Moshe Zioni

Moshe Zioni is VP of Security Research at Apiiro, responsible for producing high-value research in the domains of application security, user behavior and vulnerability research, and detection and prevention. He was listed as one of Peerlyst's 27 influential penetration testers of 2020 and has been researching cybersecurity for over 20 years across multiple industries, specializing in penetration testing, detection algorithms and incident response. He is a constant contributor to the hacker community and has been a co-founder of the Defcon-adjacent Shabbatcon security conference for the past 6 years.
More by Moshe Zioni
Application Security In Depth: Understanding The Three Layers Of AppSec Testing (webinar, published January 24, 2022)

Overview 

Today's approaches to defense in depth for application security are siloed and lack context, so results have fallen short. A layered approach is the key to building a world-class AppSec program that spans the entire Software Development Lifecycle (SDLC). So how does our approach need to change? 

In this webinar, you'll hear from three experts, one for each of the core security touchpoints within the SDLC: the code level, pre-deployment, and post-deployment.

Speakers include Nabil Hannan, managing director at NetSPI, Moshe Zioni, VP of Security Research at Apiiro, and Samir Sherif, CISO at Imperva. 

During this webinar, speakers will discuss:

  • Key timeframes to implement security testing – and why 
  • How to incorporate risk context across the SDLC 
  • Best practices for application penetration testing and secure code review 
  • Proper implementation of application security tools for continuous monitoring 
  • Plus, more tips to achieve a layered application security strategy 

Key highlights:

  • 1:21 – The state of AppSec testing 
  • 3:55 – Contextual AppSec testing 
  • 14:45 – Best practices for application pentesting and secure code review  
  • 30:40 – The implementation journey 
  • 42:00 – Q&A 

The State of AppSec Testing 

To get started, it’s important to have an understanding of the current state of today’s AppSec programs and application security in general.  

Key challenges with application security include:

  1. Siloed: Application security programs are siloed in most organizations. AppSec activities often happen out of sync with the rest of the organization, yet effective application security requires collaboration across the board.
  2. Lacks context: Testing happens in many phases of the software development lifecycle (SDLC), but it often lacks context. It tends to be driven by customer needs or regulatory and compliance requirements rather than by the organization's own software context, that is, an understanding of when and why particular systems need to be tested beyond what external pressures demand. 
  3. Results fall short: When application security testing is siloed, lacks context, and has no proper strategy, its results are more likely to fall short.   

A layered testing approach is the key to building a world-class AppSec testing program that spans the entire SDLC, including code level, pre-deployment, and post-deployment.   

Contextual AppSec Testing 

For AppSec testing to be effective, context from across the SDLC is required to understand risk.  

Some of the benefits of context in each stage across the SDLC include:

  • Design 
    • Prioritize and trigger threat model sessions
    • Trigger contextual compliance reviews 
  • Branch 
    • Trigger contextual security code reviews and enrich data from SAST/SCA/GWs 
    • Trigger contextual compliance reviews 
    • Automate manual risk questionnaires 
    • Automate code governance 
  • Repository 
    • Gain complete visibility into AppSec infrastructure and CSS 
    • Actionable remediation work plan 
    • Trigger incremental plan testing 
    • Reduce SAST & SCA FP and prioritize results 
    • Detect compromised results  
  • CI/CD 
    • Prevent build-time code injection attacks (SolarWinds)  
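
The CI/CD point above, preventing build-time code injection, is the one place in this list where a concrete check is easy to state: the SolarWinds build was compromised by code that swapped source files while the compiler ran, so the artifact contained code the repository never did. The script below is an added example, not code from the webinar, NetSPI or Apiiro. It assumes a build that runs inside a checked-out workspace, hashes every source file before and after the build step, and reports any source file the build itself added, removed or changed; the list of source suffixes and output directories is an assumption for the demo.

```python
"""Detect source tampering during a build (the SolarWinds / SUNSPOT pattern).

Added example, not from the webinar or from NetSPI or Apiiro. It assumes a
build that runs inside a checked-out workspace: every source file is hashed
before the build step and again after it, and any source file that was added,
removed or changed by the build is reported as possible build-time code
injection. Build outputs (bin/, obj/, ...) are expected to change and are
ignored.
"""
import hashlib
import tempfile
from pathlib import Path

SOURCE_SUFFIXES = {".c", ".cs", ".go", ".java", ".js", ".py", ".rs", ".ts"}
OUTPUT_DIRS = {"bin", "obj", "build", "dist", "target"}  # assumed output locations


def snapshot_tree(root: Path) -> dict:
    """Map each source file under root (relative POSIX path) to its SHA-256."""
    digests = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        rel = path.relative_to(root)
        if rel.parts[0] in OUTPUT_DIRS:
            continue
        digests[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(before: dict, after: dict):
    """Return (added, removed, modified) source paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return added, removed, modified


def verify_build(workspace: Path, build_step) -> dict:
    """Run build_step(workspace) and report any source change it caused."""
    before = snapshot_tree(workspace)
    build_step(workspace)
    added, removed, modified = diff_snapshots(before, snapshot_tree(workspace))
    return {
        "clean": not (added or removed or modified),
        "added": added,
        "removed": removed,
        "modified": modified,
    }


def demo(tamper: bool = True) -> dict:
    """Constructed scenario: a build that may silently swap a source file."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)
        (ws / "src").mkdir()
        (ws / "src" / "main.cs").write_text("class Main { static void Run() {} }\n")
        (ws / "src" / "util.cs").write_text("class Util {}\n")

        def build(root: Path) -> None:
            (root / "bin").mkdir()
            (root / "bin" / "app.dll").write_bytes(b"MZ")  # legitimate output
            if tamper:
                # The SUNSPOT behaviour: replace a source file while the
                # compiler runs, so the artifact contains code the repo never did.
                (root / "src" / "main.cs").write_text(
                    "class Main { static void Run() { Backdoor.Start(); } }\n")
                (root / "src" / "backdoor.cs").write_text(
                    "class Backdoor { public static void Start() {} }\n")

        return verify_build(ws, build)


if __name__ == "__main__":
    print(demo(tamper=False))
    print(demo(tamper=True))
```

In a real pipeline the "before" snapshot should come from the version control system (the tree hash of the commit being built) rather than from the build host's filesystem, so that an attacker who controls the host cannot forge the baseline, and the check belongs alongside reproducible builds and signed provenance rather than in place of them.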

Best Practices for Application Pentesting and Secure Code Review  

Understanding best practices for application pentesting and secure code review can help ensure your approach is as effective as possible.

Here are some ways to optimize your application pentesting: 

1. Risk-based pentesting is key 

  • Understand how your business makes money 
  • Prioritize remediation of vulnerabilities that pose the greatest risk to the organization 
  • Loop in finance and risk leadership 
  • Contextual pentesting 

2. Strategy is the future 

  • Informed pentesting, where testers are given context up front, is more valuable, since real attackers aren't bound by an engagement's time box 
  • Threat modeling and secure design reviews 
  • Pair point-in-time testing with always-on monitoring 
  • Bug bounty vs. pentesting 

3. Enable manual testing  

  • Enable your testing team to find vulnerabilities that tools miss 
  • According to NetSPI testing data, 63% of critical vulnerabilities are found through manual testing 
  • External network pentesting finds 10x more critical vulnerabilities than a single network vulnerability scanning tool 

4. Take a holistic approach 

  • Validation of security controls 
  • Understanding how everything works together  
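
Two of the points above, prioritizing remediation of the vulnerabilities that pose the greatest risk and contextual pentesting, and the "Reduce SAST & SCA FP and prioritize results" point under Contextual AppSec Testing, all come down to the same operation: re-ranking raw scanner findings with knowledge of the repository. The script below is an added example, not code from the webinar, NetSPI or Apiiro. The findings, the repository context and the weighting factors are constructed for illustration; a real program would derive the context from the code base (routes, data flows, manifests, git history) rather than hard-code it.

```python
"""Contextual prioritization of SAST/SCA findings.

Added example, not NetSPI's or Apiiro's code. Findings, repository context
and weighting rules are all constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    id: str
    tool: str          # "sast" or "sca"
    severity: float    # the scanner's own score, CVSS-like 0-10
    path: str          # source file (sast) or dependency manifest (sca)
    package: str = ""  # vulnerable dependency, sca only


@dataclass
class RepoContext:
    internet_facing: set = field(default_factory=set)    # files reachable from unauthenticated routes
    handles_pii: set = field(default_factory=set)        # files on a PII data path
    recently_changed: set = field(default_factory=set)   # files touched in the change under review
    imported_packages: set = field(default_factory=set)  # dependencies actually imported somewhere


def contextual_score(f: Finding, ctx: RepoContext):
    """Return (score, reasons): the scanner severity re-weighted by repo context."""
    score = f.severity
    reasons = []
    if f.tool == "sca" and f.package not in ctx.imported_packages:
        # Declared in the manifest but never imported: no known code path reaches
        # it, so treat it as probable noise rather than dropping it outright.
        score *= 0.1
        reasons.append("dependency declared but never imported")
    if f.path in ctx.internet_facing:
        score *= 1.5
        reasons.append("internet-facing")
    if f.path in ctx.handles_pii:
        score *= 1.3
        reasons.append("handles PII")
    if f.path in ctx.recently_changed:
        score *= 1.2
        reasons.append("changed in this branch")
    return round(score, 2), reasons


def prioritize(findings, ctx: RepoContext):
    """Rank findings by contextual score, highest first; ties broken by id."""
    ranked = []
    for f in findings:
        score, reasons = contextual_score(f, ctx)
        ranked.append({"id": f.id, "tool": f.tool, "raw": f.severity,
                       "score": score, "reasons": reasons})
    ranked.sort(key=lambda r: (-r["score"], r["id"]))
    return ranked


# Constructed sample: four findings from two tools, two of them "critical".
SAMPLE_FINDINGS = [
    Finding("F1", "sast", 9.8, "api/login.py"),
    Finding("F2", "sca", 9.8, "requirements.txt", package="legacy-xmlrpc"),
    Finding("F3", "sast", 7.5, "internal/reports.py"),
    Finding("F4", "sca", 8.1, "requirements.txt", package="requests"),
]

# Constructed context: which files are exposed, which touch PII, what changed.
SAMPLE_CONTEXT = RepoContext(
    internet_facing={"api/login.py"},
    handles_pii={"api/login.py", "internal/reports.py"},
    recently_changed={"api/login.py"},
    imported_packages={"requests", "flask"},
)


def demo():
    return prioritize(SAMPLE_FINDINGS, SAMPLE_CONTEXT)


if __name__ == "__main__":
    for r in demo():
        print(f'{r["id"]} {r["tool"]:4} raw={r["raw"]:<4} score={r["score"]:<6} '
              f'{", ".join(r["reasons"])}')
```

On the sample, the critical SCA alert for a dependency nobody imports drops to the bottom of the list, while a medium SAST finding in PII-handling code ranks above a genuine critical in an unused library; that reordering is what "context" buys, and the reasons list keeps each re-weighting explainable to the developer who has to act on it.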

Another important aspect is building an effective secure code review program. Steps to do this include:

  1. Establish a security culture and listen to your developers 
  2. Create simple and effective methodologies and processes 
  3. Plan application onboarding and scan frequency 
  4. Understand that remediation matters most 
  5. Measure and improve over time  

As you formalize your company’s AppSec program, following a maturity checklist can help set the program up for success.

Make sure to include the following steps in your application security program maturity checklist:

  • Formalize your roadmap 
  • Governance in the SDLC 
  • Establish metrics that matter 
  • Be an AppSec ambassador

The Journey to Implement AppSec 

When it comes to how an organization views and approaches application security in general, breadth is a useful framework for redefining and conceptualizing it.

This framework includes: 

  • Shift-left to dev training and code analysis 
  • Heavy focus on in-app and perimeter protections 
  • Shift-right to advanced, proactive, and managed services  

Left-to-right application security features the following solutions: 

  • Awareness and education
    • Learning, training, threat modeling 
  • Code analysis
    • SAST, DAST, IAST, SCA, code risk 
  • In-app protection 
    • RASP, CWPP (EW) 
  • Perimeter protection 
    • WAAP, CWPP (NS), DDoS, Zero Trust 
  • Advanced solutions 
    • Bot, insights, fraud, 3rd party, TI, CDR, DLP 
  • Proactive solutions 
    • VM, CSPM, CIEM, BAS, EASM, MDR 

Partner with NetSPI to Improve Application Security  

NetSPI’s Application Security as a Service helps organizations manage multiple areas of their application security program.

Our AppSec as a service capabilities combine the power of technology through our vulnerability management and orchestration platform with our leading cybersecurity consulting services featuring expert human pentesters to ensure you can build and manage a world-class application security program.

Learn more about our AppSec as a service offerings and partner with NetSPI to drive your application security program forward to meet your security objectives. Schedule a demo today

Webinar recording: https://youtu.be/bml1NTFqxFA

