This slide set describes developing an AppSec culture in your projects. This includes how to implement security risk assessment program, threat modeling and security designs and tools for security Automation.

1. How to develop an AppSec culture
in your project
Nirosh

2. A bit about Me
I’m a Senior Security Engineer & Pentester. I have nearly three years of experience in
Information Security and Secure Software Development.
Educational Background
• BSc. Eng (Hons) in Computer Science and Engineering - University of Moratuwa, Sri Lanka
• MSc in Security Engineering (Reading) - University of Moratuwa, Sri Lanka
Certifications
 Web application Penetration Tester (eWPT) - eLearnSecurity
Certificate ID: EWPT-343
 Certified Ethical Hacker (CEHv9) – EC Council
Certification Number: ECC39012388466
 Certified Information Security Expert (CISE) – Innobuzz
License Number: 30471

3. Why AppSec is a major concern?
From https://www.akamai.com/
(2018/08/12 – 2018/08/19)

4. Why web application attacks occur?
Application Developers
and QA Professionals
Don’t Know Security
“As an Application
Developer, I can build
great features and
functions while
meeting deadlines,
but I don’t know how
to develop my web
application with
security as a
feature.”
Steve Carter

5. Security
Assessments
What ? Why? How ?

6. • Periodic Assessments – Once in every quarter ( Recommended)
Vulnerability Assessments
• Twice a year
Penetration Testing
• Twice a year
Security Code Reviews

7. Risk Classification Methodology
Risks can be classified using the following methodology:
Risk = Impact × Likelihood
Reference: OWASP Standards

9. Security in Agile
• Dedicated sprint focusing on application security
• Stories implemented are security related
• Code is reviewed
Security
Sprint
Approach
• Similar to Microsoft Security Development
Lifecycle (SDL)
• Consists of the requirements and stories
essential to security
• No software should ever be released without
requirements being met
Every Sprint
Approach

10. Secure
Software
Development
Process
•Guide Developers to follow
Secure Coding Guidelines
•Help QAs to integrate basic
security test checklist into
their regular test cases
•Threat Modeling and Security
Designs

11. Threat
Modeling What is it?

12. It is a structured
approach that
enables you to
identify,
quantify, and
address the
security risks
associated with
an application Step 4 Validate
Step 3 Determine countermeasures
and mitigation
Step 2 Identify threats
Step 1 Diagrams

13. An Example – User Login

14. Username harvesting – Show generic error message

15. Too user friendly. :P

16. Case Study:
• A Norway based professional company uses a software application
which can allow users to book professionals (Electrician, Plumber)
and request professional services through the company.
• They wanted a new feature in this application which can allow users
to upload and download property documents and maintenance
documents. Access to these documents must be strictly restricted to
relevant users.

17. • Since last week, the dev team is designing the new feature for the
website, that will enable authenticated users to upload and download
property documents.
• The architects will reuse the existing infrastructure whenever possible
(they already have user accounts).
• One of the board members got to know about these cyber attackers
and the crazy attacks they perform which can easily damage the
business and its reputation.

18. • He also heard about the threat modeling which helps project teams
to identify major threats and take necessary security measures before
they even start implementation.
• He hired you to help project team with this.

19. Data Flow Diagram

20. What can go wrong?
Microsoft’s STRIDE Model
• Spoofing - Impersonate User
• Tampering - Maliciously change/modify persistent data, such as
persistent data in a database, and the alteration of data in transit
• Repudiation - Perform an illegal action and deny it.
• Information Disclosure - Read a file that one was not granted access
to, or to read data in transit
• Denial of Service - Deny access to valid users
• Elevation of Privilege - Gain privileged access or gain unauthorized
access

21. Threat Model

22. Threats in detail..

23. Secure Design
Principles /
Trust Model
Authentication
Authorization
Cookie Management
Data/Input Validation
Error Handling/Information leakage
Logging/Auditing
Cryptography
Secure Code Environment
Session Management

24. Mitigation and Countermeasures

25. Security Automation
using Tools
How?

26. Web Application Security Risks
For 2017, the OWASP Top 10 Most Critical Web Application Security
Risks are:

27. Tools & Technologies
Vulnerability Assessment & Pentesting
-OWASP ZAP, Burp suite Scanner, Acunetix, SQLMap, Kali Linux, Arachni
-With lots of Manual effort- OWASP/ SANS security assessment guidelines
-Third party libraries – OWASP Dependency Check, RetireJs
Server-side Security Assessment Tools
-Nessus, Nmap, Nikto, OpenVAS, Wireshark, Metasploit framework
Static Code Analysis
-Manual Code Review, Findsecbug/PMD
You can use commercial tools to perform assessments if you can purchase them

28. Demo

30. Acunetix Web App Scanner