Why AppSec is Key for Your Dev Toolbox

Listen to this podcast on iTunes, Spotify or wherever you find your favorite audio content.
In this edition of the Beyond the Perimeter Podcast, we discussed the Poshmark data breach and interviewed Avi Douglen from Bounce Security about application security risks.

Breach of the Month: Poshmark

On August 1, clothing marketplace Poshmark confirmed they had experienced a data breach. Poshmark is said to have some 50 million users.

The looted data includes customers’ full names, genders, cities, email addresses, linked social media profiles, and account passwords, though the passwords were in hashed form rather than plaintext.

Due to the breach, the company is telling its customers to watch out for phishing emails, especially those that look like they are coming from Poshmark.

In a blog post, Poshmark warned its users with the following statement: “Be aware that Poshmark would not ask for personal information such as your login information or password in email communications. If an email you received asks you for this information, the email was not sent by Poshmark and may be an attempt to steal your personal data.”

In this episode, I talked to Avi Douglen to learn more about his experience in application security and why businesses should look into adopting an application security program internally. 

Not The Common Career Path to Security

There is no one true path to a career in cybersecurity. Some people will have the aspiration from a young age to work in security and some will learn on the go. In Douglen’s case, he was at the right place at the right time: “I actually kind of fell into it. I started my career doing software development of a product that I was working on and the security always seemed a bit dodgy. But whatever, you know. I’m a new programmer. What do I know about it? But then I got recruited to go work actually at the Israeli Police as a developer of security software, security infrastructure for all the very sensitive systems as I’m sure you can imagine. While I was there, of course, we’re developing security products. So I was part of identity management, permission controls and access controls before that was even a thing.”

Like many security professionals, Douglen gained his security experience on the go. “I learned from actually testing things out because this was back before security was so popular. There were so many things and it was like OWASP was barely starting and this was back in like 2001. I discovered all the security aspects as we went on and kind of as the requirements came from the field and from the developers that had their own requirements but we don’t know how to deal with these.”

Gaining this experience over time led Douglen to a career in application security. “I got recruited into a security consulting company and I came in knowing a lot about security requirements from the developer side. So from there, I kind of found my home so to speak in application security and software security.”

Application Security is a Shared Responsibility

When asked whose responsibility it is to conduct application security, Douglen commented that it’s a tough thing to answer. “That’s a really interesting question and I would push that back to say, OK, who’s responsible for the quality of software? Well, sure, it’s the organization and sure you do expect a developer to be responsible for the quality of the code they put out, right? Obviously you’re not going to hire somebody to write code if they don’t know how to write code. But the organization absolutely needs to support that. You need to have time and the right tools for application security. You need to have the education and process, methodology and it needs to really be treated – from my perspective, it needs to be treated exactly like the quality of software and it’s one aspect of quality. You can’t be an excellent programmer if you’re not also doing security. It really comes down to how you’re producing software.”

Douglen believes that it’s not only on the developers who are actually writing the code. “I don’t think it should all be on the developer side, not at all. But it definitely needs to be one part of it. There are definitely organizations and there are developers that try to push the code out as fast as possible and don’t really care about bugs or passing tests or even if it really works. You know, if it compiles on my machine, I will push it to GitHub, right? On the other hand, obviously we can’t fault all on the developer side because not all software security is in code and I really think that security just needs to be one other aspect of everything that everybody does. So DevOps folks are doing DevOps and security needs to be part of it. Their pipeline needs to be secure and if they’re doing unit testing and things like that, they obviously need to be security unit testing.”

Organizations Still Have Room For Growth With AppSec

When asked whether organizations are better equipped for application security today, Douglen commented that it depends on the organization. “There are two completely different types of organizations and you really can’t correlate them. Some of the more mature, more responsible, more security-minded organizations will distribute across the graph as you would expect and some of them are early in their journey and some of them don’t have a full program and some of them do, some of them are more evolved. On the other hand, some that you would expect to be more evolved and have a full program don’t necessarily and they never will and even if you try and push it into them, it will not succeed and just too much heavy decades of legacy, legacy of code, legacy of process, legacy of people sometimes, that you – that will never change. So breaking it down to your question, I would say it’s a tough question because I think most companies are not where they should be. Many are on the right path.”

Douglen highlighted open source security tools as something that developers can start adopting into their application security toolbox. “There are some great static analysis products called SAST, static application security testing, which basically is an automated way to scan your code and these are great and you got some tools which will monitor your dependencies and your components. Open source components can have a known vulnerability in one of the versions of the components that you’re using and usually, most products will have several dozen dependencies, external dependencies at least in a trivial application. Sometimes it could easily be hundreds or more. So there are some great tools out there. I just saw one of the vendors come out with an open-source plug-in for Visual Studio Code that will monitor in code and it will tell you that this library actually has vulnerabilities. You should upgrade or use a different library.”

Huge Advocate of OWASP Projects

Douglen is extremely active in the OWASP community and in his spare time he takes part in his own OWASP project. “There are a bunch of great projects out there. I am part of a sub-project which is a Threat Modeling Cookbook, which is starting to put out a whole bunch of “recipes,” kind of like threat patterns. So if you put in a bunch of Docker microservices. Then there’s a set of threats that you need to consider and take care of and you don’t need to spend two days of threat modeling this infrastructure and you have a set of common standard mitigations that you can use without having to consult the security expert. So all these things is – that’s where we’re headed to try and create that and flesh that out.”

OWASP offers a large number of free projects for developers and security experts. When asked which projects Douglen recommends listeners check out, the list goes on. “There’s a lot of great projects depending on where you’re coming from. First I will call out to OWASP ZAP. That’s an interactive proxy which does a lot more than that. Not only does it monitor and intercept any requests being sent between your browser and the server. It has a lot of dynamic attack functions. So it would kind of test your web application as you’re testing it and it supports a great API. So you can integrate this and I know a lot of QA teams and DevOps teams that have integrated this in automated tests and yeah, you can definitely invest and get a great commercial product, web scanners, you know. But this integrates better than some of the other products out there and the ZAP API is great.”
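One concrete way QA and DevOps teams wire ZAP into automated tests is a build gate over the alerts ZAP has collected: the pipeline pulls the alert list through the ZAP API after the test run and fails the build if anything at or above a chosen risk level is present. The script below is an added example written for this post, not code from ZAP or from Douglen; the alert field names mirror the alert objects ZAP's API returns (`core/view/alerts`), while the sample alerts, the `http://app.test` URLs and the thresholds are constructed for illustration.

```python
"""CI gate over OWASP ZAP alerts: fail the build when findings reach a risk threshold."""
from collections import Counter

# ZAP reports risk as a string in each alert's "risk" field; map to integers to compare.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
# Confidence labels assumed from ZAP's UI/API; unknown labels are not filtered out.
CONFIDENCE_ORDER = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample alerts (values invented for this example). In a real pipeline
# this list would come from the API, e.g. zap.core.alerts(baseurl=target) in the
# python-owasp-zap-v2.4 client, after the functional tests ran through the proxy.
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://app.test/login", "param": "username"},
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://app.test/login", "param": "password"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "High",
     "url": "http://app.test/search", "param": "q"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium",
     "url": "http://app.test/", "param": "X-Content-Type-Options"},
    {"alert": "Information Disclosure - Suspicious Comments", "risk": "Informational",
     "confidence": "Low", "url": "http://app.test/main.js", "param": ""},
]

def summarize(alerts):
    """Count distinct findings per risk level (one per alert type + URL)."""
    distinct = {(a["alert"], a["url"], a["risk"]) for a in alerts}
    return Counter(risk for _, _, risk in distinct)

def gate(alerts, fail_at="Medium", min_confidence="Low"):
    """Return (passed, blocking): blocking lists the deduplicated findings that fail the gate.
    Alerts below min_confidence are ignored so noisy passive checks do not break builds."""
    blocking, seen = [], set()
    for a in alerts:
        if RISK_ORDER.get(a["risk"], 0) < RISK_ORDER[fail_at]:
            continue
        conf = CONFIDENCE_ORDER.get(a["confidence"])
        if conf is not None and conf < CONFIDENCE_ORDER[min_confidence]:
            continue
        key = (a["alert"], a["url"])  # same issue on several params counts once
        if key in seen:
            continue
        seen.add(key)
        blocking.append(f'{a["risk"]}: {a["alert"]} at {a["url"]} (param: {a["param"] or "-"})')
    return (not blocking, blocking)

if __name__ == "__main__":
    ok, findings = gate(SAMPLE_ALERTS)
    print("risk summary:", dict(summarize(SAMPLE_ALERTS)))
    print("\n".join(findings))
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the CI job
```

Start with `fail_at="High"` on an existing application and tighten the threshold as the backlog of known findings shrinks; a gate that fails every build on day one tends to get disabled rather than fixed.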

Douglen also described how newcomers can get started with OWASP projects. “Go to OWASP.org, click on projects. You get a whole library of projects there. Another project that I really like especially for people starting to discover this field of application security is what’s called the OWASP Juice Shop which I say is the best place to never ever, ever, ever buy juice online. It’s basically a modern webshop to buy juice except that you never actually get the juice. What you do get is a whole bunch of built-in vulnerabilities, which are common for modern applications. So it’s great for exercising, for learning and for practicing different vulnerabilities and finding out how SQL injection works and how cross-site scripting works and dozens of others. It’s one of the best capture-the-flag apps out there.”

To hear the entire interview with Avi, please listen to the full podcast here. You can follow Avi on Twitter @sec_tigger.

To sign up for OWASP Appsec Israel visit https://appsecil.org/

If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on iTunes or wherever you listen.