Application Security
Shay Fainberg, Product Security and Anti-Fraud, Outbrain
Agenda
- What is Outbrain
- Outbrain Application Security Challenge
- Application Security Mechanisms by Priority
- Over 20K Open Source Libs
- 120 Code Changes In Production A Day
- 260 Micro Services
- Business Partner
- 150 Developers
- 6 Main Programming Languages
- Over 50 Open Source Software
- Over 50 External Services
Security by Design
- Security is part of planning
- Security is part of the spec
- Security is part of the architecture forum
Security Code Lib & Services
- Examples:

  Security Mechanism                            | Chosen Lib
  ----------------------------------------------|---------------------------------------------
  Secure work with MySQL (avoid SQL injection)  | Hibernate createQuery (parametrized query)
  HTML input validation (anti-XSS)              | OWASP AntiSamy.scan
  Output encoding (anti-XSS)                    | OWASP Java Encoder Encode.forHtmlContent
  Hashing passwords                             | MessageDigest.getInstance("SHA-256")

- If you have resources, create wrappers
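The slide recommends wrapping the chosen libraries so developers call one in-house API instead of each library directly. The class below is an added example of such a wrapper, not Outbrain's code. It assumes Hibernate 5.2 or later (for `createQuery(String, Class)`), OWASP AntiSamy, OWASP Java Encoder, and a hypothetical JPA entity `User` with an `email` field. It also goes one step beyond the table for password hashing: a per-user random salt is added in front of the SHA-256 digest, and the comparison is constant-time.

```java
// SecurityLib.java: added example wrapper around the libraries named in the table above.
// Not Outbrain's code. Assumes Hibernate 5.2+, OWASP AntiSamy, OWASP Java Encoder,
// and a hypothetical JPA entity `User` with an `email` field.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.List;

import org.hibernate.Session;
import org.owasp.encoder.Encode;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public final class SecurityLib {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16;

    private final Policy antiSamyPolicy;

    /** @param antiSamyPolicy a loaded AntiSamy policy, e.g. Policy.getInstance(new File("antisamy.xml")) */
    public SecurityLib(Policy antiSamyPolicy) {
        this.antiSamyPolicy = antiSamyPolicy;
    }

    // --- Secure work with MySQL: parametrized HQL ------------------------------------
    // The pattern this wrapper replaces splices the value into the query text:
    //   session.createQuery("from User u where u.email = '" + email + "'")
    // Here the value is bound as a named parameter, so it travels as data, not as query text.
    public List<User> findUsersByEmail(Session session, String email) {
        return session
                .createQuery("from User u where u.email = :email", User.class)
                .setParameter("email", email)
                .getResultList();
    }

    // --- HTML input validation: AntiSamy -----------------------------------------------
    // Returns the markup reduced to what the policy file allows; everything else is dropped.
    public String cleanHtml(String untrustedHtml) throws ScanException, PolicyException {
        CleanResults results = new AntiSamy().scan(untrustedHtml, antiSamyPolicy);
        return results.getCleanHTML();
    }

    // --- Output encoding: OWASP Java Encoder -------------------------------------------
    // Pick the encoder that matches the HTML context the value is written into.
    public static String forHtmlText(String value) {
        return Encode.forHtmlContent(value);     // text between tags: <p>...</p>
    }

    public static String forHtmlAttribute(String value) {
        return Encode.forHtmlAttribute(value);   // inside a quoted attribute value
    }

    // --- Hashing passwords: MessageDigest SHA-256 --------------------------------------
    // The table lists plain SHA-256; the random per-user salt is an addition of this example
    // so that identical passwords do not produce identical stored values.
    // Stored form: base64(salt) + "$" + base64(sha256(salt || password))
    public static String hashPassword(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] digest = sha256(salt, password);
        return Base64.getEncoder().encodeToString(salt) + "$"
             + Base64.getEncoder().encodeToString(digest);
    }

    public static boolean verifyPassword(char[] password, String stored) {
        String[] parts = stored.split("\\$", 2);
        if (parts.length != 2) {
            return false;
        }
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        // Constant-time comparison; Arrays.equals would stop at the first differing byte.
        return MessageDigest.isEqual(expected, sha256(salt, password));
    }

    private static byte[] sha256(byte[] salt, char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(new String(password).getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every JRE", e);
        }
    }
}
```

Keeping all four mechanisms behind one class means a code review only has to check that callers use `SecurityLib`, rather than auditing every query string and every JSP expression. The hashing helper keeps the table's primitive; the JDK's `PBKDF2WithHmacSHA256` via `SecretKeyFactory` is the usual next step when a slow, iterated password hash is wanted without adding a dependency.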
PT & Bug Bounty
- New features & recurring PTs
- Free alternative:
Open Source Libs Security
- Runs daily -> integrated into the CI
- Free alternative:
Automatic Security Testing
- Jenkins: coordinator
- AppScan: scan engine
- ThreadFix: results review
- Tested app (flow: starting scan -> scan results)
Automatic Security Testing (Free)
- Jenkins: coordinator
- OWASP ZAP: scan engine
- ThreadFix: results review
- Tested app (flow: starting scan -> scan results)
Secret Management
- Passwords to services
- Applicative encryption keys
- Built-in cloud solutions: AWS KMS, Azure Key Vault
- Free alternative:
- Vault bonus: dynamic secrets
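The "dynamic secrets" bonus means the application never holds a long-lived database password: it asks Vault for a credential, Vault creates a short-lived database user, and the user disappears when the lease expires or is revoked. The class below is an added example of a consumer of such a credential, not Outbrain's code. It assumes the BetterCloud vault-java-driver, a Vault database secrets engine mounted at `database/` with a role named `readonly`, and a placeholder Vault address; all three are constructed for the example.

```java
// DynamicDbCredentials.java: added example of consuming a Vault dynamic secret.
// Not Outbrain's code. Assumes the BetterCloud vault-java-driver and a database secrets
// engine mounted at "database/" with a role "readonly" (constructed names for this example).
import java.util.Map;

import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultConfig;
import com.bettercloud.vault.VaultException;
import com.bettercloud.vault.response.LogicalResponse;

public final class DynamicDbCredentials {

    /** One issued database login, valid only for the lease Vault returned with it. */
    public static final class Lease {
        public final String username;
        public final String password;
        public final String leaseId;
        public final long leaseSeconds;

        Lease(String username, String password, String leaseId, long leaseSeconds) {
            this.username = username;
            this.password = password;
            this.leaseId = leaseId;
            this.leaseSeconds = leaseSeconds;
        }
    }

    private final Vault vault;

    public DynamicDbCredentials(String vaultAddress, String vaultToken) throws VaultException {
        VaultConfig config = new VaultConfig()
                .address(vaultAddress)   // placeholder, e.g. "https://vault.example.internal:8200"
                .token(vaultToken)       // short-lived token obtained from the app's auth method
                .build();
        this.vault = new Vault(config);
    }

    // Every call makes Vault create a brand-new database user; no static DB password exists
    // anywhere in the application's configuration.
    public Lease issue() throws VaultException {
        LogicalResponse resp = vault.logical().read("database/creds/readonly");
        Map<String, String> data = resp.getData();
        return new Lease(data.get("username"),
                         data.get("password"),
                         resp.getLeaseId(),
                         resp.getLeaseDuration());
    }

    // Revoke on shutdown so the generated DB user is removed before its TTL would expire.
    public void release(Lease lease) throws VaultException {
        vault.leases().revoke(lease.leaseId);
    }
}
```

Because each instance of a service gets its own database user, a leaked credential can be traced to the instance that requested it and revoked alone, which is the operational payoff over a shared password stored in KMS or Key Vault. The application must also renew the lease (or call `issue()` again) before `leaseSeconds` runs out, or its connections will start failing.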
Web Application Firewall
- Cloud-based WAF requires network acceleration
Cheap Web Application Firewall
- Basic WAF capabilities
- ~$250 annually
Security Static Code Analysis
- Requires a high security skillset
- Takes time before you see good results
- Free alternative: