Welcome to my talk: App Security Does Not Need to Be Fun, Ignore OWASP to Have a Terrible Time. It's one of those talks where I thought of the name first and then wrote the talk all around it. I think that's the way most good talks work.

I live in Chicago. I've been a developer advocate since about 2016. I co-host The Security Repo podcast; look it up. We just had Jason Haddix's episode drop today, legendary hacker, former CIO of Ubisoft. A real pleasure to talk to him. Anyway, find me out there on the internet as McDwayne and hit me up to chat about anything outside of tech. I love rock and roll, and some improv, karaoke, or a jam session. So hit me up about any of that stuff.

Very briefly (and I work not that briefly), I work for a company called GitGuardian. We are a code security platform focused around answering two questions: where are my hardcoded secrets throughout my codebase, and has my code leaked? We help companies figure that out really quickly. I'm going to mention them again later, because we do sponsor some of this stuff.

But I want to start out by asking: what does good security look like for our work? I think it actually has an answer. You can have a lot of answers to this, but personally I think it looks like this: we're sleeping at night. We don't have to get up for an alarm at 3 a.m.
No one's calling us to come back into the office because something broke or because something got hacked. And it also looks like this: nowhere near Wi-Fi. You can confidently leave cell reception; that's how good your security is. That's what good security looks like. It looks like this: you're at the concert and you don't have to leave before they finish, before the encore. And ultimately it looks like this: we're hanging out with our families, doing what we want to do, playing Monopoly or whatever you want to do with your pastime.

But that's the general idea: good security comes at a human cost, and when we pay that cost, technically and correctly, then we get our human time back to ourselves and we don't need to suffer through it.

So what does bad security look like? Well, I think it looks a little bit like this: it's isolating. I don't know if you've ever read something and then started staring out the window because, wow, I don't know who to talk to about this. I've been there. "Absence of reason produces monsters", or "The Sleep of Reason Produces Monsters", the famous etching. Because we hear about these things like ChatGPT, or these new CVEs and new vulnerabilities, and wow, does that affect me? And now you're imagining all the scenarios where it's going to be Log4j again. And honestly, security is really boring sometimes. If I have to read another 90-page PDF about anything, I'm probably just going to fall asleep.

Tolstoy said it very well in Anna Karenina: all happy families look alike, but every unhappy family is unhappy in its own way. I think that is true of companies as well. The biggest family of all: everybody running Log4Shell out there, or Log4j, and getting hit by the CVE. That's a fun name, by the way, CVE-2021-44228; it's very symmetrical. But yeah, it hit everybody.

Maybe a story you haven't heard about, another unhappy family: Uber. They had a super admin get phished. They got in there. This was a 19-year-old kid from the Lapsus$ group. He got into Uber, found
PowerShell scripts full of passwords, pwned them, taunted them in their own Slack, and even taunted HackerOne. They didn't believe him, so he went to the New York Times. That's all we know about the story.

CircleCI: anybody affected by this earlier this year? Yep, so you know the story. Basically, a third party, or rather an external developer, gets hacked; they inject malware; the malware starts stealing credentials, then exfiltrates those credentials; then they use those credentials to get into customer accounts. Fun fact: the same day they announced this, an independent security researcher said, hey, my honeytokens went off, something's going on with CircleCI, within like two hours of this, rather than waiting for the formal announcement on January 4th.

So security is important, but security teams are way outnumbered. Alex Rice said back in 2022 that it's about a hundred to one in your best organizations. If your organization is smaller than a hundred, it's probably less than that, but the same general ratio. I've seen companies where it's as big as a hundred... ten developers to every one security person; that's the company that's throwing people at the problem. Because in DevSecOps (we're here to talk about DevOps and GitOps and CD, but DevSecOps says, hey, security should be everywhere), we're going to shift left, which means we're going to spread our security out through every stage. That's what shift left was supposed to mean; I have a whole other talk about how we kind of misinterpreted that. And this is what a lot of companies interpreted that previous picture to mean: let's just give everybody a security hat. Now, congratulations, DevOps team, you're now the security team. Congratulations, developer,
you're now a security developer. And how do security people spend their days? Well, they spend their days catching up on CVE after CVE, after NIST; we're just into NIST 2.0, it just got released, by the way. And we read PDF after PDF after PDF after PDF after PDF after PDF after PDF after PDF. And we know about all of these threats. And if you're new to security, or even if you're not new to security, it feels like you're the Red Queen, or you're Alice chasing the Red Queen, where we have to run twice as fast as we currently are to get anywhere, and run just as fast as you are to stay where you're at.

And about now, if you're like, okay, you told me a bunch of horror stories, yes, security is on my mind, you're making it worse: I've got some good news for you. There's been a group around for 20 years called OWASP whose entire mission is to help you be safe and to help you stay sane out there. Because OWASP is not just a tool; it's a community, the same way that we're a community here at this event. OWASP.org is an awesome website, if you like websites laid out like this. The original founder of OWASP said in 2021 that the problem with the OWASP website is that it's a Byzantine mess. I took that as a personal challenge and I wrote this talk. But the mission is very simple: no more insecure software. This is an impossible journey, because it's impossible to make completely, 100% foolproof, always-secure software, because human beings are involved. But we can get closer to it. Actually, their entire mission statement reads like this. That's a lot of words.
So I think it boils down to this: we have projects, communities, events, education, training, publications and resources, and all of these together make up what OWASP is. Projects are mostly what I'm going to talk about. So for the rest of the talk I'm going to break down what OWASP is and how to navigate it, and then I'm going to end with four actual things you can walk out of this room and start using. Actually, if you've got your computer open, you can start using them before you leave the room.

So first, understand the basic unit of work. The basic unit of work in Git is the commit. The basic unit of work in Kubernetes is... what? Yes. The basic unit of work in OWASP is the project. These are all open source repos run by volunteers. New submissions come in from the community every week. At last count, and this was a few days ago so it might actually be a bit different now, there were 242 total projects in any state at all; 155 are in some kind of usable state.

So what does that mean? Well, there are basically four big categories. They're constantly messing with this and tuning it; lab and incubator have now been conglomerated in the last few weeks. But flagships are what we used to know as the big ones, the ones they're known for. Last year in October they said we should have production projects, because enterprises understand the concept of production. As of the last time I checked, which was yesterday, nothing has qualified for production. They set the standard very, very high, so even their flagships aren't quite production projects. Lab projects are on their way to flagship, and incubators are newer. There's a whole bunch of ones that are not there yet; they need work to even get to incubator status.

So we've got 18 flagships. If you're going to start with OWASP, that's probably where to go, but don't jump over there quite yet. 36 lab projects, 114 incubator projects, and then everything else that adds up to that 255 hasn't made it yet. So looking back here, these are the big ones that kind
of span every developer in the world in some way or another. CycloneDX is on here; that's the standard behind, of course, where we get our SBOMs. Juice Shop, which I'll talk about later. Top 10. ZAP. And then as we go through labs and go through incubators, we start getting more and more specific, to things like specific APIs or specific languages as you roll through it.

OWASP also classifies everything by type of project, not just what category it's under: 109 code projects, 80 documentation projects, four other. What are those other projects? One's a podcast.

So they realized a few years ago that this is really a lot to go through from a list view and try to figure out on your own. So they said, what if we mapped everything to the software development lifecycle? Well, we can't map everything; that's a lot of projects. So let's map at least the flagships. So no matter where you are in the software development lifecycle, there's this little map, built around CRE, the Common Requirement Enumeration, that explains what tool you should be looking at. It makes it really easy to get started. This is on the project page. So next time you're in the research phase, or the requirements or building phase, go look at what they've got there. It might help you out.

So you might be thinking, well, what's a CRE, a Common Requirement Enumeration?
Well, that's a project unto itself. OpenCRE said there are too many numbers, too many things to keep track of: too many CWEs, CVEs, NIST controls; there are too many. Let's just combine them into one number, and there you go. So you can go over to that project and check out exactly how all these things map together.

OWASP is also a community. You might be thinking, okay, that's cool with projects and all, but there is an OWASP chapter pretty much everywhere on earth. I believe Vancouver has one; I didn't actually look that up before I started talking today. But there's one in Seattle, right down the road. A lot of them went virtual over COVID, of course. There's probably one in your area, and they would love to talk to you. I can tell you I've been to a lot of the virtual OWASP meetups, and they're all friendly. People want to help; people really do want you to make secure software. So come with your questions, and they'll always be happy to point you in the right direction. Again, you're not alone; you don't have to stare out the window by yourself. You can go talk to folks. I mentioned GitGuardian earlier; we sponsor a couple of different chapters around the world, including Paris, and that's the last meetup we had in person, in October. The Paris chapter rotates where they hold their meeting every month.

They hold events too, just like cdCon or GitOpsCon, and, well, as you can imagine, other things. So they have a big global event coming up in DC: Global AppSec comes up in October. There's a bunch of regional ones as well; it's a whole network of events. So if any of this sounds like, hey, I want to hear more about security for applications and get involved in this 20-year-old community, show up to their events.

They also firmly believe in education. So, there's not one section of the website that says education and training, but there's a bunch of education and training scattered throughout. What you're probably going to be better served by is going to Google, or your favorite search engine,
and saying "OWASP education", "OWASP training possibilities". Start there, and you'll find a bunch of ways to get there. But there is one I will call out: SecureFlag. SecureFlag is its own entity; they are their own company. They are not run by OWASP, not directly anyway. However, if you are an OWASP member, which costs $50 US a year, or $500 for a lifetime membership, you can join OWASP and then you get free access to this thing, well, for the entire run of your membership. So what is SecureFlag? It's a giant ongoing capture-the-flag training platform. You want to go participate in an endless capture-the-flag event? Here it is, as a website. You can get certifications through it; you can deep dive into just about anything you can think of across the security spectrum.

They also make a bunch of resources available out there. This admittedly overlaps with projects quite a bit, and this is where it starts getting confusing: like, well, isn't that a resource, or is that a publication, or is that a project? Just assume it's a project. They do print paper books.
I've never bought one, but they also make them available online for free, for the most part. Your mileage may vary.

Okay, 15 minutes in, and everybody's probably thinking, okay, you just gave me a bunch of laundry lists, and I'm just as lost as when we started. I agree. That's why I'm going to boil it down to these four things. If you are working in tech at all, which I assume everyone in this room is, and everyone watching at home is, then the first one is for you. If you want to start learning more about general security around pretty much any topic and move toward a more secure space, then the first two are for you. If you're building applications and want to see how not to do it, or have an example of something you can attack and start tearing apart to understand how to build insecure software, then the first three are for you. And if you want to actually attack things, if you actually want to go red team (red teaming is the art of pen testing, of actually attacking things and figuring out where the vulnerabilities lie), then all of these are for you. But I won't be surprised if you get to the end and are like, oh, I didn't even know that was a possibility.

So let's talk about the Top 10s first. First off, who is familiar with the OWASP Top 10? About half the room. Good. Everyone should be familiar, I believe. OWASP set out on a mission years ago to say: what are the most common vulnerabilities people should be paying attention to? Let's compile that into one easy-to-manage list. And they did. In 2021 they came out with the newest version. They update it every three to seven years; I'm not making that up. Go look at how often they release; that's how often they have this conversation. And it breaks all of this down in great detail: it explains where they got these numbers, what CWEs it matches, and, more importantly, an overview and how to prevent. So if you're thinking, how do I make my application more secure, how can I make the security team like me more?
Not that anyone's goal in life is to make the security team like you, but if you want to get on their good side, bring up, like, hey, I was reading the Top 10 list and I want to make it more secure by adding this feature; I want to make sure we harden against this thing based on what I read in the Top 10. They would love to have that conversation with you, I promise you. Your security team will love that conversation, and they'll help you out.

Surprise: there's not just one Top 10 list anymore. There used to be, but now there are 17. 13 are in some kind of usable state. I say usable state because some of these are just blank profiles that have nothing there yet. One of the newer ones is one I think everyone in this room should probably be familiar with, or at least should be on your radar now: the Kubernetes Top 10, 2022. There are like four people that work on this. They desperately need more input and help. So if you're a Kubernetes captain out there, or you want to move toward that in your life, this is probably a good way to get something for your resume: help have this conversation with them. They even have a zero for getting started with the thing, but we're not going to climb through that today. That's for you to do.

But yeah, mobile security. Oh, the control's off... there we go. CI/CD security, same thing: insufficient flow control mechanisms, poisoned pipeline execution, insufficient PBAC. So yeah, it gets updated from time to time. If your concerns aren't on this list, again, do a pull request; go have that conversation out in the Slack. There we go. So everyone should be familiar with at least that.

Next up, cheat sheets. You want to sound smart real fast about technology?
Cheat sheets are for you: cheatsheetseries.owasp.org. Pick a topic; there are dozens and dozens. And there's a full breakdown on the concept, a bunch of great graphics you can steal, and, well, everything you need to know from a high level of how to approach it from a security perspective. So if your CIO walks over and says, what do we know about security with Kubernetes? You can frantically Google this and start reading off facts. If you do that in person, that's going to be weird, but if you do it on a video call, you sound pretty smart, and you're not going to be wrong.

The goats: greatest of all time, maybe. Who here is familiar with WebGoat? Cool, we've got two hands, awesome. OWASP said, hey, what if we built specifically insecure applications that are easy to tell are broken? So they started doing that: WebGoat, NodeGoat. WrongSecrets has a particular place in my heart because it shows you how not to do secrets management; how to do it wrong, there it is. PyGoat, ChainGoat, LaravelGoat, depending on what goat you want. But these all pale in comparison to the true greatest of all time: Juice Shop. I could feel my machine getting warm because it's running in the background. Juice Shop is, well, a juice shop. It is extremely well documented. Bug free; they're very proud that it's the bug-free application that is completely insecure. They're on version 14 right now. If you watch another video based on this video, go find this presentation from last year; it is amazing. He walks through what you can do with it. Because you're thinking, okay, so it's an application, I can go look at the code, sure, it's open source. But I'll just give it away: if you go to /score-board... Did I spell it wrong? Oh, I put a dash in it for some reason. What's wrong with me?
I guess it needed the hashtag on there. Anyway, there we go: score-board. That was great. You can also get to it from the side menu. I was trying to URL-manipulate and I don't know why; it's hard to type because I'm at a weird angle up here. Anyway, what you're looking at is a full-blown training series on how to start attacking websites, with full instructions buried in here; that's one of the goals, to find the tutorials, and they help you along the way. Finding the scoreboard is actually one of the first things. But you can do things like bully the chatbot. Have you ever bullied a chatbot in real life? Do you know that there are people doing that constantly? Yes, once you figure out it's an AI, just keep asking for that discount, because it's trained to not let you go unhappy, so eventually it'll give up; most of them will. Developers don't want you to be unhappy as a user. Anyway, you can also run this as a complete capture-the-flag for your team. There are full instructions on how to run this on a secure private network. This is an amazingly well documented project. Again, that video will put you on the right path on how to leverage it for your teams.

So we talked about the Top 10, cheat sheets, goats; now ZAP. ZAP, the Zed Attack Proxy, the most dangerous thing they make. Who here has ever run ZAP? Nobody. I talk at a lot of security conferences, and normally there's more people than that. But Zed Attack Proxy, well, is an attack tool. It goes through and tries to brute-force its way in; it tries to cross-site script; it tries to do all sorts of nefarious things. Do not run ZAP against things you don't own or have explicit permission to use it against. One of the things you can own and attack is Juice Shop. This is fairly new to ZAP: the HUD mode. So it's a hover-over display mode; I don't know what it stands for; I'm running out of time. So you can click on things and then go look at...
I forgot to make it full screen. Go look and say, all right, here's exactly what just happened, and we can start getting into the details of the alerts on, hey, what's actually wrong with this particular page. You can start seeing... oh, I've got some warnings here. Medium. Yeah, Content Security Policy header not set; cross-domain misconfiguration. What on earth does that mean? Well, if you go back to this interface, it will start showing you, oh, there's the CVE specifically tied to that vulnerability. So now you can go start looking at: well, how did they fix it? How should I fix it? How should I approach this? If you're using up-to-date, patched software, there's a good chance you won't have to manually do a lot of this, but HUD will very quickly show you where all the flaws are in your applications.

And I have about a minute left, so I'm going to wrap it up here. Yeah, again, I'm sure you see CVE and all the other stuff. Cool, so there's that; I just showed you. Same conclusion: it's dangerous out there. There's a whole world of people that want you to be safe. Some of them belong to an organization called OWASP, and they'd love to hang out with you. Sleep better at night knowing that your application isn't going to get hacked, at least not with the most common vulnerabilities. People still might get in, but if you can shoo off 80, 90% of attackers because, oh, that vulnerability is closed, I'm just going to move on with my day, you'll sleep better. Start here: start with the Top 10. If you're not familiar with the Top 10, just start there and move your way through. And remember, Juice Shop is really fun.

I'm Dwayne, I live in Chicago, I've been a developer advocate since about 2016. Find me on the internet at McDwayne, and I'm happy to talk about anything outside of tech as well. Any questions before we get kicked off stage?
I think it's a matter of two things, honestly. One, it's right after lunch on the last day of the conference. That actually factors into it, realistically. Two, security. One of my favorite sayings I heard in the last year was: most developers don't think about security last, because they're not thinking about security. And I think that's kind of the mindset of a lot of the world, like, well, security is something that gets handled by other people, that will get added into the mix. So for those of you here, I'm really appreciative that you're here and learning about this. The other thing I think factors into it is, one, OWASP. Like, sure, my talk title is alluring; obviously you're here. But that's, unfortunately, the side of what it's falling into, like, oh, OWASP is that thing over there that I heard about, that was, excuse the expression, my dad's security org. I'm all about the new stuff now; what can they offer me? And I think they're a victim, a little bit, as an organization, of what the original founder said: that they became a Byzantine mess. Like, all the projects in their democracy pull in different directions. Like I said, people working on the Kubernetes Top 10, there's like three people. As to why there are not more people in this room, well, honestly, there's a lot of really great talks at this thing, and if you're here to further your skills in building GitOps, yeah, maybe you're in a different room. So, yeah, I don't have a good answer there, man, but that's a good question. Anybody else? I'll throw these slides on my Twitter and Mastodon later today, if you're a mastodon.social person: McDwayne on mastodon.social. With that, I will give up the room. So, thank you very much.
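Added example (not part of the talk, and not ZAP's own code): the two ZAP HUD alerts the speaker reads off the Juice Shop page, "Content Security Policy (CSP) Header Not Set" and "Cross-Domain Misconfiguration", are passive checks that only look at response headers. The Python below re-implements a simplified version of those two checks, plus the follow-on check ZAP raises when a CSP is present but lets `script-src` run inline scripts, over constructed HTTP responses (the sample responses, hostnames and alert strings are assumptions for illustration; ZAP's real rules cover more conditions). It shows what each alert actually tests for and what a hardened response looks like.

```python
"""
Simplified re-implementation of two ZAP passive-scan checks, written for this
page as an added example (not ZAP's code):

  * "Content Security Policy (CSP) Header Not Set"  - HTML documents only
  * "Cross-Domain Misconfiguration"                  - wildcard CORS origin

plus one follow-on CSP check (script-src allowing 'unsafe-inline'), which ZAP
reports under a separate rule. All sample responses below are constructed.
"""
from typing import Dict, List, Tuple

# Constructed samples: a Juice-Shop-style page before and after hardening,
# an HTML page with a weak CSP, and a JSON API response.
WEAK_HTML = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "\r\n"
    "<html><body>OWASP Juice Shop</body></html>"
)
HARDENED_HTML = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'\r\n"
    "Access-Control-Allow-Origin: https://app.example.test\r\n"
    "\r\n"
    "<html><body>OWASP Juice Shop</body></html>"
)
WEAK_CSP_HTML = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self' 'unsafe-inline'\r\n"
    "\r\n"
    "<html><body>inline scripts allowed</body></html>"
)
JSON_API = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"status":"success"}'
)

CSP_NOT_SET = "Content Security Policy (CSP) Header Not Set"
CROSS_DOMAIN = "Cross-Domain Misconfiguration"
CSP_UNSAFE_INLINE = "CSP: script-src allows 'unsafe-inline'"


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status, lower-cased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def is_html(headers: Dict[str, str]) -> bool:
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    return media_type == "text/html"


def parse_csp(value: str) -> Dict[str, List[str]]:
    """\"default-src 'self'; script-src x\" -> {'default-src': [\"'self'\"], 'script-src': ['x']}."""
    directives: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def csp_alerts(headers: Dict[str, str]) -> List[str]:
    # CSP restricts what a document may load, so (like ZAP) only HTML is judged;
    # a JSON API response with no CSP is not a finding.
    if not is_html(headers):
        return []
    csp = headers.get("content-security-policy")
    if csp is None:
        return [CSP_NOT_SET]
    directives = parse_csp(csp)
    # Per the CSP spec, script-src falls back to default-src when absent
    # (the nonce/hash override of 'unsafe-inline' is ignored here).
    script_src = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script_src:
        return [CSP_UNSAFE_INLINE]
    return []


def cors_alerts(headers: Dict[str, str]) -> List[str]:
    # A wildcard origin lets any site read this response cross-origin.
    if headers.get("access-control-allow-origin") == "*":
        return [CROSS_DOMAIN]
    return []


def scan(raw: str) -> List[str]:
    """Return the sorted alert names a passive scan raises for one response."""
    _, headers, _ = parse_response(raw)
    return sorted(csp_alerts(headers) + cors_alerts(headers))


if __name__ == "__main__":
    for label, sample in [("weak", WEAK_HTML), ("hardened", HARDENED_HTML),
                          ("weak csp", WEAK_CSP_HTML), ("json api", JSON_API)]:
        print(f"{label:9s}: {scan(sample) or 'no alerts'}")
```

The point of the hardened sample is that both findings are fixed purely with headers: a restrictive `Content-Security-Policy` (a `default-src` fallback plus an explicit `script-src` with no `'unsafe-inline'`) and an `Access-Control-Allow-Origin` that names the one origin allowed to read the response instead of `*`.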