Application security testing in the age of Agile development
Director of Professional Services at Blaze Information Security
INTRO
AGENDA
Traditional penetration testing model
DEVELOPMENT METHODOLOGIES VS. SECURITY
In the past decade or so there was a shift from the waterfall to the Agile development model. We moved to Agile / DevOps, but security was once again left out.
WATERFALL DEVELOPMENT PROCESS
CURRENT SOFTWARE DEVELOPMENT PROCESS
PROBLEMATIC APPROACH TO SECURITY
Think of your system as a cake: security is often brushed on top of the cake, instead of being baked in as layers.
You push code continuously, so why aren't security initiatives continuous too?
TRADITIONAL SECURITY TESTING
○ Penetrate-and-patch approach: practised since the 60's, with an uptick in the late 90's and the current momentum since the 2000's
○ Traditional security testing happens only at the very end of the process: after everything has been built, a team is brought in to review / break things
○ Time-boxed engagements: a team is usually hired for 1 or 2 weeks for an assessment. Impossible to get acquainted with the inner workings of the system and get the best bugs out of it
DISADVANTAGES OF THE CURRENT APPROACH #1
○ Things are broken: some defects are easy to fix, others will require more time, delaying the go-live date
○ Trying to bolt security onto software after it has been developed produces an insufficiently secure product
○ The cost of fixing issues increases steadily as the end of the development cycle approaches
DISADVANTAGES OF THE CURRENT APPROACH #2
○ Silo culture: breakers often lack the builders' knowledge, so edge cases and tricky bugs will be missed
○ Security becomes a bottleneck for faster releases
Application security engineering
MODERN SECURITY ENGINEERING IN SOFTWARE DEVELOPMENT
○ Build security in, from the early days of the project until the day it launches
○ Make security activities an active part of the project sprint
○ Teams: add "adversarial thinking" to your user stories
SECURITY ACTIVITIES IN THE DEVELOPMENT PROCESS
○ Security code review
○ Introduce security-oriented tests
○ Risk analysis
○ Threat modeling
○ Security requirements
○ Abuse cases
○ Vulnerability scanning
○ Penetration testing
○ SecOps
○ Continuous penetration testing
MODERN SECURITY ENGINEERING IN SOFTWARE DEVELOPMENT: IN THE IDEAL WORLD
AND IN THE REAL WORLD…
How can QA testers help?
TOWARDS SOFTWARE ASSURANCE ON A SHOESTRING
What can we do as QAs to help an average development team with few resources improve its security maturity?
○ Ops team: add open-source security controls to your DevOps pipeline
○ Security team: teach QAs application security basics and how to identify easy bugs
QUICK WIN #1: CROSS-SITE SCRIPTING
○ Cross-site scripting (XSS) is an attack that can compromise the users of a website
○ Often used to execute scripts in the user's browser
○ One of the most common classes of vulnerability affecting web applications
○ Sample payload – how to test: "><script>alert(1)</script><"
QUICK WIN #2: TEMPLATE INJECTION
○ Server-side template injection (SSTI) happens when user input is inserted into a template and rendered by a template engine
○ Template rendering is frequently executed server-side
○ Sample payload – how to test: {{7*7}}
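The two probes above are cheap for a QA tester to send, but the interesting part is reading the response. The following Python is an added example, not code from the slides or from Blaze: it shows a constructed handler that concatenates input into HTML beside its hardened form (html.escape), and two small classifiers that read a response the way the slides suggest, distinguishing an escaped reflection from an unescaped one, and a literal {{7*7}} from an evaluated 49. The greeting handler, the response bodies and the "qa-test" baseline value are all constructed for the example.

```python
import html

# Markers quoted on the slides; both are benign probes a QA tester can send.
XSS_MARKER = '"><script>alert(1)</script><"'
SSTI_MARKER = "{{7*7}}"


def render_greeting_unsafe(name):
    """Constructed vulnerable handler: user input is concatenated straight into HTML."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Hardened form: encode for the HTML text context before emitting.
    quote=True also encodes quotes, so the marker cannot break out of an attribute."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def check_xss_reflection(body):
    """Classify how the XSS marker came back in a response body.

    'unescaped' -> reflected verbatim; XSS candidate, confirm in a browser
    'escaped'   -> only the HTML-encoded form is present
    'absent'    -> not reflected at all
    """
    if XSS_MARKER in body:
        return "unescaped"
    if html.escape(XSS_MARKER, quote=True) in body:
        return "escaped"
    return "absent"


def check_ssti_evaluation(body, baseline_body):
    """Classify the response to the {{7*7}} probe.

    baseline_body is the response to a harmless value such as 'qa-test', so a
    '49' that was already on the page does not produce a false positive.

    'literal'   -> the marker came back unchanged; the engine treated it as text
    'evaluated' -> the marker is gone and a new 49 appeared; SSTI candidate
    'absent'    -> neither the marker nor a new 49 is present
    """
    if SSTI_MARKER in body:
        return "literal"
    if "49" in body and "49" not in baseline_body:
        return "evaluated"
    return "absent"


# Constructed responses standing in for a real server's replies to the SSTI probe.
SSTI_BASELINE_RESPONSE = "<p>Hello, qa-test</p>"
SSTI_LITERAL_RESPONSE = "<p>Hello, {{7*7}}</p>"
SSTI_EVALUATED_RESPONSE = "<p>Hello, 49</p>"


if __name__ == "__main__":
    print(check_xss_reflection(render_greeting_unsafe(XSS_MARKER)))  # unescaped
    print(check_xss_reflection(render_greeting_safe(XSS_MARKER)))    # escaped
    print(check_ssti_evaluation(SSTI_EVALUATED_RESPONSE, SSTI_BASELINE_RESPONSE))  # evaluated
```

Both classifiers only flag candidates: an "unescaped" reflection inside a comment or a JavaScript string needs a different encoding than html.escape provides, and an "evaluated" result still has to be confirmed by a developer who knows which engine renders the page. The fix on the development side is the same in both cases: user input goes into a template as data, never into the template source, and is encoded for the context it lands in.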
QUICK WIN #3: IDOR
○ Insecure direct object reference (IDOR) occurs when user input is used to access objects directly
○ IDORs are a common access control problem
○ This type of issue is usually easy to find
○ How to test: seen ?id=1? Then why not cycle through id=2, id=3, id=4…
QUICK WIN #4: SERVER-SIDE REQUEST FORGERY
○ SSRF allows an attacker to make the application issue requests on their behalf
○ It can be used to connect to resources located in the organization's internal network, interacting with otherwise inaccessible back-end systems
○ The result of a successful SSRF can range from leaking cloud secret keys to code execution
○ How to test: a parameter taking a URL? Try: https://www.myip.is
If the IP shown isn't yours but the server's, you may have an SSRF
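The defensive counterpart to the slide's test is a server-side check on any URL the application is asked to fetch. The Python below is an added example, not code from the slides or from Blaze: it restricts the scheme, rejects credentials embedded in the URL, optionally enforces a host allowlist, and resolves the host so that names pointing at loopback, private, link-local (where cloud metadata services live) or otherwise non-public addresses are refused. The FAKE_DNS table and its host names are constructed so the example runs offline; the sample public address is likewise constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline; a real deployment would use
# resolve_with_system_dns below. The public address is a sample value only.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],
    "metadata.local": ["169.254.1.1"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def resolve_with_system_dns(host):
    """Return every address the system resolver has for host (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip):
    """True only for addresses that are routable on the public internet."""
    addr = ipaddress.ip_address(ip)
    return not (
        addr.is_private        # RFC 1918 and other special-purpose ranges
        or addr.is_loopback    # 127.0.0.0/8, ::1
        or addr.is_link_local  # 169.254.0.0/16, fe80::/10; cloud metadata lives here
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def check_outbound_url(url, resolve=resolve_with_system_dns, allowed_hosts=None):
    """Return "ok" if the application may fetch url, otherwise the reason to refuse."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    if parts.username is not None or parts.password is not None:
        return "credentials in URL not allowed"
    if allowed_hosts is not None and host not in allowed_hosts:
        return "host not on allowlist"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP: no DNS lookup needed
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return "host did not resolve"
    for ip in addresses:  # every address must pass, not just the first one
        if not is_public_address(ip):
            return "resolves to non-public address " + ip
    return "ok"


if __name__ == "__main__":
    for candidate in ("https://api.example.com/hook", "http://intranet.corp/admin",
                      "http://127.0.0.1:8080/", "file:///etc/passwd"):
        print(candidate, "->", check_outbound_url(candidate, resolve=fake_resolve))
```

Two caveats a practitioner should carry with this check: the address that passed validation must be the one the HTTP client actually connects to (a second, independent DNS lookup inside the client reopens the hole, and so does following a redirect without re-running the check), and an allowlist of hosts the feature genuinely needs is a stronger control than the denylist of address ranges on its own.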
QUICK WIN #5: MISCONFIGURED AUTHORIZATION
○ The idea of authorization is to allow or restrict a user's access to a given resource
○ Horizontal vs. vertical privilege escalation
○ How to test: get two sessions from different users (A and B). Try to use A's session tokens to access the same resources expected to be available only to B
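Quick wins #3 and #5 are the same defect seen from two sides: an object id from the request is honoured without asking whether the caller may see that object (horizontal), or an admin-only action is exposed without a role check (vertical). The Python below is an added example, not code from the slides or from Blaze: a constructed in-memory invoice store with an insecure and a hardened lookup, an insecure and a hardened admin report, and the slide's two-session test written as a reusable security-oriented test a QA team can keep in the sprint. The Session class, the INVOICES table, the user names and the AccessDenied exception are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the server knows about the caller after authentication (constructed)."""
    user_id: str
    role: str  # "user" or "admin"


class AccessDenied(Exception):
    """Stands in for an HTTP 403/404; the caller learns nothing about the object."""


# Constructed in-memory store. Sequential ids make the slide's id=2, id=3 walk
# trivial, which is why the authorization check, not id obscurity, must carry the load.
INVOICES = {
    1: {"owner": "alice", "total": 120.0},
    2: {"owner": "bob", "total": 80.0},
}


def is_denied(fn, *args):
    """Run fn and report whether it refused the caller."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


def get_invoice_insecure(session, invoice_id):
    """IDOR: the id from the request selects the object; ownership is never checked."""
    return INVOICES.get(invoice_id)


def get_invoice_secure(session, invoice_id):
    """Object-level check: the caller must own the invoice or hold the admin role.
    Missing and foreign invoices get the same response, so ids cannot be enumerated."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice["owner"] != session.user_id and session.role != "admin"):
        raise AccessDenied(invoice_id)
    return invoice


def invoice_totals_insecure(session):
    """Admin-only report with no role check: vertical privilege escalation."""
    return sum(inv["total"] for inv in INVOICES.values())


def invoice_totals_secure(session):
    """Function-level check: the role is taken from the server-side session."""
    if session.role != "admin":
        raise AccessDenied("admin role required")
    return sum(inv["total"] for inv in INVOICES.values())


def horizontal_check(fetch, owner, other, object_id):
    """The slide's two-session test. True when the other user's session can read an
    object the owner can read, i.e. a horizontal privilege escalation finding."""
    if fetch(owner, object_id) is None:
        raise ValueError("owner must be able to read the object for the test to mean anything")
    return not is_denied(fetch, other, object_id)


def vertical_check(action, low_privilege):
    """True when a non-admin session can run an admin-only action."""
    return not is_denied(action, low_privilege)


if __name__ == "__main__":
    alice, bob = Session("alice", "user"), Session("bob", "user")
    print("IDOR in insecure lookup:", horizontal_check(get_invoice_insecure, alice, bob, 1))  # True
    print("IDOR in secure lookup:  ", horizontal_check(get_invoice_secure, alice, bob, 1))    # False
    print("vertical escalation:    ", vertical_check(invoice_totals_insecure, bob))           # True
```

The check functions take the handler as a parameter so the same test runs against every endpoint that accepts an object id, which is how a team without a dedicated security specialist keeps these two classes of bug from regressing once they have been fixed.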
Conclusion
CONCLUSION
○ Security is not always that complicated, and thinking it is makes it harder
○ Code is being pushed into production faster than ever before, and security has not caught up – but this is changing
Introducing security into the DevOps pipeline and QA, even on a budget, may yield good results if your team can't afford dedicated specialists.
A lot of application security testing is just glorified QA with different tools and hacker-sounding names. Really.
With Agile, security is now part of everyone's job.
Application security testing in the age of Agile development - by Julio Cesar Fort
Application security testing in the age of Agile development - by Julio Cesar Fort
Application security testing in the age of Agile development - by Julio Cesar Fort

More Related Content

What's hot

DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16Rich Mills
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Stefan Streichsbier
 
Zero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsZero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsDevSecOps Days
 
Nick Drage & Fraser Scott - Epic battle devops vs security
Nick Drage & Fraser Scott - Epic battle devops vs securityNick Drage & Fraser Scott - Epic battle devops vs security
Nick Drage & Fraser Scott - Epic battle devops vs securityDevSecCon
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon
 
DevSecCon London 2017: How far left do you want to go with security? by Javie...
DevSecCon London 2017: How far left do you want to go with security? by Javie...DevSecCon London 2017: How far left do you want to go with security? by Javie...
DevSecCon London 2017: How far left do you want to go with security? by Javie...DevSecCon
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyDerek E. Weeks
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Stefan Streichsbier
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
Matt carroll - "Security patching system packages is fun" said no-one ever
Matt carroll - "Security patching system packages is fun" said no-one everMatt carroll - "Security patching system packages is fun" said no-one ever
Matt carroll - "Security patching system packages is fun" said no-one everDevSecCon
 
Secure your Azure and DevOps in a smart way
Secure your Azure and DevOps in a smart waySecure your Azure and DevOps in a smart way
Secure your Azure and DevOps in a smart wayEficode
 
8 Tips for Deploying DevSecOps
8 Tips for Deploying DevSecOps8 Tips for Deploying DevSecOps
8 Tips for Deploying DevSecOpsFelicia Haggarty
 
The Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsThe Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsWhiteSource
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsPriyanka Aash
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
Why Serverless is scary without DevSecOps and Observability
Why Serverless is scary without DevSecOps and ObservabilityWhy Serverless is scary without DevSecOps and Observability
Why Serverless is scary without DevSecOps and ObservabilityEficode
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 

What's hot (20)

DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
 
Zero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsZero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOps
 
Nick Drage & Fraser Scott - Epic battle devops vs security
Nick Drage & Fraser Scott - Epic battle devops vs securityNick Drage & Fraser Scott - Epic battle devops vs security
Nick Drage & Fraser Scott - Epic battle devops vs security
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney
 
DevSecCon London 2017: How far left do you want to go with security? by Javie...
DevSecCon London 2017: How far left do you want to go with security? by Javie...DevSecCon London 2017: How far left do you want to go with security? by Javie...
DevSecCon London 2017: How far left do you want to go with security? by Javie...
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
Matt carroll - "Security patching system packages is fun" said no-one ever
Matt carroll - "Security patching system packages is fun" said no-one everMatt carroll - "Security patching system packages is fun" said no-one ever
Matt carroll - "Security patching system packages is fun" said no-one ever
 
Secure your Azure and DevOps in a smart way
Secure your Azure and DevOps in a smart waySecure your Azure and DevOps in a smart way
Secure your Azure and DevOps in a smart way
 
8 Tips for Deploying DevSecOps
8 Tips for Deploying DevSecOps8 Tips for Deploying DevSecOps
8 Tips for Deploying DevSecOps
 
The Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsThe Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOps
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOps
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim Mackey
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
Why Serverless is scary without DevSecOps and Observability
Why Serverless is scary without DevSecOps and ObservabilityWhy Serverless is scary without DevSecOps and Observability
Why Serverless is scary without DevSecOps and Observability
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOps
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
Security in open source projects
Security in open source projectsSecurity in open source projects
Security in open source projects
 

Similar to Application security testing in the age of Agile development - by Julio Cesar Fort

A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application SecurityChristian Martorella
 
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic WebinarMaking the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic WebinarSumo Logic
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Najib Radzuan
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzSeniorStoryteller
 
Turning security into code by Jeff Williams
Turning security into code by Jeff WilliamsTurning security into code by Jeff Williams
Turning security into code by Jeff WilliamsDevSecCon
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
DevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLCDevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLCDev Software
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.pptgealehegn
 
Application Security from the Inside Out
Application Security from the Inside OutApplication Security from the Inside Out
Application Security from the Inside OutUlisses Albuquerque
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product SecuritySoftServe
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingKnoldus Inc.
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsManaging Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsThierry Zoller
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps TransformationMichele Chubirka
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Dilum Bandara
 
Dev secops security and compliance at the speed of continuous delivery - owasp
Dev secops  security and compliance at the speed of continuous delivery - owaspDev secops  security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owaspDag Rowe
 

Similar to Application security testing in the age of Agile development - by Julio Cesar Fort (20)

A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application Security
 
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic WebinarMaking the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
The Unlikely Couple, DevOps and Security. Can it work?
The Unlikely Couple, DevOps and Security. Can it work?The Unlikely Couple, DevOps and Security. Can it work?
The Unlikely Couple, DevOps and Security. Can it work?
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon Lietz
 
Turning security into code by Jeff Williams
Turning security into code by Jeff WilliamsTurning security into code by Jeff Williams
Turning security into code by Jeff Williams
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
DevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLCDevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLC
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
 
Application Security from the Inside Out
Application Security from the Inside OutApplication Security from the Inside Out
Application Security from the Inside Out
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat Modelling
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsManaging Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendations
 
Year Zero
Year ZeroYear Zero
Year Zero
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
Dev secops security and compliance at the speed of continuous delivery - owasp
Dev secops  security and compliance at the speed of continuous delivery - owaspDev secops  security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owasp
 
Devsec ops
Devsec opsDevsec ops
Devsec ops
 

Recently uploaded

Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 

Recently uploaded (20)

Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 

Application security testing in the age of Agile development - by Julio Cesar Fort

  • 1.
  • 2.
  • 3. Application security testing in the age of Agile development
  • 4. Director of Professional Services at Blaze Information Security INTRO
  • 7. DEVELOPMENT METHODOLOGIES VS. SECURITY In the past decade or so there was a shift from the waterfall to the Agile development model. We went into Agile / DevOps but security was once again left out.
  • 11. Think of your system as a cake: security is often brushed on top of the cake, instead of being baked in as layers. PROBLEMATIC APPROACH TO SECURITY
  • 12. You push code continuously, but why aren’t security initiatives continuous too? PROBLEMATIC APPROACH TO SECURITY
  • 13. TRADITIONAL SECURITY TESTING ○ Penetrate and patch approach: has been done since the 60s, with an uptick in the late 90s and the current momentum since the 2000s ○ Traditional security testing only occurs right at the end of the process: after everything has been built, you bring in a team to review / break things ○ Time-boxed engagements: usually a team gets hired for 1 or 2 weeks for an assessment; impossible to get acquainted with the inner workings of the system and get the best bugs out of it
  • 14. DISADVANTAGES OF THE CURRENT APPROACH #1 ○ Things are broken: some defects are easier to fix, some others will require more time - delays in the GO-LIVE date ○ Trying to bolt security onto software after it has been developed produces an insufficiently secure product ○ Cost of fixing issues gradually increases as the end of the development cycle approaches
  • 16. DISADVANTAGES OF THE CURRENT APPROACH #2 ○ Silo culture: breakers often lack the builders’ knowledge; edge cases and tricky bugs will be missed ○ Security becomes a bottleneck for faster releases
  • 18. MODERN SECURITY ENGINEERING IN SOFTWARE DEVELOPMENT ○ Build security in – from the early days of the project until the day it launches ○ Make security activities an active part of the project sprint ○ Teams: add “adversarial thinking” into your user stories
  • 19. SECURITY ACTIVITIES IN THE DEVELOPMENT PROCESS: Security Code Review, Security Oriented Tests, Risk Analysis, Threat Modeling, Security Requirements, Abuse Cases
  • 20. SECURITY ACTIVITIES IN THE DEVELOPMENT PROCESS Vulnerability Scanning Penetration Testing
  • 21. SECURITY ACTIVITIES IN THE DEVELOPMENT PROCESS SecOps Continuous Penetration Testing
  • 22. MODERN SECURITY ENGINEERING IN SOFTWARE DEVELOPMENT: IN THE IDEAL WORLD
  • 23. AND IN THE REAL WORLD…
  • 25. TOWARDS SOFTWARE ASSURANCE ON A SHOESTRING What can we do as QAs to help an average development team with little resources to improve security maturity?
  • 26. TOWARDS SOFTWARE ASSURANCE ON A SHOESTRING ○ Ops team: add open-source security controls into your DevOps pipeline ○ Security team: teach QAs application security basics and how to identify easy bugs
  • 27. QUICK WIN #1: CROSS-SITE SCRIPTING ○ Cross-site scripting (XSS) is an attack that can compromise users of a website ○ Often used to execute scripts in the user’s browser ○ One of the most common classes of vulnerability affecting web applications ○ Sample payload – how to test: “><script>alert(1)</script><“
  • 28. QUICK WIN #2: TEMPLATE INJECTION ○ Server-Side Template Injection (SSTI) happens when user input is injected into a template and rendered by a template engine ○ Template rendering is frequently executed server-side ○ Sample payload – how to test: {{7*7}}
  • 29. QUICK WIN #3: IDOR ○ Insecure Direct Object Reference (IDOR) occurs when user input is used to access objects directly ○ IDORs are a common access control problem ○ This type of issue is usually easy to find ○ How to test: Seen ?id=1 - so why not cycle through id=2, id=3, id=4…
  • 30. QUICK WIN #4: SERVER-SIDE REQUEST FORGERY ○ SSRF allows an attacker to instruct the application to issue requests on his/her behalf ○ It can be used to connect to resources located in the organization’s internal network, interacting with otherwise inaccessible back-end systems ○ The result of a successful SSRF can range from leaking cloud secret keys to code execution ○ How to test: A parameter taking a URL? Try: https://www.myip.is If the IP isn’t yours but the server’s, you may have an SSRF
  • 31. QUICK WIN #5: MISCONFIGURED AUTHORIZATION ○ The idea of authorization is to allow or restrict access to a given resource for a user ○ Horizontal vs. vertical privilege escalations ○ How to test: get two sessions from different users (A and B). Try to use A’s session tokens to access the same resources expected only to be available for B
  • 33. CONCLUSION ○ Security is not always that complicated and thinking this way makes it harder ○ Code is being pushed into production faster than ever before, and security did not catch up – but this is changing
  • 34. Introducing security into the DevOps pipeline and QA even on a budget may yield good results if your team can’t afford dedicated specialists. CONCLUSION
  • 35. A lot of application security testing is just glorified QA with different tools and hacker-sounding names. Really. CONCLUSION
  • 36. With Agile, security is now part of everyone’s job. CONCLUSION
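As an added example (not code from the talk, nor Blaze's tooling), quick wins #1, #3 and #5 written the way a QA tester could put them into a regression suite: a constructed in-memory "invoice" API with the vulnerable handler beside its hardened form, a two-session check in the spirit of slide 31, and a reflection check for the slide 27 XSS string. All names (SESSIONS, INVOICES, get_invoice_idor, etc.) are assumptions for the example.

```python
import html

# Constructed demo data for this example (not from the talk): two session
# tokens mapped to users, and two invoices, each owned by one user.
SESSIONS = {"tok-A": "alice", "tok-B": "bob"}
INVOICES = {1: ("alice", "Invoice for alice"), 2: ("bob", "Invoice for bob")}
XSS_PROBE = '"><script>alert(1)</script><"'   # the slide 27 test string


def get_invoice_idor(token, invoice_id):
    """'Before' handler: the id from the request is trusted directly (IDOR)."""
    if token not in SESSIONS:
        return 401, None
    if invoice_id not in INVOICES:
        return 404, None
    return 200, INVOICES[invoice_id][1]


def get_invoice_fixed(token, invoice_id):
    """Hardened handler: the object must belong to the session's user."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    row = INVOICES.get(invoice_id)
    if row is None or row[0] != user:
        return 404, None          # same answer for "missing" and "not yours"
    return 200, row[1]


def greeting_raw(name):
    return f"<p>Hello {name}</p>"                      # reflects input as-is


def greeting_fixed(name):
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def readable_by_both(handler, token_a, token_b, ids):
    """Slide 31 check: ids that both sessions can read. For per-user data
    this must be empty; any entry is a horizontal authorization failure."""
    return [i for i in ids
            if handler(token_a, i)[0] == 200 and handler(token_b, i)[0] == 200]


def reflects_unescaped(renderer, probe=XSS_PROBE):
    """Slide 27 check: the probe must not come back byte-for-byte in the HTML."""
    return probe in renderer(probe)
```

Against the vulnerable pair, readable_by_both reports both invoices and reflects_unescaped returns True; against the hardened pair both checks come back clean, which is the assertion a QA pipeline would keep.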

Editor's Notes

  1. My name is Julio, I am currently a partner and director of services at Blaze Information Security. We are a cybersecurity consultancy company offering a range of technical services for customers in Europe and Latin America, mostly related to application security.
  2. Here’s the brief agenda. We start talking about the traditional penetration testing model, then speak about modern security engineering activities and move on to answer how QA testers can help and finally conclude the talk.
  3. So, we will now discuss briefly the current penetration test model applied by most organizations out there.
  4. So as you guys know very well, the waterfall software development process was the thing until a couple of years ago, maybe a decade or so. Now many modern organizations have shifted into agile and all this paradigm of move fast and break things, and so on, but again security takes the back-seat and is rarely considered a priority.
  5. Now we have a brief overview of the regular activities that are performed in the waterfall software development process. As you can imagine, we can bring in a few security activities in each step.
  6. We now have agile and DevOps, which, at least in my understanding as a non-software developer and QA tester, are fairly similar to waterfall; however, that process happens much more often and in faster iterations.
  7. The current approach to security is, in my opinion, problematic. Think of your system as a cake: often security is brushed on, like cream or a cherry on top of the cake, instead of being baked into the foundations of the cake, as layers. And this attempt to retro-fit security into a system that was never designed with it in the first place usually creates a system that is insufficiently secure, and will bring a lot more costs at the end of the day, as we will see later.
  8. And in the age of agile, you push code continuously – is your security continuous too?
  9. Traditional security testing has been happening since maybe the 60’s, I guess it was the US Air Force who started it, commissioning penetration testing of their old computer systems. This penetrate and patch approach has gained the shape and form it has since the 1990’s, when the first IT security companies started to appear in the market and, to be honest, not much has changed since then. That is, it’s almost 30 years and we’re doing the same thing. Again, we try to bring security in at a pretty late stage of the project and assessments are usually time-boxed: 1, 2 or 3 weeks, which in many cases makes it difficult to get acquainted with the inner workings of the system, fully understand the business logic, etc. These approaches have, obviously, some disadvantages as we will see later.
  10. What if things are broken and your go-live date is next week? What if it is a design error and not a simple implementation bug? As we will see in the upcoming slide, the cost of fixing issues grows exponentially as the end of the development cycle approaches.
  11. So as we can see here, research from IBM Rational says it can cost up to 30 times MORE to fix issues depending on the phase of development they are found in, whereas at the very beginning it is a lot lower than this.
  12. The current approach of testing at the end not only can cause costs to go higher, but it also does not leverage the internal knowledge and communication between teams, and the builder’s knowledge is important to find the edge cases and tricky bugs. On top of that, by testing only at the end, security can become a bottleneck for faster releases.
  13. But all of this is in the ideal world, where we will have training, consultancy from experts, threat modeling, source code review, DevSecOps, etc. We know this is in many cases not feasible for most organizations.
  14. So in the real world, with a lot of luck you may get a penetration test once a year. And often because it was mandated by a customer or a partner. But remember, we push code out sometimes daily and might have a much wider security technical debt than we think. So how can QA testers help?
  15. How can you, QA testers, help a development team to improve security?
  16. Of course, we are talking about collaboration here and there must be the involvement of a few other teams too, such as the Ops and Security teams. In my opinion, what the security team can do best is to train QA testers in the basics of application security and how to identify the quick wins.
  17. One of the first quick wins we can talk about is cross-site scripting. (Read the slides)
  18. Template injection happens when the user input is injected into a template and rendered as such by the template engine. It is frequently executed server-side and we know template languages can sometimes be very powerful, to the point where we can do introspection, read configuration objects of the application, and even execute code.