DevSecCon, profile picture
Uploaded byDevSecCon
PDF, PPTX144 views

DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preventing your Success by Pete Chestna

The document summarizes Peter Chestna's presentation on common application security (AppSec) anti-patterns and practical solutions. It discusses how InfoSec differs from AppSec in terms of maturity. It then outlines several common AppSec anti-patterns such as only focusing on critical applications, not properly managing open source components, and having a security mandate without relationships. For each anti-pattern, it provides strategies for practical solutions such as comprehensive security policies, mapping all applications to a maturity model, selecting appropriate security metrics, and establishing an open source incident response plan.

Embed presentation

Download as PDF, PPTX
Join the conversation #DevSecCon PETER CHESTNA Maginot Line Common AppSec Anti-Patterns
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES2 @PeteChestna Who am I? • 25+ Years Software Development Experience • 11+ Years Application Security Experience • Certified Agile Product Owner and Scrum Master • At Veracode since 2006 • From Waterfall to Agile to DevOps • From Monolith to MicroService • Consultant on DevSecOps best practices • Fun Fact: I love whiskey! • Tell me where to drink local whiskey
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES3 @PeteChestna Agenda • InfoSec vs. AppSec maturity • Common anti-patterns • Practical solutions
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES4 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES InfoSec vs. AppSec
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES5 @PeteChestna InfoSec
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES6 @PeteChestna AppSec
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES7 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES AppSec Anti-Patterns
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES8 @PeteChestna AP: The Goal?
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES9 @PeteChestna AP: The Goal?
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES10 @PeteChestna AP: The Goal?
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES11 @PeteChestna AP: The Goal? Find TrackDevelop Fix Re-test Develop Bug No Bug Develop Develop Develop
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES12 @PeteChestna AP: The Goal?
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES13 @PeteChestna Measurement is Key
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES14 @PeteChestna Training and Awareness
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES15 @PeteChestna Train Yourself on the Process
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES16 @PeteChestna Help them fix what they find
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES17 @PeteChestna AP: Security Mandate
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES18 @PeteChestna AP: Security Mandate
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES19 @PeteChestna Relationships
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES20 @PeteChestna Mutual Accountability
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES21 AP: Protect Just the Critical Applications Retailer How: Sophisticated kill chain including exploitation of vulnerable web application Result: Hackers stole names, mailing addresses, phone numbers and email addresses for more than 70 million shoppers Financial Institution How: Vulnerability on website built and maintained by third-party vendor in support of a charity. Result: Usernames and passwords for 76 million households and 7 million business were stolen
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES22 @PeteChestna AP: Protect Just the Critical Applications Strategy: Comprehensive AppSec • Application Inventory • Map to Maturity Model • Set Security Policies • Select Metrics • Report Regularly
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES23 @PeteChestna AP: Protect Just the Critical Applications Strategy: Map All Applications to Maturity Model Baseline Ostrich Reactive Proactive Adaptive
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES24 @PeteChestna AP: Protect Just the Critical Applications Strategy: Select Metrics Per Application • Scanned vs Unscanned • Only include policy flaws • Flaws Found vs. Fixed • Flaws Introduced • Utilization • Automation
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES25 @PeteChestna AP: Protect Just the Critical Applications Strategy: Report Regularly • Fair and transparent • Per Application • Per Team • Per Management Level • Include Maturity Level • Gamify if possible
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES26 @PeteChestna AP: What Open Source? Healthcare Provider How: Targeted a flaw in OpenSSL, CVE-2014-0160, better known as Heartbleed Result: The theft of Social Security Numbers and other personal data belonging to 4.5 million patients Financial Institution How: Hackers exploited a known vulnerability in an open source component Result: Social Security Numbers and personal data for more than 143 million Americans stolen. Three executives lose their jobs.
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES27 @PeteChestna Built Mostly from Components 80% to 95% of modern apps consist of assembled components. Proprietary Code Open Source Open Source Open Source Open Source Open Source Open Source Open Source Open Source Open Source Open Source Open Source Open Source
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES28 @PeteChestna Open Source – More or Less Secure? • Defect rate in open source is no better or worse than first party code • The difference is that developers never revisit • Integrated and abandoned • It’s not a problem until a vulnerability is discovered
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES29 @PeteChestna Integrated and Abandoned Explicitly - Struts
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES30 @PeteChestna Integrated and Abandoned Implicitly – Apache Commons Collections
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES31 @PeteChestna Component Family Tree – Apache Commons Collection (ACC) 3.2.1 Apache Commons Collections 3.2.1 (1290) Apache Commons BeanUtils (1348) Spring Web (1779) Spring Framework (501) ... Core Hibernate ORM Functionality (1185) Spring TestContext Framework (3007) Spring Web MVC (1314) ... Apache Commons Configuration (803) Hadoop Core (399) SonarQube Plugin API (262) ... Apache Velocity (748) Spring Context Support (916) SnakeYAM (519) ... Within 5 generations, 80,323 components contain ACC 3.2.1 The components are then used in millions of software applications >26% of software applications had ACC 3.2.1 50.3% of software applications had some vulnerable version of ACC
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES32 @PeteChestna AP: What Open Source? Strategy: Security Champions
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES33 @PeteChestna AP: What Open Source? Strategy: Assess MTTR • How quickly can you ship a code change? • For each application: – Methodology – Test automation – Time to deploy – CI/CD? – Minutes/Hours/Days/Weeks?
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES34 @PeteChestna AP: What Open Source? Strategy: OSS Incident Response Plan • Monitor for new CVEs • Triage CVE based on: – Database of applications – CVSS score – Known exploit • Disseminate to champions – Vulnerability assessment – Remediation plan – Notification of remediation or mitigation
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES42 @PeteChestna Conclusions
Join the conversation #DevSecCon Thank You

