pushing left like a boss
play

Pushing Left, Like a Boss Application Security Foundations Tanya - PowerPoint PPT Presentation

Jun 22, 2023 •114 likes •434 views

Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org OWASP Ottawa Chapter Leader OWASP DevSlop Project Leader @sheHacksPurple About Me Who am I? Im Tanya Janca; Application security evangelist, web

  1. Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org OWASP Ottawa Chapter Leader OWASP DevSlop Project Leader @sheHacksPurple

  3. About Me Who am I? I’m Tanya Janca; Application security evangelist, web application penetration tester and vulnerability assessor, trainer, public speaker, ethical hacker, OWASP Ottawa chapter leader, OWASP DevSlop project leader, effective altruist, software developer since the late 90’s. I have been paid to be geeky for over 20 years! I want software to be more secure so that I can use the internet safely. Seriously.

  4. The current state: Everyone is “getting hacked”

  5. The current state: We looking the wrong way.

  6. What is “AppSec”? In plain English

  7. The current state: Penetration Testing

  8. The current state: CIA

  9. About Me

  10. Pushing Left, Like a Boss!

  11. An AppSec Program: The Main Course

  12. An AppSec Program: The Main Course • Vulnerability (VA) Scans and Assessments • Threat Modeling • Secure Code Reviews (Static Code Analysis) • Penetration Tests (PenTests) • This applies to both Custom Apps and COTS

  13. An AppSec Program: The Gravy

  14. An AppSec Program: The Gravy • Educating Developers on Secure Coding Practices with workshops, talks, lessons • Secure Coding Standards • Responsible/Coordinated Disclosure • Secure code library and other reference materials

  15. An AppSec Program: Dessert!

  16. An AppSec Program: Dessert! • Bug Bounty Programs • Capture The Flag (CTF) contests • Red Team Exercises

  17. The big question …

  18. YOU pushing left: testing your code

  19. YOU pushing left: testing your code • Most people use a web proxy security scanner to test their web applications • It sits between your browser and the internet • It will automate tests for you, tell you what to fix, and, if it's a good one, HOW to fix the issues • There are paid and free options available • Don't use a scanner on an app you don't have permission to test, it's illegal

  20. YOU pushing left: testing your code -CAUTION

  21. YOU pushing left: testing your code -CAUTION • Ensure you have permission from your boss before you start, there may be policies against it (ask the security team too!) • Be considerate, scanners can hog resources • Be careful, scanners can be destructive • Back up your data before hand • This is an activity that requires some learning before you can start, to ensure you don't cause any damage or tick anyone off •

  22. YOU Pushing Left: Threat Modelling

  23. YOU Pushing Left: Threat Modelling • Figuring out negative use cases, and ways to defend against them • Basically a brainstorming session with programmers and security to figure out how someone may try to abuse your app • Search you code for these threats • Thinking like an adversary can not only uncover potential issues, it can be fun and educational.

  24. YOU Pushing Left: Reviewing your code

  25. YOU Pushing Left: Reviewing your code • Most people use a static code analyzer, but this can also be done manually • Search for your threat models • Even the most expensive tool produces many false positives, the 'work' in this exercise is figuring out what is a real issue and what is not • OWASP Dependancy check • You can find more than just security bugs

  26. YOU Pushing Left: Writing better code

  27. YOU Pushing Left: Writing better code • Train yourself on secure coding practices • There are tons of quality online resources, free and paid, as well as courses and conferences • Check online for the best and most secure way to do things, before you start coding • Become the security expert on your dev team, and help the rest of your team learn

  28. OWASP: Your new BFF

  29. Open Web Application Security Project

  30. ANY QUESTION S? Tanya Janca Tanya.Janca@owasp.org OWASP Ottawa Chapter Leader OWASP DevSlop Project Leader @SheHacksPurple

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Being Your Own Boss need. Ill cover how to find work and how to work a project in a way that

Being Your Own Boss need. Ill cover how to find work and how to work a project in a way that

- Lisa 96 Notes - BEING YOUR OWN BOSS - Behind the myths and fears of consultingBeing Your Own Boss - Lisa 96 BEING YOUR OWN BOSS - Behind the myths and fears of consulting Im here to give you an understanding of what its like to be

275 views • 11 slides
Deploy Like A Boss Oliver Nicholas DEPLOY LIKE A BOSS THE JOURNEY FROM 2 SERVERS TO 20,000 THE

Deploy Like A Boss Oliver Nicholas DEPLOY LIKE A BOSS THE JOURNEY FROM 2 SERVERS TO 20,000 THE

Deploy Like A Boss Oliver Nicholas DEPLOY LIKE A BOSS THE JOURNEY FROM 2 SERVERS TO 20,000 THE DEPLOYMENT PIPELINE SECTION LOREM IPSUM DOLOR MARCH 1, 2015 3 UBER KEYNOTE TEMPLATE UBER TECHNOLOGIES, INC BUSINESS METRICS 311 Cities

1.11k views • 32 slides
BOSS Chemicals Company and Product Overview Agenda/Topics To Be Covered Who We Are Who

