With 73% of all cyber attacks last year targeting web applications*, there is little doubt that the application layer and web-related attacks pose a significant risk to most organizations. However, the typical investment in protecting the most common attack targets (content management systems and ecommerce platforms) does not correspond to that risk.
This webinar examines the growth of applications in enterprise architecture and the risks associated with agile development, and offers expert advice and real-world examples on how to scope and build a successful application security program that maximizes coverage and makes the best use of your limited resources.
Everything is an app
Business Drivers
Digital Transformation
• Customer experience
• Internal automation
• Supply chain efficiency
Mobile device proliferation
• Consumer expectation
Everything is an app
Process drivers
Agile development
• Shorter time to features
DevOps
• Eliminating handoffs
Photo: Dave Allen, https://bloomfieldfinancial.co.uk/blog/25-5-reasons-computer-programmers-often-have-poor-pension-retirement-plans
Everything is an app
Operational Drivers
Virtualized
• Faster spin up
Cloud
• Lower capitalized cost
Container
• Less management and administration
Everything is an app
Security drivers
Security is considered, later
• How to build a culture of security awareness?
Security likes stability
• How to create a repeatable and timely process?
• How to fit with DevOps?
Image: Pete Cheslock @petecheslock, https://vimeo.com/129822165
Familiar security process
Objectives for Appsec program
• Better security
• Focus for limited resources
• Meet compliance policies
• Build security awareness
Measure and shrink the attack surface… and maintain it at the smallest level.
Application life cycle
Phases: Development → Pre-production → Production
• Development: Code and commit → Continuous integration & automated testing → Complete build & test
• Gate 1
• Pre-production: Non-functional testing, UAT
• Gate 2
• Production: Ongoing assessments
The same lifecycle is shown for three delivery models:
• Internal Development: code and commit, continuous integration & automated testing, complete build & test
• COTS + Customize: design & develop, build & test
• Outsourced Development: no development-phase steps shown; the lifecycle picks up at Gate 1
The hacker pivot
Photo: Jim Goodrich, Stacey Peralta rides the Willis pool in the San Fernando Valley, October 1977. https://mpora.com/skateboarding/history-of-surfing-skating-snowboarding
• Establish objective
• Attack multiple entry points
• Move laterally to objective
Tools in the AST kit
SAST – Static
• Automated
• Focused on developers
• Noisy
DAST – Dynamic
• Automated
• Operational system test
• Can’t address all cases
Penetration Test
• Manual
• Most comprehensive
• Low frequency use
MAST – Mobile
• Partially automated
• Focused on developers
• Lots of variants of test target
IAST – Interactive
• Automated
• Included in code
• Related to RASP (runtime app self protection)
Bug Bounty
• Manual
• Independent security researchers
• Pay by finding
Application life cycle
Development → Pre-production → Production
Code and commit → Continuous integration & automated testing → Complete build & test → Gate 1 → Non-functional testing, UAT → Gate 2 → Ongoing assessments
AST tools mapped onto the lifecycle: SAST, IAST, DAST, MAST, Bug Bounty, Penetration Test
“The whole is greater than the sum of its parts.” – Aristotle
OWASP top 10
Most critical web application security risks
• Some areas are easy to automate
• Other areas are not
Focused on the application
OWASP risk model
• Likelihood – threat agent, vulnerability
• Impact – technical, business
What about ?
Common framework to compare vulnerabilities
• Applications
• Infrastructure
• Data
State of the art
• Still somewhat blunt
Priority for remediation
Simple risk = f(likelihood, impact)
• Not directly calculated from test result
Severity of vulnerability
• Alternate approach
• Directly calculated (CVSS score)
Streamline effort invested based on application complexity
Risk matrix: Likelihood and Impact are each rated on a five-point scale: Very Low (1), Low (2), Medium (3), High (4), Very High (5).
Distribution
Application and Infrastructure issue routing
• System owners, Data owners
• DevOps
• Service Management
Supporting processes
• Recreate, scoring
• Verification of resolution
• Automate as Appsec program matures
• Trends over time to build security awareness
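An added example, not from the presenter's deck or Outpost24's tooling, showing how the "Priority for remediation" and "Distribution" slides can be turned into a triage step: each scanner finding gets a likelihood rating, is placed in the 5x5 likelihood/impact matrix, bucketed, routed to an owner, and flagged if it recurs. The CVSS-to-likelihood bands, the priority buckets, the `layer` field and the owner routing rule are assumptions for illustration.

```python
from dataclasses import dataclass

BANDS = ["Very Low", "Low", "Medium", "High", "Very High"]  # rating 1..5


@dataclass
class Finding:
    app: str
    layer: str          # "application" or "infrastructure" (assumed field)
    cvss: float         # severity as the scanner reports it (directly calculated)
    app_impact: int     # business impact of the app, owner-assigned, 1..5
    fingerprint: str    # stable key (rule + location) used to spot recurrence


def likelihood_from_cvss(cvss: float) -> int:
    """Assumed CVSS-to-likelihood bands. The deck notes risk is not directly
    calculated from a test result, so this is a default the analyst may adjust."""
    for rating, floor in ((5, 9.0), (4, 7.0), (3, 4.0), (2, 0.1)):
        if cvss >= floor:
            return rating
    return 1


def risk_score(likelihood: int, impact: int) -> int:
    """Cell value of the 5x5 likelihood/impact matrix, 1..25."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("ratings must be between 1 and 5")
    return likelihood * impact


def priority(score: int) -> str:
    """Assumed remediation buckets over the matrix value."""
    for bucket, floor in (("P1", 15), ("P2", 8), ("P3", 4)):
        if score >= floor:
            return bucket
    return "P4"


def triage(finding: Finding, seen: set) -> dict:
    """Score, bucket and route one finding; flag it when its fingerprint was
    already accepted or resolved earlier (recurrence tracking)."""
    lk = likelihood_from_cvss(finding.cvss)
    score = risk_score(lk, finding.app_impact)
    # Assumed routing: app-layer issues to DevOps, infra issues to Service Management.
    owner = "DevOps" if finding.layer == "application" else "Service Management"
    return {"app": finding.app, "likelihood": BANDS[lk - 1],
            "impact": BANDS[finding.app_impact - 1], "score": score,
            "priority": priority(score), "route_to": owner,
            "recurring": finding.fingerprint in seen}
```

Feeding the `seen` set from the accepted/resolved register lets the same routine report recurrence trends over time, which the deck lists as a way to build security awareness.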
Initiate your Appsec program
• Include security in development SOW
• Monitor included software and infrastructure components for updates
• Pen test app and infrastructure on each release (Outpost24 Snapshot / SWAT, Outscan / EWP)
• Track accepted / resolved risk, manage recurrence
Delivery models: Outsourced Development, Internal Development, COTS + Customize
• Manage 3rd party software and infrastructure in DevOps cycle
• Dynamic app and infrastructure on each release (Outpost24 SWAT / Scale, Outscan / EWP)
• Automate distribution of AST results in DevOps flow
• Include accepted / resolved risk in release planning
• Define scope of assessment from business criticality and release frequency
• Where does the application run?
• Where does the data reside?
• What weaknesses will allow an attacker to control the server, and pivot to the application?
Cloud is different
• Authorization for assessment?
• Cloud console (or container manager) for configuration issues