pushing left like a boss
play

Pushing Left, Like a Boss Application Security Foundations Tanya - PowerPoint PPT Presentation

Jun 22, 2023 •114 likes •434 views

Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org OWASP Ottawa Chapter Leader OWASP DevSlop Project Leader @sheHacksPurple About Me Who am I? Im Tanya Janca; Application security evangelist, web

  1. Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org OWASP Ottawa Chapter Leader OWASP DevSlop Project Leader @sheHacksPurple

  3. About Me Who am I? I’m Tanya Janca; Application security evangelist, web application penetration tester and vulnerability assessor, trainer, public speaker, ethical hacker, OWASP Ottawa chapter leader, OWASP DevSlop project leader, effective altruist, software developer since the late 90’s. I have been paid to be geeky for over 20 years! I want software to be more secure so that I can use the internet safely. Seriously.

  4. The current state: Everyone is “getting hacked”

  5. The current state: We looking the wrong way.

  6. What is “AppSec”? In plain English

  7. The current state: Penetration Testing

  8. The current state: CIA

  9. About Me

  10. Pushing Left, Like a Boss!

  11. An AppSec Program: The Main Course

  12. An AppSec Program: The Main Course • Vulnerability (VA) Scans and Assessments • Threat Modeling • Secure Code Reviews (Static Code Analysis) • Penetration Tests (PenTests) • This applies to both Custom Apps and COTS

  13. An AppSec Program: The Gravy

  14. An AppSec Program: The Gravy • Educating Developers on Secure Coding Practices with workshops, talks, lessons • Secure Coding Standards • Responsible/Coordinated Disclosure • Secure code library and other reference materials

  15. An AppSec Program: Dessert!

  16. An AppSec Program: Dessert! • Bug Bounty Programs • Capture The Flag (CTF) contests • Red Team Exercises

  17. The big question …

  18. YOU pushing left: testing your code

  19. YOU pushing left: testing your code • Most people use a web proxy security scanner to test their web applications • It sits between your browser and the internet • It will automate tests for you, tell you what to fix, and, if it's a good one, HOW to fix the issues • There are paid and free options available • Don't use a scanner on an app you don't have permission to test, it's illegal

  20. YOU pushing left: testing your code -CAUTION

  21. YOU pushing left: testing your code -CAUTION • Ensure you have permission from your boss before you start, there may be policies against it (ask the security team too!) • Be considerate, scanners can hog resources • Be careful, scanners can be destructive • Back up your data before hand • This is an activity that requires some learning before you can start, to ensure you don't cause any damage or tick anyone off •

  22. YOU Pushing Left: Threat Modelling

  23. YOU Pushing Left: Threat Modelling • Figuring out negative use cases, and ways to defend against them • Basically a brainstorming session with programmers and security to figure out how someone may try to abuse your app • Search you code for these threats • Thinking like an adversary can not only uncover potential issues, it can be fun and educational.

  24. YOU Pushing Left: Reviewing your code

  25. YOU Pushing Left: Reviewing your code • Most people use a static code analyzer, but this can also be done manually • Search for your threat models • Even the most expensive tool produces many false positives, the 'work' in this exercise is figuring out what is a real issue and what is not • OWASP Dependancy check • You can find more than just security bugs

  26. YOU Pushing Left: Writing better code

  27. YOU Pushing Left: Writing better code • Train yourself on secure coding practices • There are tons of quality online resources, free and paid, as well as courses and conferences • Check online for the best and most secure way to do things, before you start coding • Become the security expert on your dev team, and help the rest of your team learn

  28. OWASP: Your new BFF

  29. Open Web Application Security Project

  30. ANY QUESTION S? Tanya Janca Tanya.Janca@owasp.org OWASP Ottawa Chapter Leader OWASP DevSlop Project Leader @SheHacksPurple

Recommend

Being Your Own Boss need. Ill cover how to find work and how to work a project in a way that

Being Your Own Boss need. Ill cover how to find work and how to work a project in a way that

- Lisa 96 Notes - BEING YOUR OWN BOSS - Behind the myths and fears of consultingBeing Your Own Boss - Lisa 96 BEING YOUR OWN BOSS - Behind the myths and fears of consulting Im here to give you an understanding of what its like to be

275 views • 11 slides
Deploy Like A Boss Oliver Nicholas DEPLOY LIKE A BOSS THE JOURNEY FROM 2 SERVERS TO 20,000 THE

Deploy Like A Boss Oliver Nicholas DEPLOY LIKE A BOSS THE JOURNEY FROM 2 SERVERS TO 20,000 THE

Deploy Like A Boss Oliver Nicholas DEPLOY LIKE A BOSS THE JOURNEY FROM 2 SERVERS TO 20,000 THE DEPLOYMENT PIPELINE SECTION LOREM IPSUM DOLOR MARCH 1, 2015 3 UBER KEYNOTE TEMPLATE UBER TECHNOLOGIES, INC BUSINESS METRICS 311 Cities

