How to embed security in your Application from first steps, QNAP vulnerabilities, API Security and How to establish a lean security program.

2. Secure
Development
Lifecycle
Ver 2
April 21st, 2022

3. Regine Bonneau
RB Advisory Founder and
CEO
2
I started my engineering and cyber career 30 years ago from programming –
robotics – coding – GRC – Cyber in the Finance, Government, Healthcare, Legal, and
Technology industry.
I founded RB Advisory in 2016 after years in Corporate environments, which provides
cyber risk management, security assessments, compliance services,
forensic audits, and privacy consultations for private sector and government
clients.
I believe in order to create an effective governance, compliance and
security culture there needs to be an understanding of each aspect of the
phenomena in enterprise risk management and governance with insight
and commitment at every level of an organization.
We have partnered with Cybrella to create a stronger professional
cybersecurity services for small to medium sized businesses, and to larger
enterprises as they are looking to expand their cybersecurity capabilities.

4. 4
4
Introduction to Secure Development Lifecycle
Secure Development Lifecycle Roles and Responsibilities
Secure Development Lifecycle Benefits
Secure Development Lifecycle Phases
How To Get Started and SDL Practices
Agenda

5. • Framework that defines the steps involved in building
secure applications.
• Collection of best practices that designed to add
security to the standard SDLC process.
• The SDL approach calls for a secure development
mindset.
Introduction to SDL
5
5

6. 6
SDL Main Benefits
SDL is a good illustration of what is known as a "shift-left" drive, which refers to v
Detecting vulnerabilities
early will save you both
time and money
From the planning stage
onward, security decisions
are coordinated
Creating a security culture
limits business risks
through the SDLC

7. 7
Secure Development Lifecycle Phases
• Security in any of the SDLC phases.
• Security at the forefront of the Dev team's mind.
• SDL and cohesive communication with clients.
Core Security
Training
Establish
Security
Requirements
Create Quality
Gates / Bug Bars
Security &
Privacy Risk
Assessment
Establish Design
Requirements
Analyze Attack
Surface
Threat Modeling
Use Approved
Tools
Deprecate
Unsafe Function
Static Analysis
Dynamic
Analysis
Fuzz Testing
Attack Surface
Review
Incident
Response Plan
Final Security
Review
Release Archive
Execute Incident
Response Plan
Training Requirement Design Implementation Verification Release Response

8. 8
Training
Core Security Training
• Secure Design
• Threat Modeling
• Secure Coding
Core Security
Training
Establish
Security
Requirements
Create Quality
Gates / Bug Bars
Security &
Privacy Risk
Assessment
Establish Design
Requirements
Analyze Attack
Surface
Threat Modeling
Use Approved
Tools
Deprecate
Unsafe Function
Static Analysis
Dynamic
Analysis
Fuzz Testing
Attack Surface
Review
Incident
Response Plan
Final Security
Review
Release Archive
Execute Incident
Response Plan
Training Requirement Design Implementation Verification Release Response
• Security Testing
• Privacy

9. 9
Requirement
Security Requirements, Quality Gates/Bug Bars, Security and Privacy Risk Assessment
• Security and privacy “up front” is a fundamental aspect of secure system development.
• Quality gates and bug bars are used to establish minimum acceptable levels of security and
privacy quality.
• SRAs and PRAs are mandatory processes that identify functional aspects of the software
that require deep review.
Core Security
Training
Establish
Security
Requirements
Create Quality
Gates / Bug Bars
Security &
Privacy Risk
Assessment
Establish Design
Requirements
Analyze Attack
Surface
Threat Modeling
Use Approved
Tools
Deprecate
Unsafe Function
Static Analysis
Dynamic
Analysis
Fuzz Testing
Attack Surface
Review
Incident
Response Plan
Final Security
Review
Release Archive
Execute Incident
Response Plan
Training Requirement Design Implementation Verification Release Response

