SlideShare a Scribd company logo

Providence: rapid vulnerability prevention

Salesforce Engineering
Salesforce Engineering

Talk given by Max Feldman, Product Security Engineer at Salesforce, at AppSec USA. One challenging aspect of achieving software security is the struggle to catch up with the speed of development and deployment. We built Providence with the goal of preventing obvious bugs from ever being deployed into production. Providence is a lightweight and scalable tool which finds bugs and anti-patterns of varying complexity from code commits, and we’ve used it to prevent vulnerabilities ranging from XSS, to access control issues, to XXE. It works by continuously monitoring and pulling commits from version control systems and scanning them for bugs with rules defined in plugins. Additional plugins are easy to create and deploy, which has allowed for quick reaction to new bugs or problems as they are discovered. Providence is easily integrated with SDLC workflows or bug-tracking tools, and we will discuss how we have integrated it in-house in an unobtrusive manner. This model of addressing issues also provides relative immediacy of resolution; on average, potential problems found by Providence are resolved more quickly than other vulnerabilities because developers are presented the issues right after they commit the code, instead of weeks to months later. We are currently in the process of open-sourcing Providence in order to share the tool with the DevOps/security community (or any interested parties). This talk will cover the internals of Providence, its engine and plugin architecture (including examples of plugins and their ease of creation), as well as its integration with our SDLC and the faster and more efficient responses we’ve achieved as a result. We’re continuing to build new plugins and features, and we’re excited see what ideas others may have in mind!

Engineering
1 of 33
Providence: rapid vulnerability prevention Max Feldman, Xiaoran Wang, Hormzard Billimoria
Agenda • Background • Intro to Providence • Plugins, Plugins Demos • Our Deployment and Metrics • Future Work • Conclusion
Team Intro • Max Feldman • Xiaoran Wang www.attacker-domain.com • Hormazd Billimoria @hormazdb
Current state of SCA/RTA • Static code analysis – Slow, scans can’t catch up with daily deployment – thorough, but resource intensive – A lot of false positives • Run-time analysis – fast, but requires continuous building and running of application – may not hit all code paths – may require special instrumentation
What we needed • Something faster, more scalable – SCA - could take up to a few weeks for a complete scan – but many vulnerabilities are easier to find (exec, hardcoded passwords…) – in that time it’s also easy for devs to lose context
What we needed • Something easier to update – SCA can have complicated rules, higher learning curve – Ideal - rules which are easy to write, even for new users
What we needed • Something with low false negatives – if something is low-hanging fruit or easy to catch, we didn’t want to miss it – acceptable to have a bit more noise as long as we aren’t missing anything • Providence- check-in time analysis
Providence overview and architecture
How Providence works • Polls one or more version control systems, runs plugins against the commits – for us- p4 (and a bit of git), variety of plugins • Plugin finds something suspicious – looks up committer – files an investigation to the security person in charge of their area – more functionality possible • Plugins can look at the diffs, full code, whatever is necessary
Providence architecture
Providence architecture (cont.d) • scheduler – schedules things to run every x minutes – necessary when API doesn’t provide push • eg p4 • watcher engine – watchers correspond to a particular VCS – they have the code to interact with that api
Providence architecture (cont.d) • rule engine – if a change meets the criteria of a plugin, the plugin’s rules are run – could be a regex, with arbitrary logic – alerts and logging (or investigation creation) can be created as well • plugins – logics done on the diff (or the file itself) – the magic behind providence – we will dive into it more soon • alerts – email – custom alerts – custom integration with workflows
VCS integrations • we currently support – P4 – github (internal or external) • Extensions depend on ease of API • other things we would like to support – jira – hipchat – your platform of choice?
Benefits • doesn’t miss anything that comes in – rules are meant to be simpler, eg. searching for a certain line • immediacy of results – dev doesn’t have to context switch • rapid deployment of new rules – eg. new vuln comes out- add a new rule, from then on out it will be prevented • scalable • failure of one rule doesn’t affect others • lightweight
Providence plugins
Plugins • Runtime Exec • Direct usage of Crypto functions • IP whitelisting bypass • XXE
Plugins • Secret stored in the source code • Servlet created without access check • Usage of privileged modes in the source code • Direct access to sensitive services like HSM • XSS in HTML pages
PLUGINS DEMO • XXE in Java • LocalStorage in JavaScript
Plugin Demos (backup) - Java Rules
Plugin Demos (backup) - Java Source
Plugin Demos (backup) - Email Alert
Plugin Demos (backup) - JS Rules
Plugin Demos (backup) - JS File
Plugin Demos (backup) - Email Alert
Providence in SDLC, metrics
Deployment to SDLC • Integrate with bug tracking • Integrate with environment for stats/metrics
Metrics (March - mid august) • 48,000 commits • 250 alerts • 40 bugs prevented
Future work
Future work • run rules against all commits (go back to beginning of history) • more VCS • more plugins (alerts to new platforms) • more integrations with bug trackers, alert systems, etc. • IDE enhancements and process integrations. (pre, post commit)
Future stats and metrics • More advanced metrics – severity predictions/estimates • ML algorithms to evaluate likelihood of severity • More data- learn as we go, improve the accuracy and efficacy of Providence in our own SDLC and its effectiveness as a tool
Open Source • https://github.com/SalesforceEng/Providence • Welcome contributors/suggestions/sharing of knowledge and best practices
Conclusion • Providence is a new tool that bridges security automation and rapid, continuous deployment • How an organization can benefit from this tool • How Providence can be integrated into an organization’s SDLC • How to create and deploy plugins and rules for particular needs
thank y u

