18
Application Security Last Line of Defense Narudom Roongsiriwong, CISSP ASEAN IT Security Conference 2016 Critical C-Suite Security Knowledge Conference July 27, 2016 The Westin Grande Sukhumvit, Bangkok, Thailand

Application Security: Last Line of Defense

Embed Size (px)

Citation preview

Page 1: Application Security: Last Line of Defense

Application Security Last Line of Defense

Narudom Roongsiriwong, CISSP

ASEAN IT Security Conference 2016 Critical C-Suite Security Knowledge Conference

July 27, 2016 The Westin Grande Sukhumvit, Bangkok, Thailand

Page 2: Application Security: Last Line of Defense

About Me

• Head of IT Security and Solution Architecture, Kiatnakin Bank PLC (KKP)

• Consulting Team Member for National e-Payment project

• Consultant for OWASP Thailand Chapter

• Committee Member of Cloud Security Alliance (CSA), Thailand Chapter.

[email protected]

Page 3: Application Security: Last Line of Defense

Internet Lines of Defense

Source: IBM Software Group, Rational Software

Page 4: Application Security: Last Line of Defense

Does Firewall Really Prevent the Intrusion?

Source: Jeremiah Grossman, BlackHat 2001

Page 5: Application Security: Last Line of Defense

Does SSL/TLS Really Prevent the Intrusion?

Source: Jeremiah Grossman, BlackHat 2001

Page 6: Application Security: Last Line of Defense

Attackers have shifted their focus to target applications.

Improving user accessibility and ease of use also increases ease of access for attackers.

Application exploit toolkits are increasingly available on the attack marketplace.

Many major breaches in 2015 targeted applications.

Source: Cyber Risk Report 2016 highlights, Hewlett Packard Enterprise

Page 7: Application Security: Last Line of Defense

Most Web And Mobile Apps Contain Security Weaknesses that Can Open the Door to Attackers.

Source: Cyber Risk Report 2016 highlights, Hewlett Packard Enterprise

Page 8: Application Security: Last Line of Defense

Key Takeaways for Application Security

Source: Cyber Risk Report 2016 highlights, Hewlett Packard Enterprise

Page 9: Application Security: Last Line of Defense

What Are Application Security Risks?

Source: OWASP: Open Web Application Security Project

Page 10: Application Security: Last Line of Defense

www.owasp.org

Page 11: Application Security: Last Line of Defense

OWASP Top 10 2013 Risk

Source: OWASP: Open Web Application Security Project

Page 12: Application Security: Last Line of Defense

Security controls cannot deal with

broken business logic

such as A2, A4 and A7

Software weaknesses

reduction down to

zero is possible

Reduce Security Weaknesses vs Increase Security Controls

Page 13: Application Security: Last Line of Defense

So Where Do You Go from Here?

Page 14: Application Security: Last Line of Defense

OWASP Top 10 Proactive Controls

C1: Verify for Security Early and Often

C2: Parameterize Queries

C3: Encode Data

C4: Validate All Inputs

C5: Implement Identity and Authentication Controls

C6: Implement Appropriate Access Controls

C7: Protect Data

C8: Implement Logging and Intrusion Detection

C9: Leverage Security Frameworks and Libraries

C10: Error and Exception Handling

https://www.owasp.org/index.php/OWASP_Proactive_Controls

Page 15: Application Security: Last Line of Defense

Microsoft Security Development Lifecycle

https://www.microsoft.com/en-us/sdl

Page 16: Application Security: Last Line of Defense

Software Assurance Maturity Model

Source: OWASP’s Software Assurance Maturity Model (OpenSAMM)

https://www.owasp.org/index.php/OpenSamm

Page 17: Application Security: Last Line of Defense
Page 18: Application Security: Last Line of Defense

Martial & Magic Masterywatermark.dmsguild.com › pdf_previews › 174085-sample.pdfthe Chainmail armor of his people is the last line of defense against on oncoming Orcish hoard

Martial & Magic Masterywatermark.dmsguild.com › pdf_previews › 174085-sample.pdfthe Chainmail armor of his people is the last line of defense against on oncoming Orcish hoard

Documents
John Marcy December 18, 2012 Gl bal Last-Line of Defense (GOLD)

John Marcy December 18, 2012 Gl bal Last-Line of Defense (GOLD)

Documents
Database monitoring - First and Last Line of Defense

Database monitoring - First and Last Line of Defense

Technology
YOUR LAST LINE OF DEFENSE - IBM · YOUR LAST LINE OF DEFENSE Anthony Lim MBA CISSP FCITIL ... We Audit It Once a ... Parameter Tampering

YOUR LAST LINE OF DEFENSE - IBM · YOUR LAST LINE OF DEFENSE Anthony Lim MBA CISSP FCITIL ... We Audit It Once a ... Parameter Tampering

Documents
ruby.fgcu.eduruby.fgcu.edu/courses/cpacini/courses/common/cybercrimes.pdf · sures are not always successful, electronic crime detection represents the last line of defense regard-

ruby.fgcu.eduruby.fgcu.edu/courses/cpacini/courses/common/cybercrimes.pdf · sures are not always successful, electronic crime detection represents the last line of defense regard-