10. 10
Design
Design Requirements, Attack Surface Reduction, Threat Modeling
• It is critically important to consider security and privacy concerns carefully during the
design phase.
• Attack surface reduction is a means of reducing risk by giving attackers less opportunity to
exploit a potential weak spot or vulnerability
• Threat modeling is used in environments where there is meaningful security risk.
Core Security
Training
Establish
Security
Requirements
Create Quality
Gates / Bug Bars
Security &
Privacy Risk
Assessment
Establish Design
Requirements
Analyze Attack
Surface
Threat Modeling
Use Approved
Tools
Deprecate
Unsafe Function
Static Analysis
Dynamic
Analysis
Fuzz Testing
Attack Surface
Review
Incident
Response Plan
Final Security
Review
Release Archive
Execute Incident
Response Plan
Training Requirement Design Implementation Verification Release Response

11. 11
Implementation
Use Approved Tools, Deprecate Unsafe Function, Static Analysis
• Developers should publish a list of approved tools and their security checks.
• The development teams should analyze all functions and APIs that will be used and
prohibit those that are unsafe.
• An efficient method for ensuring secure coding policies is static code analysis.
Core Security
Training
Establish
Security
Requirements
Create Quality
Gates / Bug Bars
Security &
Privacy Risk
Assessment
Establish Design
Requirements
Analyze Attack
Surface
Threat Modeling
Use Approved
Tools
Deprecate
Unsafe Function
Static Analysis
Dynamic
Analysis
Fuzz Testing
Attack Surface
Review
Incident
Response Plan
Final Security
Review
Release Archive
Execute Incident
Response Plan
Training Requirement Design Implementation Verification Release Response

12. 12
Verification
Dynamic Program Analysis, Fuzz Testing, Threat Model and Attack Surface Review
• Run-time verification of software programs is necessary to ensure that a program’s functionality
works as designed.
• A fuzz test introduces malformed or random data to a program in order to cause its failure.
• As soon the development is completed, threat models and attack surfaces should be re-
reviewed.
Core Security
Training
Establish
Security
Requirements
Create Quality
Gates / Bug Bars
Security &
Privacy Risk
Assessment
Establish Design
Requirements
Analyze Attack
Surface
Threat Modeling
Use Approved
Tools
Deprecate
Unsafe Function
Static Analysis
Dynamic
Analysis
Fuzz Testing
Attack Surface
Review
Incident
Response Plan
Final Security
Review
Release Archive
Execute Incident
Response Plan
Training Requirement Design Implementation Verification Release Response

13. 13
Release & Response
Incident Response Plan, Penetration Testing, Final Security Review, Release/Archive,
• Every software release subject to the requirements of the SDL must include an incident response plan.
• Performing penetration testing on a software system simulates the actions of a hacker that will may try to
breach your application.
• Final security review is a deliberate inspection of all security activities conducted on a software application
before its release
• By using the FSR and other data, the security advisor assigned to the release must certify that security requirements
were met.
Core Security
Training
Establish
Security
Requirements
Create Quality
Gates / Bug Bars
Security &
Privacy Risk
Assessment
Establish Design
Requirements
Analyze Attack
Surface
Threat Modeling
Use Approved
Tools
Deprecate
Unsafe Function
Static Analysis
Dynamic
Analysis
Fuzz Testing
Attack Surface
Review
Incident
Response Plan
Final Security
Review
Release Archive
Execute Incident
Response Plan
Training Requirement Design Implementation Verification Release Response

14. 14
Roles and Responsibilities
Reviewer and Advisory Team Champions
Auditor Expert Security Champion Privacy Champion

15. 15
How do I get Started?
IDENTIFY SELF-
ASSES
IMPLEMEN
T

16. 16
Microsoft SDL Practices
Provide Training
Define Security
Requirements
Define Metrics and
Compliance
Reporting
Perform Threat
Modeling
Establish Design
Requirements
Define and Use
Cryptography
Standards
Manage the Security
Risk of Using Third-
Party Components
Use Approved Tools
Perform Static
Analysis Security
Testing (SAST)
Perform Dynamic
Analysis Security
Testing (DAST)
Perform Penetration
Testing
Establish a Standard
Incident Response
Process

17. 233 Needham St. Suite 450 Newton, MA,
02464
+1 617 454 1332 Fax: +1
617.454.1331
info@cybrella.io
Contact us:
facebook.com/cybrella
@cybrella
cybrella@gmail.com
Follow us on:

