Presentation Material
AI Generated Summary
The talk introduces application security (AppSec) as a critical component of modern secure software development, using a fictional case study of the “Tatter” anti-social network to illustrate the consequences of neglecting security practices. In the initial scenario (Tatter 1.0), the development team prioritized feature velocity over security, leading to multiple critical failures: API keys hardcoded into the mobile applications, inadequate API rate limiting, weak password hashing (MD5, a fast general-purpose digest rather than a purpose-built password hash), credential reuse between user accounts and source control, and a lack of multi-factor authentication. These flaws allowed attackers to extract the embedded secrets, enumerate usernames through the unthrottled API, crack the MD5 password hashes, reuse the recovered credentials to reach admin accounts, and ultimately exfiltrate source code and customer data from cloud storage, resulting in a catastrophic breach.
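To make the MD5 failure concrete, the following is an added example (not code from the talk) contrasting the Tatter 1.0 style of storage with a hardened form. The user table, the wordlist and all names are constructed for illustration. It shows why unsalted MD5 falls to a dictionary attack (one hash per candidate checks every user at once) and how a per-user random salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library, used here as the stand-in for a purpose-built password hash) removes both properties.

```python
"""Weak (MD5) vs hardened password storage.

Added example, not the talk's code. The leaked table, the wordlist and the
iteration count are constructed / assumed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional


# --- Tatter 1.0 style: unsalted MD5 --------------------------------------
def md5_hash(password: str) -> str:
    """Fast, unsalted, deterministic: identical passwords give identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed "leaked" user table of the kind an attacker would pull from a breach.
LEAKED_TABLE: Dict[str, str] = {
    "alice": md5_hash("password123"),
    "bob": md5_hash("letmein"),
    "carol": md5_hash("correct horse battery staple"),
}

# Constructed mini wordlist; a real attack would use millions of entries.
WORDLIST: List[str] = ["123456", "password", "password123", "letmein", "qwerty"]


def crack_md5(table: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack against unsalted MD5.

    Each candidate is hashed once and compared against every stored hash,
    so the cost is O(wordlist), independent of the number of users.
    Returns {user: recovered_password} for every hit.
    """
    lookup = {md5_hash(word): word for word in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


# --- Tatter 2.0 style: per-user salt + slow KDF ---------------------------
ITERATIONS = 600_000  # assumed work factor; tune to your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("cracked:", crack_md5(LEAKED_TABLE, WORDLIST))
    record = hash_password("hunter2")
    print("record:", record)
    print("verify ok:", verify_password("hunter2", record))
    print("verify bad:", verify_password("hunter3", record))
```

Two of the three constructed users fall immediately because their passwords are in the wordlist; the salted PBKDF2 records differ even for identical passwords, and each guess must be re-derived per user at the full iteration cost. In production prefer a memory-hard hash such as Argon2id or scrypt where a library is available; the stdlib PBKDF2 is used here only so the example runs without dependencies.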
The talk then contrasts this with a secure development lifecycle (Tatter 2.0), where AppSec processes run in parallel with each phase of the software development lifecycle (SDLC), a practice known as “shifting left.” Key techniques presented include: threat modeling during design, using data flow diagrams and the STRIDE framework (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) to identify and mitigate risks such as spoofing and information disclosure; security-focused code reviews to catch implementation flaws; Static Application Security Testing (SAST) tools that automatically scan committed code for vulnerabilities such as buffer overflows, injection flaws, and hardcoded secrets; and Dynamic Application Security Testing (DAST), including fuzzing and intercepting proxies (e.g., OWASP ZAP, Burp Suite), to exercise running applications and surface unexpected behavior. Software Composition Analysis (SCA) is also highlighted for managing risk in third-party dependencies, that is, known vulnerabilities in the libraries the application pulls in.
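The following is an added example (not from the talk) of the kind of check a SAST stage runs on committed code: a small pattern-based scanner that flags hardcoded credentials and MD5-based password hashing, the two Tatter 1.0 defects a static tool would have caught before merge. The rules, the sample source file and the finding format are all constructed; real SAST tools such as Bandit or Semgrep parse the code properly and ship far larger rule sets, and dedicated secret scanners add entropy checks and provider-specific key formats.

```python
"""Toy SAST check for hardcoded secrets and MD5 password hashing.

Added example, not the talk's code. RULES, SAMPLE_SOURCE and the finding
dictionary layout are constructed for illustration only.
"""
import re
from typing import Dict, List, Pattern, Tuple

# (rule id, compiled pattern, message). Patterns are deliberately simple.
RULES: List[Tuple[str, Pattern[str], str]] = [
    (
        "hardcoded-secret",
        # a credential-looking identifier assigned a quoted literal of 8+ chars
        re.compile(r"""(?i)\b(api[_-]?key|secret|token|password)\s*[:=]\s*["'][^"']{8,}["']"""),
        "possible hardcoded credential; load it from a secret store instead",
    ),
    (
        "weak-hash-md5",
        re.compile(r"""\b(hashlib\.md5|MessageDigest\.getInstance\(\s*"MD5"|md5\()"""),
        "MD5 is not a password hash; use a salted, slow KDF",
    ),
]

# Constructed sample resembling Tatter 1.0 code. Line 3 is the safe pattern
# (secret read from the environment) and must not be flagged.
SAMPLE_SOURCE = """\
import hashlib
API_KEY = "AKIAEXAMPLE0123456789"        # baked into the mobile build
password = os.environ["DB_PASSWORD"]     # fine: read from environment
def store(pw):
    return hashlib.md5(pw.encode()).hexdigest()
"""


def scan(source: str, path: str = "app.py") -> List[Dict[str, object]]:
    """Run every rule over every line; return one finding per (line, rule) hit."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, message in RULES:
            if pattern.search(line):
                findings.append(
                    {
                        "path": path,
                        "line": lineno,
                        "rule": rule_id,
                        "message": message,
                        "code": line.strip(),
                    }
                )
    return findings


def ci_gate(findings: List[Dict[str, object]]) -> bool:
    """True when the commit may proceed, i.e. no findings. Wire this to the exit code."""
    return len(findings) == 0


if __name__ == "__main__":
    results = scan(SAMPLE_SOURCE)
    for f in results:
        print(f"{f['path']}:{f['line']}: [{f['rule']}] {f['message']}\n    {f['code']}")
    raise SystemExit(0 if ci_gate(results) else 1)
```

Run as a pre-merge step, the non-zero exit blocks the commit that introduces the key or the MD5 call, which is exactly the "cheap to fix now" moment the talk is describing. The environment-variable line passes because the rule requires a quoted literal on the right-hand side.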
The practical implication is that a structured AppSec program, incorporating these parallel processes, enables early detection and remediation of security issues when impact and cost are minimal, preventing large-scale breaches. The fictional outcome for Tatter 2.0 is a successful, secure launch, demonstrating the value of proactive security integration. The talk concludes by referencing educational resources like the OWASP Juice Shop vulnerable application and key literature on threat modeling and AppSec fundamentals.