More Related Content

PDF
RSAC DevSecOpsDays 2018 - We are all Equifax
bySonatype
 
PPTX
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
byDevSecCon
 
PDF
Building a DevSecOps Pipeline Around Your Spring Boot Application
byVMware Tanzu
 
PDF
In graph we trust: Microservices, GraphQL and security challenges
byMohammed A. Imran
 
PDF
DevSecCon Tel Aviv 2018 - Value driven threat modeling by Avi Douglen
byDevSecCon
 
PDF
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
byDevSecCon
 
PDF
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
byDevSecCon
 
PDF
DevSecCon London 2018: Open DevSecOps
byDevSecCon
 
RSAC DevSecOpsDays 2018 - We are all Equifax
bySonatype
 
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
byDevSecCon
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
byVMware Tanzu
 
In graph we trust: Microservices, GraphQL and security challenges
byMohammed A. Imran
 
DevSecCon Tel Aviv 2018 - Value driven threat modeling by Avi Douglen
byDevSecCon
 
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
byDevSecCon
 
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
byDevSecCon
 
DevSecCon London 2018: Open DevSecOps
byDevSecCon
 

What's hot

PDF
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
byJames Wickett
 
PPTX
DevSecOps : an Introduction
byPrashanth B. P.
 
PDF
DevOps or DevSecOps
byMichelangelo van Dam
 
PDF
Serverless Security: Doing Security in 100 milliseconds
byJames Wickett
 
PDF
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
PDF
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
PPTX
DevOps Friendly Doc Publishing for APIs & Microservices
bySonatype
 
PPTX
Defining DevSecOps
byUchit Vyas ☁
 
PDF
Security as Code: A DevSecOps Approach
byVMware Tanzu
 
PDF
DevSecOps: A New Hope for Security in CI/CD
byFranklin Mosley
 
PDF
Hacker Games & DevSecOps
bylokori
 
PDF
DevSecCon London 2017: Hands-on secure software development from design to de...
byDevSecCon
 
PPTX
How to get the best out of DevSecOps - an operations perspective
byColin Domoney
 
PDF
DevSecCon London 2017: Their-problems-are-your-problems-devseccon by Tim Kadlec
byDevSecCon
 
PDF
Attacking Pipelines--Security meets Continuous Delivery
byJames Wickett
 
PDF
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
bySecureSoftwareDevOn SecureSoftwareDevOn
 
PPTX
DevOps Days Columbus - Derek Weeks - 2019
bySonatype
 
PDF
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
byDevSecCon
 
PDF
From Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-Napoca
byjerryhargrove
 
PDF
Security in serverless world
byYan Cui
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
byJames Wickett
 
DevSecOps : an Introduction
byPrashanth B. P.
 
DevOps or DevSecOps
byMichelangelo van Dam
 
Serverless Security: Doing Security in 100 milliseconds
byJames Wickett
 
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
DevOps Friendly Doc Publishing for APIs & Microservices
bySonatype
 
Defining DevSecOps
byUchit Vyas ☁
 
Security as Code: A DevSecOps Approach
byVMware Tanzu
 
DevSecOps: A New Hope for Security in CI/CD
byFranklin Mosley
 
Hacker Games & DevSecOps
bylokori
 
DevSecCon London 2017: Hands-on secure software development from design to de...
byDevSecCon
 
How to get the best out of DevSecOps - an operations perspective
byColin Domoney
 
DevSecCon London 2017: Their-problems-are-your-problems-devseccon by Tim Kadlec
byDevSecCon
 
Attacking Pipelines--Security meets Continuous Delivery
byJames Wickett
 
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
bySecureSoftwareDevOn SecureSoftwareDevOn
 
DevOps Days Columbus - Derek Weeks - 2019
bySonatype
 
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
byDevSecCon
 
From Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-Napoca
byjerryhargrove
 
Security in serverless world
byYan Cui
 

Similar to DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preventing your Success by Pete Chestna

ODP
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
byMatt Tesauro
 
PPTX
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
byMichael Man
 
PDF
New Era of Software with modern Application Security v1.0
byDinis Cruz
 
PDF
The State of Software Security 2022 SOSS - Solution
byNeelKamalSingh8
 
PDF
Veracode Corporate Overview - Print
byAndrew Kanikuru
 
PDF
From Rogue One to Rebel Alliance: Building Developers into Security Champions
byDigital Transformation EXPO Event Series
 
PDF
Protect Your Organization Against Known Security Defects
byDeborah Schalm
 
PDF
Devops: Security's big opportunity by Peter Chestna
byDevSecCon
 
PDF
Building Blocks of Secure Development: How to Make Open Source Work for You
bySBWebinars
 
PDF
How Components Increase Speed and Risk
byCA Technologies
 
PDF
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
bySynopsys Software Integrity Group
 
PPTX
7 Reasons Your Applications are Attractive to Adversaries
byDerek E. Weeks
 
PDF
We are excited to announce that our new State of Software Security (SOSS) rep...
byAmpliz
 
PDF
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
byThreat Stack
 
PDF
Hacker-powered Software Development
byAssembla
 
PDF
ScotSecure 2020
byRay Bugg
 
PDF
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
bySonatype
 
PPTX
Web security – everything we know is wrong cloud version
byEoin Keary
 
PDF
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
byDevSecCon
 
PPT
Software Security in the Real World
byMark Curphey
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
byMatt Tesauro
 
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
byMichael Man
 
New Era of Software with modern Application Security v1.0
byDinis Cruz
 
The State of Software Security 2022 SOSS - Solution
byNeelKamalSingh8
 
Veracode Corporate Overview - Print
byAndrew Kanikuru
 
From Rogue One to Rebel Alliance: Building Developers into Security Champions
byDigital Transformation EXPO Event Series
 
Protect Your Organization Against Known Security Defects
byDeborah Schalm
 
Devops: Security's big opportunity by Peter Chestna
byDevSecCon
 
Building Blocks of Secure Development: How to Make Open Source Work for You
bySBWebinars
 
How Components Increase Speed and Risk
byCA Technologies
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
bySynopsys Software Integrity Group
 
7 Reasons Your Applications are Attractive to Adversaries
byDerek E. Weeks
 
We are excited to announce that our new State of Software Security (SOSS) rep...
byAmpliz
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
byThreat Stack
 
Hacker-powered Software Development
byAssembla
 
ScotSecure 2020
byRay Bugg
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
bySonatype
 
Web security – everything we know is wrong cloud version
byEoin Keary
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
byDevSecCon
 
Software Security in the Real World
byMark Curphey
 

More from DevSecCon

PPTX
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Preventative Security for Kubernetes
byDevSecCon
 
PDF
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
byDevSecCon
 
PDF
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
byDevSecCon
 
PPTX
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
byDevSecCon
 
PPTX
DevSecCon London 2018: Is your supply chain your achille's heel
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
byDevSecCon
 
