Application Security Foundations Level 1

My notes from Application Security Foundations Level 1 by the WeHackPurple Community

About this Course

History Lesson
- 1995 - 1st bug bounty program by Netscape
- 1996 - Smashing the stack for fun and profit on buffer overflow attacks
- 2001 - OWASP was founded
- 2006 - Microsoft book on SSLDc
- 2008 - Verizon breach report
- Insecure software
- 2020 - Alice & Bob application security release
- Tech Support - community@wehackpurple.com
Definitions
- What is AppSec?
- Secure Code review
- Pentesting
- SCA
Application Security Program
- Formalised Steps
- Adding Security tools
- Creating Security requirements
- Enforcing SSDLC
- Reliably release secure software
DevSecOps
- DevOps

Application Security Goals

Goals vs Activities
- *Instead of listing activities, buying tools focus more on goals
Goals
- Achievable
- Realistic, still aggressive
- Measure our progress
- Effectiveness
- Show value to the business
Goal: Inventory
- A powerful thing
- Entire organisation benefits from inventory
Goal: Finding Vulnerabilities
- Find Vulnerabilities
  - Running code
  - Written code
  - 3rd party code
- Ability to quickly release fixes
Goal: The Knowledge to Fix What You Have Found
- Developer Education
- Supporting Documentation
- Eliminate bug classes
Goal: Effective Tooling
- Proof of Concept
- Automate as much as possible
- Putting the tools into DevOps
- Scanning each commit
Goal: Education and Reference Materials
- Technical Library
- Online Trainings
- Formal Training
- Lunch & Learns
- Advocacy Program
- Security Champions Program
Goal: Giving Developers Security Tools
- Putting the power into the developer hands
- Training the devs
- Supporting the devs
- Bonus: Writing your own tools, libraries
- Example: Twitter uses typescript, they might have written their own tools, libraries
- Self-service
Goal: Security Activities during the SDLC
- Security activities at each stage of the SDLC
- Requirements
- Design - Book 1 hour meeting with the team and do whiteboard exercise
- Coding
- Testing
- Deployment & Maintenance
- Little activities make a big difference
- Bonus: Security Sprint
  - Have a security team, get the appsec team to review the applications and 2 weeks of developers to fix those vulnerabilities.
- Partnership Model
  - Involve AppSec team members with a development team in their activities for a week or two
Goal: Incident Response
- IR team understand AppSec
- Training the IR team about AppSec
- Tools to Prevent
- Tools to Detect
Goal: Continuous Improvement
- Metrics
- Experimentation
- Feedback from any and all stakeholders
- Look for patterns and trends
- Talk to the dev teams
- Where can we improve?
- Is this process working for you?
Example Program Goals 1: Measure your current security progress and address fires
- Scan all of you web apps with DAST tool
  - Scan 25 apps over 6 months
  - Compile the results
  - Access your top 3 vulnerabilities
  - Provide a lesson/training on these top 3 vulnerabilities
  - Work with teams to eliminate critical vulnerabilities in the next 3 months
  - Eliminate all the high vulnerabilities next
Example Program Goals 2: Getting everyone on the same plain field
- Create repeatable and automated process
- Put the code in the same source code management
- Where AppSec team can run tests on the code
- Modern Code repository
- Weekly SCA and secret scanning
- Weekly SAST Scans
- Automate Ticket Creation
  - Beware of false positives
  - Start with critical, discuss with the teams. Then move to High
- Penetration Test of 3 mission critical applications
Example Program Goals 3: Raise Security awareness & Culture Change
- Security Champion Program
- Training on Code review and Threat modelling
- Work with security champions to threat model each apps
- Security champions to review each PR
- Secure code training for everyone
- Assist the security champions
- Provide Documentation Support
  - Secure coding guidelines
  - Web app security requirements
  - Secure Design discussions
  - Create a best practices documentation
Setting Your Goals:
AppSec Program Goal #1:
- Teach developers about your top 3 security vulnerabilities in order to reduce their prevalence in your apps by 75%.
  - Possible supportive activities: * start a lunch and learn program and have one event per month, for at least 3 months.
AppSec Program Goal #2:
- Stamp out XSS, completely.
  - Possible supportive activities:
  - have a deep dive lunch and learn about xss
  - send emails with info
  - add a test to every pipeline
  - reate unit tests using the XSS Filter Evasion Cheat Sheet from OWASP
AppSec Program Goal #3:
- Implement a SCA program
- Possible Support Activities:
  - Educate Developers about SBOM and have them create SBOMs for their applications, use a SCA tool which creates SBOMs and also does SCA

AppSec Activities - The Basics

Interactive Assignment: Assignment #2: AppSec Activities
- Choosing activities to reach your goals. Below is the list of activities we discussed in class. Which ones will help you reach the goals you identified in the previous chapter? Which ones will help you reach your goals the most quickly? The least expensive? The most reliably? Which ones require the most time or manual toil?
- Activities for AppSec Program Goal #1
  - Vulnerability (VA) Scans and Assessments
  - Gathering Metrics/ Measurement
  - Developer Education and Advocacy Programs
  - Security Reference Materials (including hardening guides)
  - Targeting an Entire Bug Classes
  - Security Regression Testing (with unit tests)
- Activities for AppSec Program Goal #2
  - Secure Code Reviews (Static Application Security Testing)
  - Secure Coding Library/ Templates
  - Targeting an Entire Bug Classes
  - Forcing secure coding with IDE tooling
  - Giving Developers Security Tools
- Activities for AppSec Program Goal #3
  - Software Composition Analysis (SCA)
  - Gathering Metrics/ Measurement
  - Forcing use of secure packages with proxying to secure package management tools
What are the different AppSec activities?
- Strategy and Tactics
  - Strategy is the overall campaign plan (Goals)
  - Tactics actual means to gain an objective ( AppSec activities)
VA Scans and Security Assessments
- VA Scans - Just running an automated scan
- Security Assessments - Talking to people, running multiple tools, security controls
- There are VA scanners, also known as DAST or “web app scanners” and other names. And then there are vulnerability or security assessments, an engagement with a trained professional who uses multiple tools and manual techniques to try to find all of your vulnerabilities.
Threat Modelling
- Conversation between a security person, stakeholder product owner, Technical Stakeholder(Lead,Architect)
- What are the threats to the system?
  - Mitigate
  - Reduce
  - Accept
  - Document
- What does this app do?
  - What could go wrong?
  - What keeps you up at night?
  - How would you hack your app?
- STRIDE
- PASTA
- Attack Trees
- Talk with the Stakeholders
- What risks exist?
- How to stop them?
- Document
Secure Code Review and SAST
- Secure code review is Manual process
- SAST is automated process
- Run on code you wrote
  - Use secure coding guidelines
  - Peer reviews
Software Composition Analysis (SCA)
- 3rd party components
  - Libraries
  - Packages
  - Frameworks
  - Plugins
Penetration Testing

AppSec Activities - Intermediate

Developer Education and Advocacy Programs
- Developer Education
  - Educate them about security
  - Policies to be followed
  - Laws to be followed
  - Secure Design & Architecture
  - Threat modelling
  - Don’t assume they know
Advocacy Program
- Culture change
- Security is more fun, necessary, a part of quality
- Security is enabler
Responsible Disclosure & Bug Bounty
- Responsible Disclosure
  - Coordinated Disclosure
  - CVE assignment
- Bug Bounty
  - Started by Microsoft
  - Run only if you have a good appsec program
  - Beg bounties
  - Be professional
  - Think about Triage
  - Fix as much as you can first
Helpful Policies, Guidelines and Standards
- What are the devs doing?
- Secure coding guidelines
- Security requirements
- Guidelines
  - This is how i would like you to do it
- Standard
  - Enforce
- Policies
  - High level enforcement
- Help everyone to do their job securely
- Be okay with bad feedback
- Create guideline/standard for know vulnerabilities
- Create helpful documentation
Giving Developers Security Tools
- Secrets Scanner
- SAST
- Plugs right into their IDE
  - This will them to take the ownership
Secure Coding Library/ Templates
- Secure Samples
- Always ask permission before going into the code repo and doing something
- Secure code Library with Templates
Security Reference Materials
- Putting campaigns/posters in cafeteria or conference rooms
‘The Partnership Model’
- The Partnership Model’, the idea of pairing a security professional with each new software project. They follow the entire project, finding all of the security answers
- Start security as early as you can
- Get feedbacks
- Scaling Appsec at Netflix
- Scaling Appsec at Netflix (Part 2)](https://netflixtechblog.com/scaling-appsec-at-netflix-part-2-c9e0f1488bc5)
Metrics and Measurement
- Gathering metrics and improve the program
  - Examples 1:
    - After incident
    - Incident report
    - Post mortem report
    - Use Data
    - Tanya Janca - Security Metrics That Matter
Security Regression Testing (with unit tests)
- Take a copy of unit tests and write security tests
- Positive unit tests
- Negative unit tests
Capture The Flag and Other Forms of Gamification
- CTFs
- Cyber ranges
- Secure coding challenges
Reviewing New Tech
- Reviewing all new tools, frameworks, components, platforms, and other tech that the devs want to approve and/or offer security guidance on using them
Adding Security-Related IDE Plugins
- Package management tools
- Secure coding tools
Adding a shield in front of your app (WAF/RASP)

AppSec Activities - DevOps Flavoured

Adding Security Tooling to a Pipeline
- Practice and Test pipeline
- The Process
  - Clone their repo/pipeline
  - Add security
  - Needs to Fast and Accurate
- Secrets Scan
Asynchronous Pipeline
- Make your own
Red Teaming**
- Blue team - Defends
- Red team - Offense
- Purple Team - Offense and Defense
Security Sprints
- Sprints
  - 2-3-4 weeks focused on accomplishing some tasks
- Security sprints
  - Prioritise
Asking directly for feedback from Dev & Ops

AppSec Activities - Advanced

Team-Specific Customised Security Training
- Creating training for different areas of IT can get you really great results; faster pass off of incidents, less phishing clicks, and so much more!
- Make it amusing using memes/jokes
Creating Custom Tools
- Don’t make a custom tool (unless you must)
  - Sometimes there just isn’t a tool on the market that does what you need; this is when you must create your own
- Advanced Security!
- Examples
  - Defect Dojo
  - Repo Kid
- Be Creative
Targeting an Entire Bug Class
- Look for the top 3 vulnerabilities
- Eliminate them
- XSS and Security Headers
Table Top Exercises
- Practicing for big events make sense, so why not practice emergencies?

