Hackfest 2024 - 16-bit Edition

Introduction → What is Application security ?

Have you ever wondered who’s behind those mysterious vulnerabilities that appear in your product team’s backlog? Today, we’ll dive into the the world of Application Security, the unsung hero of software development.

Application Security is all about keeping our software safe, from vulnerabilities buried in your legacy code to threat actors trying to take advantage of unpatched libraries. But If these vulnerabilities comes from code itself, why isn’t it the developers job to handle AppSec?

I’ll break down the role of App Sec in an organization, highlighting it’s importance and the value it brings. I’ll also cover the key principles that define AppSec. While also comparing the different type app sec can have and how it plays with other security teams in the organization. I’ll explain the proper mindset to have to be successful and how AppSec drives business success by making sure security is built-in everything we do.

My AppSec Journey - From Zero to Hero

I didn’t start out in AppSec—I was a developer first. I’ll walk through my journey from being a junior developer in a bank to securing software for a fast-paced HRIS company. I’ll talk about the challenges I faced, including dealing with imposter syndrome, and how earning my CISSP certification was a game-changer for me. The key is to accept that this is a never ending journey and you’ll be a student for the rest of your career, which I call “embrace the process”.

Starting my career as a developer is something I’m really grateful for; I wouldn’t be able to do what I do today without it. Having a background in development in App Sec is a significant advantage because it helps understand the challenges developers face; balancing deadlines, writing quality code, having good quality assurance. The key is to make their day-to-day easier, not harder. Your ultimate goal is to implement security initiatives that will pay off and drive business forward.

I’ll share some lessons I learned along the way. Like the "Fake It Till You Make It" approach and the importance of soft skills in the App Sec world. An old boss once told me “Attitude over Aptitude” and I agree. In this sort of job, where building relationship is key, soft skills will carry you a long way. Confidence is key, If you don’t know, no one does

Day-to-day - Small Changes Today, Big Wins Tomorrow

In the day-to-day life, you’ll have a lot of tasks and responsibilities that keep things dynamic. One of the main task (and my favorite) is answering developers questions. This is where soft skills come into play: building strong relationships with developers is key. By helping them with their security challenges, you’ll gradually show them the importance of adding security best practices into their code. You’ll subtly shift the mindset towards a "shift left" approach, which is the ultimate goal!

At my current company, we have a ritual called “Tech Designs,” where we review the technical aspects of new initiatives or features. AppSec's involvement is crucial, as it ensures security considerations are integrated from the very beginning. We also conduct threat modeling during these sessions, which helps us identify and address potential vulnerabilities early on. This practice not only enhances our security posture but also reinforces the “shift left” and “security by design” approaches with our teams.

Additionally, you might manage a bug bounty program, handle security incidents or lead pen testing activities.

At the end of the day, you’ll handle multiple tasks, that are all tied by a common goal: driving the business forward and building a strong security culture across the organization.

Required skills and learning paths - From learning to executing

Starting in Application Security can be overwhelming due to the amount of knowledge required, but you may already possess many of the skills without realizing it! Here’s some of the top technical and soft skills and how to acquire them.

Technical Skills

• Understanding of Secure Coding Practices

  • Why: When reviewing code or participating in tech designs
  • How: Practice secure coding in projects and learn about key security principles such as the CIA triad, the “shift left” mentality and security by design.

• Knowledge of Security Vulnerabilities

  • Why: Understand the risks associated with vulnerabilities and what attackers can achieve with them
  • How: Review the OWASP Top Ten, read bug bounty articles, and participate in CTF and security labs

• Knowledge of Compliance

  • Why: Understand legal implication and requirements for handling user data
  • How: Learn about the compliance requirement like Law 25 (Quebec), PIPEDA (Canada) or GDPR (Europe)

Soft Skills

• Effective Communication

  • Why: To clearly explain security risks and their implications to both technical and non-technical stakeholders
  • How: Write clear and detailed reports and understand your audience

• Relationship Building

  • Why: To be seen as an ally who supports and drives the business forward
  • How: Understand their day-to-day challenges, work with them and make decisions that consider their needs.

• Empathy and Patience

  • Why: Helps understand and address challenges faced by others
  • How: Learn and practice active listening

• Persuasive Skills

  • Why: To convince stakeholders of the importance of addressing security risks and the potential losses or impacts of not mitigating these risks.
  • How: Learn how to address and present the risk

• Problem-Solving

  • Why: When managing security incidents or resolving security challenge
  • How: Participate in hackathons, CTF or training platforms

Tips - How to Be a Pro at AppSec

When you first start into security, you’ll probably have the mindset of “let’s fix everything.” While this approach sounds great in theory, it’s impossible to do in practice. If you want to sleep at night, it’s crucial to realize that security is a marathon, not a sprint. You won’t be able to address every issue or cover every vulnerability all at once. Once you accept this reality, you can focus on prioritizing the critical risks and drafting a plan.

What surprised me the most when I started in AppSec is the amount of adversity you face. You’ll often find yourself balancing security needs with business objectives. Even more when working with teams under strict deadlines and managing backlogs full of new and shiny features. How do you sell them on fixing a boring potential security vulnerability? What if you need to convince a non-technical PM? Learning to help them understand the risks and make necessary compromises (without compromising overall security) is a key skill you’ll need.

Conclusion - How do I start?

How to break into App Sec.

Recommendations on :
- Certification
- Books
- Online platforms
- CTFs