Efforts in Scaling Application Security Programs
- 1. Efforts in Scaling Application Security Programs July 26, 2018
- 2. • Eric Fay • Scrantonian in Santa Monica – {Insert Office reference here} • Manager of AppSec @ Hulu • Former InfoSec @ Dow Jones whoami
- 3. • Retrospective of starting and growing an application security program • Timeline – 2014 - Yesterday • Broken into loose phases – Open Pastures – Expansion – Maturing – Future Agenda
- 4. Phase 1 - Open Pastures ~2014
- 5. • Smart engineers • No full time AppSec • Agile development processes – Deploy everything, everywhere, anytime, always. • Mostly monolithic applications • Free Video-On-Demand (FVOD) • Subscription Video-On-Demand (SVOD) P1 - Landscape
- 6. • Learn the lay of the land • Determine most business critical workflows • Focus risk/vuln identification on those workflows • Establish relationships with dev teams. P1 - Goals
- 7. • Met with dev leads and tech leaders • Learned architecture of services • Manual & Automated security testing on critical workflows • Acquired DAST tool P1 - Actions Taken
- 8. • Dynamic Analysis will find some low hanging fruit with little effort. • Establishing connections with development leads is invaluable. • Success criteria for tools is drastically different than it is today P1 - Lessons Learned
- 9. Phase 2 - Expansion
- 10. • Familiar with critical apps & services • Identified & mitigated immediate risks • You are now the security goto for some teams. • 1-2 full time AppSec • Have baseline scanning tools • Teams are beginning to move to microservice architecture • FVOD • SVOD • No-ADs SVOD • Addons P2 - Landscape
- 11. • Create tools to automate processes • Expand tool coverage • Security in SDLC • Secure code education P2 - Goals
- 12. • Acquired RASP tool • Started Bug Bounty program • Automatic static code scanning for Rails (BrakeyBrake) • Monitoring TLS health (HowsMyTLS) • Monitoring external surface (ExternalExposure) • S3 access control monitoring (LeakyBuckets) • Held internal security talks P2 - Actions Taken
- 13. • RASP was a high effort, low return. • Monitoring tools that were built allowed us to automate away manual work and begin to track metrics. • Bug bounty provided an immediate return • Focused talks with individual teams was valuable P2 - Lessons learned
- 14. Phase 3 - Maturing
- 15. • 3-4 full time AppSec • Teams moving to centralized CI/CD processes • Everything is microservice • SVOD • No-ADs SVOD • Addons • Live TV P3 - Landscape
- 16. • Remediate classes of vulnerabilities and org wide risk • Get security further in the SDLC • Increase team efficiencies • Formalize security workflows & processes • Formalize security education P3 - Goals
- 17. • Static code analysis in CI/CD pipelines • Security involvement into our external exposure process • Formalize security workflows • Acquired WAF solution • Acquired education content • Content Security Policy P3 - Actions Taken
- 18. • Static code CI/CD integration very valuable • Hooking into established processes allowed lower friction interactions • Formalizing assessment processes increased team efficiencies • WAF integration was a high return • Formal education should have been prioritized earlier • CSP is hard to scale properly P3 - Lessons Learned
- 19. Phase 4 - Future
- 20. • Automated vulnerability exploitation detection • Tighter security integrations in SDLC • Education Events • Creation of security libraries for development teams to enable security in their development frameworks. • Pushing security as just another consideration of development teams P4 - Potential
- 21. THANK YOU ● @icanhasfay ● /in/appsec