4. ✤ Let’s start with what it is not:
• Firewalls, secure network protocols,
• Antivirus and Phishing attacks
• Intrusion Detection
• SoCs, ...
What is AppSec?
6. ✤ Application Security is:
• A quality aspect of your application
• And contributes to the business success the same way UX Design,
Usability and Performance do.
• In other words: is my application used the way it is intended to be?
What is AppSec?
7. ✤ Security was traditionally in the hands of Network folks
• Suddenly, they became responsible for applications...
• ... And applied the same audit-like principles.
Why AppSec == Pain?
9. ✤ Things slowly evolved
• From performing “Penetration Tests” once a year
• To doing a Pentest for every release (a few times a year)
Pentest to the rescue
Great, we all love Pentests, right?
19. ✤ No more pdf/doc/xls!
✤ Security uses the same language as the dev team.
✤ Security as part of existing environments/workflows.
✤ Security work is completed in-cycle.
✤ Not all apps have the same security requirements.
Some general hygiene
24. ✤ Functional security requirements are related to:
- Authentication & Access Control
- Data Integrity
- Wrong password lockouts
✤ Non-functional requirements are related to:
- Password policies
- Characteristics of audit logs
- Backups
Functional vs Non-Functional
25. • It all starts with the backlog & security is a part of this:
1. As an anonymous user I want to see the entire book selection, ...
2. As a logged-in user I want to see my entire purchase history, ...
3. As a customer I want to ensure my privacy when using a public wifi, ...
(Security) Requirements
- User Story and its acceptance criteria are unrelated to security
- User Story and its acceptance criteria are security sensitive [tagged]
- “One-off” (Security) User story [tagged]
26. ✓ Architecture & Design Review & Threat Modelling
Think like a hacker
✓ Design Guidelines are invaluable.
Use existing design patterns
✓ Helps reduce the ongoing amount of work
Secure by Design
27. ✤ Assorted Secure Coding Guidelines in the repo
✤ Pairing for more complex stories
✤ Pull requests for security relevant stories are reviewed
- Code reviews are important (especially for increased speed).
Secure Coding
29. ✤ Code coverage is a key aspect of quality
100% is just the beginning
✤ Security related acceptance criteria make a difference
Both for manual and automated tests
✤ The more that is automated the better
Security Unit Tests
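As an added example (not code from the deck), here is what security related acceptance criteria for backlog stories 2 and 3 look like once automated: a stub purchase-history handler built with only the functional criterion beside one that meets the tagged security criteria, plus a check that reports which criteria a handler fails. The handler, customers, purchase data and token names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the deck): customers, purchase histories,
# and the session token each customer holds after logging in.
PURCHASES = {"alice": ["Dune", "Neuromancer"], "bob": ["Snow Crash"]}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
HSTS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: object = None

def purchase_history_naive(session_token, requested_user):
    """Story 2 with only its functional criterion: any logged-in user can
    fetch any customer's history, and no transport hardening is applied."""
    if session_token not in SESSIONS:
        return Response(401)
    return Response(200, {}, PURCHASES.get(requested_user, []))

def purchase_history(session_token, requested_user):
    """Story 2 with its security criteria: anonymous -> 401, another
    customer's history -> 403, and HSTS on every response so a client on
    public wifi (story 3) is never downgraded to plain HTTP."""
    user = SESSIONS.get(session_token)
    if user is None:
        return Response(401, dict(HSTS))
    if user != requested_user:
        return Response(403, dict(HSTS))
    return Response(200, dict(HSTS), PURCHASES[user])

def security_acceptance_failures(handler):
    """Run the tagged security criteria against a handler; an empty result
    means the story is done, security included."""
    failures = []
    anon = handler(None, "alice")
    if anon.status != 401:
        failures.append("anonymous user must be refused (401)")
    cross = handler("tok-bob", "alice")
    if cross.status != 403 or cross.body:
        failures.append("logged-in user must not read another customer's history")
    own = handler("tok-alice", "alice")
    if own.status != 200 or own.body != PURCHASES["alice"]:
        failures.append("logged-in user must see their own history")
    if any("Strict-Transport-Security" not in r.headers for r in (anon, cross, own)):
        failures.append("every response must carry HSTS (story 3, public wifi)")
    return failures
```

Running the check against both handlers shows the naive one failing two criteria and the hardened one passing all of them, which is the signal a pull request for a tagged story should carry.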
30. ✤ Open source projects can help
- Gauntlt
- BDD-Security
Security Unit Tests
31. ✤ Continue demonstrating the new attributes/features and their impact on users
✤ What were the security considerations for this new feature
✤ In the retrospective share those lessons learned
Sprint Review & Retro
42. ✤ Start with embedding your friendly AppSec guy
✤ Transfer knowledge, find a security champion
✤ Step back and advise
✤ Iterate continuously; don’t go for a big bang
✤ Keep adding automation
✤ Churn out awesome (& secure) releases at the speed of DevOps
From Zero to Hero