ASEC-T07R: Efficacy of Layered Application Security Through the Lens of Hacker
2020-03-01
- 1. #RSAC Session ID: ASEC-T07R. Efficacy of Layered Application Security Through the Lens of Hacker. Speakers: Gyan Prakash, Chief Security Architect, VISA Inc.; Bill Yue Chen, Chief Security Architect, VISA Inc.
- 2. Agenda: Threat Model; Observations; Optimizing App Security Life-Cycle Controls; Agility with Security; What Pen Test Should Focus on; Recommendations.
- 3. A Tight Race. “Know yourself, also know your rival.” (Sun Tzu, 545–470 B.C.) Figure labels: Phishing, Brute force, Malware, Data.
- 4. Threat Model Over The Kill Chain. Stages: Recon., Weaponizing, Delivery, Exploit, Installation, C&C, Act. & Obj. Techniques called out along the chain: Scans, DNS, Asset discovery, Social Eng., etc.; Malware, Open Source Poisoning, Faked Web, etc.; ML Assisted Social Engineering; Passive Traps & Proactive Attacks; Advanced Spearphishing (e.g. SNAP_R); Camouflaged Actions, APT, Outbound control; exploiting Network, Infra, OWASP Vuln, IAM Issues, etc.; Automated CAPTCHA Reader; Advanced PW Guessing (e.g. PassGAN).
- 5. Just Overwhelming! Tool landscape: Binary Composition, Web Vul. Scanner, App Vul. Monitoring, RASP, SAST, Pen Test, DAST, WAF, IAST.
- 6. Observations. (Chart residue: scale labels “Hundreds” and “Thousands”.)
- 7. Observations: Application Vulnerabilities. Flawed Authentication; Security Misconfigurations; Sensitive Data Exposure; Insecure TLS/SSL usage; Cross-Site Scripting; Injection; Using vulnerable components; Inappropriate error handling; CSRF.
- 8. Optimizing App Security Coverage. Coverage fraction and the vulnerability classes each tool class addresses:
  - SAST (more than one third): Injections; Sensitive Data Exposure; XML External Entities (XXE); Cross-Site Scripting; Insecure Deserialization.
  - IAST (around two thirds): Injections; Sensitive Data Exposure; XML External Entities (XXE); Cross-Site Scripting; Insecure Deserialization; Security Misconfigurations; 3rd Party Vulnerable Lib.
  - DAST (around one third): Injections; Sensitive Data Exposure; XML External Entities (XXE); Cross-Site Scripting; Security Misconfigurations.
- 9. Security Embedded with Agile. Pipeline: Developer Workspace (SAST) → Daily Builds (SAST, IAST) → CI Automation (DAST, IAST, SAST) → Product Shipping; sprint of 1–3 weeks; Product Backlog → Sprint Backlog → Iteration.
- 10. Security Embedded with Agile (same pipeline, annotated “> 80 % with <<”).
- 12. What Pen Test should focus on?
  - Authentication & Authorization: authentication flow and design, Passwords, 2FA, Security questions, Access Control
  - Session management
  - Business Logic: all possible bypassing issues
  - Data flows that are not covered by scanners, such as email, SSH, SAML etc.
  - Examine Attack surface
  - Sampling test: Injection, XSS, to validate SAST/IAST/DAST controls
  - Last but not least, Infrastructure
- 13. Completing the Puzzle. The pipeline of slide 9 with Pen Test added: Developer Workspace (SAST) → Daily Builds (SAST, IAST) → CI Automation (DAST, IAST, SAST) → Pen Test → Product Shipping; sprint of 1–3 weeks; Product Backlog → Sprint Backlog → Iteration.
- 14. Recommendations
  - Shift Left: train and empower developers to become Security Champions
  - Automation: empower engineers with SAST, IAST, OSS, and WVS
  - Pen test smartly: focus on the limitation area of tools
  - Implement multi-factor authentication
  - Check password blacklist
  - Phishing/social engineering awareness training
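The “Check password blacklist” recommendation above, paired with the advanced password guessing called out in the threat model (slide 4), as an added Python example that is not part of the deck: candidates are normalized before comparison so that the cheap variants a guesser tries first (case changes, leetspeak, a trailing year or “123!”) still hit the blacklist. The blacklist contents, the substitution table and the normalization rules are assumptions made for this demo.

```python
from __future__ import annotations

import re
import unicodedata
from typing import Optional, Set

# Constructed sample blacklist for the demo; a real deployment would load a
# breach-derived list. These entries are hypothetical, not from the deck.
BLACKLIST = {"password", "visa2020", "welcome1", "qwerty", "letmein", "summer2019"}

# Substitutions a guessing rule set tries first, mapped back to plain letters.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to the base word a guesser's rules would start from."""
    p = unicodedata.normalize("NFKC", password).lower()
    p = re.sub(r"[\d\W_]+$", "", p)      # drop a trailing year/digits/punctuation ("2020", "123!")
    p = p.translate(LEET)                # undo leetspeak ("p@ssw0rd" -> "password")
    return re.sub(r"[^a-z0-9]", "", p)   # ignore remaining separators and symbols


# Both sides of the comparison go through the same normalization.
NORMALIZED_BLACKLIST = {normalize(p) for p in BLACKLIST}


def check_password(password: str, blacklist: Optional[Set[str]] = None) -> Optional[str]:
    """Return None if the password passes the blacklist check, else the reason it fails."""
    bl = NORMALIZED_BLACKLIST if blacklist is None else {normalize(p) for p in blacklist}
    base = normalize(password)
    if not base:
        return "no letters remain after normalization"   # e.g. all digits or symbols
    if base in bl:
        return f"matches blacklisted base word '{base}'"
    return None


if __name__ == "__main__":
    for candidate in ["P@ssw0rd123!", "Visa2021", "12345678", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```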
- 15. Questions & Answers. Closing diagram: the pipeline of slide 13 (Developer Workspace, Daily Builds, CI Automation with SAST, IAST and DAST, sprint of 1–3 weeks, Sprint Backlog → Iteration → Product Shipping) extended with Web Vul. Scanner, Real time Analytics, WAF, Pen Test and a PRODUCTION stage.