Nathan Desmet. Lead Engineer

Similar documents
How to spend $3.6M on one coding mistake and other fun stuff you can do with $3.6M. Matias Madou Ph.D., Secure Code Warrior

THE ART OF SECURING 100 PRODUCTS. Nir

Application Security at Scale

Application security : going quicker

Taking Control of Your Application Security

Discover Best of Show März 2016, Düsseldorf

An Introduction to Runtime Application Self-Protection (RASP)

An Introduction to the Waratek Application Security Platform

Suman Sourav Director DevSecOps, Vantage Point Security. OWASP Indonesia Day 2017

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

Achieving Java Application Security With Parasoft Jtest

SECURITY TESTING. Towards a safer web world

Background FAST FACTS

Weaving Security into Every Application

THE MAIN APPLICATION SECURITY TECHNOLOGIES TO ADOPT BY 2018

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

PT Unified Application Security Enforcement. ptsecurity.com

Hardening Attack Vectors to cars by Fuzzing

TRAINING CURRICULUM 2017 Q2

You ve Been Hacked: Why Web Application Security Programs Should Start with RASP

Managing an Application Vulnerability Management Program in a CI/CD Environment. March 29, 2018 OWASP Vancouver - Karim Lalji 1

Gujarat Forensic Sciences University

ShiftLeft. Real-World Runtime Protection Benchmarking

Lookout's cybersecurity predictions

Fintech District. The First Testing Cyber Security Platform. In collaboration with CISCO. Cloud or On Premise Platform

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

Presentation Overview

The Divine and Felonious Nature of Cyber Security

Computer Information Systems (CIS) CIS 105 Current Operating Systems/Security CIS 101 Introduction to Computers

Vendor Security Questionnaire

locuz.com SOC Services

BUYER S GUIDE APPLICATION SECURITY BUYER S GUIDE:

hidden vulnerabilities

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

Cyber Security. It s not just about technology. May 2017

An SDLC for the DevSecOps Era Or SecDevOps, or DevOpsSec,

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Computer Information Systems (CIS) CIS 105 Current Operating Systems/Security CIS 101 Introduction to Computers

In collaborazione con

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

V Conference on Application Security and Modern Technologies

AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager

Cybersecurity Today Avoid Becoming a News Headline

Continuously Discover and Eliminate Security Risk in Production Apps

Think Like an Attacker

We b Ap p A t ac ks. U ser / Iden tity. P hysi ca l 11% Other (VPN, PoS,infra.)

Internet infrastructure

DOWNLOAD OR READ : WEB APPLICATION SECURITY TESTING THIRD EDITION PDF EBOOK EPUB MOBI

Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.

Addressing penetration testing and vulnerabilities, and adding verification measures

De-risk Your Applications. SUBSCRIBE TO EVRY S SECURITY TESTING AS A SERVICE (STaaS) TODAY!

Penetration testing.

Security

Cyber Attacks & Breaches It s not if, it s When

.NET JAVA C ASE. Certified. Certified. Application Security Engineer.

C1: Define Security Requirements

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

THE FUTURE OF APPSEC AUTOMATION WHY YOUR APPSEC EXPERTS ARE KILLING YOU. Jeff Williams,

Security Solution. Web Application

Application Security Buyer s Guide

Cloudy with a chance of hack. OWASP November, The OWASP Foundation Lars Ewe CTO / VP of Eng. Cenzic

The Value of Automated Penetration Testing White Paper

Sage Data Security Services Directory

Managed Application Security trends and best practices in application security

Robots with Pentest Recipes:

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

SIEMLESS THREAT DETECTION FOR AWS

DevSecOps Shift Left Security. Prioritizing Incident Response using Security Posture Assessment and Attack Surface Analysis

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

6 MILLION AVERAGE PAY. CYBER Security. How many cyber security professionals will be added in 2019? for popular indursty positions are

AppSec in a DevOps World

Vulnerabilities. To know your Enemy, you must become your Enemy. Information security: Vulnerabilities & attacks threats. difficult.