Recommended

DevOps in Salesforce AppCloud
DevOps in Salesforce AppCloudDevOps in Salesforce AppCloud
DevOps in Salesforce AppCloudrsg00usa
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDrkadayam
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps JourneyVeracode
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015Shannon Lietz
 
Integrating Security into DevOps
Integrating Security into DevOpsIntegrating Security into DevOps
Integrating Security into DevOpsCloudPassage
 
Resilience and Compliance at Speed and Scale
Resilience and Compliance at Speed and ScaleResilience and Compliance at Speed and Scale
Resilience and Compliance at Speed and ScaleJason Chan
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt Tesauro
 

Recommended

DevOps in Salesforce AppCloud
DevOps in Salesforce AppCloudDevOps in Salesforce AppCloud
DevOps in Salesforce AppCloudrsg00usa
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDrkadayam
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps JourneyVeracode
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015Shannon Lietz
 
Integrating Security into DevOps
Integrating Security into DevOpsIntegrating Security into DevOps
Integrating Security into DevOpsCloudPassage
 
Resilience and Compliance at Speed and Scale
Resilience and Compliance at Speed and ScaleResilience and Compliance at Speed and Scale
Resilience and Compliance at Speed and ScaleJason Chan
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt Tesauro
 
American Megatrends India Corporate Profile
American Megatrends India Corporate ProfileAmerican Megatrends India Corporate Profile
American Megatrends India Corporate ProfileAmerican Megatrends India
 
we45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept Presentationwe45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept PresentationAbhay Bhargav
 
Resilience and Security @ Scale: Lessons Learned
Resilience and Security @ Scale: Lessons LearnedResilience and Security @ Scale: Lessons Learned
Resilience and Security @ Scale: Lessons LearnedJason Chan
 
we45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA Chennaiwe45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA ChennaiAbhay Bhargav
 
Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Virtual Forge
 
Taking Splunk to the Next Level - Manager
Taking Splunk to the Next Level - ManagerTaking Splunk to the Next Level - Manager
Taking Splunk to the Next Level - ManagerSplunk
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedJason Chan
 
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything CA Technologies
 
Simplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsSimplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsKevin Fealey
 
Microservice Monitoring and Quality Management for Modern Apps and Infrastruc...
Microservice Monitoring and Quality Management for Modern Apps and Infrastruc...Microservice Monitoring and Quality Management for Modern Apps and Infrastruc...
Microservice Monitoring and Quality Management for Modern Apps and Infrastruc...Jules Pierre-Louis
 
