1. You can get a heck of a long way with very little
Vince Sesto spoke about using Anchore to scan container images for vulnerable or out-of-date packages and dependencies. I’ve seen organisations spend ludicrous amounts of money on SAST and DAST products that have fancy words like "machine learning", "heuristics" or "advanced AI" on their marketing pages. Don’t get me wrong, these tools have their place, but for many a tight security budget they’re simply out of reach.
A far more basic and boring-sounding check for outdated dependencies will get you a long way towards a more secure stack for a fraction of the cost. Whether it’s your containers, your OS or your application libraries, making sure your third-party dependencies are up to date is one of the best ways to protect yourself. Many packaging tools offer a built-in command for this, such as NPM's `npm audit`. Some might scoff and say these tools aren’t very good, but they offer a lot more than nothing at all and will only cost you your time to implement.
Another great tool worth mentioning (and an OWASP Day sponsor) is Snyk. They provide dependency checking that is easy to use, free for open source projects and doesn’t cost the earth. I use it on some of my personal projects and find it really useful for nagging me to keep my dependencies up to date.
2. Automation is key
As developers, our entire job is making computers do things without our help. Yet sometimes we let things slip and do something manually “just this once”, which turns into not “getting around” to automating it, which turns into hours and days wasted doing something that should have been automated long ago.
As much as DevSecOps is a buzzword, embedding automated security checks and controls into your build and deploy processes gives a far better return on the cost than scanning in production or periodic security tests. The number of tools available is staggering: from the dependency scanning above, to expanding unit and integration test suites to cover negative test cases, common attacks and security regressions, to the more traditional static and dynamic application security testing tools.
There were too many open source and reasonably priced “as a service” offerings to name, but needless to say there are plenty of easy-to-implement solutions that don’t cost the earth and make a massive difference to your security posture.
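To show what "embedding the dependency check in the build" can look like with nothing more than `npm audit`, here is an added example (my own, not from any of the talks or tools mentioned): a small gate that takes the JSON report `npm audit --json` produces, fails the build at a chosen severity, and lets a finding be waived only until an expiry date so accepted risks don't silently become permanent. The report shape, the waiver format and the sample report are assumptions I constructed; the functions are pure so the same logic can be wired into whichever CI system you use.

```javascript
// Added example, not from the original post. Assumes the "auditReportVersion: 2"
// shape that npm 7+ prints for `npm audit --json`: a top-level "vulnerabilities"
// object keyed by package name, each entry carrying "severity" and "fixAvailable".
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Decide whether a build should fail.
//   report    - parsed `npm audit --json` output
//   threshold - lowest severity that blocks ("high" blocks high and critical)
//   allowlist - { packageName: "YYYY-MM-DD" }, a waiver valid until that date
//   today     - injectable so expiry handling can be tested deterministically
function evaluateAudit(report, threshold, allowlist = {}, today = new Date()) {
  const minRank = SEVERITY_RANK[threshold];
  if (minRank === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const blocking = [];
  const waived = [];
  const vulns = (report && report.vulnerabilities) || {};
  for (const [name, v] of Object.entries(vulns)) {
    const rank = SEVERITY_RANK[v.severity];
    if (rank === undefined || rank < minRank) continue; // below the bar, ignore
    const until = allowlist[name];
    // A waiver only counts while unexpired; a stale waiver blocks the build again.
    if (until && new Date(until) >= today) {
      waived.push({ name, severity: v.severity, until });
      continue;
    }
    blocking.push({ name, severity: v.severity, fixAvailable: Boolean(v.fixAvailable) });
  }
  // Worst first, so the top of the CI log shows the most urgent item.
  blocking.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return { pass: blocking.length === 0, blocking, waived };
}

// Parse the raw text of `npm audit --json` and return a process exit code plus
// one log line per blocking finding (0 = pass, 1 = fail the build).
function gateFromJson(text, threshold, allowlist = {}, today = new Date()) {
  const result = evaluateAudit(JSON.parse(text), threshold, allowlist, today);
  const lines = result.blocking.map(
    (b) => `BLOCK ${b.severity} ${b.name} fix available: ${b.fixAvailable}`
  );
  return { exitCode: result.pass ? 0 : 1, lines };
}

// Constructed sample report in the v2 shape (package names are made up).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-pad": { name: "example-pad", severity: "critical", fixAvailable: true },
    "old-parser": { name: "old-parser", severity: "high", fixAvailable: false },
    "dev-linter": { name: "dev-linter", severity: "moderate", fixAvailable: true },
  },
};
```

In a pipeline step this is `npm audit --json | node gate.js`, with the exit code from `gateFromJson` deciding whether the build proceeds.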
3. Checklists are your friend
A post about OWASP Day would be incomplete without talking about the OWASP Top 10. More than that, OWASP has a vast array of lists, cheat sheets and in-depth guides on almost all facets of software development. However, as we heard from Daniel Zollinger speaking about checklists and their use in aviation and medicine, checklists don't work by themselves; they only serve as a reminder of all the things you need to do. If you aren't familiar with the things on your list, they're not going to help! Whoever is using the checklist needs to understand what it is they need to do.
Another source of checklists mentioned at OWASP Day was AWS whitepapers, and I’d also add blogs to the list. In general, if you’re going to do something in AWS, chances are AWS has published guidance to help you along the way. For example, AWS has published a list of the top 10 security items to improve in your AWS account security.