A Baker's Dozen: Application Security On A Limited Budget - FIRST

Transcription

A baker's dozen: application security on a limited budget
Copyright Security Journey

About Chris Romeo
SECURITY BACKGROUND: CEO / Co-Founder @ Security Journey. 22 years in the security world, CISSP, CSSLP. 10 years at Cisco, leading security education. Co-Lead of the OWASP Triangle Chapter.
LISTEN TO ME: The Application Security Podcast
TALK TO ME: @edgeroute, @AppSecPodcast

Agenda
1. Traditional application security programs
2. The importance of security community
3. Building a program based on OWASP: awareness and education; process and measurement; tools
4. Final thoughts

Traditional AppSec programs: People, Process, Tools

Goals of an AppSec Program
1. Limit vulnerabilities in deployed code.
2. Build secure software and teach developers to build secure software.
3. Provide processes and tools for AppSec standardization.
4. Demonstrate software security maturity through metrics and assessment.

What if I had to develop an application security program with a budget of 0?

Reality: enhance with OWASP resources to fill in missing areas of your program.

Security Champions
se · cu · ri · ty cham · pi · on [sih · kyer · uh · tee cham · pee · uhn], noun: 1. a person passionate about security with a desire to educate those around them.
We all want to embed security champions in our companies.

Premise (as of 6 September, 2019): Flagship projects 18, Lab projects 24, Incubator projects 73.

Scale of project risk
Rating / Explanation
0: The only way this goes away is if owasp.org disappears off the Internet.
1-3: Stable project, multiple releases, high likelihood of sustainability.
4-6: Newer project, fewer releases.
7-9: Older project with a lack of updates within the last year.
10: If I added one of these to this project, I should have my head examined.

NOTICE: Use OWASP projects with caution. There is no guarantee that a project will ever be updated again.

The categories: awareness, knowledge, and education; process and measurement; tools.

Awareness, knowledge and education

OWASP Top 10 - 2017 (Project Risk 0)
A1:2017-Injection
A2:2017-Broken Authentication
A3:2017-Sensitive Data Exposure
A4:2017-XML External Entities (XXE)
A5:2017-Broken Access Control
A6:2017-Security Misconfiguration
A7:2017-Cross-Site Scripting (XSS)
A8:2017-Insecure Deserialization
A9:2017-Using Components with Known Vulnerabilities
A10:2017-Insufficient Logging & Monitoring
https://owasp.org/www-project-top-ten/

OWASP Proactive Controls (Project Risk 2)
C1 Define Security Requirements
C2 Leverage Security Frameworks and Libraries
C3 Secure Database Access
C4 Encode and Escape Data
C5 Validate All Inputs
C6 Implement Digital Identity
C7 Enforce Access Control
C8 Protect Data Everywhere
C9 Implement Security Logging and Monitoring
C10 Handle All Errors
ve-controls/

The intermingling: OWASP Top 10 - 2017 mapped to Proactive Controls
A1:2017-Injection: C4 Encode and Escape Data, C5 Validate All Inputs
A2:2017-Broken Authentication: C6 Implement Digital Identity
A3:2017-Sensitive Data Exposure: C8 Protect Data Everywhere
A4:2017-XML External Entities (XXE): C5 Validate All Inputs
A5:2017-Broken Access Control: C7 Enforce Access Control
A6:2017-Security Misconfiguration: None
A7:2017-Cross-Site Scripting (XSS): C4 Encode and Escape Data, C5 Validate All Inputs
A8:2017-Insecure Deserialization: C5 Validate All Inputs
A9:2017-Using Components with Known Vulnerabilities: C2 Leverage Security Frameworks and Libraries
A10:2017-Insufficient Logging & Monitoring: C9 Implement Security Logging and Monitoring

OWASP Cheat Sheet Series, e.g. Cross Site Scripting Prevention (Project Risk 2)
https://cheatsheetseries.owasp.org/

OWASP Juice Shop (Project Risk 3): JavaScript-based, intentionally insecure web app. Encompasses the entire OWASP Top Ten and other severe security flaws.
https://owasp.org/www-project-juice-shop/

Missing pieces in awareness, knowledge and education: delivery of awareness and education; administration of the training platforms.

Awareness and education: impact and headcount
Awareness: foundational understanding of the most important concepts in AppSec.
Knowledge: a concise reference for solving the most difficult AppSec problems.
Hands-on training: assimilation of key concepts through activities that lock in knowledge and make it practical.

Awareness and education: getting started
Awareness: lunch and learn sessions to teach the basics of all awareness documents.
Knowledge: teach developers about available cheat sheets; host an internal copy of the cheat sheets; lead a training session covering the three most crucial cheat sheets for your organization.
Hands-on training: build an environment that hosts Juice Shop; schedule a hack-a-thon where teams gather and work on Juice Shop in teams and learn from each other.

Process and Measurement

OWASP SAMM (Project Risk 1)
https://owasp.org/www-project-samm/

OWASP Application Security Verification Standard, requirement areas (Project Risk 1)
V1. Architecture, design and threat modelling
V2. Authentication
V3. Session management
V4. Access control
V5. Malicious input handling
V7. Cryptography at rest
V8. Error handling and logging
V9. Data protection
V10.
V11. HTTP security configuration
V13. Malicious controls
V15. Business logic
V16. File and resources
V17. Mobile
V18. Web services
V19. Configuration
ation-security-verification-standard/

OWASP Application Threat Modeling (Project Risk 5)
https://www.owasp.org/index.php/Application_Threat_Modeling

OWASP Code Review Project (Project Risk 4)
Secure code review methodology
Technical reference for secure code review: OWASP Top 10, HTML5, same origin policy, reviewing logging code, error handling, buffer overruns, client-side JavaScript
Code review do's and don'ts
Code review checklist
Code WASP Code Review Project

OWASP Testing Guide (Project Risk 1)
Information gathering
Configuration and deployment management testing
Identity management testing
Authentication testing
Authorization testing
Session management testing
Input validation testing
Testing for error handling
Testing for weak crypto
Business logic testing
Client-side testing
-guide/

Missing pieces in process and measurement: end-to-end SDL or Secure SDLC; program metrics; deployment advice/experience on how to be successful.

Process and measurement: impact and headcount
Process: ASVS provides important requirements. App threat modeling defines the process with examples. Code review guide describes how to perform a code review and what to look for. Testing guide provides how to test and a knowledge base of how to exploit vulnerabilities.
Measurement: a roadmap to where you are today, and a plan for where you want to go with your AppSec program.

Process and measurement: getting started
Process: choose one of the process areas to start with (threat modeling) and build out this activity as your first. Early wins are key!
Measurement: perform an early assessment to determine where you are. Map out your future. Share these assessments with Executives and Security Champions (and anyone else that will listen). Advocate for Executive support on your plan to build a stronger AppSec program.

Tools

OWASP ModSecurity Core Rule Set (slide text truncated in transcription)
e-rule-set/

OWASP Dependency Check (Project Risk 3)
Diagram labels: Dependency List, Analyzer, NVD, Vulnerabilities?
y-check/

OWASP ZAP (Project Risk 2)
Diagram labels: Browser, Web app
https://owasp.org/www-project-zap/

OWASP Threat Dragon (Project Risk 7)
https://owasp.org/www-project-threat-dragon/

Missing pieces in tools: no options for SAST or IAST; a dashboard to track everything (requirements management, activities, releases, metrics).

Tools: impact and headcount
Infrastructure: CRS provides a true WAF solution. Dependency check identifies vulnerable 3rd party software. ZAP provides DAST, and plugs into any dev methodology.

Tools: getting started
Infrastructure: add Dependency Check to your build pipeline tomorrow. Teach ZAP to Security Champions and interested testers. Work with your infra owner to deploy a test of ModSecurity CRS. Threat Dragon POC.
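One way to turn "add Dependency Check to your build pipeline" into a build gate, as an added example that is not from the slides or the OWASP project: a small script that reads a Dependency-Check JSON report and fails the build when any finding meets a CVSS threshold. The report structure (a "dependencies" array whose entries may carry a "vulnerabilities" array with cvssv3/cvssv2 scores) is assumed here, and the embedded sample report and CVE ids are constructed placeholders.

```python
import json

# Constructed sample in the shape of a Dependency-Check JSON report
# (structure assumed; file names, CVE ids and scores are made up).
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-json-lib-1.2.3.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM",
              "cvssv3": {"baseScore": 5.3}},
         ]},
        {"fileName": "example-clean-lib-3.9.jar"},
        {"fileName": "example-old-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0003", "severity": "HIGH",
              "cvssv2": {"score": 7.5}},   # only a v2 score available
         ]},
    ]
})

def score_of(vuln):
    """Prefer the CVSSv3 base score, fall back to CVSSv2, else 0."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore") or v2.get("score") or 0.0)

def findings_at_or_above(report_json, threshold):
    """Return (dependency file name, CVE id, score) for every finding
    whose score is >= threshold, highest score first."""
    report = json.loads(report_json)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = score_of(vuln)
            if score >= threshold:
                hits.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    return sorted(hits, key=lambda h: -h[2])

def build_should_fail(report_json, threshold=7.0):
    """Gate decision: True when at least one finding meets the threshold."""
    return len(findings_at_or_above(report_json, threshold)) > 0

if __name__ == "__main__":
    import sys
    for fname, cve, score in findings_at_or_above(SAMPLE_REPORT, 7.0):
        print(f"{fname}: {cve} (CVSS {score})")
    sys.exit(1 if build_should_fail(SAMPLE_REPORT) else 0)
```

In a real pipeline the report path would come from the scanner's output directory and the threshold from a pipeline variable, so the gate can start lenient and be tightened as the backlog is worked down.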

Headcount summary: awareness, knowledge, and education; process and measurement; tools.

The 13 OWASP projects as an AppSec program (diagram labels: Design, Tools, Infrastructure, Process, ss and education, Hands-on training, Security Community)

Apply What You Have Learned Today
Next week you should: assess a high-level current state of your application security program and determine if you have visible gaps.
In the first three months following this presentation you should: perform a deeper assessment using OpenSAMM; choose one of the dozen to implement.
Within six months you should: measure the impact of your first project implementation; plan and execute on one or two additional pieces, resources permitting.

Final thoughts for an AppSec program on the cheap
1. Use Open SAMM to assess current program and future goals.
2. There is no OWASP SDL; build/tailor required.
3. Start small; choose one item for awareness and education to launch your program.
4. Build security community early; it is the support structure.
5. Evaluate available projects in each category and build a 1-2-year plan to roll each effort out.
6. While OWASP is free, head count is not; plan for head count to support your "free" program.

How to engage with Security Journey
LEARN: free trial of the Security Belt Program, https://app.securityjourney.com
LISTEN: The Application Security Podcast
READ: https://www.securityjourney.com/hi5
EMAIL: chris romeo@securityjourney.com
SOCIALS: @edgeroute, @AppSecPodcast