Getting More Bang for your Buck: AppSec on a Limited Budget

By Vandana Verma Sehgal, Viraj Gandhi on 12 Aug 2023 @ DEF CON: AppSec Village
#secure-development #devsecops #risk-management #security-compliance #architecture
Focus Areas: Governance, Risk & Compliance, Application Security, DevSecOps, Security Architecture


Abstract

The talk is about the importance of application security (AppSec) in modern software development due to the increasing number of applications being built, bought, and downloaded. As applications are the main source of security breaches, organizations need to establish strong AppSec programs to ensure weaknesses are identified and resolved early in the development cycle. However, small startups with limited budgets may struggle to establish a dedicated AppSec team, making it important to focus on key areas such as establishing baseline knowledge, implementing basic security controls, prioritizing security based on risk, and continuous monitoring and improvement. The talk will cover ways to build a business case for investing in AppSec programs and establishing benchmarks and metrics for success.

AI Generated Summary

The talk addressed the implementation of a cost-effective application security (AppSec) program, specifically for organizations with limited budgets such as startups and midsize businesses. It emphasized that a robust AppSec program is essential regardless of size, as 86% of breaches occur at the application layer, and even well-resourced companies face breaches.

The core framework presented revolved around three pillars: people, process, and tools. For people, the focus was on fostering a security-first culture through developer education and establishing security champions. Process involved integrating security into the software development lifecycle (SDLC) through a secure development lifecycle, including incident response playbooks and vulnerability management workflows. Tools were recommended for automation and detection within DevOps pipelines.

Key open-source tools and techniques were highlighted. For requirements gathering and threat modeling, the OWASP Security Knowledge Framework and OWASP pytm (threat modeling as code) were suggested. For vulnerability detection, the talk advocated a layered approach beyond just SAST and SCA, recommending OWASP ZAP for dynamic testing (DAST), OWASP Dependency-Check for software composition analysis (SCA), and CycloneDX for generating software bills of materials (SBOMs). DefectDojo was presented as an open-source defect tracking and metrics dashboard. The OWASP Application Security Verification Standard (ASVS) was recommended as a comprehensive checklist covering several maturity levels.

Practical implications included starting with open-source tools to assess organizational appetite before investing in commercial solutions. Integrating security tools early in the SDLC, such as enabling GitHub Dependabot, was stressed to manage open-source supply chain risks. The talk underscored that securing internal dependencies and educating development teams on existing resources like OWASP projects are critical first steps. It concluded that a feasible, cost-effective program is achievable by strategically combining these open-source resources with process improvements and developer training.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.