Application Security
Shay Fainberg, Product Security and Anti-Fraud, Outbrain
(Transcript of a slide deck)
Agenda
- What is Outbrain
- Outbrain application security challenge
- Application security mechanisms by priority
What is Outbrain
- Over 20K open source libs
- 120 code changes in production a day
- 260 microservices
- Business partner
- 150 developers
- 6 main programming languages
- Over 50 open source software
- Over 50 external services
Security by Design
- Security is part of planning
- Security is part of the spec
- Security is part of the architecture forum
Security Code Lib & Services
- Examples:
- If you have resources, create wrappers

| Security Mechanism | Chosen Lib |
|---|---|
| Secure work with MySQL (avoid SQL injection) | Hibernate `createQuery` (parametrized query) |
| HTML input validation (anti-XSS) | OWASP AntiSamy `.scan` |
| Output encoding (anti-XSS) | OWASP Java Encoder `Encode.forHtmlContent` |
| Hashing passwords | `MessageDigest.getInstance("SHA-256")` |
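An added example, not code from the deck or from Outbrain, of the "create wrappers" idea applied to the first three table rows: one thin in-house class is the only place the Hibernate, AntiSamy and OWASP Java Encoder calls appear, so developers see only the safe call and the library can be swapped in one place. The class name, the `User` entity and the AntiSamy policy file path are assumptions.

```java
import java.io.File;
import java.util.List;

import org.hibernate.Session;
import org.owasp.encoder.Encode;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/** Hypothetical in-house wrapper (not Outbrain's code) around the libs listed in the table. */
public final class SecurityLib {
    private final Policy antiSamyPolicy;

    public SecurityLib(Policy antiSamyPolicy) {
        this.antiSamyPolicy = antiSamyPolicy;
    }

    /**
     * Anti-SQLi: the user value is bound as a named parameter and never
     * concatenated into the HQL string. Assumes a User entity with an "email" field.
     */
    public static List<User> findUsersByEmail(Session session, String email) {
        return session
                .createQuery("from User u where u.email = :email", User.class)
                .setParameter("email", email)
                .getResultList();
    }

    /** Anti-XSS output encoding for text placed inside an HTML element body. */
    public static String forHtmlContent(String untrusted) {
        return Encode.forHtmlContent(untrusted);
    }

    /** Anti-XSS input validation: keeps only the markup the AntiSamy policy allows. */
    public String cleanHtml(String untrustedHtml) throws ScanException, PolicyException {
        CleanResults result = new AntiSamy().scan(untrustedHtml, antiSamyPolicy);
        return result.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: harmless bold text plus an inline script.
        String payload = "<b>hi</b><script>alert(1)</script>";
        System.out.println(forHtmlContent(payload));   // markup rendered as literal text
        // Assumed path; AntiSamy ships sample policy files you can start from.
        SecurityLib lib = new SecurityLib(Policy.getInstance(new File("antisamy-policy.xml")));
        System.out.println(lib.cleanHtml(payload));    // only policy-allowed tags survive
    }
}
```

The table's fourth row, `MessageDigest` with SHA-256 for password hashing, is left out of the wrapper on purpose: a plain digest is unsalted and fast to brute-force, so a dedicated password hash (PBKDF2, bcrypt, scrypt or Argon2) is what normally sits behind such a wrapper.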
PT & Bug Bounty
- New features & recurring PTs
- Free alternative:
Open Source Libs Security
- Runs daily -> integrated into the CI
- Free alternative:
Automatic Security Testing
Pipeline components (from the slide diagram):
- Jenkins: coordinator ("Starting Scan")
- Appscan: scan engine, run against the tested app
- ThreadFix: results review ("Scan Results")
Automatic Security Testing (Free)
Pipeline components (from the slide diagram):
- Jenkins: coordinator ("Starting Scan")
- OWASP ZAP: scan engine, run against the tested app
- ThreadFix: results review ("Scan Results")
Secret Management
- Passwords to services
- Applicative encryption keys
- Built-in cloud solutions: AWS KMS, Azure Key Vault
- Free alternative:
- Vault bonus: dynamic secrets
Web Application Firewall
- Cloud-based WAF requires network acceleration
Cheap Web Application Firewall
- Basic WAF capabilities
- ~$250 annually
Security Static Code Analysis
- Requires a high security skillset
- Takes time before you see good results
- Free alternative: