confidence 2015: appsec, the untrustable dev - timur khrotko
TRANSCRIPT
■ Open Web Application Security Project[s]
o owasp.org, open-source, non-profit o AppSec evangelism
■ OWASP ≠ Top 10 (which is an educational project imo)
■ some projectso ASVS (Application Security Verification Standard)o (T10) Proactive Controlso Testing Guide (TG)o ZAP (Zed Attack Proxy)o dependency-check …
O.W.A.S.P.
■ coders will never care about security
○ it can only be a by-product of their gut/tacit practice
■ don’t rely on appsec, detect and handle incidents
■ applications are vulnerable anyway - why?:○ complexity, culture of devs, complicity (yours
also, see culture of audits), mismanagement, immature methodologies and robots
■ for the dev teams who aren't lost:○ secure coding course +dev coaching
+ review of audit findings
abstract / goo.gl/mbrPYO
■ AppSec = QA (security QA, SeQA)
o product + production/dev + support + etc practices
■ don’t buy it w/o threat modeling (risk assessment)
■ AS policy, S-SDLCo design, code, configuration, controls, testingo patch management, support agreement, sec SLA
■ countermeasures: filter, isolate, monitor, respondo waf, sandboxing, dmz, log audit, id(p)s
■ audit/testo va, sast, dast, iast, code review, bl tests, pentest,
ci …
appsec concepts
appsec, the short story
■ application security is created by the developers to meet the set requirements
The task of the software development team is to engineer the illusion of
simplicity.
why #1: complexity
image: Bobbi J. Young et al. 2007. Software complexity: how do we bring order to chaos?
open sw production culture
■ HB -- a failure of the opensource QA myth
o “OpenSSL is written by monkeys”/ Marco Peereboom, 2009
o “… is a patchwork nightmare”/ Matthew Green, 2013
o “I told you so, la la la, I told you so!”/ Marco Peereboom, 2014 image: XOX
enterprise sw culture
■ “Threats in custom app development: enterprises' lack of security”
o Veracode Inc. blog, 2014 Sep
OWASP Proactive Controls
C1: Parameterize Queries
C2: Encode Data
C3: Validate All Inputs
C4: Implement Appropriate Access Controls
C5: Establish Identity and Authentication Controls
C6: Protect Data and Privacy
C7: Implement Logging, Error Handling and Intrusion Detection
C8: Leverage Security Features of Frameworks and Security Libraries
C9: Include Security-Specific Requirements
C10: Design and Architect Security In
OWASP ASVS
■ AppSec Verification Standard
o “security engineering checklist”o levels (eg. L2): risk --> requirements -->
verification
resource: cut eh bdgt
■ eh (ethical hacking incl webapp assessments) is just another expensive social construct you subscribed too eh culture is just as bad as that of the dev’s
■ relocate and spend more on:
o trainingso S-SDLC, AppSec policy enforcemento threat modeling and IR
■ use appsec specialists with whom your devs can work constructively (eg. coaching)
resource for the smb-s
■ involve a visiting appsec specialist in critical moments
■ have a visiting ciso, at least rarely visiting
■ make one resident member of the dev team security champion (see MS SDL)
■ secure coding courses