Application Security Last Line of Defense
Narudom Roongsiriwong, CISSP
ASEAN IT Security Conference 2016 Critical C-Suite Security Knowledge Conference
July 27, 2016 The Westin Grande Sukhumvit, Bangkok, Thailand
About Me
• Head of IT Security and Solution Architecture, Kiatnakin Bank PLC (KKP)
• Consulting Team Member for National e-Payment project
• Consultant for OWASP Thailand Chapter
• Committee Member of Cloud Security Alliance (CSA), Thailand Chapter
Attackers have shifted their focus to target applications.
Improving user accessibility and ease of use also increases ease of access for attackers.
Application exploit toolkits are increasingly available on the attack marketplace.
Many major breaches in 2015 targeted applications.
Source: Cyber Risk Report 2016 highlights, Hewlett Packard Enterprise
Most web and mobile apps contain security weaknesses that can open the door to attackers.
Source: Cyber Risk Report 2016 highlights, Hewlett Packard Enterprise
Key Takeaways for Application Security
Source: Cyber Risk Report 2016 highlights, Hewlett Packard Enterprise
Reduce Security Weaknesses vs Increase Security Controls
• Security controls added around an application cannot deal with broken business logic such as OWASP Top 10 2013 A2 (Broken Authentication and Session Management), A4 (Insecure Direct Object References) and A7 (Missing Function Level Access Control): a request that exploits these flaws is well-formed, and only code that knows who the user is and what they are allowed to do can reject it.
• Reducing software weaknesses all the way down to zero, on the other hand, is possible when the weaknesses are fixed in the code itself.
OWASP Top 10 Proactive Controls
C1: Verify for Security Early and Often
C2: Parameterize Queries
C3: Encode Data
C4: Validate All Inputs
C5: Implement Identity and Authentication Controls
C6: Implement Appropriate Access Controls
C7: Protect Data
C8: Implement Logging and Intrusion Detection
C9: Leverage Security Frameworks and Libraries
C10: Error and Exception Handling
https://www.owasp.org/index.php/OWASP_Proactive_Controls
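As an added illustration of C2, C3, C4 and C6 (example code written for this page, not from the presentation, the bank, or the OWASP project), here is a constructed account-lookup routine in Python on sqlite3, first as it is often written and then hardened. The account-number format KK-nnnn, the two sample rows, and all function names are assumptions made for the example. It also shows the point of the slide above: the IDOR request is a perfectly well-formed query for an account number, so nothing outside the code can tell it from a legitimate one; only the ownership check inside the application rejects it.

```python
import html
import re
import sqlite3

# Constructed sample data for this example (not from the presentation): two
# customers (owner_id 100 and 200) that each hold one account.
SCHEMA = """
CREATE TABLE accounts (
    id       INTEGER PRIMARY KEY,
    owner_id INTEGER NOT NULL,
    number   TEXT    NOT NULL,
    balance  REAL    NOT NULL
);
"""
SAMPLE_ROWS = [
    (1, 100, "KK-0001", 2500.00),
    (2, 200, "KK-0002", 99000.00),
]

# Assumed account-number format used for the allow-list check (C4).
ACCOUNT_NUMBER_RE = re.compile(r"KK-\d{4}")


class AccessDenied(Exception):
    """Raised when the caller does not own the requested account."""


def make_db():
    """Return an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def get_balance_vulnerable(conn, user_id, account_number):
    """Weak version: the account number is spliced into the SQL text (injection,
    C2 violated) and user_id is never consulted, so any authenticated user can
    read any account by naming it (IDOR, Top 10 2013 A4 / C6 violated)."""
    sql = f"SELECT number, balance FROM accounts WHERE number = '{account_number}'"
    return conn.execute(sql).fetchall()


def get_balance_hardened(conn, user_id, account_number):
    """Hardened version applying C4, C2 and C6, in that order."""
    # C4: allow-list validation before the value goes anywhere near the database.
    if not ACCOUNT_NUMBER_RE.fullmatch(account_number):
        raise ValueError("malformed account number")
    # C2: bound parameter; the driver never lets the value alter the statement.
    # C6: owner_id is part of the predicate, so the ownership check cannot be
    # skipped by a caller, and "not yours" looks the same as "does not exist".
    rows = conn.execute(
        "SELECT number, balance FROM accounts WHERE number = ? AND owner_id = ?",
        (account_number, user_id),
    ).fetchall()
    if not rows:
        raise AccessDenied("no such account for this user")
    return rows


def render_row_html(number, balance):
    """C3: encode data for the HTML context it is placed in, so an account label
    containing markup is displayed literally instead of being interpreted."""
    return f"<td>{html.escape(number, quote=True)}</td><td>{balance:.2f}</td>"


def attempt(fn, *args):
    """Run fn and report ('ok', result) or ('error', exception class name)."""
    try:
        return ("ok", fn(*args))
    except Exception as exc:
        return ("error", type(exc).__name__)


def demo():
    """Exercise both versions with an injection payload and an IDOR request
    from user 100, who owns only KK-0001."""
    conn = make_db()
    injection = "' OR '1'='1"
    return {
        # The payload turns the predicate into number = '' OR '1'='1': every row.
        "vuln_injection": attempt(get_balance_vulnerable, conn, 100, injection),
        # User 100 reads user 200's account simply by naming it.
        "vuln_idor": attempt(get_balance_vulnerable, conn, 100, "KK-0002"),
        "hard_injection": attempt(get_balance_hardened, conn, 100, injection),
        "hard_idor": attempt(get_balance_hardened, conn, 100, "KK-0002"),
        "hard_own": attempt(get_balance_hardened, conn, 100, "KK-0001"),
        "encoded": render_row_html("<script>alert(1)</script>", 2500.0),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

Note the order in the hardened function: the format check (C4) runs first so that junk never reaches the query, the bound parameter (C2) makes injection impossible regardless of the check, and the ownership predicate (C6) is the only line that addresses the business-logic flaw; it is also the one that no WAF, IDS or framework default can supply on the application's behalf.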
Software Assurance Maturity Model
Source: OWASP’s Software Assurance Maturity Model (OpenSAMM)
https://www.owasp.org/index.php/OpenSamm