BOSS Chemicals Company and Product Overview Agenda/Topics To Be Covered Who We Are Who

BOSS Chemicals Company and Product Overview Agenda/Topics To Be Covered Who We Are Who have we worked with? BOSS-155 BOSS-155 Comparative Data BOSS-155 Comparative Data, p2 BOSS-155 Comparative Data, p3 BOSS

299 views • 19 slides
Lya emission from z=2-3 galaxies in SDSS/BOSS Rupert Croft + Other members of SDSS III/BOSS Ly

Lya emission from z=2-3 galaxies in SDSS/BOSS Rupert Croft + Other members of SDSS III/BOSS Ly

Lya emission from z=2-3 galaxies in SDSS/BOSS Rupert Croft + Other members of SDSS III/BOSS Ly working group: Talk plan: (1) Intro: Lya emission in the high-z universe -Lya emitting galaxies (Lya emitters) -Lya emission from IGM

507 views • 31 slides
Headteacher Briefings Spring Term 2016-17 The Ladder of Intervention Strategy into Practice

Headteacher Briefings Spring Term 2016-17 The Ladder of Intervention Strategy into Practice

Headteacher Briefings Spring Term 2016-17 The Ladder of Intervention Strategy into Practice BOSS and LTLC Updates Impact on Rate of Permanent Exclusion BOSS Update Caroline Lambert, Service Manager Kevin Jeffery, Education Consultant BOSS

1.3k views • 117 slides
Who s the Boss of You? s the Boss of You? Who By By Jeff, Marisol, Chatrian, and Buddy

Who s the Boss of You? s the Boss of You? Who By By Jeff, Marisol, Chatrian, and Buddy

Who s the Boss of You? s the Boss of You? Who By By Jeff, Marisol, Chatrian, and Buddy Jeff, Marisol, Chatrian, and Buddy Who s the Boss of You? s the Boss of You? Who Kids these days have lots of Kids these days have lots

249 views • 11 slides
BOSS OSS GP P SE SERI RIES 2017 S Seaso ason Europes fastest FIA Racing Series The The

BOSS OSS GP P SE SERI RIES 2017 S Seaso ason Europes fastest FIA Racing Series The The

BOSS OSS GP P SE SERI RIES 2017 S Seaso ason Europes fastest FIA Racing Series The The Se Series The abbreviation BOSS stands for Big Open Single Seaters, which means that all race cars from former Formula 1 to GP2, IndyCar, World

357 views • 17 slides
AW Left Cervical Radiculopathy Presentation World class swimmer with left scapular pain

AW Left Cervical Radiculopathy Presentation World class swimmer with left scapular pain

AW Left Cervical Radiculopathy Presentation World class swimmer with left scapular pain radiating into long finger. 3/5 left Triceps and 4/5 left grip. Unable to train due to pain and weakness. Initial X-rays 5-6 6-7 Options? 5-6

499 views • 26 slides
3D for the public viewers Binocular (perceivable with 2 eyes) Left Right Left eye How to

3D for the public viewers Binocular (perceivable with 2 eyes) Left Right Left eye How to

3D for the public viewers Binocular (perceivable with 2 eyes) Left Right Left eye How to direct Optical the left and right images to Splitter Right eye the correct eye? Anaglyph Blue filter Red filter Transmission 475nm 650nm

738 views • 34 slides
Semigroups of Left I-quotients Nassraddin Ghroda May 11, 2010 Semigroups of Left I-quotients

Semigroups of Left I-quotients Nassraddin Ghroda May 11, 2010 Semigroups of Left I-quotients

Semigroups of Left I-quotients Semigroups of Left I-quotients Nassraddin Ghroda May 11, 2010 Semigroups of Left I-quotients Outline Background 1 Inverse hull of left I-quotients of left ample semigroups 2 Extension of homomorphisms 3

794 views • 44 slides
#prep X Assembly 02: Left Fan In this guide, we attach Left filament fan to the X carriage.

#prep X Assembly 02: Left Fan In this guide, we attach Left filament fan to the X carriage.

#prep X Assembly 02: Left Fan In this guide, we attach Left filament fan to the X carriage. _________________________________________________________________ Left Filament Fan You'll need: Green left filament fan shroud Pink left filament fan

428 views • 6 slides
Pushing the limits: Climate and Range Distribution of Two Forest Pests *****Colloque prsent en

Pushing the limits: Climate and Range Distribution of Two Forest Pests *****Colloque prsent en

1 Pushing the limits: Climate and Range Distribution of Two Forest Pests *****Colloque prsent en anglais***** Kishan Sambaraju, chercheur scientifique Modlisation des pidmiologies RNCan-SCF-CFL 2 Pushing the limits: Climate and range

1.16k views • 50 slides
1 2 So who died and appointed me boss? What do I even know? I dont have a certification. I

1 2 So who died and appointed me boss? What do I even know? I dont have a certification. I

1 2 So who died and appointed me boss? What do I even know? I dont have a certification. I dont habitually use assistive technology to access the web. My job description doesnt include anything about accessibility, but Im the one