Open Source Infrastructure / Development & Security > How to make it work?
Open Source Infrastructure / Development & Security > How to make it work? Open Source Infrastructure / Development & Security > How to make it work?
Open Source Infrastructure / Development & Security > How to make it work? Kangaroot
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneweaveraaaron
 
Splitting the Check on Compliance and Security
Splitting the Check on Compliance and SecuritySplitting the Check on Compliance and Security
Splitting the Check on Compliance and SecurityJason Chan
 
Top 10 Tips for Securing and Scaling Atlassian Cloud
Top 10 Tips for Securing and Scaling Atlassian CloudTop 10 Tips for Securing and Scaling Atlassian Cloud
Top 10 Tips for Securing and Scaling Atlassian CloudAtlassian
 
From rogue one to rebel alliance by Peter Chestna
From rogue one to rebel alliance by Peter ChestnaFrom rogue one to rebel alliance by Peter Chestna
From rogue one to rebel alliance by Peter ChestnaDevSecCon
 
Security Change Management: Agility vs. Control
Security Change Management: Agility vs. ControlSecurity Change Management: Agility vs. Control
Security Change Management: Agility vs. ControlAlgoSec
 
Putting the Sec into DevOps
Putting the Sec into DevOpsPutting the Sec into DevOps
Putting the Sec into DevOpsMaytal Levi
 
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...garrett honeycutt
 
Effective DevSecOps
Effective DevSecOpsEffective DevSecOps
Effective DevSecOpsPawel Krawczyk
 
Integrating SAP into DevOps Pipelines: Why and How
Integrating SAP into DevOps Pipelines: Why and HowIntegrating SAP into DevOps Pipelines: Why and How
Integrating SAP into DevOps Pipelines: Why and HowDevOps.com
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauroMatt Tesauro
 
Devops as a service
Devops as a serviceDevops as a service
Devops as a serviceSaravanan Subburayal
 

More Related Content

What's hot

we45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept Presentationwe45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept PresentationAbhay Bhargav
 
Resilience and Security @ Scale: Lessons Learned
Resilience and Security @ Scale: Lessons LearnedResilience and Security @ Scale: Lessons Learned
Resilience and Security @ Scale: Lessons LearnedJason Chan
 
we45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA Chennaiwe45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA ChennaiAbhay Bhargav
 
Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Virtual Forge
 
Taking Splunk to the Next Level - Manager
Taking Splunk to the Next Level - ManagerTaking Splunk to the Next Level - Manager
Taking Splunk to the Next Level - ManagerSplunk
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedJason Chan
 
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything CA Technologies
 
Simplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsSimplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsKevin Fealey
 
Microservice Monitoring and Quality Management for Modern Apps and Infrastruc...
Microservice Monitoring and Quality Management for Modern Apps and Infrastruc...Microservice Monitoring and Quality Management for Modern Apps and Infrastruc...
Microservice Monitoring and Quality Management for Modern Apps and Infrastruc...Jules Pierre-Louis
 
Open Source Infrastructure / Development & Security > How to make it work?
Open Source Infrastructure / Development & Security > How to make it work? Open Source Infrastructure / Development & Security > How to make it work?
Open Source Infrastructure / Development & Security > How to make it work? Kangaroot
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneweaveraaaron
 
Splitting the Check on Compliance and Security
Splitting the Check on Compliance and SecuritySplitting the Check on Compliance and Security
Splitting the Check on Compliance and SecurityJason Chan
 
Top 10 Tips for Securing and Scaling Atlassian Cloud
Top 10 Tips for Securing and Scaling Atlassian CloudTop 10 Tips for Securing and Scaling Atlassian Cloud
Top 10 Tips for Securing and Scaling Atlassian CloudAtlassian
 
From rogue one to rebel alliance by Peter Chestna
From rogue one to rebel alliance by Peter ChestnaFrom rogue one to rebel alliance by Peter Chestna
From rogue one to rebel alliance by Peter ChestnaDevSecCon
 
Security Change Management: Agility vs. Control
Security Change Management: Agility vs. ControlSecurity Change Management: Agility vs. Control
Security Change Management: Agility vs. ControlAlgoSec
 
