![Page 1: Application Security Recipes for Fast-Paced Environments · 2020. 6. 17. · About Me • AppSec since 2004 • Doyensec Co-founder • Former AppSec Manager (LinkedIn), Director](https://reader035.vdocuments.site/reader035/viewer/2022071007/5fc43d6fcd3f6277bd3a7054/html5/thumbnails/1.jpg)
Application Security Recipes for Fast-Paced Environments
Luca Carettoni
About Me
• AppSec since 2004
• Doyensec Co-founder
• Former AppSec Manager (LinkedIn), Director of Security (Addepar), Senior Security Researcher (Matasano), …
• Warsaw <—> San Francisco
Fast-Paced Environments
For software development
• New code is quickly created and deployed
• e.g. Startups, Agile SDLC shops, …
• Facebook’s “Move Fast and Break Things”
Good Application Security is all about
• PEOPLE
• PROCESSES
• TECHNOLOGY
Good Application Security in fast-paced environments is all about
• MANY TALENTED PEOPLE
• EFFICIENT PROCESSES
• STATE-OF-THE-ART TECHNOLOGY
PEOPLE
Security Talent Shortage
• 189,000 LinkedIn members in InfoSec roles
• 10 countries make up 75% of the talent pool
• Employer demand
  • US 4:3
  • Singapore 5:1
  • …
  • Italy 50:1
• https://engineering.linkedin.com/security/exploring-information-security-talent-pool
How many?
• Rule of 2% works for small companies only
• In practice, you’re lucky if you have the budget and can hire 1%
PEOPLE - Take away
• Talented security professionals are difficult to find, hire, engage and retain
• Schools and universities won't catch up soon
• They’re your most precious asset
PROCESSES
Waterfall
DevOps
Divide et impera
Risk matrix to drive testing effort
Likelihood
• Service exposure
• Software maturity
• Use of modern web frameworks with built-in security mechanisms
• Confidence around your detection mechanisms and incident response
Impact
• Value of protected assets
• Bug classes
• Focus on game-over bugs only
• Focus on mitigations
• Prefer code coverage over attack coverage
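The likelihood and impact factors from the two slides above, worked into a small scoring script that ranks services and maps each onto a testing-effort band. This is an added example, not code from the talk: the 1 to 5 scales, the equal weighting of the likelihood factors, the effort bands and the three sample services are assumptions chosen for illustration.

```python
"""Rank services for security testing effort with a likelihood x impact risk matrix.

Added example (not from the original slides). Factor names follow the
"Likelihood" and "Impact" slides; the 1..5 scales, the weighting, the effort
bands and the sample inventory are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Service:
    name: str
    # Likelihood factors, each on an assumed 1 (low) .. 5 (high) scale
    exposure: int        # 5 = internet-facing and unauthenticated, 1 = internal only
    immaturity: int      # 5 = brand-new code, 1 = long-lived and well-exercised
    framework_gaps: int  # 5 = hand-rolled handlers/escaping, 1 = framework with built-in CSRF/XSS/ORM protections
    detection_gaps: int  # 5 = no logging or alerting, 1 = solid detection and incident response
    # Impact factors
    asset_value: int     # 5 = crown jewels (PII, money, secrets), 1 = throwaway data
    game_over_classes: tuple[str, ...] = ()  # bug classes that would be "game over" for this service


def likelihood(s: Service) -> float:
    """Average of the four likelihood factors, 1..5."""
    return (s.exposure + s.immaturity + s.framework_gaps + s.detection_gaps) / 4


def impact(s: Service) -> float:
    """Asset value, bumped by one if a game-over bug class applies (capped at 5)."""
    return min(5.0, s.asset_value + (1.0 if s.game_over_classes else 0.0))


def risk_score(s: Service) -> float:
    """Classic L x I cell value, 1..25."""
    return round(likelihood(s) * impact(s), 2)


def band(score: float) -> str:
    """Map a matrix cell onto the testing effort it earns (assumed thresholds)."""
    if score >= 15:
        return "HIGH: graybox review plus dynamic testing on every release"
    if score >= 8:
        return "MEDIUM: automated scan every release, manual review quarterly"
    return "LOW: automated scan only"


def plan(services: list[Service]) -> list[tuple[str, float, str]]:
    """Return (name, score, band) tuples, highest risk first."""
    ranked = sorted(services, key=risk_score, reverse=True)
    return [(s.name, risk_score(s), band(risk_score(s))) for s in ranked]


# Constructed sample inventory, not real systems.
SAMPLE = [
    Service("public-api", exposure=5, immaturity=4, framework_gaps=3, detection_gaps=3,
            asset_value=5, game_over_classes=("SQL injection", "auth bypass")),
    Service("admin-portal", exposure=2, immaturity=2, framework_gaps=1, detection_gaps=2,
            asset_value=5, game_over_classes=("SSRF to cloud metadata",)),
    Service("status-page", exposure=5, immaturity=1, framework_gaps=1, detection_gaps=2,
            asset_value=1),
]

if __name__ == "__main__":
    for name, score, effort in plan(SAMPLE):
        print(f"{name:14} {score:5.2f}  {effort}")
```

The point of the script is the ranking, not the absolute numbers: re-score when exposure or maturity changes (a new public endpoint, a rewrite) and let the band, not the calendar, decide how much testing a release gets.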
Home-field advantage
• Bugs tend to cluster. Spend time doing extra clean-up
• Always combine dynamic testing with source code reviews (graybox testing)
• Invest in framework-level protections
Translate security in numbers
• Build your own security metrics
  • # bugs discovered before prod
  • # bugs discovered by external parties
  • # bugs fixed
  • # incidents
  • # bug bounty payouts
  • …
• Include those metrics in your reports to both developers and execs
PROCESSES - Take away
• Releasing more code requires continuous AND focused testing
• Forget the “once-a-year pentest” approach
• Use likelihood and impact to drive your testing effort
• Maximize your home-field advantage
• Share your numbers with the rest of the organization
TECHNOLOGY
True fact
• No security boxes with blinking lights that you can plug in and walk away from
(Most) security tools are expensive
• Not just talking about $$$
• Evaluating, installing and tuning a security tool takes time and resources
• Also, you need knowledgeable people to properly install, use and maintain it
One step at a time
• Don’t aim at the top from day one
• Instead, improve over time
• E.g. Fortify SCA vs RepoGuard vs $grep
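What the "$grep" rung of that ladder looks like in practice: a pattern sweep over a source tree that costs nothing, runs in CI in seconds, and can later be replaced by a RepoGuard-style hook or a commercial SCA product without changing what developers see. This is an added example and not code from the talk or from any of the tools named; the rule set, the `grep-allow` suppression comment and the constructed mini-repo in `demo()` are assumptions.

```python
"""Step zero of static analysis: a grep-style pattern sweep over a repository.

Added example, not from the original slides. The rules, the inline allowlist
marker and the sample files are assumptions chosen to illustrate the "$grep"
stage; they are deliberately narrow so the tripwire stays credible.
"""
import os
import re
import tempfile

# (rule name, compiled pattern, severity). A grep sweep is not parser-aware, so
# every rule is kept precise enough that developers do not learn to ignore it.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    ("private-key-block", re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"), "high"),
    ("hardcoded-password", re.compile(r"(?i)password\s*=\s*['\"][^'\"]{4,}['\"]"), "medium"),
    ("python-eval", re.compile(r"\beval\s*\("), "medium"),
    ("shell-true", re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"), "medium"),
    ("unsafe-yaml-load", re.compile(r"\byaml\.load\((?![^)]*Loader)"), "medium"),
    ("pickle-load", re.compile(r"\bpickle\.loads?\("), "medium"),
]
SKIP_DIRS = {".git", "node_modules", "vendor", "__pycache__"}
INLINE_ALLOW = "grep-allow"  # assumed convention: a reviewed line carries this in a comment


def scan_text(path: str, text: str) -> list[dict]:
    """Run every rule over every line; return one finding dict per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if INLINE_ALLOW in line:
            continue
        for name, rx, severity in RULES:
            if rx.search(line):
                findings.append({"rule": name, "severity": severity, "path": path,
                                 "line": lineno, "snippet": line.strip()[:120]})
    return findings


def scan_tree(root: str) -> list[dict]:
    """Walk a checkout, pruning vendored and generated directories."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(os.path.relpath(full, root), fh.read()))
            except OSError:
                continue
    return findings


def demo() -> list[dict]:
    """Write a constructed mini-repo into a temp dir and scan it (sample data, not a real project)."""
    files = {
        "app/config.py": 'DB_PASSWORD = "hunter2-prod"\nAWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
        "app/views.py": "import yaml, subprocess\n"
                        "cfg = yaml.load(open('c.yml'))\n"
                        "safe = yaml.load(f, Loader=yaml.SafeLoader)\n"
                        "subprocess.run(cmd, shell=True)  # grep-allow: cmd is a constant\n",
        "node_modules/x/index.js": "eval(code)\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['severity']:6} {f['rule']:20} {f['path']}:{f['line']}  {f['snippet']}")
```

Run it as a CI step that fails the build on any `high` finding and merely comments on `medium` ones; the allowlist marker keeps the noise down until there is budget for a tool that understands data flow.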
Automation
• Take more risk today, and invest in security automation for tomorrow
• “If it can be automated, it should be automated”
A few examples 1/2
• Continuous port-scanning with a $0 solution based on Nmap
• Add NSE scripts and you get basic vulnerability scanning
• AWS/Azure/<yourFavouriteCloud> APIs for enumeration and services discovery
• SSH key provisioning service for temporary access to servers
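The first two bullets, as a worked example: a periodic Nmap run is only useful if something compares it with the previous run, so the piece worth writing is the diff. The script below builds the scan command (with the NSE `vuln` script category when wanted), parses Nmap's grepable `-oG` output and reports ports that opened or closed between two runs. This is an added example, not code from the talk; the two scan outputs are constructed in grepable format for fictitious hosts, and the argument list is an assumption (`-sS` needs root, use `-sT` otherwise).

```python
"""Continuous port scanning on a $0 budget: diff two Nmap runs and report drift.

Added example, not from the original slides. YESTERDAY and TODAY are
constructed nmap -oG outputs for fictitious hosts; nmap_argv() is an assumed
scan profile. Run it from cron or CI and route the drift to chat or a ticket.
"""
import re
from dataclasses import dataclass

# Grepable port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RX = re.compile(r"(\d+)/(open)/(tcp|udp)//([^/]*)//([^/]*)/")


def nmap_argv(targets: list[str], nse: bool = False) -> list[str]:
    """Argument vector for the periodic scan; nse=True adds basic vuln checks via NSE."""
    argv = ["nmap", "-Pn", "-sS", "-p-", "--open", "-oG", "-"]
    if nse:
        argv += ["-sV", "--script", "vuln"]
    return argv + targets


def parse_grepable(text: str) -> dict[str, dict[str, str]]:
    """Map host -> {'port/proto': 'service version'} from nmap -oG output."""
    hosts: dict[str, dict[str, str]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and 'Nmap done' lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split(" ", 1)[0]
        ports = hosts.setdefault(host, {})
        for port, _state, proto, svc, ver in PORT_RX.findall(fields.get("Ports", "")):
            ports[f"{port}/{proto}"] = f"{svc} {ver}".strip()
    return hosts


@dataclass
class Drift:
    opened: dict[str, dict[str, str]]  # host -> ports open now but not before
    closed: dict[str, dict[str, str]]  # host -> ports open before but not now

    def is_empty(self) -> bool:
        return not self.opened and not self.closed


def diff_scans(previous: str, current: str) -> Drift:
    """Compare two grepable scan outputs; new hosts show up as opened ports."""
    old, new = parse_grepable(previous), parse_grepable(current)
    opened: dict[str, dict[str, str]] = {}
    closed: dict[str, dict[str, str]] = {}
    for host in set(old) | set(new):
        o, n = old.get(host, {}), new.get(host, {})
        if n.keys() - o.keys():
            opened[host] = {p: n[p] for p in n.keys() - o.keys()}
        if o.keys() - n.keys():
            closed[host] = {p: o[p] for p in o.keys() - n.keys()}
    return Drift(opened, closed)


# Constructed scan outputs (grepable format), not real hosts.
YESTERDAY = """# Nmap 7.80 scan initiated as: nmap -Pn -sS -p- --open -oG - 10.0.0.0/28
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 443/open/tcp//https//nginx/\tIgnored State: closed (65533)
Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/\tIgnored State: closed (65534)
# Nmap done
"""
TODAY = """# Nmap 7.80 scan initiated as: nmap -Pn -sS -p- --open -oG - 10.0.0.0/28
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 443/open/tcp//https//nginx/, 5432/open/tcp//postgresql//PostgreSQL 12/\tIgnored State: closed (65532)
Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 8080/open/tcp//http-proxy///\tIgnored State: closed (65533)
Host: 10.0.0.9 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65534)
# Nmap done
"""

if __name__ == "__main__":
    print("would run:", " ".join(nmap_argv(["10.0.0.0/28"], nse=True)))
    drift = diff_scans(YESTERDAY, TODAY)
    for host, ports in drift.opened.items():
        for port, svc in ports.items():
            print(f"NEW  {host} {port} {svc}")
    for host, ports in drift.closed.items():
        for port in ports:
            print(f"GONE {host} {port}")
```

Keep yesterday's `-oG` file next to today's and feed both to `diff_scans`; a database port appearing on an internet-facing host, or a host nobody provisioned, is exactly the kind of event a once-a-year pentest would miss.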
A few examples 2/2
• Full web scanning automation
TECHNOLOGY - Take away
• Devote resources to security automation
• Having a big budget won’t necessarily solve your security problems
• People and tools are complementary
• If you need to choose, invest in a good security engineer