18. QNAP Supply
Chain
Vulnerabilities
Ver 2
Yoni Ramon
April 2022

19. $ whoami
19
 Yoni Ramon
 Long time Hacker, Penetration tester and a tech geek.
 Bug bounty hunter/Security researcher – Bugcrowd top 100
researcher HOF.
 Red Team Manager, Staff Security Engineer at Tesla.
 Member of Cybrella’s advisory board and provide in-depth security
expertise to Cybrella and their customers.
 Bonsai master in training 
• yoniramon@hotmail.com

20. Objectives
20
QNAP’s NAS security research
QNAP’s NAS security Vulnerabilities
What is QNAP’s NAS
Conclusions & Recommendations
What is a software supply chain

21. What is a software supply chain
21
The traditional definition of a supply chain comes from manufacturing; it is the chain of processes
required to make and supply something. It includes planning, supply of materials, manufacturing, and
retail. A software supply chain is similar, except instead of materials, it is code. Instead of
manufacturing, it is development. Instead of digging ore from the ground, code is sourced from
suppliers,
Why do we care?
your source code/Data will live in a private git repository, which could be part of your infrastructure
or SaaS provided by a vendor, as well as compiler tools, base container image registries, etc.

22. Case study
22
• SolarWinds
• GitHub
• Kronos
• NPM

23. What is QNAP’s NAS?
23

24. What is QNAP’s NAS?
24
• QNAP Taiwanese corporation that specializes in NAS/Cloud NAS (Network
Attached Storage), a file-level computer data storage server connected to a computer
network which is providing data access to a heterogeneous group of clients.
• QNAP appliances used for file sharing, virtualization, storage management and
surveillance applications.
• QNAP NAS solution is a world leader in network addressable storage devices and their
products are frequently used by organizations ranging from individuals, small SMBs to
some of the world’s largest enterprises.
• Customers of the NAS products are using “Helpdesk widget” which comes installed on many of the
vendor’s NAS devices just for "opening support tickets".

25. QNAP’s NAS Security Research
25
• Initial Research focusing on Common Injections and Overflows on the product level: CVE-2018-
0722, CVE-2018-0718, CVE-2018-0714, CVE-2017-13069.....

26. QNAP’s NAS Security Research
26

27. QNAP’s NAS Security Research
27
• The attack vector was through the “Helpdesk Widget” which was written in PHP, which makes it simple to
investigate.

28. QNAP’s NAS Security Research
28
• The customers API keys, including ApiKey and SecretKey, were written hardcoded in the Helpdesk
Application source code.
• Through a “google search” found extensive documentation for the product’s API, found that the REST API
has no concept of staff, team, or department permissions.
• The product’s own public documentation confirmed that the hardcoded API keys would in fact allow a
full access to all the data stored in the application.

29. QNAP’s NAS Security Research
29
• The REST API data returned by the application contained private and personal information.
• With access to emails, I was able to start searching for tickets associated with a specific email address or
domain.
• The conclusion was that the customers of the NAS products were using the Helpdesk Support Portal for
more than just opening support tickets.

30. QNAP’s NAS Security Vulnerabilities
30
Discovering Hardcoded Secret Keys
“To my surprise, the first file I opened in the helpdesk application contained hardcoded API keys.” He
reported. The below screenshot, Screenshot 1, is an actual capture made during Ramon’s test. To protect
QNAP and their customers the apiKey and secretKey have been obscured in the screenshot, but the
highlighted areas show where the keys existed in the file.
Screenshot 1 – Hardcoded API Keys

31. QNAP’s NAS Security Vulnerabilities
31
Confirming Validity and Permissions of Hardcoded Keys
The keys that I found in the file were valid, and determine what permissions were associated with them. A
quick google search and I found extensive documentation for the product’s API, which included the
following information”:
“The REST API does not require a staff user account to authenticate. The REST API authenticates to the
helpdesk using an API key and a secret. By using the API key, your connecting application gains access
to your helpdesk's data. This means that the REST API has no concept of staff, team, or department
permissions.” [Italics and underlining added].
Source: https://classichelp.kayako.com/hc/en-us/articles/360006459839-Kayako-REST-API

32. QNAP’s NAS Security Vulnerabilities
32
Data Leakage of Customers Data
The hardcoded API keys did indeed allow to search all the tickets stored on the application. And the ticket
IDs were all sequential and was able to easily access any ticket and it’s data.
Screenshot 2 – Able to Search All Tickets on Application

