AppSecSchool:
AppSec Table Top Exercises

Enjoy our additional free content from our channel
videos

AppSec Table Top Exercises

Tabletop Exercises for AppSec

Tabletop exercises offer a hands-on approach to understanding and improving application security. They are instrumental in identifying vulnerabilities, enhancing team collaboration, and providing real-world challenges.

Benefits of Tabletop Exercises

  • Strengthen Relationships: Forge better bonds within your team and with other departments.
  • Identify Blind Spots: Discover vulnerabilities and areas of improvement.
  • Engage Teams: Perfect for team activities, especially on slower days.
  • Interview Tool: Incorporate these scenarios as real-world problems during interviews.

Don't hesitate to modify the provided scenarios to cater to your organization's unique challenges. To spice things up, you can also introduce unexpected twists, such as 'X is currently on an overseas vacation and is unreachable'.

Scenarios

1. Going Live?

  • Situation: Post your morning coffee, an unplanned meeting with the engineering team reveals that an app set to launch tomorrow has a remote code execution vulnerability.

  • Points to Consider:

    • What immediate questions come to mind?
    • How would you approach this situation?

2. Log4j

  • Situation: A vulnerability akin to Log4j or Heartbleed affects your applications.

  • Points to Consider:

    • How do you determine the impacted applications?
    • What's your action plan for rectifying the situation?

3. No Bounty for You

  • Situation: A security researcher discovers a significant flaw in your main app but wants to bypass the official bug bounty program and its associated terms.

  • Points to Consider:

    • How do you manage this unconventional request?
    • Do you allow disclosure post-remediation or after a specified period?

4. The Leak

  • Situation: An inadvertent disclosure of a secret or private key on platforms like GitHub or StackOverflow by one of your team's developers.

  • Points to Consider:

    • What immediate actions are necessary?
    • How do you prevent such incidents in the future?

5. Dependency Confusion Attack

  • Situation: Your app falls prey to a Dependency Confusion Attack, identified when a service breakdown occurs during deployment.

  • Points to Consider:

    • What steps are vital to mitigate the damage?
    • How do you ensure this doesn't repeat?

Conclusion

Use these scenarios as a foundation and tailor them to your needs. Remember, the primary goal is continual growth, learning, and enhancement. Tabletop exercises are not just fun; they're an invaluable tool in refining your problem-solving and application security strategy. Dive in and start practicing today!