The Hidden Risk of OSS. The Dawn of Software Assembly

Overcoming the Challenges of Automating Security in a DevOps Environment

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

Will your application be secure enough when Robots produce code for you?

STUDENT LEARNING OUTCOMES Beacom College of Computer and Cyber Sciences

Reducing Liability and Threats through Effective Cybersecurity Risk Measurement. Does Your Security Posture Stand Up to Tomorrow s New Threat?

SECURITY PRACTICES OVERVIEW

Micro Focus Fortify Application Security

SAP Security anno Tim Lynen, Manager axl & trax 2017

Carbon Black PCI Compliance Mapping Checklist

DevOps A How To for Agility with Security

How NSFOCUS Protected the G20 Summit. Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity

OWASP InfoSec Romania 2013

IT Vulnerabilities: What an IT Auditor Should be Thinking About

BHConsulting. Your trusted cybersecurity partner

DHS Hackers and the Lawyers Who Advise Them

Cybersecurity Vulnerabilities and Process Frameworks for Oil and Gas

Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems

Creating an AppSec Pipeline with containers in a week. How we failed and succeeded Jeroen Willemsen OWASP benelux days

Cybersecurity for Service Providers

Vulnerability Management From B Movie to Blockbuster Rahim Jina

Institute of Internal Auditors 2018 IIA CHICAGO CHAPTER JOIN NTAC:4UC-11

Device Discovery for Vulnerability Assessment: Automating the Handoff

Product Security Program

Transcription:

Nathan Desmet Lead Engineer Degree in Applied Informatics - Computer and Cyber Crime Professional Co-founder of Sensei Security (which is merged with SCW) Leading the development of Sensei.

Pieter De Cremer, ir. Engineer and Ph.D Candidate M.Eng in Computer Science Engineering Thesis on binary patch diffing Personal grant from Flemish Government to work as a Ph.D. student One of the R&D leads at Secure Code Warrior

Vendor Pitch-Free Zone Promise

> Today s challenges

22M Software developers around the world ~ Evans Data Source: https://evansdata.com/reports/viewrelease.php?reportid=9

111BN Lines of code written by developers every year ~ CSO Online Source: https://www.csoonline.com/article/3151003/application-development/world-will-need-to-secure-111-billion-lines-of-new-software-code-in-2017.html

1 to 4 Exploitable Security Bugs in every 50 000 Lines of Code Source: StackOverflow

90% Security incidents result from defects in the design or code ~ DHS Source: https://www.us-cert.gov/sites/default/files/publications/infosheet_softwareassurance.pdf

21% Of data breaches caused by software vulnerability ~ Verizon Source: Verizon, Data Breach Report, 2018 (but in there the last 10 years)

1 in 3 of newly scanned applications had SQL injections over the past 5 yrs ~ Cisco Source: Cybersecurity as a Growth Advantage, Cisco, 2016

> How did we end up here?

Corporates had a branding website, the Internet was mostly for geeks > AppSec was virtually non-existent in corporate world AppSec in 2000 > Hacking was focussed on exploiting infrastructure vulnerabilities (bof, race conditions, fmt str*) > Research on first web app weaknesses > OWASP started and Top 10 released! > Penetration testing was black magic

F**k it. We ve got bigger problems (Y2K) than worrying about Application Security

Companies started offering web-based services; Web 2.0 and Mobile are new > Penetration testing was THE thing > Web Application Firewalls will stop everything AppSec in 2010 > Paper-based secure coding guidelines > Static Code Analysis Tools (SAST) emerge

Monthly data breaches, Hackers everywhere, Privacy, GDPR, PCI-DSS, HIPAA Putin

Everything runs on software. Cybersecurity & AppSec are hot topics. > SAST is still here > Runtime Application Security Protection (RASP) AppSec in 2018 > Dynamic Application Security Testing (DAST) > Interactive Application Security Testing (IAST) > Crowd-Sourced Security Testing (CSST?) > DevSecOps is getting traction - Containerisation - Integrating security and ops into dev - Security pipelining > SHIFT Left

Challenge - Pen-testing mostly sucks AppSec in 2018 Security Experts Developers

Challenge - Black Hole of security knowledge AppSec in 2018

The current black hole of security knowledge TOOLS SECURITY EXPERTS TEST AND FIND VULNERABILITIES DEVELOPER FINDS WAY TO FIX THE PROBLEM KNOWLEDGE DISAPPEARS INTO A BLACK HOLE SIMILAR VULNERABILITY REAPPEARS

We re failing in Learning from Our Mistakes

AppSec @ Work

SHIFT START left Scale and Make an Impact as an AppSec Pro

> Where does enforcing coding guidelines come in?

Developer 1

Coding guideline

XXE

XXE

XXE

XXE

XXE

XXE

Preventing XXE

Preventing XXE

Preventing XXE Secure coding guideline On DocumentBuilderFactory call setfeature with these parameters before calling newdocumentbuilder

Developer 2

Coding guideline

Coding guideline Secure coding guideline On DocumentBuilderFactory call setfeature with these parameters before calling newdocumentbuilder

Coding guideline Secure coding guideline On DocumentBuilderFactory call setfeature with these parameters before calling newdocumentbuilder

XXE

XXE

XXE

Preventing XXE

SDLC Train Develop Build Test Deploy

Security started as part of software testing Train Develop Build Test Pen testing Code analysis Deploy Breaches

Shift left Train Develop Build Test Code analysis Code review Code analysis Pen testing Deploy Breaches

Keep shifting left? Train Develop Build Test Code analysis? Code analysis Code analysis Pen testing Deploy Breaches

Code analysis Train Develop Build User input doget request.getparameter isauthorized readxml user.hasrole factory.newdocbuilder Test Deploy

Code analysis Train Develop Build Test User input doget request.getparameter! isauthorized readxml user.hasrole factory.newdocbuilder Deploy

Code analysis Train Develop Build User input doget request.getparameter isauthorized readxml user.hasrole factory.newdocbuilder Test Deploy

Code analysis Train Develop Build Test User input doget request.getparameter Day 1 isauthorized readxml user.hasrole factory.newdocbuilder Deploy

Code analysis Train Develop Build User input doget request.getparameter Day 2 isauthorized readxml user.hasrole factory.newdocbuilder Test Deploy

Code analysis Train Develop Build Test User input Day 3 doget request.getparameter isauthorized readxml user.hasrole factory.newdocbuilder Deploy

Code analysis Train Develop Build Test User input doget request.getparameter! isauthorized readxml user.hasrole factory.newdocbuilder Deploy

Code analysis Train Develop Build Test User input doget request.getparameter Day 4 isauthorized readxml user.hasrole factory.setfeature factory.newdocbuilder Deploy

Keep shifting left? Train Develop Code analysis? Coding guidelines Build Test Code analysis Code review Code analysis Pen testing Deploy Breaches

Code analysis Train Develop Build Test User input doget request.getparameter Day 1 isauthorized readxml user.hasrole factory.newdocbuilder Deploy

Code analysis Train Develop Build Test User input doget request.getparameter! Day 1 isauthorized readxml user.hasrole factory.newdocbuilder Deploy

Code analysis Train Develop Build Test User input doget request.getparameter! Day 1 isauthorized readxml user.hasrole factory.setfeature factory.newdocbuilder Deploy

> Other advantages for coding guidelines

Scalable User input doget request.getparameter! isauthorized readxml user.hasrole factory.newdocbuilder

Scalable User input? readxml factory.newdocbuilder

Scalable User input! readxml factory.newdocbuilder

Uniformity User input readxml factory.newdocbuilder

Protect from future use User input 2 months later readxml factory.newdocbuilder

Protect from future use User input 2 months later! readxml factory.newdocbuilder

Protect from future use User input 2 months + 1 day? readxml factory.setfeature factory.newdocbuilder

> Final case for tool-based support

You

Coding guideline? Secure coding guideline On DocumentBuilderFactory call setfeature with these parameters before calling newdocumentbuilder

Coding guideline Secure coding guideline On DocumentBuilderFactory call setfeature with these parameters before calling newdocumentbuilder

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback