Continuous Application Security at Scale with IAST and RASP
Transforming DevOps into DevSecOps
Jeff Williams, CTO and founder, Contrast Security
@planetlevel
OWASP NOVA – July 2016
A BRIEF HISTORY OF APPLICATION SECURITY AUTOMATION
Development (find vulnerabilities)          Operations (block attacks)
2002: DAST (Dynamic AppSec Testing)         2002: WAF (Web Application Firewall)
      SAST (Static AppSec Testing)                IDS/IPS (Intrusion Detection/Prevention System)
2012: IAST (Interactive AppSec Testing)     2014: RASP (Runtime Application Self-Protection)
2015: Unified Agent – IAST and RASP
WARNING: Security has detected and blocked an attempted attack.
This attack has been fully logged and may be further investigated. If you believe you have received this message in error, please contact security@company.com with the details of the incident.

In 17 years of noisy pentesting, I have seen many stack traces, many error messages, and many requests to “please try again.” I have never been identified as an attacker. Madness.
APPSEC IS GETTING HARDER EVERY DAY!
• Libraries – explosive growth in libraries and frameworks
• Services – microservices, APIs, REST, SOAP, single-page apps
• Cloud – rapidly growing use of cloud and containers
• Agile – high speed software development
Legacy application security tools can’t handle the speed, size, and complexity of modern software development.
OWASP Benchmark
21,000 test cases across a range of true and false vulnerabilities
• Free
• Open
• Reproducible
• Sponsored by DHS
[Chart: OWASP Benchmark scorecard; labels visible: IAST-01, 33%]
THE TRUE COST OF FALSE POSITIVES
Tool scans App → Security Scanner PDF Report: 400 possible vulnerabilities
In two days, we can triage 100 of 400 “possibles” (10% true positives).
We can confirm 10 of 40 real vulnerabilities.
We will miss 30 of 40 real vulnerabilities.
WHAT’S YOUR ACTSOA?
ANNUAL COST TO SECURE ONE APPLICATION

Cost factor   Description                                                                    Cost
License       Typical per-application annual license. This cost is $0 if relying on a
              manual pentest and/or manual code review.
Analysis      Actually assessing an application typically takes 2-4 weeks for a manual
              review, 1 for an automated scan.
Triage        Experts must eliminate false positives from automated tool results. Plan on
              several per assessment, zero for manual reviews.
Reporting     Every vulnerability needs to get risk rated, written up, tracked, reported,
              and closed. Dashboards need to be created. Figure one day per assessment.
Remediation   Full cost to remediate and deploy fixes. Typical application has 22           $$$$
              vulnerabilities at hours each at $100/hr totaling roughly $44,000.
Retest        The retest verifies that issues identified have been fixed appropriately.
              Typically the retest costs about 25% of original assessment.
Management    If running a scanning program, several headcount will be needed to manage
              the schedule, contracts, and infrastructure required.
TOTAL                                                                                        ?
ACCURACY, AUTOMATION, AND SCALABILITY
You can’t scale appsec without highly accurate tools (both true positives and true negatives).
Because inaccuracies require experts… and experts don’t scale.
TRADITIONAL VS. CONTINUOUS
CONTINUOUS APPLICATION SECURITY (New Code → Production)
• Development and Operations – push code to production with fully automated security support
• Application Security – security experts deliver security as code
• Management – management makes informed decisions with detailed security analytics
CONTINUOUS APPLICATION SECURITY (New Code → Production)
• Development and Operations: Standard Defenses, Attack Protection, Security Integration
• Application Security: Security Research (Internal), Threat Intelligence (External), Security Architecture
• Management: Security Orchestration, Security Training
instrumentation, sense 4: The use of measuring instruments to monitor and control a process. It is the art and science of measurement and control of process variables within a production, laboratory, or manufacturing area.

Source instrumentation – inject a simple static method call
Binary instrumentation
• Widely used
  • CPU performance
  • Memory
  • Logging
  • Security
  • …
• Lots of libraries
  • ASM (Java)
  • BCEL (Java)
  • Javassist (Java)
  • MBEL (.NET)
  • RAIL (.NET)
  • …
Dynamic binary instrumentation!
Binary code is enhanced as it loads.
[Diagram: inside the Runtime Environment, each class of the Original Binary Code passes through the Agent as it is loaded and comes out as Instrumented Binary Code; the Agent reports to a Command and Control Dashboard.]
INSTRUMENTATION IN ACTION
Your application stack: App Server, Frameworks, Libraries, Custom Code, plus the Instrumentation Agent in the runtime.
1) Add agent: -javaagent:appsec.jar
2) Agent instruments running application
3) Agent blocks attacks and finds vulnerabilities
4) Dashboard provides visibility and control (attacks and vulnerabilities are reported to the Dashboard)
DETECTING AND BLOCKING BOTH ATTACKS AND VULNERABILITIES
Security context assembled within agent; sensors woven into running application.
[Diagram: a request from a Developer, Tester, User or Attacker flows through Controller → Validation → Session → Business Logic → Data Layer → SQL API → Database. Sensors along that path capture the HTTP Request, Validation Tags, Data Tracking, Data Parsing, Escaping Tags and the final Query, and the agent answers two questions for each request: Vulnerability? Attack?]
STOP TALKING ABOUT “STATIC” AND “DYNAMIC”
Software is a black box.
[Matrix: which information each approach (SAST, DAST, WAF, Instrumentation) can see across the Platform, Runtime and Software Architecture: HTTP Traffic, Code, Frameworks, Libraries, Runtime Data Flow, Runtime Control Flow, Backend Connections, Configuration Data, Server Configuration, etc.]
Talk about what information you need to confirm a vulnerability or an attack.
Instrumentation speed and accuracy dominates SAST and DAST
OWASP Benchmark – 21,000 test cases across a range of vulnerabilities. Sponsored by DHS.
[Chart: OWASP Benchmark scorecard; labels visible: IAST-01, 33%, 92%, 100%]
PERIMETER DECISION POINT (WAF) – sees only the raw request:
    GET /foo?name='%20or%20%20'1'='1 HTTP/1.0
Three problems:
1) Bottleneck
2) No context
3) Impedance
APPLICATION DECISION POINT (RASP) – sees the same request and the query the application actually builds from it:
    stmt.execute( "select * from table where id ='1' or '1'='1'" );
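The flow the last three slides describe (agent hooks the data-layer sink, tags request data, then answers Vulnerability? and Attack? with the full query context a perimeter WAF lacks), as an added Python model that is not the deck's or Contrast's code. It stands in for a Java agent with a sqlite3 connection wrapper; the tokenizer, the Sensor, the hook names and the sample application are this example's assumptions.

```python
"""Toy RASP/IAST sensor at the SQL sink (added example, not from the deck).
Models in Python what the slides describe for a Java agent: HTTP parameters
are tagged untrusted on arrival, and a sensor woven into the data layer sees
the final SQL text a WAF never sees, so it can tell a vulnerability (untrusted
data concatenated into SQL) from an attack (data that changes the query's
token structure). A real agent propagates taint tags through string operations;
this model approximates that with substring matching.
"""
import re
import sqlite3

# Splits SQL into lexical tokens: string/number literals, words, operators.
_TOKEN = re.compile(
    r"\s+|'(?:[^']|'')*'|\"[^\"]*\"|\d+(?:\.\d+)?|[A-Za-z_]\w*|<>|!=|<=|>=|\S")

def tokenize(sql):
    """(start, end, text) for every non-whitespace token in sql."""
    return [(m.start(), m.end(), m.group())
            for m in _TOKEN.finditer(sql) if not m.group().isspace()]

def tokens_touched(sql, value):
    """Largest number of tokens that one occurrence of value spans in sql.
    Benign input stays inside a single token (a string or number literal);
    input that closes the literal and appends clauses spans several."""
    toks = tokenize(sql)
    worst = 0
    for m in re.finditer(re.escape(value), sql):
        n = sum(1 for s, e, _ in toks if s < m.end() and e > m.start())
        worst = max(worst, n)
    return worst

class BlockedRequest(Exception):
    """Raised when the sensor blocks an attack (RASP mode)."""

class Sensor:
    """Per-request taint tags plus the (kind, parameter) findings they produce."""

    def __init__(self, block=True):
        self.block, self.tainted, self.findings = block, {}, []

    def tag_request(self, params):
        """Source: every HTTP parameter is tagged as untrusted."""
        self.tainted = {k: v for k, v in params.items() if v}
        self.findings = []

    def check_sql(self, sql):
        """Sink: inspect the final query text before the driver runs it."""
        for name, value in self.tainted.items():
            n = tokens_touched(sql, value)
            if n == 0:
                continue  # parameterized, or never reached this query
            # Untrusted data inside the SQL text is a vulnerability even when
            # the traffic is benign: this is what IAST reports to developers.
            self.findings.append(("vulnerability", name))
            if n > 1:  # it changed the query structure: an attack (RASP)
                self.findings.append(("attack", name))
                if self.block:
                    raise BlockedRequest(f"{name!r} altered SQL structure")

SENSOR = Sensor()

class InstrumentedConnection(sqlite3.Connection):
    """Stands in for the agent rewriting the driver's execute() sink."""

    def execute(self, sql, params=()):
        SENSOR.check_sql(sql)
        return super().execute(sql, params)

def make_db():
    """Constructed sample data; the connection factory installs the sensor."""
    db = sqlite3.connect(":memory:", factory=InstrumentedConnection)
    db.execute("create table users (name text, role text)")
    db.execute("insert into users values ('alice','user'), ('root','admin')")
    return db

def vulnerable_lookup(db, params):
    """Application code that concatenates the parameter into the query."""
    SENSOR.tag_request(params)
    sql = f"select role from users where name = '{params['name']}'"
    return [r[0] for r in db.execute(sql)]

def safe_lookup(db, params):
    """Same feature, parameterized: the value never appears in the SQL text."""
    SENSOR.tag_request(params)
    rows = db.execute("select role from users where name = ?", (params["name"],))
    return [r[0] for r in rows]

def handle(db, handler, params):
    """Run one request; return (rows, finding kinds, blocked?)."""
    try:
        rows = handler(db, params)
        return rows, [kind for kind, _ in SENSOR.findings], False
    except BlockedRequest:
        return None, [kind for kind, _ in SENSOR.findings], True
```

Running `handle(make_db(), vulnerable_lookup, {"name": "alice"})` reports a vulnerability on benign traffic, the same lookup with the slide's `' or '1'='1` payload is reported as an attack and blocked, and `safe_lookup` with that payload produces no finding at all because the value never reaches the SQL text.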
Instrumentation performance – same as code
WebGoat RASP Processing (microseconds = millionths of a second)
Typical traffic          50 microseconds
Mixed traffic           170 microseconds
Heavy attack traffic    230 microseconds
• Number of applications doesn’t matter
• No bottleneck on either bandwidth or CPU
Application Platform
Instrumentation adds a security assessment and protection API to every application.
Your standard application stack(s): Physical Host or VM → Container OS → Container Runtime → 3rd Party Frameworks → 3rd Party Libraries → Apps and APIs
Examples…
• Report all use of DES/MD5
• Turn off XML doctype
• Set X-Frame-Options
• Report SQL injection vulns
• Log all failed authentications
• Block Spring EL attacks
• Report vulnerable libraries
• Deploy virtual patches
• Block apps with old jQuery
RASP: instrumented application portfolio
User Plane: partners, users, employees, devices, hackers, bots, organized crime, insiders
AppSec Control Plane: operations, information security, application security, development, compliance
Visibility
• Attacks
• Vulnerabilities
• Enhanced logging
• Application profiles
• Libraries and frameworks
• Software architecture
Control
• Attack protection policy
• Secure coding policy
• Library policy
• Crypto policy
• Connection policy
• Configuration policy
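The policy examples on the platform slide and the Control list above, as an added example (not the deck's or Contrast's code) of security delivered as code: one declarative policy, pushed from the control plane, evaluated at three instrumented hook points with report, fix and block actions. The policy format, the hook names and the jQuery minimum version are this example's assumptions.

```python
"""Security-as-code policy evaluated by an instrumentation agent (added
example, not from the deck). The platform slide lists things an agent can do
for every app in a portfolio (report DES/MD5, set X-Frame-Options, block old
jQuery); here one declarative policy drives three instrumented hook points.
Policy format, hook names and the jQuery minimum are this example's assumptions.
"""
import re

# Pushed from the AppSec control plane to every agent: no change to app code.
POLICY = {
    "crypto":    {"forbidden": {"des", "md5"}, "action": "report"},
    "headers":   {"required": {"X-Frame-Options": "DENY"}, "action": "fix"},
    "libraries": {"minimum": {"jquery": "3.0.0"}, "action": "block"},
}

def parse_version(text):
    """'1.4.2' -> (1, 4, 2); a pre-release suffix such as '-rc1' is ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

class PolicyAgent:
    """Evaluates the policy at instrumented points and records what it did."""

    def __init__(self, policy):
        self.policy = policy
        self.findings = []  # (rule, detail, action) tuples for the dashboard

    def _record(self, rule, detail, action):
        self.findings.append((rule, detail, action))
        return action

    def on_digest(self, algorithm):
        """Hook where the app requests a message digest (crypto policy)."""
        rule = self.policy["crypto"]
        if algorithm.lower() in rule["forbidden"]:
            return self._record("crypto", f"weak algorithm {algorithm}", rule["action"])
        return "allow"

    def on_response(self, headers):
        """Hook on the outgoing response: add required headers the app omitted
        (configuration policy) and return the headers actually sent."""
        rule = self.policy["headers"]
        fixed = dict(headers)
        for name, value in rule["required"].items():
            if name not in fixed:
                fixed[name] = value
                self._record("headers", f"missing {name}", rule["action"])
        return fixed

    def on_library_load(self, name, version):
        """Hook when a third-party library enters the runtime (library policy)."""
        rule = self.policy["libraries"]
        minimum = rule["minimum"].get(name.lower())
        if minimum and parse_version(version) < parse_version(minimum):
            return self._record("libraries", f"{name} {version} < {minimum}", rule["action"])
        return "allow"
```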
CONTAINERS
THANK YOU
Jeff Williams
jeff.williams@contrastsecurity.com
@planetlevel
http://contrastsecurity.com

Arif0071
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
VivekSinghShekhawat2
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 

Recently uploaded (20)

急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 

Continuous Application Security at Scale with IAST and RASP -- Transforming DevOps into DevSecOps

  • 1. Continuous Application Security at Scale with IAST and RASP Transforming DevOps into DevSecOps Jeff Williams, CTO and founder Contrast Security @planetlevel OWASP NOVA – July 2016
  • 2. A BRIEF HISTORY OF APPLICATION SECURITY AUTOMATION. Development (find vulnerabilities): DAST (Dynamic AppSec Testing), SAST (Static AppSec Testing). Operations (block attacks): WAF (Web Application Firewall), IDS/IPS (Intrusion Detection/Prevention System). Then IAST (Interactive AppSec Testing) and RASP (Runtime Application Self-Protection), and a Unified Agent for IAST and RASP. Dates shown: 2002, 2002, 2012, 2014, 2015.
  • 3.
  • 4. WARNING: Security has detected and blocked an attempted attack. This attack has been fully logged and may be further investigated. If you believe you have received this message in error, please contact security@company.com with the details of the incident. In 17 years of noisy pentesting, I have seen many stack traces, many error messages, and many requests to “please try again.” I have never been identified as an attacker. Madness.
  • 5. APPSEC IS GETTING HARDER EVERY DAY! Libraries: explosive growth in libraries and frameworks. Services: microservices, APIs, REST, SOAP, single-page apps. Cloud: rapidly growing use of cloud and containers. Agile: high-speed software development. Legacy application security tools can't handle the speed, size, and complexity of modern software development.
  • 6. OWASP Benchmark: 21,000 test cases across a range of true and false vulnerabilities. Free, open, reproducible. Sponsored by DHS. (Chart: IAST-01, 33%.)
  • 7. THE TRUE COST OF FALSE POSITIVES. Tool scans app and reports 400 possible vulnerabilities (security scanner PDF report). In two days, we can triage 100 of 400 "possibles" (10% true positives). We can confirm 10 of 40 real vulnerabilities. We will miss 30 of 40 real vulnerabilities.
  • 8. WHAT'S YOUR ACTSOA? ANNUAL COST TO SECURE ONE APPLICATION. Cost factor, description, cost: License Cost: typical per-application annual license; $0 if relying on a manual pentest and/or manual code review. Analysis: actually assessing an application typically takes 2-4 weeks for a manual review, 1 for an automated scan. Triage: experts must eliminate false positives from automated tool results; plan on several per assessment, zero for manual reviews. Reporting: every vulnerability needs to get risk rated, written up, tracked, reported, and closed, and dashboards need to be created; figure one day per assessment. Remediation: full cost to remediate and deploy fixes; a typical application has 22 vulnerabilities at hours each at $100/hr, totaling roughly $44,000 ($$$$). Retest: verifies that the issues identified have been fixed appropriately; typically about 25% of the original assessment. Management: if running a scanning program, several headcount will be needed to manage the schedule, contracts, and infrastructure required. TOTAL: ?
  • 9. ACCURACY, AUTOMATION, AND SCALABILITY. You can't scale appsec without highly accurate tools (both true positives and true negatives), because inaccuracies require experts… and experts don't scale.
  • 11. CONTINUOUS APPLICATION SECURITY (new code → production). Development and Operations push code to production with fully automated security support. Application Security: security experts deliver security as code. Management makes informed decisions with detailed security analytics.
  • 12. CONTINUOUS APPLICATION SECURITY (new code → production). Development and Operations: standard defenses, attack protection, security integration. Application Security: security research (internal), threat intelligence (external), security architecture. Management: security orchestration, security training.
  • 13. instrumentation, n., sense 4: The use of measuring instruments to monitor and control a process. It is the art and science of measurement and control of process variables within a production, laboratory, or manufacturing area.
  • 15. Binary instrumentation • Widely used • CPU Performance • Memory • Logging • Security • … • Lots of libraries • ASM (Java) • BCEL (Java) • Javassist (Java) • MBEL (.NET) • RAIL (.NET) • …
  • 16. Dynamic binary instrumentation! Runtime environment: the agent enhances binary code as it loads (original binary code → instrumented binary code, class by class) and reports to a command and control dashboard.
  • 17. Runtime INSTRUMENTATION IN ACTION. Your application stack: app server, frameworks, libraries, custom code. 1: Add agent (-javaagent:appsec.jar). 2: Agent instruments the running application. 3: Agent blocks attacks and finds vulnerabilities. 4: Dashboard provides visibility and control (attacks and vulnerabilities).
  • 18. DETECTING AND BLOCKING BOTH ATTACKS AND VULNERABILITIES. Sensors woven into the running application; security context assembled within the agent. Actors: developer, tester, user, attacker. Path through the app: HTTP request → controller → validation (validation tags) → session → business logic (data tracking, data parsing) → data layer (escaping tags) → SQL API (query) → database. Vulnerability? Attack?
  • 19. STOP TALKING ABOUT "STATIC" AND "DYNAMIC". Software is a black box. Talk about what information you need to confirm a vulnerability or an attack: HTTP traffic, code, frameworks, libraries, runtime data flow, runtime control flow, backend connections, configuration data, server configuration, etc… (platform, runtime, software architecture). Columns: SAST, DAST, WAF, Instrumentation.
  • 20. Instrumentation speed and accuracy dominates SAST and DAST. OWASP Benchmark: 21,000 test cases across a range of vulnerabilities. Sponsored by DHS. (Chart: 33%, 92%, 100%, IAST-01.)
  • 21. WAF vs RASP. Perimeter decision point (WAF): GET /foo?name='%20or%20%20'1'='1 HTTP/1.0. Application decision point (RASP): stmt.execute( "select * from table where id ='1' or '1'='1'" ); Three problems with the WAF: 1) Bottleneck 2) No context 3) Impedance.
  • 22. Instrumentation performance: same as code. WebGoat RASP processing: typical traffic 50 microseconds; mixed traffic 170 microseconds; heavy attack traffic 230 microseconds (millionths of a second). Number of applications doesn't matter; no bottleneck on either bandwidth or CPU.
  • 23. Instrumentation adds a security assessment and protection API to every application. Your standard application stack(s): physical host or VM, container OS, container runtime, application platform, 3rd-party frameworks, 3rd-party libraries, apps and APIs (RASP). Examples… Report all use of DES/MD5. Turn off XML doctype. Set X-Frame-Options. Report SQL injection vulns. Log all failed authentications. Block Spring EL attacks. Report vulnerable libraries. Deploy virtual patches. Block apps with old jQuery.
  • 24. Instrumented application portfolio. AppSec control plane. User plane: partners, users, employees, devices, hackers, bots, organized crime, insiders. Teams: operations, information security, application security, development, compliance. Visibility: attacks, vulnerabilities, enhanced logging, application profiles, libraries and frameworks, software architecture. Control: attack protection policy, secure coding policy, library policy, crypto policy, connection policy, configuration policy. CONTAINERS.
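The mechanism slides 15 through 17 describe, as an added example that is not code from the talk or from Contrast Security's agent: a load-time Java agent that uses the JDK Instrumentation API together with the ASM bytecode library (one of the libraries slide 15 lists) to rewrite every class as it loads, inserting a sensor call in front of each call site of the non-parameterized `java.sql.Statement.execute`, `executeQuery` and `executeUpdate(String)` methods. The sensor just reports where dynamic SQL is being built, which is the inventory use case the speaker notes describe; a protection agent would additionally tag request data and check the query before letting the call proceed. The class names `SqlSensorAgent` and `SqlSensor`, the jar name, the skipped package prefixes and the ASM version are my assumptions; the `appsec.jar` on slide 17 is not this agent.

```java
// SqlSensorAgent.java (added example). Needs org.ow2.asm:asm 9.x on the class path and a jar
// manifest containing "Premain-Class: SqlSensorAgent". Hypothetical names throughout.
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

public final class SqlSensorAgent {

    /** Called by the JVM before main() when started with -javaagent:sqlsensor.jar. */
    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new SqlCallSiteTransformer());
    }

    /** Rewrites each class as it loads so every Statement.execute*(String) call site reports first. */
    static final class SqlCallSiteTransformer implements ClassFileTransformer {
        @Override
        public byte[] transform(ClassLoader loader, String className, Class<?> beingRedefined,
                                ProtectionDomain domain, byte[] classfile) {
            // Leave the JDK, ASM and the agent/sensor classes alone (assumed prefix list).
            if (className == null || className.startsWith("java/") || className.startsWith("javax/")
                    || className.startsWith("jdk/") || className.startsWith("sun/")
                    || className.startsWith("org/objectweb/asm/") || className.startsWith("SqlSensor")) {
                return null;                               // null = keep the original bytes
            }
            ClassReader reader = new ClassReader(classfile);
            // COMPUTE_MAXS: the DUP inserted below raises the operand stack depth by one.
            ClassWriter writer = new ClassWriter(reader, ClassWriter.COMPUTE_MAXS);
            reader.accept(new ClassVisitor(Opcodes.ASM9, writer) {
                @Override
                public MethodVisitor visitMethod(int access, String name, String desc,
                                                 String signature, String[] exceptions) {
                    MethodVisitor target = super.visitMethod(access, name, desc, signature, exceptions);
                    return new MethodVisitor(Opcodes.ASM9, target) {
                        @Override
                        public void visitMethodInsn(int opcode, String owner, String mname,
                                                    String mdesc, boolean isInterface) {
                            if (isNonParameterizedExecute(owner, mname, mdesc)) {
                                // Operand stack here is [..., stmt, sqlString]: copy the String,
                                // hand the copy to the sensor, then let the original call proceed.
                                super.visitInsn(Opcodes.DUP);
                                super.visitMethodInsn(Opcodes.INVOKESTATIC, "SqlSensor", "onExecute",
                                        "(Ljava/lang/String;)V", false);
                            }
                            super.visitMethodInsn(opcode, owner, mname, mdesc, isInterface);
                        }
                    };
                }
            }, 0);   // no frame expansion: only straight-line code is added, so existing frames stay valid
            return writer.toByteArray();
        }

        /** Statement.execute/executeQuery/executeUpdate taking a single String: the non-parameterized API. */
        static boolean isNonParameterizedExecute(String owner, String name, String desc) {
            return "java/sql/Statement".equals(owner)
                    && (name.equals("execute") || name.equals("executeQuery") || name.equals("executeUpdate"))
                    && desc.startsWith("(Ljava/lang/String;)");
        }
    }
}

/** The sensor the rewritten call sites invoke; it ships in the agent jar, so it is on the system class path. */
final class SqlSensor {
    private SqlSensor() {}

    /** Receives the SQL text immediately before a non-parameterized execute and records the call site. */
    public static void onExecute(String sql) {
        StackTraceElement[] stack = Thread.currentThread().getStackTrace();
        // stack[0] = getStackTrace, stack[1] = this method, stack[2] = the instrumented application frame
        String site = stack.length > 2 ? stack[2].toString() : "unknown";
        System.err.println("[appsec] non-parameterized SQL at " + site + ": " + sql);
    }
}
```

Build with `javac -cp asm-9.x.jar SqlSensorAgent.java`, package both classes with a manifest that names `Premain-Class: SqlSensorAgent`, and start the application with `java -javaagent:sqlsensor.jar ...`. Two caveats a deployment has to handle: the call site is matched on the static type `java.sql.Statement`, so code that holds a driver-specific statement type is missed unless the owner check is widened; and `SqlSensor` must be visible from the application's class loader, which holds for loaders that delegate to the system class loader but not for fully isolated container loaders.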

Editor's Notes

  1. Title: Continuous Application Security at Scale with IAST and RASP Abstract: SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives.  To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).”  In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way. 
  2. In the early 2000s people started using static and dynamic scanners to find vulnerabilities. In operations at that time, they started using WAF and IDS/IPS to block attacks. And it stayed that way for the last 65 million years… until 2014, when people started using software instrumentation agents. In development, we call this IAST. In production, we call this RASP. As I'll show you next, these agents have huge advantages over scanners and firewalls.
  3. The Golden Age of Pentest, SAST, DAST
  4. If I send a request that NO LEGITIMATE USER could possibly have generated, why am I not instantly banned? Why do I get error messages that say "PLEASE TRY AGAIN"? This is crazy. It's actually not that hard to detect a real attack; it's obvious when you look at them. Blocking attacks is probably the simplest way to get the BIGGEST amount of security protection.
  5. SERVICES - Move to APIs for web, mobile, B2B. LIBRARIES - Supply chain. CLOUD - Application mobility, need flexibility. AGILE - Rapid deployment.
  6. There’s a better way…
  7. And it looks like this…
  8. RASP is basically just SELF-PROTECTION via SECURITY INSTRUMENTATION Instrumentation is basically tapping into something complicated so you can monitor and control it.
  9. This is the simplest kind of instrumentation: we do it directly in source code. This is the MySQL JDBC implementation; I added simple callbacks to the NONPARAMETERIZED MySQL methods. You can compile this and add it to your applications. This is a simple way to collect data about everywhere that an organization uses non-parameterized database calls. Notice we're turning application security inside out: data comes to you. You don't have to go collect the data. But the point is that this is incredibly safe.
  10. And you do the same thing with binary instrumentation: modify the binaries on disk to contain security sensors. This has the advantage of being a post-compilation step. It happens without the need for source code and complex build chains. But it's still just the same basic INSERTION OF STATIC CALLS. Binary instrumentation is fast, safe and reliable. You're already almost certainly using this type of instrumentation. It's used everywhere: frameworks, libraries; BCEL is even built into Java itself. It's actually one of the reasons that static code analysis is so hopeless.
  11. We can even take this one step farther and do the instrumentation as the code loads into memory. This is supported in many frameworks, like the Java Instrumentation API, the .NET profiler, etc. Every single bit of code gets instrumented: custom code, LIBRARIES, FRAMEWORKS, even DYNAMICALLY loaded code. This makes it incredibly convenient: just make the agent part of your standard stack. It's easy, but that's the one ask: you have to add this to your stack. But it's SO WORTH IT. So now we have ALL the ingredients to hook up a RASP engine.
  12. So let’s walk through how RASP works to block a real attack Accuracy is EVERYTHING here. The reason almost all WAFs are in LOG MODE is that they’re not accurate. When a request comes in, the RASP engine sees it. If it stopped here, that’d be nothing more than a WAF. REMEMBER – not all RASP is created equal. The better the instrumentation… the better the results. As you can see the RASP engine collects CONTEXT from every bit of the REQUEST. It builds a complete story. When the attack is finally formed – seeing that it is an attack and blocking it is EASY and OBVIOUS.
  13. Let's get this out of the way. Yes, RASP can block attacks like a WAF. Better, actually. Bottom line is that: RASP architecture and performance are way superior. RASP is accurate because it has an INSANE amount of CONTEXT: it sees the whole query and the taint. RASP is way more accurate because it doesn't have the impedance mismatch problem: there IS NO separate parser. SOLVE application security problems in the APPLICATION layer. PERIOD.
  14. RASP is fantastic for performance. * No extra hop As you can see it’s 1/20th of a millisecond typically, and slightly more when it’s under attack RASP ends up instrumenting in a lot of what the developer probably should have coded in in the first place * As fast or FASTER than if you coded it yourself Well, since RASP is just code -- no limit on the size of applications. 20 million lines of code. We've been doing this since 2009 - extremely well proven.  
  15. RASP is FAR MORE than a WAF replacement. It's like an API for security monitoring and control. Why do you need such an API? Because your needs change. How will you respond to the next deserialization flaw? With an API like this you can quickly find out exactly what your applications are doing, add security defenses to your applications, and block attempts to attack your applications. In fact, it's nothing less than an ADAPTER that gives you total visibility and policy control across your entire portfolio. Tell some of the stories…
  16. And now let's think about appsec at devops speed and portfolio scale with RASP. Imagine that you've added a RASP agent as part of your standard application stack. All the applications in your portfolio now have an APPSEC API and capabilities: internal, external, dev, test, stage, prod, cloud, container, etc. Application security moves with the application. Network security has had a control plane forever; you can monitor and control all your devices, endpoints, firewalls, etc. Application security is just the Wild West; there is no way to manage application security AT ALL. How long would it take you to add logging for encryption failures to all your apps, or add a clickjacking header, etc.? We currently measure these projects in YEARS, but we need to respond to new attacks in MINUTES. Through RASP, you have complete control over application security across all of those applications in real time. You control what visibility you want. You control the policies.
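The decision that speaker notes 12 and 13 (and slides 18 and 21) describe, as an added example rather than the talk's engine: given the final SQL text and the character span of it that the request-data sensors marked as untrusted, lex the query the way the database will and count how many tokens the tainted span touches. Untrusted data that stays inside a single string or numeric literal is data; tainted characters that cross a token boundary have changed the query's structure, which is what the `' or '1'='1` request on slide 21 does once it reaches `stmt.execute`. A WAF matching the raw request has no way to make this distinction, and will also flag the escaped apostrophe in the third case below, which the application-side check correctly accepts. The tokenizer, the class and record names, and the four constructed queries in `main` are mine, not code from the talk.

```java
// SqlInjectionDetector.java (added example, Java 17+). All names and sample queries are constructed.
import java.util.ArrayList;
import java.util.List;

public final class SqlInjectionDetector {

    /** Half-open [start, end) span of the final query that the request-data sensor tagged as untrusted. */
    public record TaintRange(int start, int end) {}

    /** One lexical token of the final query, with its half-open position. */
    public record Token(int start, int end, String text) {}

    /**
     * Minimal SQL lexer: quoted strings (with '' as the escaped quote), words and numbers,
     * and single-character operators or punctuation. Whitespace is skipped. This is the parse
     * the database performs; a perimeter device never sees this string.
     */
    public static List<Token> tokenize(String sql) {
        List<Token> tokens = new ArrayList<>();
        int i = 0, n = sql.length();
        while (i < n) {
            char c = sql.charAt(i);
            if (Character.isWhitespace(c)) { i++; continue; }
            int start = i;
            if (c == '\'') {                                            // string literal
                i++;
                while (i < n) {
                    if (sql.charAt(i) != '\'') { i++; continue; }
                    if (i + 1 < n && sql.charAt(i + 1) == '\'') { i += 2; continue; }   // '' escape
                    i++;                                                // closing quote
                    break;
                }
            } else if (Character.isLetterOrDigit(c) || c == '_') {     // keyword, identifier, number
                while (i < n && (Character.isLetterOrDigit(sql.charAt(i)) || sql.charAt(i) == '_')) i++;
            } else {                                                    // operator or punctuation
                i++;
            }
            tokens.add(new Token(start, i, sql.substring(start, i)));
        }
        return tokens;
    }

    /** Tokens whose span overlaps the tainted span. */
    public static List<Token> touchedTokens(String sql, TaintRange taint) {
        List<Token> touched = new ArrayList<>();
        for (Token t : tokenize(sql)) {
            if (t.start() < taint.end() && taint.start() < t.end()) touched.add(t);
        }
        return touched;
    }

    /**
     * Attack if the untrusted span touches more than one token, or a single token that is not a
     * complete string literal or a bare number. A span touching no token means the input never
     * reached the query, so it is not an attack on this query.
     */
    public static boolean isAttack(String sql, TaintRange taint) {
        List<Token> touched = touchedTokens(sql, taint);
        if (touched.size() > 1) return true;
        if (touched.isEmpty()) return false;
        String t = touched.get(0).text();
        boolean stringLiteral = t.length() >= 2 && t.charAt(0) == '\'' && t.charAt(t.length() - 1) == '\'';
        boolean number = !t.isEmpty() && t.chars().allMatch(Character::isDigit);
        return !(stringLiteral || number);
    }

    /** Builds the query the way a vulnerable app does and records where the untrusted value landed. */
    static void check(String prefix, String untrusted, String suffix) {
        String sql = prefix + untrusted + suffix;
        TaintRange taint = new TaintRange(prefix.length(), prefix.length() + untrusted.length());
        int touched = touchedTokens(sql, taint).size();
        System.out.printf("%-7s %d token(s) touched  %s%n", isAttack(sql, taint) ? "ATTACK" : "ok", touched, sql);
    }

    public static void main(String[] args) {
        // Constructed inputs: the slide-21 payload, a benign id, an apostrophe the app escaped
        // before concatenation (so the taint covers the escaped form), and an unquoted numeric context.
        check("select * from table where id ='", "1' or '1'='1", "'");
        check("select * from table where id ='", "42", "'");
        check("select * from users where name ='", "O''Brien", "'");
        check("select * from table where id = ", "1 or 1=1", "");
    }
}
```

Running it flags the first and fourth queries, where the tainted span touches five tokens, and accepts the second and third, where it stays inside one literal. The taint span is the piece a real agent supplies from its data-tracking sensors (the "data tracking" and "escaping tags" boxes on slide 18); the check itself needs nothing from the HTTP layer, which is why it has no impedance mismatch with the database's own parser.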