Copyright © 2020-2021 Secure Delivery. DEF CON 29 AppSec Village.
@rewtd
Scaling AppSec
through Education
DEF CON 29 - AppSec Village
About Secure Delivery
We provide a world-class, predictable and
proven programme of AppSec capability
improvement that measurably reduces
risk and scales as part of software delivery
Our structured approach to delivering
actionable AppSec knowledge is robust
and forms the foundation of OWASP’s
Open Application Security Curriculum.
Grant Ongers (rewtd)
Who I am.
CTO and co-founder of Secure Delivery
Current OWASP Global Foundation board member, I
am a firm believer in security enabling delivery not
blocking it.
Well-known in the international InfoSec community
(it's hard to forget the beard!), 10+ years of experience in
Dev, 20 years in Ops and 30 years in Sec (mostly white
hat) means I believe there's no such thing as
DevSecOps - just DevOps done right.
OWASP Open AppSec Curriculum project lead
OWASP Cornucopia project lead
Scaling Application Security in Large
Organisations
What is Application Security?
Application Security is an intrinsic quality
of the software systems you’re building and
of the processes used to deliver them.
Product
ISO 25010 product quality characteristics and their sub-characteristics:
Functional suitability: functional completeness, functional correctness, functional appropriateness
Performance efficiency: time behaviour, resource utilisation, capacity
Compatibility: co-existence, interoperability
Usability: learnability, operability, user error protection, accessibility
Reliability: maturity, availability, fault tolerance, recoverability
Security: confidentiality, integrity, non-repudiation, accountability / authenticity
Maintainability: modularity / reusability, analysability, modifiability, testability
Portability: adaptability, installability, replaceability
Mainly things that people can see | Mainly things that people can’t see
Security through change
Being secure
Delivering at pace
Our risk appetite
A security incident is a trailing
indicator of low product quality.
The four metrics that matter
Higher performing organisations produce, and derive more value from,
higher quality software delivered by their high-performing technology
functions.
Analysis [1] shows there are four metrics that are strong leading indicators of
high-performing organisations:
1. Lead time
2. Deployment frequency
3. Mean time to restore
4. Change fail percentage
[1] Forsgren, N., Kim, G. and Humble, J. (2018). Accelerate. IT Revolution Press.
Maintainability, Portability, Reliability, Compatibility... Security?
All the problems are in your code (the traditional focus)... Almost!
Kuhn, D., Raunak, M. and Kacker, R. (2016). An Analysis of Vulnerability Trends. NIST.
✓ Think about the performance impact of any changes during (sprint) planning and design
✓ Plan your overall system architecture with performance in mind
✓ Ensure everyone knows how to write performant code in the languages and frameworks you’re using
✓ Hire people with domain expertise in performance to train and work with teams and the wider business
✓ Peer-review code changes for the inevitable human mistakes that could affect performance
✓ Share known-performant code and internal libraries across teams
✓ Make performance a key consideration in the selection of any third-party services you depend on
✓ Automatically test all changes for performance regressions on every commit so developers can catch and
fix them early
✓ Prioritise performance fixes in your backlog / development cycles
✓ Inject comprehensive telemetry into your systems to closely monitor performance in production
✓ Investigate & fix performance incidents in production and widely publish findings across the organisation
to improve learning
✓ Have responsibility and accountability for performance with the people building the systems
Ensuring Performance In Your Systems
✓ Think about the security impact of any changes during (sprint) planning and design
✓ Plan your overall system architecture with security in mind
✓ Ensure everyone knows how to write secure code in the languages and frameworks you’re using
✓ Hire people with domain expertise in security to train and work with teams and the wider business
✓ Peer-review code changes for the inevitable human mistakes that could affect security
✓ Share known-secure code and internal libraries across teams
✓ Make security a key consideration in the selection of any third-party services you depend on
✓ Automatically test all changes for security regressions on every commit so developers can catch and fix
them early
✓ Prioritise security fixes in your backlog / development cycles
✓ Inject comprehensive telemetry into your systems to closely monitor security in production
✓ Investigate & fix security incidents in production and widely publish findings across the organisation to
improve learning
✓ Have responsibility and accountability for security with the people building the systems
Ensuring Security In Your Systems
Site Reliability Engineering
A proven way to ensure the reliability aspect of quality whilst moving quickly:
➔ Reliability experts building self-service platforms for product teams to
stay out of the delivery critical path and automating their own work
heavily to reduce “toil”
➔ Launch Engineers working closely with product teams to educate and set
them up for success with reliability from product launch
➔ Service Level Objectives quantify reliability requirements per-product
using a Service Level Indicator (uptime)
➔ “Hand the pager back” operating model provides backpressure on
development activities when a Service Level Objective is no longer met
Can we apply this
method to security?
Product Security Engineering...
Mapping SRE to Security
Site Reliability Engineering                                  | Product Security Engineering
Providing self-service platforms, automating own work heavily | ✓ (same)
Working closely with product teams and educating              | ✓ (same)
Service Level Objective                                       | Security Service Level Objective
Service Level Indicator                                       | Security Service Level Indicator
“Hand the pager back”, backpressure on development activities | “Express route” to production, “information radiators”
What to measure and track
● Teams, products & the parts that make up products (who is contributing to what? Get this from the code)
● A clear, direct measure of security quality
● Measures across ways of working (see the list of practices: peer reviews, training, check Jira for the age of security tickets, etc.)
● The four metrics that matter
SLOs at scale
● Up-to-date on security training
● Predictable, security-related project events
● Delivery process maturity & capabilities
● Direct measure of security quality
● Overall security level objective agreed
Providing backpressure is essential
● Make security capabilities of teams visible across the org:
dashboards, “information radiators”
● “Express Route” to production for teams meeting all
organisational requirements, additional checks on changes
from teams not assuring security themselves
● Make quality part of the delivery operating model. Clear
RACI on all aspects of product quality—product owners are
accountable for product quality and delivery teams are
responsible for delivering the level of quality the product
requires
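The measurement, SLO and backpressure slides above describe an operating model; the following is an added, illustrative implementation of it written for this page (not Secure Delivery's or OWASP's tooling). It turns per-team data into security SLIs, compares them with an agreed SLO and decides whether a team earns the express route to production or gets additional checks. The team records, the SLI definitions, the thresholds and the dashboard format are all assumptions.

```python
"""Security SLIs, an agreed SLO and the express-route decision (added example)."""
from dataclasses import dataclass
from typing import Dict, List

TRAINING_MAX_AGE_DAYS = 365    # assumed: security training counts as current for a year
TICKET_MAX_AGE_DAYS = 30       # assumed: an open security ticket older than this is overdue

# Assumed organisation-wide security level objective; derive yours from risk appetite.
SLO = {
    "training_current": 0.90,  # >= 90% of engineers trained within the year
    "ticket_age_ok": 0.95,     # >= 95% of open security tickets within 30 days
    "security_tests": 0.99,    # >= 99% of changes ran the automated security tests
    "peer_review": 1.00,       # every change peer reviewed before merge
}


@dataclass
class Team:
    name: str
    training_age_days: List[int]              # days since each engineer's last security training
    open_security_ticket_age_days: List[int]  # age of each open security ticket (e.g. from Jira)
    changes_with_security_tests: float        # share of changes that ran security tests on commit
    changes_peer_reviewed: float              # share of changes peer reviewed


def compute_slis(team: Team) -> Dict[str, float]:
    """Service level indicators in the range 0..1, one per objective."""
    trained = sum(1 for d in team.training_age_days if d <= TRAINING_MAX_AGE_DAYS)
    training_current = trained / len(team.training_age_days) if team.training_age_days else 0.0
    tickets = team.open_security_ticket_age_days
    fresh = sum(1 for d in tickets if d <= TICKET_MAX_AGE_DAYS)
    ticket_age_ok = fresh / len(tickets) if tickets else 1.0   # no open tickets is the ideal state
    return {
        "training_current": training_current,
        "ticket_age_ok": ticket_age_ok,
        "security_tests": team.changes_with_security_tests,
        "peer_review": team.changes_peer_reviewed,
    }


def evaluate(team: Team) -> dict:
    """Compare the SLIs with the SLO and pick the delivery route."""
    slis = compute_slis(team)
    breaches = sorted(name for name, target in SLO.items() if slis[name] < target)
    return {
        "team": team.name,
        "slis": slis,
        "breaches": breaches,
        # Meeting every objective earns the express route; any breach means the
        # security function adds checks to that team's changes (the backpressure).
        "route": "express" if not breaches else "additional-checks",
    }


def radiator(teams: List[Team]) -> List[str]:
    """One line per team for the information radiator / dashboard."""
    lines = []
    for team in teams:
        result = evaluate(team)
        status = "OK" if not result["breaches"] else "BREACH: " + ", ".join(result["breaches"])
        lines.append(f"{team.name:<10} {result['route']:<18} {status}")
    return lines


# Constructed sample data for two teams.
PAYMENTS = Team("payments", [10, 200, 364, 30], [3, 12], 1.00, 1.00)
SEARCH = Team("search", [10, 400, 20], [45, 2, 7], 0.97, 1.00)

if __name__ == "__main__":
    print("\n".join(radiator([PAYMENTS, SEARCH])))
```

The SLIs are deliberately computed from data the delivery process already produces (training records, ticket ages, pipeline results), so the radiator can be regenerated automatically rather than filled in by the security team.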
Security Defects and How to Find Them
Phases: design, code, build, automated tests, manual tests, production ops. Practices:
Secure software development training
Agile threat modelling
Static application security testing
Code inspections
Dynamic application security testing
Interactive application security testing
Mobile application security testing
FOSS/COTS dependency checks (SCA)
Infrastructure scanning
Penetration tests
Active monitoring
Runtime Application Self-Protection
https://youtu.be/clEu-sFKUDs
Secure Software Development Training
OWASP Application Security
Curriculum
● Open source initiative
○ OWASP, of course
● Based on OWASP standards
○ OWASP Top 10
○ OWASP Cornucopia
○ OWASP Application Security Verification Standard (ASVS)
○ OWASP Software Assurance Maturity Model (SAMM)
Developed in the open, made available to all and for anyone to contribute to.
Standing on the shoulders of giants.
Application Security Fundamentals
- OWASP Top 10
Why use the OWASP Top 10? It’s obviously not meant to be a standard, but it has
become the de facto standard since its adoption by the PCI Data Security Standard,
and it’s a good start.
The Top 10 team have said so.*
* Top 10 Project Team: https://owasp.org/www-project-top-ten/2017/Foreword.html
About the Top 10
The Top 10 Details: Issue Types
Input validation errors: Injection Attacks; XML External Entities (XXE); Cross Site Scripting (XSS); Insecure Deserialization
Access errors: Broken Authentication; Sensitive Data Exposure; Broken Access Control
Building errors: Security Misconfiguration; Insufficient Logging and Monitoring; Using Components with Known Vulnerabilities
ASC Foundation: Introduction to AppSec
Who is this aimed at? All of product delivery, from Product Owner to Engineer.
What are we covering? The basics of AppSec and the Top 10.
When are you able to take this course? Whenever: this is foundational, there are no prerequisites to taking it.
Why are we doing this? To provide everyone with the context and a basic understanding.
A2: Broken Authentication
// Very silly session IDs
https://example.com/userApp?sessionId=14632
https://example.com/userApp?sessionId=14633
https://example.com/userApp?sessionId=14634
// Default credentials
if (userName == 'admin' && password == 'letmein') { }
Application functions related to
authentication and session management
are often implemented incorrectly.
This allows attackers to compromise
passwords, keys, or session tokens, or to
exploit other implementation flaws to
assume other users’ identities temporarily
or permanently.
Prevention:
• Strong passwords & MFA. Use the
updated NIST guidance, it’s good now!
• Block or heavily rate limit repeated
authentication attempts
• Expire inactive sessions
• Never implicitly trust
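The A2 slide above shows the two "very silly" patterns but not their fix, so here is an added example written for this page (not code from the OWASP curriculum) that puts the vulnerable patterns next to a hardened equivalent: unpredictable session identifiers from the OS CSPRNG, salted scrypt password hashing compared in constant time, lockout after repeated failures, and expiry of idle sessions. The user store, the lockout policy and the session lifetime are assumptions; real values come from your own risk appetite.

```python
"""Broken Authentication: the vulnerable patterns beside a hardened version (added example)."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

# --- The vulnerable patterns from the slide ----------------------------------
_counter = 14631


def silly_session_id() -> str:
    """Sequential IDs: whoever sees 14633 can guess 14632 and 14634."""
    global _counter
    _counter += 1
    return str(_counter)


def silly_login(user_name: str, password: str) -> bool:
    """Hard-coded default credentials compared in plain text."""
    return user_name == "admin" and password == "letmein"


# --- Hardened equivalents (policy values are assumed) -------------------------
SESSION_IDLE_TIMEOUT_S = 15 * 60   # expire sessions idle for 15 minutes
MAX_FAILED_ATTEMPTS = 5            # lock the account after 5 failures...
LOCKOUT_WINDOW_S = 10 * 60         # ...within 10 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """scrypt with a per-user random salt (memory-hard, unlike a bare SHA-256)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


class AuthService:
    def __init__(self, users: Dict[str, Tuple[bytes, bytes]],
                 now: Callable[[], float] = time.time):
        self._users = users                       # user -> (salt, scrypt digest)
        self._now = now                           # injectable clock
        self._failures: Dict[str, List[float]] = {}
        self._sessions: Dict[str, Tuple[str, float]] = {}   # id -> (user, last seen)
        # Dummy record so unknown users cost the same scrypt work as real ones
        # (no username enumeration through response time).
        self._dummy = hash_password(secrets.token_hex(8))

    def _locked(self, user: str) -> bool:
        cutoff = self._now() - LOCKOUT_WINDOW_S
        recent = [t for t in self._failures.get(user, []) if t > cutoff]
        self._failures[user] = recent
        return len(recent) >= MAX_FAILED_ATTEMPTS

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a session id on success, None on failure or while locked out."""
        if self._locked(user):
            return None
        salt, expected = self._users.get(user, self._dummy)
        _, candidate = hash_password(password, salt)
        if user not in self._users or not hmac.compare_digest(candidate, expected):
            self._failures.setdefault(user, []).append(self._now())
            return None
        self._failures.pop(user, None)
        sid = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
        self._sessions[sid] = (user, self._now())
        return sid

    def user_for_session(self, sid: str) -> Optional[str]:
        """Resolve a session id, expiring sessions that have been idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        if self._now() - last_seen > SESSION_IDLE_TIMEOUT_S:
            del self._sessions[sid]
            return None
        self._sessions[sid] = (user, self._now())
        return user


def demo_users() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed user store with one account and a non-default password."""
    return {"alice": hash_password("correct horse battery staple")}


if __name__ == "__main__":
    svc = AuthService(demo_users())
    print(silly_session_id(), silly_session_id())       # 14632 14633: trivially guessable
    print(svc.login("alice", "letmein"))                 # None
    sid = svc.login("alice", "correct horse battery staple")
    print(sid, svc.user_for_session(sid))
```

The injectable clock is what makes the idle-expiry and lockout behaviour testable without sleeping; in production leave the default `time.time`. MFA, which the slide also calls for, sits on top of this flow and is not shown.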
Strong identity is the foundation of all security
It’s not all about user identity. Machine identity also very important.
Those of you building cloud-based services need to enforce strong
authentication EVERYWHERE. Know about Zero Trust. Work towards
it. NEVER implicitly trust a request because of its origin.
Cryptographically strong identity EVERYWHERE. Direct
Connect/ExpressRoute/Cloud Interconnect are EVIL.
How about for internal / admin services (do you auth properly even
there?!)
OWASP Application Security Curriculum, find it here:
https://owasp.org/www-project-application-security-curriculum/
https://github.com/OWASP/Application-Security-Curriculum
Application Security Intermediate
- OWASP Cornucopia
Why use Cornucopia? Well, it encourages secure-by-design thinking for
developers, and it simplifies the issues described in the Top 10 while making
them more generically applicable.
Kind of the OWASP Top 5.*
* Cornucopia Project Lead Grant Ongers: https://youtu.be/MnHCZozPHp4?t=995
About Cornucopia
https://youtu.be/BZVoQurTEMc
Cornucopia Details: Learning Areas
Cornucopia Details: Authentication
Verifying you are who you say you are; this is the basis of any auth
system and the part that’s most often attacked.
Cornucopia Details: Authorization
Verifying that you are permitted to
do what you are attempting to do,
this covers the realm of privilege
escalation.
Cornucopia Details: Session Management
Checking that Auth happens
regularly. Not every moment, not
every action but often enough. The
balance being all important.
Cornucopia Details: Cryptography
Whether this is encryption, or
hashing. Whether it’s on the wire, or
on disk, this is about protecting
secrets.
Really?
Cornucopia Details: Data Validation
Validating inputs and encoding outputs. This is basic hygiene when it
comes to allowing users to interface with your application.
Cornucopia Details: Miscellaneous
The trump suit that contains all of the general nasties you can imagine.
Cornucopia to Application
Security Curriculum
● Set up and play the game with developers (awkward! Developers don’t want AppSec folks there)
○ Guide them through the cards
● Encourage the cards’ use each sprint
○ Tagging stories in Jira (covers the “are they?”)
○ Retaining the score sheet (covers the “auditor asked”)
Application Security Tertiary Education
- OWASP ASVS
Why use the OWASP ASVS? It is a standard, it can be (and is) tested against,
and it spells out the requirements for a good product.
The Top 10 team & the ASVS team have said so.*
* ASVS Project Team: https://owasp.org/www-project-application-security-verification-standard/
ASVS Details: Suitability
ASVS Details: Applicability
ASVS Details: Learning Areas
Architecture: 43 items
Authentication: 57 items
Session Management: 20 items
Access Control: 10 items
Validation: 30 items
Stored Cryptography: 16 items
Error Handling and Logging: 13 items
Data Protection: 16 items
Communications: 8 items
Malicious Code: 10 items
Business Logic: 8 items
File and Resources: 15 items
API and Web Service: 15 items
Configuration: 24 items
286 total!
ASVS to AppSec Curriculum
● Each ASVS requirement is broken down:
○ Terms
○ Actions
● Each term is mapped to a unit
○ The weighting for each term is determined
● Each action is weighted
○ Bloom’s Taxonomy level (1 - 6)
Yes, all 286 of them! It’s a slow process.
AppSec Curriculum: Bloom’s
Taxonomy
Theoretically an action could be a 6, but we’ve seen none so far.
Generally for AppSec (in all cases we’ve seen) 2 has been the lowest.
1.4.5 - Verify that attribute or
feature-based access control is used
whereby the code checks the user's
authorization for a feature/data item rather
than just their role. Permissions should still
be allocated using roles.
unit: 'Authorization'
terms:
- 'feature-based access control'
- 'role'
- 'user'
- 'Permissions'
level: 2
unit: 'Application Development'
terms:
- 'feature'
- 'data item'
- 'the code'
level: 2
notes: 'The essence of this requirement seems to
be that authorization checks consider the
combination of all role/group/user level
permissions assigned, NOT just a single role
assignment. Suggest a rewording to make the
requirement clearer.'
TODO: create
https://www.owasp.org/www-community/controls/feature-based-access-control/
with info from:
Kim, Dae-Kyoo & Kim, Sangsig & Lu, Lunjin & Kim, Suntae & Park, Sooyong.
(2011). A feature-based approach for modeling role-based access control
systems. Journal of Systems and Software. 84. 2035-2052.
10.1016/j.jss.2011.03.084.
Actions
Application Security Industry Training
- OWASP SAMM
Why use OWASP SAMM? Well, to start with it’s prescriptive rather than
descriptive. It also complements the ASVS.
SAMM is often compared with BSIMM for this distinction.*
* SAMM Project Team: https://owaspsamm.org/blog/2020/10/29/comparing-bsimm-and-samm/
SAMM Details: Applicability
5 business functions, 3 security practices each, 3 maturity levels each, 2 streams each (90 activities in total)
SAMM Details: Learning Areas
Governance
Strategy & Metrics
Policy & Compliance
Education & Guidance
Design
Threat Assessment
Security Requirements
Secure Architecture
Implementation
Secure Build
Secure Deployment
Defect Management
Verification
Architecture Analysis
Requirements-driven Testing
Security Testing
Operations
Incident Management
Environment Management
Operational Management
What an idea!
SAMM to AppSec Curriculum
● Each SAMM activity is broken down:
○ Actions
○ Terms
● Each action is weighted
○ Bloom’s Taxonomy level (2 - 6)
● Each term is mapped to a unit
○ The weighting for each term is determined
Only 90 this time! Still takes a long time!
Implementation | Secure Build | Build Process
Maturity Level 1
Q: Do you have solid knowledge about
dependencies you're relying on?
Define the build process, breaking it down into a set of clear instructions to either be followed by a person or
an automated tool. The build process definition describes the whole process end-to-end so that the person or
tool can follow it consistently each time and produce the same result. The definition is stored centrally and
accessible to any tools or people. Avoid storing multiple copies as they may become unaligned and outdated.
The process definition does not include any secrets (specifically considering those needed during the build
process).
Review any build tools, ensuring that they are actively maintained by vendors and up-to-date with security
patches. Harden each tool’s configuration so that it is aligned with vendor guidelines and industry best
practices.
Determine a value for each generated artifact that can be later used to verify its integrity, such as a signature
or a hash. Protect this value and, if the artifact is signed, the private signing certificate.
Ensure that build tools are routinely patched and properly hardened.
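The Build Process activity above asks for an integrity value per artifact, protection of that value, and a build definition that carries no secrets. The following is an added example written for this page (not SAMM's or Secure Delivery's code) showing both checks: a manifest of SHA-256 digests sealed with an HMAC so it can be verified before deployment, and a scan of a build definition for literal secrets. The artifact bytes, the manifest layout, the MAC key, the build definition and the secret patterns are all constructed for this page; a real pipeline would seal the manifest with a private signing key kept outside the build environment rather than a shared HMAC key.

```python
"""Artifact integrity manifest and a secrets check on the build definition (added example)."""
import hashlib
import hmac
import json
import re

# Constructed stand-ins for files a build produced.
ARTIFACTS = {
    "app-1.4.2.jar": b"PK\x03\x04 constructed jar contents",
    "app-1.4.2-config.yaml": b"server:\n  port: 8443\n",
}
# Constructed key; in a real pipeline this lives in a secrets manager, never in
# the build definition, and a private signing key would take its place.
MANIFEST_KEY = b"constructed-manifest-key-do-not-use"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict, key: bytes) -> str:
    """Hash every artifact and seal the list with an HMAC, so a party that can
    alter both an artifact and the manifest still cannot forge it without the key."""
    entries = {name: digest(data) for name, data in sorted(artifacts.items())}
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(key, body.encode(), "sha256").hexdigest()
    return json.dumps({"artifacts": entries, "mac": tag})


def verify_manifest(manifest: str, artifacts: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means every artifact is intact."""
    doc = json.loads(manifest)
    body = json.dumps(doc["artifacts"], sort_keys=True)
    expected = hmac.new(key, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        return ["manifest MAC invalid"]   # do not trust any digest inside it
    problems = []
    for name, recorded in doc["artifacts"].items():
        if name not in artifacts:
            problems.append(f"{name}: missing")
        elif not hmac.compare_digest(recorded, digest(artifacts[name])):
            problems.append(f"{name}: digest mismatch")
    for name in artifacts:
        if name not in doc["artifacts"]:
            problems.append(f"{name}: not in manifest")
    return problems


# key: value pairs whose value is a literal rather than a ${...} reference.
SECRET_RE = re.compile(
    r"(?i)(password|secret|token|api[_-]?key)\s*[:=]\s*(?!\$)['\"]?[A-Za-z0-9_\-/+=]{8,}"
)


def find_secrets(build_definition: str) -> list:
    """Return (line number, line) for each line that embeds a literal secret."""
    hits = []
    for number, line in enumerate(build_definition.splitlines(), start=1):
        if SECRET_RE.search(line):
            hits.append((number, line.strip()))
    return hits


# Constructed build definition: one secret injected at run time (fine), one literal (not fine).
BUILD_DEFINITION = """\
steps:
  - run: mvn -B package
  - run: docker push registry.example/app:1.4.2
    env:
      REGISTRY_PASSWORD: ${REGISTRY_PASSWORD}   # injected at run time, fine
      API_KEY: sk_live_9f8e7d6c5b4a3210        # literal secret, must not be here
"""

if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS, MANIFEST_KEY)
    print(verify_manifest(manifest, ARTIFACTS, MANIFEST_KEY))   # []
    print(find_secrets(BUILD_DEFINITION))
```

Verification refuses to look at individual digests at all when the MAC fails, because a manifest whose seal is broken tells you nothing about the artifacts; and the secrets check deliberately accepts `${...}` references, which is how a build definition should obtain secrets from its environment.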
module: 'Release and Deployment'
terms:
- 'build process'
- 'process definition'
- 'build tools'
- 'artifact'
level: 2
module: 'Secrets Management'
terms:
- 'secrets'
level: 2
Actions
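The ASVS-to-curriculum and SAMM-to-curriculum slides above describe the same breakdown (terms mapped to a unit, a Bloom level per item) without showing how the records are rolled up. The following is an added example written for this page (not the curriculum project's own tooling) that aggregates the two mappings shown on the slides into a weighting per curriculum unit. The slides do not state the weighting rule, so the scoring here (a term's weight is the number of source items that cite it; a unit's level is the highest Bloom level among its items) is an assumption, as is the third, constructed record; ASVS "unit" and SAMM "module" are treated as the same field.

```python
"""Rolling up per-item curriculum mappings into a per-unit weighting (added example)."""
from collections import defaultdict
from typing import Dict, List

BLOOM = {1: "Remember", 2: "Understand", 3: "Apply", 4: "Analyse", 5: "Evaluate", 6: "Create"}

# The two mappings shown on the slides, plus one constructed record.
SOURCE_ITEMS = [
    {"source": "ASVS", "id": "1.4.5", "mappings": [
        {"unit": "Authorization", "level": 2,
         "terms": ["feature-based access control", "role", "user", "Permissions"]},
        {"unit": "Application Development", "level": 2,
         "terms": ["feature", "data item", "the code"]},
    ]},
    {"source": "SAMM", "id": "Implementation | Secure Build | Build Process | L1", "mappings": [
        {"unit": "Release and Deployment", "level": 2,
         "terms": ["build process", "process definition", "build tools", "artifact"]},
        {"unit": "Secrets Management", "level": 2, "terms": ["secrets"]},
    ]},
    {"source": "constructed", "id": "example-only", "mappings": [
        {"unit": "Authorization", "level": 3, "terms": ["role", "permissions"]},
    ]},
]


def validate(item: dict) -> None:
    """Reject records the curriculum tooling could not place."""
    for m in item["mappings"]:
        if m["level"] not in BLOOM:
            raise ValueError(f"{item['id']}: Bloom level must be 1..6, got {m['level']}")
        if not m["terms"]:
            raise ValueError(f"{item['id']}: mapping to {m['unit']} has no terms")


def unit_weighting(items: List[dict]) -> Dict[str, dict]:
    """Per unit: how often each term is cited, the highest Bloom level, and the sources."""
    units: Dict[str, dict] = defaultdict(
        lambda: {"terms": defaultdict(int), "level": 0, "sources": set()})
    for item in items:
        validate(item)
        for m in item["mappings"]:
            unit = units[m["unit"]]
            for term in m["terms"]:
                unit["terms"][term.lower()] += 1   # normalise case: Permissions == permissions
            unit["level"] = max(unit["level"], m["level"])
            unit["sources"].add(item["id"])
    return {
        name: {"terms": dict(u["terms"]), "level": u["level"], "bloom": BLOOM[u["level"]],
               "sources": sorted(u["sources"]), "weight": sum(u["terms"].values())}
        for name, u in units.items()
    }


if __name__ == "__main__":
    ranked = sorted(unit_weighting(SOURCE_ITEMS).items(), key=lambda kv: -kv[1]["weight"])
    for name, info in ranked:
        print(f"{name}: weight {info['weight']}, level {info['level']} ({info['bloom']}), "
              f"sources {info['sources']}")
```

Ranking units by weight gives a first cut of which curriculum units the standards lean on most, and the highest Bloom level per unit shows how deep the teaching for that unit has to go.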
Applying Training in Practice
Getting the AppSec Curriculum
● Foundations are out there and ready to be used.
● The Intermediate ASC requires learning a game.
● The Tertiary and Industry ASC needs your help.
ASC101 is available
Play the game!
The Future
Get Involved
Join the Project
https://owasp.org/www-project-application-security-curriculum/
https://github.com/OWASP/Application-Security-Curriculum
Sponsor the Project
https://owasp.org/www-policy/operational/grants
Give us your Feedback
grant.ongers@owasp.org
twitter.com/rewtd
@rewtd on Discord
Answer the Survey!
https://t.co/SiqeCBfg4D
Thank you!
We hope you’ve gotten a lot out of today’s
session.
Any questions or feedback just send an email
to feedback@securedelivery.io; we’re always
looking to improve on what we do.
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
lior mazor
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
10 things to get right for successful dev secops
10 things to get right for successful dev secops10 things to get right for successful dev secops
10 things to get right for successful dev secops
Mohammed Ahmed
 
4 approaches to integrate dev secops in development cycle
4 approaches to integrate dev secops in development cycle4 approaches to integrate dev secops in development cycle
4 approaches to integrate dev secops in development cycle
Enov8
 
How to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspectiveHow to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspective
Colin Domoney
 
Top 5 DevOps Technology trends for 2022
Top 5 DevOps Technology trends  for 2022Top 5 DevOps Technology trends  for 2022
Top 5 DevOps Technology trends for 2022
Neenanath3
 
Scale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBeesScale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBees
DevOps.com
 
Scale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBeesScale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBees
Deborah Schalm
 
Integrating Automated Testing into DevOps
Integrating Automated Testing into DevOpsIntegrating Automated Testing into DevOps
Integrating Automated Testing into DevOps
TechWell
 
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdfResolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
MobibizIndia1
 
Synopsys_site.pptx
Synopsys_site.pptxSynopsys_site.pptx
Synopsys_site.pptx
Arthur528009
 
5 Challenges of Moving Applications to the Cloud
5 Challenges of Moving Applications to the Cloud5 Challenges of Moving Applications to the Cloud
5 Challenges of Moving Applications to the Cloud
tCell
 
Infrastructure as Code in Large Scale Organizations
Infrastructure as Code in Large Scale OrganizationsInfrastructure as Code in Large Scale Organizations
Infrastructure as Code in Large Scale Organizations
XebiaLabs
 
SIG-product-overview.pdf
SIG-product-overview.pdfSIG-product-overview.pdf
SIG-product-overview.pdf
Aklnt
 
we45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA Chennaiwe45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA Chennai
Abhay Bhargav
 
2017-07-12 GovLoop: New Era of Digital Security
2017-07-12 GovLoop: New Era of Digital Security2017-07-12 GovLoop: New Era of Digital Security
2017-07-12 GovLoop: New Era of Digital Security
Shawn Wells
 
Embrace DevSecOps for Modern Payment Apps
Embrace DevSecOps for Modern Payment AppsEmbrace DevSecOps for Modern Payment Apps
Embrace DevSecOps for Modern Payment Apps
Opus
 
Democratizing security
Democratizing securityDemocratizing security
Democratizing security
Sanjeev Sharma
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
lior mazor
 
Ad

Recently uploaded (20)

WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New VersionPixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
saimabibi60507
 
Download YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full ActivatedDownload YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full Activated
saniamalik72555
 
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
AxisTechnolabs
 
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceHow to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud Performance
ThousandEyes
 
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
ssuserb14185
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 
Revolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptxRevolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptx
nidhisingh691197
 
Adobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest VersionAdobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest Version
kashifyounis067
 
FL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full VersionFL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full Version
tahirabibi60507
 
Top 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docxTop 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docx
Portli
 
Kubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptxKubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptx
CloudScouts
 
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Eric D. Schabell
 
Solidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license codeSolidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license code
aneelaramzan63
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Lionel Briand
 
Meet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Meet the Agents: How AI Is Learning to Think, Plan, and CollaborateMeet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Meet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Maxim Salnikov
 
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
Andre Hora
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New VersionPixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
saimabibi60507
 
Download YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full ActivatedDownload YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full Activated
saniamalik72555
 
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
AxisTechnolabs
 
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceHow to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud Performance
ThousandEyes
 
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
ssuserb14185
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 
Revolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptxRevolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptx
nidhisingh691197
 
Adobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest VersionAdobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest Version
kashifyounis067
 
FL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full VersionFL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full Version
tahirabibi60507
 
Top 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docxTop 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docx
Portli
 
Kubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptxKubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptx
CloudScouts
 
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Eric D. Schabell
 
Solidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license codeSolidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license code
aneelaramzan63
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Lionel Briand
 
Meet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Meet the Agents: How AI Is Learning to Think, Plan, and CollaborateMeet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Meet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Maxim Salnikov
 
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
Andre Hora
 
Ad

Scaling AppSec through Education

  • 1. Copyright © 2020-2021 Secure Delivery. DEF CON 29 AppSec Village. @rewtd Scaling AppSec through Education DEF CON 29 - AppSec Village
  • 2. About Secure Delivery. We provide a world-class, predictable and proven programme of AppSec capability improvement that measurably reduces risk and scales as part of software delivery. Our structured approach to delivering actionable AppSec knowledge is robust and forms the foundation of OWASP's Open Application Security Curriculum.
  • 3. Grant Ongers (rewtd). Who I am: CTO and co-founder of Secure Delivery. Current OWASP Global Foundation board member; I am a firm believer in security enabling delivery, not blocking it. Well-known in the international InfoSec community (it's hard to forget the beard!); 10+ years of experience in Dev, 20 years in Ops and 30 years in Sec (mostly white hat) means I believe there's no such thing as DevSecOps, just DevOps done right. OWASP Open AppSec Curriculum project lead. OWASP Cornucopia project lead.
  • 4. Scaling Application Security in Large Organisations
  • 5. What is Application Security?
  • 6. Application Security is an intrinsic quality of the software systems you're building and of the processes used to deliver them. (Slide label: Product)
  • 7. ISO 25010 product quality characteristics, with the sub-characteristics shown on the slide:
    FUNCTIONAL SUITABILITY: functional completeness, functional correctness, functional appropriateness
    PERFORMANCE EFFICIENCY: time behaviour, resource utilisation, capacity
    COMPATIBILITY: co-existence, interoperability
    USABILITY: learnability, operability, user error protection, accessibility
    RELIABILITY: availability, fault tolerance, recoverability, maturity
    SECURITY: integrity, non-repudiation, accountability / authenticity, confidentiality
    MAINTAINABILITY: analysability, modifiability, modularity / reusability, testability
    PORTABILITY: installability, adaptability, replaceability
    Slide annotation: "Mainly things that people can see" versus "Mainly things that people can't see".
  • 8. Security through change: BEING SECURE, DELIVERING AT PACE, OUR RISK APPETITE.
  • 9. A security incident is a trailing indicator of low product quality.
  • 10. The four metrics that matter. Higher performing organisations produce, and derive more value from, higher quality software delivered by their high-performing technology functions. Analysis¹ shows there are four metrics that are strong leading indicators of high performing organisations:
    1. Lead time
    2. Deployment frequency
    3. Mean time to restore
    4. Change fail percentage
    ¹ Forsgren, N., Kim, G. and Humble, J., 2018. Accelerate. IT Revolution Press.
    Slide annotation: Maintainability, Portability, Reliability, Compatibility, Security?
  • 11. All the problems are in your code (the TRADITIONAL FOCUS). Almost! Source: Kuhn, D., Raunak, M. and Kacker, R. (2016). An Analysis of Vulnerability Trends. NIST.
  • 12. Ensuring Performance In Your Systems
    ✓ Think about the performance impact of any changes during (sprint) planning and design
    ✓ Plan your overall system architecture with performance in mind
    ✓ Ensure everyone knows how to write performant code in the languages and frameworks you're using
    ✓ Hire people with domain expertise in performance to train and work with teams and the wider business
    ✓ Peer-review code changes for the inevitable human mistakes that could affect performance
    ✓ Share known-performant code and internal libraries across teams
    ✓ Make performance a key consideration in the selection of any third-party services you depend on
    ✓ Automatically test all changes for performance regressions on every commit so developers can catch and fix them early
    ✓ Prioritise performance fixes in your backlog / development cycles
    ✓ Inject comprehensive telemetry into your systems to closely monitor performance in production
    ✓ Investigate & fix performance incidents in production and widely publish findings across the organisation to improve learning
    ✓ Have responsibility and accountability for performance with the people building the systems
  • 13. Ensuring Security In Your Systems (slide 12's checklist with "performance" struck out and replaced by "security")
    ✓ Think about the security impact of any changes during (sprint) planning and design
    ✓ Plan your overall system architecture with security in mind
    ✓ Ensure everyone knows how to write secure code in the languages and frameworks you're using
    ✓ Hire people with domain expertise in security to train and work with teams and the wider business
    ✓ Peer-review code changes for the inevitable human mistakes that could affect security
    ✓ Share known-secure code and internal libraries across teams
    ✓ Make security a key consideration in the selection of any third-party services you depend on
    ✓ Automatically test all changes for security regressions on every commit so developers can catch and fix them early
    ✓ Prioritise security fixes in your backlog / development cycles
    ✓ Inject comprehensive telemetry into your systems to closely monitor security in production
    ✓ Investigate & fix security incidents in production and widely publish findings across the organisation to improve learning
    ✓ Have responsibility and accountability for security with the people building the systems
  • 14. Site Reliability Engineering. A proven way to ensure the reliability aspect of quality whilst moving quickly:
    ➔ Reliability experts building self-service platforms for product teams, to stay out of the delivery critical path, and automating their own work heavily to reduce "toil"
    ➔ Launch Engineers working closely with product teams to educate and set them up for success with reliability from product launch
    ➔ Service Level Objectives quantify reliability requirements per product using a Service Level Indicator (uptime)
    ➔ "Hand the pager back" operating model provides backpressure on development activities when a Service Level Objective is no longer met
    Can we apply this method to security?
  • 15. Product Security Engineering...
  • 16. Mapping SRE to Security
    Site Reliability Engineering                                   | Product Security Engineering
    Providing self-service platforms, automating own work heavily  | ✓ (the same)
    Working closely with product teams and educating               | ✓ (the same)
    Service Level Objective                                        | Security Level Objective
    Service Level Indicator                                        | Security Level Indicator
    "Hand the pager back", backpressure on development activities  | "Express route" to production; "Information radiators"
  • 17. What to measure and track
    ● Teams, products & the parts that make up products
    ● A clear, direct measure of security quality
    ● Measures across ways of working
    ● The four metrics that matter
    Slide annotations: "Who is contributing to what? Get this from the code." and "See the list of practices: peer reviews, training, check JIRA for age of security tickets, etc."
  • 18. SLOs at scale. An overall security level objective is agreed, built from:
    ● Up-to-date on security training
    ● Predictable, security-related project events
    ● Delivery process maturity & capabilities
    ● Direct measure of security quality
  • 19. Providing backpressure is essential
    ● Make security capabilities of teams visible across the org: dashboards, "information radiators"
    ● "Express Route" to production for teams meeting all organisational requirements; additional checks on changes from teams not assuring security themselves
    ● Make quality part of the delivery operating model. Clear RACI on all aspects of product quality: product owners are accountable for product quality and delivery teams are responsible for delivering the level of quality the product requires
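One way to make the Security Level Objective and "express route" idea from slides 16 to 19 concrete, as an added example (this is not code from the talk, from Secure Delivery or from OWASP): three Security Level Indicators are derived from the kinds of signals the slides name (training currency, age of open security tickets from the issue tracker, peer-review coverage from the code host), compared against agreed SLOs, and turned into a per-team delivery route for an information radiator. The field names, thresholds and team data are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


# Constructed per-team snapshot; the field names are assumptions, not a real data source.
@dataclass
class TeamSnapshot:
    team: str
    engineers: int
    trained_last_12_months: int                              # from the training system
    open_security_ticket_ages_days: List[int] = field(default_factory=list)  # from the tracker
    reviewed_changes: int = 0                                # from the code host
    total_changes: int = 0


# Security Level Objectives agreed with the organisation (constructed thresholds).
SLO = {
    "training_currency": 0.90,   # share of engineers current on security training
    "max_ticket_age_days": 30,   # oldest open security ticket, in days
    "peer_review_rate": 0.95,    # share of changes that were peer reviewed
}


def indicators(s: TeamSnapshot) -> Dict[str, float]:
    """Security Level Indicators derived from the raw signals."""
    return {
        "training_currency": s.trained_last_12_months / s.engineers if s.engineers else 0.0,
        "max_ticket_age_days": max(s.open_security_ticket_ages_days, default=0),
        "peer_review_rate": s.reviewed_changes / s.total_changes if s.total_changes else 1.0,
    }


def breaches(s: TeamSnapshot) -> List[str]:
    """Names of the SLOs the team currently misses (empty list means all are met)."""
    sli = indicators(s)
    missed = []
    if sli["training_currency"] < SLO["training_currency"]:
        missed.append("training_currency")
    if sli["max_ticket_age_days"] > SLO["max_ticket_age_days"]:
        missed.append("max_ticket_age_days")
    if sli["peer_review_rate"] < SLO["peer_review_rate"]:
        missed.append("peer_review_rate")
    return missed


def delivery_route(s: TeamSnapshot) -> str:
    """Backpressure: teams meeting every SLO take the express route, the rest get extra checks."""
    return "express" if not breaches(s) else "additional-checks"


def radiator(snapshots: List[TeamSnapshot]) -> List[Dict[str, object]]:
    """Rows for an information radiator: one per team, visible across the organisation."""
    return [{"team": s.team, "route": delivery_route(s), "missed": breaches(s)}
            for s in snapshots]


# Constructed sample data: one team meeting every objective, one missing all three.
SAMPLE = [
    TeamSnapshot("payments", 10, 10, [3, 12], 98, 100),
    TeamSnapshot("search", 8, 5, [45], 80, 100),
]

if __name__ == "__main__":
    for row in radiator(SAMPLE):
        print(row)
```

The route is deliberately binary: the slide's point is that the backpressure is automatic and visible, not that the scoring is sophisticated. In a real programme the indicators would be pulled from the code host, tracker and training system rather than typed in.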
  • 20. Security Defects and How to Find Them. Phases: DESIGN, CODE, BUILD, AUTOMATED TESTS, MANUAL TESTS, PRODUCTION OPS. Techniques: secure software development training; agile threat modelling; static application security testing; code inspections; dynamic application security testing; interactive application security testing; mobile application security testing; FOSS/COTS dependency checks (SCA); infrastructure scanning; penetration tests; active monitoring; Runtime Application Self-Protection. https://youtu.be/clEu-sFKUDs
  • 21. Secure Software Development Training
  • 22. OWASP Application Security Curriculum
    ● Open source initiative
      ○ OWASP, of course
    ● Based on OWASP standards ("standing on the shoulders of giants")
      ○ OWASP Top 10
      ○ OWASP Cornucopia
      ○ OWASP Application Security Verification Standard (ASVS)
      ○ OWASP Software Assurance Maturity Model (SAMM)
    Developed in the open, made available to all and for anyone to contribute to.
  • 23. Application Security Fundamentals - OWASP Top 10
  • 24. Why use the OWASP Top 10? It's obviously not meant to be a standard. But it has become the de facto standard since its adoption by the PCI Data Security Standard, and it's a good start. The Top 10 team have said so.* (* Top 10 project team: https://owasp.org/www-project-top-ten/2017/Foreword.html)
  • 25. About the Top 10
  • 26. The Top 10 Details: Issue Types
    INPUT VALIDATION (Input Validation Errors): Injection Attacks; XML External Entities (XXE); Cross Site Scripting (XSS); Insecure Deserialization
    ACCESS (Access Errors): Broken Authentication; Sensitive Data Exposure; Broken Access Control
    BUILD (Building Errors): Security Misconfiguration; Insufficient Logging and Monitoring; Using Components with Known Vulnerabilities
  • 27. OWASP Foundation (owasp.org). ASC Foundation: Introduction to AppSec
    Who is this aimed at? All of product delivery, from Product Owner to Engineer.
    What are we covering? The basics of AppSec and the Top 10.
    When are you able to take this course? Whenever: this is foundational; there are no prerequisites to taking it.
    Why are we doing this? To provide everyone with the context and basic understanding.
  • 28. A2: Broken Authentication
    // Very silly session IDs
    https://example.com/userApp?sessionId=14632
    https://example.com/userApp?sessionId=14633
    https://example.com/userApp?sessionId=14634
    // Default credentials
    if (userName == 'admin' && password == 'letmein') { }
    Application functions related to authentication and session management are often implemented incorrectly. This allows attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
    Prevention:
    • Strong passwords & MFA. Use the updated NIST guidance, it's good now!
    • Block or heavily rate limit repeated authentication attempts
    • Expire inactive sessions
    • Never implicitly trust
    Slide notes: Strong identity is the foundation of all security. It's not all about user identity; machine identity is also very important. Those of you building cloud-based services need to enforce strong authentication EVERYWHERE. Know about Zero Trust. Work towards it. NEVER implicitly trust a request because of its origin. Cryptographically strong identity EVERYWHERE. Direct Connect/ExpressRoute/Cloud Interconnect are EVIL. How about for internal / admin services (do you auth properly even there?!)
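The two anti-patterns on slide 28 next to a hardened version of the same functions, as an added example (this is not code from the talk or from the OWASP curriculum): the sequential session ID and the hard-coded default credential are kept deliberately weak, and the `AuthService` class below is an assumed design that applies the slide's prevention list: a length-based password rule in the spirit of NIST SP 800-63B, a lock-out after repeated failures, idle-session expiry, and unguessable session tokens. The iteration count, timeout and lock-out values are assumptions to tune for production.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# --- The anti-patterns from the slide (kept deliberately weak) ----------------------
_next_id = 14631


def silly_session_id() -> int:
    """Sequential IDs: whoever holds 14632 can simply try 14633, 14634, ..."""
    global _next_id
    _next_id += 1
    return _next_id


def silly_login(user_name: str, password: str) -> bool:
    """Hard-coded default credential, exactly as on the slide."""
    return user_name == 'admin' and password == 'letmein'


# --- Hardened version (assumed design; constants are assumptions) -------------------
PBKDF2_ITERATIONS = 100_000       # raise for production hardware
SESSION_IDLE_TIMEOUT = 15 * 60    # expire inactive sessions (seconds)
MAX_FAILURES = 5                  # failed attempts before the account is throttled
LOCKOUT_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now                                    # injectable clock for testing
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, digest)
        self.sessions: Dict[str, Dict[str, object]] = {}  # token -> {'user', 'last_seen'}
        self.failures: Dict[str, Tuple[int, float]] = {}  # user -> (count, locked_until)

    def register(self, user_name: str, password: str) -> None:
        # NIST SP 800-63B favours length over composition rules; 8 is the floor used here.
        if len(password) < 8:
            raise ValueError('password too short')
        self.users[user_name] = hash_password(password)

    def login(self, user_name: str, password: str) -> Optional[str]:
        """Returns a session token, or None on failure or while the account is throttled."""
        count, locked_until = self.failures.get(user_name, (0, 0.0))
        if self.now() < locked_until:
            return None                                   # rate limited: do not even check
        salt, digest = self.users.get(user_name, (b'\x00' * 16, b''))
        _, attempt = hash_password(password, salt)        # hash for unknown users too: no timing oracle
        if not digest or not hmac.compare_digest(attempt, digest):
            count += 1
            locked_until = self.now() + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
            self.failures[user_name] = (count, locked_until)
            return None
        self.failures.pop(user_name, None)
        token = secrets.token_urlsafe(32)                 # 256 random bits: not guessable
        self.sessions[token] = {'user': user_name, 'last_seen': self.now()}
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Maps a presented token to a user name, expiring idle sessions on the way."""
        session = self.sessions.get(token)
        if session is None:
            return None
        if self.now() - float(session['last_seen']) > SESSION_IDLE_TIMEOUT:
            del self.sessions[token]
            return None
        session['last_seen'] = self.now()
        return str(session['user'])
```

Two details matter more than they look: the password is hashed even when the user does not exist, so response time does not reveal which user names are valid, and the throttle check happens before any hashing, so a locked account costs the attacker nothing but also tells them nothing new.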
  • 29. OWASP Application Security Curriculum. Find it here: https://owasp.org/www-project-application-security-curriculum/ and https://github.com/OWASP/Application-Security-Curriculum
  • 30. Application Security Intermediate - OWASP Cornucopia
  • 31. Why use Cornucopia? Well, it encourages secure-by-design thinking for developers, and because it simplifies the issues described in the Top 10 while making them more generically applicable. Kind of the OWASP Top 5.* (* Cornucopia project lead Grant Ongers: https://youtu.be/MnHCZozPHp4?t=995)
  • 32. About Cornucopia: https://youtu.be/BZVoQurTEMc
  • 33. Cornucopia Details: Learning Areas
  • 34. Cornucopia Details: Authentication. Verifying you are who you say you are; this is the basis of any auth system and the part that's most often attacked.
  • 35. Cornucopia Details: Authorization. Verifying that you are permitted to do what you are attempting to do; this covers the realm of privilege escalation.
  • 36. Cornucopia Details: Session Management. Checking that auth happens regularly. Not every moment, not every action, but often enough; the balance being all important.
  • 37. Cornucopia Details: Cryptography. Whether this is encryption or hashing, whether it's on the wire or on disk, this is about protecting secrets. (Slide annotation: Really?)
  • 38. Cornucopia Details: Data Validation. Validating inputs and encoding outputs. This is basic hygiene when it comes to allowing users to interface with your application.
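An added example for the Data Validation suit (slide 38) and the injection and XSS entries of slide 26 (this is not code from the talk, from Cornucopia or from the OWASP curriculum): a string-built SQL query beside its parameterised replacement with allow-list input validation, and an unencoded HTML template beside context-aware output encoding. The table, rows and payloads are constructed; SQLite's in-memory database is used only so the injection can be run offline.

```python
import html
import sqlite3
from typing import List, Tuple
from urllib.parse import quote


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


# --- Input side ---------------------------------------------------------------------
def find_user_vulnerable(db: sqlite3.Connection, name: str) -> List[Tuple[str]]:
    """User input concatenated into the SQL text: classic injection."""
    return db.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()


def valid_username(name: str) -> bool:
    """Allow-list validation: short, ASCII, alphanumeric. Anything else is rejected."""
    return 1 <= len(name) <= 32 and name.isascii() and name.isalnum()


def find_user(db: sqlite3.Connection, name: str) -> List[Tuple[str]]:
    """Validation first, then a parameterised query so data can never become SQL."""
    if not valid_username(name):
        raise ValueError("invalid username")
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# --- Output side --------------------------------------------------------------------
def render_greeting_vulnerable(name: str) -> str:
    """Untrusted value dropped straight into HTML: reflected XSS."""
    return "<p>Hello " + name + "</p>"


def render_greeting(name: str) -> str:
    """Encode for the HTML text context the value lands in."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


def profile_link(name: str) -> str:
    """Two contexts, two encodings: percent-encode the URL path segment, then
    HTML-escape both the attribute value and the visible text."""
    href = "/users/" + quote(name, safe="")
    return '<a href="' + html.escape(href, quote=True) + '">' + html.escape(name) + '</a>'
```

The validation and the parameterised query are not alternatives: validation shrinks the input space and gives a clean error early, while the parameter binding is what actually guarantees the database never parses user data as SQL. On the output side, the encoding must match the context (text, attribute, URL), which is why `profile_link` applies two different encoders to the same value.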
  • 39. Copyright © 2020-2021 Secure Delivery. DEF CON 29 AppSec Village. @rewtd Cornucopia Details: Miscellaneous The trump suite that contains all of the general nasties you can imagine.
  • 40. Copyright © 2020-2021 Secure Delivery. DEF CON 29 AppSec Village. @rewtd Cornucopia to Application Security Curriculum ● Set up and play the game with developers ○ Guide them through the cards ● Encourage the cards use each sprint ○ Tagging stories in Jira ○ Retaining the score sheet Awkward! Developers don’t want AppSec folks there 1. Covers the “are they?” 2. Covers the “auditor asked” Twitter
  • 41. Copyright © 2020-2021 Secure Delivery. DEF CON 29 AppSec Village. @rewtd Application Security Tertiary Education - OWASP ASVS
  • 42. Copyright © 2020-2021 Secure Delivery. DEF CON 29 AppSec Village. @rewtd Why use the OWASP ASVS? It is a standard, it can be (and is) tested against, and it spells out the requirements for a good product, The Top 10 Team & the ASVS Team have said so * * ASVS Project Team https://owasp.org/www-project-application-security-verification-standard/
  • 43. Copyright © 2020-2021 Secure Delivery. DEF CON 29 AppSec Village. @rewtd ASVS Details: Suitability
  • 44. Copyright © 2020-2021 Secure Delivery. DEF CON 29 AppSec Village. @rewtd ASVS Details: Applicability
  • 45. Copyright © 2020-2021 Secure Delivery. DEF CON 29 AppSec Village. @rewtd ASVS Details: Learning Areas Architecture 43 items Authentication 57 items Session Management 20 items Access Control 10 items Validation 30 items Stored Cryptography 16 items Error Handling and Logging 13 items Data Protection 16 items Communications 8 items Malicious Code 10 items Business Logic 8 items File and Resources 15 items API and Web Service 15 items Configuration 24 items 286 total!
  • 46. Copyright © 2020-2021 Secure Delivery. DEF CON 29 AppSec Village. @rewtd ● Each ASVS Requirement is broken down: ○ Terms ○ Actions ● Each Term is mapped to a Unit ○ The weighting for each term is determined ● Each Action is Weighed ○ Bloom’s Taxonomy level (1 - 6) ASVS to AppSec Curriculum Yes, All 286 of them! It’s slow process
  • 47. Copyright © 2020-2021 Secure Delivery. DEF CON 29 AppSec Village. @rewtd AppSec Curriculum: Bloom’s Taxonomy Theoretically could be a 6, but we’ve seen none so far Generally for AppSec (in all cases we’ve seen) 2 has been the lowest
  • 48. Copyright © 2020-2021 Secure Delivery. DEF CON 29 AppSec Village. @rewtd 1.4.5 - Verify that attribute or feature-based access control is used whereby the code checks the user's authorization for a feature/data item rather than just their role. Permissions should still be allocated using roles. unit: 'Authorization' terms: - 'feature-based access control' - 'role' - 'user' - 'Permissions' level: 2 unit: 'Application Development' terms: - 'feature' - 'data item' - 'the code' level: 2 notes: 'The essence of this requirement seems to be that authorization checks consider the combination of all role/group/user level permissions assigned, NOT just a single role assignment. Suggest a rewording to make the requirement clearer.' TODO: create https://www.owasp.org/www-community/controls/feature-based-access-control/ with info from: Kim, Dae-Kyoo & Kim, Sangsig & Lu, Lunjin & Kim, Suntae & Park, Sooyong. (2011). A feature-based approach for modeling role-based access control systems. Journal of Systems and Software. 84. 2035-2052. 10.1016/j.jss.2011.03.084. Actions
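An added example (not from the talk, the ASVS or the curriculum project) of what requirement 1.4.5 asks the code to do: permissions are still allocated to roles, but the check combines every role, user-level and per-item grant and tests the feature/action, never the role name. The roles, permission pairs and users below are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample policy: permissions are allocated to roles, as 1.4.5
# says they should be, expressed as (feature, action) pairs.
ROLE_PERMISSIONS = {
    "viewer":  {("invoice", "read")},
    "editor":  {("invoice", "read"), ("invoice", "update")},
    "finance": {("invoice", "read"), ("invoice", "approve")},
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # User-level grants on top of roles (e.g. a time-limited delegation).
    user_grants: set = field(default_factory=set)
    # Per data item grants: item id -> {(feature, action)}.
    item_grants: dict = field(default_factory=dict)

def effective_permissions(user, item=None):
    """Combine every role, the user-level grants and the grants on this item,
    which is the 'combination of all role/group/user level permissions' the
    curriculum note on this requirement describes."""
    perms = set(user.user_grants)
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())  # unknown role grants nothing
    if item is not None:
        perms |= user.item_grants.get(item, set())
    return perms

def is_authorized(user, feature, action, item=None):
    """The check the code should make: is this feature/action permitted for
    this user on this item? A policy change needs no code change."""
    return (feature, action) in effective_permissions(user, item)

def is_authorized_role_only(user, action):
    """The pattern 1.4.5 steers away from: the code tests a role name, so a
    user whose permission comes from a second role, a direct grant or an item
    grant is refused, and every policy change is a code change."""
    required_role = {"read": "viewer", "update": "editor", "approve": "finance"}
    return required_role[action] in user.roles
```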
  • 49. Application Security Industry Training - OWASP SAMM
  • 50. Why use OWASP SAMM? Well, to start with it's prescriptive rather than descriptive. It also complements the ASVS. SAMM is often compared with BSIMM for this distinction.* (* SAMM Project Team: https://owaspsamm.org/blog/2020/10/29/comparing-bsimm-and-samm/)
  • 51. SAMM Details: Applicability. 5 business functions, 3 practices each, 2 streams each, 3 maturity levels (90 total).
  • 52. SAMM Details: Learning Areas
    Governance: Strategy & Metrics, Policy & Compliance, Education & Guidance
    Design: Threat Assessment, Security Requirements, Secure Architecture
    Implementation: Secure Build, Secure Deployment, Defect Management
    Verification: Architecture Analysis, Requirements-driven Testing, Security Testing
    Operations: Incident Management, Environment Management, Operational Management
    What an idea!
  • 53. SAMM to AppSec Curriculum
    ● Each SAMM Activity is broken down:
      ○ Actions
      ○ Terms
    ● Each Action is weighted
      ○ Bloom's Taxonomy level (2 - 6)
    ● Each Term is mapped to a Unit
      ○ The weighting for each term is determined
    Only 90 this time! Still takes a long time!
  • 54. Implementation | Secure Build | Build Process, Maturity Level 1. Q: Do you have solid knowledge about dependencies you're relying on? Define the build process, breaking it down into a set of clear instructions to either be followed by a person or an automated tool. The build process definition describes the whole process end-to-end so that the person or tool can follow it consistently each time and produce the same result. The definition is stored centrally and accessible to any tools or people. Avoid storing multiple copies as they may become unaligned and outdated. The process definition does not include any secrets (specifically considering those needed during the build process). Review any build tools, ensuring that they are actively maintained by vendors and up-to-date with security patches. Harden each tool's configuration so that it is aligned with vendor guidelines and industry best practices. Determine a value for each generated artifact that can be later used to verify its integrity, such as a signature or a hash. Protect this value and, if the artifact is signed, the private signing certificate. Ensure that build tools are routinely patched and properly hardened.
    - module: 'Release and Deployment'
      terms:
        - 'build process'
        - 'process definition'
        - 'build tools'
        - 'artifact'
      level: 2
    - module: 'Secrets Management'
      terms:
        - 'secrets'
      level: 2
    Actions
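An added example (not from the talk or the SAMM project) of two of the actions on this slide: an integrity value per generated artifact with a verification that fails closed, and a check that the centrally stored build definition carries no inline secrets. The artifacts, the build definition and the secret-matching patterns are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed artifacts standing in for real build outputs.
ARTIFACTS = {
    "app.jar": b"\xca\xfe\xba\xbe constructed jar bytes",
    "app.sbom.json": b'{"components": []}',
}

def integrity_manifest(artifacts):
    """One integrity value (SHA-256 here; a signature would also do) per
    artifact. The manifest, like a signing key, is what must be protected."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}

def verify_artifact(manifest, name, data):
    """Recompute and compare in constant time; an artifact the manifest does
    not list fails rather than passing by default."""
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, hashlib.sha256(data).hexdigest())

# Constructed heuristics for inline secrets. A reference into a secrets store
# such as ${VAULT_DB_PASSWORD} is fine; a literal value beside the key is not.
SECRET_PATTERNS = [
    re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*(?!\$\{)\S+"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),  # shape of an AWS access key id
]

def secrets_in_definition(build_definition):
    """1-based line numbers of the build definition that carry a secret inline."""
    return [n for n, line in enumerate(build_definition.splitlines(), start=1)
            if any(p.search(line) for p in SECRET_PATTERNS)]

# Constructed build definition: one store reference (allowed), one literal (not).
BUILD_DEFINITION = """\
steps:
  - run: mvn -B package
    env:
      DB_PASSWORD: ${VAULT_DB_PASSWORD}
  - run: ./upload.sh
    env:
      API_KEY: sk_live_constructed_example
"""
```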
  • 55. Applying Training in Practice
  • 56. Getting the AppSec Curriculum
    ● Foundations are out there and ready to be used.
    ● The Intermediate ASC requires learning a game.
    ● The Tertiary and Industry ASC need your help.
    ASC101 is available. Play the game!
  • 57. The Future
  • 58. Get Involved
    Join the Project: https://owasp.org/www-project-application-security-curriculum/ and https://github.com/OWASP/Application-Security-Curriculum
    Sponsor the Project: https://owasp.org/www-policy/operational/grants
    Give us your Feedback: [email protected], twitter.com/rewtd, @rewtd on Discord
  • 59. Answer the Survey! https://t.co/SiqeCBfg4D
  • 60. Thank you! We hope you've gotten a lot out of today's session. Any questions or feedback, just send an email to [email protected]; we're always looking to improve on what we do.