1.11k views • 32 slides
BOSS Chemicals Company and Product Overview Agenda/Topics To Be Covered Who We Are Who

BOSS Chemicals Company and Product Overview Agenda/Topics To Be Covered Who We Are Who

BOSS Chemicals Company and Product Overview Agenda/Topics To Be Covered Who We Are Who have we worked with? BOSS-155 BOSS-155 Comparative Data BOSS-155 Comparative Data, p2 BOSS-155 Comparative Data, p3 BOSS

299 views • 19 slides
Lya emission from z=2-3 galaxies in SDSS/BOSS Rupert Croft + Other members of SDSS III/BOSS Ly

Lya emission from z=2-3 galaxies in SDSS/BOSS Rupert Croft + Other members of SDSS III/BOSS Ly

Lya emission from z=2-3 galaxies in SDSS/BOSS Rupert Croft + Other members of SDSS III/BOSS Ly working group: Talk plan: (1) Intro: Lya emission in the high-z universe -Lya emitting galaxies (Lya emitters) -Lya emission from IGM

507 views • 31 slides
Headteacher Briefings Spring Term 2016-17 The Ladder of Intervention Strategy into Practice

Headteacher Briefings Spring Term 2016-17 The Ladder of Intervention Strategy into Practice

Headteacher Briefings Spring Term 2016-17 The Ladder of Intervention Strategy into Practice BOSS and LTLC Updates Impact on Rate of Permanent Exclusion BOSS Update Caroline Lambert, Service Manager Kevin Jeffery, Education Consultant BOSS

1.3k views • 117 slides
Who s the Boss of You? s the Boss of You? Who By By Jeff, Marisol, Chatrian, and Buddy

Who s the Boss of You? s the Boss of You? Who By By Jeff, Marisol, Chatrian, and Buddy

Who s the Boss of You? s the Boss of You? Who By By Jeff, Marisol, Chatrian, and Buddy Jeff, Marisol, Chatrian, and Buddy Who s the Boss of You? s the Boss of You? Who Kids these days have lots of Kids these days have lots

249 views • 11 slides
BOSS OSS GP P SE SERI RIES 2017 S Seaso ason Europes fastest FIA Racing Series The The

BOSS OSS GP P SE SERI RIES 2017 S Seaso ason Europes fastest FIA Racing Series The The

BOSS OSS GP P SE SERI RIES 2017 S Seaso ason Europes fastest FIA Racing Series The The Se Series The abbreviation BOSS stands for Big Open Single Seaters, which means that all race cars from former Formula 1 to GP2, IndyCar, World

357 views • 17 slides
AW Left Cervical Radiculopathy Presentation World class swimmer with left scapular pain

AW Left Cervical Radiculopathy Presentation World class swimmer with left scapular pain

AW Left Cervical Radiculopathy Presentation World class swimmer with left scapular pain radiating into long finger. 3/5 left Triceps and 4/5 left grip. Unable to train due to pain and weakness. Initial X-rays 5-6 6-7 Options? 5-6

499 views • 26 slides
3D for the public viewers Binocular (perceivable with 2 eyes) Left Right Left eye How to

3D for the public viewers Binocular (perceivable with 2 eyes) Left Right Left eye How to

3D for the public viewers Binocular (perceivable with 2 eyes) Left Right Left eye How to direct Optical the left and right images to Splitter Right eye the correct eye? Anaglyph Blue filter Red filter Transmission 475nm 650nm

738 views • 34 slides
Semigroups of Left I-quotients Nassraddin Ghroda May 11, 2010 Semigroups of Left I-quotients

Semigroups of Left I-quotients Nassraddin Ghroda May 11, 2010 Semigroups of Left I-quotients

Semigroups of Left I-quotients Semigroups of Left I-quotients Nassraddin Ghroda May 11, 2010 Semigroups of Left I-quotients Outline Background 1 Inverse hull of left I-quotients of left ample semigroups 2 Extension of homomorphisms 3

794 views • 44 slides
#prep X Assembly 02: Left Fan In this guide, we attach Left filament fan to the X carriage.

#prep X Assembly 02: Left Fan In this guide, we attach Left filament fan to the X carriage.

#prep X Assembly 02: Left Fan In this guide, we attach Left filament fan to the X carriage. _________________________________________________________________ Left Filament Fan You'll need: Green left filament fan shroud Pink left filament fan

428 views • 6 slides
Pushing the limits: Climate and Range Distribution of Two Forest Pests *****Colloque prsent en

Pushing the limits: Climate and Range Distribution of Two Forest Pests *****Colloque prsent en

1 Pushing the limits: Climate and Range Distribution of Two Forest Pests *****Colloque prsent en anglais***** Kishan Sambaraju, chercheur scientifique Modlisation des pidmiologies RNCan-SCF-CFL 2 Pushing the limits: Climate and range

1.16k views • 50 slides
1 2 So who died and appointed me boss? What do I even know? I dont have a certification. I

