© 2016 Denim Group, Prevoty – All Rights Reserved
Running a High-Efficiency, High-Visibility Application Security Program with Prevoty and ThreadFix
July 19, 2016
Arpit Joshipura, VP Product Management, Prevoty
Dan Cornell, CTO, Denim Group
Agenda
• State of Application Security
• ThreadFix Overview
• RASP and Prevoty Overview
• ThreadFix / Prevoty Integration
State of Runtime Application Security
Market trends show movement toward adoption of RASP
Key Executive Updates
1. Attacks on the rise (web application attacks were the #1 vector in 2015 - Verizon Data Breach Investigations Report)
2. Vulnerability backlog on the rise (>90% of respondents have up to 5,000 vulnerabilities that cannot be fixed)*
3. Analysts and customers now believe that RASP augments traditional runtime security
4. Customers are moving past the education stage to active interest in RASP
5. Prevoty emerging as the leader (2-year lead) in Runtime Application Security, with new competitors such as Veracode announcing plans for RASP this month
* http://blog.prevoty.com/news/the-great-divide-new-report-finds-it-pros-and-security-pros-at-odds-over-appsec
ThreadFix Overview
• Create a consolidated view of your
applications and vulnerabilities
• Prioritize application risk decisions based
on data
• Translate vulnerabilities to developers in
the tools they are already using
ThreadFix Overview (diagram slide)
Create a consolidated view of your applications and vulnerabilities
Application Portfolio Tracking
Vulnerability Consolidation
Prioritize application risk decisions based on data
Vulnerability Prioritization
Reporting and Metrics
Translate vulnerabilities to developers in the tools they are already using
Defect Tracker Integration
Secure DevOps with ThreadFix
• What does your pipeline look like?
http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu
http://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally
https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html
Runtime Application Security (Visibility & Protection)
Awards and recognition shown on the slide:
• The Most Innovative Startup 2016
• People Shaping Info Security: Kunal Anand, Co-founder/CTO
• Most Innovative Security Product (Software) of the Year
• 20 Most Promising Enterprise Security Companies
• The Most Innovative Application Security Solution for 2016
Survey Results: IT & Security Professionals Gap
Key findings
• >90% have up to 5,000 vulnerabilities in their backlog
• Security professionals spend >3.5 days every week tuning their current runtime solutions
* http://blog.prevoty.com/news/the-great-divide-new-report-finds-it-pros-and-security-pros-at-odds-over-appsec
2015 Enterprise Survey
Applications are being targeted at runtime
Enterprise survey results, Dec 2015
(Chart: "What is the most common gateway attack experienced by your organization over the past 12 months?"; the chart data is not recoverable from the slide text.) The top 3 vectors constitute 95% of the attacks in production.
In a recent Ponemon Institute research study, of those surveyed:
• >75% believe applications are more vulnerable today
• >50% believe organizations are ineffective at security
• ~50% say application security is a top priority
Source: Security Survey by Ponemon Institute, Dec 2015
3 Easy Steps to Runtime Application Security
Step 1: Identify the maturity of Application Security
Detection, Remediation and Protection spectrum of programs

Early Stage
• Ad-hoc approach to testing and remediation, driven by compliance
• Limited AppSec tools and process

Intermediate
• Continuous testing
• Inconsistent remediation and protection, with a backlog of vulnerabilities
• AppSec testing tools in place
• SSDLC process framework
• WAF in passive mode

Mature
• Continuous testing
• Consistent remediation
• Continuous monitoring
• AppSec testing tools operationalized
• SSDLC operationalized
• WAF in passive/active mode
• Runtime monitoring
Step 2: Plan for a modern security architecture
(Architecture diagram, left to right: Users, Network, Applications, Data. The groupings below are read from the diagram labels.)
• Users: Web Browser, Mobile App (Hardening SDK/Wrapper), Endpoint
• Network: NG Firewall, Web App Firewall, Load Balancer, API Gateway, SIEM
• Applications: Backend Application and Web API, each with Runtime Sec
• Data: SQL Database, Database Firewall
Step 3: Plan for xAST in Development, RASP in Production
Layered application security: static, dynamic and interactive testing (SAST/DAST/IAST) find vulnerabilities during development; RASP works through the SDLC process, with protection in operations
Not All RASPs are equal: LANGSEC-based RASP
Security without signatures and heuristics
LANGSEC (Language-theoretic Security)
NO: signatures, regular expressions, white lists/black lists, pattern matching, heuristics, anomaly detection, taint analysis, data flow analysis
Accurate: <1% false positives (vendor-stated)
Simple: low TCO, no tuning
Fast: 30-50X better than regex (vendor-stated)
LANGSEC treats each input as a sentence in a formal language and runs a real parser over it instead of matching signatures. Parsing resolves encoding, obfuscation and fuzzing of the data input first, so the protection decision is made on the actual structure at the "moment of truth" (code execution: for example the SQL statement the application is about to run, or the HTML it is about to emit).
PREVOTY SOLUTION TODAY
Protecting applications in production at runtime
• Application security monitoring and protection from inside the application itself at runtime
• No changes to the applications required
• Deployed in the cloud, as a virtual appliance, or self-contained in the application
Monitoring: Application Security Intelligence
• Insight into what attacks are actually hitting applications in production
• Identifies the "who / what / where / when" of an attack
Protection: RASP (Runtime Application Self-Protection)
• Automatic vulnerability mitigation
• Protects content (XSS), databases (SQL injection), tokens (CSRF) and more
• Buys the development team time to remediate critical vulnerabilities; the runtime mitigation is a compensating control, not a fix
PREVOTY APPLICATION SECURITY MONITORING
Insights into the threats hitting your applications at runtime
• Who (origin of the threat): IP address, session info (with user ID), cookie detail
• What (nature of the threat): contents of the payload, payload intelligence
• When (time of the attack): timestamp, down to the nanosecond
• Where (where the exploit happened): URL for web applications, stack trace for SQL queries
Applies to legacy applications, new applications and 3rd-party applications
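The two slides above make one technical point: a signature filter decides on the raw input, while a runtime check decides on the statement the application actually built, at the moment it is about to execute. The example below is added here to show that difference concretely; it is not Prevoty's or ThreadFix's code and uses none of their APIs. A regex blacklist is run over the raw input, and a structural check lexes the final SQL statement and asks whether the untrusted value stayed inside a single literal token. The lexer, the `rasp_execute` hook, the two query builders, the request context and the test inputs are all constructed for this illustration; a real agent would sit on the database driver and know the input's span from the call site instead of searching for it.

```python
"""Added example for the LANGSEC and monitoring slides (not Prevoty's or
ThreadFix's code, none of their APIs): a regex blacklist inspects the raw input,
the structural check lexes the statement the application actually built and asks
whether the untrusted input stayed inside one literal token."""
import re
import sys
import time
from typing import Any, Dict, List, NamedTuple, Optional

BLACKLIST = re.compile(r"'\s+or\s+1\s*=\s*1", re.IGNORECASE)  # a signature-style rule

def signature_check(user_input: str) -> bool:
    """True when the raw input matches the blacklist."""
    return BLACKLIST.search(user_input) is not None

class Token(NamedTuple):
    kind: str    # STR, NUM, ID or OP
    text: str
    start: int   # offsets into the statement
    end: int

# Minimal SQL lexer for the subset used here: '' escapes a quote inside a
# string literal; whitespace and comments are matched but dropped.
TOKEN_RE = re.compile(r"""
    (?P<WS>\s+)
  | (?P<COMMENT>--[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<STR>'(?:[^']|'')*')
  | (?P<NUM>\d+(?:\.\d+)?)
  | (?P<ID>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<OP>[^\s'A-Za-z0-9_])
""", re.VERBOSE | re.DOTALL)

def tokenize(sql: str) -> List[Token]:
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:                 # only an unterminated quote gets here
            raise ValueError(f"unterminated literal at offset {pos}")
        if m.lastgroup not in ("WS", "COMMENT"):
            tokens.append(Token(m.lastgroup, m.group(), m.start(), m.end()))
        pos = m.end()
    return tokens

def input_became_code(sql: str, untrusted: str) -> Optional[str]:
    """None when the input sits inside a single STR or NUM token, else the reason.
    Assumption: the input is found by searching the statement for the raw value or
    its ''-escaped form; a real driver-level hook would know the span."""
    if untrusted == "":
        return None
    forms = [f for f in (untrusted, untrusted.replace("'", "''")) if f in sql]
    if not forms:
        return "input not found in statement"
    start = sql.find(forms[0])
    end = start + len(forms[0])
    try:
        tokens = tokenize(sql)
    except ValueError as exc:
        return f"lexical error: {exc}"
    hits = [t for t in tokens if t.start < end and start < t.end]
    if (len(hits) == 1 and hits[0].kind in ("STR", "NUM")
            and hits[0].start <= start and end <= hits[0].end):
        return None
    return "input not confined to one literal: " + " ".join(f"{t.kind}:{t.text}" for t in hits)

def rasp_execute(sql: str, untrusted: str, request: Dict[str, Any]) -> Dict[str, Any]:
    """Hook at the 'moment of truth'; returns the who/what/when/where record."""
    reason = input_became_code(sql, untrusted)
    return {
        "blocked": reason is not None,
        "who": {"ip": request["ip"], "session": request["session"], "user": request["user"]},
        "what": {"payload": untrusted, "verdict": reason or "data only",
                 "signature_hit": signature_check(untrusted)},
        "when": time.time_ns(),                         # nanosecond timestamp
        "where": {"url": request["url"], "statement": sql,
                  "caller": sys._getframe(1).f_code.co_name},
    }

def by_name(name: str, escaped: bool) -> str:           # constructed query builders
    if escaped:                                         # the remediated path
        name = name.replace("'", "''")
    return "SELECT id FROM users WHERE name = '" + name + "'"

def by_id(user_id: str) -> str:                         # numeric context: no quote needed
    return "SELECT id FROM users WHERE id = " + user_id

REQUEST = {"ip": "203.0.113.7", "session": "s-9f1c", "user": "alice",
           "url": "/users/search"}                      # constructed request context

def demo() -> Dict[str, Dict[str, Any]]:
    """Run the constructed cases; returns the monitoring record per label."""
    cases = [
        ("apostrophe, escaped", "O'Reilly",         lambda s: by_name(s, True)),
        ("textbook, escaped",   "' OR 1=1 --",      lambda s: by_name(s, True)),
        ("textbook, raw",       "' OR 1=1 --",      lambda s: by_name(s, False)),
        ("obfuscated, raw",     "'/**/OR/**/1=1--", lambda s: by_name(s, False)),
        ("truncation, raw",     "x'--",             lambda s: by_name(s, False)),
        ("unterminated, raw",   "x'",               lambda s: by_name(s, False)),
        ("numeric id",          "42",               by_id),
        ("numeric tautology",   "42 OR 1=1",        by_id),
    ]
    return {label: rasp_execute(build(raw), raw, REQUEST) for label, raw, build in cases}
```

Calling `demo()` returns one record per case. The comment-obfuscated payload and the numeric tautology never match the blacklist but are blocked because the input spilled across several tokens; the escaped `O'Reilly` and even the escaped textbook payload are allowed, since after the application's own escaping they are one string literal, which is exactly where a regex rule on the raw input would have produced a false positive. A lone unmatched quote fails to lex at all and is reported as a lexical error. The `when` field uses `time.time_ns()` and `where` records the statement and the calling function, mirroring the fields on the monitoring slide.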
Ecosystem Integration
Prevoty delivers data on production application attacks in progress to:
• SIEMs
• NGFWs
• IPSs
• WAFs
ThreadFix and Prevoty
• Value of integrating RASP with your
Vulnerability Resolution Platform
• Mechanics of integration
Marking Applications as RASP-Protected
Vulnerability Risk Management and RASP
Prioritizing Your Prevoty Rollout
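The ThreadFix slides (Vulnerability Consolidation, Vulnerability Prioritization) and the three integration slides just above describe one workflow: merge scanner findings into a single view, mark which applications carry the RASP agent, show the residual risk once the classes the agent mitigates (XSS, SQL injection, CSRF on the Prevoty slide) are accounted for, and rank the remaining applications for the rollout. The example below is added here to make that workflow concrete; it is not ThreadFix's or Prevoty's code and uses none of their data models or APIs. The scanner exports, the application portfolio, the severity scale and the two-level downgrade for RASP-covered findings are all constructed assumptions for the illustration.

```python
"""Added example for the ThreadFix consolidation/prioritization slides and the
ThreadFix/Prevoty integration slides (not their code, data model or API):
merge findings from several scanners, mark RASP-protected applications, compute
residual risk and rank the unprotected applications for a RASP rollout."""
from typing import Dict, List, Tuple

SEVERITY = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1}
# Vulnerability classes the slides say the RASP mitigates at runtime (CWE ids).
RASP_COVERED = {"CWE-79": "XSS", "CWE-89": "SQL injection", "CWE-352": "CSRF"}

# Constructed scanner exports. Two tools report the same SQL injection in
# "inventory" with different path spellings, and both see the same XSS sink.
SCANNER_FINDINGS = [
    {"tool": "sast", "app": "inventory", "cwe": "CWE-89",  "path": "/api/items",
     "param": "sku",  "severity": "critical"},
    {"tool": "dast", "app": "inventory", "cwe": "CWE-89",  "path": "/API/ITEMS/",
     "param": "sku",  "severity": "high"},
    {"tool": "sast", "app": "inventory", "cwe": "CWE-79",  "path": "/search",
     "param": "q",    "severity": "high"},
    {"tool": "dast", "app": "inventory", "cwe": "CWE-79",  "path": "/search",
     "param": "q",    "severity": "medium"},
    {"tool": "sast", "app": "inventory", "cwe": "CWE-22",  "path": "/export",
     "param": "file", "severity": "high"},
    {"tool": "dast", "app": "portal",    "cwe": "CWE-352", "path": "/account",
     "param": "-",    "severity": "medium"},
    {"tool": "sast", "app": "portal",    "cwe": "CWE-79",  "path": "/profile",
     "param": "bio",  "severity": "high"},
    {"tool": "sast", "app": "reports",   "cwe": "CWE-502", "path": "/upload",
     "param": "doc",  "severity": "critical"},
]

# Constructed portfolio: business criticality and whether the RASP agent is on.
PORTFOLIO = {
    "inventory": {"criticality": 3, "rasp_protected": False},
    "portal":    {"criticality": 2, "rasp_protected": True},
    "reports":   {"criticality": 3, "rasp_protected": False},
}

def consolidate(findings: List[dict]) -> Dict[Tuple[str, str, str, str], dict]:
    """Merge findings that describe the same weakness at the same place.
    Key: app, CWE, normalised path (case and trailing slash), parameter.
    The merged record keeps the worst reported severity and every source."""
    merged: Dict[Tuple[str, str, str, str], dict] = {}
    for f in findings:
        key = (f["app"], f["cwe"], f["path"].lower().rstrip("/"), f["param"])
        rec = merged.setdefault(key, {"severity": "info", "sources": []})
        if SEVERITY[f["severity"]] > SEVERITY[rec["severity"]]:
            rec["severity"] = f["severity"]
        rec["sources"].append(f["tool"])
    return merged

def residual_severity(cwe: str, severity: str, rasp_protected: bool) -> str:
    """RASP lowers the exposure of a covered class but does not close the
    finding: the fix is still owed. Two levels down is an assumed policy."""
    if not (rasp_protected and cwe in RASP_COVERED):
        return severity
    levels = sorted(SEVERITY, key=SEVERITY.get)        # info .. critical
    return levels[max(0, levels.index(severity) - 2)]

def app_risk(merged: dict, portfolio: dict) -> Dict[str, Dict[str, int]]:
    """Per application: raw risk, residual risk with RASP accounted for, and the
    RASP-coverable share of raw risk (what deploying the agent would buy)."""
    out = {a: {"raw": 0, "residual": 0, "coverable": 0} for a in portfolio}
    for (app, cwe, _, _), rec in merged.items():
        crit = portfolio[app]["criticality"]
        raw = SEVERITY[rec["severity"]] * crit
        res = SEVERITY[residual_severity(cwe, rec["severity"],
                                         portfolio[app]["rasp_protected"])] * crit
        out[app]["raw"] += raw
        out[app]["residual"] += res
        if cwe in RASP_COVERED:
            out[app]["coverable"] += raw
    return out

def rollout_order(risk: Dict[str, Dict[str, int]], portfolio: dict) -> List[str]:
    """Unprotected apps ranked by how much of their risk the RASP would cover."""
    candidates = [a for a in portfolio if not portfolio[a]["rasp_protected"]]
    return sorted(candidates, key=lambda a: (-risk[a]["coverable"], a))

if __name__ == "__main__":
    merged = consolidate(SCANNER_FINDINGS)
    risk = app_risk(merged, PORTFOLIO)
    for app, r in risk.items():
        print(app, r)
    print("deploy RASP next:", rollout_order(risk, PORTFOLIO))
```

On this data the eight scanner findings collapse to six, "portal" keeps its findings open but drops from a raw score of 14 to a residual 6 because it is already protected, and the rollout ranks "inventory" ahead of "reports": "reports" carries the same raw risk as a single critical finding, but it is a deserialization issue the agent does not cover, so deploying there first would not move its residual risk at all. That is the point of marking applications as protected inside the vulnerability management view rather than tracking the agent rollout separately.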
Summary & Joint Value
• Unparalleled insights from within the application
• Efficient prioritization and remediation of identified vulnerabilities
• Optimized deployment of Prevoty based on risk and value
Questions and Contact
• ThreadFix www.threadfix.it
• Prevoty www.prevoty.com