Why AppSec?

Sit down and enjoy a thought experiment to understand why we need application security in an enterprise and commercial setting.

AppSec stands for Application Security. The phrase encapsulates the effort to secure applications against malicious actors.

To understand the importance, let's consider the following scenario: You're just a kid, and it's your first job delivering newspapers to apartment buildings. Congratz! They love your work, but some of the buildings are locked at 5 am; let's be frank, it's too early, and not a single soul is around. This difficulty could cost you your job, so you are forced to find solutions and get creative about it.

You stand in front of the first building on your newspaper delivery route, and of course, the door is closed. What would you do? Assume that bypassing the security controls gets progressively harder with each building!

  1. The obvious first thing is checking whether the door is actually locked. It opens: great success!

  2. You stand in front of the next building, and now the door won't open! You try knocking; maybe someone will hear and open it for you. It works!

  3. On to the next building! Now knocking doesn't work, so you ring all the intercom bells, hoping someone will buzz you in. It works!

  4. You try a different maneuver: slide your credit card into the door frame and open the latch!

  5. The next building has a latch protector, bummer! You take out your lock-picking kit, hoping the lock won't have any security pins that would take too long to defeat.

  6. Of course, there are security pins, and lock picking is no longer effective within your time frame. Now the door has a keypad. Which code do you try? You'd try codes at random. It's going to take hours, but one of them would work.

  7. Next building: maybe some buttons are worn out? That reduces the problem to 1x2x3x4 possible combinations. Not that hard!

  8. Next, the keypad locks after a few tries, so being able to try 24 combinations isn't enough. You look for gunk residue, reasoning that the oil on a finger is reduced with each button press, so the amount of residue betrays the order! It works!

  9. The next building has a clean screen with no residue. What now?

  10. What about the building with the NFC card reader? Would your Flipper toy come in handy?

As you can see, each security control that gets introduced eventually has a bypass, and hackers will always find novel and creative ways to exploit them.
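Steps 6 to 8 above can be turned into a small defender's model. The following is an added example, not part of the original post: a constructed 4-digit keypad (an assumption; the post never states the code length) with a lockout after a fixed number of wrong attempts, plus two helpers that measure how much of the code space an attacker can cover when the keyspace is full versus when worn buttons leak which digits are used.

```python
from itertools import permutations

DIGITS = "0123456789"  # constructed: a plain numeric keypad


def full_keyspace(code_length=4, alphabet=DIGITS):
    """Step 6: guessing blind, every digit string of this length is possible."""
    return len(alphabet) ** code_length


def worn_button_candidates(worn):
    """Step 7: worn buttons reveal WHICH digits are used, only their order is unknown.
    For 4 distinct worn buttons that is 4*3*2*1 = 24 orderings."""
    return ["".join(p) for p in permutations(worn)]


class Keypad:
    """Step 8: the lockout control. After max_attempts wrong codes the keypad
    refuses every further input, including the correct code."""

    def __init__(self, secret, max_attempts=3):
        self._secret = secret
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def try_code(self, code):
        if self.locked:
            return False
        if code == self._secret:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
        return False


def brute_force(keypad, candidates):
    """Attacker model used to evaluate the control: try candidates in order
    until the door opens or the keypad locks. Returns (opened, attempts_made)."""
    for attempts, code in enumerate(candidates, start=1):
        if keypad.try_code(code):
            return True, attempts
        if keypad.locked:
            return False, attempts
    return False, len(candidates)


def max_coverage(keyspace, max_attempts):
    """Fraction of the keyspace one lockout window lets an attacker test.
    Lockout caps the attempts, but a leaked keyspace (24 codes) still leaves
    12.5% per window, which is why the residue leak itself must be closed."""
    return min(1.0, max_attempts / keyspace)
```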

An Application Security Engineer's job is to help design the latch, the keypad, and the NFC reader with the right security checks. We also keep testing for new techniques, bypasses, and injections, and we always think outside the box. By thinking like an attacker, we can suggest the best solutions.

We automate QA and security testing. We scan the code with tools that help us identify security holes. We help with architecture decisions and build threat models that help us understand the risks. We review code to find business-logic flaws that would cost a lot of money if exploited.

Security Assurance Model

Application security consists of methodology, tools, best practices, and mitigations for code vulnerabilities. To achieve completeness, we employ security assurance models; OWASP's is a popular one with plenty of information to assist.

  1. Security by design, achieved through security programs and governance, beginning with application specifications and vendor agreements

  2. Education: developer training and security awareness

  3. Threat modeling and secure architecture

  4. Securing CI/CD pipelines, automating the build, source code composition (secure dependencies)

  5. Secret management

  6. Tracking issues, defects, vulnerabilities, logging, etc.

  7. Security controls and security verification

  8. Blue team: incident response, data protection
