Application Security Foundations Level 1

My notes from Application Security Foundations Level 1 by the WeHackPurple Community

About this Course
  • History Lesson
    • 1995 - 1st bug bounty program by Netscape
    • 1996 - Smashing the stack for fun and profit on buffer overflow attacks
    • 2001 - OWASP was founded
    • 2006 - Microsoft publishes its book on the SDL (Security Development Lifecycle)
    • 2008 - Verizon breach report
    • Insecure software
    • 2020 - Alice and Bob Learn Application Security is published
    • Tech Support - community@wehackpurple.com
  • Definitions
    • What is AppSec?
    • Secure Code review
    • Pentesting
    • SCA
  • Application Security Program
    • Formalised Steps
    • Adding Security tools
    • Creating Security requirements
    • Enforcing SSDLC
    • Reliably release secure software
  • DevSecOps
    • DevOps
Application Security Goals
  • Goals vs Activities
    • Instead of listing activities or buying tools, focus on goals first
  • Goals
    • Achievable
    • Realistic, still aggressive
    • Measure our progress
    • Effectiveness
    • Show value to the business
  • Goal: Inventory
    • A powerful thing
    • Entire organisation benefits from inventory
  • Goal: Finding Vulnerabilities
    • Find Vulnerabilities
      • Running code
      • Written code
      • 3rd party code
    • Ability to quickly release fixes
  • Goal: The Knowledge to Fix What You Have Found
    • Developer Education
    • Supporting Documentation
    • Eliminate bug classes
  • Goal: Effective Tooling
    • Proof of Concept
    • Automate as much as possible
    • Putting the tools into DevOps
    • Scanning each commit
  • Goal: Education and Reference Materials
    • Technical Library
    • Online Trainings
    • Formal Training
    • Lunch & Learns
    • Advocacy Program
    • Security Champions Program
  • Goal: Giving Developers Security Tools
    • Putting the power into the developers' hands
    • Training the devs
    • Supporting the devs
    • Bonus: Writing your own tools, libraries
    • Example: Twitter uses TypeScript, so they might write their own tools and libraries for it
    • Self-service
  • Goal: Security Activities during the SDLC
    • Security activities at each stage of the SDLC
    • Requirements
    • Design - Book 1 hour meeting with the team and do whiteboard exercise
    • Coding
    • Testing
    • Deployment & Maintenance
    • Little activities make a big difference
    • Bonus: Security Sprint
      • The AppSec team reviews the applications, then the developers spend a 2-week sprint fixing the vulnerabilities found.
    • Partnership Model
      • Involve AppSec team members with a development team in their activities for a week or two
  • Goal: Incident Response
    • The IR team should understand AppSec
    • Training the IR team about AppSec
    • Tools to Prevent
    • Tools to Detect
  • Goal: Continuous Improvement
    • Metrics
    • Experimentation
    • Feedback from any and all stakeholders
    • Look for patterns and trends
    • Talk to the dev teams
    • Where can we improve?
    • Is this process working for you?
  • Example Program Goals 1: Measure your current security progress and address fires
    • Scan all of your web apps with a DAST tool
      • Scan 25 apps over 6 months
      • Compile the results
      • Assess your top 3 vulnerabilities
      • Provide a lesson/training on these top 3 vulnerabilities
      • Work with teams to eliminate critical vulnerabilities in the next 3 months
      • Then eliminate all the high vulnerabilities
  • Example Program Goals 2: Getting everyone on the same playing field
    • Create a repeatable and automated process
    • Put all code in the same source code management system
    • Where the AppSec team can run tests on the code
    • Modern code repository
    • Weekly SCA and secret scanning
    • Weekly SAST Scans
    • Automate Ticket Creation
      • Beware of false positives
      • Start with critical, discuss with the teams. Then move to High
    • Penetration Test of 3 mission critical applications
  • Example Program Goals 3: Raise Security awareness & Culture Change
    • Security Champion Program
    • Training on Code review and Threat modelling
    • Work with security champions to threat model each app
    • Security champions to review each PR
    • Secure code training for everyone
    • Assist the security champions
    • Provide Documentation Support
      • Secure coding guidelines
      • Web app security requirements
      • Secure Design discussions
      • Create a best practices documentation
  • Setting Your Goals:
  • AppSec Program Goal #1:
    • Teach developers about your top 3 security vulnerabilities in order to reduce their prevalence in your apps by 75%.
      • Possible supportive activities: start a lunch and learn program and have one event per month, for at least 3 months.
  • AppSec Program Goal #2:
    • Stamp out XSS, completely.
      • Possible supportive activities:
      • Have a deep-dive lunch and learn about XSS
      • Send emails with info
      • Add a test to every pipeline
      • Create unit tests using the XSS Filter Evasion Cheat Sheet from OWASP
  • AppSec Program Goal #3:
    • Implement a SCA program
    • Possible Support Activities:
      • Educate developers about SBOMs and have them create SBOMs for their applications; use an SCA tool that both generates SBOMs and scans them
AppSec Activities - The Basics
  • Interactive Assignment: Assignment #2: AppSec Activities
    • Choosing activities to reach your goals. Below is the list of activities we discussed in class. Which ones will help you reach the goals you identified in the previous chapter? Which ones will help you reach your goals the most quickly? The least expensive? The most reliably? Which ones require the most time or manual toil?
    • Activities for AppSec Program Goal #1
      • Vulnerability (VA) Scans and Assessments
      • Gathering Metrics/ Measurement
      • Developer Education and Advocacy Programs
      • Security Reference Materials (including hardening guides)
      • Targeting an Entire Bug Class
      • Security Regression Testing (with unit tests)
    • Activities for AppSec Program Goal #2
      • Secure Code Reviews (Static Application Security Testing)
      • Secure Coding Library/ Templates
      • Targeting an Entire Bug Class
      • Forcing secure coding with IDE tooling
      • Giving Developers Security Tools
    • Activities for AppSec Program Goal #3
      • Software Composition Analysis (SCA)
      • Gathering Metrics/ Measurement
      • Forcing use of vetted packages by proxying to an internal package management repository
  • What are the different AppSec activities?
    • Strategy and Tactics
      • Strategy is the overall campaign plan (Goals)
      • Tactics are the actual means of gaining an objective (AppSec activities)
  • VA Scans and Security Assessments
    • VA Scans - Just running an automated scan
    • Security Assessments - Talking to people, running multiple tools, security controls
    • There are VA scanners, also known as DAST or “web app scanners” and other names. And then there are vulnerability or security assessments, an engagement with a trained professional who uses multiple tools and manual techniques to try to find all of your vulnerabilities.
  • Threat Modelling
    • A conversation between a security person, a business stakeholder (product owner) and a technical stakeholder (lead, architect)
    • What are the threats to the system?
      • Mitigate
      • Reduce
      • Accept
      • Document
    • What does this app do?
      • What could go wrong?
      • What keeps you up at night?
      • How would you hack your app?
    • STRIDE
    • PASTA
    • Attack Trees
    • Talk with the Stakeholders
    • What risks exist?
    • How to stop them?
    • Document
  • Secure Code Review and SAST
    • Secure code review is Manual process
    • SAST is automated process
    • Run on code you wrote
      • Use secure coding guidelines
      • Peer reviews
  • Software Composition Analysis (SCA)
    • 3rd party components
      • Libraries
      • Packages
      • Frameworks
      • Plugins
  • Penetration Testing
AppSec Activities - Intermediate
  • Developer Education and Advocacy Programs
    • Developer Education
      • Educate them about security
      • Policies to be followed
      • Laws to be followed
      • Secure Design & Architecture
      • Threat modelling
      • Don’t assume they know
  • Advocacy Program
    • Culture change
    • Security can be fun; it is necessary and a part of quality
    • Security is enabler
  • Responsible Disclosure & Bug Bounty
    • Responsible Disclosure
      • Coordinated Disclosure
      • CVE assignment
    • Bug Bounty
      • First run by Netscape in 1995 (see the history lesson above)
      • Only run one once you already have a solid AppSec program
      • Expect "beg bounties" (unsolicited, low-value reports that demand payment)
      • Be professional
      • Think about Triage
      • Fix as much as you can first
  • Helpful Policies, Guidelines and Standards
    • What are the devs doing?
    • Secure coding guidelines
    • Security requirements
    • Guidelines
      • This is how I would like you to do it
    • Standard
      • Enforce
    • Policies
      • High level enforcement
    • Help everyone to do their job securely
    • Be okay with bad feedback
    • Create a guideline/standard for known vulnerabilities
    • Create helpful documentation
  • Giving Developers Security Tools
    • Secrets Scanner
    • SAST
    • Plugs right into their IDE
      • This helps them take ownership
  • Secure Coding Library/ Templates
    • Secure Samples
    • Always ask permission before going into the code repo and doing something
    • Secure code Library with Templates
  • Security Reference Materials
    • Putting campaigns/posters in cafeteria or conference rooms
  • ‘The Partnership Model’
  • Metrics and Measurement
  • Security Regression Testing (with unit tests)
    • Take a copy of unit tests and write security tests
    • Positive unit tests
    • Negative unit tests
  • Capture The Flag and Other Forms of Gamification
    • CTFs
    • Cyber ranges
    • Secure coding challenges
  • Reviewing New Tech
    • Reviewing all new tools, frameworks, components, platforms and other tech that the devs want to use, approving them and/or offering security guidance on using them
  • Adding Security-Related IDE Plugins
    • Package management tools
    • Secure coding tools
  • Adding a shield in front of your app (WAF/RASP)
AppSec Activities - DevOps Flavoured
  • Adding Security Tooling to a Pipeline
    • Practice and Test pipeline
    • The Process
      • Clone their repo/pipeline
      • Add security
      • Needs to be fast and accurate
    • Secrets Scan
  • Asynchronous Pipeline
    • Make your own
  • Red Teaming
    • Blue team - Defends
    • Red team - Offense
    • Purple Team - Offense and Defense
  • Security Sprints
    • Sprints
      • 2 to 4 weeks focused on accomplishing a set of tasks
    • Security sprints
      • Prioritise
  • Asking directly for feedback from Dev & Ops
AppSec Activities - Advanced
  • Team-Specific Customised Security Training
    • Creating training for different areas of IT can get you really great results: faster hand-off of incidents, fewer phishing clicks, and so much more!
    • Make it amusing using memes/jokes
  • Creating Custom Tools
    • Don’t make a custom tool (unless you must)
      • Sometimes there just isn’t a tool on the market that does what you need; this is when you must create your own
    • Advanced Security!
    • Examples
      • DefectDojo (OWASP)
      • Repokid (Netflix)
    • Be Creative
  • Targeting an Entire Bug Class
    • Look for the top 3 vulnerabilities
    • Eliminate them
    • XSS and Security Headers
  • Table Top Exercises
    • Practicing for big events makes sense, so why not practice emergencies?
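Worked example for the "XSS and security headers" bug class: a small checker that inspects a response's security headers, including a real parse of the Content-Security-Policy rather than a presence check. This is an added example for these notes, not code from the course; the two header sets are constructed, and the thresholds (one-year HSTS, no wildcard or bare 'unsafe-inline' in script sources) are common guidance rather than any one tool's rules.

```python
"""Security-header check with a proper CSP parse.

Added example for these notes, not course code. WEAK_HEADERS and
HARDENED_HEADERS are constructed sample responses.
"""


def parse_csp(value: str) -> dict[str, list[str]]:
    """'default-src 'self'; script-src 'self' cdn' -> {'default-src': ["'self'"], ...}"""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def hsts_max_age(value: str):
    """Return max-age from a Strict-Transport-Security value, or None if absent."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None


ONE_YEAR = 31536000


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    policy = {}

    csp = h.get("content-security-policy")
    if csp is None:
        problems.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when it is absent.
        script_src = policy.get("script-src", policy.get("default-src"))
        if script_src is None:
            problems.append("CSP sets neither script-src nor default-src")
        else:
            has_nonce_or_hash = any(
                s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src)
            # Browsers ignore 'unsafe-inline' once a nonce or hash is present
            # (the backwards-compatibility idiom), so it only counts on its own.
            if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
                problems.append("CSP allows inline scripts ('unsafe-inline' without nonce/hash)")
            if "*" in script_src or "data:" in script_src:
                problems.append("CSP script sources include a wildcard or data: URI")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        problems.append("missing Strict-Transport-Security")
    else:
        max_age = hsts_max_age(hsts)
        if max_age is None:
            problems.append("Strict-Transport-Security has no max-age")
        elif max_age < ONE_YEAR:
            problems.append(f"Strict-Transport-Security max-age {max_age} is below one year")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        problems.append("missing X-Content-Type-Options: nosniff")

    # Either header stops framing; CSP frame-ancestors is the modern one.
    if "x-frame-options" not in h and "frame-ancestors" not in policy:
        problems.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    return problems


# Constructed sample responses: a weak one and its hardened counterpart.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                                "object-src 'none'; frame-ancestors 'none'"),
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, check_headers(hdrs) or "OK")
```

Point this at the headers returned by each app in your inventory (a DAST run or a plain HTTP client gives you the dict) and the output is a per-app list you can turn into the "top 3" lesson and the tickets described earlier. The nonce/hash exception matters: a CSP that carries 'unsafe-inline' next to a nonce is fine on modern browsers, and a checker that flags it anyway trains developers to ignore it.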

AppSec Tooling - The Basics
  • Introduction to AppSec Tooling
    • DAST
    • SAST
    • What are you trying to do?
    • Technologies you use
    • Frameworks you use
    • Try before you buy
    • POC
    • Invite Developers and Stakeholders for POC
  • Dynamic Application Security Testing (DAST)
    • Dynamic Application Security Testing tools (DAST) interact with your application as it is running live on a web server.
    • Fuzzer
    • Proxy
    • DAST
    • Who will be using the tool?
  • Static Application Security Testing (SAST)
    • SAST looks at your application’s code. It parses it into tiny pieces and looks for places where security problems may lie
    • Parsing
    • Grepping
    • Symbolic Execution
  • Software Composition Analysis Tools
    • Scans 3rd party code/frameworks/libraries/packages
    • Weekly SCA on codebase
    • Manual Scanning
    • Automated scanning from the pipeline
  • VM & Container VA scanners
    • Scanners that verify the operating system version, patches and configurations of servers, virtual machines and containers are generally called “VA Scanners”
    • Agent based scanners
    • Looks for
      • Missing patches
      • Poor configurations
AppSec Tooling - Intermediate
  • API Tools that Speak Directly to the API
  • Web Application Firewall (WAF)
    • Blocking Rules
    • Alerting Rules
    • A WAF should not be your first line of defense; fix the application and use the WAF as an extra shield
    • ModSecurity (open source WAF engine)
      • OWASP Core Rule Set (CRS)
  • Vulnerability Management
  • Secret Management
  • Secret Scanning
    • Secret scanners combine regexes for known token formats (cloud keys, API tokens, private-key headers) with an entropy check that flags long, random-looking values, to find 'secrets' checked into your code
    • Passwords, keys, licences, etc. are all potential secrets and should never be stored in your code
  • IDE Tools and Hooks
  • Pipeline Tooling
    • Fast and Accurate
    • Configurable and tunable
    • Only check the delta
  • Unit Test Creativity
    • Get a copy of unit tests
      • Write tests that feed attack input (e.g. XSS payloads) and assert the app handles it safely
  • Repository Scanning
    • Another activity we can do is scan code every time it’s pushed to the version control or code repository.
    • Helps developers get important security feedback, earlier in the SDLC
    • SAST
    • SCA
      • No interruptions
      • Reviewed by Security person or champion
    • e.g. GitHub Actions
  • Integrating Your Bug Tracker
  • Package Management Proxies
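An added example (not course code) showing the two secret-scanning techniques from the Secret Scanning notes above side by side: fixed regexes for known token formats, and a Shannon-entropy check on values assigned to secret-looking variable names. The settings file it scans is constructed; the AWS value is the placeholder key from AWS's own documentation, and the other values are made up.

```python
"""Minimal secret scanner: known-format regexes plus an entropy check.

Added example for these notes, not a tool from the course. The patterns,
the threshold and the sample file below are constructed for illustration.
"""
import math
import re
from collections import Counter

# Known token formats. Real scanners ship hundreds of these and keep them current.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Anything assigned to a variable whose name suggests a secret is a candidate
# for the entropy check: the regex finds the candidate, entropy decides.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_.-]*(?:secret|password|passwd|token|api[_-]?key|key))"
    r"\s*[=:]\s*['\"]?(?P<value>[A-Za-z0-9+/=_\-]{16,})"
)
# Obvious placeholders are not secrets even when they look random-ish.
PLACEHOLDER = re.compile(r"(?i)example|changeme|placeholder|xxxx|\$\{")
ENTROPY_THRESHOLD = 3.5  # bits per character; tune against your own false positives


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: 'aaaa' -> 0.0, 32 distinct chars -> 5.0."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_line(line: str, lineno: int) -> list[dict]:
    findings = []
    seen = set()
    for rule, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            seen.add(m.group(0))
            findings.append({"line": lineno, "rule": rule, "match": m.group(0)})
    for m in ASSIGNMENT.finditer(line):
        value = m.group("value")
        if value in seen or PLACEHOLDER.search(value):
            continue  # already reported by a format rule, or a placeholder
        entropy = shannon_entropy(value)
        if entropy >= ENTROPY_THRESHOLD:
            findings.append({"line": lineno, "rule": "high_entropy_assignment",
                             "match": m.group("name"), "entropy": round(entropy, 2)})
    return findings


def scan_text(text: str) -> list[dict]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line, lineno))
    return findings


# Constructed sample "settings.py"; no real credentials. The AWS value is the
# placeholder key AWS uses in its own documentation.
SAMPLE = """\
DEBUG = True
DB_PASSWORD = "passwordpassword"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
STRIPE_API_KEY = "Zq3vN8xL2pR7tK9wB4mH6sD1fG5jY0cA"
SESSION_TOKEN = "${SESSION_TOKEN}"
DEPLOY_KEY = "-----BEGIN RSA PRIVATE KEY-----"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

Run against the sample it reports three lines: the AWS key and the private-key header by format, and the Stripe-style value by entropy (its name is reported, not the value, so the finding itself does not leak the secret). The long but repetitive DB_PASSWORD and the ${SESSION_TOKEN} placeholder are deliberately not flagged; those two cases are where most of the false positives the notes warn about come from, so they are worth keeping in your own test fixture.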
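An added example (not course code) of the security regression tests mentioned under AppSec Program Goal #2, "Security Regression Testing (with unit tests)" and "Unit Test Creativity": a unit-test file that feeds XSS payloads through an output-encoding helper and asserts that the only markup in the rendered HTML is the template's own. `escape_html_text`, `render_comment` and the payload list are assumptions written for this example; the payloads are a small constructed set in the style of the OWASP XSS Filter Evasion Cheat Sheet, and the deliberately weak encoder shows the test catching a regression.

```python
"""Security regression tests for an HTML output-encoding helper.

Added example for these notes, not course code. The helper, the template
and the payload list are assumptions made for this example.
"""
import html
import unittest

# Constructed payloads, one per common injection context (text node, attribute
# breakout, event handler, SVG, title breakout, javascript: URL).
XSS_PAYLOADS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "'onmouseover='alert(1)",
    "<svg/onload=alert(1)>",
    "</title><script>alert(1)</script>",
    '<a href="javascript:alert(1)">x</a>',
]


def escape_html_text(value: str) -> str:
    """Encode untrusted input for an HTML text node or quoted attribute (assumed helper)."""
    return html.escape(value, quote=True)


def escape_html_text_weak(value: str) -> str:
    """The 'before' version: encodes angle brackets only, so quotes break out of attributes."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def render_comment(author: str, body: str, encoder=escape_html_text) -> str:
    """Assumed template: author lands in an attribute, body in a text node."""
    return f'<div class="comment" data-author="{encoder(author)}">{encoder(body)}</div>'


def has_only_template_markup(rendered: str) -> bool:
    """True when the only brackets and quotes in the output are the template's own
    (two tags, four double quotes, no single quotes)."""
    return (rendered.count("<") == 2 and rendered.count(">") == 2
            and rendered.count('"') == 4 and "'" not in rendered)


class XssRegressionTests(unittest.TestCase):
    def test_payloads_are_neutralised(self):
        # Negative tests: every payload, in both contexts, must come out inert.
        for payload in XSS_PAYLOADS:
            with self.subTest(payload=payload):
                self.assertTrue(has_only_template_markup(render_comment(payload, payload)))

    def test_benign_input_round_trips(self):
        # Positive test: encoding must not mangle ordinary text.
        rendered = render_comment("Tom & Jerry", "1 < 2")
        self.assertIn("Tom &amp; Jerry", rendered)
        self.assertEqual(html.unescape("1 &lt; 2"), "1 < 2")

    def test_weak_encoder_is_caught(self):
        # Demonstrates the regression test doing its job against the old encoder.
        broken = render_comment(XSS_PAYLOADS[1], "hi", encoder=escape_html_text_weak)
        self.assertFalse(has_only_template_markup(broken))


if __name__ == "__main__":
    unittest.main()
```

The assertion is deliberately structural (count the template's own brackets and quotes) rather than a blocklist of payload strings, so a new evasion from the cheat sheet can be dropped into XSS_PAYLOADS without touching the test logic. Running this in every pipeline is what "add a test to every pipeline" under Goal #2 looks like in practice.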
AppSec Tooling - Modern Twist
  • Interactive Application Security Testing (IAST)
    • Uses a mix of static and dynamic analysis, to find bugs as you use your app.
    • Invented by Contrast Security
    • IAST cannot find bugs when your application is not in use, and will not find bugs in the parts of your applications that are not called/accessed
    • Running IAST while you are performing a penetration test, a security assessment, automated or manual testing or quality assurance are the best ways to get the most value from this kind of tool
  • Runtime Application Self-Protection (RASP)
    • Protects the app at run time, from inside the process
    • Runtime Application Self-Protection is a type of shield for your app
    • Installed within your application as an agent/binary and requires 'instrumentation' for it to work properly.
    • Your application must also be written in a supported language and framework in order to get full value from this tool
    • Usually installed only on production
  • Service Mesh
    • This tool does not require code changes; it is installed as a layer of infrastructure (typically sidecar proxies next to each service)
    • A service mesh manages communication between all of your services/APIs so it is fast, efficient and reliable, and it can enforce mutual TLS so that traffic between services is encrypted and authenticated
  • API Gateway
    • An API Gateway is used to protect your APIs from abuse, over-use and other mishandling.
    • Rate limitation
    • Resource Quotas
    • Authentication & Authorization
    • Caching
    • Data validation
    • Analytics
    • Additional Layer of defense
  • Application and Web Asset Inventory
    • You can’t protect what you don’t know
    • SBOM
    • Helps incident responders
  • SIEM + App integration
AppSec Adjacent Tooling
  • Cloud Native
    • Cloud native are applications created only to work in the cloud (not on-prem/in your own data center)
    • Some cloud native tools are only compatible with one or two public clouds, while some are interoperable (able to work properly) with any public cloud or vendor
  • Application Control Tooling
    • Application Control Tooling allows software on the ‘approved list’ to run on servers, and blocks everything else
    • Note: This type of software is sometimes called 'Application Whitelisting' (or, more recently, 'allowlisting')
    • Application Control vs Application Whitelisting
  • File Integrity Monitoring
    • File Integrity Monitoring compares system files and binaries against a known-good baseline (typically by hash) and alerts when they change unexpectedly, so tampering by malicious actors and/or software is detected
  • Updating Your Goals
    • Goal #:
    • Description/name of goal:
      1. What are you going to accomplish? Be extremely specific.
      2. Which application(s), systems or networks? Name them.
      3. When will you aim to achieve this goal? Are there steps you can list or a timeline you can provide?
      4. Why did you select this goal? What value will it bring to your org?
      5. Are you being realistic? Is the cost of this goal going to provide significantly more value to your org? Management will really want to know the answer to this, be ready.
      6. What AppSec activities will help you achieve this goal?
      7. What Tools will you use to help you achieve this goal?
Conclusion