SlideShare a Scribd company logo

Innovating Faster with Continuous Application Security

Jeff Williams
Jeff Williams

DevSecOps tutorial and demonstration. Build your pipeline with IAST, RASP, and OSS. Try Contrast community edition full strength DevSecOps platform for testing, protecting, and open source analysis -- all for free. https://www.contrastsecurity.com/contrast-community-edition

Software
1 of 30
Download to read offline
Innovating Faster with Continuous Application Security By Jeff Williams, CTO and co-founder Contrast Security @planetlevel
The Average application is extremely vulnerable 71%unused Libraries 26.7Vulnerabilities 2Vulnerabilities 8%USED Libraries 21%Custom Code
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 3 You are Under AttacK
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Traditional AppSec Doesn’t Scale Experts Expert Tools Application Portfolio Assurance Coverage Process Fit Awful Results $$$$ Traditional AppSec Program
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ DevSecOps Is Very Promising 5 https://itrevolution.com/the-three-ways-principles-underpinning-devops/ 1.Establish work flow 2.Ensure instant feedback 3.Culture of experimentation 1.Establish security work flow 2.Ensure instant security feedback 3.Build a security culture DEVOPS DEVSECOPS
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Continuous Application Security Security in development Security in integration Security in operations PROTECT • Tell me who is attacking and how • Stop vulns from being exploited • Don’t create alert fatigue ASSURE • Don’t slow down my builds • Integrate with my testing tools • Real vulns break my build EMPOWER •Test my custom code and libraries •Realtime feedback through my tools •Don’t slow me down
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ IAST and RASP Runtime Application Self-Protection (RASP) •Prevents exploit ofvulnerabilities in both custom code and libraries. Your Application or API Config Sensors Code Sensors Control Flow Sensors HTTP Sensors Backend Sensors Data Flow Sensors Library Sensors Exploit Prevented Vulnerability Confirmed ✘ Interactive Application Security Testing (IAST) •Detects vulnerabilities in both custom code and libraries
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ A Fully Automated Pipeline with Security Development CI/CD/QA Operations IAST IAST/RASP RASP
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Adding IAST/RASP to PCF application 9 cf login cf push spring-petclinic cf create-user-provided-service contrast-security-service -p "teamserver_url, username, api_key, service_key” cf bind-service spring-petclinic contrast-security-service cf restage spring-petclinic
10 • Must be extremely accurate • Must work on modern apps with APIs and OSS Test my custom code AND libraries • Must integrate with tools I’m already using – NO PDF! Realtime feedback through my tools • Must not create bottleneck – NO SCANNING! Don’t slow me down Security in Development
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Automation is all about speed, accuracy, and ease-of-use 11 OWASP Benchmark Free and open application benchmark with thousands of security test cases
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Download an IAST/RASP Agent 12 1. Download 2. Install 3. Enjoy agent
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Empower developers to assess their own security! 13 PRODDEV CI/CD APIs Containers PrivateCloud APIs ContainersPrivate Public Cloud Custom Code - and - Open Source
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Security in Everyday environment 14 IDE ChatOps Browser Others:
15 • Fully automated security testing with every build Don’t slow down my builds • Plugins, integrations, webhooks, and FULL REST API Integrate with my testing tools • Set criteria for when to break the build Break my build… but only for real issues Security In Integration
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Fail the build 16
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Automatic Bugtracking Integration 17
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Measuring Attack Surface 18
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | @planetlevel 19 Measuring Security Testing Coverage
20 • I need actionable threat intelligence Tell me who is attacking and how • Must not overblock (FP) or underblock (FN) Stop vulnerabilities from being exploited • Don’t warn me about meaningless probes Don’t create alert fatigue Security in operations
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Protect Applications and APIs with RASP 21 Custom Code Open Source Libraries and Frameworks Application Server and Platform • PREVENTS Known Vulnerabilities from exploit • Prevents LATENT Vulnerabilities from exploit • Fast response to prevent NOVEL vulnerabilities from exploit
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ RASP Deploys with Your Application 22 • Ansible • Puppet • Docker • Kubernetes • Whatever…
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ RASP Protects Against OSS Vulnerabilities 23 March 7 CVE-2017-5638 Disclosed, Apache releases fixed version March 8 We observe widespread attacks Mid-May Equifax breach occurs July29 Equifax learns of breach Sept 7 Equifax discloses, Four more Struts2 CVEs disclosed No updates You must have infrastructure to respond within hours. DisasterNo detection
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ RASP Supports Complex and Backend Protocols 24 Application Untrusted deserialization Name: Smith, James Record ID: 123456 Owner: Finance Application expects to receive this object Bad Guy AcmeInternalType#cmd: java.lang.Runtime AcmeInternalType#mtd: getRuntime().exec AcmeInternalType#args: ‘cmd.exe’,’/C’,’calc’ AcmeInternalType#cmd: java.lang.Runtime AcmeInternalType#mtd: getRuntime().exec AcmeInternalType#args: ‘cmd.exe’,’/C’,’calc’ Attacker sends malicious object
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ RASP Is Fast 25 +50 µs 100x faster than wafRASP waf +5 ms
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ RASP Provides AppSec Threat Intelligence 26
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Continuous Application Security Security in development Security in integration Security in operations PROTECT • Tell me who is attacking and how • Stop vulns from being exploited • Don’t create alert fatigue ASSURE • Don’t slow down my builds • Integrate with my testing tools • Real vulns break my build EMPOWER •Test my custom code and libraries •Realtime feedback through my tools •Don’t slow me down
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Fully Continuous AppSec
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Contrast Community Edition 21,000,000 DEVELOPERS IN THE WORLD AND ONLY 6% HAVE ACCESS TO DECENT SECURITY TOOLS Contrast CE is a totally free and full-strength application security platform combining: • Assess web apps and APIs for vulnerabilities (AST) • Monitor open source (SCA) • Runtime exploit prevention (RASP) Faster, more accurate, more scalable, better integrated, and more DevSecOps-friendly than any other application security solution. Coming Soon: https://www.contrastsecurity.com/contrast-community-edition
> Go Fast and Be Secure. Try Continuous Application Security Now! #springone@s1p