622 views • 47 slides
Eliminating left recursion (informally) Direct left rec. For each A -> A 1 | ... | A

Eliminating left recursion (informally) Direct left rec. For each A -> A 1 | ... | A

Eliminating left recursion (informally) Direct left rec. For each A -> A 1 | ... | A n | 1 | ... | n Rewrite: A -> 1A' | ... | n A' Introduce: A' -> 1A' | ... | nA' | Indirect left rec. A

555 views • 12 slides
Pushing the Limits of Kernel Networking Networking Services Team, Red Hat Alexander Duyck August

Pushing the Limits of Kernel Networking Networking Services Team, Red Hat Alexander Duyck August

Pushing the Limits of Kernel Networking Networking Services Team, Red Hat Alexander Duyck August 19 th , 2015 1 Pushing the Limits of Kernel Networking Agenda Identifying the Limits Memory Locality Effect Death by Interrupts

454 views • 18 slides
DFSS, & QFD / House of Quality By Group 4 Our example: Your boss comes up to you and says

DFSS, & QFD / House of Quality By Group 4 Our example: Your boss comes up to you and says

DFSS, & QFD / House of Quality By Group 4 Our example: Your boss comes up to you and says that he needs a new kind of rebar that is more durable than the kind the company currently produces Following the design for six sigma (DMADV)

708 views • 17 slides
A MySQL Perspective John Scott Mailchimp What is Mailchimps secret sauce? Hint: Its not

A MySQL Perspective John Scott Mailchimp What is Mailchimps secret sauce? Hint: Its not

Mailchimp Scale: A MySQL Perspective John Scott Mailchimp What is Mailchimps secret sauce? Hint: Its not much of a secret. 2 Focus on the small business Empowering the Underdog 3 We give marketers production-ready

940 views • 82 slides
Globalization of Service ShinMing Guo NKFUST Domestic Growth & Expansion

Globalization of Service ShinMing Guo NKFUST Domestic Growth & Expansion

Globalization of Service ShinMing Guo NKFUST Domestic Growth & Expansion Franchising International Strategies Planning International Operations Is Globalization Good? Yum! Brands, Inc. Owns KFC, Pizza

165 views • 12 slides
2018 Wahhshon Shiann Whitebean Sh Shewalksabout. t.com I made a digital clearing in

2018 Wahhshon Shiann Whitebean Sh Shewalksabout. t.com I made a digital clearing in

2018 Wahhshon Shiann Whitebean Sh Shewalksabout. t.com I made a digital clearing in the woods and it is bursting with life and purpose! 2018 Wahhshon Shiann Whitebean Rotinonhsin:ni life embodies not just the past,

788 views • 10 slides
Improving Scalability of Xen: the 3,000 domains experiment Wei Liu <wei.liu2@citrix.com>

Improving Scalability of Xen: the 3,000 domains experiment Wei Liu <wei.liu2@citrix.com>

Improving Scalability of Xen: the 3,000 domains experiment Wei Liu <wei.liu2@citrix.com> Xen: the gears of the cloud large user base estimated more than 10 million individuals users power the largest clouds in production

708 views • 34 slides
Beyond SM and Heavy Flavor Physics Results from Tevatron Introduction Collider experiments

Beyond SM and Heavy Flavor Physics Results from Tevatron Introduction Collider experiments

Beyond SM and Heavy Flavor Physics Results from Tevatron Introduction Collider experiments support a synergy between exotics searches and heavy flavor physics in their quest for physics Beyond Standard Model. Exotics searches exploit

591 views • 38 slides
Market Imperfections (Welch, Chapter 11) Ivo Welch UCLA Anderson School, Corporate Finance,

Market Imperfections (Welch, Chapter 11) Ivo Welch UCLA Anderson School, Corporate Finance,

Market Imperfections (Welch, Chapter 11) Ivo Welch UCLA Anderson School, Corporate Finance, Winter 2017 February 6, 2018 Did you bring your calculator? Did you read these notes and the chapter ahead of time? 1/1 Maintained Assumptions In

900 views • 56 slides
Diving Deeper: How to intervene in infrastructure projects February 6, 2017 Agenda How to

Diving Deeper: How to intervene in infrastructure projects February 6, 2017 Agenda How to

Diving Deeper: How to intervene in infrastructure projects February 6, 2017 Agenda How to intervene in P3 deals Understanding existing financial obligations and financing schemes Advocating for community benefits Resources

448 views • 29 slides
Dataflow: The Road Less Complex Steven Swanson Andrew Schwerin Ken Michelson Mark Oskin

Dataflow: The Road Less Complex Steven Swanson Andrew Schwerin Ken Michelson Mark Oskin

Dataflow: The Road Less Complex Steven Swanson Andrew Schwerin Ken Michelson Mark Oskin University of Washington Sponsored by NSF and Intel Things to keep you up at night (~2016) Opportunities 8 billion transistors; 28Ghz One

909 views • 23 slides

More recommend