33. QNAP’s NAS Security Vulnerabilities
33
Private and Personal Information Discovered
The data returned by the application contained private and personal information that is potentially
damaging to the organization, their employees and partners, and to their customers. This type of personal
data is also especially useful to a hacker.
The ticket data in the application, included the following:
• Usernames
• Email addresses
• Ticket content
• Ticket attachment
• Ticket attachment ID
Screenshot 3 – Personal and Private Information

34. QNAP’s NAS Security Vulnerabilities
34
More Sensitive Data Revealed
Armed with personal and private information, was able to easily locate additional sensitive data. With
access to emails, was able to start searching for tickets associated with a specific email address or domain.
Discovered unpatched vulnerability reports for many of the users of the NAS equipment.
Some of these reports included the full exploit code within the ticket content. Many tickets also included
attachments containing full TCP Dumps and log files with lots of sensitive information.
Screenshot 4 – Attachments, Vulnerability Reports, TCPDumps

35. QNAP’s NAS Security Vulnerabilities
35
“The security flaw allowed full access to all data on the
platform’s support portal”

36. QNAP’s NAS Security remediation timeline
36
Timeline:
Thu 5/21/2020 - Initial report sent to security@qnap.com
Thu 5/21/2020 - QNAP escalated the issue to the security team.
Tue 6/2/2020 – API keys are rotated
Thu 6/11/2020 – QNAP issued CVE-2020-2500 and reward me with 500$ or a new NAS device.
(I already got 2 other NAS for reporting other issues; I think I’ll go for the 500$  )

37. Conclusions & Recommendations (supply chain)
37
• A criminal armed with the type of data exploited by this vulnerability could conceivably
mount a very sophisticated attack against a large number of organizations or individuals.
• Not only could complex phishing attacks be orchestrated, but nasty supply-chain strikes
could also be mounted.
• With a lot of organizations having literally thousands of suppliers, it’s not surprising that
many, if not most companies have experienced a supply-chain related breach within the
last year or two.
• Organizations need to protect themselves from vulnerabilities such as this one from QNAP
Via 3rd party/supplier risk assessments.

38. Conclusions & Recommendations(AppSec)
38
• Application security/product security should be implemented/required along side the
product life cycle.
• Don’t store hardcoded Keys in your code.
• Role base access control should be a fundamental requirement by Design…..
• Preform Penetration testing on an ongoing basis with trusted partners.
• Have a robust bounty program or VDP.

39. Thank You!
Questions?

40. 233 Needham St. Suite 450 Newton, MA,
02464
+1 617 454 1332 Fax: +1
617.454.1331
info@cybrella.io
Contact us:
facebook.com/cybrella
@cybrella
cybrella@gmail.com
Follow us on:

41. Cybrella AppSec Workshop
What you need to know
about protecting APIs

42. Giora Engel
Co-founder and CEO | Neosec
Co-chair of Fraud Control Task Force | FDX

43. Agenda
APIs and digital transformation
Challenges in securing APIs
API abuse case analysis
API priorities
Practical Guide: Where to start

44. APIs and Digital
Transformation

45. The API Security Environment
More API traffic
Existing application
security solutions not
built for APIs
83%
of web traffic
is APIs
By 2024, API abuses
and related data
breaches will nearly
double.1
1 Gartner: Top 10 Things Software Engineering Leaders Need to Know About APIs
2 Akamai: Blog - API Discovery and Profiling -- Visibility to Protection
More APIs deployed
every day
More API attacks

46. Payment Services
Fintech/
Banking
Healthcare
Open APIs: The New Network for B2B Connectivity
Merchant Merchant
Merchant
Merchant

47. Why APIs are the next security problem?
What digital transformation means to attackers.
Digital
Transformation
Yesterday’s Attacks Today’s Attacks
Target
Find data crown jewels
in the data center
Language
Packets & network traffic
How?
Closed, walled
environment. Penetrate
network before lateral
movement.
Target
Find the business logic and
data in APIs that is exposed
to external users
Language
API calls
(North-south & East-west)
How?
Data and transactions
exposed through APIs by
design. Compromise API
keys and credentials.

