Introduction to Application

Security (AppSec)

By Christophe Limpalair
Popular PHP Frameworks

Course Pre-Requisites

‣ 2+ years of programming experience
‣ Familiar with software development models
‣ Familiar with software engineering
‣ Familiar with basics of application development
To secure applications, you have to…

‣ Quickly navigate and understand frameworks, languages, and code

You will walk away with…

A thorough understanding of AppSec concepts, and how they relate to:

‣ Web
‣ Mobile
‣ Cloud

Let’s answer questions you have

‣ What kinds of jobs can I get with AppSec skills?
‣ What are the requirements for those jobs?
‣ What kinds of salaries could I expect?

Let’s answer questions you have

‣ Salaries: ~$80k - $130k+
‣ You can expect to:
  ‣ Develop new (or modify existing) software following security best practices
  ‣ Secure new or existing apps that others have developed
  ‣ Put yourself in an attacker’s shoes to identify potential different paths of attack
National Initiative for Cybersecurity Education (NICE) Framework

Developed in partnership with:

‣ NICE
‣ The Office of the Secretary of Defense
‣ Department of Homeland Security

To provide a systematic and consistent way to:

‣ Organize the way we think and talk about cybersecurity work
‣ Identify the knowledge, skills, and abilities (KSAs) to perform cybersecurity tasks
OWASP ASVS Objectives

‣ To provide us with a measurement of how much trust we can place in our web application’s security
‣ To provide guidance as to what we should build into our security controls to satisfy security requirements
‣ To provide a standard for application security verification requirements in contracts with 3rd parties

OWASP ASVS

Is a catalog of security requirements and verification criteria

V1.1 - Requirement Category
1.1.1 - Requirement written in a verifiable statement

OWASP SAMM

Governance: Focuses on processes and activities for how an organization manages software development. Includes cross-functional groups involved in development and business processes established at the organization level.

Design: Concerns processes and activities related to how an organization defines goals and creates software within development projects. Usually includes requirements gathering, high-level architecture specification and detailed design.

Implementation: Focused on processes and activities related to how an organization builds and deploys software components and its related defects. The goal is to ship reliably working software with minimum defects.

Verification: Focuses on processes and activities related to how an organization checks and tests artifacts produced through software development. Typically includes QA work such as testing, but can also include other review activities.

Operations: Encompasses activities necessary to ensure confidentiality, integrity, and availability are maintained through the lifetime of an app and its data.
OWASP SAMM

Governance: Strategy & Metrics, Policy & Compliance, Education & Guidance
Design: Threat Assessment, Security Requirements, Security Architecture
Implementation: Secure Build, Secure Deployment, Defect Management
Verification: Architecture Assessment, Requirements-driven Testing, Security Testing
Operations: Incident Management, Environment Management, Operational Management
Governance -> Strategy & Metrics

Stream A - Create and Promote / Stream B - Measure and Improve

Maturity Level 1
‣ Stream A: Identify organization drivers as they relate to the organization’s risk tolerance
‣ Stream B: Define metrics with insight into the effectiveness and efficiency of the Application Security Program

Maturity Level 2
‣ Stream A: Publish a unified strategy for application security
‣ Stream B: Set targets and KPIs for measuring the program effectiveness

Maturity Level 3
‣ Stream A: Align the application security program to support the organization’s growth
‣ Stream B: Influence the strategy based on the metrics and organizational needs
OWASP Proactive Controls

V2.1.1 - “Verify that user set passwords are at least 12 characters in length”

User stories might be:

‣ As a user, I can enter a password that has a minimum of 12 characters
‣ As a user, I can enter my username and password to gain access to the application

OWASP Proactive Controls

V2.1.1 - “Verify that user set passwords are at least 12 characters in length”

A misuse case might be:

‣ As an attacker, I can find passwords shorter than 12 characters
SQL Injection Example

SELECT * FROM accounts WHERE custID = '" + request.getParameter("id") + "';

http://example.com/app/accountView?id=' or '1'='1

SELECT * FROM accounts WHERE custID = '' or '1'='1';

SQL Injection Example

SELECT * FROM accounts WHERE custID = '' or '1'='1';

SELECT * FROM accounts WHERE custID = '\' or \'1\'=\'1';
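The two slides above show the concatenated query and the escaped version. The following is an added, runnable illustration (not part of the course material) that replays the slide's payload against an in-memory SQLite table built from constructed sample rows, once through string concatenation and once through a bound parameter, which is the fix the escaping slide is working towards:

```python
import sqlite3

# Constructed sample data standing in for the slide's "accounts" table.
SAMPLE_ACCOUNTS = [("1001", "alice"), ("1002", "bob"), ("1003", "carol")]

# The value of the "id" parameter in the slide's example URL.
INJECTION_PAYLOAD = "' or '1'='1"


def make_db():
    """In-memory SQLite database with the sample accounts loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def vulnerable_lookup(conn, cust_id):
    """String concatenation, as on the slide: the input becomes SQL text."""
    sql = "SELECT * FROM accounts WHERE custID = '" + cust_id + "'"
    return conn.execute(sql).fetchall()


def parameterized_lookup(conn, cust_id):
    """Bound parameter: the value travels separately from the SQL text, so
    quotes in the input can never change the structure of the query."""
    sql = "SELECT * FROM accounts WHERE custID = ?"
    return conn.execute(sql, (cust_id,)).fetchall()


def demo():
    """Run an honest and an injected lookup through both variants."""
    conn = make_db()
    honest_vuln = vulnerable_lookup(conn, "1002")
    honest_safe = parameterized_lookup(conn, "1002")
    # Concatenation turns the payload into
    #   SELECT * FROM accounts WHERE custID = '' or '1'='1'
    # which is true for every row, so the whole table comes back.
    injected_vuln = vulnerable_lookup(conn, INJECTION_PAYLOAD)
    # The parameterized query looks for a customer literally named
    # ' or '1'='1 and finds nothing.
    injected_safe = parameterized_lookup(conn, INJECTION_PAYLOAD)
    return honest_vuln, honest_safe, injected_vuln, injected_safe


if __name__ == "__main__":
    labels = ["honest/concat", "honest/param", "injected/concat", "injected/param"]
    for label, rows in zip(labels, demo()):
        print(f"{label}: {len(rows)} row(s)")
```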
Credential Stuffing Example

Collection of stolen login credentials (U:/P: pairs) -> Bots -> Login Page
Organizations who experienced a cloud security incident in the last 12 months

Yes / No: 28% / 72%

Source: https://www.isc2.org/-/media/ISC2/Landing-Pages/2019-Cloud-Security-Report-ISC2.ashx?la=en

Organizations who experienced a cloud security incident in the last 12 months

Exposed Data: 27%
Malware infection: 20%
Account compromise: 19%
Vulnerability exploit: 17%

Source: https://www.isc2.org/-/media/ISC2/Landing-Pages/2019-Cloud-Security-Report-ISC2.ashx?la=en
DoS Attack (diagram: Website, Customer)

DDoS Attack (diagram: Website, Customer; Victim, Command & Control, Botnet)

‣ Spamming
‣ Credential Stuffing
‣ Brute force attacks
‣ DDoS
‣ Etc…
OSI Model

Layer 7 - Application: Network process to application
Layer 6 - Presentation: Data representation and encryption
Layer 5 - Session: Maintains connections & controls ports/sessions
Layer 4 - Transport: End-to-end connections and reliability
Layer 3 - Network: Path determination and IP
Layer 2 - Data Link: Defines format of data on network
Layer 1 - Physical: Media, signal, and binary transmission
OSI Model -> Infrastructure Layer Attacks

‣ Include attack vectors like SYN and UDP floods
‣ Usually larger in volume
‣ Aim to overload capacity of network or app servers
‣ Usually easier to detect & defend
OSI Model -> Application Layer Attacks

‣ Typically smaller in volume, and can do more damage with fewer resources
‣ Can be harder to prevent since it looks like legitimate traffic
Veracode State of Software Vol. 10

iOS: Apps with at least 1 flaw 91%, Apps with no found flaws 9%
Android: Apps with at least 1 flaw 95%, Apps with no found flaws 5%

Source: https://www.veracode.com/state-of-software-security-report

% Tested Mobile Apps with >= 1 Critical/High Severity Issue (bar chart for 2016, 2017, 2018; axis 0% to 90%)

Source: https://community.microfocus.com/t5/Security-Blog/2019-AppSec-Risk-Report-Key-Takeaways/ba-p/2701724
Android

‣ Open source code, giving more customization options
  ‣ More flexibility
  ‣ Can create security weaknesses
‣ Many manufacturers with different software and hardware flavors
  ‣ Updates can be restricted

iOS

‣ Not open source - Apple doesn’t release its source code
  ‣ Creates customization limits
  ‣ Those limits can be a positive for security
‣ Apple devices are tightly integrated between hardware & software
  ‣ iOS releases are pushed to all devices and users can apply those updates faster

Considerations for mobile development

‣ Stored data
‣ Web APIs and transport security settings
‣ Permissions
‣ Compiler options
‣ Root and jailbreak detection
‣ …
ASVS Requirements Scope / MASVS Requirements Scope (diagram; web services)
Organizations that experienced a cloud security incident in the last 12 months

Yes / No: 28% / 72%

Source: https://www.isc2.org/-/media/ISC2/Landing-Pages/2019-Cloud-Security-Report-ISC2.ashx?la=en

Most experienced security incidents in past 12 months (bar chart; axis 0% to 28%)

Exposed Data
Malware Infection
Account Compromises
Vulnerability Exploit

Source: https://www.isc2.org/-/media/ISC2/Landing-Pages/2019-Cloud-Security-Report-ISC2.ashx?la=en
3 Biggest Cloud Security Threats

‣ Misconfiguration of Cloud Platform
‣ Unauthorized Access
‣ Insecure interfaces & APIs

Source: https://www.isc2.org/-/media/ISC2/Landing-Pages/2019-Cloud-Security-Report-ISC2.ashx?la=en

Top 3 barriers to cloud-based security adoption

‣ Staff expertise and training
‣ Budget challenges
‣ Data privacy concerns

Source: https://www.isc2.org/-/media/ISC2/Landing-Pages/2019-Cloud-Security-Report-ISC2.ashx?la=en

Top 2 barriers to cloud adoption

‣ Fear of data security loss & leakage
‣ General security risk

Source: https://www.isc2.org/-/media/ISC2/Landing-Pages/2019-Cloud-Security-Report-ISC2.ashx?la=en

Organizations that agree their employees would benefit from security training and certs

Yes / No: 39% / 61%

Source: https://www.isc2.org/-/media/ISC2/Landing-Pages/2019-Cloud-Security-Report-ISC2.ashx?la=en

Which topics would be most valuable for ongoing training and education? (bar chart; axis 0% to 50%)

Cloud-enabled cybersecurity
Application Security
Incident Response
DevOps
Regulatory Compliance
Mobile Security
IoT

Source: https://www.isc2.org/-/media/ISC2/Landing-Pages/2019-Cloud-Security-Report-ISC2.ashx?la=en
Security issues that caused major breaches and incidents in cloud environments

1. Misconfiguration
2. Identity & Access Management (IAM)
3. Poor Data Visibility
4. DDoS Attacks
5. Shared Data Responsibility Confusion

Source: https://www.hitachi-systems-security.com/blog/2019-cybersecurity-roundup-the-state-of-cloud-security/
Misconfiguration

IAM in the Cloud

• Write access?
• Download access?
• Limit to 2 months?
• Corporate network only?
• Require MFA?

Poor Data Visibility (diagram: API Call -> ???, API Call -> ???)

DDoS Attacks

Shared Data Responsibility Confusion
Organizations that have experienced security events due to confusion over who is responsible for data security

Yes / No: 18% / 82%

Source: https://www.oracle.com/a/ocom/docs/cloud/cloud-threat-report-2019-executive-summary.pdf
AWS Shared Responsibility Model

IAM: Access Control and Permissions

IAM (diagram): User (Username / Password) or Role -> Policy -> Amazon EC2, Amazon S3 (Data A, Data B)

IAM: Access Control and Permissions

Request (API: GET, POST, …) -> Policy -> Role or User
IAM: Best Practices

‣ Lock down root account
‣ Use groups to assign permissions to users
‣ Always grant least privilege

Code
‣ Injection
‣ XXE
‣ XSS
‣ Insecure Deserialization
‣ Components w/ known vulns

Infrastructure
‣ Components w/ known vulns

Identity & Access
‣ Broken authentication
‣ Broken access control

Data
‣ Sensitive data exposure

Logging & Monitoring
‣ Insufficient logging & monitoring

* Security misconfiguration (applies everywhere)

Securing our API: Identity & Access

‣ Broken authentication
‣ Broken access control

Securing our API: Identity & Access

Three main ways to secure access to our APIs

‣ IAM
‣ Amazon Cognito
‣ Lambda authorizers (OAuth / SAML)

+ API keys
Web Application Firewall

Request (GET, POST) -> Firewall -> Authorization -> API

Firewall rules block:
‣ SQL injection
‣ Malicious scripts
‣ Brute-force attacks
‣ …

Authorization:
‣ IAM
‣ Amazon Cognito
‣ Lambda authorizers
+ API keys
Securing our API: Code

OWASP-listed risks we can expect here:

‣ Injections (i.e. SQL Injections)
‣ XXE
‣ XSS
‣ Insecure Deserialization
‣ Using components with known vulnerabilities

Securing our API: Code

API Gateway (generates SSL certificate) -> API Code (checks encryption key)
Securing our API: Data

Request (API: GET, POST) -> Data Storage -> Data processing

1. Request sent
2. API pulls data
3. API processes the data
4. API sends response back
Securing our API: Data

‣ Password: iamagreenbutterfly0298
‣ Salt: th3b1u3b0n3t
‣ Salted input: th3b1u3b0n3tiamagreenbutterfly0298
‣ Hash (SHA-256): 7528ed35c6ebf7e4661a02fd98ab88d92ccf4e48a4b27338fcc194b90ae8855c
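An added example (not from the course) that reproduces the slide's salt + password construction so the printed hash can be checked, and adds the two things a practitioner would want next to it: per-user random salts, constant-time comparison on verify, and a slow KDF (PBKDF2 here) as the caveat to using a single fast SHA-256 round for stored passwords.

```python
import hashlib
import hmac
import os

# Demo credential from the slide (constructed for teaching, not a real account).
PASSWORD = "iamagreenbutterfly0298"
SALT = "th3b1u3b0n3t"
SLIDE_HASH = "7528ed35c6ebf7e4661a02fd98ab88d92ccf4e48a4b27338fcc194b90ae8855c"


def salted_sha256(salt: str, password: str) -> str:
    """The slide's construction: SHA-256 over the salted input salt + password."""
    salted_input = salt + password
    return hashlib.sha256(salted_input.encode("utf-8")).hexdigest()


def new_salt(nbytes: int = 16) -> str:
    """A salt must be unique per user and unpredictable; draw it from the OS
    CSPRNG rather than picking a phrase by hand as the slide does to illustrate."""
    return os.urandom(nbytes).hex()


def pbkdf2_sha256(salt: str, password: str, iterations: int = 600_000) -> str:
    """Caveat added here: for stored passwords prefer a deliberately slow KDF
    (PBKDF2 shown; bcrypt/scrypt/Argon2 are alternatives) over one fast SHA-256
    round, so guessing stays expensive even when the salt is known."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    ).hex()


def verify(stored_hash: str, salt: str, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time, so response
    timing does not leak how many leading characters of the hash matched."""
    return hmac.compare_digest(stored_hash, salted_sha256(salt, attempt))


if __name__ == "__main__":
    digest = salted_sha256(SALT, PASSWORD)
    print("salted input:", SALT + PASSWORD)
    print("SHA-256:     ", digest)
    print("matches the hash printed on the slide:", digest == SLIDE_HASH)
    print("wrong password verifies:", verify(digest, SALT, "iamagreenbutterfly0299"))
```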
Securing our API: Infrastructure

Expected risks here:

‣ Components with known vulnerabilities
‣ DDoS attacks

Securing our API: Logging & Monitoring

Serves 2 main purposes for security:

1. Stop attackers who are probing your systems
2. Identify a breach, including how it happened and the extent of damages
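An added example (not from the course) tying the two purposes above back to the earlier Credential Stuffing slide: over a constructed login log, it flags a source IP that fails against many different accounts in a short window (purpose 1, probing) and then lists the accounts that same IP logged into successfully (purpose 2, breach scope). Log format, thresholds and IP addresses are assumptions chosen for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not from the slides): time, source IP, user, outcome.
# 203.0.113.7 replays a credential list across accounts; 198.51.100.4 is one
# person mistyping their own password twice.
SAMPLE_LOG = """\
2019-09-01T10:00:01Z 203.0.113.7 alice FAIL
2019-09-01T10:00:02Z 203.0.113.7 bob FAIL
2019-09-01T10:00:02Z 203.0.113.7 carol FAIL
2019-09-01T10:00:03Z 203.0.113.7 dave FAIL
2019-09-01T10:00:03Z 203.0.113.7 erin FAIL
2019-09-01T10:00:04Z 203.0.113.7 frank SUCCESS
2019-09-01T10:05:00Z 198.51.100.4 alice FAIL
2019-09-01T10:05:30Z 198.51.100.4 alice FAIL
2019-09-01T10:06:00Z 198.51.100.4 alice SUCCESS
"""


def parse(log_text):
    """Return (timestamp, ip, user, outcome) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return sorted(events)


def detect_credential_stuffing(log_text, window=timedelta(minutes=1), min_users=5):
    """Purpose 1 (probing): flag IPs whose failures span >= min_users distinct
    usernames inside `window`. Repeated failures against one account are a
    forgotten password, not a stolen credential list being replayed."""
    fails = defaultdict(list)
    for ts, ip, user, outcome in parse(log_text):
        if outcome == "FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, attempts in fails.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged


def successes_from_flagged(log_text, flagged):
    """Purpose 2 (breach scope): accounts a flagged IP logged into successfully
    are the probable compromises and show the extent of the damage."""
    return sorted(u for _, ip, u, outcome in parse(log_text)
                  if outcome == "SUCCESS" and ip in flagged)
```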
Generic SDLC: Define -> Design -> Develop -> Deploy -> Maintain

Prioritization

‣ Focus on security holes that are real risks to the business
‣ Use Risk and Threat Modeling
‣ Use SAMM and the ASVS to build a requirements list
‣ Test by comparing those requirements to the state of the app

Prioritization

‣ Choose a set of metrics to measure the effectiveness of your testing
‣ Manually inspect & review

Code tests

‣ Unit
‣ Integration
‣ System
‣ Acceptance
Static Analysis

Dynamic Analysis

Manual Review

Research by Veracode found that organizations which scan their code more than 300/year had 5x less security debt than organizations which didn’t

Source: https://www.veracode.com/state-of-software-security-report
Pentesting

Generic SDLC: Define -> Design -> Develop -> Deploy -> Maintain (Pentesting)

Documentation and reports

‣ Make sure you have buy-in from the rest of the team so that they use the system
‣ Keep it simple and communicate effectively
‣ Describe clearly how it can be abused and give real examples
‣ Provide a proper risk rating
‣ Fit in to existing development flow
Generic SDLC: Define -> Design -> Develop -> Deploy -> Maintain

Tools / People / Processes

Where you are now -> Where you want to be

‣ NICE Framework
‣ Online job postings

Your app now -> Your desired app security state

‣ SAMM
‣ ASVS
‣ Threat Modeling
‣ Proactive Controls
‣ …
Understand the top risks

Understand the biggest web, mobile, and cloud app risks so that we can:

‣ Properly identify them in our apps and 3rd party components
‣ Properly fix any found vulnerability
‣ Educate the rest of our team on the impact and importance of these risks

Application Security Testing

‣ Static Analysis
‣ Dynamic Analysis
‣ Manual Review
‣ Pentesting
‣ and others

Thanks for taking the course!
