Affordable AppSec for Startups
OWASP and Null Delhi/NCR Chapter
(Sandeep Singh, Vaibhav Gupta and Vishal Asthana)
Agenda
• Why listen to us?
• What is AppSec?
• Do I need AppSec?
• I want to but..
• Presenting Affordable AppSec
• Still got hit?
Why listen to us?
• No choice! 
• We collectively represent [OWASP+Null]
Delhi/NCR Chapter’s Management Team.
• We are employed, so this is not a donation pitch!
• We know lots of bits about AppSec Programs from current and past
experience.
• Vendor-neutral recommendations.
What is AppSec?
• Application Security or Software Security
• Conducting security activities through the development cycle in an
attempt to improve the product’s security assurance posture.
• Simply put, reducing the chance of a breach through exploitation of
vulnerabilities in your codebase (and in the environment around it, including
the CI/CD setup).
Do I need AppSec?
• Maybe not today but eventually you will! Why?
• Compliance or regulatory requirements.
• Clients are increasingly demanding proof
(supply chain assurance).
• Reputational risk.
• M&A mandate.
• etc.
• I’ll take care of it later then.
• Trash that philosophy: it builds security debt. So?
• Debt adds up and, when left unchecked, becomes difficult to manage.
• Damage potential grows in proportion to it.
• So, start AppSec early to build a solid foundation!
I want to but..
• ..the list of things to be done is way too long.
• ..it’s an NFR (Non-Functional Requirement).
Clients don’t really care.
• ..I’m a start-up and could use the funds
for something better.
• ..I’m on Agile, little time, 2-week sprints.
• ..I’m a CI/CD shop, Lean Startup (MVP), and
deploy only 50 times a day.
Presenting Affordable AppSec
• Use the latest versions of 3rd-party components, esp. open-source ones.
• OpenSSL. Remember Heartbleed (www.heartbleed.com, CVE-2014-0160) in 2014.
• Are you still using one of the affected versions? E.g.: 1.0.1 – 1.0.1f (fixed in 1.0.1g).
• Are you using a really old (but unaffected) version and happy that you are secure? E.g.:
0.9.8, which Heartbleed never touched but which is end-of-life and gets no fixes for anything found since.
• Use OWASP Dependency Check to automate this: it matches your declared components against
published CVEs (https://www.owasp.org/index.php/OWASP_Dependency_Check).
• Use the security protections provided by application frameworks and
security libraries rather than writing your own. E.g.: Microsoft Anti-XSS library in .NET,
jsoup’s whitelist sanitizer, OWASP ESAPI etc.
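The version-range matching a dependency scanner performs, shown for the OpenSSL bullets above. This is an added example, not part of the original deck and not OWASP Dependency Check's code. The Heartbleed range (1.0.1 to 1.0.1f) and the end of support for OpenSSL 0.9.8 and 1.0.0 on 31 Dec 2015 are real; the manifest and the other component names are constructed, and a real scanner pulls its ranges from a CVE feed rather than a hard-coded table.

```python
# Added example (not from the deck, not OWASP Dependency Check's code): the
# version-range matching a dependency scanner does, using the real Heartbleed
# range for OpenSSL (1.0.1 through 1.0.1f, CVE-2014-0160). The manifest is
# constructed; the "jsoup" and "libxml2" entries are filler that should come out clean.
import re
from typing import Dict, List, Tuple

# OpenSSL 0.9.x/1.0.x patch releases carry a letter suffix: 1.0.1 < 1.0.1a < ... < 1.0.1f,
# and 0.9.8 ran past "z" to "za" .. "zh". Plain string comparison on the suffix
# preserves that order ("" < "a" < "z" < "za"), so the suffix is kept as a string.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

Version = Tuple[int, int, int, str]


def parse_version(text: str) -> Version:
    """Turn '1.0.1f' into (1, 0, 1, 'f'); raises ValueError on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix)


# (component, first affected, last affected, reason). Inclusive on both ends.
AFFECTED_RANGES = [
    ("openssl", "1.0.1", "1.0.1f", "CVE-2014-0160 Heartbleed"),
]

# Branches (major.minor.patch) whose support has ended: not hit by the CVE above,
# but they receive no further fixes either. OpenSSL 0.9.8 and 1.0.0 reached
# end of life on 2015-12-31.
EOL_BRANCHES = {
    "openssl": {(0, 9, 8), (1, 0, 0)},
}


def check_component(name: str, version: str) -> List[str]:
    """Findings for one component; an empty list means nothing was flagged."""
    v = parse_version(version)
    findings: List[str] = []
    for comp, first, last, reason in AFFECTED_RANGES:
        if comp == name and parse_version(first) <= v <= parse_version(last):
            findings.append(f"{name} {version}: vulnerable ({reason}); upgrade")
    if v[:3] in EOL_BRANCHES.get(name, set()):
        findings.append(f"{name} {version}: end-of-life branch, no further security fixes; upgrade")
    return findings


def check_manifest(manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Run check_component over a name -> version map and keep only flagged entries."""
    results = {name: check_component(name, ver) for name, ver in manifest.items()}
    return {name: f for name, f in results.items() if f}


# Constructed manifest standing in for a project's dependency list.
SAMPLE_MANIFEST = {"openssl": "1.0.1e", "jsoup": "1.9.2", "libxml2": "2.9.4"}

if __name__ == "__main__":
    for name, findings in check_manifest(SAMPLE_MANIFEST).items():
        for line in findings:
            print(line)
```

The suffix comparison is the part people get wrong when they roll their own check: a numeric-only parser either rejects 1.0.1f outright or drops the letter and reports 1.0.1g as vulnerable.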
Presenting Affordable AppSec (contd.)
• Learn about the OWASP Proactive Controls -
https://www.owasp.org/index.php/OWASP_Proactive_Controls
• Build them into your frameworks to create a Secure By Default state for
developers. E.g.: preventing SQL injection by making parameterized queries the only
way your data layer accepts a query.
• Invest in getting your developers regularly trained (and tested) on
secure coding, and your QA team on security testing.
• SAFECode’s Guidance for Agile Practitioners -
http://www.safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf
• OWASP Testing Guide –
https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
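The parameterized-query control from the Proactive Controls bullet above, as an added example that is not from the deck: the same login check written with string concatenation and with bound parameters, run against a constructed in-memory SQLite table. The function names, sample users and payload strings are assumptions made for the example.

```python
# Added example (not from the deck): one login query written the vulnerable way
# (string concatenation) and the secure-by-default way (bound parameters), run
# against a constructed in-memory SQLite table. Passwords are stored in clear
# text only to keep the injection visible; a real system stores password hashes.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one with an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("o'brien", "battery staple")],
    )
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE: input is spliced into the SQL text, so it can change the query's structure."""
    sql = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Secure by default: the SQL text is a constant; values travel separately as parameters."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Two classic payloads: a tautology in the password field, and a username that
# comments the password check out of the query ("--" starts a comment in SQLite).
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'-- "


def unsafe_rejects_legit_apostrophe(conn: sqlite3.Connection) -> bool:
    """Concatenation also breaks on honest input: o'brien's login is a SQL syntax error."""
    try:
        login_unsafe(conn, "o'brien", "battery staple")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("unsafe, tautology payload:", login_unsafe(db, "alice", TAUTOLOGY))      # True: bypass
    print("safe,   tautology payload:", login_safe(db, "alice", TAUTOLOGY))        # False
    print("unsafe, comment payload:  ", login_unsafe(db, COMMENT_OUT, "x"))        # True: bypass
    print("safe,   comment payload:  ", login_safe(db, COMMENT_OUT, "x"))          # False
    print("safe,   o'brien:          ", login_safe(db, "o'brien", "battery staple"))  # True
    print("unsafe breaks on o'brien: ", unsafe_rejects_legit_apostrophe(db))       # True
```

The o'brien case is the argument to make to developers who see parameterization as extra work: the concatenated version is not only exploitable, it is also wrong for ordinary users, and the fix for both is the same two-argument call.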
Presenting Affordable AppSec (contd.)
• Deploy a WAF (Web Application Firewall). E.g.: ModSecurity with the OWASP Core Rule Set.
A compensating control that buys time, not a substitute for fixing the code.
• Use compiler and linker hardening flags. E.g.: against memory-corruption exploits in C/C++,
MSVC’s /GS (stack cookies), /NXCOMPAT (DEP), /SAFESEH and /DYNAMICBASE (ASLR); the GCC/Clang
equivalents are -fstack-protector-strong, -Wl,-z,noexecstack, -fPIE -pie and -Wl,-z,relro,-z,now.
• Keep your servers (production, CI/CD, build etc.) and dev tools
patched. Why?
• An unpatched network service is a remote shell waiting to happen – oops!
• And a CI/CD pipeline hands whoever holds that shell an automated way to push changes to production.
• Talking about CI/CD..
• Code-driven configuration management, so patch levels and hardening are versioned and
repeatable. E.g.: Puppet, Chef, Ansible
• Security testing frameworks that run inside the pipeline. E.g.: Gauntlt, Mittn
Presenting Affordable AppSec (contd.)
• Manual code review of highly risky code – handling of sensitive data, parsing of
3rd-party/untrusted input etc.
• E.g.: Symantec Decomposer vulnerability
(http://googleprojectzero.blogspot.in/2016/06/how-to-compromise-enterprise-endpoint.html).
• Symantec ran its unpackers (parsers for attacker-supplied files) in the kernel on Windows, so a
parsing bug became kernel-mode code execution – excessive privilege for the riskiest code in the product!
• Pre-deployment:
• Internal CTF (Capture-The-Flag) contests → L1/L2 manual penetration tests.
• Pre-deployment configuration checks. E.g.: debug flags (such as ASP.NET’s <compilation debug="true">)
still enabled in the shipped config.
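The pre-deployment configuration check from the last bullet above, as an added example that is not from the deck: a script that reads an ASP.NET web.config and flags settings that must not reach production. The two sample configs are constructed; the three checks (compilation debug, customErrors mode, trace) and the framework defaults they fall back on are standard ASP.NET behaviour, and reading the whole file rather than grepping for one tag is what lets the check honour those defaults.

```python
# Added example (not from the deck): pre-deployment check of an ASP.NET web.config.
# Both sample configs are constructed; the first has every checked setting wrong.
import xml.etree.ElementTree as ET
from typing import List, Optional

BAD_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
  </system.web>
</configuration>
"""

CLEAN_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.5" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/error" />
  </system.web>
</configuration>
"""


def _attr(el: Optional[ET.Element], name: str, default: str) -> str:
    """Lower-cased attribute value. The framework default applies when the element
    or attribute is missing, which is why a missing element is never a finding."""
    if el is None:
        return default
    return el.get(name, default).strip().lower()


def check_web_config(xml_text: str) -> List[str]:
    """One finding per production-unsafe setting; an empty list means clean."""
    root = ET.fromstring(xml_text)
    # The tag name contains a dot, so match it by name rather than through a path expression.
    web = next((child for child in root if child.tag == "system.web"), None)
    if web is None:
        return []

    findings: List[str] = []

    # ASP.NET default is debug="false". A debug build disables optimisations and
    # response caching and returns detailed error pages.
    if _attr(web.find("compilation"), "debug", "false") == "true":
        findings.append('compilation debug="true": debug build in production; set debug="false"')

    # Default mode is RemoteOnly. "Off" sends stack traces and source snippets to remote clients.
    if _attr(web.find("customErrors"), "mode", "remoteonly") == "off":
        findings.append('customErrors mode="Off": detailed errors sent to remote clients; use "RemoteOnly" or "On"')

    # Default is enabled="false", localOnly="true". Enabled tracing exposes trace.axd with
    # every request's headers, cookies, form fields and server variables.
    trace = web.find("trace")
    if _attr(trace, "enabled", "false") == "true":
        who = "remote clients" if _attr(trace, "localOnly", "true") == "false" else "local users"
        findings.append(f'trace enabled="true": trace.axd readable by {who}; disable tracing before deploying')

    return findings


if __name__ == "__main__":
    for label, cfg in (("bad", BAD_WEB_CONFIG), ("clean", CLEAN_WEB_CONFIG)):
        print(f"{label}: {check_web_config(cfg) or ['no findings']}")
```

Wire it into the pipeline as a gate that fails the build on any finding; the same shape (parse the real config file, compare against the framework's defaults, emit one line per problem) carries over to other stacks' settings files.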
Still got hit?
• The measures above significantly reduce the attack surface but cannot make it zero. Why?
• Not every complex attack scenario or business-logic flaw can be predicted.
• So, why spend time on AppSec?
• ..to improve your chances by making you a less attractive target for attackers.
• Start AppSec early!
Thank You!

Bai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5 hot nhất
Thiên Đường Tình Yêu
 
一比一原版(warwick文凭证书)华威大学毕业证如何办理
一比一原版(warwick文凭证书)华威大学毕业证如何办理一比一原版(warwick文凭证书)华威大学毕业证如何办理
一比一原版(warwick文凭证书)华威大学毕业证如何办理
ysuah
 
Tama Tonga MFT T shirts Tama Tonga MFT T shirts
Tama Tonga MFT T shirts Tama Tonga MFT T shirtsTama Tonga MFT T shirts Tama Tonga MFT T shirts
Tama Tonga MFT T shirts Tama Tonga MFT T shirts
exgf28
 
Zephyr_CertificateOfCompletition_xxx.pdf
Zephyr_CertificateOfCompletition_xxx.pdfZephyr_CertificateOfCompletition_xxx.pdf
Zephyr_CertificateOfCompletition_xxx.pdf
AnielloGiugliano1
 

Recently uploaded (20)

Pune @Call @Girls 🛴 XXXXXXXXXX 🛴 available 24*7 cash payment book now pay later
Pune @Call @Girls 🛴 XXXXXXXXXX 🛴 available 24*7 cash payment book now pay laterPune @Call @Girls 🛴 XXXXXXXXXX 🛴 available 24*7 cash payment book now pay later
Pune @Call @Girls 🛴 XXXXXXXXXX 🛴 available 24*7 cash payment book now pay later
 
Cyber Security Course & Guide. X.GI. pdf
Cyber Security Course & Guide. X.GI. pdfCyber Security Course & Guide. X.GI. pdf
Cyber Security Course & Guide. X.GI. pdf
 
一比一原版(ubc毕业证书)英属哥伦比亚大学毕业证如何办理
一比一原版(ubc毕业证书)英属哥伦比亚大学毕业证如何办理一比一原版(ubc毕业证书)英属哥伦比亚大学毕业证如何办理
一比一原版(ubc毕业证书)英属哥伦比亚大学毕业证如何办理
 
sophos-xgs-series-firewall-datasheet.pdf
sophos-xgs-series-firewall-datasheet.pdfsophos-xgs-series-firewall-datasheet.pdf
sophos-xgs-series-firewall-datasheet.pdf
 
一比一原版(lu毕业证书)英国拉夫堡大学毕业证如何办理
一比一原版(lu毕业证书)英国拉夫堡大学毕业证如何办理一比一原版(lu毕业证书)英国拉夫堡大学毕业证如何办理
一比一原版(lu毕业证书)英国拉夫堡大学毕业证如何办理
 
一比一原版美国休斯敦大学毕业证(uh毕业证书)如何办理
一比一原版美国休斯敦大学毕业证(uh毕业证书)如何办理一比一原版美国休斯敦大学毕业证(uh毕业证书)如何办理
一比一原版美国休斯敦大学毕业证(uh毕业证书)如何办理
 
Future Trends What's Next for UI UX Design on Websites
Future Trends What's Next for UI UX Design on WebsitesFuture Trends What's Next for UI UX Design on Websites
Future Trends What's Next for UI UX Design on Websites
 
Ahmedabad @Call @Girls 0000000000 Riya Khan Beautiful And Cute Girl any Time
Ahmedabad @Call @Girls 0000000000 Riya Khan Beautiful And Cute Girl any TimeAhmedabad @Call @Girls 0000000000 Riya Khan Beautiful And Cute Girl any Time
Ahmedabad @Call @Girls 0000000000 Riya Khan Beautiful And Cute Girl any Time
 
10th International Conference on Networks, Mobile Communications and Telema...
10th International Conference on Networks, Mobile Communications and   Telema...10th International Conference on Networks, Mobile Communications and   Telema...
10th International Conference on Networks, Mobile Communications and Telema...
 
Megalive99 Situs Betting Online Gacor Terpercaya
Megalive99 Situs Betting Online Gacor TerpercayaMegalive99 Situs Betting Online Gacor Terpercaya
Megalive99 Situs Betting Online Gacor Terpercaya
 
SlideEgg_200767-ICC Mens T20 World Cup 2024.pptx
SlideEgg_200767-ICC Mens T20 World Cup 2024.pptxSlideEgg_200767-ICC Mens T20 World Cup 2024.pptx
SlideEgg_200767-ICC Mens T20 World Cup 2024.pptx
 
Quiz Quiz Hota Hai (School Quiz 2018-19)
Quiz Quiz Hota Hai (School Quiz 2018-19)Quiz Quiz Hota Hai (School Quiz 2018-19)
Quiz Quiz Hota Hai (School Quiz 2018-19)
 
@Call @Girls Worli phone 9920874524 You Are Serach A Beautyfull Dolle come here
@Call @Girls Worli phone 9920874524 You Are Serach A Beautyfull Dolle come here@Call @Girls Worli phone 9920874524 You Are Serach A Beautyfull Dolle come here
@Call @Girls Worli phone 9920874524 You Are Serach A Beautyfull Dolle come here
 
一比一原版(soas毕业证书)英国伦敦大学亚非学院毕业证如何办理
一比一原版(soas毕业证书)英国伦敦大学亚非学院毕业证如何办理一比一原版(soas毕业证书)英国伦敦大学亚非学院毕业证如何办理
一比一原版(soas毕业证书)英国伦敦大学亚非学院毕业证如何办理
 
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
 
一比一原版(liverpool毕业证)利物浦大学毕业证如何办理
一比一原版(liverpool毕业证)利物浦大学毕业证如何办理一比一原版(liverpool毕业证)利物浦大学毕业证如何办理
一比一原版(liverpool毕业证)利物浦大学毕业证如何办理
 
Bai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5 hot nhất
Bai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5  hot nhấtBai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5  hot nhất
Bai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5 hot nhất
 
一比一原版(warwick文凭证书)华威大学毕业证如何办理
一比一原版(warwick文凭证书)华威大学毕业证如何办理一比一原版(warwick文凭证书)华威大学毕业证如何办理
一比一原版(warwick文凭证书)华威大学毕业证如何办理
 
Tama Tonga MFT T shirts Tama Tonga MFT T shirts
Tama Tonga MFT T shirts Tama Tonga MFT T shirtsTama Tonga MFT T shirts Tama Tonga MFT T shirts
Tama Tonga MFT T shirts Tama Tonga MFT T shirts
 
Zephyr_CertificateOfCompletition_xxx.pdf
Zephyr_CertificateOfCompletition_xxx.pdfZephyr_CertificateOfCompletition_xxx.pdf
Zephyr_CertificateOfCompletition_xxx.pdf
 

Affordable AppSec for Startups by Sandeep Singh, Vaibhav Gupta and Vishal Asthana

Affordable AppSec for Startups
OWASP and Null Delhi/NCR Chapter
(Sandeep Singh, Vaibhav Gupta and Vishal Asthana)

Agenda
• Why listen to us?
• What is AppSec?
• Do I need AppSec?
• I want to but..
• Presenting Affordable AppSec
• Still got hit?
2

Why listen to us?
• No choice! ☺
• We collectively represent the [OWASP+Null] Delhi/NCR Chapter’s Management Team.
• We are employed, so this is not a donation pitch!
• We know lots of bits about AppSec programs from current and past experience.
• Vendor-neutral recommendations.
3

What is AppSec?
• Application Security or Software Security.
• Conducting security activities throughout the development cycle in an attempt to improve the product’s security assurance posture.
• Simply put, reducing the chances of breaches and hacks through exploitation of vulnerabilities in your underlying codebase (and the underlying environment in a CI/CD setup).
4

Do I need AppSec?
• Maybe not today, but eventually you will! Why?
• Compliance or regulatory requirements.
• Clients are increasingly demanding proof (supply chain assurance).
• Reputational risk.
• M&A mandate.
• etc.
• I’ll take care of it later then.
• Trash that philosophy, as it builds security debt. So?
• It adds up and, when left unchecked, becomes difficult to manage.
• Damage potential is directly proportional.
• So, start AppSec early to build a solid foundation!
5

I want to but..
• ..the list of things to be done is way too long.
• ..it’s an NFR (Non-Functional Requirement). Clients don’t really care.
• ..I’m a startup and could use the funds for something better.
• ..I’m on Agile, little time, 2-week sprints.
• ..I’m a CI/CD shop, Lean Startup (MVP), and deploy only 50 times a day.
6
Presenting Affordable AppSec
• Use the latest versions of 3rd party components, esp. open source ones.
• OpenSSL. Remember HeartBleed (www.heartbleed.com) in 2014.
• Are you still using one of the affected versions? E.g.: 1.0.1 – 1.0.1f
• Are you using a really old (but unaffected) version and happy that you are secure? E.g.: 0.9.8
• Use OWASP Dependency Check to simplify this process (https://www.owasp.org/index.php/OWASP_Dependency_Check).
• Use the security protections provided by application frameworks and security libraries. E.g.: Microsoft Anti-XSS library in .NET, jsoup whitelist sanitizer, OWASP’s ESAPI etc.
7
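The two OpenSSL questions on this slide (inside an affected range, or on an old branch that no longer gets fixes) are exactly what a dependency gate has to answer for every pinned component. The script below is an added example written for this page, not OWASP Dependency Check and not code from the deck: it parses OpenSSL-style versions such as `1.0.1f` into comparable keys and checks a manifest against a small advisory list. Only the HeartBleed range (1.0.1 through 1.0.1f) comes from the slide; the end-of-life entry for the 0.9.8 branch and the sample manifest are constructed for illustration, and the `check_manifest` / `version_key` names are this example's own.

```python
"""Minimal dependency version gate (added example, not OWASP Dependency Check).

Flags components whose pinned version falls inside a known-affected range
or sits on a branch that is end-of-life and therefore never patched.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# OpenSSL-style versions: dotted numbers plus an optional letter suffix (1.0.1f).
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")


def parse_version(v: str) -> Tuple[Tuple[int, ...], str]:
    """'1.0.1f' -> ((1, 0, 1), 'f'). Raises ValueError on unparseable input."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, m.group(2)


def version_key(v: str) -> Tuple[Tuple[int, ...], str]:
    """Sortable key: numeric part first (padded so 1.0 == 1.0.0), suffix second,
    so plain '1.0.1' sorts before '1.0.1a' and '1.0.1g' sorts after '1.0.1f'."""
    nums, suffix = parse_version(v)
    nums = nums + (0,) * (4 - len(nums))
    return nums, suffix


@dataclass(frozen=True)
class Advisory:
    component: str
    kind: str   # "vulnerable" (has a known hole) or "eol" (receives no fixes at all)
    low: str    # inclusive lower bound of the affected range
    high: str   # inclusive upper bound of the affected range
    note: str


# Constructed advisory list for illustration. The HeartBleed range is the one
# named on the slide; the 0.9.8 entry models the "old but unaffected" trap:
# the branch is unsupported, so being outside the HeartBleed range is not safety.
ADVISORIES: List[Advisory] = [
    Advisory("openssl", "vulnerable", "1.0.1", "1.0.1f", "Heartbleed (2014)"),
    Advisory("openssl", "eol", "0.9.8", "0.9.8zz", "0.9.8 branch is end-of-life"),
]


def check_manifest(manifest: Dict[str, str]) -> List[str]:
    """manifest maps component name -> pinned version. Returns findings to fail the build on."""
    findings = []
    for comp, ver in manifest.items():
        key = version_key(ver)
        for adv in ADVISORIES:
            if adv.component != comp.lower():
                continue
            if version_key(adv.low) <= key <= version_key(adv.high):
                findings.append(f"{comp} {ver}: {adv.kind.upper()} - {adv.note}")
    return findings


if __name__ == "__main__":
    # Constructed sample manifest, as a build script would read it from a lock file.
    sample = {"openssl": "1.0.1e", "jsoup": "1.8.3"}
    for line in check_manifest(sample):
        print("FAIL", line)
```

Wire `check_manifest` into the CI job that builds the artifact and make any finding fail the build; the point of the EOL entry is that "not in the HeartBleed range" is not the same question as "still receives fixes".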
Presenting Affordable AppSec (contd.)
• Learn about Proactive Security Controls - https://www.owasp.org/index.php/OWASP_Proactive_Controls
• Build them into your frameworks to create a Secure By Default state for developers. E.g.: preventing SQL injection by using parameterized queries.
• Invest in getting your developers regularly trained (and tested) on secure coding, and your QA team on security testing.
• SAFECode’s Guidance for Agile Practitioners - http://www.safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf
• OWASP Testing Guide – https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
8
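The slide's own example of a proactive control is parameterized queries. The block below is an added example for this page (not code from the deck or from OWASP): it puts the string-built query beside the parameterized one against an in-memory SQLite table, so the difference is visible on the classic `' OR '1'='1` input, and then shows the "build it into your framework" step as a thin wrapper whose only query entry point takes bound parameters. The table contents, the `ParamOnlyDB` class and the function names are constructed for illustration.

```python
"""SQL injection: string-built query vs. parameterized query, plus a
secure-by-default wrapper. Added example, not from the slide deck."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Deliberately vulnerable: caller-controlled text is spliced into SQL syntax."""
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Parameterized: the driver binds the value, so it can never become syntax."""
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


class ParamOnlyDB:
    """Secure-by-default data access layer (hypothetical wrapper for this example).

    The only query entry point takes a parameter tuple, and SQL text containing
    a quoted literal is rejected, so a developer cannot format user data into
    the statement by accident. The injection above is not expressible here.
    """

    def __init__(self, conn: sqlite3.Connection) -> None:
        self._conn = conn

    def query(self, sql: str, params: Tuple = ()) -> List[Tuple]:
        if "'" in sql or '"' in sql:
            raise ValueError("string literals are not allowed in SQL text; bind them as parameters")
        return self._conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"
    print("unsafe returns", len(find_user_unsafe(conn, probe)), "rows")  # every user
    print("safe   returns", len(find_user_safe(conn, probe)), "rows")    # none
    print("wrapper:", ParamOnlyDB(conn).query("SELECT username FROM users WHERE role = ?", ("user",)))
```

The wrapper is the part that scales: training tells developers why `find_user_unsafe` is wrong, but an API that only accepts bound parameters means the next engineer does not have to remember.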
Presenting Affordable AppSec (contd.)
• Deploy a WAF (Web Application Firewall). E.g.: ModSecurity.
• Use compiler security flags. E.g.: for buffer overflows in C/C++ (/gs, /nxcompat, /dep, /safeseh).
• Keep your servers (production, CI/CD, build etc.), dev. tools etc. patched. Why?
• Network attacks – shells – oops!
• A CI/CD pipeline gives an automated way to deploy changes to production.
• Talking about CI/CD..
• Code-driven configuration management. E.g.: Puppet, Chef, Ansible
• Pen testing frameworks. E.g.: Gauntlt, mittn
9

Presenting Affordable AppSec (contd.)
• Manual code review of highly risky code – sensitive data, 3rd party interaction etc.
• E.g.: Symantec Decomposer vulnerability (http://googleprojectzero.blogspot.in/2016/06/how-to-compromise-enterprise-endpoint.html).
• Symantec runs their unpackers in the kernel – excessive privileges!
• Pre-deployment:
• Internal CTF (Capture-The-Flag) contests → L1/L2 manual penetration tests.
• Pre-deployment configuration checks. E.g.: <debug> tags.
10
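The last bullet, pre-deployment configuration checks for `<debug>` tags, is the kind of gate that is cheap to automate. The block below is an added example for this page, not code from the deck: it walks an XML configuration and reports settings that must not reach production, namely a `<debug>` element switched on, any element carrying `debug="true"`, and, because they are the same class of leak, `<customErrors mode="Off">` and `<trace enabled="true">` (real ASP.NET Web.config settings; the slide only names `<debug>`). The two sample configs are constructed for illustration and the `find_debug_settings` / `deployment_gate` names are this example's own.

```python
"""Pre-deployment configuration gate for debug settings (added example)."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: a config that must NOT ship. Shape loosely follows an
# ASP.NET Web.config; the values are made up for this example.
BAD_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <customErrors mode="Off" />
    <trace enabled="true" />
  </system.web>
  <appSettings>
    <debug>true</debug>
  </appSettings>
</configuration>"""

# Constructed sample: the same config with production values.
GOOD_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.5" />
    <customErrors mode="RemoteOnly" />
    <trace enabled="false" />
  </system.web>
</configuration>"""

_TRUE = ("true", "1", "on", "yes")


def find_debug_settings(xml_text: str) -> List[str]:
    """Return one finding per debug-style setting left enabled in the XML."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # drop any XML namespace prefix
        attrs = {k.lower(): v.strip().lower() for k, v in el.attrib.items()}
        text = (el.text or "").strip().lower()
        if tag == "debug" and text in _TRUE:
            findings.append("<debug> element is enabled")
        if attrs.get("debug") in _TRUE:
            findings.append(f'<{tag} debug="true"> leaves debug compilation on')
        if tag == "customerrors" and attrs.get("mode") == "off":
            findings.append('<customErrors mode="Off"> sends stack traces to clients')
        if tag == "trace" and attrs.get("enabled") in _TRUE:
            findings.append('<trace enabled="true"> exposes request tracing')
    return findings


def deployment_gate(xml_text: str) -> bool:
    """True when the configuration is clear to deploy, False otherwise."""
    return not find_debug_settings(xml_text)


if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, "->", "deploy" if deployment_gate(cfg) else "BLOCK")
        for f in find_debug_settings(cfg):
            print("   ", f)
```

Run `deployment_gate` against the rendered production config in the pipeline step that precedes the deploy; a non-empty findings list is a failed build, not a warning.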
Still got hit?
• The measures described previously would significantly reduce the attack surface, but cannot make it zero. Why?
• Not all complex attack scenarios or business logic flaws can be predicted.
• So, why spend time on AppSec?
• ..to improve your chances by making you a less attractive target for attackers.
• Start AppSec early!
11