Presented on May 10, 2018 at OWASP Atlanta (https://www.meetup.com/OWASP-Atlanta/).
Over the last several years we’ve witnessed, and experienced, an advance towards new approaches in web technologies and the processes to deploy web applications. In this talk, we’ll explore and describe the “Modern Web”, discuss observations on the evolution of the Secure SDLC, recognize existing challenges in achieving real-time threat visibility once web applications are deployed to production, and finally, walk through the concepts that address the challenges in fast paced “agile” development cycles.
5. Describing the Modern Web
Frameworks & Architecture
● Client side, e.g. Angular, React, etc.
● Server side, microservices, or API driven
Process
● Agile development cycles
● CI/CD
● DevOps
Platforms
● Cloud, e.g. IaaS and PaaS
● Containers
11. Agile!
Develop, test/verify, deploy to production. All developers…
● Can have a copy of etsy.com on their laptops.
● Have access to deploy to production.
● Can deploy to production whenever they need to.
https://www.etsy.com
13. However, Agile!
If we can deploy faster we can respond to threats faster.
But, visibility of threats is required.
14. Reality Check
Recent observations
1. Large California based data management/analytics company in the midst of a major shift to the cloud & agile development.
● Existing infosec team & process engaged.
● Legacy process and way of thinking got in the way.
● Infosec team taken off of cloud initiative.
● Building infosec/appsec practices within cloud team.
2. Large global firm in the financial services industry.
● New initiatives are agile and move fast.
● Security teams deliberately separated from new initiatives.
● Once initiative is off the ground, security team has to figure out how to catch up.
15. Reality Check
RSA Conference (2017) - “Tidal Forces: The changes ripping apart security as we know it”, by Rich Mogull.
Great commentary blog post by James Wickett here, and tweets:
“I am not telling you what the future will be, I am telling you what people are doing today that are ahead of you”
“The skills, tools and the entire security industry has a best used by date stamped on them”
“The three forces are SaaS, endpoints, IaaS... these are driving security disruption”
“It isn’t easy to shift professional skills, but you will have to find a way”
“We get to choose how we evolve...”
21. Summary of Challenges
● We operate in silos (security, development, operations)
● Limited visibility into what is actually happening (e.g. threats).
● Static signatures resulting in false positives, disrupting the development cycle, and even breaking production.
● Resources spent on maintaining/tuning, rather than on what is important - mitigating threats.
● Existing solutions don’t scale well, are not architected for cloud, and are not built for the modern web.
24. Visibility that is Strategic
What type of attack traffic are your apps experiencing?
Which apps, and which parts of your apps, are being targeted?
What type of anomalous traffic are your apps experiencing?
25. Visibility that is Tactical
Dashboards on display.
Integration into the DevOps tool chain.
API for automation and integration into other monitoring solutions.
26. Detection & Blocking
Little to no tuning, no learning mode.
Throttled blocking.
Only block requests containing attacks.
Decision transparency.
27. Business Risk
Account takeover.
High risk transactions.
Bots.
Instrumenting your applications.
Going above and beyond the typical OWASP top 10 type attacks...
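The detection and blocking model from the Detection & Blocking slide (throttled blocking, blocking only requests that carry attack signals, transparent decisions) combined with the instrumentation idea above, as an added Python example that is not part of the talk or any vendor's product; the toy detectors, the threshold, the sliding window and the request dictionary shape are all constructed assumptions.

```python
import re
import time
from collections import defaultdict, deque

# Constructed, deliberately simple signal detectors (an assumption for this
# example). Real instrumentation would parse the request rather than regex it.
SIGNALS = {
    "sqli": re.compile(r"(?i)('\s*or\s*'?\d|union\s+select)"),
    "xss": re.compile(r"(?i)<script|javascript:"),
    "traversal": re.compile(r"\.\./"),
}


class ThrottledBlocker:
    """Tags requests carrying attack signals, counts tagged requests per source
    over a sliding window, and blocks only tagged requests once the source has
    crossed the threshold. Every decision carries its reason (transparency)."""

    def __init__(self, threshold=3, window_seconds=60):
        self.threshold = threshold
        self.window = window_seconds
        # source -> timestamps of its recent signal-carrying requests
        self.history = defaultdict(deque)

    def classify(self, request):
        text = " ".join(request.get(k, "") for k in ("path", "query", "body"))
        return sorted(name for name, rx in SIGNALS.items() if rx.search(text))

    def decide(self, request, now=None):
        now = time.time() if now is None else now
        tags = self.classify(request)
        seen = self.history[request["source"]]
        while seen and now - seen[0] > self.window:   # expire old entries
            seen.popleft()
        if not tags:
            # Clean requests are never blocked, even from a flagged source.
            return {"action": "allow", "tags": [], "count": len(seen),
                    "reason": "no attack signals"}
        seen.append(now)
        if len(seen) >= self.threshold:
            return {"action": "block", "tags": tags, "count": len(seen),
                    "reason": f"{len(seen)} flagged requests within "
                              f"{self.window}s >= threshold {self.threshold}"}
        return {"action": "allow", "tags": tags, "count": len(seen),
                "reason": f"flagged, below threshold ({len(seen)}/{self.threshold})"}
```

Each decision dictionary is what would be emitted to the dashboards and automation API described on the preceding slides, so an operator can see why a request was blocked rather than only that it was.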
31. Leverage Modern Cloud Platforms
Rotate, Repave, and Repair
https://builttoadapt.io/the-three-r-s-of-enterprise-security-rotate-repave-and-repair-f64f6d6ba29d
Cloud Foundry
https://www.cloudfoundry.org/
Be agile in production, keep moving!
Rotate Credentials
Disable Persistence
Patch Immediately
32. AppSec for the Modern Web
Continuously increasing the cost for attackers
33. Solution Options
Engineer application instrumentation.
https://codeascraft.com/2011/02/15/measure-anything-measure-everything/
https://vimeo.com/54107692
Start with Open Source and engineer around it.
https://github.com/nbs-system/naxsi
http://appsensor.org/
Vendors, there are a few ;-)
34. Q & A
More @ https://labs.signalsciences.com
Thank You!