Putting the Sec into DevOps
Putting the Sec into DevOpsPutting the Sec into DevOps
Putting the Sec into DevOpsMaytal Levi
 
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...garrett honeycutt
 
Integrating SAP into DevOps Pipelines: Why and How
Integrating SAP into DevOps Pipelines: Why and HowIntegrating SAP into DevOps Pipelines: Why and How
Integrating SAP into DevOps Pipelines: Why and HowDevOps.com
 

What's hot (20)

American Megatrends India Corporate Profile
American Megatrends India Corporate ProfileAmerican Megatrends India Corporate Profile
American Megatrends India Corporate Profile
 
we45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept Presentationwe45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept Presentation
 
Resilience and Security @ Scale: Lessons Learned
Resilience and Security @ Scale: Lessons LearnedResilience and Security @ Scale: Lessons Learned
Resilience and Security @ Scale: Lessons Learned
 
we45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA Chennaiwe45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA Chennai
 
Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?
 
Taking Splunk to the Next Level - Manager
Taking Splunk to the Next Level - ManagerTaking Splunk to the Next Level - Manager
Taking Splunk to the Next Level - Manager
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons Learned
 
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
 
Simplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsSimplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security Tools
 
Microservice Monitoring and Quality Management for Modern Apps and Infrastruc...
Microservice Monitoring and Quality Management for Modern Apps and Infrastruc...Microservice Monitoring and Quality Management for Modern Apps and Infrastruc...
Microservice Monitoring and Quality Management for Modern Apps and Infrastruc...
 
Open Source Infrastructure / Development & Security > How to make it work?
Open Source Infrastructure / Development & Security > How to make it work? Open Source Infrastructure / Development & Security > How to make it work?
Open Source Infrastructure / Development & Security > How to make it work?
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
 
Splitting the Check on Compliance and Security
Splitting the Check on Compliance and SecuritySplitting the Check on Compliance and Security
Splitting the Check on Compliance and Security
 
Top 10 Tips for Securing and Scaling Atlassian Cloud
Top 10 Tips for Securing and Scaling Atlassian CloudTop 10 Tips for Securing and Scaling Atlassian Cloud
Top 10 Tips for Securing and Scaling Atlassian Cloud
 
From rogue one to rebel alliance by Peter Chestna
From rogue one to rebel alliance by Peter ChestnaFrom rogue one to rebel alliance by Peter Chestna
From rogue one to rebel alliance by Peter Chestna
 
Security Change Management: Agility vs. Control
Security Change Management: Agility vs. ControlSecurity Change Management: Agility vs. Control
Security Change Management: Agility vs. Control
 
Putting the Sec into DevOps
Putting the Sec into DevOpsPutting the Sec into DevOps
Putting the Sec into DevOps
 
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...
 
Effective DevSecOps
Effective DevSecOpsEffective DevSecOps
Effective DevSecOps
 
Integrating SAP into DevOps Pipelines: Why and How
Integrating SAP into DevOps Pipelines: Why and HowIntegrating SAP into DevOps Pipelines: Why and How
Integrating SAP into DevOps Pipelines: Why and How
 

Similar to Providence: rapid vulnerability prevention

Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauroMatt Tesauro
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Profiling and Tuning a Web Application - The Dirty Details
Profiling and Tuning a Web Application - The Dirty DetailsProfiling and Tuning a Web Application - The Dirty Details
Profiling and Tuning a Web Application - The Dirty DetailsAchievers Tech
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPSimon Bennetts
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsAlert Logic
 
No Devops Without Continuous Testing
No Devops Without Continuous TestingNo Devops Without Continuous Testing
No Devops Without Continuous TestingParasoft
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with PythonAbhay Bhargav
 
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...Denim Group
 
Monitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance AnalysisMonitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance AnalysisBrendan Gregg
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of ITCloudPassage
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alAlert Logic
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsAlert Logic
 

Similar to Providence: rapid vulnerability prevention (20)

Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
 
Devops as a service
Devops as a serviceDevops as a service
Devops as a service
 
Meetup callback
Meetup callbackMeetup callback
Meetup callback
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Profiling and Tuning a Web Application - The Dirty Details
Profiling and Tuning a Web Application - The Dirty DetailsProfiling and Tuning a Web Application - The Dirty Details
Profiling and Tuning a Web Application - The Dirty Details
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
 
