Outpost24 Webinar - Five steps to build a killer Application Security Program
Download as PPTX, PDF0 likes79 views
In this webinar, our expert will take you through how to build a continuous application security program following 5 key steps
Ad
More Related Content
What's hot (19)
Similar to Outpost24 Webinar - Five steps to build a killer Application Security Program (20)
Ad
More from Outpost24 (20)
Ad
Recently uploaded (20)
![Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version](https://cdn.slidesharecdn.com/ss_thumbnails/fashionevolution2-250322112409-f76abaa7-250428124909-b51264ff-250504160528-fc2bb1c5-thumbnail.jpg?width=560&fit=bounds)
Outpost24 Webinar - Five steps to build a killer Application Security Program
- 1. Outpost24 Template 2019 5 Steps to build a continuous Application Security Program Data Classification: External February 2022 February 2022
- 2. Outpost24 Group leads to cyber risk reduction 2 Technology Assets Applications – website, CMS, shopping carts Critical data – PII and cardholder data Cloud infrastructure – AWS, Azure, Docker Endpoints – desktop, laptop, smartphone Data center – data storage, backup, recovery User access – password and credential Malware Ransomware kit Data breach Vulnerability exploits Phishing attempts Credential stuffing Crytojacking Cyber Threats Where can attackers gain access and disrupt, extort, or steal? Who are the attackers, who are they targeting, and what techniques do they use? Outpost24 Group uniquely bridges these domains with continuous risk assessment • Security assessment of all technology assets • Intelligence about threat actors and their methods of attack • Combined into the most effective prescriptive actions that reduce business risk at the least cost
- 3. Why an Application Security program is important 3
- 4. 4 • More than just vulnerability scanning your applications every month • Understanding • What you think you have deployed • What you really have deployed • What your overall application attack surface looks like • Taking decisive action, applying a range of tools to reduce risk • Creating a continuous feedback loop What is an Application Security program
- 5. 5 steps to achieve an AppSec program 5 Continuous attack surface discovery 1 Using Penetration testing as a service over traditional Pen Testing 2 Risk based prioritization of discovered vulnerabilities 3 Retesting and verification of findings 4 Continuously repeat the process throughout the applications lifecycle 5
- 6. Outpost24 Template 2019 1. Assess your Application attack surface 6
- 7. 7 • What you know (your Ecommerce system) • What you don’t know • IOT devices • Benefits • Marketing campaigns • Acquisitions • Other 3rd party sites (employee benefits) • These make up your addressable application attack surface What makes up my Application attack surface
- 8. 8 • Use OSINT techniques to discover potential weakness and entry points • R1: Gather information • R2: Determine the range (domain) • R3: Identify active web applications • R4: Discover open doors and entry points (7 vectors) • R5: Fingerprint the web app (score) • R6: Uncover components behind those doors (components detection) • R7: Map the apps (crawl) How to identify your application attack surface
- 9. 9 • Basic understanding of the web application • Don’t need to understand DEVOPS or be an Appsec Guru • Mostly what we would call ‘Basic security best practice’ Assess the Apps for possible risk
- 10. Application Risk Score (ARS) 10 Application Name Surface Score Criticality Update frequency Appsec Program Availability Confidentiality Integrity demo1.com 20.45 2 2 2 1 5 demo2.com 20.22 3 2 2 2 9
- 11. An attack surface mapped 11
- 12. Which leads to informed choice of tools • Make informed choices about tools, solutions and services • Critical applications : Continuous hybrid application testing • Less critical : DAST scanning + one time penetration test • Identify IOT devices, turn off access or block with firewall • Start to inform development decisions • SCA for 3rd party components • SAST or IAT for code improvements • Build a continuous application security assessment program 12
- 13. Outpost24 Template 2019 2. Deploy PTaaS rather than traditional penetration testing 13
- 14. $$ $$$$ $$$$$$ The hidden costs of an Application Pen Test • Go to tender • Find your supplier • Scope out the app • Negotiate the contract • Wait for the test to be completed • Manually translate to actionable items • Wait for remediation 14 • A day rate
- 15. What is Penetration testing as a service (PTaaS) 15 Delivery of on demand penetration testing services through a portal Blends (or gives options to select) automated scanning with manual driven testing Can be singular (one time) or continuous assessment (year long) Can be both network infrastructure and / or Application security based.
- 16. Penetration Testing as a Service - Benefits 16 Speed of delivery • Tests can be initiated within days, not weeks Collaboration • Organisations can talk to the testing team through the portal for information on findings Validation of findings • Through unlimited verification requests Reporting to meet your needs • Reports can be delivered as and when you need them Better ROI • Compared to traditional pen testing
- 17. Outpost24 Template 2019 3. Apply a risk-based remediation strategy 17
- 18. Why Risk based approach to remediation • Emphasis on what vulnerabilities are being exploited in the wild • Remediate these first to reduce exploit risk • Works well for CVE based vulnerabilities but less so for CWE only • But, as you will see, they can be complex & time consuming 18
- 19. 1. Adopt the MITRE CWE scoring model 19 • We can adopt the CWE scoring method to define risk • But you'd have to do this manually beyond the top 40 • Can be a useful manual gauge for focused remediation • Your AppSec tools need to allow CWE risk categorization
- 20. 2. Use threat intelligence tactically • Understand • What threat actors are doing? • How are they attacking? • What regions are they operating in? • What sectors are they targeting? • Figure out • Does any of this apply to me? 20
- 21. 3. Map your organization again Mitre Att&ck 21
- 22. 4. Combine for a unified view of risk 22 Driven by threat intelligence from multiple sources
- 23. 5. Drill into your applications, assess risk, remediate 23 Working view for all AppStaks in a single business area
- 24. Outpost24 Template 2019 4. Continuous retesting and verification to reduce Attack surface 24
- 25. Collaboration • Key to really understanding issues and knowing if you’ve fixed them • Are you able to message your tester at will to get answers? • Do you feel your in a partnership with your testing company? 25
- 26. 26 • Collaboration is important for verification • Ability to ask your testers to check you’ve fixed the problem – verification • Do this unlimited times through-out the subscription period Verification
- 27. Retest, regularly 27 Retesting of the application allows you to understand: •If things are being fixed organically across sprints •New vulnerabilities are being introduced •You're shrinking your attack surface Having this as part of your service is critical to managing and reducing your attack surface.
- 28. Outpost24 Template 2019 5. Create a continuous loop throughout the applications lifecycle 28
- 29. Adopt a continuous approach to application security 29
- 30. 5 Steps to drive Application security 30 Continuous attack surface discovery 1 Using Penetration testing as a service over traditional Pen Testing 2 Risk based prioritization of discovered vulnerabilities 3 Retesting and verification of findings 4 Continuously repeat the process throughout the applications lifecycle 5
Editor's Notes
- #3: Provide examples of what the tech assets are Start with this before NIST
- #15: Most security practitioners know about vulnerability assessment (looking for CVEs and misconfigured ports) - But how does that change when you delegate some trust to your cloud provider? Most security practitioners know about penetration testing - But applications are being released faster, and continue to be the richest targets for data breaches Where is your data stored, and who has access to it? Who are your users, and what systems and data do they have access to?