Continuous Application Security at Scale with IAST and RASP -- Transforming DevOps into DevSecOps

Abstract: SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way.

Bio: A pioneer in application security, Jeff Williams is the founder and CTO of Contrast Security, a revolutionary application security product. Contrast is an application agent that enables software to both report vulnerabilities and prevent attacks. Jeff has over 25 years of security experience, speaks frequently on cutting-edge application security, and has helped secure code at hundreds of major enterprises. Jeff served as the Global Chairman of the OWASP Foundation for eight years, where he created many open-source standards, tools, libraries, and guidelines - including the OWASP Top Ten.



  1. Continuous Application Security at Scale with IAST and RASP: Transforming DevOps into DevSecOps. Jeff Williams, CTO and founder, Contrast Security, @planetlevel. OWASP NOVA, July 2016.
  2. A BRIEF HISTORY OF APPLICATION SECURITY AUTOMATION
     • Development (find vulnerabilities): SAST (Static AppSec Testing), DAST (Dynamic AppSec Testing), IAST (Interactive AppSec Testing)
     • Operations (block attacks): IDS/IPS (Intrusion Detection/Prevention System), WAF (Web Application Firewall), RASP (Runtime Application Self-Protection)
     • Unified Agent: IAST and RASP
     Timeline markers: 2002, 2002, 2012, 2014, 2015
  3. WARNING: Security has detected and blocked an attempted attack. This attack has been fully logged and may be further investigated. If you believe you have received this message in error, please contact security@company.com with the details of the incident. In 17 years of noisy pentesting, I have seen many stack traces, many error messages, and many requests to “please try again.” I have never been identified as an attacker. Madness.
  4. APPSEC IS GETTING HARDER EVERY DAY!
     • Libraries: explosive growth in libraries and frameworks
     • Services: microservices, APIs, REST, SOAP, single-page apps
     • Cloud: rapidly growing use of cloud and containers
     • Agile: high-speed software development
     Legacy application security tools can’t handle the speed, size, and complexity of modern software development.
  5. OWASP Benchmark: 21,000 test cases across a range of true and false vulnerabilities. Free, open, reproducible, sponsored by DHS. Scores shown: IAST-01, 33%.
  6. THE TRUE COST OF FALSE POSITIVES. Tool → App → 400 possible vulnerabilities → security scanner PDF report. In two days, we can triage 100 of 400 “possibles” (10% true positives). We can confirm 10 of 40 real vulnerabilities. We will miss 30 of 40 real vulnerabilities.
  7. WHAT’S YOUR ACTSOA? ANNUAL COST TO SECURE ONE APPLICATION (cost factor: description; cost)
     • License cost: typical per-application annual license. This cost is $0 if relying on a manual pentest and/or manual code review.
     • Analysis: actually assessing an application typically takes 2-4 weeks for a manual review, 1 for an automated scan.
     • Triage: experts must eliminate false positives from automated tool results. Plan on several per assessment, zero for manual reviews.
     • Reporting: every vulnerability needs to get risk rated, written up, tracked, reported, and closed. Dashboards need to be created. Figure one day per assessment.
     • Remediation: full cost to remediate and deploy fixes. Typical application has 22 vulnerabilities at hours each at $100/hr totaling roughly $44,000. Cost: $$$$
     • Retest: the retest verifies that issues identified have been fixed appropriately. Typically the retest costs about 25% of the original assessment.
     • Management: if running a scanning program, several headcount will be needed to manage the schedule, contracts, and infrastructure required.
     • TOTAL: ?
  8. ACCURACY, AUTOMATION, AND SCALABILITY. You can’t scale appsec without highly accurate tools (both true positives and true negatives), because inaccuracies require experts… and experts don’t scale.
  9. TRADITIONAL VS. CONTINUOUS
  10. CONTINUOUS APPLICATION SECURITY (new code → production)
     • Development and Operations: push code to production with fully automated security support
     • Application Security: security experts deliver security as code
     • Management: management makes informed decisions with detailed security analytics
  11. CONTINUOUS APPLICATION SECURITY (new code → production)
     • Development and Operations: Standard Defenses, Attack Protection, Security Integration
     • Application Security: Security Research (internal), Threat Intelligence (external), Security Architecture
     • Management: Security Orchestration, Security Training
  12. (definition, sense 4) The use of measuring instruments to monitor and control a process. It is the art and science of measurement and control of process variables within a production, laboratory, or manufacturing area.
  13. Source instrumentation: inject a simple static method call.
  14. Binary instrumentation
     • Widely used: CPU performance, memory, logging, security, …
     • Lots of libraries: ASM (Java), BCEL (Java), Javassist (Java), MBEL (.NET), RAIL (.NET), …
  15. Dynamic binary instrumentation! Runtime environment: original binary code (classes) → Agent → instrumented binary code. Binary code is enhanced as it loads. The agent reports to a command and control dashboard.
  16. INSTRUMENTATION IN ACTION. Your application stack: App Server, Frameworks, Libraries, Custom Code, Runtime.
     1 Add agent: -javaagent:appsec.jar
     2 Agent instruments running application
     3 Agent blocks attacks and finds vulnerabilities
     4 Dashboard provides visibility and control (attacks and vulnerabilities)
  17. DETECTING AND BLOCKING BOTH ATTACKS AND VULNERABILITIES. Security context is assembled within the agent; sensors are woven into the running application.
     • Actors: Developer, Tester, User, Attacker
     • Application layers: Controller, Validation, Session, Business Logic, Data Layer, SQL API, Database
     • Sensor data: HTTP Request, Validation Tags, Data Tracking, Data Parsing, Escaping Tags, Query
     • Decision: Vulnerability? Attack?
  18. STOP TALKING ABOUT “STATIC” AND “DYNAMIC”. Software is a black box. Information sources: HTTP traffic, code, frameworks, libraries, runtime data flow, runtime control flow, backend connections, configuration data, server configuration, etc. (platform, runtime, software architecture). Tools: SAST, DAST, WAF, Instrumentation. Talk about what information you need to confirm a vulnerability or an attack.
  19. Instrumentation speed and accuracy dominates SAST and DAST. OWASP Benchmark: 21,000 test cases across a range of vulnerabilities, sponsored by DHS. Scores shown: 33%, 100%, 92%, IAST-01.
  20. PERIMETER DECISION POINT (WAF) vs. APPLICATION DECISION POINT (RASP).
     • WAF sees: GET /foo?name='%20or%20%20'1'='1 HTTP/1.0
     • RASP sees: stmt.execute( "select * from table where id ='1' or '1'='1'" );
     Three problems: 1) Bottleneck 2) No context 3) Impedance
  21. Instrumentation performance: same as code. WebGoat, RASP processing (microseconds, i.e. millionths of a second):
     • Typical traffic: 50 microseconds
     • Mixed traffic: 170 microseconds
     • Heavy attack traffic: 230 microseconds
     • Number of applications doesn’t matter
     • No bottleneck on either bandwidth or CPU
  22. Instrumentation adds a security assessment and protection API to every application. Your standard application stack(s): Physical Host or VM, Container OS, Container Runtime, Application Platform, 3rd Party Frameworks, 3rd Party Libraries, Apps and APIs (RASP). Examples…
     • Report all use of DES/MD5
     • Turn off XML doctype
     • Set X-Frame-Options
     • Report SQL injection vulns
     • Log all failed authentications
     • Block Spring EL attacks
     • Report vulnerable libraries
     • Deploy virtual patches
     • Block apps with old jQuery
  23. Instrumented application portfolio (containers).
     • User plane: partners, users, employees, devices, hackers, bots, organized crime, insiders
     • AppSec Control Plane: operations, information security, application security, development, compliance
     • Visibility: attacks, vulnerabilities, enhanced logging, application profiles, libraries and frameworks, software architecture
     • Control: attack protection policy, secure coding policy, library policy, crypto policy, connection policy, configuration policy
  24. THANK YOU. Jeff Williams, jeff.williams@contrastsecurity.com, @planetlevel, http://contrastsecurity.com. “Leader” “Visionary” “Innovator”
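Slides 13 through 17, 20 and 22 describe the mechanism in words only: an agent hooks into the application as it loads, tags data arriving in the HTTP request, follows it through the code, and at the SQL sink decides "vulnerability?" and "attack?" with full context instead of guessing from a URL at the perimeter. The following is an added toy example, written for this page and not Contrast's product code or anything from the deck. It is in Python rather than Java, so the "agent instruments the running application" step is a function wrapper installed at agent load time (a stand-in for the bytecode rewriting a -javaagent does with ASM or Javassist). `Tracked`, `Span`, `request_param`, `escape_sql_literal`, `assess`, `Statement` and `install_agent` are all constructed names; the sample queries reuse the slide's `' or '1'='1` value only as test input for the detection logic.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Span:
    """A tagged region of a string: the agent's 'data tracking' record."""
    start: int
    end: int
    tags: frozenset


class Tracked(str):
    """str subclass that carries taint spans through concatenation."""

    def __new__(cls, value, spans=None):
        obj = super().__new__(cls, value)
        obj.spans = list(spans) if spans else []
        return obj

    def __add__(self, other):
        offset = len(self)
        shifted = [Span(s.start + offset, s.end + offset, s.tags)
                   for s in getattr(other, "spans", [])]
        return Tracked(str(self) + str(other), self.spans + shifted)

    def __radd__(self, other):
        # plain str + Tracked: Python tries the subclass's reflected op first
        return Tracked(other) + self


def request_param(name, value):
    """Source sensor: anything from the HTTP request is tagged untrusted."""
    return Tracked(value, [Span(0, len(value), frozenset({"untrusted", "param:" + name}))])


def escape_sql_literal(value):
    """Escaping sensor: double single quotes and add the 'escaped' tag."""
    out = str(value).replace("'", "''")
    tags = set()
    for s in getattr(value, "spans", []):
        tags |= s.tags
    if not tags:
        return Tracked(out)
    return Tracked(out, [Span(0, len(out), frozenset(tags | {"escaped"}))])


# SQL string literals ('' escapes a quote), identifiers, numbers, single punctuation
SQL_TOKEN = re.compile(r"'(?:''|[^'])*'|[A-Za-z_][A-Za-z0-9_]*|\d+|[^\s\w']")


def assess(sql):
    """Sink sensor (the application decision point): list of (kind, detail)."""
    findings = []
    text = str(sql)
    tokens = [m.span() for m in SQL_TOKEN.finditer(text)]
    for s in getattr(sql, "spans", []):
        if "untrusted" not in s.tags or "escaped" in s.tags:
            continue
        # untrusted data reached the query without escaping: a vulnerability,
        # found on ordinary tester/user traffic regardless of the value sent
        findings.append(("vulnerability",
                         "unescaped data from %s reached SQL sink" % sorted(s.tags)))
        # only if the tainted region crosses token boundaries did the value change
        # the query's structure: that is what makes this request an attack
        touched = [t for t in tokens if t[0] < s.end and s.start < t[1]]
        if len(touched) > 1:
            findings.append(("attack", "user data spans %d query tokens: %r"
                             % (len(touched), text[s.start:s.end])))
    return findings


class Statement:
    """Stand-in for the JDBC Statement the slides instrument (constructed)."""

    def __init__(self):
        self.executed = []

    def execute(self, sql):
        self.executed.append(str(sql))
        return True


class BlockedAttack(Exception):
    pass


REPORTS = []  # what the dashboard would receive


def install_agent(block=True):
    """Stand-in for the -javaagent step: wrap the sink when the agent loads."""
    original = Statement.execute
    if getattr(original, "_agent", False):
        return  # already instrumented

    def instrumented(self, sql):
        findings = assess(sql)
        if findings:
            REPORTS.append(findings)
        if block and any(kind == "attack" for kind, _ in findings):
            raise BlockedAttack(findings)
        return original(self, sql)

    instrumented._agent = True
    Statement.execute = instrumented


def try_execute(statement, sql):
    """Run a query through the instrumented sink; 'executed' or 'blocked'."""
    try:
        statement.execute(sql)
        return "executed"
    except BlockedAttack:
        return "blocked"


if __name__ == "__main__":
    install_agent()
    st = Statement()
    for value in ("42", "' or '1'='1"):
        query = "select * from table where id='" + request_param("id", value) + "'"
        print(try_execute(st, query), query, REPORTS[-1])
    safe = "select * from table where name='" + escape_sql_literal(
        request_param("name", "O'Brien")) + "'"
    print(try_execute(st, safe), safe, assess(safe))
```

The benign value `42` yields a vulnerability finding but is executed: the code is injectable, which is exactly what a developer or tester exercising the page should be told, and no attacker is needed to find it. The slide's payload yields both findings and is blocked, because the sink sees the assembled query and can tell that user data now spans five tokens; a WAF looking at `GET /foo?name=...` has no such context. The escaped value produces nothing. Escaping is the slide's tag; in real code a parameterized query is the better fix since the untrusted data then never reaches the query text at all.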
