SlideShare a Scribd company logo

Technical Architecture of RASP Technology

Priyanka Aash
Priyanka Aash

APPSEC CHALLENGES - Writing Secure Code is not Easy - Most follows agile development strategies - Frequent releases and builds - Any release can introduce or reintroduce vulnerabilities - Problems by design. Ex: Session Hijacking, Credential Stuffing

Technology
1 of 50
SECURITY ENGINEER AJIN ABRAHAM INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING
▸ Security Engineering @ ▸ Research on Runtime Application Self Defence ▸ Authored MobSF, Xenotix and NodeJSScan ▸ Teach Security: https://opsecx.com ▸ Blog: http://opensecurity.in #WHOAMI
AGENDA : WHAT THE TALK IS ABOUT? RASP WAF WHAT THE TALK IS NOT ABOUT?
APPSEC CHALLENGES ▸ Writing Secure Code is not Easy ▸ Most follows agile development strategies ▸ Frequent releases and builds ▸ Any release can introduce or reintroduce vulnerabilities ▸ Problems by design. 
 Ex: Session Hijacking, Credential Stuffing
STATE OF WEB FRAMEWORK SECURITY ▸ Automatic CSRF Token - Anti CSRF ▸ Templates escapes User Input - No XSS ▸ Uses ORM - No SQLi You need to use secure APIs or write Code to 
 enable some of these Security Bugs happens when people write bad code.
STATE OF WEB FRAMEWORK SECURITY ▸ Anti CSRF - Can easily be turned off/miss configurations ▸ Templates escapes User Input - Just HTML Escape -> XSS ▸ https://jsfiddle.net/1c4f271c/ ▸ Uses ORM - SQLi is still possible ▸ http://rails-sqli.org/
STATE OF WEB FRAMEWORK SECURITY ▸ Remote OS Command Execution - No ▸ Remote Code Injection - No ▸ Server Side Template Injection RCE - No ▸ Session Hijacking - No ▸ Verb Tampering - No ▸ File Upload Restriction - No The list goes on…..
WE NEED TO PREVENT EXPLOITATION LET’S USE WAF
▸ First WAF AppShield in 1999, almost 18 years of existence ▸ Quick question : How many of you run a WAF in defence/ protection mode? ▸ Most organisations use them, but in monitor mode due
 high rate false positives. ▸ Most WAFs use BLACKLISTS CAN A WAF SOLVE THIS? 20% 70% 10% False Negatives False Positive Detection
APPLICATION SECURITY RULE OF THUMB Gets bypassed, today or tomorrow
WHAT WAF SEES? ATTACK != VULNERABILITY
HOW WAF WORKS ▸ The strength of WAF is the blacklist ▸ They detect Attacks not Vulnerability ▸ WAF has no application context ▸ Doesn’t know if a vulnerability got exploited inside
 the app server or not. WAFGET http://xyz.com APP SERVER HTTP REQUEST HTTP RESPONSE
▸ How long they keep on building the black lists? ▸ WAFs used to downgrade your security. ▸ No Perfect Forward Secrecy ▸ Can’t Support elliptic curves like ECDHE ▸ Some started to support with a Reverse Proxy ▸ Organisations are moving to PFS (Heartbleed bug) ▸ SSL Decryption and Re-encryption Overhead WAF PROBLEMS
TLS 1.3 COMING SOON ….
SO WHAT’S THE IDEAL PLACE FOR SECURITY? REQUEST RESPONSE APP SERVER APP SERVER CORE SECURITY LAYER
We can do much better.
 It’s time to evolve WAF - > SAST -> DAST -> IAST -> RASP Attack Detection 
 &
 Prevention/Neutralization
 +
 Precise 
 Vulnerability Detection
 +
 Extras Attack Detection 
 &
 Prevention Vulnerability Detection Precise 
 Vulnerability Detection
RUNTIME APPLICATION SELF DEFENCE ▸ Detect both Attacks and Vulnerability ▸ Zero Code Modification and Easy Integration ▸ No Hardware Requirements ▸ Apply defence inside the application ▸ Have Code Level insights ▸ Fewer False positives ▸ Inject Security at Runtime ▸ No use of Blacklists
