Presented on May 10, 2018 at OWASP Atlanta (https://www.meetup.com/OWASP-Atlanta/). Over the last several years we’ve witnessed, and experienced, an advance towards new approaches in web technologies and the processes to deploy web applications. In this talk, we’ll explore and describe the “Modern Web”, discuss observations on the evolution of the Secure SDLC, recognize existing challenges in achieving real-time threat visibility once web applications are deployed to production, and finally, walk through the concepts that address the challenges in fast paced “agile” development cycles.

1. Application Security for the
Modern Web
OWASP
5/10/2018

2. BIO
Career Summary
● WebDev, DBA, SA, IT Auditor (~7 yrs)
● AppSec in Financials, EY & GS (~9 yrs)
On the socials
● Twitter: @foospidy
● Github: http://github.com/foospidy
● LinkedIn: http://linkedin.pxmx.io
● Blog: http://pxmx.io
Phillip Maddux
Trusted AppSec Advisor and
Senior Solutions Engineer
@ Signal Sciences
https://signalsciences.com
Honeypot Enthusiast
● HoneyPy
● HoneyDB

3. 1. Modern Web
2. Observations of Secure SDLC
3. Legacy Threat Visibility
4. A Better Way
5. Q & A
Agenda

4. Modern Web
Describing the modern web

5. Frameworks & Architecture
● Client side, e.g. Angular, React, etc.
● Server side, Micro services, or API driven
Process
● Agile development cycles
● CI/CD
● DevOps
Platforms
● Cloud, e.g. IaaS and PaaS
● Containers
Describing the Modern Web

6. DevOps Enables the Modern Web

7. ...is about services, frequent deployments,
and scalability.
The Modern Web...

8. Observations
Secure SDLC

9. Secure SDLC Evolution

10. ML4 - Ultimate Secure SDLC Fantasy

11. Agile!
Develop, test/verify, deploy to production. All
developers…
● Can have a copy of etsy.com on their laptops.
● Have access to deploy to production.
● Can deploy to production whenever they need to.
https://www.etsy.com

12. Agile?

13. However, Agile!
If we can deploy faster we can respond to threats faster.
But, visibility of threats is required.

14. Reality Check
Recent observations
1. Large California based data management/analytics company in the midst
of a major shift to the cloud & agile development.
● Existing infosec team & process engaged.
● Legacy process and way of thinking got in the way.
● Infosec team taken off of cloud initiative.
● Building infosec/appsec practices within cloud team.
2. Large global firm in the financial services industry.
● New initiatives are agile and move fast.
● Security teams deliberately separated from new initiatives.
● Once initiative is off the ground, security team has to figure out how to catch up.

15. Reality Check
RSA Conference (2017) - “Tidal Forces: The changes ripping apart security
as we know it”, by Rich Mogull.
Great commentary blog post by James Wickett here, and tweets:
“I am not telling you what the future will be, I am telling you what people are doing today that
are ahead of you”
“The skills, tools and the entire security industry has a best used by date stamped on them”
“The three forces are SaaS, endpoints, IaaS... these are driving security disruption”
“It isn’t easy to shift professional skills, but you will have to find a way”
“We get to choose how we evolve...”

16. Threat Visibility
The legacy approach

17. What happens after prod?

18. Logs

19. WAFs

20. WAFs… are you kidding me?

21. Summary of Challenges
● We operate in silos (security, development, operations)
● Limited visibility into what is actually happening (e.g. threats).
● Static signatures resulting in false positives and disrupting the
development cycle, and even breaking production.
● Resource spend on maintaining/tuning, rather than on what is
important - mitigating threats.
● Existing solutions don’t scale well, not architected for cloud, not
built for the modern web.

22. A Better Way
There has to be one

23. AppSec for the Modern Web

24. Visibility that is Strategic
What type of attack traffic
are your apps
experiencing?
Which apps, and which
parts of your apps are
being targeted?
What type of anomalous
traffic are your apps
experiencing?

25. Visibility that is Tactical
Dashboards on display.
Integration into devops
tool chain.
API for automation and
integration into other
monitoring solutions.

26. Detection & Blocking
Little to no tuning, no learning
mode.
Throttled blocking.
Only block requests containing
attacks.
Decision transparency.

27. Business Risk
Account takeover.
High risk transactions.
Bots.
Instrumenting your applications.
Going above and beyond the typical OWASP top 10 type attacks...

28. Instrumentation & Correlations
● Attacks + anomalous responses
● Attacks + sensitive transactions
● Distinct changes in traffic patterns
● Automation (Bots) + user actions

29. Defending the Modern Web
Visibility that enables defending applications in real time.
You can’t defend against threats you can’t see.

30. Scalability
Scalable across cloud,
multi-cloud, and on-prem.
Frictionless deployment.
Work regardless of app stack or
language.
Performance and reliability.

31. Leverage Modern Cloud Platforms
Rotate, Repave, and Repair
https://builttoadapt.io/the-three-r-s-of-enterprise-security-rotate-repave-and-repair-f64f6d6ba29d
Cloud Foundry
https://www.cloudfoundry.org/
Be agile in production, keep moving!
Rotate Credentials
Disable Persistence
Patch Immediately

32. AppSec for the Modern Web
Continuously increasing the cost for attackers

33. Solution Options
Engineer application instrumentation.
https://codeascraft.com/2011/02/15/measure-anything-measure-everything/
https://vimeo.com/54107692
Start with Open Source and engineer around it.
https://github.com/nbs-system/naxsi
http://appsensor.org/
Vendors, there are a few ;-)

34. Q & A
More @ https://labs.signalsciences.com
Thank You!