AppSec Tooling - The Basics

Introduction to AppSec Tooling
- DAST
- SAST
- What are you trying to do?
- echnologies you use?
- Frameworks you use
- Try before you buy
- POC
- Invite Developers and Stakeholders for POC
Dynamic Application Security Testing (DAST)
- Dynamic Application Security Testing tools (DAST) interact with your application as it is running live on a web server.
- Fuzzer
- Proxy
- DAST
- Who will be using the tool?
Static Application Security Testing (SAST)
- SAST looks at your application’s code. It parses it into tiny pieces and looks for places where security problems may lie
- Parsing
- Grepping
- Symbolic Execution
Software Composition Analysis Tools
- Scans 3rd party code/frameworks/libraries/packages
- Weekly SCA on codebase
- Manual Scanning
- Automated scanning from the pipeline
VM & Container VA scanners
- Scanners that verify the operating system version, patches and configurations of servers, virtual machines and containers are generally called “VA Scanners”
- Agent based scanners
- Looks for
  - Missing patches
  - Poor configurations

AppSec Tooling - Intermediate

API Tools that Speak Directly to the API
Web Application Firewall (WAF)
- Blocking Rules
- Alerting Rules
- WAF should not be a first line of defense
- ModSecurity by OWASP
  - Coreruleset
Vulnerability Management
Secret Management
Secret Scanning
- Secret scanners use regex (regular expressions) to search for long, random values (lots of entropy) to see if a ‘secret’ is in your code
- Passwords, keys, licenses, etc, at all potential secrets, which should not be stored in your code
IDE Tools and Hooks
Pipeline Tooling
- Fast and Accurate
- Configurable and tuning
- Only check the delta
Unit Test Creativity
- Get a copy of unit tests
  - Fail gracefully for vulnerabilities like XSS
Repository Scanning
- Another activity we can do is scan code every time it’s pushed to the version control or code repository.
- Helps developers get important security feedback, earlier in the SDLC
- SAST
- SCA
  - No interruptions
  - Reviewed by Security person or champion
- Use GitHub actions
Integrating Your Bug Tracker
Package Management Proxies

AppSec Tooling - Modern Twist

Interactive Application Security Testing (IAST)
- Interactive Application Security Testing (IAST)
- Uses a mix of static and dynamic analysis, to find bugs as you use your app.
- Invented by Contrast security
- IAST cannot find bugs when your application is not in use, and will not find bugs in the parts of your applications that are not called/accessed
- Running IAST while you are performing a penetration test, a security assessment, automated or manual testing or quality assurance are the best ways to get the most value from this kind of tool
Runtime Application Security Protection (RASP)
- Scans during run time
- Runtime Application Security Protection is a type of shield for your app
- Installed within your application as a binary and requires ‘instrumentation’ for it to work properly.
- Your application must also be written in a supported language and framework in order to get full value from this tool
- Usually installed only on production
Service Mesh
- This tool does not require code changes, it is installed as a layer of infrastructure
- Service mesh manages communications for all of your APIs, so they are fast, efficient and reliable. Plus, it’s encrypted!
API Gateway
- An API Gateway is used to protect your APIs from abuse, over-use and other mishandling.
- Rate limitation
- Resource Quotas
- Authentication & Authorization
- Caching
- Data validation
- Analytics
- Additional Layer of defense
Application and Web Asset Inventory
- You can’t protect what you don’t know
- SBOM
- Helps incident responders
SIEM + App integration

AppSec Adjacent Tooling

Cloud Native
- Cloud native are applications created only to work in the cloud (not on-prem/in your own data center)
- Some cloud native tools are only compatible with one or two public clouds, while some are interoperable (able to work properly) with any public cloud or vendor
Application Control Tooling
- Application Control Tooling allows software on the ‘approved list’ to run on servers, and blocks everything else
- Note: This type of software is sometimes called ‘Application Whitelisting’
- Application Control vs Application Whitelisting
File Integrity Monitoring
- File Integrity Monitoring ensures that no system software can be changed by malicious actors and/or software
Updating Your Goals
- Goal #:
- Description/name of goal:
  1. What are you going to accomplish? Be extremely specific?
  2. Which application(s), systems or networks? Name them?
  3. When will you aim to achieve this goal? Are there steps you can list or a timeline you can provide?
  4. Why did you select this goal? What value will it bring to your org?
  5. Are you being realistic? Is the cost of this goal going to provide significantly more value to your org? Management will really want to know the answer to this, be ready.
  6. What AppSec activities will help you achieve this goal?
  7. What Tools will you use to help you achieve this goal?

Conclusion

Resources