The science behind RASP & IAST
Jitendra Chauhan, Cigital Inc.
Instrumentation & Taint Analysis
Agenda
• Web Security Evolution
• Marketing view of RASP and IAST
• Science behind RASP and IAST
• Way Forward
• Q/A
Evolution (diagram)
Stack layers, top to bottom: Developers, SDK + Libraries, Application, Web Containers, JRE + JVM, OS, Network.
Timeline: 2001, 2010, 2012, 2015, Beyond.
Controls placed on the diagram: DAST, SAST, EASPI, WAF, Training, along a Prevention / Protection axis.
DAST vs. SAST
Vulnerability Coverage (+ covered, - limitation)

SAST
+ SQL Injection
+ Cross Site Scripting (XSS)
+ OS Commanding
+ HTTP Response Splitting
+ LDAP Injection
+ XPATH Injection
+ Path Traversal
+ Buffer Overflows
+ Format String Issues
+ Null Pointer Dereference
+ Threading Issues
+ Code Quality Issues
+ Insecure Crypto Issues
+ Issues in Non Web application Code
- Higher number of FP
- Run time Code generation
- Dynamic Languages (Ruby + Python)

DAST
+ Runtime Privilege Issues
+ Authentication Issues
+ Session Management Issues
+ Insecure 3rd Party Libraries
+ Business Logic Vulnerabilities
+ Protocol Parser Issues
- Web 2.0, JSON, Flash, HTML 5.0
- Integrity and Availability violations
- Long Execution Times
WAF vs. DAST
WAF
Positive
• Quick Turnaround Time (Virtual Patching)
Drawbacks
• Signature based (False Negatives, Bypass)
• Manage Rules (Configure -> QA -> Deploy)
• False Positives (Business disruption)
• No Protection against Business Logic Vulnerabilities
Evolution (diagram, continued)
Same stack layers and timeline as above; the Prevention / Protection axis now also carries SAST + DAST, DAST + WAF (Hybrid), RASP and IAST.
RASP: Protection configured inside the application.
IAST: Place instrumentation inside the app to confirm vulnerabilities.
Evolution (diagram, continued)
Same stack layers and timeline as above; the Prevention / Protection axis now also carries Security JVM / Containers, RASP, IAST, Security Coding IDE, Botwall and Intrusion Deception.
SQL Injection Example (diagram)
Network layer: Firewall, Hardened OS, Web Server, App Server, Firewall.
Application layer: Custom Code and business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce) in front of Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing.
Flow: HTTP request -> SQL query -> DB Table -> HTTP response.

Query sent to the database: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"

1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user (the diagram's Account Summary shows the returned account numbers)
How RASP Works? SQL Injection (same diagram as the example above, with the agent inside the application)
Flow: HTTP request -> SQL query -> Exception -> HTTP response; the DB Table is no longer on the path.

Query built by the application: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"

1. Application presents a form to the attacker
2. Attacker sends an attack in the form data. The agent taints the value returned by getParameter
3. Application creates a SQL query from the getParameter value
4. The agent intercepts the malicious query at the instrumented executeSQL method in JDBC
5. The agent responds with a SQL exception ("Exception: Invalid SQL Query"); the application returns an error to the attacker
How IAST Works? SQL Injection (same diagram, with a DAST Engine driving the requests and a Correlation Engine beside the application)
Flow: HTTP request -> SQL query -> DB Table -> HTTP response.

Query built by the application: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"

1. Application presents a form to the attacker
2. The DAST engine sends an attack in the form data. The agent taints the value returned by getParameter
3. Application creates a SQL query from the getParameter value
4. The agent stores the malicious query it observes at the instrumented executeSQL method in JDBC
5. The database executes the query containing the attack and sends results back to the application
6. Application decrypts data as normal and sends results to the user
The correlation engine matches the stored query with the DAST engine's request: Confirmed Vulnerability!!
Let us talk about some Science!!!
Components of RASP

Instrumentation points
App Containers (Tomcat/JBoss)
• javax.servlet.ServletOutputStream
• org.apache.catalina.connector.CoyoteWriter
• org.apache.coyote.tomcat5.CoyoteWriter
• javax.servlet.jsp.JspWriter
DB (JDBC / Hibernate)
• org/hibernate/impl/SessionImpl
• com/mysql/.*
• com/ibm/db2/.*
• org/postgresql/.*
Frameworks (Spring / Struts)
• org/springframework/web/HttpRequestHandler
• org/apache/struts/action/Action
• org/apache/struts/actions/DispatchAction

Engine: Instrumentation; Dynamic Taint Analysis (Taint Source, Taint Propagation, Taint Sink, Taint Policy); Exploit Analyzer; Configuration.
Components of IAST

Instrumentation points: the same app container, DB and framework classes listed under Components of RASP.

Engine: Instrumentation; Dynamic Taint Analysis (Taint Source, Taint Propagation, Taint Sink, Taint Policy); Exploit Analyzer; Correlation Engine (in place of RASP's Configuration component).
How Instrumentation Works? (diagram)
The web application's classes (a.class, b.class, running in Apache Tomcat) do not go straight into the JVM: the Instrumentation Agent's Transformation Module rewrites each class (byte code instrumentation), and the transformed class is what gets loaded into the JVM's runtime data areas (Method Area, Thread Stacks, Heap, Constant Pool, Set of Class Loaders).
How Instrumentation Works?

java -javaagent:/path/to/agent.jar com/example/mains/QueryDBTransactions

Agent.class:
void premain(String agentArgs, Instrumentation inst)
MyTransformer.class:
byte[] transform( . . . , byte[] queryTransBytes)
QueryDBTransaction.class:
void main(String[] args)

1. The JVM calls the agent's premain (the Premain-Class named in the agent jar's manifest)
2. premain registers MyTransformer with the JVM
3. The JVM gives the QueryDBTransaction bytes to MyTransformer
4. MyTransformer performs byte code manipulation
5. QueryDBTransaction is loaded and main runs
Byte Code Manipulation (Class File format)

Pipeline: Class Parser -> Class Adapter -> Class Generator -> b.class loaded into JVM.
Parser and generator each walk the class file with the visitor sequence visit, visitMethod*, visitEnd; the adapter sits between them and can emit New Classes, New Methods and New Fields.
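As an added example (not code from the deck or from Cigital), this is what the premain/transform wiring of the previous slide and the parser -> adapter -> generator pipeline of this one look like for the JDBC classes listed under Components of RASP: the agent prepends a hook call to every Statement-style execute method so the SQL text is seen before the driver runs it. It assumes Java 17, the ASM 9 library (org.objectweb.asm) packaged with the agent, and the hypothetical hook class Agent.SqlSinkHook; the method names execute/executeQuery/executeUpdate are those of java.sql.Statement.

```java
package com.example.rasp;

import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.sql.SQLException;
import java.util.List;

import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

/** Entry point; the agent jar's MANIFEST.MF names it with "Premain-Class: com.example.rasp.Agent". */
public final class Agent {
    // DB instrumentation targets from the "Components of RASP" slide, as JVM internal-name prefixes.
    static final List<String> DB_PREFIXES =
            List.of("com/mysql/", "com/ibm/db2/", "org/postgresql/", "org/hibernate/impl/SessionImpl");

    /** Step 1: the JVM calls premain before the application's main. Step 2: register the transformer. */
    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new SinkTransformer());
    }

    /** Steps 3-4: the JVM hands each class's bytes to transform(); only JDBC driver classes are rewritten. */
    static final class SinkTransformer implements ClassFileTransformer {
        @Override
        public byte[] transform(ClassLoader loader, String className, Class<?> redefined,
                                ProtectionDomain domain, byte[] classBytes) {
            if (className == null || DB_PREFIXES.stream().noneMatch(className::startsWith)) {
                return null;                                     // null tells the JVM: load unchanged
            }
            ClassReader parser = new ClassReader(classBytes);                         // class parser
            ClassWriter generator = new ClassWriter(parser, ClassWriter.COMPUTE_MAXS); // class generator
            parser.accept(new SinkClassAdapter(generator), 0);   // adapter sees visit, visitMethod*, visitEnd
            return generator.toByteArray();                      // the rewritten class that gets loaded
        }
    }

    /** Class adapter: prepends a hook call to every Statement-style execute(String sql, ...) method. */
    static final class SinkClassAdapter extends ClassVisitor {
        SinkClassAdapter(ClassVisitor next) { super(Opcodes.ASM9, next); }

        @Override
        public MethodVisitor visitMethod(int access, String name, String desc, String sig, String[] exc) {
            MethodVisitor mv = super.visitMethod(access, name, desc, sig, exc);
            boolean sqlSink = (name.equals("execute") || name.equals("executeQuery") || name.equals("executeUpdate"))
                    && desc.startsWith("(Ljava/lang/String;")                      // first parameter is the SQL text
                    && (access & (Opcodes.ACC_STATIC | Opcodes.ACC_ABSTRACT)) == 0; // instance method with a body
            if (!sqlSink) {
                return mv;
            }
            return new MethodVisitor(Opcodes.ASM9, mv) {
                @Override
                public void visitCode() {                        // method entry, before the driver's own code
                    super.visitCode();
                    visitVarInsn(Opcodes.ALOAD, 1);               // local 0 is 'this', local 1 is the SQL String
                    visitMethodInsn(Opcodes.INVOKESTATIC, "com/example/rasp/Agent$SqlSinkHook", "onExecute",
                            "(Ljava/lang/String;)V", false);     // a throw here returns before JDBC runs the query
                }
            };
        }
    }

    /** What the RASP or IAST engine plugs into the hook. */
    public interface SinkListener {
        void onExecute(String sql) throws SQLException;           // Statement.execute* already declare SQLException
    }

    /** Target of the injected call. Public so the driver's class loader, which reaches the agent jar through the
     *  system class loader, may invoke it; the engine replaces the default no-op listener at start-up. */
    public static final class SqlSinkHook {
        public static volatile SinkListener engine = sql -> { };

        public static void onExecute(String sql) throws SQLException {
            engine.onExecute(sql);
        }
    }
}
```

Classes loaded before premain ran are not revisited by addTransformer, which is why the agent must be on the java command line rather than attached later.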
Dynamic Taint Analysis (Quick & Dirty)

x = Request.getQueryParam("username")
...
y = copyString(x)
...
r = executeSQL(y)

Taint source: the input x returned by getQueryParam is tainted.
Taint propagation: data derived from user input is tainted, so y (a copy of x) is tainted; everything not derived from it stays untainted.
Taint sink: executeSQL(y) receives tainted data. Policy violation detected.
Example: Taint Propagation Rules (diagram)
Challenges in Taint Analysis
• Under Tainting -> False Negatives
• Over Tainting -> False Positives
• Taint Sanitization -> False Positives
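As an added example (not code from the deck or from Cigital), the source/propagation/sink walk-through above and the RASP and IAST flows of slides 11 and 12 in one runnable Java 17 program: per-character taint labels, a policy at the JDBC sink that either throws (RASP) or records (IAST), a correlation engine keyed on the DAST engine's request id, and the under-tainting false negative named on this slide. The class and method names (TaintAgent, Finding, changesStructure) and the one-line exploit-analyzer rule are assumptions of this example, not the deck's.

```java
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

/** A string plus a per-character taint mask: the shadow data a taint-tracking agent keeps beside the real value. */
final class Tainted {
    final String value;
    final boolean[] taint;                          // taint[i] == true: character i derives from untrusted input
    Tainted(String value, boolean[] taint) { this.value = value; this.taint = taint; }
    static Tainted clean(String v) { return new Tainted(v, new boolean[v.length()]); }
    boolean isTainted() { for (boolean t : taint) if (t) return true; return false; }
    /** Only the characters that came from the user, e.g. "' OR 1=1--". */
    String taintedPart() {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < taint.length; i++) if (taint[i]) sb.append(value.charAt(i));
        return sb.toString();
    }
}

/** One sink observation the IAST agent stores for the correlation engine. */
record Finding(String requestId, String sink, String query, String taintedPart) { }
/** The deck's instrumented hooks: taint source, propagation and sink, with a RASP or IAST policy behind the sink. */
final class TaintAgent {
    enum Mode { RASP, IAST }
    private final Mode mode;
    final List<Finding> findings = new ArrayList<>();
    private String currentRequest = "none";         // the instrumented container sets this for every HTTP request
    TaintAgent(Mode mode) { this.mode = mode; }
    void beginRequest(String id) { currentRequest = id; }
    /** Taint source: hook on Request.getQueryParam; every character of the parameter is tainted. */
    Tainted getQueryParam(String raw) {
        boolean[] all = new boolean[raw.length()];
        Arrays.fill(all, true);
        return new Tainted(raw, all);
    }
    /** Propagation rule: a copy is exactly as tainted as its input. */
    Tainted copyString(Tainted in) { return new Tainted(in.value, in.taint.clone()); }
    /** Propagation rule: concatenation keeps each character's own label. */
    Tainted concat(Tainted a, Tainted b) {
        boolean[] m = Arrays.copyOf(a.taint, a.taint.length + b.taint.length);
        System.arraycopy(b.taint, 0, m, a.taint.length, b.taint.length);
        return new Tainted(a.value + b.value, m);
    }
    /** Under tainting: a library call the agent never instrumented drops the labels (the false-negative case). */
    Tainted unmodelledCall(Tainted in) { return Tainted.clean(new StringBuilder(in.value).toString()); }

    /** Exploit analyzer, a deliberately simple stand-in: user characters that close a string literal, end a
     *  statement or open a comment have changed the query's structure; a plain value such as "alice" has not. */
    static boolean changesStructure(Tainted q) {
        String t = q.taintedPart();
        return t.indexOf('\'') >= 0 || t.indexOf(';') >= 0 || t.contains("--");
    }

    /** Taint sink: hook on the instrumented JDBC executeSQL method. */
    String executeSQL(Tainted query) throws SQLException {
        if (query.isTainted()) {                                   // taint policy: user data reached a SQL sink
            if (mode == Mode.RASP && changesStructure(query))
                throw new SQLException("Invalid SQL Query");       // slide 11: stopped before the database
            if (mode == Mode.IAST)                                 // slide 12: let it run, remember the sink hit
                findings.add(new Finding(currentRequest, "JDBC.executeSQL", query.value, query.taintedPart()));
        }
        return "rows for: " + query.value;                         // the real JDBC call would run here
    }
}

/** IAST correlation engine: a stored finding is confirmed when its request is one the DAST engine attacked with. */
final class CorrelationEngine {
    static List<Finding> confirm(Set<String> dastRequests, List<Finding> findings) {
        List<Finding> confirmed = new ArrayList<>();
        for (Finding f : findings) if (dastRequests.contains(f.requestId())) confirmed.add(f);
        return confirmed;
    }
}

public class TaintDemo {
    static final String ATTACK = "' OR 1=1--";                     // the payload from the deck's SQL injection slides
    static final String PREFIX = "SELECT * FROM accounts WHERE acct='";
    /** The deck's three-line program, source -> copyString -> executeSQL, the query built by concatenation. */
    static String handler(TaintAgent agent, String username) throws SQLException {
        Tainted x = agent.getQueryParam(username);
        Tainted y = agent.copyString(x);
        return agent.executeSQL(agent.concat(agent.concat(Tainted.clean(PREFIX), y), Tainted.clean("'")));
    }
    public static void main(String[] args) throws Exception {
        TaintAgent rasp = new TaintAgent(TaintAgent.Mode.RASP);
        rasp.beginRequest("req-1");
        System.out.println("RASP, normal user: " + handler(rasp, "alice"));     // tainted but harmless: allowed
        try { handler(rasp, ATTACK); }
        catch (SQLException e) { System.out.println("RASP, attack: " + e.getMessage()); }   // Invalid SQL Query

        TaintAgent iast = new TaintAgent(TaintAgent.Mode.IAST);
        iast.beginRequest("dast-42");
        handler(iast, ATTACK);                        // the DAST engine's request executes and is recorded
        iast.beginRequest("user-7");
        handler(iast, "alice");                       // an ordinary request is recorded too, but never confirmed
        System.out.println("IAST confirmed: " + CorrelationEngine.confirm(Set.of("dast-42"), iast.findings));

        Tainted lost = rasp.concat(Tainted.clean(PREFIX), rasp.unmodelledCall(rasp.getQueryParam(ATTACK)));
        System.out.println("Under tainting, executed anyway: " + rasp.executeSQL(lost));
    }
}
```

Without the exploit-analyzer step the RASP mode would also reject "alice", since any tainted byte at the sink violates the pure taint policy; that gap between "tainted" and "exploit" is where the over-tainting false positives of this slide come from.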
Challenges

RASP
• Performance overhead of Instrumentation and Taint Analysis. Are you ready for it?
• Taint Analysis Challenges: False Positives, False Negatives
• No protection from logical vulnerabilities

IAST
• Time to discover vs. time to fix
• Instrumentation of the production code
• Has all the limitations of DAST

QA

More Related Content

What's hot

Evaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenEvaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt Cohen
Inman News
 
[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities
OWASP
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentest
OWASP
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
baoyin
 
[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps
OWASP
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
 
Security hole #5 application security science or quality assurance
Security hole #5 application security   science or quality assuranceSecurity hole #5 application security   science or quality assurance
Security hole #5 application security science or quality assurance
Tjylen Veselyj
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
 WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!
42Crunch
 

What's hot (20)

Evaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenEvaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt Cohen
 
[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentest
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security -  API Security top 10 - Erez YalonCheckmarx meetup API Security -  API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application Security
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!
 
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & LimitationsDAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Hack through Injections
Hack through InjectionsHack through Injections
Hack through Injections
 
[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patterns
 
Security hole #5 application security science or quality assurance
Security hole #5 application security   science or quality assuranceSecurity hole #5 application security   science or quality assurance
Security hole #5 application security science or quality assurance
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
 WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference Guide
 
Finacle - Secure Coding Practices
Finacle - Secure Coding PracticesFinacle - Secure Coding Practices
Finacle - Secure Coding Practices
 

Viewers also liked

What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?
Sherif Koussa
 
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Sherif Koussa
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
Sherif Koussa
 

Viewers also liked (6)

What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?
 
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis OverviewSAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
 

Similar to Application Security Workshop

Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007
ClubHack
 
RAHUL_Updated( (2)
RAHUL_Updated( (2)RAHUL_Updated( (2)
RAHUL_Updated( (2)
Rahul Singh
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Jeremiah Grossman
 
Nitesh_Sr._Java_developer_Lead
Nitesh_Sr._Java_developer_Lead Nitesh_Sr._Java_developer_Lead
Nitesh_Sr._Java_developer_Lead
Nitesh Dasari
 
CTU June 2011 - Things that Every ASP.NET Developer Should Know
CTU June 2011 - Things that Every ASP.NET Developer Should KnowCTU June 2011 - Things that Every ASP.NET Developer Should Know
CTU June 2011 - Things that Every ASP.NET Developer Should Know
Spiffy
 
Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2
guest66dc5f
 

Similar to Application Security Workshop (20)

Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007
 
Architecting For The Windows Azure Platform
Architecting For The Windows Azure PlatformArchitecting For The Windows Azure Platform
Architecting For The Windows Azure Platform
 
StrongLoop Overview
StrongLoop OverviewStrongLoop Overview
StrongLoop Overview
 
RAHUL_Updated( (2)
RAHUL_Updated( (2)RAHUL_Updated( (2)
RAHUL_Updated( (2)
 
Polysource-IT Profile
Polysource-IT ProfilePolysource-IT Profile
Polysource-IT Profile
 
Polysource-IT Profile
Polysource-IT ProfilePolysource-IT Profile
Polysource-IT Profile
 
Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2
 
Observability in real time at scale
Observability in real time at scaleObservability in real time at scale
Observability in real time at scale
 
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns FrameworksMike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
Nitesh_Sr._Java_developer_Lead
Nitesh_Sr._Java_developer_Lead Nitesh_Sr._Java_developer_Lead
Nitesh_Sr._Java_developer_Lead
 
Rajeev_Resume
Rajeev_ResumeRajeev_Resume
Rajeev_Resume
 
Poly Source It Profile
Poly Source It ProfilePoly Source It Profile
Poly Source It Profile
 
Polysource It Profile
Polysource It ProfilePolysource It Profile
Polysource It Profile
 
CTU June 2011 - Things that Every ASP.NET Developer Should Know
CTU June 2011 - Things that Every ASP.NET Developer Should KnowCTU June 2011 - Things that Every ASP.NET Developer Should Know
CTU June 2011 - Things that Every ASP.NET Developer Should Know
 
Power of ONE Automation through Web Services
Power of ONE Automation through Web ServicesPower of ONE Automation through Web Services
Power of ONE Automation through Web Services
 
aip-developer-intro_pag2015
aip-developer-intro_pag2015aip-developer-intro_pag2015
aip-developer-intro_pag2015
 
Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2
 
KASSAHUNSolomonResume
KASSAHUNSolomonResumeKASSAHUNSolomonResume
KASSAHUNSolomonResume
 
gofortution
gofortutiongofortution
gofortution
 

More from Priyanka Aash

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 

Application Security Workshop

  • 1. The science behind RASP & IAST Jitendra Chauhan Cigital Inc. Instrumentation & Taint Analysis
  • 2. Agenda Web Security Evolution Marketing view of RASP and IAST Science Behind RASP and IAST Way Forward Q/A
  • 3. Evolution Developers SDK + Libraries Application Web Containers JRE + JVM OS Network 2001 2010 2012 2015 Beyond DAST SAST EASPI WAF Training Prevention Protection
  • 4. DAST vs. SAST 4 + SQL Injection + Cross Site Scripting (XSS) + OS Commanding + HTTP Response Splitting + LDAP Injection + XPATH Injection + Path Traversal + Buffer Overflows + Format String Issues + Null Pointer Dereference + Threading Issues + Code Quality Issues + Insecure Crypto Issues + Issues in Non Web application Code - Higher number of FP - Run time Code generation - Dynamic Languages (Ruby + Python) Vulnerability Coverage + Runtime Privilege Issues + Authentication Issues + Session Management Issues + Insecure 3rd Party Libraries + Business Logic Vulnerabilities + Protocol Parser Issues - Web2.0, JSON, Flash, HTML 5.0, - Integrity and Availability violations - Long Execution Times
  • 5. WAF vs. DAST WAF Positive Quick Turnaround Time (Virtual Patching) Drawbacks Signature based (False Negatives, Bypass) Manage Rules (Configure  QA  Deploy) False Positives (Business disruption) No Protection against Business Logic Vulnerabilities
  • 6. Evolution Developers SDK + Libraries Application Web Containers JRE + JVM OS Network 2001 2010 2012 2015 Beyond DAST SAST EASPI SAST + DAST WAF Training DAST+ WAF Hybrid RASP IAST Prevention Protection
  • 9. Evolution Developers SDK + Libraries Application Web Containers JRE + JVM OS Network 2001 2010 2012 2015 Beyond DAST SAST EASPI SAST + DAST WAF Training DAST+ WAF Hybrid Security JVM Containers RASP IAST Security Coding IDE Botwall Intrusion Deception Prevention Protection
  • 10. SQL Injection Example Firewall Hardened OS Web Server App Server Firewall Databases LegacySystems WebServices Directories HumanResrcs Billing Custom Code APPLICATION ATTACK NetworkLayerApplicationLayer Accounts Finance Administration Transactions Communication KnowledgeMgmt E-Commerce Bus.Functions HTTP request  SQL query  DB Table   HTTP response   "SELECT * FROM accounts WHERE acct=‘’ OR 1=1-- ’" 1. Application presents a form to the attacker 2. Attacker sends an attack in the form data 3. Application forwards attack to the database in a SQL query Account Summary Acct:5424-6066-2134-4334 Acct:4128-7574-3921-0192 Acct:5424-9383-2039-4029 Acct:4128-0004-1234-0293 4. Database runs query containing attack and sends encrypted results back to application 5. Application decrypts data as normal and sends results to the user Account: SKU: Account: SKU: 10
  • 11. How RASP Works? SQL Injection
    (Same deployment diagram as slide 10; the RASP agent sits inside the application.)
    HTTP request -> SQL query -> Exception -> HTTP response
    "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
    1. Application presents a form to the attacker
    2. Attacker sends an attack in the form data. The agent taints the value returned by getParameter
    3. Application builds the SQL query from the getParameter value
    4. The agent intercepts the malicious query in the instrumented executeSQL method of the JDBC driver
    5. The agent responds with a SQL exception ("Invalid SQL Query"); the application returns an error to the attacker
  • 12. How IAST Works? SQL Injection
    (Same deployment diagram as slide 10, with a DAST engine driving the requests and a correlation engine receiving the agent's findings.)
    HTTP request -> SQL query -> DB table -> HTTP response
    "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
    1. Application presents a form to the attacker
    2. The DAST engine sends an attack in the form data. The agent taints the value returned by getParameter
    3. Application builds the SQL query from the getParameter value
    4. The agent stores the malicious query in the instrumented executeSQL method of the JDBC driver
    5. The database executes the query containing the attack and sends results back to the application
    6. Application decrypts data as normal and sends results to the user
    The correlation engine matches the DAST engine's request with the query stored by the agent: Confirmed Vulnerability!!
  • 13. Let us talk about some Science!!!
  • 14. Components of RASP
    Instrumentation (hook points):
    • App containers (Tomcat/JBoss): javax.servlet.ServletOutputStream, org.apache.catalina.connector.CoyoteWriter, org.apache.coyote.tomcat5.CoyoteWriter, javax.servlet.jsp.JspWriter
    • DB (JDBC / Hibernate): org/hibernate/impl/SessionImpl, com/mysql/.*, com/ibm/db2/.*, org/postgresql/.*
    • Frameworks (Spring / Struts): org/springframework/web/HttpRequestHandler, org/apache/struts/action/Action, org/apache/struts/actions/DispatchAction
    Dynamic taint analysis: taint source, taint propagation, taint sink, taint policy
    Exploit analyzer
    Configuration
  • 15. Components of IAST
    Instrumentation (hook points):
    • App containers (Tomcat/JBoss): javax.servlet.ServletOutputStream, org.apache.catalina.connector.CoyoteWriter, org.apache.coyote.tomcat5.CoyoteWriter, javax.servlet.jsp.JspWriter
    • DB (JDBC / Hibernate): org/hibernate/impl/SessionImpl, com/mysql/.*, com/ibm/db2/.*, org/postgresql/.*
    • Frameworks (Spring / Struts): org/springframework/web/HttpRequestHandler, org/apache/struts/action/Action, org/apache/struts/actions/DispatchAction
    Dynamic taint analysis: taint source, taint propagation, taint sink, taint policy
    Exploit analyzer
    Correlation engine
  • 16. How Instrumentation Works?
    (Diagram: the web application's a.class and b.class pass from Apache Tomcat's set of class loaders into the JVM; the byte code instrumentation agent's transformation module rewrites a.class before it reaches the JVM runtime data areas (method area, thread stacks, heap, constant pool).)
  • 17. How Instrumentation Works?
    (Same diagram as slide 16: the instrumented a.class is now loaded into the JVM runtime data areas alongside b.class.)
  • 18. How Instrumentation Works?
    java -javaagent:/path/to/agent.jar com/example/mains/QueryDBTransactions
    Agent.class: void premain(String agentArgs, Instrumentation inst)
    MyTransformer.class: byte[] transform(..., byte[] queryTransBytes)
    QueryDBTransaction.class: void main(String[] args)
    1. The JVM calls the agent's premain, named in the agent JAR's manifest
    2. premain registers MyTransformer with the JVM through the Instrumentation instance
    3. The JVM hands the bytes of QueryDBTransaction to MyTransformer
    4. MyTransformer performs byte code manipulation on them
    5. QueryDBTransaction is loaded and its main runs
  • 20. Byte Code Manipulation
    Pipeline: Class Parser -> Class Adapter -> Class Generator -> b.class loaded into JVM
    Parser and adapter both follow the visitor sequence: visit, visitMethod*, visitEnd
    The adapter can emit new classes, new methods and new fields
  • 21. Dynamic Taint Analysis (Quick & Dirty)
      x = Request.getQueryParam("username")
      ...
      y = copyString(x)
      ...
      r = executeSQL(y)
  • 22. Dynamic Taint Analysis (Quick & Dirty)
      x = Request.getQueryParam("username")   <- input is tainted
      ...
      y = copyString(x)
      ...
      r = executeSQL(y)
  • 23. Dynamic Taint Analysis (Quick & Dirty)
      x = Request.getQueryParam("username")   <- input is tainted (x: tainted)
      ...
      y = copyString(x)                        <- y: still untainted at this point of the analysis
      ...
      r = executeSQL(y)
  • 24. Taint Propagation
      x = Request.getQueryParam("username")   <- tainted
      ...
      y = copyString(x)                        <- tainted: data derived from user input is tainted
      ...
      r = executeSQL(y)                        <- untainted
  • 25. Taint Sink
      x = Request.getQueryParam("username")   <- tainted
      ...
      y = copyString(x)                        <- tainted
      ...
      r = executeSQL(y)                        <- sink reached with tainted data: policy violation detected
  • 27. Challenges in Taint Analysis
    • Under tainting -> false negatives
    • Over tainting -> false positives
    • Taint sanitization -> false positives
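A runnable model of slides 21 to 25, of the sink behaviour on slides 11 and 12 (RASP blocks, IAST records for the correlation engine), and of the sanitization point on slide 27, added here and not taken from the deck. The agents in the deck hook the real getParameter/executeSQL methods through JVM byte code instrumentation; in this Python model plain functions stand in for the instrumented methods, and the request dictionary, the sanitizer to_account_id and the findings list are constructed for the example.

```python
import re

class Tainted(str):
    """A string carrying a taint label: data derived from user input."""

def propagate(fn):
    """Taint propagation: a string result built from any tainted argument is tainted.
    Only wrapped operations propagate taint; an uninstrumented one drops it
    (the under-tainting problem of slide 27)."""
    def wrapper(*args):
        result = fn(*args)
        if isinstance(result, str) and any(isinstance(a, Tainted) for a in args):
            return Tainted(result)
        return result
    return wrapper

@propagate
def copy_string(s):          # stands in for copyString on slide 21
    return str(s)

@propagate
def concat(a, b):
    return str(a) + str(b)

def get_query_param(request, name):
    """Taint source (stands in for Request.getQueryParam): request data is tainted."""
    return Tainted(request[name])

def to_account_id(s):
    """Sanitizer (constructed): strictly validated data is returned untainted."""
    if not re.fullmatch(r"\d{4}-\d{4}-\d{4}-\d{4}", s):
        raise ValueError("invalid account id")
    return str(s)            # plain str, taint label removed

class TaintViolation(Exception):
    """Raised by the sink in RASP mode when the taint policy is violated."""

findings = []                # IAST: tainted queries stored for the correlation engine

def execute_sql(query, mode):
    """Taint sink (stands in for executeSQL). Policy: no tainted data reaches the DB."""
    if isinstance(query, Tainted):
        if mode == "rasp":
            raise TaintViolation("blocked: " + query)   # slide 11, steps 4-5
        findings.append(str(query))                      # slide 12, step 4: record, let it run
    return "rows for " + query                           # constructed stand-in for the DB

def handle(request, mode, sanitize=False):
    """The vulnerable flow of slide 21; sanitize=True routes the input through the sanitizer."""
    x = get_query_param(request, "username")
    y = to_account_id(x) if sanitize else copy_string(x)
    sql = concat(concat("SELECT * FROM accounts WHERE acct='", y), "'")
    return execute_sql(sql, mode)
```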
  • 28. Challenges
    RASP
    • Performance overhead of instrumentation and taint analysis. Are you ready for it?
    • Taint analysis challenges: false positives, false negatives
    • No protection from logical vulnerabilities
    IAST
    • Time to discover vs. time to fix
    • Instrumentation of the production code
    • Has all the limitations of DAST
  • 29. QA