Video Library

We release great videos, from demos to bite-size pieces about everything from AppSec tooling, common misconceptions, OWASP Top 10 demos, API security best practices and more.

Our Watchlist

AppSec for Developers Workshop 3: Integrating security workflows into your dev environment (meetup recording)

The third and final part of our hands-on workshop series! In this part we learned together how to integrate security workflows into our dev environment using the best free tools out there. In this hands-on workshop, we learn how to properly integrate and use code scanning and container scanning tools in our CI/CD, as well as how to install runtime security to prevent and block actual attacks. We look at how these types of tools work and how to best use them.

What you need for this session:

1. A GitHub account

2. A Heroku account

AppSec for Developers Workshop 2 – Writing secure code

In the second part of our 3-part workshop series we covered the interesting topic of how to write better, more secure code.

Using OWASP Juice Shop, which we used in the first part to detect and exploit vulnerabilities, we looked into what makes our code vulnerable to exploits such as SQL Injection and others. At the end, we learned about open source SAST tools we can use to detect vulnerabilities in our code.

AppSec for Developers Workshop 1 – Hacking our own app (meetup recording)

A recording of our first virtual workshop with our meetup community held on Aug 3, 2022.

In our 3-part live workshop series, our two security experts (and coders) Hillel Solow and Himanshu Joshi will take us through how to detect code vulnerabilities in our app the way attackers do, how to exploit these vulnerabilities, how to be a better coder, which open source tools you can use today to help you stay resilient to attacks, and finally, how to create an integrated security workflow in your dev environment.

What we did in Workshop #1:

1. Deploy our own app

2. Discover vulnerabilities – how to identify vulnerabilities like attackers do

3. Attack our app – go back to our code to understand what made the attack possible

How to protect your software supply chain

Your supply chain is everything that affects what you end up running in production: your code, all your dependencies and their dependencies, everything that ships with the base images for your containers, AMIs or other machine images, and the 3rd-party tools and libraries you use in the pipeline.

Changes in any of the above, malicious or otherwise, can change what you’re running in production. What are the risks? Supply chain attacks that compromise your application’s data or availability through changes to the application, as well as bugs, vandalism or acts of protest.

Three things you can do to improve your resilience to supply chain threats: gain visibility (know what your dependencies are), make sure you have a process to detect new vulnerabilities both in your deployed application and in new deployments, and consider minimizing your supply chain.

What’s the deal with our one line of code?

Yes, we mention that our solution takes one line of code to implement everywhere. Why is it important and what do you get in that one line of code? Our chairman Hillel Solow explains.

What is web application security

Yes, cloud adoption and APIs are almost buzzwords nowadays. But these technologies truly changed the game when it comes to the way apps are developed, but also the way they are (or should be) secured.

Attackers capitalize on the distributed nature of cloud-native applications and use things like injection attacks (SQL, Command, Code) to exploit common vulnerabilities that stem from that distributed, cloud-native nature of our apps.

When it comes to securing web applications in today’s world, putting a WAF in front of them is not good enough. In fact, no security solution is good enough if you don’t build a solid security culture across your teams (dev and sec).

What is RASP (Runtime Application Self Protection)

What is Runtime Application Self Protection (RASP)? How is it different from a WAF? Which is better?

Why should developers care about security

I’m a developer, why should I care about security?

Hillel Solow explains why caring about your app’s security is just as important as caring about its performance.

Why web application & API security go hand in hand

Why do web application security and API security go hand in hand?

Traditional #AppSec solutions were designed to protect web applications from the outside. Those web applications mostly delivered JavaScript, HTML, CSS and other dynamic content to web clients.

Nowadays, applications are also delivering APIs. This could be because it is a single page application that uses APIs to consume its dynamic content, or an application that is no longer truly a web application but rather a mobile application that uses APIs in the backend.

Our application servers are handing out data to both of these kinds of clients at the same time, so having a security solution that understands which requests belong to web applications and which belong to APIs, and the respective threats to each, is crucial.

What is NoSQL Injection (Demo)

NoSQL databases are an alternative to databases that use SQL. Instead of storing data in tables, these databases store data in objects called documents, which are organized into collections. There is no standard query language for NoSQL databases, hence the name. Instead, each NoSQL platform uses its own syntax and protocol.

What is SQL injection (Demo)

SQL Injection (SQLi) is a web security vulnerability that allows a malicious actor to inject malicious SQL statements into the queries an application makes to its database. It permits unauthorized entities to view data to which they should not have access, such as other users’ information or any other data the application can access. An attacker can also modify or delete the data, causing persistent changes to the application’s content or behavior. SQL Injection can lead to additional damage, such as compromising the underlying server or back-end infrastructure.

What is distributed web application security

Modern apps can be built from hundreds of microservices, interact with hundreds of APIs and are always cloud-native. So how do you secure them? Hillel Solow explains what distributed apps are and how ProtectOnce secures them.

Why you need to shift runtime security left

We’ve become so enamored with shifting things left, that some people are starting to put runtime security aside and focus entirely on things that can be done in the pipeline or earlier. Ignoring runtime security is a problem because in reality, even with a tightly controlled DevSecOps process, bad things are possible.

3 misconceptions about web application security

There are many misconceptions when it comes to AppSec or web application security. In this video Hillel Solow, CSO at ProtectOnce, covers the top 3 misconceptions and explains why you should reconsider them when dealing with protecting your web applications and APIs.

What is code injection?

An unwritten rule when developing applications is to treat all data as untrusted. Code injection is a method a malicious actor uses to inject malicious code by taking advantage of a validation flaw in the software. Since the application cannot distinguish the injected code from its own code, the attacker gains access to restricted information held by the application.
