AppSecCali 2019 - The Call is Coming From Inside the House: Lessons in Securing Internal Apps
Locking down internal apps presents unique and frustrating challenges for appsec teams. Your organization may have dozens if not hundreds of sensitive internal tools, dashboards, control panels, etc., running on heterogeneous technical stacks with varying levels of code quality, technical debt, external dependencies, and maintenance commitments. How do you tackle this problem scalably with limited resources?
Come hear a dramatic and humorous tale of internal appsec and the technical and management lessons we learned along the way. Even if your focus is on securing external apps, this talk will be relevant for you. You'll hear about what worked well for us and what didn't, including:
- Finding a useful mental model to organize your roadmap
- Starting with the basics: authn/z, TLS, etc.
- Rolling out Content Security Policy
- Using SameSite cookies as a powerful entry point regulation mechanism
- Leveraging WAFs for useful detection and response
- Using internal apps as a training ground for new security engineers
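As an added illustration of two of the items above (SameSite cookies as an entry-point regulator and a report-only CSP rollout), the following Python models the browser's SameSite decision for a session cookie and builds the two headers. It is example code written for this page, not code from the talk or from Dropbox; the host names (`dashboard.corp.example`, `evil.example`), the `session` cookie name, the `/csp-report` endpoint and the helper names are assumptions, and the "site" computation is a last-two-labels approximation of the registrable domain rather than a Public Suffix List lookup.

```python
"""Added example, not from the talk: model which cross-site requests carry a
session cookie under each SameSite value, and emit a CSP header that starts
in Report-Only mode so a rollout collects violations before enforcing.
Host names, cookie name and report endpoint below are hypothetical."""
from urllib.parse import urlsplit


def site_of(url: str) -> str:
    """Approximate the 'site' (registrable domain) as the last two host labels.
    Real browsers consult the Public Suffix List; this is a simplification."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def cookie_sent(samesite: str, initiator_url: str, target_url: str,
                method: str = "GET", top_level_navigation: bool = False,
                secure_cookie: bool = True) -> bool:
    """Return True if a browser would attach the cookie to this request.

    initiator_url: the page that caused the request ("" for a typed/bookmarked
    URL, which browsers treat as same-site because there is no cross-site
    initiator).
    """
    same_site = not initiator_url or site_of(initiator_url) == site_of(target_url)
    value = samesite.lower()
    if value == "none":
        # SameSite=None is only honoured on Secure cookies; browsers drop the
        # cookie at set time otherwise, so it is never sent.
        return secure_cookie
    if same_site:
        return True
    if value == "strict":
        # Strict: no cross-site request of any kind carries the cookie, which is
        # what makes it a blunt but effective entry-point regulator for an
        # internal app that only needs to be reached directly.
        return False
    if value == "lax":
        # Lax: cross-site cookies only on top-level navigations with safe
        # methods, so a cross-site POST (classic CSRF) arrives unauthenticated.
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    raise ValueError(f"unknown SameSite value: {samesite}")


def session_cookie_header(value: str, samesite: str = "Strict") -> str:
    """Set-Cookie header for a hypothetical internal-app session cookie."""
    attrs = [f"session={value}", "Path=/", "HttpOnly", "Secure", f"SameSite={samesite}"]
    return "; ".join(attrs)


def csp_header(policy: dict, report_uri: str, report_only: bool = True) -> tuple:
    """Build (header-name, header-value) for a CSP.

    Rolling out: ship Report-Only first so violations are reported to
    report_uri without breaking the app, then flip report_only=False once the
    reports are clean.
    """
    directives = "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())
    directives += f"; report-uri {report_uri}"
    header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return header, directives


if __name__ == "__main__":
    # Constructed scenario: an attacker page on evil.example auto-submits a form
    # to a hypothetical internal dashboard.
    attacker = "https://evil.example/lure.html"
    target = "https://dashboard.corp.example/admin/delete"
    for ss in ("Strict", "Lax", "None"):
        sent = cookie_sent(ss, attacker, target, method="POST", top_level_navigation=True)
        print(f"cross-site POST with SameSite={ss}: cookie sent = {sent}")
    print(session_cookie_header("opaque-session-id"))
    print(csp_header({"default-src": ["'self'"], "object-src": ["'none'"]}, "/csp-report"))
```

Strict blocks every cross-site entry into the app, Lax still lets a cross-site top-level GET link in (so state-changing GET endpoints remain exposed), and None only works on a Secure cookie. The CSP helper defaults to the Report-Only header precisely so the first rollout step is observation rather than enforcement.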
Hongyi Hu
Security Engineer, Dropbox
Hongyi Hu is a security engineer at Dropbox, where he leads the Application Security team and frequently advises the Product and Privacy Counsel teams. He is passionate about solving problems where technology, people, and public policy intersect.
-
Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP...