OWASP - AppSec trends in agile, what can we learn from them?

Generic overview of AppSec trends & quick intro to Prezi solutions & plans (OWASP HU - 2013-06-03)
by Mihaly Zagon on 5 May 2014


Transcript of OWASP - AppSec trends in agile, what can we learn from them?

AppSec trends in agile, what can we learn from them?
Mihály Zágon
IT Security Engineer
@woff_itsec
IT Security Consultant @ Deloitte
IT Security Engineer @ Prezi
red
team only
red
&
blue
team
"traditional" dev environments
agile dev environment
vulnerabilities
version control systems
some kind of app level monitoring & alerting
(webapps only)
security of the users is important, right?
"slower"
dealing with source code & other secrets
Background
... and only a few are walking "with us"
No best practices (yet) ...
We are at the beginning of the road ...
SADB
automatic change alerting
regex incoming requests
monitoring app endpoints
detecting HTML / SQL-like inputs
grep not encoded inputs
attack driven testing
HTTP 500 responses
reflective XSS
monitoring & alerting
searching for internal secrets
paste sites
google docs
public s3 buckets...
bug bounty
Code review
Phabricator/Herald
security library mod
disabling CSRF/XSS validation
access-control-allow-*
new URL endpoints
Lint during dev & code review
Detecting untrusted reqs
browser XSS auditors
... just great ideas :)
Trends?
automating security code review (& everything)
bug bounty / vuln. submission form
monitoring incoming data
best practices aka the basics
finding vulns as soon as possible
(X-Frame-Options, CSRF tokens, STS, ...)
Summary
Where are we?
automating security code review
monitoring incoming data
best practices aka the basics
Plan samples
fine-tune existing stuff
phantomscanner @ jenkins
integrate commercial tools
log full HTTP request & response
Content Security Policy
full HTTPS + STS
we must give the right tools, but ...
... security is everybody's task
QUESTIONS
THANK YOU!
Security Automation DashBoard
notifying the right people
(developer & sec team)
static & dynamic code analysis
brakeman - rails security scanner
Put Your Robots to Work: Security Automation at Twitter - Justin Collins, Neil Matatall, Alex Smolen - http://videos.2012.appsecusa.org/video/54250716
Content Sec Policy (CSP)
mitigate XSS vulns
fine tune what JS can run on the page
e.g. disable in-line JS
allow only GA...
"monitor only" mode
alert if policy is violated
Threat deck
Ro-Sham-Bo
changes in critical code parts trigger manual review
Homebrew Defensive Security - Take matters into your own hands - http://www.slideshare.net/mimeframe/ruxcon-2012-15195589
Safe By Default Frameworks
X-Frame-Options
CSRF protection
encoding / escaping
catching exceptions
detect actions not initiated by the user
request signatures
origin headers
no block!
X-XSS-Protection: 1; mode=block
X-Frame-Options
intentional framing
user&time bound token
"safe by default"
input encoding before anything else
docroot vs. access logs
repoguard:
phantomscanner:
Python, checking git diffs against regex patterns
... alternative: Herald
phantomjs
inspired by Etsy's "attack driven testing"
JSON test case, checking for reflective / stored XSS
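The repoguard idea above (a Python tool that runs regex rules over git diffs, with changes in critical code paths triggering manual review and the right people being notified) can be illustrated with a small scanner. This is an added example written for this page, not Prezi's repoguard or Herald; the rule names, the patterns, the critical-path list and the sample diff are all constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Rule set: name, regex tried against every ADDED line of the diff, and who to
# notify. The patterns are constructed for this example; tune them per codebase.
RULES = [
    ("csrf-exempt", re.compile(r"\bcsrf_exempt\b|skip_csrf|disable_csrf", re.I), "sec-team"),
    ("cors-wildcard", re.compile(r"Access-Control-Allow-Origin[\"']?\]?\s*[:=,]\s*[\"']\*", re.I), "sec-team"),
    ("new-endpoint", re.compile(r"^\s*(url|path|route)\s*\("), "sec-team"),
    ("autoescape-off", re.compile(r"autoescape\s*(=\s*False|\s+off\b)", re.I), "sec-team"),
]
# Files whose every change should get a human security review, whatever it contains
# (hypothetical paths for this example).
CRITICAL_PATHS = re.compile(r"(^|/)(auth|security|payments)/")

FILE_HEADER = re.compile(r"^\+\+\+ (?:b/)?(.+)$")
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text: str) -> List[Dict[str, Optional[object]]]:
    """Walk a unified diff and report added lines matching a rule, plus any
    touched file under a critical path. Line numbers refer to the NEW file."""
    findings: List[Dict[str, Optional[object]]] = []
    current_file = None
    new_lineno = 0
    for raw in diff_text.splitlines():
        m = FILE_HEADER.match(raw)
        if m:  # "+++ b/path": start of a new file (an added line beginning "++ " would look the same)
            current_file = m.group(1)
            if CRITICAL_PATHS.search(current_file):
                findings.append({"rule": "critical-path-change", "file": current_file,
                                 "line": None, "notify": "sec-team", "text": ""})
            continue
        m = HUNK_HEADER.match(raw)
        if m:  # "@@ -a,b +c,d @@": reset the new-file line counter
            new_lineno = int(m.group(1))
            continue
        if raw.startswith(("---", "diff ", "index ", "\\")):
            continue  # old-file header, git metadata, "\ No newline at end of file"
        if raw.startswith("-"):
            continue  # removed line: not present in the new tree, so no line number
        if raw.startswith("+"):
            content = raw[1:]
            for name, pattern, notify in RULES:
                if pattern.search(content):
                    findings.append({"rule": name, "file": current_file, "line": new_lineno,
                                     "notify": notify, "text": content.strip()})
        new_lineno += 1  # added and context lines both advance the new file
    return findings


# Constructed sample diff: a CORS wildcard, a CSRF exemption, a new URL endpoint
# and a change under a critical path.
SAMPLE_DIFF = """\
diff --git a/app/views.py b/app/views.py
--- a/app/views.py
+++ b/app/views.py
@@ -10,2 +10,7 @@
 def export(request):
-    return json_response(data)
+    resp = json_response(data)
+    resp['Access-Control-Allow-Origin'] = '*'
+    return resp
+
+@csrf_exempt
+def upload(request):
diff --git a/app/urls.py b/app/urls.py
--- a/app/urls.py
+++ b/app/urls.py
@@ -3,2 +3,3 @@
     path('export/', export),
+    path('upload/', upload),
 ]
diff --git a/app/auth/session.py b/app/auth/session.py
--- a/app/auth/session.py
+++ b/app/auth/session.py
@@ -1,1 +1,2 @@
 import time
+SESSION_TTL = 3600
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"[{f['rule']}] {f['file']}:{f['line']} -> notify {f['notify']}  {f['text']}")
```

Because the scanner only looks at added lines, a rule never fires on code that is being deleted; the trade-off is that a dangerous construct split across an existing line and a new one is missed, which is one reason the critical-path rule exists alongside the content rules.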
Function 1
Function 2
Function n
...
Design
Implement
Test
Deploy
Design
Implement
Test
Deploy
Design
Implement
Test
Deploy
"quicker"
Goal:
security is integrated into dev

helping the developers
helping the IT sec team
response (detective)
prevent
Develop
Test
Deploy
Develop
Test
Deploy
phantomgang - dynamic analysis
mixed content
credentials through HTTP
old, vulnerable jQuery versions
forms w/o authenticity tokens
Browser security headers
Strict Transport Security (STS)
X-Frame-Options
X-Content-Type-Options
X-Xss-Protection
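The phantomgang checks (mixed content, credentials through HTTP, old jQuery versions, forms without authenticity tokens) and the browser security header list above, together with the CSP "monitor only" mode mentioned earlier, can be expressed as one page audit. This is an added example, not phantomgang or any Prezi tool: it audits an already fetched response (headers plus HTML) offline. The expected header values, the minimum jQuery version, the token field name and the sample page are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Finding = Tuple[str, str]

# Header expectations (assumed policy for this example; adjust to your own).
REQUIRED_HEADERS = {
    "strict-transport-security": None,          # presence is enough here
    "x-frame-options": ("deny", "sameorigin"),
    "x-content-type-options": ("nosniff",),
    "x-xss-protection": ("1; mode=block",),
}
MIN_JQUERY = (3, 5, 0)   # assumed cut-off: anything below counts as "old" for this scan
JQUERY_SRC = re.compile(r"jquery[-.](\d+)\.(\d+)(?:\.(\d+))?", re.I)


def audit_headers(headers: Dict[str, str]) -> List[Finding]:
    """Compare response headers with the expected browser security headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []
    for name, allowed in REQUIRED_HEADERS.items():
        value = h.get(name)
        if value is None:
            findings.append(("missing-header", name))
        elif allowed is not None:
            norm = value.strip().lower()
            if norm.startswith("allow-from"):   # intentional framing: review, not fail
                findings.append(("intentional-framing", f"{name}: {value}"))
            elif norm not in allowed:
                findings.append(("weak-header", f"{name}: {value}"))
    if "content-security-policy" not in h:
        if "content-security-policy-report-only" in h:
            # "monitor only" mode: violations are reported, nothing is blocked yet
            findings.append(("csp-monitor-only", h["content-security-policy-report-only"]))
        else:
            findings.append(("missing-header", "content-security-policy"))
    return findings


class _PageScanner(HTMLParser):
    """Finds mixed content, old jQuery, token-less POST forms and password forms
    that submit over plain HTTP in one HTML document."""

    def __init__(self, page_scheme: str, token_field: str) -> None:
        super().__init__()
        self.page_scheme, self.token_field = page_scheme, token_field
        self.findings: List[Finding] = []
        self.form: Optional[dict] = None   # state of the form being parsed

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("href") if tag == "link" else a.get("src")
        if src and tag in ("script", "img", "iframe", "link"):
            if self.page_scheme == "https" and src.lower().startswith("http://"):
                self.findings.append(("mixed-content", f"<{tag}> loads {src}"))
            m = JQUERY_SRC.search(src)
            if m and tuple(int(x or 0) for x in m.groups()) < MIN_JQUERY:
                self.findings.append(("old-jquery", ".".join(x for x in m.groups() if x)))
        if tag == "form":
            self.form = {"action": a.get("action", ""), "method": a.get("method", "get").lower(),
                         "token": False, "password": False}
        elif tag == "input" and self.form is not None:
            if a.get("name") == self.token_field:
                self.form["token"] = True
            if a.get("type", "").lower() == "password":
                self.form["password"] = True

    def handle_endtag(self, tag):
        if tag != "form" or self.form is None:
            return
        f, action = self.form, self.form["action"]
        target_scheme = urlsplit(action).scheme.lower() or self.page_scheme
        if f["password"] and target_scheme == "http":
            self.findings.append(("credentials-over-http", action))
        if f["method"] == "post" and not f["token"]:
            self.findings.append(("form-without-token", action))
        self.form = None


def scan_page(url: str, headers: Dict[str, str], html: str,
              token_field: str = "authenticity_token") -> List[Finding]:
    """Header audit first, then the HTML checks, in document order."""
    scanner = _PageScanner(urlsplit(url).scheme.lower(), token_field)
    scanner.feed(html)
    scanner.close()
    return audit_headers(headers) + scanner.findings


# Constructed sample: an HTTPS login page with several of the problems listed above.
SAMPLE_URL = "https://example.test/login"
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp-report",
}
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.test/jquery-1.8.3.min.js"></script></head><body>
<form method="post" action="/login"><input type="text" name="user"><input type="password" name="pass"></form>
<form method="post" action="http://legacy.example.test/login"><input type="hidden" name="authenticity_token" value="t">
<input type="password" name="pass"></form></body></html>"""

if __name__ == "__main__":
    for rule, detail in scan_page(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{rule:24} {detail}")
```

Run from a CI job (the deck mentions phantomscanner at Jenkins) the same function can be fed the headers and body captured by a headless browser; the report-only CSP is deliberately reported as its own category rather than as a missing header, so a policy being rolled out in monitor mode is visible without failing the build.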
culture: collaboration is natural