
Application Security at DevOps Speed and Portfolio Scale


Published on Nov 26, 2013
AppSec at DevOps Speed and Portfolio Scale - Jeff Williams

Watch this talk on YouTube: https://www.youtube.com/watch?v=cIvOth0fxmI

Software development is moving much faster than application security with new platforms, languages, frameworks, paradigms, and methodologies like Agile and Devops.

Unfortunately, software assurance hasn't kept up with the times. For the most part, our security techniques were built to work with the way software was built in 2002. Here are some of the technologies and practices that today's best software assurance techniques *can't* handle: JavaScript, Ajax, inversion of control, aspect-oriented programming, frameworks, libraries, SOAP, REST, web services, XML, JSON, raw sockets, HTML5, Agile, DevOps, WebSocket, Cloud, and more. All of these sit at the core of modern software development.

Although we're making progress in application security, the gains are much slower than the stunning advances in software development. After 10 years of getting further behind every day, software *assurance* is now largely incompatible with modern software *development*. It's not just security tools -- application security processes are largely incompatible as well. And the result is that security has very little influence on the software trajectory at all.

Unless the application security community figures out how to be a relevant part of software development, we will continue to lag behind and effect minimal change. In this talk, I will explore a radically different approach based on instrumenting an entire IT organization with passive sensors to collect real-time data that can be used to identify vulnerabilities, enhance security architecture, and (most importantly) enable application security to generate value. The goal is unprecedented real-time visibility into application security across an organization's entire application portfolio, allowing all the stakeholders in security to collaborate and finally become proactive.


Speaker

Jeff Williams

CEO, Aspect Security
Jeff is a founder and CEO of Aspect Security and recently launched Contrast Security, a new approach to application security analysis. Jeff was an OWASP Founder and served as Global Chairman from 2004 to 2012, contributing many projects including the OWASP Top Ten, WebGoat, ESAPI, ASVS, and more. Jeff is passionate about making it possible for anyone to do their own continuous application security in real time.

Published in: Technology

Slides

  1. Application Security at DevOps Speed and Portfolio Scale. Jeff Williams, CEO, Aspect Security, Inc.
  2. About Me
  3. Application Security Is Healthcare
  4. Sensors Are Revolutionizing Healthcare. Your phone will know you're sick before you do! Instrumenting the body means continuous real-time monitoring, not periodic checkups.
  5. Traditional Tools and Techniques Are Failing: DevOps, Agile, Aspect Oriented Programming, Libraries and Frameworks, Serialized Objects, Inversion of Control, SOAP/REST, JavaScript, Ajax, Raw Socket, Cloud, Mobile.
  6. AppSec Progress (chart): Software Security versus Continuous AppSec.
  7. Starting Over
  8. Defining "Portfolio Scale": the right defenses for every application are present, correct, and used properly.
  9. Defining "DevOps Speed": application security happens continuously and in real time.
  10. One Thing at a Time: is my portfolio protected against clickjacking?
  11. Gathering Intelligence (application stack): Controller, Business Functions, Presentation, Third Party Libraries, Framework, Application Server, Platform Runtime, Operating System, Data Layer.
  12. Security Intelligence Sources: Vulnerability Trace, HTTP Traffic, Backend Connections, Data Flow, Control Flow, Libraries and Frameworks, Configuration Data.
  13. Designing a Clickjacking Sensor. Data Sources: Configuration, Data Flow, Code, HTTP, Control Flow, Libraries, Connections. Analysis Technique: SAST, DAST, IAST, Manual, JUnit, Passive. Style: Positive, Negative, Sampling, Intelligence, Experiment, Test. Environment: Dev, CI, QA, Staging, Security, Prod. Choose based on: • Speed • Accuracy • Feedback • Scalability • Ease of Use • Cost.
  14. Continuous Clickjacking Defense Verification: a new HTTP sensor to verify that the X-Frame-Options header is set to DENY or SameOrigin on every web page. (Pipeline diagram: DEV, CI, TEST, QA, STAG, SEC, OPS; Manual, Dynamic, Static, Interactive, JUnit; Data Warehouse: Application Security Intelligence.)
  15. Run Against Entire Portfolio. Results table (Application Name / Result / Grade): TBMarks 88% A; RPC 0% F; CaseyMotors 0% F; Financials 72% C; International Reporting 0% F; … Drill-down, "Financials" Clickjacking Defense – C (72%): /home DENY, /home/error.jsp -, /home/index.jsp DENY, /account, /account/report.jsp, … SAME-ORIGIN, -.
  16. Check Your Headers: https://cyh.herokuapp.com/cyh
  17. Continuous AppSec Dashboard
  18. One Small Step Towards Continuous AppSec • We transformed clickjacking verification to DevOps speed and portfolio scale! Before: annual pentest, negative signatures, one app at a time. After: continuous monitoring, positive verification, portfolio wide. Okay, clickjacking. Big deal.
  19. More Sensors… I want a sensor to verify: my business logic makes access control checks; my libraries are free from known vulnerabilities; my forms are not susceptible to CSRF attacks; my interpreters are protected against injection; my encryption is implemented correctly; my application has no unknown connections; and much more….
  20. Access Control Intelligence Sensor (Control Flow, SAST, Intelligence, CI). Source File / Result:
     • TestSBMBugtrackerController.java: @PreAuthorize("hasAnyRole('ROLE_BUG_CREATE','ROLE_BUG_EDIT')")
     • UpdateSBMBugtrackerController.java: @PreAuthorize("hasRole('ROLE_BUG_EDIT')")
     • SelectBugtrackerController.java: @PreAuthorize("hasRole('ROLE_BUG_CREATE')")
     • CheckAppStatusController.java: MISSING
     • ViewConsoleEventsController.java: @PreAuthorize("hasRole('ROLE_CONSOLE_VIEW')")
     • DeleteEngineConfigController.java: @PreAuthorize("hasRole('ROLE_ENGINE_PROFILES')")
     • DownloadEngineController.java: @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')")
     • EngineConfigController.java: @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')")
     • ErrorController.java: MISSING
     • InboxController.java: @PreAuthorize("isAuthenticated()")
     • InstallationWizardController.java: @PreAuthorize("isAuthenticated()")
     • InviteAFriendController.java: @PreAuthorize("isAuthenticated()")
     • LoginController.java: MISSING
     • DeleteMessageController.java: @PreAuthorize("isAuthenticated()")
     • GetSystemMessagesController.java: @PreAuthorize("isAdmin()")
  21. Generated Access Control Matrix from Code (figure: controllers versus roles; the rotated role headers are not recoverable). Rows include TracesGetBugtrackersController.java, TracesGetUsersController.java, TracesJIRAExportController.java, TracesMergeController.java, TracesSaveStatusController.java, TracesSearchController.java, TracesSendToBugtrackersController.java, TracesTreeController.java, TracesViewerController.java, TraceViewerWorkingNotificationController.java, ViewTracesController.java, UpdateAppConfigurationController.java, BannerController.java, BillingAccountActivityController.java, BillingApplyPaymentController.java, BillingAppsController.java, BillingExecuteOrderController.java.
  22. Known Vulnerable Libraries Sensor (Libraries, SAST, Negative, CI): run DependencyCheck during every build (and do a build once a month even if nothing changed).
  23. CSRF Defense Sensor (HTTP, Passive, Positive, QA) • Run tests through ZAP • ZEST to check CSRF token • Get results via ZAP REST API
  24. Canonicalization Correctness Sensor (Code, JUnit, Positive, Staging).
  25. Injection Sensors (Data Flow, IAST, Negative, Dev): use IAST tools for DFA vulnerabilities.
  26. Architecture, Inventory, and More… • What would you like to gather from all your applications? • Inventory? Architecture? Outbound connections? Lines of code? Security components? • All possible…. and all at DevOps speed and portfolio scale.
  27. Building Continuous AppSec (pipeline diagram: DEV, CI, TEST, QA, STAG, SEC, OPS; Manual, Dynamic, Static, Interactive, JUnit; Data Warehouse: Application Security Intelligence).
  28. Sensors? How do you know what sensors you need? 1) The OWASP Top Ten? 2) What your tools are good at? 3) What your pentester thinks is important? 4) Actually figure out what matters?
  29. Aspect 2013 Global AppSec Risk Report (chart): applications with at least one vulnerability in category, ordered from higher risk to lower risk; axis 0% to 90%.
  30. What's In Your Expected Model? Expected: Requirements, Threat Model, Abuse Cases, Policy, Standards… There is no security without a model.
  31. What Are You Actually Testing? Actual: Pentest, Code Review, Tools, Arch Review, …
  32. Unfortunately… (Venn diagram of Expected versus Actual) Expected but not being tested (aka RISK); Actual but doesn't need testing (aka WASTE).
  33. Are You Secure? Secure?
  34. Aligning Sensors with Business Concerns. Business Concerns: Data Protection, Fraud, Availability. Defense Strategies: Minimize Sensitive Data, Role Based Access Control, Encrypt Data in Storage and Transit, Logging and Intrusion Detection. Actual Defenses: Full Disk Encryption with TrueCrypt, Programmatic Encryption with ESAPI, TLS Everywhere with Venafi. Sensors: Libraries Present and Up-to-date, Encryption Correctness with JUnit Tests, ESAPI Used Properly.
  35. Continuous Application Security! Translate "expected" into sensors. (Diagram: New Threats, Business Priorities → Expected → Application Portfolio → Actual → Application security dashboards.)
  36. How to Get Started: choose a sensor; build it with developers; deploy your sensor; create a dashboard using Excel.
  37. Transforming AppSec (maturity ladder): AppSec Optimization, AppSec as Business Driver, AppSec Strategy, AppSec Monitoring, AppSec Compliance. We will never improve if our only metric is whether we are doing what everyone else is doing.
  38. Thank You! Please stop by the Contrast Security booth! @planetlevel
  39. Expected: Tracking Coverage. Categories: Infrastructure Security, Secure Development, Logging and Accountability, Security Verification, Data Protection, Incident Response. Expanded items:
     ▼ Minimal data collection ▼…
     ▼ Strong encryption in storage and transit ▼ All external connections use SSL ▼ All internal connections use SSL ▼ SSL hardened according to OWASP ▼ All highly sensitive data encrypted ▼ Encryption uses standard control ▼ Encryption uses AES, no CBC or ECB
     ▼ Universal authentication ▼…
     ▼ Pervasive access control ▼…
     ▼ Injection defenses ▼ Strict positive validation of all input ▼ Use of parameterized interfaces ▼ All parsers hardened ▼ XML parsers set to not use DOCTYPE ▼ Browser set no content sniffing header ▼ Etc…
     ▼ Use Hibernate and secure coding ▼ Use JQuery and secure coding ▼ Etc…
  40. Enterprise Controls Dashboard. Columns: Expected Defense, Defense Present?, Defense Correct?, Applications Tested?, Training and Support. Rows: Authentication, Authorization, Cryptography, Validation, Escaping, Tokens, Logging, Intrusion Detection, Random Numbers, Browser Security, Safe API Wrappers, Object Reference Management, Error Handling. (Status indicators in the cells were not recoverable.)
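Slides 14, 15 and 20 describe two sensors without showing how they are built: an HTTP sensor that verifies X-Frame-Options on every page and grades each application in the portfolio, and a code sensor that reports which controllers carry a @PreAuthorize check and which are MISSING. The following is an added example of both, written for this page; it is not code from the deck, from Aspect Security or from Contrast Security. The letter-grade bands, the "Financials" sample responses and the sample Java sources are all constructed here (the deck only shows 88% as A, 72% as C and 0% as F, so the bands were chosen to agree with that).

```python
"""Two portfolio-scale AppSec sensors modelled on the talk: a clickjacking
(X-Frame-Options) sensor with per-application grading, and an access-control
sensor that reports @PreAuthorize coverage per controller source file.
Added example; grade bands and sample data are constructed assumptions."""
import re
from typing import Dict, List, Tuple

# --- Sensor 1: clickjacking defense verification (slides 14-15) ---------------

PASSING_XFO = {"DENY", "SAMEORIGIN"}        # the slide's "DENY or SameOrigin"


def parse_response_head(raw: str) -> Dict[str, str]:
    """Turn the head of a raw HTTP/1.x response into a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def xfo_verdict(raw_response: str) -> Tuple[bool, str]:
    """Return (passed, observed value); '-' marks a missing header as on slide 15."""
    value = parse_response_head(raw_response).get("x-frame-options", "-")
    return value.upper() in PASSING_XFO, value


def letter_grade(percent: float) -> str:
    """Assumed bands, chosen to match the deck's 88% -> A, 72% -> C, 0% -> F."""
    for floor, grade in ((85, "A"), (80, "B"), (70, "C"), (60, "D")):
        if percent >= floor:
            return grade
    return "F"


def grade_application(pages: Dict[str, str]) -> Tuple[int, str, Dict[str, str]]:
    """Score one application: percent of pages with a passing header, its
    letter grade, and the per-page detail shown in the slide's drill-down."""
    detail = {path: xfo_verdict(raw)[1] for path, raw in pages.items()}
    passed = sum(1 for raw in pages.values() if xfo_verdict(raw)[0])
    percent = round(100 * passed / len(pages)) if pages else 0
    return percent, letter_grade(percent), detail


def portfolio_dashboard(portfolio: Dict[str, Dict[str, str]]) -> List[Tuple[str, int, str]]:
    """One row per application, worst result first, like the slide-15 table."""
    rows = [(app, *grade_application(pages)[:2]) for app, pages in portfolio.items()]
    return sorted(rows, key=lambda row: row[1])


# --- Sensor 2: access control intelligence (slide 20) -------------------------

# Matches @PreAuthorize("...") with a double-quoted SpEL expression inside.
PREAUTHORIZE = re.compile(r'@PreAuthorize\s*\(\s*"((?:[^"\\]|\\.)*)"\s*\)')


def access_control_result(java_source: str) -> str:
    """Report the distinct @PreAuthorize expressions in a controller, or MISSING."""
    found = list(dict.fromkeys(PREAUTHORIZE.findall(java_source)))
    if not found:
        return "MISSING"
    return "; ".join('@PreAuthorize("%s")' % expr for expr in found)


def access_control_report(sources: Dict[str, str]) -> Dict[str, str]:
    """Source file -> result, the two columns of the slide-20 sensor output."""
    return {name: access_control_result(src) for name, src in sources.items()}


# --- Constructed sample input (hypothetical "Financials" app and controllers) --
SAMPLE_PAGES = {
    "/home": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nContent-Type: text/html\r\n\r\n<html>",
    "/home/error.jsp": "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n<html>",
    "/home/index.jsp": "HTTP/1.1 200 OK\r\nx-frame-options: deny\r\n\r\n<html>",
    "/account": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>",
}
SAMPLE_SOURCES = {
    "UpdateBugController.java": 'public class UpdateBugController {\n'
                                '  @PreAuthorize("hasRole(\'ROLE_BUG_EDIT\')")\n'
                                '  public String update() { return "ok"; }\n}\n',
    "ErrorController.java": 'public class ErrorController {\n'
                            '  public String error() { return "error"; }\n}\n',
    "InboxController.java": '@PreAuthorize("isAuthenticated()")\n'
                            'public class InboxController {}\n',
}

if __name__ == "__main__":
    for app, percent, grade in portfolio_dashboard({"Financials": SAMPLE_PAGES}):
        print(f"{app}: {percent}% {grade}")
    for path, observed in grade_application(SAMPLE_PAGES)[2].items():
        print(f"  {path} {observed}")
    for name, result in access_control_report(SAMPLE_SOURCES).items():
        print(f"{name}: {result}")
```

In a real pipeline the raw responses would come from a passive proxy or QA traffic capture and the Java sources from the CI checkout; both sensors stay positive (they verify the defense is present) rather than signature-based, which is the shift slide 18 describes. A controller reported as MISSING is a prompt to confirm it is meant to be public (the deck's own output lists LoginController and ErrorController that way), not an automatic finding.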