Recommended

2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP LondonJeff Williams
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleJeff Williams
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Jeff Williams
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
OWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingOWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingPhil Agcaoili
 

Recommended

2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP LondonJeff Williams
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleJeff Williams
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Jeff Williams
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
OWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingOWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingPhil Agcaoili
 
Lessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictLessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictPriyanka Aash
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSalil Kumar Subramony
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Phil Agcaoili
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeDigital Defense Inc
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Sonatype
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationDerrick Hunter
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewAshish Patel
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool ImplementationCheckmarx
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy AntonDevSecCon
 
IBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security SolutionIBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security Solutionhearme limited company
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsabhimanyubhogwan
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud MigrationCarlos Andrés García
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleNazar Tymoshyk, CEH, Ph.D.
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Alan Kan
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsSonatype
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure DevelopmentNazar Tymoshyk, CEH, Ph.D.
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsSuman Sourav
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to AdversariesDerek E. Weeks
 
IBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionIBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionhearme limited company
 
Developer Secure Containers for the Cyberspace Battlefield
Developer Secure Containers for the Cyberspace BattlefieldDeveloper Secure Containers for the Cyberspace Battlefield
Developer Secure Containers for the Cyberspace BattlefieldVMware Tanzu
 
What's new in Reactor Californium
What's new in Reactor CaliforniumWhat's new in Reactor Californium
What's new in Reactor CaliforniumStéphane Maldini
 

More Related Content

What's hot

Lessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictLessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictPriyanka Aash
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSalil Kumar Subramony
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Phil Agcaoili
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeDigital Defense Inc
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Sonatype
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationDerrick Hunter
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewAshish Patel
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool ImplementationCheckmarx
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy AntonDevSecCon
 
IBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security SolutionIBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security Solutionhearme limited company
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleNazar Tymoshyk, CEH, Ph.D.
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Alan Kan
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsSonatype
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsSuman Sourav
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to AdversariesDerek E. Weeks
 
IBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionIBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionhearme limited company
 

What's hot (20)

Lessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictLessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addict
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green Method
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product Overview
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
 
IBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security SolutionIBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security Solution
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development Lifecycle
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries
 
IBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionIBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solution
 

Similar to Innovating Faster with Continuous Application Security

Developer Secure Containers for the Cyberspace Battlefield
Developer Secure Containers for the Cyberspace BattlefieldDeveloper Secure Containers for the Cyberspace Battlefield
Developer Secure Containers for the Cyberspace BattlefieldVMware Tanzu
 
What's new in Reactor Californium
What's new in Reactor CaliforniumWhat's new in Reactor Californium
What's new in Reactor CaliforniumStéphane Maldini
 
Heavyweights: Tipping the Scales with Very Large Foundations
Heavyweights: Tipping the Scales with Very Large FoundationsHeavyweights: Tipping the Scales with Very Large Foundations
Heavyweights: Tipping the Scales with Very Large FoundationsVMware Tanzu
 
Marcin Grzejszczak - Contract Tests in the Enterprise
Marcin Grzejszczak - Contract Tests in the EnterpriseMarcin Grzejszczak - Contract Tests in the Enterprise
Marcin Grzejszczak - Contract Tests in the EnterpriseSegFaultConf
 
12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...
12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...
12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...cornelia davis
 
Cross-Platform Observability for Cloud Foundry
Cross-Platform Observability for Cloud FoundryCross-Platform Observability for Cloud Foundry
Cross-Platform Observability for Cloud FoundryVMware Tanzu
 
riffing on Knative - Scott Andrews
riffing on Knative - Scott Andrewsriffing on Knative - Scott Andrews
riffing on Knative - Scott AndrewsVMware Tanzu
 
P to V to C: The Value of Bringing “Everything” to Containers
P to V to C: The Value of Bringing “Everything” to ContainersP to V to C: The Value of Bringing “Everything” to Containers
P to V to C: The Value of Bringing “Everything” to ContainersVMware Tanzu
 
Buckets, Funnels, Mobs and Cats or: How We Learned to Love Scaling Apps To Th...
Buckets, Funnels, Mobs and Cats or: How We Learned to Love Scaling Apps To Th...Buckets, Funnels, Mobs and Cats or: How We Learned to Love Scaling Apps To Th...
Buckets, Funnels, Mobs and Cats or: How We Learned to Love Scaling Apps To Th...VMware Tanzu
 
Experience + Education = Empowerment
Experience + Education = EmpowermentExperience + Education = Empowerment
Experience + Education = EmpowermentVMware Tanzu
 
Spring Cloud Gateway - Ryan Baxter
Spring Cloud Gateway - Ryan BaxterSpring Cloud Gateway - Ryan Baxter
Spring Cloud Gateway - Ryan BaxterVMware Tanzu
 
Chaos Engineering for PCF
Chaos Engineering for PCFChaos Engineering for PCF
Chaos Engineering for PCFVMware Tanzu
 
Automation and Culture Changes for 40M Subscriber Platform Operation
Automation and Culture Changes for 40M Subscriber Platform OperationAutomation and Culture Changes for 40M Subscriber Platform Operation
Automation and Culture Changes for 40M Subscriber Platform OperationVMware Tanzu
 
Tools to Slay the Fire Breathing Monoliths in Your Enterprise
Tools to Slay the Fire Breathing Monoliths in Your EnterpriseTools to Slay the Fire Breathing Monoliths in Your Enterprise
Tools to Slay the Fire Breathing Monoliths in Your EnterpriseVMware Tanzu
 
Containers Were Never Your End State
Containers Were Never Your End StateContainers Were Never Your End State
Containers Were Never Your End StateVMware Tanzu
 
SDLC for Pivotal Platform powered by Spring Initializr and Concourse
SDLC for Pivotal Platform powered by Spring Initializr and ConcourseSDLC for Pivotal Platform powered by Spring Initializr and Concourse
SDLC for Pivotal Platform powered by Spring Initializr and ConcourseVMware Tanzu
 
Introduction to Reactive Streams and Reactor 2.5
Introduction to Reactive Streams and Reactor 2.5Introduction to Reactive Streams and Reactor 2.5
Introduction to Reactive Streams and Reactor 2.5Stéphane Maldini
 
The Cloud Challenge
The Cloud ChallengeThe Cloud Challenge
The Cloud ChallengeVMware Tanzu
 
SpringOnePlatform2017 recap
SpringOnePlatform2017 recapSpringOnePlatform2017 recap
SpringOnePlatform2017 recapminseok kim
 

Similar to Innovating Faster with Continuous Application Security (20)

Developer Secure Containers for the Cyberspace Battlefield
Developer Secure Containers for the Cyberspace BattlefieldDeveloper Secure Containers for the Cyberspace Battlefield
Developer Secure Containers for the Cyberspace Battlefield
 
What's new in Reactor Californium
What's new in Reactor CaliforniumWhat's new in Reactor Californium
What's new in Reactor Californium
 
Heavyweights: Tipping the Scales with Very Large Foundations
Heavyweights: Tipping the Scales with Very Large FoundationsHeavyweights: Tipping the Scales with Very Large Foundations
Heavyweights: Tipping the Scales with Very Large Foundations
 
Marcin Grzejszczak - Contract Tests in the Enterprise
Marcin Grzejszczak - Contract Tests in the EnterpriseMarcin Grzejszczak - Contract Tests in the Enterprise
Marcin Grzejszczak - Contract Tests in the Enterprise
 
12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...
12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...
12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...
 
