Application Security Shay Fainberg

Product Security and Anti-FraudOutbrain

Agenda

} What is Outbrain} Outbrain Application Security Challenge

} Application Security Mechanisms by Priority

3

Over 20K Open Source

Libs

120 Code Changes In Production

A Day

260 Micro Services

Business Partner

150 Developers

6 Main Programming

Languages

Over 50 Open Source

Software

Over 50 External Services

Security by Design

} Security is part of planning} Security is part of the Spec} Security is part of architecture forum

Security by Design

Security Code lib & Services

} Examples:

} If you have resources create wrappers

Security Mechanism Chosen Lib

Secure work with mySql(Avoid SQL injection)

Hibernate createQuery(parametrized query)

HTML input validation(Anti-XSS)

OWASP AntiSamy.Scan

Output encoding (Anti-XSS)

OWASP Java Encoder Encode.forHtmlContent

Hashing Passwords MessageDigest.getInstance("SHA-256")

PT & Bug Bounty

} New features & reoccurring PTs} Free alternative:

Open Source Libs Security

} Runs daily -> integrated to the CI

} Free alternative:

Automatic Security Testing

JenkinsCoordinator

AppscanScan engine

ThreadFixResults Review

Tested App

StartingScan

Scan Results

Automatic Security Testing Free

JenkinsCoordinator

OWASP ZAPScan engine

ThreadFixResults Review

Tested App

StartingScan

Scan Results

Secret Management

} Passwords to services} Applicative encryption keys} Built-int cloud soutions: AWS KMS, Azure Key Vault

} Free Alternative:

} Vault Bonus - Dynamic secrets

Web Application Firewall

} Cloud based WAF requires network acceleration

Cheap Web Application Firewall

} Basic WAF capabilities} ~250$ annually

Security Static Code Analysis

} Requires high security skillset} Takes time before you see good results

} Free alternative: