OWASP Global AppSec - Mobiquity’s Key Takeaways

Topics: Security
Author: Erik-Jan Davids
Publication Date: 6 November 2019

In late September the Open Web Application Security Project (OWASP) hosted its Global AppSec conference in the RAI convention center in Amsterdam. We took the team out and enjoyed two full days of inspiration from a large variety of experts in the community. In this article we share our key takeaways.

OWASP is a non-profit organization supported by a huge global community whose core purpose is to “be the thriving global community that drives visibility and evolution in the safety and security of the world’s software”. OWASP has been around for almost 20 years now, and adoption of its flagship projects has really taken off since world-scale digitization has pushed application security, and information security in general, to the level of society-wide threats.

The conference schedule was nicely organized around OWASP’s builder, breaker and defender communities, as well as some other tracks. Our personal and professional interests cover all of these, but we found ourselves attending more builder-related sessions than anything else. As security engineers at a digital agency that helps companies with their digital transformation and builds their next-generation application landscape, we want to keep learning so that we can stay ahead of the game and collaborate effectively with our engineering teams.

Security in and of delivery pipelines

CI/CD pipelines using tools like Jenkins have been around for a long time and have helped us integrate and deliver code to target environments fast, frequently and consistently. A vast ecosystem of solutions and tools today offers nearly every capability imaginable, but implementing security in and of the pipeline in practice still requires a lot of planning and thought. Cloud native paradigms like containerization further abstract and accelerate solution delivery, but they also add complexity and new security concerns (see also “Container security” below).

In “Controlled mayhem with cloud native security pipelines” Ben Pick and Jack Mannino provided a comprehensive overview of traditional vs. cloud native pipelines, and of the common security considerations and pitfalls to keep in mind when designing your pipeline.

Our takeaways from this session were:

  • The only way to keep up with recommended application security practices at scale is to automate them in our pipelines
  • Infrastructure as code gives us consistency across environments and the ability to scale fast but this also means that trust boundaries blur and security of environments moves into code repositories and pipelines, so we have to harden them and further lock down permissions
  • The tools and services that can help developers abstract some of the complexity of the cloud can have insecure defaults and the developers that use them often don’t have the knowledge or experience in infrastructure and security to understand the implications
  • It is essential for infrastructure and security professionals to familiarize themselves with cloud native design patterns and tools so they can collaborate with developers of cloud native applications and add their knowledge and expertise to ensure secure applications

In control of vulnerabilities

Vulnerabilities are everywhere and their numbers grow exponentially. How is the average developer supposed to think of every possible scenario while trying to solve a business problem? Specific vulnerabilities manifest themselves in many different ways, but at a more abstract level the top 10 vulnerabilities haven’t changed all that much in the past decades.

In “Security vulnerabilities decomposition: another way to look at vulnerabilities” Katy Anton took us through groups of vulnerabilities and the controls applied to prevent them.

You find a (security) bug and fix it. Or do you? It is not uncommon for bug fixes to be incomplete because we don’t analyze beyond the initial bug report. A bug may be fixed for the reported steps to reproduce, but a slight change in those steps may reveal the same bug again. A bug may be fixed in one part of the code while all other instances of the same bug, elsewhere in the code or in similar applications, are left untouched.

In “How to find and prevent entire classes of security vulnerabilities” Sam Lanning showed some great examples of this behaviour and provided guidance on how we can improve the impact of our bug fixing efforts.

Our takeaways from these sessions were:

  • Many vulnerabilities can be grouped because they are caused by the same mistake (e.g. injection caused by interpreting data as code)
  • The secure design principles and security controls that prevent vulnerabilities are often the same (e.g. parametrization, output encoding and input validation)
  • If we shift our focus to implementing fundamental controls we can prioritize our efforts on those controls that have the biggest positive impact on preventing vulnerabilities
  • If we do better root cause analysis of security bugs we can increase the impact of our remediation efforts by fixing bugs more completely and everywhere
  • Translating lessons learned into custom checks for our code review and code analysis tools avoids the same mistake happening again in the future and in other projects
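To make the last two points concrete, here is an added example (not code from either talk or from OWASP): a small Python check that encodes one lesson learned, that SQL assembled by concatenation or formatting must never reach a database sink, as a rule that can run over a whole code base in review or in the pipeline. The sink names `execute` and `executemany` and the sample functions it scans are assumptions constructed for this illustration.

```python
import ast
# DB-API cursor methods treated as SQL sinks (an assumption for this example).
SINK_NAMES = {"execute", "executemany"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the node builds a string at run time from other values."""
    if isinstance(node, ast.JoinedStr):                  # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                      # "..." + x  or  "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                # "...".format(x)
    return False


def find_unsafe_sql(source: str) -> "list[int]":
    """Return the line numbers where a dynamically built string reaches a sink."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in SINK_NAMES
                and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append(node.lineno)
    return sorted(findings)


# Constructed code under review: the same mistake written four ways, plus a parameterized form.
SAMPLE = '''
def by_name(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def by_email(cur, email):
    cur.execute(f"SELECT * FROM users WHERE email = '{email}'")

def by_id(cur, uid):
    cur.execute("SELECT * FROM users WHERE id = %s" % uid)

def by_role(cur, role):
    cur.execute("SELECT * FROM users WHERE role = '{}'".format(role))

def by_id_safe(cur, uid):
    cur.execute("SELECT * FROM users WHERE id = %s", (uid,))  # parameterized: not flagged
'''

if __name__ == "__main__":
    print("dynamic SQL reaches a sink on lines:", find_unsafe_sql(SAMPLE))  # [3, 6, 9, 12]
```

Because the rule describes the root cause rather than one reported bug, it flags every variant in the sample and leaves the parameterized query alone.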

Agile threat modelling

Threat modelling has been increasing in popularity. Spending quality time with a team, focused on the security of whatever it is they are creating, is invaluable. It is more concrete than security awareness training, more transparent than reviewing documents, and an opportunity to influence design decisions very early on. It can also be a great team building activity, and it can be fun for developers to think like an attacker for a change.

In “OWASP based threat modelling: creating a feedback model in an agile environment” Chaitanya Bhatt shared how he approaches threat modelling in a large scale agile environment.

In “Threat modelling stories from the trenches” David Johannson and Andrew Lee-Thorp shared some real world examples which challenge us to look beyond the first obvious threats.

Our takeaways from these sessions were:

  • An approach based on policy, standards and (top x) controls can produce more repeatable and meaningful results
  • Agile risk assessments must take into account expansion of the landscape and building risks upon risks
  • Analysis and feedback of threat modelling results (“threat surfing”) can provide insights into your organization wide threat landscape
  • Threat baselines can help set priorities for threat analysis and proactive security training
  • The quality of the output of a threat modelling session still depends on the experience and expertise of the people involved

Driving continuous improvement with OWASP SAMM

We are big fans of the Software Assurance Maturity Model (SAMM), and the 2.0 beta has been out for some time now. SAMM provides a maturity model for organizations to analyse and improve their software security posture. It breaks down recommended practices by business function and maturity level and gives detailed guidance on these practices. This helps organizations drive continuous improvement through an iterative approach.

In “OWASP SAMM2 - your dynamic software security journey” Sebastien Deleersnyder provided an overview of both the current model (v1.5) and the new beta (v2.0).

In “Secure agile development according to SAMM” Rob Van Der Veer presented the agile notes which provide additional guidance on how to embed security activities in agile organizations.

Our key takeaways from these sessions:

  • SAMM 2 offers support for modern Agile DevOps practices and has become project methodology agnostic
  • The current beta seems stable enough for early adopters, but watch GitHub for updates
  • SAMM can be useful as a benchmark when discussing expectations with senior stakeholders, and when mapping security activities to a product roadmap
  • SAMM offers supporting resources such as the assessment toolbox
  • There is specific guidance for agile organizations

Container security

Containers are everywhere and they are here to stay. The concept of containerization is very powerful, but with great power comes great responsibility. The biggest challenges when securing container based applications are that the number of components to secure has drastically increased, and that the responsibility for designing and securing these components has shifted from infrastructure specialists to software developers, who usually don’t have much experience in network design, system administration and security.

Dirk Wetter presented a new OWASP project, the Docker Top 10. Dirk set out in great detail how the use of containers can be dangerous if not properly designed and maintained, and proposed ten areas of controls that help reduce the attack surface.

Docker Top 10 on GitHub:

  • D01 - Secure User Mapping
  • D02 - Patch Management
  • D03 - Network Segmentation and Firewalling
  • D04 - Secure Defaults and Hardening
  • D05 - Maintain Security Contexts
  • D06 - Protect Secrets
  • D07 - Resource Protection
  • D08 - Container Image Integrity and Origin
  • D09 - Follow Immutable Paradigm
  • D10 - Logging

Our takeaways from this session were:

  • Container security is mostly about system and network security
  • Controls like patch management, hardening and secrets management are not new but there are more layers, instances and people involved than in traditional environments
  • Orchestration systems must be tightly locked down because they control everything
  • We cannot let developers be solely responsible for something they don’t understand
  • This is definitely a project to watch

Other interesting talks

There was so much more! Below are some sessions we attended that we wanted to call out.

In “Unlikely allies: how HR can help build a security-first culture” Alison Eastaway explained how HR can help to make security a priority and to keep it fun. A must see for all security and HR officers.

JavaScript is everywhere, frontend and backend, and the (r)evolution of JavaScript frameworks is moving at a thrilling pace. There are big differences between frameworks when it comes to security in terms of capabilities, maturity, defaults, and more. In “How do JavaScript frameworks impact the security of applications?” Ksenia Peguero shared research she did on public code repositories to understand how the choice of JavaScript frameworks affected the application’s resilience against common vulnerabilities like XSS, CSRF, etc.

Serialization and deserialization are used in many places when data is exchanged between (sub)systems or components. A good example is an object in a browser being sent as JSON text to a backend API, or vice versa, but there are many other forms and applications. In this example, when the JSON text is deserialized back into an object, the transformation is potentially very dangerous: the application should not trust the serialized input, because an attacker may have modified its content to cause the unintended creation of objects or properties, which in turn can have all sorts of adverse effects. In “[In]secure deserialisation, and how [not] to do it” Alexei Kojenov set out a collection of examples of how (not) to do this.
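As an added illustration of the browser-to-backend case (not code from the talk), the following Python compares a profile class that trusts every key in the deserialized JSON with one that accepts only an allowlist of typed fields. The class names, the `is_admin` field and the tampered request body are constructed for the example.

```python
import json


class TrustingProfile:
    """Vulnerable: every key in the JSON body becomes an attribute."""
    is_admin = False                     # meant to be server-controlled only

    def __init__(self, data: dict):
        self.__dict__.update(data)       # client chooses attribute names and values


class StrictProfile:
    """Hardened: only allowlisted fields with the expected type are copied."""
    ALLOWED = {"display_name": str, "email": str}
    is_admin = False

    def __init__(self, data: dict):
        unexpected = set(data) - set(self.ALLOWED)
        if unexpected:
            raise ValueError(f"unexpected fields: {sorted(unexpected)}")
        for field, typ in self.ALLOWED.items():
            value = data.get(field)
            if not isinstance(value, typ):
                raise ValueError(f"{field!r} must be {typ.__name__}")
            setattr(self, field, value)


# Constructed request body: the client added a field it must not control.
TAMPERED_JSON = '{"display_name": "mallory", "email": "m@example.com", "is_admin": true}'


def load_trusting(body: str) -> TrustingProfile:
    return TrustingProfile(json.loads(body))


def load_strict(body: str) -> StrictProfile:
    return StrictProfile(json.loads(body))


if __name__ == "__main__":
    # The trusting class silently grants what the client asked for.
    print("trusting is_admin:", load_trusting(TAMPERED_JSON).is_admin)
    try:
        load_strict(TAMPERED_JSON)
    except ValueError as exc:
        print("strict rejected:", exc)
```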

In “Five key trends in application security” Ameya Talwalkar summed up five key trends he sees in the application security landscape. Ameya underpins these trends by showing concrete examples of real-world threats and attacks. We are warned.

Wrapping up

We had two great days with our team. We learned a lot and left with a healthy dose of fresh inspiration. The task at hand can be quite intimidating but the collective knowledge of the community helps us plan for impact.

Our key takeaways in a nutshell?

  • We must automate and delegate to keep up
  • We must continuously learn and share knowledge to avoid old mistakes in new ways
  • We should focus on controls that impact entire organizations

Are you, like us, still hungry for more? As of last week, all the videos are available on the OWASP YouTube channel, so you can watch the sessions you missed.

Thanks for reading and thank you OWASP!
