Day-to-day in AppSec





Init
day-to-day
What it takes

Mission Goals



Farfetch
Implement key security standards and best practices consistently across all stages of the Farfetch Software Development Life Cycle (SDLC).


Be enablers rather than gatekeepers

ADVISE RATHER THAN DICTATE

AUTOMATION

RISK-AWARE

REDUCE FRICTION

SECURITY IS HOLISTIC BUT KEEP RAISING THE BAR

DEVSECOPS







DevSecOps
DevSecOps refers to the integration of security practices into a DevOps software delivery model.
DevOps is an organizational paradigm that aligns development and operations practices as a shared responsibility.

DevSecOps
It is important to drive cultural and procedural changes that help raise security awareness and bring security considerations in early in the development process.

SECURITY REQUIREMENTS
A security requirement is a statement of needed security functionality that ensures one of many different security properties of software is being satisfied.

SECURE DESIGN
Secure design is a culture and methodology that constantly evaluates threats and ensures that code/architecture is robustly designed and tested to prevent known attack methods.

SECURE CODE
Secure coding standards are rules and guidelines used to prevent security vulnerabilities. Used effectively, these security standards prevent, detect, and eliminate errors that could compromise software security.

Testing
The process of testing, analyzing, and reporting on the security level of a software application.
Software composition analysis (SCA)
STATIC APPLICATION SECURITY TESTING (SAST)
DYNAMIC APPLICATION SECURITY TESTING (DAST)
Interactive application security testing (IAST)

Deployment
Mechanism through which applications, modules, updates, and patches are delivered from developers to users.

Engagement + Sec Architecture Team + (SCA + SAST + Sec Libs + Sec Champions + Code Guidelines + Sec Automation) + (DAST + Run Time Validation) + (BBP + Monitor) = Secure SDLC

AppSec Roles


Testing
Auditing the internal portfolio, enhancing and developing new automations for our Secure Software Development Life Cycle (SSDLC), and researching and validating potential issues within our tech stack.

Testing
Improper Access Control on Several Files
Verbose Errors Returned
Introspection Enabled on GraphQL API
Web Cache Deception
Sensitive Info. Leakage to Third Parties
Personally Identifiable Information (PII) via GET

Vulnerability Examples
Training
Empower developers and engineers by providing focused security education. These sessions are designed to build practical skills and awareness around critical security topics in our applications and tech stack.

Security University
SQLi / NoSQLi
Insecure Deserialization
XML External Entity (XXE)
Cross-Site Scripting (XSS)
Cryptography for Developers
Cross-Site Request Forgery (CSRF)
OWASP Top 10 and OWASP Mobile Top 10 (Web, iOS and Android)
Training

Architecture
Ensure that security is embedded from the early stages of new product and engineering developments and initiatives. Oversee the security aspects of internal processes, such as R.T.P. and API specification, create and lead strategic initiatives, and contribute to global architecture efforts such as the F-Tech Radar.

Architecture
Audit Logs
Secret Management
Third Party Exposure
Internal Standardization of Evaluations

Initiatives
Security Business Partner
Acts as a security advocate and advisor for engineering and product teams, bridging the gap between security and business objectives. Ensures security requirements are understood and seamlessly integrated into development processes. Plays a key role in following up on vulnerabilities and ensures issues are addressed effectively.





Security Business Partner
Dashboards
Engineering
Responsible for designing and developing specialized tools to meet the team's needs, with a focus on creating new automations that support in-house software, enhance daily workflows, and drive overall team efficiency.

Engineering
Reporter Tool
Dashboards
AppSec C2
F-Tech Risk Register
Daemon Tool
Watchdog
Subdomain Takeover Automation
Checkode / SonarQube Issues Monitoring
Security Champions HQ

Tools
Screenshots: Reporter Tool, Daemon Tool, Risk Register, WatchDog

Cross Initiatives
The Security Champion community plays a key role in strengthening the overall security of the software development lifecycle. Each Security Champion is essential in boosting their team's security posture by providing support across multiple areas.

Security Champions
Cross Initiatives
Maintaining and updating documentation for secure development, processes, and tooling to ensure accuracy and relevance. This improves F-Tech's engineering and product teams' capacity for "self-service".

Secure Development Documentation
Cross Initiatives
Support compliance with regulatory obligations, manage risks, and uphold governance standards by contributing to policy development, providing technical expertise for security controls, collecting evidence for audits, addressing findings, and assisting with training and awareness efforts.

Support GRC Team
Others
Maintain and update security tooling, such as FFbin, JSON Editor, and CyberChef, to ensure their ongoing usage. It includes troubleshooting issues and supporting the adoption of these tools across different teams and areas.

Support Security Tooling


All Together
AppSec as a Discipline
CONTINUOUS CHALLENGES

Keep portfolios updated

Keep relationships w/ Product and Engineering

Keep TECHNICALLY updated

Always looking for IMPROVEMENT OPPORTUNITIES
Tech stack changes, new automations, feature revamps, new products...

One Team, One Voice!

Keep the Basics Right!

Hands-on!


We want to build a client chat!
Put on your thinking cap and dig deep into what might go wrong

function BAU() {
  // Vulnerable: untrusted input is concatenated straight into HTML markup
  var str = document.getElementById("xpto-field").value;
  var extra = "<input type='text' value='" + str + "'/>";
  document.getElementById("output-div").innerHTML = extra;
}
What's Wrong with this code?
'><img src onerror=alert(1)> (Breaking HTML Attribute to HTML Tag)
' onfocus="alert(1)" (HTML Attribute)

function BAU() {
  var str = document.getElementById("xpto-field").value;
  // encodeURI is a URL encoder, not an HTML-attribute encoder: it leaves the
  // single quote (the attribute delimiter used here) untouched
  var encoded = encodeURI(str);
  var extra = "<input type='text' value='" + encoded + "'/>";
  document.getElementById("output-div").innerHTML = extra;
}
Fix
// Using safe DOM APIs: the value is set as data, never parsed as markup
function BAU() {
  var str = document.getElementById("xpto-field").value;
  var extra = document.createElement("input");
  extra.type = "text";
  extra.value = str;
  document.body.appendChild(extra);
}
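Added example, not from the deck: it shows why the encoder has to match the output context. The slide's BAU() builds an `<input>` tag by string concatenation; encodeURI is a URL encoder and leaves the single quote that delimits the attribute untouched, whereas an HTML-attribute encoder neutralises every delimiter. The helper names and the sample value are assumptions for the demo; in the browser the createElement version above is still the preferred fix, since it never builds markup at all.

```javascript
// Added example (not the deck's code): context-aware output encoding for an
// HTML attribute value, compared with the encodeURI approach from the slide.

const ATTR_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Escape the five characters that can change meaning inside an HTML attribute.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}

// Same markup shape as the slide's BAU(), parameterised by the encoder used.
function buildInputMarkup(value, encoder) {
  return "<input type='text' value='" + encoder(value) + "'/>";
}

// Defender-side check: does the generated markup still consist of exactly one
// single-quoted value attribute and nothing else? A raw quote in the value
// closes the attribute early, so the shape no longer matches and this is false.
function attributeValueIsIntact(markup) {
  return /^<input type='text' value='[^'<>]*'\/>$/.test(markup);
}

// Constructed sample input: a stray quote, the ingredient both slide payloads rely on.
const SAMPLE = "'x";

// Compare the three ways of building the tag on the same input.
function demo() {
  return {
    raw: attributeValueIsIntact(buildInputMarkup(SAMPLE, (s) => s)),              // false
    urlEncoded: attributeValueIsIntact(buildInputMarkup(SAMPLE, encodeURI)),      // false: "'" survives encodeURI
    attrEncoded: attributeValueIsIntact(buildInputMarkup(SAMPLE, encodeForHtmlAttribute)), // true
  };
}

console.log(demo());
```

The `attributeValueIsIntact` check is a unit-test style guard for templating code, not a sanitizer: it only proves that the attribute boundary survived for the inputs you feed it.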

Hey, we are integrating w/ this brand new marketing partner.
Put on your thinking cap and dig deep into what might go wrong

Content-Security-Policy: script-src 'self' https://cdnjs.cloudflare.com/; object-src 'none'; report-to /Report-parsing-url;
What's Wrong with this Policy?
"><script src="https://cdnjs.cloudflare.com/angularjs/1.1.3/angular.min.js"></script>
<div ng-app ng-csp ng-click=$event.view.alert(1337)>
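Added example, not from the deck: a small auditor for the policy on the slide. It parses a Content-Security-Policy header and flags script-src entries that allow a whole host, because every script that host serves (the AngularJS build above included) becomes loadable; a nonce or hash together with 'strict-dynamic' makes the allow-list host-independent. It also flags the report-to value, since report-to takes a reporting group name and a URL belongs in report-uri. The function names and the second, stricter policy are assumptions for the demo.

```javascript
// Added example (not the deck's code): audit a CSP header for host-based
// script allow-lists and a mis-used report-to directive.

// The policy from the slide, embedded as the sample under test.
const SLIDE_POLICY =
  "script-src 'self' https://cdnjs.cloudflare.com/; object-src 'none' ; report-to /Report-parsing-url;";

// A nonce-based policy for comparison (assumed for the demo, not from the slide).
const STRICT_POLICY =
  "script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'; report-uri /csp-report";

// Split "name src src; name src" into { name: [sources] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

const KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'", "'report-sample'"]);
const isNonceOrHash = (src) => /^'(nonce-|sha(256|384|512)-)/.test(src);

function auditCsp(header) {
  const csp = parseCsp(header);
  const findings = [];
  const sources = csp["script-src"] || csp["default-src"];
  if (!sources) {
    findings.push("no script-src or default-src: script loading is unrestricted");
  } else {
    // Under 'strict-dynamic' (CSP3) host sources are ignored, so they are harmless there.
    const strictDynamic = sources.includes("'strict-dynamic'");
    for (const src of sources) {
      if (src === "'unsafe-inline'" || src === "'unsafe-eval'") {
        findings.push(`script-src allows ${src}`);
      } else if (!KEYWORDS.has(src) && !isNonceOrHash(src) && !strictDynamic) {
        findings.push(`script-src allow-lists the whole host ${src}: any script it serves can be loaded; prefer a nonce or hash with 'strict-dynamic'`);
      }
    }
  }
  if (!csp["object-src"] || !csp["object-src"].includes("'none'")) {
    findings.push("object-src should be 'none'");
  }
  const reportTo = csp["report-to"];
  if (reportTo && reportTo.some((v) => v.startsWith("/") || v.includes("://"))) {
    findings.push(`report-to takes a reporting group name, not a URL (${reportTo.join(" ")}); use report-uri for a URL`);
  }
  return findings;
}

console.log(auditCsp(SLIDE_POLICY));
console.log(auditCsp(STRICT_POLICY));
```

Run it against the slide's header and the two findings are the ones discussed on the slide: the cdnjs host allow-list and the report-to value. The nonce-based policy produces none.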

APIs are Everywhere, is CSRF still a thing?
Are we vulnerable or not...

AND SINCE IT'S AN API DO YOU HAVE ANY OTHER SUGGESTION?
Anything else?
Content-Security-Policy: sandbox; default-src 'none'; frame-ancestors 'none';
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubDomains;
Content-Disposition: attachment; filename="api.json"
Remove proprietary headers (X-Powered-By, Server, X-AspNet-Version, X-AspNetMvc-Version, ...)
Need to confirm that all responses go out with the appropriate Content-Type and charset (e.g. Content-Type: application/json; charset=utf-8)
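Added example, not from the deck: a check that an API response carries the hardening headers listed above and none of the proprietary ones. The header names and values are the slide's; the two response objects, the function names and the one-year minimum for HSTS max-age are assumptions for the demo.

```javascript
// Added example (not the deck's code): audit API response headers against the
// slide's list. Input is a plain { name: value } object, such as the headers
// of a fetch()/HTTP client response.

// Constructed sample responses: one with the slide's headers, one as a
// framework might send them by default.
const HARDENED = {
  "Content-Security-Policy": "sandbox; default-src 'none'; frame-ancestors 'none';",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains;",
  "Content-Disposition": 'attachment; filename="api.json"',
  "Content-Type": "application/json; charset=utf-8",
};
const WEAK = {
  "Content-Type": "application/json",
  "X-Powered-By": "Express",
  "Server": "nginx",
};

// Expected headers and a predicate saying whether the value is strong enough.
const REQUIRED = {
  "content-security-policy": (v) => /\bsandbox\b/.test(v) && /default-src 'none'/.test(v) && /frame-ancestors 'none'/.test(v),
  "x-frame-options": (v) => v.trim().toUpperCase() === "DENY",
  "x-content-type-options": (v) => v.trim().toLowerCase() === "nosniff",
  // One year is assumed as the minimum max-age; the slide uses two years.
  "strict-transport-security": (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return !!m && Number(m[1]) >= 31536000 && /includeSubDomains/i.test(v);
  },
  // attachment keeps a browser from rendering an API body inline.
  "content-disposition": (v) => /^attachment\b/i.test(v),
  "content-type": (v) => /^application\/json\s*;\s*charset=utf-8$/i.test(v),
};

// Headers that only disclose the technology stack.
const PROPRIETARY = ["x-powered-by", "server", "x-aspnet-version", "x-aspnetmvc-version"];

function lowerCaseKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
}

// Returns one finding per missing/weak required header and per proprietary header present.
function auditApiHeaders(headers) {
  const h = lowerCaseKeys(headers);
  const findings = [];
  for (const [name, strongEnough] of Object.entries(REQUIRED)) {
    if (!(name in h)) findings.push(`missing ${name}`);
    else if (!strongEnough(h[name])) findings.push(`weak ${name}: ${h[name]}`);
  }
  for (const name of PROPRIETARY) {
    if (name in h) findings.push(`remove ${name}: ${h[name]}`);
  }
  return findings;
}

console.log(auditApiHeaders(HARDENED)); // []
console.log(auditApiHeaders(WEAK));
```

The Content-Type predicate is deliberately strict: a JSON body served without a charset, or with a different media type, is reported as weak rather than missing, which is the case the last slide bullet is about.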

What's wrong?
$ dig jenkins.company.info
; <<>> DiG 9.20.9-1-Debian <<>> jenkins.company.info
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36255
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;jenkins.company.info. IN A
;; ANSWER SECTION:
jenkins.company.info. 300 IN CNAME rmgt-we-vm-jenkins.westeurope.cloudapp.azure.com.
rmgt-we-vm-jenkins.westeurope.cloudapp.azure.com. 10 IN A 51.145.155.113
;; Query time: 2156 msec
;; SERVER: 192.168.2.1#53(192.168.2.1) (UDP)
;; WHEN: Thu Jun 05 19:47:14 WEST 2025
;; MSG SIZE rcvd: 124
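Added example, not from the deck: the kind of check behind a "Subdomain Takeover Automation" entry on the tools slide. It parses the ANSWER SECTION of dig output and flags CNAME records whose target lives under a cloud-provider domain, because such a record hands control of the company hostname to whoever holds that provider resource; if the resource is released while the CNAME stays, the record is left dangling. The dig text is the slide's output embedded as a sample; the provider suffix list and the function names are assumptions for the demo.

```javascript
// Added example (not the deck's code): parse dig output and report CNAMEs that
// delegate a company hostname to a cloud-provider-managed name.

// The slide's dig answer, embedded as the sample under test.
const DIG_OUTPUT = `
;; QUESTION SECTION:
;jenkins.company.info. IN A
;; ANSWER SECTION:
jenkins.company.info. 300 IN CNAME rmgt-we-vm-jenkins.westeurope.cloudapp.azure.com.
rmgt-we-vm-jenkins.westeurope.cloudapp.azure.com. 10 IN A 51.145.155.113
;; Query time: 2156 msec
`;

// Assumed list of provider-managed suffixes; extend it for the providers you use.
const PROVIDER_SUFFIXES = [
  ".cloudapp.azure.com", ".azurewebsites.net", ".amazonaws.com", ".github.io", ".herokuapp.com",
];

// Collect the resource records between ";; ANSWER SECTION:" and the next ";;" line.
function parseDigAnswers(text) {
  const records = [];
  let inAnswer = false;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line.startsWith(";; ANSWER SECTION:")) { inAnswer = true; continue; }
    if (!inAnswer) continue;
    if (line === "" || line.startsWith(";")) break;
    const f = line.split(/\s+/);
    if (f.length < 5) continue;
    records.push({ name: f[0], ttl: Number(f[1]), cls: f[2], type: f[3], data: f.slice(4).join(" ") });
  }
  return records;
}

const stripDot = (name) => name.replace(/\.$/, "");

// For each CNAME into a provider domain, say which provider and whether the
// target still resolved in the same answer (no A/AAAA means a dangling candidate).
function findProviderCnames(records) {
  return records
    .filter((r) => r.type === "CNAME")
    .map((r) => {
      const target = stripDot(r.data);
      const provider = PROVIDER_SUFFIXES.find((s) => target.endsWith(s));
      const resolves = records.some(
        (x) => stripDot(x.name) === target && (x.type === "A" || x.type === "AAAA")
      );
      return provider ? { name: stripDot(r.name), target, provider, resolves } : null;
    })
    .filter(Boolean);
}

function assessDig(text) {
  return findProviderCnames(parseDigAnswers(text)).map((c) => ({
    ...c,
    status: c.resolves
      ? "delegated to provider resource; keep it inventoried and re-check when the resource is decommissioned"
      : "target no longer resolves: dangling CNAME, remove the record or reclaim the resource",
  }));
}

console.log(assessDig(DIG_OUTPUT));
```

For the slide's answer the CNAME still resolves, so the finding is an inventory item (an internal CI hostname delegated to a public cloud VM) rather than a dangling record; the same function reports the dangling case when the provider name stops answering.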

Special Thanks
To AppSec team
and Friends!



The End!


Images Credits: "Minions"
Copyright Universal Pictures and Illumination Entertainment
Day-To-Day in AppSec
By Renato Rodrigues