Practical DevSecOps Using Security Instrumentation

SpringOne 2020

Jeff Williams, CTO & Co-Founder at Contrast Security


  1. Practical DevSecOps Using Security Instrumentation. Jeff Williams, Cofounder and CTO, @planetlevel. SpringOne 2020.
  2. Challenge: DevSecOps in a Fortune 100 company. CEO: “We are not running an insurance company per se, but a data and technology company.” “Security is limiting the speed of innovation.” Pressures on the program: compliance, cloud and containers, DevOps, false positives, attacks, open source, legacy apps, outsourcing, digital transformation.
  3. Traditional security (outside-in): libraries and custom code are scanned from the outside, and the findings pile up in a security backlog. Traditional AppSec is killing innovation.
  4. Instrumentation changes everything.
  5. What is security instrumentation? (Diagram: a platform agent hooks the class loader; as each class loads, a transformer turns the original code into instrumented code by adding sensors, and the instrumented code is what runs.)
  6. Meet your new security “friend” on the inside: security specialists translate new threats into rules, instrumentation provides instant security feedback, and the developer uses the application normally and gets that feedback immediately.
  7. Free open source instrumentation: the Java Observability Toolkit (JOT), https://github.com/planetlevel/jot
  8. Demo: access control.
  9. Demo: preventing expression language injection attacks with instrumentation (runtime protection).
  10. The same sensors (config, code, control flow, HTTP, backend, data flow, library) serve two purposes. In DEV and TEST, IAST: Interactive Application Security Testing is simply using instrumentation to detect vulnerabilities (vulnerability confirmed); use it in development. In PROD, RASP: Runtime Application Self-Protection is simply using instrumentation to detect attacks and prevent exploits (exploit prevented); use it in production.
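The mechanism behind slides 5 to 10 in working code, as an added example that is not part of the talk or of JOT. The talk's agents rewrite Java bytecode at class-load time; this Python stand-in attaches the same kinds of sensors by wrapping functions at startup. An HTTP sensor taints request data; a data-flow sensor on an expression-language sink (a toy evaluator standing in for SpEL, not a real EL engine) confirms the vulnerability in IAST mode and blocks the exploit in RASP mode; two control-flow sensors catch a sensitive method reached without an authorization check, the situation of the access-control demo. All names (Agent, TaintedStr, render, make_app, attempt) and all request data are invented here.

```python
"""Added example, not code from the talk or from JOT: a toy in-process security
instrumentation layer. The talk's agents rewrite Java bytecode as classes load; here
the same sensors are attached by wrapping functions at startup. All names are invented."""
import functools
import re


class TaintedStr(str):
    """A str the HTTP sensor tagged as untrusted; concatenation keeps the tag."""
    def __new__(cls, value, source="http.request"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    def __add__(self, other):
        return TaintedStr(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return TaintedStr(str.__add__(other, self), self.source)


class AttackBlocked(Exception):
    """Raised by a sensor in RASP mode so the sink never runs the attack."""


class Agent:
    """mode="iast": confirm vulnerabilities, let the request continue (DEV/TEST).
    mode="rasp": additionally block requests that are actual attacks (PROD)."""
    EL_SYNTAX = re.compile(r"[$#]\{")  # rule: EL delimiters inside untrusted data

    def __init__(self, mode):
        assert mode in ("iast", "rasp")
        self.mode, self.findings, self.authorized = mode, [], False

    def begin_request(self):  # a real agent keys this state per request thread
        self.authorized = False

    def http_param(self, request, name):  # HTTP sensor: request data is tainted
        return TaintedStr(request[name], source="http.param:" + name)

    def el_sink(self, func):  # data-flow sensor on an expression-language sink
        @functools.wraps(func)
        def wrapper(expr, *args, **kwargs):
            if isinstance(expr, TaintedStr):
                if self.mode == "iast":  # untrusted data reached the evaluator: vulnerable
                    self.findings.append(("vulnerability", "el-injection", func.__name__, expr.source))
                elif self.EL_SYNTAX.search(expr):  # block only when the data is an attack
                    self.findings.append(("attack-blocked", "el-injection", func.__name__, str(expr)))
                    raise AttackBlocked(func.__name__)
            return func(expr, *args, **kwargs)
        return wrapper

    def authorization(self, func):  # control-flow sensor: a check ran and passed
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            self.authorized = bool(func(*args, **kwargs))
            return self.authorized
        return wrapper

    def protected(self, func):  # control-flow sensor: sensitive call needs a prior check
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            if not self.authorized:
                self.findings.append(("vulnerability", "missing-authz", func.__name__, ""))
                if self.mode == "rasp":
                    raise AttackBlocked(func.__name__)
            return func(*args, **kwargs)
        return wrapper


def render(expr, ctx):
    """Stand-in for an EL evaluator such as SpEL: resolves ${a.b} against ctx."""
    def resolve(match):
        value = ctx
        for part in match.group(1).split("."):
            value = value[part] if isinstance(value, dict) else getattr(value, part)
        return str(value)
    return re.sub(r"\$\{([\w.]+)\}", resolve, expr)


def make_app(agent):
    """Wire the sensors into a tiny application, as an agent would at load time."""
    ctx = {"user": {"name": "alice"}}  # constructed application data
    def is_admin(user): return user["role"] == "admin"
    def quarterly_report(): return "quarterly report"
    render_el = agent.el_sink(render)
    check_admin = agent.authorization(is_admin)
    admin_report = agent.protected(quarterly_report)

    def greet(request):  # request: constructed dict standing in for HTTP parameters
        agent.begin_request()
        return render_el("Hello, " + agent.http_param(request, "greeting"), ctx)

    def report(user):  # correct endpoint: authorization check before the sensitive call
        agent.begin_request()
        return admin_report() if check_admin(user) else "forbidden"

    def legacy_report(user):  # bug: the check was forgotten on this path
        agent.begin_request()
        return admin_report()

    return greet, report, legacy_report


def attempt(handler, *args):
    """Run a handler; say whether the agent let it through or blocked it."""
    try:
        return ("ok", handler(*args))
    except AttackBlocked as exc:
        return ("blocked", str(exc))
```

Run `make_app(Agent("iast"))` and `make_app(Agent("rasp"))` against the same requests. In IAST mode a harmless greeting such as `friend` still confirms the vulnerability, because untrusted data reached the evaluator, and the request is allowed to finish; in RASP mode that request passes silently and only a payload carrying `${` or `#{` is stopped before the sink runs. That is the distinction slide 10 draws: the same sensor finds the weakness during testing and prevents the exploit in production. A real agent has to propagate taint through far more operations than concatenation and must key per-request state to the request thread; both are simplified here.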
  11. Modern security (inside-out): instrumentation (IAST, SCA, RASP) sits inside the stack (runtime, app server, frameworks, libraries, custom code) in both DEV and PROD and is wired into CI/CD, giving developers instant feedback on vulnerabilities and giving production continuous automated security testing and exploit prevention against attacks. Security instrumentation accelerates innovation.
  12. Security instrumentation provides a 40x improvement in MTTR over SAST. (Chart: time to remediate for SAST, IAST, and IAST with a below-average backlog.) Data from the Contrast 2020 AppSec Observability Report and the Veracode 2020 SOSS report.
  13. Development, security, harmony.
  14. Contrast Community Edition, https://www.contrastsecurity.com/ce: a totally free and full-strength application security platform (available now, with more coming soon). Protect against attacks with RASP, find vulnerabilities with IAST, secure open source with SCA.
  15. Ask me anything. Jeff Williams, Cofounder and CTO, @planetlevel.