48. APIs and Digital Transformation
Stage 1
New Offering
New idea, product or
process.
Objective
To create new revenue
+ digital experience.
Stage 3
Open the API
Open portal to the
outside world that
exposes business
critical processes.
Objective
Control access using
private APIs that are
typically invite only.
Stage 2
Create New API
Design for customer or
partner access to new
process.
Objective
Positive customer
experience + fast go-
to-market.
Stage 4
Protect the APIs
Today, authenticated
APIs are assumed to
be safe.
Objective
- Inventory and Risk
Assessment
- Fix vulnerabilities
- Detect abuse
- Respond
automatically
Most
enterprises
are here

49. Challenges in
Securing APIs

50. Basic API Security is Necessary, But Not Sufficient
Known Threat Protection
(Bot Mitigation, WAF)
Authentication &
Authorization
(API Gateway)
DDoS Protection
(CDN)
Cloud Security
(CWPP, CSPM)
Account Takeover
Unauthorized
Data Access
Data
Harvesting
Authenticated Users & Partners
are the Riskiest
B2B / Partner
Integration
User Access
Fraud / Business
Logic Abuse

51. Attack Surface
Explosion
Distributed
Authorization
Business Logic
Complexity
New Challenges in API Architectures
Online Channels
Consumer Web / Mobile
• Web / mobile applications only
• Your code runs in the client
• End-user focused
• Interactive user session, can
step up auth when there is risk
• Backend was designed for the
home-grown frontend
API Channels
B2B Partners
• Many channels / clients
• Clients not under your control
• Many entities - user, partners -
each can be compromised
• Tokens are used long-term in the
background; can’t step up authn
• Multiple microservices, designed
to support any client
• Each microservice can only see
part of the picture

52. Abuse Case
Analysis

53. Abuse cases are not always vulnerabilities
Even perfectly written APIs
can be abused.
Credential stuffing in Financial
institutions
Reservation abuse in Hospitality
Trading platform
microtransaction automation in
Fintech
Payment abuse in Payments
etc....
Vulnerabilities Abuse Cases

54. API abuse case analysis
Identify what
you expose
New account creation
Paying invoices
Authentication
Reservation system
Payment transactions
Money movement
Gift card transactions
etc.....
Which entity
uses the API
B2B partners
Customers
Security risk
Entity becomes
compromised
Entity abuses or
misuses the API
Potential losses
Money
Information/data
Regulatory
compliance

55. API Priorities

56. What is your API landscape?
Busines
s Unit A
Busines
s Unit B
East-West APIs
Inside your organization
App A App B
App C
Outbound APIs
APIs you consume from outside
North-South
APIs you open to
the outside
Authenticated
Partner APIs | B2B
Web app, Mobile APIs | B2C
Mobile App
Website

57. Which API Problems?
Today’s Focus
Tomorrow’s Focus
Vulnerable APIs
Prevent OWASP Top 10 vulnerabilities
and misconfigurations from hitting
production.
Shadow APIs
Discover your complete API
footprint - including rogue, legacy,
admin, zombie, etc.
API Abuse
Stop business logic abuse such as data
scraping or data exfiltration using
behavioral analytics.

58. Practical Guide:
Where to start?

59. API Security Model
How mature is your organization?
Step 1 Step 2 Step 3 Step 4 Step 5 Step 6
Visibility to API
activity
API Discovery Risk Audit Behavioral
Detection
Response Investigate and
Threat Hunt
Do you have logs for
API environment?
Do you have access
to the logs?
Are your logs
sufficient?
Do you know all your
microservices?
Do you know all your
APIs?
What is your risk
posture?
• Misconfigured?
• Errors?
• Documented?
• Sensitive data?
Can you detect
misuse or business
abuse?
Can you identify the
entities in your APIs?
Deploy automated
responses?
Are responses
customizable?
Can you find threats
in your past data?
Can you hunt for
threats?
Use your own data.
Sensors not
required.
Breadth of coverage
is most important.
Audit of entire
estate, not just
where sensors
deployed.
Behavioral analytics
requires data &
SaaS.
Open platform to
create response
playbooks.
Requires historical
data and SaaS.