Salesforce static code analysis
Salesforce static code analysisSalesforce static code analysis
Salesforce static code analysis
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
 
No Devops Without Continuous Testing
No Devops Without Continuous TestingNo Devops Without Continuous Testing
No Devops Without Continuous Testing
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
Redundant devops
Redundant devopsRedundant devops
Redundant devops
 
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
 
Monitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance AnalysisMonitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance Analysis
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
 

More from Salesforce Engineering

Locker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With WebpackLocker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With WebpackSalesforce Engineering
 
Techniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the CloudTechniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the CloudSalesforce Engineering
 
Predictive System Performance Data Analysis
Predictive System Performance Data AnalysisPredictive System Performance Data Analysis
Predictive System Performance Data AnalysisSalesforce Engineering
 
Aspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already HaveAspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already HaveSalesforce Engineering
 
A Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache CalciteA Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache CalciteSalesforce Engineering
 
Implementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 MilesImplementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 MilesSalesforce Engineering
 
Salesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief OverviewSalesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief OverviewSalesforce Engineering
 
Global State Management of Micro Services
Global State Management of Micro ServicesGlobal State Management of Micro Services
Global State Management of Micro ServicesSalesforce Engineering
 

More from Salesforce Engineering (20)

Locker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With WebpackLocker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With Webpack
 
Scaling HBase for Big Data
Scaling HBase for Big DataScaling HBase for Big Data
Scaling HBase for Big Data
 
Techniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the CloudTechniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the Cloud
 
Predictive System Performance Data Analysis
Predictive System Performance Data AnalysisPredictive System Performance Data Analysis
Predictive System Performance Data Analysis
 
Apache HBase State of the Project
Apache HBase State of the ProjectApache HBase State of the Project
Apache HBase State of the Project
 
Hit the Trail with Trailhead
Hit the Trail with TrailheadHit the Trail with Trailhead
Hit the Trail with Trailhead
 
HBase/PHOENIX @ Scale
HBase/PHOENIX @ ScaleHBase/PHOENIX @ Scale
HBase/PHOENIX @ Scale
 
Scaling up data science applications
Scaling up data science applicationsScaling up data science applications
Scaling up data science applications
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
 
Aspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already HaveAspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already Have
 
Monitoring @ Scale in Salesforce
Monitoring @ Scale in SalesforceMonitoring @ Scale in Salesforce
Monitoring @ Scale in Salesforce
 
Performance Tuning with XHProf
Performance Tuning with XHProfPerformance Tuning with XHProf
Performance Tuning with XHProf
 
A Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache CalciteA Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache Calcite
 
Implementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 MilesImplementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 Miles
 
Salesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief OverviewSalesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief Overview
 
Koober Preduction IO Presentation
Koober Preduction IO PresentationKoober Preduction IO Presentation
Koober Preduction IO Presentation
 
Finding Security Issues Fast!
Finding Security Issues Fast!Finding Security Issues Fast!
Finding Security Issues Fast!
 
Microservices
MicroservicesMicroservices
Microservices
 
Global State Management of Micro Services
Global State Management of Micro ServicesGlobal State Management of Micro Services
Global State Management of Micro Services
 
The Future of Hbase
The Future of HbaseThe Future of Hbase
The Future of Hbase
 

Recently uploaded

BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxfenichawla
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISrknatarajan
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Dr.Costas Sachpazis
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...ranjana rawat
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordAsst.prof M.Gokilavani
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfKamal Acharya
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Call Girls in Nagpur High Profile
 

Recently uploaded (20)

BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 

Providence: rapid vulnerability prevention

  • 1. Providence: rapid vulnerability prevention Max Feldman, Xiaoran Wang, Hormzard Billimoria
  • 2. Agenda • Background • Intro to Providence • Plugins, Plugins Demos • Our Deployment and Metrics • Future Work • Conclusion
  • 3. Team Intro • Max Feldman • Xiaoran Wang www.attacker-domain.com • Hormazd Billimoria @hormazdb
  • 4. Current state of SCA/RTA • Static code analysis – Slow, scans can’t catch up with daily deployment – thorough, but resource intensive – A lot of false positives • Run-time analysis – fast, but requires continuous building and running of application – may not hit all code paths – may require special instrumentation
  • 5. What we needed • Something faster, more scalable – SCA - could take up to a few weeks for a complete scan – but many vulnerabilities are easier to find (exec, hardcoded passwords…) – in that time it’s also easy for devs to lose context
  • 6. What we needed • Something easier to update – SCA can have complicated rules, higher learning curve – Ideal - rules which are easy to write, even for new users
  • 7. What we needed • Something with low false negatives – if something is low-hanging fruit or easy to catch, we didn’t want to miss it – acceptable to have a bit more noise as long as we aren’t missing anything • Providence- check-in time analysis
  • 8. Providence overview and architecture
  • 9. How Providence works • Polls one or more version control systems, runs plugins against the commits – for us- p4 (and a bit of git), variety of plugins • Plugin finds something suspicious – looks up committer – files an investigation to the security person in charge of their area – more functionality possible • Plugins can look at the diffs, full code, whatever is necessary
  • 11. Providence architecture (cont.d) • scheduler – schedules things to run every x minutes – necessary when API doesn’t provide push • eg p4 • watcher engine – watchers correspond to a particular VCS – they have the code to interact with that api
  • 12. Providence architecture (cont.d) • rule engine – if a change meets the criteria of a plugin, the plugin’s rules are run – could be a regex, with arbitrary logic – alerts and logging (or investigation creation) can be created as well • plugins – logics done on the diff (or the file itself) – the magic behind providence – we will dive into it more soon • alerts – email – custom alerts – custom integration with workflows
  • 13. VCS integrations • we currently support – P4 – github (internal or external) • Extensions depend on ease of API • other things we would like to support – jira – hipchat – your platform of choice?
  • 14. Benefits • doesn’t miss anything that comes in – rules are meant to be simpler, eg. searching for a certain line • immediacy of results – dev doesn’t have to context switch • rapid deployment of new rules – eg. new vuln comes out- add a new rule, from then on out it will be prevented • scalable • failure of one rule doesn’t affect others • lightweight
  • 16. Plugins • Runtime Exec • Direct usage of Crypto functions • IP whitelisting bypass • XXE
  • 17. Plugins • Secret stored in the source code • Servlet created without access check • Usage of privileged modes in the source code • Direct access to sensitive services like HSM • XSS in HTML pages
  • 18. PLUGINS DEMO • XXE in Java • LocalStorage in JavaScript
  • 19. Plugin Demos (backup) - Java Rules
  • 20. Plugin Demos (backup) - Java Source
  • 21. Plugin Demos (backup) - Email Alert
  • 22. Plugin Demos (backup) - JS Rules
  • 24. Plugin Demos (backup) - Email Alert
  • 26. Deployment to SDLC • Integrate with bug tracking • Integrate with environment for stats/metrics
  • 27. Metrics (March - mid august) • 48,000 commits • 250 alerts • 40 bugs prevented
  • 29. Future work • run rules against all commits (go back to beginning of history) • more VCS • more plugins (alerts to new platforms) • more integrations with bug trackers, alert systems, etc. • IDE enhancements and process integrations. (pre, post commit)
  • 30. Future stats and metrics • More advanced metrics – severity predictions/estimates • ML algorithms to evaluate likelihood of severity • More data- learn as we go, improve the accuracy and efficacy of Providence in our own SDLC and its effectiveness as a tool
  • 31. Open Source • https://github.com/SalesforceEng/Providence • Welcome contributors/suggestions/sharing of knowledge and best practices
  • 32. Conclusion • Providence is a new tool that bridges security automation and rapid, continuous deployment • How an organization can benefit from this tool • How Providence can be integrated into an organization’s SDLC • How to create and deploy plugins and rules for particular needs

Editor's Notes

  1. Hormazd
  2. all
  3. Split this diagram and have sub-diagrams for all
  4. more details about the scheduler, engines, etc. show code?