PPTX
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
byDevSecCon
 
PPTX
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
byDevSecCon
 
PPTX
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
byDevSecCon
 
PDF
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
byDevSecCon
 
PDF
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
byDevSecCon
 
PPTX
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
byDevSecCon
 
PDF
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
byDevSecCon
 
PDF
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
byDevSecCon
 
PPTX
DevSecCon London 2018: Get rid of these TLS certificates
byDevSecCon
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
byDevSecCon
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
byDevSecCon
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
byDevSecCon
 
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
byDevSecCon
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
byDevSecCon
 
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
byDevSecCon
 
DevSecCon London 2018: Is your supply chain your achille's heel
byDevSecCon
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
byDevSecCon
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
byDevSecCon
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
byDevSecCon
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
byDevSecCon
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
byDevSecCon
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
byDevSecCon
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
byDevSecCon
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
byDevSecCon
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
byDevSecCon
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
byDevSecCon
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
byDevSecCon
 
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
byDevSecCon
 
DevSecCon London 2018: Get rid of these TLS certificates
byDevSecCon
 

Recently uploaded

PPSX
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
PDF
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
PPTX
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
PDF
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
PPTX
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
PDF
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
PDF
Getting started with Agent Framework.pdf
byNilesh Gule
 
PDF
What's Driving Growth in the Video Surveillance Market 2025?
byMemoori
 
PPTX
Cyber Security Quiz 1st Year CSE CS Students
bynirmalamca
 
PDF
Analyze Servers and Get Support - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PDF
Tune System Performance - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Manage Network Security (Firewall) in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Reset RHEL Root User Password - RHCSA.pdf
byLinuxCert Guru
 
PDF
Implement Advanced Storage in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
PDF
Digital Garage Certification - Google - Viktor Huszag - Online Marketing Fund...
byViktor Huszag
 
PPTX
Building powerful web apps to improve productivity and engagement - Esri UK W...
byEsri UK
 
PDF
Case Study: How LKQ Corporation Improved Training Efficiency & Delivery
byRustici Software
 
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
Getting started with Agent Framework.pdf
byNilesh Gule
 
What's Driving Growth in the Video Surveillance Market 2025?
byMemoori
 
Cyber Security Quiz 1st Year CSE CS Students
bynirmalamca
 
Analyze Servers and Get Support - RHCSA (RH124).pdf
byLinuxCert Guru
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
Tune System Performance - RHCSA (RH134).pdf
byLinuxCert Guru
 
Manage Network Security (Firewall) in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
Reset RHEL Root User Password - RHCSA.pdf
byLinuxCert Guru
 
Implement Advanced Storage in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
Digital Garage Certification - Google - Viktor Huszag - Online Marketing Fund...
byViktor Huszag
 
Building powerful web apps to improve productivity and engagement - Esri UK W...
byEsri UK
 
Case Study: How LKQ Corporation Improved Training Efficiency & Delivery
byRustici Software
 

DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preventing your Success by Pete Chestna