60. Investigations &
Threat Hunting
Better visibility by using modern techniques
Anti-virus EDR/XDR
Legacy Application
Security
Neosec API Detection
& Response
Signatures
Single request (Data not stored)
In-line
True behavioral
analytics
All requests over time
(Data stored in cloud)
SaaS service
Enterprise security
Application security
Detection method
Data evaluated
Deployment
Threat Hunting

61. Breadth of Discovery Matters
Continuous discovery
Continuously discovers new APIs from your own
technology stack.
API Gateways CDNs Reverse
Proxies
Improved Visibility
Never lose sight of your API inventory
ever again.
WAFs Logging platforms
Platform/Log Integration: CDN, API Gateway
Traffic Mirroring: Public Cloud & Orchestration
Container orchestration Public Cloud

62. Vulnerable APIs
Shadow APIs API Abuse
Continuous API
Discovery
Risk audit &
Posture Alerts
Behavioral Alerts
Detection & Response
Reinventing API Security
AI-Driven | 100% SaaS Platform | Data rich | API Detection and Response
Visibility & Investigations & Threat Hunting

63. API Security
Resource
Please visit our
API Security Fundamentals
resource page at
Neosec.com

64. Thank you

65. Application
Security
Services
Ver 2
Customer Story

66. Alon Mantsur
Cybrella Founder, and CEO
2
I started my cyber career 25 years ago when I was serving in a special technology
unit in the IDF, since then I founded 5 businesses in the cyber field.
Following my release from the military, in 2003 I established 2BSecure – one of the
leading cybersecurity services companies in Israel. We were the first MSSP, as well
as the first application security consultancy provider in Israel. Eventually,
2BSecure was acquired by Matrix, the largest IT company in Israel.
I founded Cybrella in 2019 to duplicate the success we had with 2BSecure into the
US market.
Cybrella offers professional cybersecurity services for small to medium sized
businesses, and to larger enterprises looking to expand their cybersecurity
capabilities.

67. Agenda
67
Cybrella Application Security Service Approach
Use Case - Startup from the Digital Marketing
Space
Deliverable - Vulnerability Lifecycle

68. The Journey building the Secured Product by NIST
68
Verification
• Pentest
• Attack Surface Review
• CSPM
Release
• Incident Respond Plan
• Finale Security Review
• Release Archive
Design
• Threat Modelling
• Analysis Attack
Surface
Product Security
Requirements
• Classify Application
Business Risk (1-3)
• Establish Security
Requirements
• Create Quality Gates / Bag
Bars
• Security & Privacy Risk
Assessments
Requirements
Design
02
Implement
03
Verify
04
Release
05
Recover
06
01
Implementation
• Deprecate Unsafe
Functions
• Security Tests Based On
Business Risk
Classification
• Static Analysis
• Open Source Analysis
• DAST
• IAC
• Containers
Recover
• Recovery Planning
improvements
• Communications

69. Integrate Security into Your Product DNA
AppSec – Cybrella Approach
69
Cybrella’s application security teams help the DevOps
in any stage of the lifecycle that the application is in,
from design/architecture to deployment.
Cybrella's applications security experts with a
background in developing and coding in broad types of
applications and domains - Web, Cloud, Mobile, IoT,
Embedded, etc.
Cybrella works closely with the DevOps team to
educate them in developing secure applications. We
also build the controllers and assess the systems to
identify and mitigate vulnerabilities and keep our clients'
apps' confidence and one step ahead of the hackers.

70. Application security from the design stage
70
• It is known that identifying and fixing security vulnerabilities late in the development process cost
much more than earlier identification
• According to IBM, the costs of identification of security bug can even cost 100 times more when
identification in maintenance stage rater than in earlier design stages
• On average, over 70% of the IT security budget is spent on Infrastructure, yet over 75% of attacks
happen at the Application level
• According to Microsoft Research, only 1/3 of developers are confident that they write secure code
People Procedures Technology

71. Developers Technology Human Resource
The Startup’s AppSec Challenges’
71
Penetration Test
Quality
Formal Training VS
Coaching & Continuous
Education
Scale
Management

72.  Started the program with 12 developers, now they have 60 developers for 2 business
application (SASS Products)
 ~1 M Lines of Code
 SCM – Gitlab.com ;
 DevOps – Kubernetes ; Containers;
 Ticketing – Jira (Cloud)
 Languages:
 Java + Scala
 .NET Core over Linux
 DB MSSQ
 Cloud over AWS.
 SAST/FOSS as a service by Checkmarx
 Location : US and Canada.
The Startup Application Environment
7
2

