Building Application Security Teams
Dinis Cruz, CISO

SC conference - Building AppSec Teams


Page 1

Building Application Security Teams

Dinis Cruz, CISO

Page 2

Me
▪ Developer for 25 years
▪ AppSec for 13 years
▪ Day jobs:
  ▪ Leader of the OWASP O2 Platform project
  ▪ Application Security Training
  ▪ Part of the AppSec team of:
    ▪ The Hut Group
    ▪ BBC
    ▪ WorldFirst
  ▪ AppSec Consultant and Mentor
  ▪ CISO (soon)
▪ “I build AppSec teams….”
▪ https://twitter.com/DinisCruz
▪ http://blog.diniscruz.com
▪ http://leanpub.com/u/DinisCruz

Page 3

CISO POINT OF VIEW

Page 4

What type of security organisation to create
▪ Create an environment and workflow where Security (InfoSec and AppSec) is an enabler
▪ Allow the business to ship faster with quality, security and assurance
▪ InfoSec protects the organisation and operations
▪ AppSec protects the code created, used and bought
▪ Developers code in environments where it is very hard to create security vulnerabilities
▪ Applications run in environments where security exploits are contained and visible
▪ Align business risk appetite with reality (using the proposed Risk Workflow to allocate responsibility at the correct level)

Page 5

How to embed security into the culture
▪ Give security teams a mandate to focus on Quality, Testing and Engineering
▪ Create a network of Security Champions
▪ Become the ‘Department of Yes’
▪ Measure code pollution using the Risk Workflow
▪ Understand that developers are key players and need to be trusted
▪ Testing and Quality are core business requirements (and what gives you speed)
▪ Create a central AppSec team (usually there is only an InfoSec team)

Page 6

What about security policies?
▪ Security policies are the foundation of decisions
▪ They underpin the reason behind actions and risk accepted
▪ But, if not based on reality, most policies will NOT be
  ▪ read
  ▪ followed
  ▪ enforced
▪ For policies to work they need to be customised to their target (for example Secure Coding Standards for App XYZ)
▪ They also need to be delivered in the target’s environment (for example the IDE)

Page 7

Security magic pixie dust
▪ If you don’t:
  ▪ have an AppSec team
  ▪ do Threat Models
  ▪ do weekly code reviews and security assessments
  ▪ have embedded security automation in your SDL pipeline
  ▪ have secure coding standards, bug-bounties, dependency management
  ▪ … and many other AppSec activities
▪ There will be massive security vulnerabilities in the applications you use
▪ Because where is security going to come from?
▪ Without these activities:
  ▪ Your security model is based on the ‘skill level’ and ‘business model’ of your attackers
  ▪ … and … ‘magic security pixie dust’ (which works until attacked)

Page 8

WHERE IS APPSEC?

Page 9

You are a software company
▪ Even if your company does not hire developers, you are already a ‘software company’
▪ You probably don’t view Software Development as a core competency, and don’t control the Software/Applications that run your business (which is a high risk)
▪ If your company operations, customer experiences and sales are controlled by software that you write, then you ARE A SOFTWARE COMPANY (regardless of the industry sector you’re in)
▪ The question is how much your board and exec team realise that, and how much priority and focus is given to (secure) Software Development
▪ ‘Code’ controls your company
▪ The question is how much you ‘control’ your code

Page 10

Quality of the code that runs your business
▪ Quality is not something you can sprinkle on at the end
▪ Security is just like Quality
▪ Especially Application Security (i.e. secure code)
▪ Key concept:
  ▪ You can use Security to measure Quality
  ▪ because although
    ▪ not all quality issues are security issues
    ▪ all security issues are quality issues

Page 11

If you’re not deploying daily/hourly
▪ You’re not in the game
▪ You will struggle to innovate
▪ You depend on your competitors being worse than you

https://github.com/blog/1241-deploying-at-

http://joshuaseiden.com/blog/2013/12/amazon-deploys-to-production-

Page 12

CISO MindMap

http://www.aurorait.com/2016/06/13/one-size-never-fits/

Page 13

CISO MindMap (Zoomed in)

Page 14

Top level functions (from CISO MindMap)
▪ Business Enablement
▪ Selling InfoSec (Internal)
▪ Governance
▪ Security Operations
▪ Project Delivery Lifecycle
▪ Budget
▪ Security Architecture
▪ Compliance and Audit
▪ Legal and Human Resources
▪ Risk Management
▪ Identity Management

But where is Application Security?

Page 15

Page 16

Where is AppSec?

Page 17

Should AppSec be this low down the priorities?
▪ Of course you need to get the other security functions right (Risk, Networks, SecOps)
▪ But if you don’t write or buy secure code, your assets will be exposed
▪ In fact, with the current move to DevOps, Continuous Deployment and quick releases
  ▪ You will create an environment where security vulnerabilities will be pushed into production in days (or hours)
▪ Application Security (AppSec) needs to be a first class citizen, with strong budget and staff

Page 18

I like this Security Group Structure
▪ Key Areas:
  ▪ SecOps
  ▪ SOC
  ▪ RISK
  ▪ AppSec
  ▪ Testing
▪ Also important:
  ▪ Security Champions
  ▪ Knowledge
  ▪ RND

Page 19

Example of Security Function Budget and Team
▪ Budget should be 4% of turnover (same as GDPR max fine)
▪ 26 staff
  ▪ 4x Management (CISO, Senior Director InfoSec, Project Manager, PA)
  ▪ 8x SecOps (2x Network & Information Security, 2x End-User Computing, 2x DevOps, 2x SysAdmin)
  ▪ 4x Risk (DPO - Data Protection Officer, 2x Standards, Policy)
  ▪ 4x SOC (2x SOC SME and 2x SOC Engineer)
  ▪ 5x AppSec (Senior Architect Manager, 2x Senior Dev, 2x Dev)
  ▪ 1x Testing (1x RedTeam)
▪ Each function has an individual budget (for tools and 3rd party consulting services)

Page 20

AppSec is a first class citizen

AppSec as a top level function

Page 21

APPSEC FUNCTION

Page 22

Service driven organisation
▪ AppSec and Testing services can be requested by existing Teams/Squads:
  ▪ External Pen-Tests
  ▪ Code Reviews (internal and external)
  ▪ Threat Modeling
  ▪ Static and Dynamic scanning of code
  ▪ AppSec Training
  ▪ AppSec Advisory Surgery

Page 23

AppSec Functions Provided
▪ Security Champions Network
▪ AppSec Risk Workflow
▪ AppSec knowledge base (Wiki based)
▪ AppSec Policy
▪ Secure Coding Standards (based on JIRA Risk issues and OWASP ASVS)
▪ SDL (Secure Development Lifecycle) programme owner
▪ Internal and External Bug-Bounty management
▪ Maturity Models mapping (based on OWASP SAMM)
▪ Application Registry and Attack Surface mapping
▪ Visualisation of existing architecture/code and Business reporting of existing risks

Page 24

Security tools integration in the SDL
▪ Evaluate and deploy tools to perform Static (SAST) and Dynamic (DAST) scans of existing Applications and components
▪ Customisation of rules in order to create highly defensible findings
▪ Work with Security Champions on how to fix issues

Page 25

APPSEC SQUAD

Page 26

The AppSec Squad is a horizontal service/team focused on Securing Applications and code

Page 27

AppSec Squad Function
▪ The AppSec Squad is focused on Secure Code and Fixes
▪ It is a horizontal team (vs dev squads/teams, which are vertical)
▪ Works independently or directly with devs (on AppSec issues and fixes)
▪ Helps Security Champions with activities or code-fixes that require significant resources
▪ Independent from ‘product’ owners and deadlines
▪ Focus is on making applications/products more secure, resilient and safe
▪ Made of developers and graduates
▪ Creates the next generation of expert Security Champions
▪ 3 month rotation by internal developers/graduates

Page 28

Security Features != AppSec Squad
▪ Security Features are focused on creating, coding, deploying and maintaining business features that have a security angle to them
  ▪ 2FA (two-factor authentication)
  ▪ Secure file upload
  ▪ Data encryption
  ▪ HTTPS support
  ▪ Authentication/Authorization/RBAC improvements
  ▪ …other
▪ The AppSec Squad is focused on Secure Code, Security Testing and Visualisation/Documentation

Page 29

Example of AppSec Squad driven projects*
▪ Mass fixing of ‘systemic’ security vulnerabilities
▪ Create targeted and global SAST rules (scale security knowledge)
▪ Create Attack Surface mapping tool
▪ Web Services Visualisation tool
▪ Standard Schemas and validation across the company
▪ Application registry (and app-to-app connections)
▪ Security focused (unit/integration) tests
▪ Performance and DoS testing/visualisation
▪ Add reaction and mitigation capabilities (to app, not network)
▪ RBAC visualisation and testing
▪ Apps containerisation and instrumentation

*Security Champions to be involved in these projects

Page 30

Team
▪ Project Manager: 1x
▪ AppSec Specialist: 1x
▪ AppSec Developers: 2x to 4x
▪ AppSec Graduates: 2x to 4x

Page 31

AppSec Developers (2 to 4)
▪ Activities:
  ▪ Fix Security issues
  ▪ Improve QA environments
  ▪ Write tests
  ▪ Harden Dev environment (creating secure-by-default APIs and runtimes)
  ▪ Improve apps’ logging capabilities and visualisation
  ▪ Create data-flow and architecture diagrams from code (used by Threat Models)
▪ Skills:
  ▪ Experts in the language(s) used in the company
  ▪ Interested in AppSec and Security
  ▪ Able to write code fixes and tests with confidence and speed
  ▪ Able to find innovative solutions for improving the Test and QA environments

Page 32

AppSec Graduates (2 to 4)
▪ Activities:
  ▪ Simple/known security code fixes
  ▪ Support AppSec Function activities
  ▪ Support Security Champions’ activities
  ▪ Help with JIRA ticket maintenance
  ▪ Help with Threat Model diagrams
▪ Skills:
  ▪ Developers
  ▪ Passion for AppSec and Security

Page 33

SECURITY CHAMPIONS

Page 34

SCs Roles and Responsibilities
▪ Allocated to each Squad
▪ SME for all AppSec issues related to the allocated tribe
▪ Maintain JIRA tickets for the allocated code-base (projects and components)
▪ Write Security Focused tests and embed SDL practices into the CI pipeline
▪ Triage AppSec Findings and Fix relevant issues

Page 35

More expanded definition

Page 36

If you don’t have an SC, get a Mug

Page 37

JIRA RISK WORKFLOW

Page 38

JIRA RISK Workflow

Page 39

Key for the AppSec JIRA workflow is this button

Page 40

PATH #1 - Fix issue

Page 41

PATH #2 - Accept and Approve RISK

Page 42

PATH #2 - Variation when risk not approved

Page 43

JIRA Risk workflow
▪ Open JIRA issues for all AppSec issues
▪ Write passing tests for issues reported
▪ Manage using the AppSec RISK workflow
▪ Fix Path: Open, Allocated for Fix, Fix, Test Fix, Close
▪ Accept Risk Path: Open, Accept Risk, Approve Risk, (Expire Risk)
▪ Automatically report RISK status

Page 44

Separate JIRA project
▪ This is a separate JIRA repo from the one used by devs
▪ I like to call that project ‘RISK’
▪ This avoids project ‘issue creation’ politics and is a ‘safe harbour’ for:
  ▪ known issues
  ▪ ‘shadow of a vulnerability’ issues
  ▪ ‘this could be a problem…’ issues
  ▪ ‘app is still in development’ issues
▪ When deciding to fix an issue:
  ▪ that is the moment to create an issue in the target project’s JIRA (or whatever bug tracking system they use)
▪ When the issue is fixed (and closed in the target project’s JIRA):
  ▪ AppSec confirms the fix and closes the RISK issue

Page 45

Always moving until fix or acceptance
▪ Key is to understand that issues need to be moving on one of two paths:
  ▪ Fix
  ▪ Risk Accepted (and approved)
▪ Risks (i.e. issues) are never in ‘Backlog’
▪ If an issue is stuck in ‘Allocated for Fix’, then it will be moved into the ‘Awaiting Risk Acceptance’ stage
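A small model of the RISK workflow from pages 43 to 45, added here as an example (it is not code from the talk or from any of the speaker's projects): the two paths, the absence of any ‘Backlog’ state, the passing-test precondition, and the escalation of stuck issues into ‘Awaiting Risk Acceptance’. The 30-day stuck threshold, the transitions marked as assumptions, and the sample issues are all constructed for the example.

```python
"""Model of the JIRA RISK workflow (pages 43-45), added as an example."""
from collections import Counter
from datetime import date, timedelta

# Fix path and Accept Risk path as listed on page 43; 'Awaiting Risk
# Acceptance' comes from page 45. There is deliberately no 'Backlog' state.
# Transitions marked (assumption) are not stated in the talk.
TRANSITIONS = {
    "Open":                     {"Allocated for Fix", "Accept Risk"},
    "Allocated for Fix":        {"Fix", "Awaiting Risk Acceptance"},
    "Fix":                      {"Test Fix"},
    "Test Fix":                 {"Close", "Allocated for Fix"},   # fix failed its test (assumption)
    "Awaiting Risk Acceptance": {"Accept Risk", "Allocated for Fix"},
    "Accept Risk":              {"Approve Risk", "Open"},         # risk not approved -> reopen (assumption)
    "Approve Risk":             {"Expire Risk"},
    "Expire Risk":              {"Open"},                         # expired risk is re-decided (assumption)
    "Close":                    set(),
}

class RiskIssue:
    def __init__(self, key, title, opened, has_test=False):
        self.key, self.title, self.has_test = key, title, has_test
        self.state, self.since, self.history = "Open", opened, ["Open"]

    def move(self, new_state, when):
        """Apply one workflow transition; anything off the two paths is rejected."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.key}: {self.state} -> {new_state} is not on a RISK path")
        # Page 43: a passing test reproducing the issue exists before a fix is allocated.
        if new_state == "Allocated for Fix" and not self.has_test:
            raise ValueError(f"{self.key}: write a test reproducing the issue first")
        self.state, self.since = new_state, when
        self.history.append(new_state)

def escalate_stuck(issues, today, max_days=30):
    """Page 45: an issue stuck in 'Allocated for Fix' moves to 'Awaiting Risk Acceptance'.
    The 30-day threshold is an assumption; the talk gives no number."""
    moved = []
    for issue in issues:
        if issue.state == "Allocated for Fix" and (today - issue.since).days > max_days:
            issue.move("Awaiting Risk Acceptance", today)
            moved.append(issue.key)
    return moved

def status_report(issues):
    """Counts per stage, the content of the weekly risk-status email (page 49)."""
    return dict(Counter(i.state for i in issues))

def demo(today=date(2017, 3, 1)):
    """Constructed sample issues (not real findings) walked through both paths."""
    a = RiskIssue("RISK-1", "missing input validation on search", today - timedelta(days=60), has_test=True)
    b = RiskIssue("RISK-2", "stack trace shown on error page", today - timedelta(days=40), has_test=True)
    c = RiskIssue("RISK-3", "app still in development", today - timedelta(days=10))
    for step in ("Allocated for Fix", "Fix", "Test Fix", "Close"):
        a.move(step, a.since)                       # fix path, end to end
    b.move("Allocated for Fix", b.since)            # allocated, then forgotten for 40 days
    c.move("Accept Risk", c.since)                  # accept-risk path
    c.move("Approve Risk", c.since)
    stuck = escalate_stuck([a, b, c], today)        # RISK-2 gets pushed to risk acceptance
    return stuck, status_report([a, b, c])
```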

Page 46

You need volume
▪ If you don’t have 350+ issues in your JIRA RISK Project, you are not playing (and don’t have enough visibility into what is really going on)
▪ Allow team A to see what team B had (and scale due to issue description reuse)
▪ The problem is not teams with 50 issues, the problem is the team with 5 issues
▪ This is perfect for Gamification and to provide visibility into who to reward (and promote)

Page 47

Threat model
▪ All issues identified in Threat Models are added to the JIRA RISK project
▪ Create Threat Models by
  ▪ layer
  ▪ feature
  ▪ bug
▪ … that is a topic for another talk

Page 48

JIRA AppSec Dashboards

Page 49

Weekly emails with Risk status

Page 50

Full details in the “SecDevOps Risk Workflow” book
▪ Get it for free at https://leanpub.com/secdevops

Page 51

GDPR

Page 52

GDPR (for Apps)
▪ All this applies to GDPR
▪ If you trade with EU customers you will need to do it
▪ GDPR should be easy if you have an
  ▪ SOC
  ▪ Effective RISK team (with DPO)
  ▪ SecOps team
  ▪ AppSec team
▪ See the great presentation at https://www.owasp.org/images/c/c8/2017-01-25,GDPR_Readiness-Handout.pdf (some screenshots shown in the next slides)

Page 53

7 Key principles enshrined in the EU GDPR

Page 54

Twelve steps towards GDPR Readiness (1/2)

https://www.owasp.org/images/c/c8/2017-01-25,GDPR_Readiness-Handout.pdf

Page 55

Twelve steps towards GDPR Readiness (2/2)

Page 56

MATURITY MODELS

Page 57

OWASP SAMM and BSIMM

https://www.owasp.org/index.php/OWASP_SAMM_Project

https://www.bsimm.com/

Page 58

OWASP Maturity-Models project
▪ Tool to help collect and visualise maturity model data
▪ Open source: https://github.com/owasp/maturity-models
▪ All data stored as JSON using Git as the data store
▪ Supports both OWASP SAMM and BSIMM schemas
▪ REST API to consume data
▪ Easy to deploy using a docker image
▪ 97% to 100% code coverage
▪ Try it out on the QA server http://138.68.145.52

Page 59

Page 60

BUILDING APPSEC TEAMS

Page 61

You can’t hire AppSec specialists
▪ AppSec specialists will cost £120k+ (UK/US) and even then, they might not be aligned with your values, technologies or focus
▪ Best to hire (internally) developers
  ▪ from £50k to £80k
  ▪ invest 25% of salary in Education/Knowledge (£12.5k to £20k)
    ▪ OWASP conferences (US or EU + regional)
    ▪ OWASP Summits
    ▪ BlackHat, DefCon, HITBSecConf, Shmoocon, DevSecCon conferences
    ▪ Classroom based training sessions with security experts
    ▪ Web based learning tools (massive innovation in this area)
    ▪ Books, books, books, books
  ▪ 20% of their time allocated to learning and RnD (1 day a week)

Page 62

Build your AppSec team from inside
▪ Ideal path is:
  ▪ Company hires Developers
  ▪ Developer passes internal quality control, culture and skills requirements
  ▪ Developer applies to become a Security Champion
  ▪ Developer likes being a Security Champion and applies to an open position in the AppSec Team (or other Security Function)
▪ Another option is:
  ▪ Hire specific individuals from 3rd-party ‘Application Security focused’ or ‘Quality development focused’ companies
  ▪ Give them a job :) (with full transparency and support from the 3rd party company)
▪ ‘Worst case scenario’
  ▪ Hire developers from outside (via recruiters or directly)

Page 63

OWASP

Page 64

Epicentre of Application Security
▪ Best (dedicated) AppSec conferences of the year
▪ 100s of chapters around the world
▪ 100s of research projects on AppSec
▪ All released under Open Source and Creative Commons licenses
▪ Best concentration of AppSec talent in the world
▪ Please join, collaborate, participate

Page 65

Conferences

Page 66

Chapters

Page 67

Projects - Flagship

Page 68

Projects - Labs

Page 69

Projects - Incubator

Page 70

OWASP Summits
▪ Imagine a place where (some of) the best Application Security and OWASP minds come together to collaborate and work
▪ … a meeting of minds focused on solving hard problems that we all have every day
▪ … a place where security experts, developers, users, government agencies and vendors work together on shared goals
▪ … a place where you will find like-minded individuals that care deeply about what you are passionate about
▪ … an environment designed for maximum geek-time, synergies and collaboration
▪ … basically it’s AppSec from 8am till 2am (next day)
▪ This place is something that only OWASP can create
▪ This place is an OWASP Summit

Page 71

Summit - 2008

Page 72

Summit 2011

Page 73

OWASP Summit 2017 (June 12-16)
▪ http://owaspsummit.org/

Page 74

Industry working together on hard problems

Page 75

THANKS
Any questions?