Abstract: SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way.
Bio: A pioneer in application security, Jeff Williams is the founder and CTO of Contrast Security, a revolutionary application security product. Contrast is an application agent that enables software to both report vulnerabilities and prevent attacks. Jeff has over 25 years of security experience, speaks frequently on cutting-edge application security, and has helped secure code at hundreds of major enterprises. Jeff served as the Global Chairman of the OWASP Foundation for eight years, where he created many open-source standards, tools, libraries, and guidelines - including the OWASP Top Ten.
Today’s cutting-edge companies have release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This type of automation will help you catch bugs sooner and accelerate developer productivity. In this session we will share how our AWS engineers embed security practices in DevOps, and discuss how you can use AWS services to securely enable DevOps agility in your organization.
An introduction to the DevSecOps webinar will be presented by me at 10.30am EST on 29th July, 2018. It's a session focused on a high-level overview of DevSecOps, which will be followed by intermediate and advanced level sessions in the future.
Agenda:
- DevSecOps Introduction
- Key Challenges, Recommendations
- DevSecOps Analysis
- DevSecOps Core Practices
- DevSecOps pipeline for Application & Infrastructure Security
- DevSecOps Security Tools Selection Tips
- DevSecOps Implementation Strategy
- DevSecOps Final Checklist
SAST vs. DAST: What’s the Best Method For Application Security Testing?, by Cigital
High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks.
Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack.
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running.
Let us guide you through your application security testing journey with more key differences between SAST and DAST:
Shift Left Security - The What, Why and How, by DevOps.com
The shift left approach in DevOps moves software testing earlier in its lifecycle to prevent defects early in the software delivery process. How can developers use this approach to ensure security? Josh Thorngren, VP of Marketing at Twistlock, will explain what it means to shift left, and share five steps to ensure a successful transition to a shift left approach with DevOps.
Join this webinar to learn:
Best practices in adopting a successful shift to the left
How ‘shifting left’ promotes security
How developers are the new security guards in protecting company information
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
Getting started with Site Reliability Engineering (SRE), by Abeer R
"Getting started with Site Reliability Engineering (SRE): A guide to improving systems reliability at production"
This is an intro guide to share some of the common concepts of SRE with a non-technical audience. We will look at both technical and organizational changes that should be adopted to increase operational efficiency, ultimately benefiting global optimizations such as minimizing downtime and improving systems architecture and infrastructure:
- Improving incident response
- Defining error budgets
- Better monitoring of systems
- Getting the best out of systems alerting
- Eliminating manual, repetitive actions (toil) through automation
- Designing better on-call shifts/rotations
- How to design the role of the Site Reliability Engineer (who effectively works between application development teams and operations support teams)
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
DevSecOps (short for development, security, and operations) is a development practice that integrates security initiatives at every stage of the software development lifecycle to deliver robust and secure applications.
SRE (service reliability engineer) on big DevOps platform running on the clou..., by DevClub_lv
SRE (service reliability engineer). The talk is to explain the SRE philosophy and the principles of production engineering and operations in clouds.
(Language – English)
Pavlo is ADOP (Accenture DevOps Platform) Service Reliability Team Lead and an SRE practitioner. He has more than 18 years of IT experience in Ops and Dev.
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c..., by Mohamed Nizzad
This presentation outlines DevOps, DevSecOps, the characteristics of DevSecOps, DevSecOps practices, the benefits of implementing DevSecOps, implementation frameworks, and the challenges in implementing DevSecOps.
The presentation focuses on the responsibilities, practices, processes, tools, and techniques that systematically increase security in the secure software development lifecycle (SSDLC). Software should be provisioned uniformly and declaratively regardless of whether software artifacts are produced in-house or purchased. This is the foundation for effective quality and security standardization, which are key facilitators of reliability engineering.
Managing Infrastructure as a Product - Introduction to Platform Engineering, by Adityo Pratomo
This is an introduction to platform engineering, the bridge that truly fulfills DevOps potential inside a mid-large scale organization. Sure, it's all the rage these days, but I'd argue to completely develop a platform, a product thinking mindset is also required.
This talk was presented in Kubernetes Day Indonesia 2022
The Practical DevSecOps course is designed to help individuals and organisations implement DevSecOps practices, to achieve massive scale in security. This course is divided into 13 chapters; each chapter will have theory, followed by demos and any limitations we need to keep in mind while implementing them.
More details here - https://www.practical-devsecops.com/
This session is for organizational executive managers and security teams who want to know the effectiveness and performance of their organization’s application security initiatives.
Introductory performance KPI metrics covered for:
1. Product Security Quality & Business Financial Risk Exposure
2. SSDLC Maturity Organizational Performance
3. AppSec QA Testing
4. AppSec Consulting
5. AppSec Training
6. DevSecOps
DevSecOps: Taking a DevOps Approach to Security, by Alert Logic
More organisations are embracing DevOps and automation to realise compelling business benefits, such as more frequent feature releases, increased application stability, and more productive resource utilization. However, many security and compliance monitoring tools have not kept up. In fact, they often represent the largest single remaining barrier to continuous delivery.
How Small Team Get Ready for SRE (public version), by Setyo Legowo
How Urbanindo's small engineering team implements Site Reliability Engineering (SRE) in their daily work life, and why we chose SRE instead of ordinary DevOps.
In this presentation I will speak about how SRE and DevOps relate and what reliability is. I will also cover the reliability approach to Competitive Gaming at Wargaming and show a few cases.
RASP (Runtime Application Self-Protection) is a new concept aiming at revolutionizing application security. This presentation is envisioned as a guide for early adopters and technology evaluators.
What Good is this Tool? A Guide to Choosing the Right Application Security Te..., by Kevin Fealey
Abstract:
Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program. The primary takeaways from this talk are:
• An understanding of the real value of each type of AST tool (SAST, DAST, IAST);
• How to leverage your tools for better security visibility and process efficiency;
• Steps to find the right tool for your security program;
• Keys to finding the best stage of the SDLC to implement each tool type within your security program;
• How to integrate new tools with your existing DevOps or Agile environments and processes
Additional Takeaways:
• Examine the strengths and limitations of SAST, DAST, and IAST tools
• Learn how to choose the right tools for your security program
• Discover how to seamlessly integrate your tools into existing DevOps and Agile environments and processes
• Provide security visibility to developers, managers, and executives by enhancing your existing technology
• Learn to use your tools to improve the efficiency of security tasks that are currently manual
Hackers, meet your match. No longer are web applications an easy target. You have been getting away for too long with laughing at poor programming practices, pissing on every parameter, and downloading entire tables from Web requests. In this talk, I will show a hands-on demo of a live application with a RASP, and without. I will cover the benefits of a RASP over a WAF, and explain how web sites should no longer rely on dumb traffic-level regex tools for their security.
I will attack a vulnerable web application, and demonstrate how a typical attack is carried out on it. Afterwards I will repeat the exercise on the same application, but this time with a RASP installed.
I will point out what the key differences are, and in a vendor neutral manner show key mechanisms which differentiate a RASP from a WAF or a firewall.
I will cover how brute force protection is done right, how aggregating application usage and sharing this data is beneficial, and how using a RASP can even be integrated into a SDLC.
Implementing an Application Security Pipeline in Jenkins, by Suman Sourav
Performing continuous security testing in a DevOps environment with short release cycles and a continuous delivery pipeline is a big challenge, and the traditional secure SDLC model fails to deliver the desired results. DevOps teams understand the process of build, test and deploy. They have largely automated this process in a delivery pipeline and deploy to production multiple times per day, but the big challenge is how they can do this securely.
This session will focus on a strategy to build an application security pipeline in Jenkins, challenges and possible solutions, also how existing application security solutions (SAST, DAST, IAST, OpenSource Libraries Analysis) are playing a key role in growing the relationship between security and DevOps.
AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi..., by Amazon Web Services
This session will demonstrate how to embrace DevSecOps to improve your security and compliance agility and posture within the highly regulated HIPAA environment. We will cover compliance frameworks, data decoupling strategies to fully utilize AWS, and best practices learned from the industry's most active cloud adopters.
Don't Judge a Website by its Icon - Read the Label!, by Dinis Cruz
Jeff Williams' presentation at OWASP AppSecDC 2010. See https://www.owasp.org/index.php/Don%27t_Judge_a_Website_by_its_Icon_-_Read_the_Label! for more details
Living in the Matrix with Bytecode Manipulation, by C4Media
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/1jtTJtd.
Sponsored by New Relic. Ashley Puls introduces three common byte code manipulation frameworks: ASM, CGLib, and Javassist, providing enough detail to get one started. Filmed at qconnewyork.com.
Ashley Puls is a senior software engineer at New Relic Inc., which provides an all-in-one web application performance tool. She works on the Java Agent team in Portland, which focuses on instrumenting Java applications.
Waratek Securing Red Hat JBoss from the Inside Out, by Waratek Ltd
The Waratek security plugin hardens legacy and current Java Runtime, the JBoss application server and the Application itself by adding security features and benefits across the full application stack.
Running a High-Efficiency, High-Visibility Application Security Program with..., by Denim Group
This webinar demonstrates how organizations can use the ThreadFix application vulnerability resolution platform to improve vulnerability resolution time and protect applications with Prevoty's RASP technology.
Join Denim Group CTO and Principal Dan Cornell and Prevoty VP, Marketing and Product, Arpit Joshipura for a free webinar to learn more about these tools that can help application security teams.
This webinar provides an overview of how to use ThreadFix and Prevoty's RASP to run a high-efficiency, high-visibility application security program.
In the movie, RoboCop is given three primary directives: "Serve the public trust, Protect the innocent, and Uphold the law". We built our own RoboCop in order to bring law and order to our CI/CD pipeline. DevOps practices are all about enabling fast and frequent delivery of new software. In order to keep pace in a DevOps culture, application security must be reliably integrated into the CI/CD pipeline.
The 2018 Vulnerability Stats report, covering a full-stack review of cyber security across thousands of web applications, endpoints and cloud-based systems globally.
RADAR - The new vulnerability scanner by F-Secure, by NRC
F-Secure RADAR brings to the French market a vulnerability scanner that is both powerful and accessible, allowing you to identify and control security flaws across your entire infrastructure.
With F-Secure RADAR:
- Map your devices and networks in real time.
- Understand your level of risk.
- Automatically track how risks evolve.
- Generate detailed, customized reports.
Try the solution free for 1 month!
Agenda:
- SDLC vs S-SDLC
- Mobile development security process
- What tools to use for security testing?
- How to integrate into existing processes?
- What additionally can you do?
The Web AppSec How-To: The Defender's Toolbox, by Checkmarx
Web application security has made headline news in the past few years. In this article, we review the various Web application security tools and highlight important decision factors to help you choose the application security technology best suited for your environment.
7 measures to overcome cyber attacks of web application, by TestingXperts
In recent years, cyber-attacks have become rampant across computer systems, networks and websites, and have most widely targeted enterprises’ core business web applications, causing shock waves across the IT world. It is critical to follow a cyber-security incident response plan and risk management plan to overcome cyber threats and vulnerabilities. Evidently, CXOs need to leverage web application security testing and penetration testing to overcome possible attacks on their business applications and systems.
I'm preparing for the CISSP next week and also speaking for ISACA, so I created this deck to help my peers with some concepts that appear in the CISM/CISSP and ITIL Practitioner exams.
Web app penetration testing best methods tools used, by Zoe Gilbert
Read this blog to know the best methodologies of web app penetration testing and tools to gain real-world insights by keeping untrusted data separate from commands and queries, with improved access control.
APIsecure - April 6 & 7, 2022
APIsecure is the world’s first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security.
Monitoring and Responding to API Breaches
Carolina Ruiz, CEO at Brier & Thorn
Detect and Respond to Threats Better with IBM Security App Exchange Partners, by IBM Security
Since its launch a year ago, the IBM Security App Exchange has added over 60 apps to help extend the value of security solutions. In this webinar, meet three developers of the newest apps that help detect and respond to threats across networks and endpoints to improve security decision making and speed investigations.
Prevoty Runtime Application and Data Visibility for IBM QRadar provides real-time insights into application attacks, including the OWASP Top 10, data exfiltration and fraudulent behavior. Prevoty's solution is installed directly within an application and travels wherever it is deployed, in the cloud or on-premises. By using Prevoty, enterprises have unprecedented visibility and correlation across network, application and database activity.
Niara User and Entity Behavior Analysis for IBM QRadar reduces alert white noise and accelerates SOC attack response by utilizing QRadar data to provide a new dimension of analytics enabled by over 100 rule-less Machine Learning models designed to detect attacks that have evaded real time defenses while providing detailed forensic visibility.
Check Point Software SmartView for IBM QRadar consolidates monitoring, logging, reporting and event analysis into a single console to bring you comprehensive, easy-to-understand threat visibility to enable your security team to focus their efforts on the critical threats for forensic analysis within a unified console.
Join this webinar hosted by Russ Warren, IBM Security Intelligence Program Manager, to hear more about these apps and how they extend the power of IBM QRadar SIEM, and also how you can develop your own apps.
Essentials of Web Application Security: what it is, why it matters and how to..., by Cenzic
Join Cenzic’s Chris Harget for an overview of the essentials of Web Application Security, including the risks, practices and tools that improve security at every stage of the application lifecycle.
Empowering Application Security Protection in the World of DevOps, by IBM Security
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyBlack Duck by Synopsys
According to SAP 85% of cybersecurity attacks target the application layer. To be successful in defending against these attacks you need to use a variety of tools. In session we'll go into the various types application security tools and approaches, including SAST, DAST, RASP, PEN, as well as Open Source Vulnerability Management. We'll help you understand the differences between these tools and help you develop a plan for filling your application security toolbox.
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
Our technology, work processes, and activities all depend on if we trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security in the development process, DevSecOps advance methods, manage the implement secure coding analysis and how to manage software security risks.
Continuous Application Security at Scale with IAST and RASP -- Transforming DevOps into DevSecOps
1. Continuous Application Security at Scale with IAST and RASP
Transforming DevOps into DevSecOps
Jeff Williams, CTO and founder, Contrast Security (@planetlevel)
OWASP NOVA – July 2016
2. A BRIEF HISTORY OF APPLICATION SECURITY AUTOMATION
Development (find vulnerabilities): SAST (Static AppSec Testing), DAST (Dynamic AppSec Testing), then IAST (Interactive AppSec Testing)
Operations (block attacks): WAF (Web Application Firewall), IDS/IPS (Intrusion Detection/Prevention System), then RASP (Runtime Application Self-Protection)
Unified Agent: IAST and RASP
Timeline markers on the slide: 2002 and 2002 (scanners and firewalls), 2012 and 2014 (IAST and RASP), 2015 (unified agent)
3.
4. WARNING: Security has detected and blocked an attempted attack. This attack has been fully logged and may be further investigated. If you believe you have received this message in error, please contact security@company.com with the details of the incident.
In 17 years of noisy pentesting, I have seen many stack traces, many error messages, and many requests to “please try again.” I have never been identified as an attacker. Madness.
5. APPSEC IS GETTING HARDER EVERY DAY!
Libraries: explosive growth in libraries and frameworks
Services: microservices, APIs, REST, SOAP, single-page apps
Cloud: rapidly growing use of cloud and containers
Agile: high speed software development
Legacy application security tools can’t handle the speed, size, and complexity of modern software development
7. THE TRUE COST OF FALSE POSITIVES
Tool scans App, producing a Security Scanner PDF Report: 400 possible vulnerabilities (10% true positives).
In two days, we can triage 100 of 400 “possibles.”
We can confirm 10 of 40 real vulnerabilities.
We will miss 30 of 40 real vulnerabilities.
8. WHAT’S YOUR ACTSOA? ANNUAL COST TO SECURE ONE APPLICATION
Cost Factor: Description (Cost)
License Cost: Typical per-application annual license. This cost is $0 if relying on a manual pentest and/or manual code review.
Analysis: Actually assessing an application typically takes 2-4 weeks for a manual review, 1 for an automated scan.
Triage: Experts must eliminate false positives from automated tool results. Plan on several per assessment, zero for manual reviews.
Reporting: Every vulnerability needs to get risk rated, written up, tracked, reported, and closed. Dashboards need to be created. Figure one day per assessment.
Remediation: Full cost to remediate and deploy fixes. Typical application has 22 vulnerabilities at hours each at $100/hr totaling roughly $44,000. ($$$$)
Retest: The retest verifies that issues identified have been fixed appropriately. Typically the retest costs about 25% of original assessment.
Management: If running a scanning program, several headcount will be needed to manage the schedule, contracts, and infrastructure required.
TOTAL: ?
9. ACCURACY, AUTOMATION, AND SCALABILITY
You can’t scale appsec without highly accurate tools (both true positives and true negatives), because inaccuracies require experts… and experts don’t scale.
11. CONTINUOUS APPLICATION SECURITY (New Code to Production)
Development and Operations: push code to production with fully automated security support
Application Security: security experts deliver security as code
Management: management makes informed decisions with detailed security analytics
12. CONTINUOUS APPLICATION SECURITY (New Code to Production)
Development and Operations: Standard Defenses, Attack Protection, Security Integration
Application Security: Security Research (Internal), Threat Intelligence (External), Security Architecture
Management: Security Orchestration, Security Training
13. (dictionary definition, sense 4) The use of measuring instruments to monitor and control a process. It is the art and science of measurement and control of process variables within a production, laboratory, or manufacturing area.
16. Dynamic binary instrumentation!
Runtime Environment: binary code is enhanced as it loads. The original binary code (classes) passes through the Agent and comes out as instrumented binary code; the Agent reports to, and is controlled from, a Command and Control Dashboard.
17. INSTRUMENTATION IN ACTION
Your application stack (runtime): App Server, Frameworks, Libraries, Custom Code, plus the Instrumentation Agent.
1. Add agent: -javaagent:appsec.jar
2. Agent instruments running application
3. Agent blocks attacks and finds vulnerabilities
4. Dashboard provides visibility and control (attacks and vulnerabilities)
18. DETECTING AND BLOCKING BOTH ATTACKS AND VULNERABILITIES
Security context assembled within agent; sensors woven into running application.
Developer, Tester, User, or Attacker sends an HTTP Request.
Request path: Controller, Validation, Session, Business Logic, Data Layer, SQL API, Database.
Context gathered along the way: HTTP Request, Validation Tags, Data Tracking, Data Parsing, Escaping Tags, Query.
At each sensor the agent asks: Vulnerability? Attack?
19. STOP TALKING ABOUT “STATIC” AND “DYNAMIC”
Software is a black box.
Information sources: HTTP Traffic, Code, Frameworks, Libraries, Runtime Data Flow, Runtime Control Flow, Backend Connections, Configuration Data, Server Configuration, Etc… (grouped as Platform, Runtime, Software Architecture)
Tools compared on what they can see: SAST, DAST, WAF, Instrumentation
Talk about what information you need to confirm a vulnerability or an attack
22. Instrumentation performance – same as code
WebGoat RASP Processing (in microseconds, millionths of a second):
Typical traffic: 50 microseconds
Mixed traffic: 170 microseconds
Heavy attack traffic: 230 microseconds
• Number of applications doesn’t matter
• No bottleneck on either bandwidth or CPU
23. Application Platform
Instrumentation adds a security assessment and protection API to every application
Your standard application stack(s): Physical Host or VM, Container OS, Container Runtime, 3rd Party Frameworks, 3rd Party Libraries, Apps and APIs, with RASP alongside
Examples…
• Report all use of DES/MD5
• Turn off XML doctype
• Set X-Frame-Options
• Report SQL injection vulns
• Log all failed authentications
• Block Spring EL attacks
• Report vulnerable libraries
• Deploy virtual patches
• Block apps with old jQuery
Title: Continuous Application Security at Scale with IAST and RASP
Abstract: SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way.
In the early 2000s, people started using static and dynamic scanners to find vulnerabilities.
In operations at that time, they started using WAF and IDS/IPS to block attacks.
And it stayed that way for the last 65 million years…
Until 2014, when people started using software instrumentation agents.
In development, we call this IAST
In production, we call this RASP
As I’ll show you next, these agents have huge advantages over scanners and firewalls.
The Golden Age of Pentest, SAST, DAST
If I send a request that NO LEGITIMATE USER could possibly have generated, why am I not instantly banned?
Why do I get error messages that say “PLEASE TRY AGAIN”?
This is crazy – it’s actually not that hard to detect a real attack. It’s obvious when you look at them.
Blocking attacks is probably the simplest way to get the BIGGEST amount of security protection.
SERVICES - Move to APIs for web, mobile, B2B
LIBRARIES - Supply chain
CLOUD - Application mobility - need flexibility
AGILE - Rapid deployment
There’s a better way…
And it looks like this…
RASP is basically just SELF-PROTECTION via SECURITY INSTRUMENTATION
Instrumentation is basically tapping into something complicated so you can monitor and control it.
This is the simplest kind of instrumentation – we do it directly in source code.
This is the MYSQL JDBC implementation
I added simple callbacks to the NONPARAMETERIZED MYSQL methods.
You can compile this and add it to your applications
This is a simple way to collect data about everywhere that an organization uses non-parameterized database calls.
Notice we’re turning application security inside out – data comes to you. You don’t have to go collect the data.
But the point is that this is incredibly safe.
And you do the same thing with binary instrumentation – modify the binaries on disk to contain security sensors.
This has the advantage of being a post-compilation step. It happens without the need for source code and complex build chains.
But it’s still just the same basic INSERTION OF STATIC CALLS.
Binary instrumentation is fast, safe and reliable
You’re already almost certainly using this type of instrumentation.
It’s used everywhere – frameworks, libraries, BCEL is even built into Java itself. It’s actually one of the reasons that static code analysis is so hopeless.
We can even take this one step farther and do the instrumentation as the code loads into memory.
This is supported in many frameworks – like the Java Instrumentation API, the .NET profiler, etc…
Every single bit of code gets instrumented – custom code, LIBRARIES, FRAMEWORKS, even DYNAMICALLY loaded code.
This makes it incredibly convenient – just make the agent part of your standard stack.
It’s easy – but that’s the one ask – you have to add this to your stack. But it’s SO WORTH IT.
So now we have ALL the ingredients to hook up a RASP engine.
So let’s walk through how RASP works to block a real attack
Accuracy is EVERYTHING here. The reason almost all WAFs are in LOG MODE is that they’re not accurate.
When a request comes in, the RASP engine sees it.
If it stopped here, that’d be nothing more than a WAF.
REMEMBER – not all RASP is created equal.
The better the instrumentation… the better the results.
As you can see the RASP engine collects CONTEXT from every bit of the REQUEST.
It builds a complete story.
When the attack is finally formed – seeing that it is an attack and blocking it is EASY and OBVIOUS.
Let’s get this out of the way. Yes, RASP can block attacks like a WAF. Better, actually.
Bottom line is that:
RASP architecture and performance are way superior
RASP is accurate because it has an INSANE amount of CONTEXT – sees the whole query and taint
RASP is way more accurate because it doesn’t have the impedance mismatch problem – there IS NO separate parser
SOLVE application security problems in the APPLICATION layer. PERIOD
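As an added illustration (not the speaker’s or Contrast’s code) of both ideas above, the callback on non-parameterized query methods and the sink-level context that makes the verdict accurate, the Python below puts the sensor at the database call, where it sees the final query text together with the request-supplied characters. It assumes taint spans are supplied by a taint-tracking agent (passed in by hand here) and uses sqlite3 only as an offline stand-in for the JDBC driver the talk instruments.

```python
"""Sink-level SQL sensor in the spirit of the deck's RASP/IAST agent. Added
illustration, not Contrast's code: a real agent derives the taint spans by
tracking request data through string operations; here the caller passes them in."""
import re
import sqlite3

# Small SQL tokenizer: string literals ('' escapes a quote), numbers,
# identifiers/keywords, whitespace, and single punctuation characters.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_]\w*|\s+|[^\s\w']")


def tokens(sql):
    """(text, start, end) per token, or None if a literal is unterminated."""
    out, pos = [], 0
    for m in TOKEN.finditer(sql):
        if m.start() != pos:
            return None
        out.append((m.group(), m.start(), m.end()))
        pos = m.end()
    return out if pos == len(sql) else None


def classify(sql, taint_spans):
    """'clean': no request data in the SQL text (parameterized call).
    'vulnerability': request data confined to one literal (an IAST finding).
    'attack': request data crosses token boundaries, changing query structure."""
    if not taint_spans:
        return "clean"
    toks = tokens(sql)
    if toks is None:
        return "attack"  # tainted data broke the SQL syntax itself
    for start, end in taint_spans:
        confined = any(
            (t[0] == "'" and s < start and end < e)          # inside the quotes
            or (t[0].isdigit() and s <= start and end <= e)  # a numeric literal
            for t, s, e in toks)
        if not confined:
            return "attack"
    return "vulnerability"


def guarded_execute(cursor, sql, taint_spans, params=()):
    """The callback the deck describes adding to non-parameterized query
    methods: report vulnerabilities, block attacks, then run the real query."""
    verdict = classify(sql, taint_spans)
    if verdict == "attack":
        raise PermissionError("RASP: blocked SQL injection attempt")
    cursor.execute(sql, params)
    return verdict


def demo():
    cur = sqlite3.connect(":memory:").cursor()
    cur.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    prefix, verdicts = "SELECT id FROM users WHERE name = '", {}
    # Parameterized query: request data never enters the SQL text.
    verdicts["param"] = guarded_execute(cur, "SELECT id FROM users WHERE name = ?", (), ("alice",))
    # Concatenated benign input (constructed): reported, but allowed to run.
    name = "alice"
    verdicts["benign"] = guarded_execute(cur, prefix + name + "'", [(len(prefix), len(prefix) + len(name))])
    # Concatenated structure-changing input (constructed): blocked at the sink.
    name = "x' OR 'a'='a"
    try:
        guarded_execute(cur, prefix + name + "'", [(len(prefix), len(prefix) + len(name))])
    except PermissionError:
        verdicts["attack"] = "blocked"
    return verdicts
```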
RASP is fantastic for performance.
* No extra hop
As you can see, it’s 1/20th of a millisecond typically, and slightly more when it’s under attack.
RASP ends up instrumenting in a lot of what the developer probably should have coded in the first place.
* As fast or FASTER than if you coded it yourself
Well, since RASP is just code -- no limit on the size of applications. 20 million lines of code.
We've been doing this since 2009 - extremely well proven.
RASP is FAR MORE than a WAF replacement. It’s like an API for security monitoring and control.
Why do you need such an API? Because your needs change. How will you respond to the next Deserialization Flaw?
With an API like this you can:
* Quickly find out exactly what your applications are doing
* Add security defenses to your applications
* Block attempts to attack your applications
In fact, it’s nothing less than an ADAPTER that gives you total visibility and policy control across your entire portfolio.
Tell some of the stories…
And now let’s think about appsec at devops speed and portfolio scale with RASP.
Imagine that you’ve added a RASP agent as part of your standard application stack
All the applications in your portfolio now have an APPSEC API and capabilities
Internal, external, dev, test, stage, prod, cloud, container, etc…..
Application security moves with the application
Network security has had a control plane forever – you can monitor and control all your devices, endpoints, firewalls, etc….
Application security is just the Wild West – no way to manage application security AT ALL.
How long would it take you to add logging for encryption failures to all your apps, or add a clickjacking header, etc.?
We currently measure these projects in YEARS, but we need to respond to new attacks in MINUTES.
Through RASP, you have complete control over application security across all of those applications in real time
You control what visibility you want
You control the policies