73. Application Security Organization - Key Players
73
Software
Architects
System
Architects
AppSec
Manager
Sales/Product
Drive new
Requirements
Support for
new Designs
GRC AppSec Expert
Security
Architect
DevSecOps
Team I
Dev Team Dev Team
Dev Team
Security
Champion
Team II
Dev Team Dev Team
Dev Team
Security
Champion
Team III
Dev Team Dev Team
Dev Team
Security
Champion
Team IV
Dev Team Dev Team
Dev Team
Security
Champion

74. Phase “0” Planning- Executive Directive and Alignment
74
Business
Requirements
• Compliance
SOC2/ISO27001/GD
PR
• SLA
• Liabilities
Prepare a Plan to
address the Risks
and Needs
• SDLC Program
• SecOps
• Compliance
Standards
(ISO/SOC2)
Management
Alignment
• Set clear Policy to
follow
• Assign Security
Champion Program
• Resources and
Budget
• Implementation &
Execution
• KPI Tracking

75. Cybrella AppSec Program – Phase I
75
R&D Manager /
CTO
AppSec Strategic
Advisor 10H/Months
Product
Subject Matter Expert
Developers
AppSec Architect
20H/Months

76. Cybrella AppSec Program – Phase II
76
R&D Manager /
CTO
AppSec Strategic
Advisor 10H/Month
Product
Subject Matter Expert
Code Review
50H/Month
Developers
AppSec Architect
10H/Month

77. Organization Chart – As Of Today
77
CISO
R&D
AppSec Manager
10H/Month
GRC
Subject Matter Expert
Code Review
140H/Month
Penetration Tests
20H/Month
DevOps
DevSecOps
IT Sec
AppSec Architect
10H/Month
PMO
10H/Month

78. AppSec Program from Zero to Hero
78
Threat Modeling
& Design
Product
Security
Requirements
SAST & DAST
Implementation
Penetration Testing
&
Attack Surface
Review
Incident
Respond &
Recovery Plan
ARO +
0
ARO +
12
ARO + 9
ARO +
1
ARO +
3

79. Building SAST Program
7
9
Kick-Start – First
Product /Project
[ 6-8 Weeks ]
 Initial Project
onboarding
 SDLC Integration
 Architecture Review
 Reporting Integration
 Ticketing Integration
 Training
Continuous AppSec Improvement
[ Rest of the contract period ] – 2-3
Projects/Month
 Consulting
advised
 QBR quarterly
 Dedicated
delivery manager
– Weekly calls
 Results Review
 KPI Review
 Activity Reports
Ongoing Support
Program
Management
Adoption
Discover
Integrate
Roll Out
For each project:
 Threat modeling +
Architecture review
 Code Review
 Results review
 Results clean up
 Mitigation advice
 Rules tuning
 Information
gathering
 Configure Users &
Policies
POV

80. It's a Journey, Be ready for changes if needed 80
24
Hours
2-4
Weeks
Daily Scrum Meeting
Potentially Shippable
Product Increment
Retrospective
Sprint Backlog
Product backlog

81. Where are the Flows Managed ?
81
Integrate the process to where developers live
JIRA:
• Security Requirements
• Security bugs
SCM
• Integrate the scanners results to show in
the SCM
Additional Tools
• Dashboard
• Vulnerabilities Lifecycle

82. Deliverable – A Vulnerability Lifecycle
82
New Finding
Know
what to
do?
False
Positive
?
Set
Priority
Suggest
False
Positive
Security
Champions
CX
Description
Code
Bashing
AppSec
Expert
Verification
Resolve
Verify
(Rescan)
Fix it Open Ticket
Risk
Acceptance
Backlog
No
No
Yes
Yes
Escalatio
n
Other,
Handle
later
High
&
Urgent
No
Yes

83. 233 Needham St. Suite 450 Newton, MA,
02464
+1 617 454 1332 Fax: +1
617.454.1331
info@cybrella.io
Contact us:
facebook.com/cybrella
@cybrella
cybrella@gmail.com
Follow us on:

84. Thank You!
Questions?
To be
continued…