _ _ (impact, criticality, etc.) • 2.Use cases/ Abuse cases • 3.Architecture • Set up controlled adoption • Test, decompile, review • Become involved in dev forums ZAP Summary

48. More Tools & Closing Thoughts More Open Source Tools for

    effective AppSec Activities

49. • OWASP Threat Dragon https://owasp.org/www-project-threat-dragon/ • SSL-Labs https://www.ssllabs.com/ssltest/ • Rumble

    https://www.rumble.run/ • Metasploit– http://www.metasploit.com • Kali-http://www.kali.org/ • Burp-http://portswigger.net/burp/ • Recon-ng–full featured web recon framework tool that is text based and written in Python https://bitbucket.org/LaNMaSteR53/recon-ng • Twitter? Yes, Twitter, 2nd to Google, is hacker’s paradise More Tools

50. • Leverage Open Source sources to INFLUENCE your security program

    development/ management • Do NOT make your security program free and open, keep it close to the vest • Keep abreast of security news is a must –ever changing threat landscape • Need to tell management that security is a process, not a one-time mountain climb. Keeping executive support of security is the most important thing for longevity of your security program. • Diversify your security program. Closing Thoughts

51. To Get More Out of OWASP, start here> www.owasp.org #FollowThenLead

    @t0nyuv @versprite @OWASPATL LinkedIn.com/tonyuv Email: [email protected] [email protected] Closing Thoughts