Cross-Platform Observability for Cloud Foundry
Cross-Platform Observability for Cloud FoundryCross-Platform Observability for Cloud Foundry
Cross-Platform Observability for Cloud Foundry
 
riffing on Knative - Scott Andrews
riffing on Knative - Scott Andrewsriffing on Knative - Scott Andrews
riffing on Knative - Scott Andrews
 
P to V to C: The Value of Bringing “Everything” to Containers
P to V to C: The Value of Bringing “Everything” to ContainersP to V to C: The Value of Bringing “Everything” to Containers
P to V to C: The Value of Bringing “Everything” to Containers
 
Buckets, Funnels, Mobs and Cats or: How We Learned to Love Scaling Apps To Th...
Buckets, Funnels, Mobs and Cats or: How We Learned to Love Scaling Apps To Th...Buckets, Funnels, Mobs and Cats or: How We Learned to Love Scaling Apps To Th...
Buckets, Funnels, Mobs and Cats or: How We Learned to Love Scaling Apps To Th...
 
Experience + Education = Empowerment
Experience + Education = EmpowermentExperience + Education = Empowerment
Experience + Education = Empowerment
 
Spring Cloud Gateway - Ryan Baxter
Spring Cloud Gateway - Ryan BaxterSpring Cloud Gateway - Ryan Baxter
Spring Cloud Gateway - Ryan Baxter
 
Serverless Spring 오충현
Serverless Spring 오충현Serverless Spring 오충현
Serverless Spring 오충현
 
Chaos Engineering for PCF
Chaos Engineering for PCFChaos Engineering for PCF
Chaos Engineering for PCF
 
Automation and Culture Changes for 40M Subscriber Platform Operation
Automation and Culture Changes for 40M Subscriber Platform OperationAutomation and Culture Changes for 40M Subscriber Platform Operation
Automation and Culture Changes for 40M Subscriber Platform Operation
 
Tools to Slay the Fire Breathing Monoliths in Your Enterprise
Tools to Slay the Fire Breathing Monoliths in Your EnterpriseTools to Slay the Fire Breathing Monoliths in Your Enterprise
Tools to Slay the Fire Breathing Monoliths in Your Enterprise
 
Containers Were Never Your End State
Containers Were Never Your End StateContainers Were Never Your End State
Containers Were Never Your End State
 
SDLC for Pivotal Platform powered by Spring Initializr and Concourse
SDLC for Pivotal Platform powered by Spring Initializr and ConcourseSDLC for Pivotal Platform powered by Spring Initializr and Concourse
SDLC for Pivotal Platform powered by Spring Initializr and Concourse
 
Introduction to Reactive Streams and Reactor 2.5
Introduction to Reactive Streams and Reactor 2.5Introduction to Reactive Streams and Reactor 2.5
Introduction to Reactive Streams and Reactor 2.5
 
The Cloud Challenge
The Cloud ChallengeThe Cloud Challenge
The Cloud Challenge
 
SpringOnePlatform2017 recap
SpringOnePlatform2017 recapSpringOnePlatform2017 recap
SpringOnePlatform2017 recap
 

Recently uploaded

Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 

Recently uploaded (20)

Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 

Innovating Faster with Continuous Application Security

  • 1. Innovating Faster with Continuous Application Security By Jeff Williams, CTO and co-founder Contrast Security @planetlevel
  • 2. The Average application is extremely vulnerable 71%unused Libraries 26.7Vulnerabilities 2Vulnerabilities 8%USED Libraries 21%Custom Code
  • 3. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 3 You are Under AttacK
  • 4. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Traditional AppSec Doesn’t Scale Experts Expert Tools Application Portfolio Assurance Coverage Process Fit Awful Results $$$$ Traditional AppSec Program
  • 5. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ DevSecOps Is Very Promising 5 https://itrevolution.com/the-three-ways-principles-underpinning-devops/ 1.Establish work flow 2.Ensure instant feedback 3.Culture of experimentation 1.Establish security work flow 2.Ensure instant security feedback 3.Build a security culture DEVOPS DEVSECOPS
  • 6. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Continuous Application Security Security in development Security in integration Security in operations PROTECT • Tell me who is attacking and how • Stop vulns from being exploited • Don’t create alert fatigue ASSURE • Don’t slow down my builds • Integrate with my testing tools • Real vulns break my build EMPOWER •Test my custom code and libraries •Realtime feedback through my tools •Don’t slow me down
  • 7. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ IAST and RASP Runtime Application Self-Protection (RASP) •Prevents exploit ofvulnerabilities in both custom code and libraries. Your Application or API Config Sensors Code Sensors Control Flow Sensors HTTP Sensors Backend Sensors Data Flow Sensors Library Sensors Exploit Prevented Vulnerability Confirmed ✘ Interactive Application Security Testing (IAST) •Detects vulnerabilities in both custom code and libraries
  • 8. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ A Fully Automated Pipeline with Security Development CI/CD/QA Operations IAST IAST/RASP RASP
  • 9. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Adding IAST/RASP to PCF application 9 cf login cf push spring-petclinic cf create-user-provided-service contrast-security-service -p "teamserver_url, username, api_key, service_key” cf bind-service spring-petclinic contrast-security-service cf restage spring-petclinic
  • 10. 10 • Must be extremely accurate • Must work on modern apps with APIs and OSS Test my custom code AND libraries • Must integrate with tools I’m already using – NO PDF! Realtime feedback through my tools • Must not create bottleneck – NO SCANNING! Don’t slow me down Security in Development
  • 11. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Automation is all about speed, accuracy, and ease-of-use 11 OWASP Benchmark Free and open application benchmark with thousands of security test cases
  • 12. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Download an IAST/RASP Agent 12 1. Download 2. Install 3. Enjoy agent
  • 13. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Empower developers to assess their own security! 13 PRODDEV CI/CD APIs Containers PrivateCloud APIs ContainersPrivate Public Cloud Custom Code - and - Open Source
  • 14. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Security in Everyday environment 14 IDE ChatOps Browser Others:
  • 15. 15 • Fully automated security testing with every build Don’t slow down my builds • Plugins, integrations, webhooks, and FULL REST API Integrate with my testing tools • Set criteria for when to break the build Break my build… but only for real issues Security In Integration
  • 16. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Fail the build 16
  • 17. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Automatic Bugtracking Integration 17
  • 18. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Measuring Attack Surface 18
  • 19. Jumpstarting Your DevSecOps Pipeline with IAST and RASP | @planetlevel 19 Measuring Security Testing Coverage
  • 20. 20 • I need actionable threat intelligence Tell me who is attacking and how • Must not overblock (FP) or underblock (FN) Stop vulnerabilities from being exploited • Don’t warn me about meaningless probes Don’t create alert fatigue Security in operations
  • 21. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Protect Applications and APIs with RASP 21 Custom Code Open Source Libraries and Frameworks Application Server and Platform • PREVENTS Known Vulnerabilities from exploit • Prevents LATENT Vulnerabilities from exploit • Fast response to prevent NOVEL vulnerabilities from exploit
  • 22. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ RASP Deploys with Your Application 22 • Ansible • Puppet • Docker • Kubernetes • Whatever…
  • 23. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ RASP Protects Against OSS Vulnerabilities 23 March 7 CVE-2017-5638 Disclosed, Apache releases fixed version March 8 We observe widespread attacks Mid-May Equifax breach occurs July29 Equifax learns of breach Sept 7 Equifax discloses, Four more Struts2 CVEs disclosed No updates You must have infrastructure to respond within hours. DisasterNo detection
  • 24. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ RASP Supports Complex and Backend Protocols 24 Application Untrusted deserialization Name: Smith, James Record ID: 123456 Owner: Finance Application expects to receive this object Bad Guy AcmeInternalType#cmd: java.lang.Runtime AcmeInternalType#mtd: getRuntime().exec AcmeInternalType#args: ‘cmd.exe’,’/C’,’calc’ AcmeInternalType#cmd: java.lang.Runtime AcmeInternalType#mtd: getRuntime().exec AcmeInternalType#args: ‘cmd.exe’,’/C’,’calc’ Attacker sends malicious object
  • 25. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ RASP Is Fast 25 +50 µs 100x faster than wafRASP waf +5 ms
  • 26. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ RASP Provides AppSec Threat Intelligence 26
  • 27. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Continuous Application Security Security in development Security in integration Security in operations PROTECT • Tell me who is attacking and how • Stop vulns from being exploited • Don’t create alert fatigue ASSURE • Don’t slow down my builds • Integrate with my testing tools • Real vulns break my build EMPOWER •Test my custom code and libraries •Realtime feedback through my tools •Don’t slow me down
  • 28. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Fully Continuous AppSec
  • 29. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Contrast Community Edition 21,000,000 DEVELOPERS IN THE WORLD AND ONLY 6% HAVE ACCESS TO DECENT SECURITY TOOLS Contrast CE is a totally free and full-strength application security platform combining: • Assess web apps and APIs for vulnerabilities (AST) • Monitor open source (SCA) • Runtime exploit prevention (RASP) Faster, more accurate, more scalable, better integrated, and more DevSecOps-friendly than any other application security solution. Coming Soon: https://www.contrastsecurity.com/contrast-community-edition
  • 30. > Go Fast and Be Secure. Try Continuous Application Security Now! #springone@s1p