  • 1.
    Join the conversation#DevSecCon PETER CHESTNA Maginot Line Common AppSec Anti-Patterns
  • 2.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES2 @PeteChestna Who am I? • 25+ Years Software Development Experience • 11+ Years Application Security Experience • Certified Agile Product Owner and Scrum Master • At Veracode since 2006 • From Waterfall to Agile to DevOps • From Monolith to MicroService • Consultant on DevSecOps best practices • Fun Fact: I love whiskey! • Tell me where to drink local whiskey
  • 3.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES3 @PeteChestna Agenda • InfoSec vs. AppSec maturity • Common anti-patterns • Practical solutions
  • 4.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES4 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES InfoSec vs. AppSec
  • 5.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES5 @PeteChestna InfoSec
  • 6.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES6 @PeteChestna AppSec
  • 7.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES7 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES AppSec Anti-Patterns
  • 8.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES8 @PeteChestna AP: The Goal?
  • 9.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES9 @PeteChestna AP: The Goal?
  • 10.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES10 @PeteChestna AP: The Goal?
  • 11.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES11 @PeteChestna AP: The Goal? Find TrackDevelop Fix Re-test Develop Bug No Bug Develop Develop Develop
  • 12.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES12 @PeteChestna AP: The Goal?
  • 13.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES13 @PeteChestna Measurement is Key
  • 14.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES14 @PeteChestna Training and Awareness
  • 15.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES15 @PeteChestna Train Yourself on the Process
  • 16.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES16 @PeteChestna Help them fix what they find
  • 17.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES17 @PeteChestna AP: Security Mandate
  • 18.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES18 @PeteChestna AP: Security Mandate
  • 19.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES19 @PeteChestna Relationships
  • 20.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES20 @PeteChestna Mutual Accountability
  • 21.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES21 AP: Protect Just the Critical Applications Retailer How: Sophisticated kill chain including exploitation of vulnerable web application Result: Hackers stole names, mailing addresses, phone numbers and email addresses for more than 70 million shoppers Financial Institution How: Vulnerability on website built and maintained by third-party vendor in support of a charity. Result: Usernames and passwords for 76 million households and 7 million business were stolen
  • 22.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES22 @PeteChestna AP: Protect Just the Critical Applications Strategy: Comprehensive AppSec • Application Inventory • Map to Maturity Model • Set Security Policies • Select Metrics • Report Regularly
  • 23.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES23 @PeteChestna AP: Protect Just the Critical Applications Strategy: Map All Applications to Maturity Model Baseline Ostrich Reactive Proactive Adaptive
  • 24.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES24 @PeteChestna AP: Protect Just the Critical Applications Strategy: Select Metrics Per Application • Scanned vs Unscanned • Only include policy flaws • Flaws Found vs. Fixed • Flaws Introduced • Utilization • Automation
  • 25.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES25 @PeteChestna AP: Protect Just the Critical Applications Strategy: Report Regularly • Fair and transparent • Per Application • Per Team • Per Management Level • Include Maturity Level • Gamify if possible
  • 26.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES26 @PeteChestna AP: What Open Source? Healthcare Provider How: Targeted a flaw in OpenSSL, CVE-2014-0160, better known as Heartbleed Result: The theft of Social Security Numbers and other personal data belonging to 4.5 million patients Financial Institution How: Hackers exploited a known vulnerability in an open source component Result: Social Security Numbers and personal data for more than 143 million Americans stolen. Three executives lose their jobs.
  • 27.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES27 @PeteChestna Built Mostly from Components 80% to 95% of modern apps consist of assembled components. Proprietary Code Open Source Open Source Open Source Open Source Open Source Open Source Open Source Open Source Open Source Open Source Open Source Open Source
  • 28.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES28 @PeteChestna Open Source – More or Less Secure? • Defect rate in open source is no better or worse than first party code • The difference is that developers never revisit • Integrated and abandoned • It’s not a problem until a vulnerability is discovered
  • 29.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES29 @PeteChestna Integrated and Abandoned Explicitly - Struts
  • 30.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES30 @PeteChestna Integrated and Abandoned Implicitly – Apache Commons Collections
  • 31.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES31 @PeteChestna Component Family Tree – Apache Commons Collection (ACC) 3.2.1 Apache Commons Collections 3.2.1 (1290) Apache Commons BeanUtils (1348) Spring Web (1779) Spring Framework (501) ... Core Hibernate ORM Functionality (1185) Spring TestContext Framework (3007) Spring Web MVC (1314) ... Apache Commons Configuration (803) Hadoop Core (399) SonarQube Plugin API (262) ... Apache Velocity (748) Spring Context Support (916) SnakeYAM (519) ... Within 5 generations, 80,323 components contain ACC 3.2.1 The components are then used in millions of software applications >26% of software applications had ACC 3.2.1 50.3% of software applications had some vulnerable version of ACC
  • 32.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES32 @PeteChestna AP: What Open Source? Strategy: Security Champions
  • 33.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES33 @PeteChestna AP: What Open Source? Strategy: Assess MTTR • How quickly can you ship a code change? • For each application: – Methodology – Test automation – Time to deploy – CI/CD? – Minutes/Hours/Days/Weeks?
  • 34.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES34 @PeteChestna AP: What Open Source? Strategy: OSS Incident Response Plan • Monitor for new CVEs • Triage CVE based on: – Database of applications – CVSS score – Known exploit • Disseminate to champions – Vulnerability assessment – Remediation plan – Notification of remediation or mitigation
  • 35.
    © 2017 VERACODEINC. ACQUIRED BY CA TECHNOLOGIES42 @PeteChestna Conclusions
  • 36.
    Join the conversation#DevSecCon Thank You