Documents
Lymphatic and Immune System The Body’s Defense. Nonspecific Defense First Line of Defense –Skin –Mucous Membrane –Secretions

Lymphatic and Immune System The Body’s Defense. Nonspecific Defense First Line of Defense –Skin –Mucous Membrane –Secretions

Documents
Título da apresentação · Business units Safety & Risk Internal audit 8 1st layer 2nd layer 2nd line of defense 3rd line of defense 1st line of defense Executive Board Board of

Título da apresentação · Business units Safety & Risk Internal audit 8 1st layer 2nd layer 2nd line of defense 3rd line of defense 1st line of defense Executive Board Board of

Documents
The Last Line of Defense

The Last Line of Defense

Documents
Innate Immunity- First Line of Defense

Innate Immunity- First Line of Defense

Documents
Pack-Line Defense - WordPress.com

Pack-Line Defense - WordPress.com

Documents
First Line of Defense against Counterfeits - Hammond

First Line of Defense against Counterfeits - Hammond

Documents
Dentrix Passwords: Your First Line of Defense

Dentrix Passwords: Your First Line of Defense

Documents
“Buried Infrastructure’s Last Line of Defense” Excavation Alert Systems, LLC. Damage Prevention Systems for Buried Infrastructure Ryan Dunn 660 Hunters

“Buried Infrastructure’s Last Line of Defense” Excavation Alert Systems, LLC. Damage Prevention Systems for Buried Infrastructure Ryan Dunn 660 Hunters

Documents
3rd Line Of Defense

3rd Line Of Defense

Education
Pacific Exercises - SLDinfo.com - Second Line of Defense

Pacific Exercises - SLDinfo.com - Second Line of Defense

Documents
Organizing the Last Line of Defense before hitting the Memory Wall for Chip-Multiprocessors (CMPs)

Organizing the Last Line of Defense before hitting the Memory Wall for Chip-Multiprocessors (CMPs)

Documents
Underground Utility Tape - Empire Levelempirelevel.com/pdf/16-EMP-0106_UndergroundTape_Catalog...Underground Warning Tape is the last line of defense for your underground utility

Underground Utility Tape - Empire Levelempirelevel.com/pdf/16-EMP-0106_UndergroundTape_Catalog...Underground Warning Tape is the last line of defense for your underground utility

Documents
Lymphatic System The Body’s Defense System. Nonspecific Defense First Line of Defense –Skin –Mucous Membrane –Secretions

Lymphatic System The Body’s Defense System. Nonspecific Defense First Line of Defense –Skin –Mucous Membrane –Secretions

Documents
Immunity First Line of Defense - MCCC

Immunity First Line of Defense - MCCC

Documents
1- First line of defense: Plant perimeter protection 2- Second line of defense: Chemical warfare - Terpenes

1- First line of defense: Plant perimeter protection 2- Second line of defense: Chemical warfare - Terpenes

Documents
Second Line of Defense Training

Second Line of Defense Training

Documents
PRESSURE PACK LINE MAN to MAN DEFENSE - 94 … PACK LINE MAN to MAN DEFENSE We have successfully employed the PRESSURE PACK LINE MAN to MAN DEFENSE for over 15 years, at both the NCAA

PRESSURE PACK LINE MAN to MAN DEFENSE - 94 … PACK LINE MAN to MAN DEFENSE We have successfully employed the PRESSURE PACK LINE MAN to MAN DEFENSE for over 15 years, at both the NCAA

Documents
Non-Specific Resistance First Line of Defense * External physical barriers * Chemical Defenses Second Line of Defense: * Leukocytes & Lymphatic System

Non-Specific Resistance First Line of Defense * External physical barriers * Chemical Defenses Second Line of Defense: * Leukocytes & Lymphatic System

Documents
Bracing the Last Line of Defense Against Midair Collisions

Bracing the Last Line of Defense Against Midair Collisions

Documents
last in line last in school 2009

last in line last in school 2009

Documents
Immunity Biology 2122 Chapter 21. Introduction Innate or nonspecific defense: – First-line of defense – Second-line of defense The adaptive or specific

Immunity Biology 2122 Chapter 21. Introduction Innate or nonspecific defense: – First-line of defense – Second-line of defense The adaptive or specific

Documents
Plant Defenses 1- First line of defense: Plant perimeter protection 2- Second line of defense: Chemical warfare 3- Mutalistic Relationships

Plant Defenses 1- First line of defense: Plant perimeter protection 2- Second line of defense: Chemical warfare 3- Mutalistic Relationships

Documents
Our First Line of Defense

Our First Line of Defense

Documents
The Auxiliary Units: Britain's Last Line of Defense During

The Auxiliary Units: Britain's Last Line of Defense During

Documents
GENERATING TECHNOLOGY IMPACT Genpact user ......GENERATING TECHNOLOGY IMPACT Genpact user-acceptance testing: Reliable last line of defense DESIGN • TRANSFORM • RUN Solution Overview

GENERATING TECHNOLOGY IMPACT Genpact user ......GENERATING TECHNOLOGY IMPACT Genpact user-acceptance testing: Reliable last line of defense DESIGN • TRANSFORM • RUN Solution Overview

Documents