1 2 So who died and appointed me boss? What do I even know? I dont have a certification. I

1 2 So who died and appointed me boss? What do I even know? I dont have a certification. I dont habitually use assistive technology to access the web. My job description doesnt include anything about accessibility, but Im the one

622 views • 47 slides
Eliminating left recursion (informally) Direct left rec. For each A -> A 1 | ... | A

Eliminating left recursion (informally) Direct left rec. For each A -> A 1 | ... | A

Eliminating left recursion (informally) Direct left rec. For each A -> A 1 | ... | A n | 1 | ... | n Rewrite: A -> 1A' | ... | n A' Introduce: A' -> 1A' | ... | nA' | Indirect left rec. A

555 views • 12 slides
Pushing the Limits of Kernel Networking Networking Services Team, Red Hat Alexander Duyck August

Pushing the Limits of Kernel Networking Networking Services Team, Red Hat Alexander Duyck August

Pushing the Limits of Kernel Networking Networking Services Team, Red Hat Alexander Duyck August 19 th , 2015 1 Pushing the Limits of Kernel Networking Agenda Identifying the Limits Memory Locality Effect Death by Interrupts

454 views • 18 slides
DFSS, & QFD / House of Quality By Group 4 Our example: Your boss comes up to you and says

DFSS, & QFD / House of Quality By Group 4 Our example: Your boss comes up to you and says

DFSS, & QFD / House of Quality By Group 4 Our example: Your boss comes up to you and says that he needs a new kind of rebar that is more durable than the kind the company currently produces Following the design for six sigma (DMADV)

708 views • 17 slides
Knew Knew What I hat I Know Know Now ow How to Navigate Questrom Like a Boss REMIND ME

Knew Knew What I hat I Know Know Now ow How to Navigate Questrom Like a Boss REMIND ME

I Wish I Wish That I hat I Knew Knew What I hat I Know Know Now ow How to Navigate Questrom Like a Boss REMIND ME AGAIN, WHAT ARE MY RESOURCES? The Undergraduate Development Center (UDC) Academic Advising Major? Summer

147 views • 13 slides
Pushing IA to the (SNR) Limit: M. Guillaud Experimental Results from the Vienna MIMO Testbed

Pushing IA to the (SNR) Limit: M. Guillaud Experimental Results from the Vienna MIMO Testbed

telecommunications institute of Pushing IA to the (SNR) limit Pushing IA to the (SNR) Limit: M. Guillaud Experimental Results from the Vienna MIMO Testbed Objectives IA in theory... ... and in practice Maxime Guillaud Vienna MIMO Testbed

548 views • 32 slides
No Child Left Behind No Child Left Behind Our Children Are Our Future: No Child Left Behind A

No Child Left Behind No Child Left Behind Our Children Are Our Future: No Child Left Behind A

No Child Left Behind No Child Left Behind Our Children Are Our Future: No Child Left Behind A New Era in Education A New Era in Education When it comes to the education of our childrenfailure is not an option. President George W.

671 views • 39 slides
HOW TO GET A JOB LIKE Society of Ohio Archivists A BOSS Collette N. McDonough, CA OVERVIEW

HOW TO GET A JOB LIKE Society of Ohio Archivists A BOSS Collette N. McDonough, CA OVERVIEW

May 17, 2019 HOW TO GET A JOB LIKE Society of Ohio Archivists A BOSS Collette N. McDonough, CA OVERVIEW Before the search Internships References Networking Resumes and cover letters The hunt The interview BEFORE

394 views • 23 slides
Pushing the boundaries of the SEP experimenting with new modes of research evaluation in the

Pushing the boundaries of the SEP experimenting with new modes of research evaluation in the

Pushing the boundaries of the SEP experimenting with new modes of research evaluation in the Dutch academic landscape Dr. Thed van Leeuwen Centre for Science and Technology Studies (CWTS), Leiden University Annual NARMA Meeting Lillestrom ,

528 views • 37 slides
Pushing the Boundaries An introduction and discussion on blockchain and how this technology could

Pushing the Boundaries An introduction and discussion on blockchain and how this technology could

Pushing the Boundaries An introduction and discussion on blockchain and how this technology could impact healthcare Dr Michael Costello Dr Robert Laidlaw General Manager Healthdirect Australia Founder of Secure Health Chain Dr Ian Graham Prof

255 views • 8 slides
Paycheck Protection Program: What Businesses Should Know PRESEN SENTED B BY: LEE EE D BOSS,

Paycheck Protection Program: What Businesses Should Know PRESEN SENTED B BY: LEE EE D BOSS,

Paycheck Protection Program: What Businesses Should Know PRESEN SENTED B BY: LEE EE D BOSS, SS, C CPA, M MBA FRANK K PI PINA, CPA PA SH SHER ERISE D E D RITTER TER, CPA PA, CGFM FM, PSA SA KYLE N NEELD, C CPA, C CGMA, PS

558 views • 23 slides
T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic Monitor.

834 views • 70 slides

More recommend