TYPES OF RASP ▸ Pattern Matching with Blacklist - Old wine in new bottle (Fancy WAF) ▸ Dynamic Tainting - Good but Performance over head ▸ Virtualisation and Compartmentalisation - Good, but Less Precise, Container oriented and not application oriented, Platform Specific (JVM) ▸ Code Instrumentation and Dynamic Whitelist - Good, but specific to Frameworks, Developer deployed
FOCUS OF RESEARCH ▸ Other AppSec Challenges ▸ Preventing Verb Tampering ▸ Preventing Header Injection ▸ File Upload Protection ▸ Ongoing Research ▸ Preventing Session Hijacking ▸ Preventing Layer 7 DDoS ▸ Credential Stuffing ▸ RASP by API Instrumentation
 and Dynamic Whitelist ▸ Securing a vulnerable Python 
 Tornado app with Zero Code change. ▸ Code Injection Vulnerabilities ▸ Preventing SQLi ▸ Preventing RCE ▸ Preventing Stored & Reflected XSS ▸ Preventing DOM XSS
RASP BY API INSTRUMENTATION AND DYNAMIC WHITELIST ▸ MONKEY PATCHING ▸ LEXICAL ANALYSIS ▸ CONTEXT DETERMINATION
MONKEY PATCHING ▸ Also know as Runtime Hooking and Patching of functions/ methods. ▸ https://jsfiddle.net/h1gves49/2/
LEXICAL ANALYSIS AND TOKEN GENERATION ▸ A lexical analyzer breaks these syntaxes into a series of tokens, by removing any whitespace or comments in the source code. ▸ Lexical analyzer generates error if it sees an invalid token.
LEXICAL ANALYSIS AND TOKEN GENERATION SYNTAX TOKEN int KEYWORD value IDENTIFIER = OPERATOR 100 CONSTANT ; SYMBOL INPUT: int value = 100;//value is 100 Normal Lexer SYNTAX TOKEN int KEYWORD WHITESPACE value IDENTIFIER WHITESPACE = OPERATOR WHITESPACE 100 CONSTANT ; SYMBOL //value is 100 COMMENT Custom Lexer
CONTEXT DETERMINATION HTML PARSER HTML CODE DOM TREE
PREVENTING CODE INJECTION VULNERABILITIES Interpreter cannot distinguish between 
 Code and Data Solve that and you solve the code injection problems
PREVENTING CODE INJECTION VULNERABILITIES ▸ Preventing SQL Injection ▸ Preventing Remote OS Command Execution ▸ Preventing Stored & Reflected Cross Site Scripting ▸ Preventing DOM XSS
SQL INJECTION SELECT * FROM <user_input>
SQL INJECTION : HOOK SQL Execution API
 cursor.execute(‘SELECT * FROM logs‘)
SQL INJECTION : LEARN SELECT * FROM logs SYNTAX TOKEN SELECT KEYWORD WHITESPACE * OPERATOR WHITESPACE FROM KEYWORD WHITESPACE logs STRING
SQL INJECTION : PROTECT SYNTAX TOKEN SELECT KEYWORD WHITESPACE * OPERATOR WHITESPACE FROM KEYWORD WHITESPACE logs STRING WHITESPACE AND KEYWORD WHITESPACE DROP KEYWORD WHITESPACE TABLE KEYWORD WHITESPACE admin STRING SELECT * FROM logs AND DROP TABLE admin
SQL INJECTION : PROTECT KEYWORD WHITESPACE OPERATOR WHITESPACE KEYWORD WHITESPACE STRING Rule for Context: SELECT * FROM <user_input> SELECT * FROM logs SELECT * FROM history SELECT * FROM logs AND DROP TABLE admin KEYWORD WHITESPACE OPERATOR WHITESPACE KEYWORD WHITESPACE STRING 
 WHITESPACE KEYWORD WHITESPACE KEYWORD WHITESPACE KEYWORD WHITESPACE STRING
DEMO
REMOTE OS COMMAND INJECTION ping -c 3 <user input>
REMOTE OS COMMAND INJECTION : HOOK Command Execution API
 os.system(ping -c 3 127.0.0.1)
REMOTE OS COMMAND INJECTION : LEARN ping -c 3 127.0.0.1 SYNTAX TOKEN ping EXECUTABLE WHITESPACE -c ARGUMENT_DASH WHITESPACE 3 NUMBER WHITESPACE 127.0.0.1 IP_OR_DOMAIN
REMOTE OS COMMAND INJECTION : PROTECT ping -c 3 127.0.0.1 & cat /etc/passwd SYNTAX TOKEN ping EXECUTABLE WHITESPACE -c ARGUMENT_DASH WHITESPACE 3 NUMBER WHITESPACE 127.0.0.1 IP_OR_DOMAIN WHITESPACE & SPLITTER WHITESPACE cat EXECUTABLE WHITESPACE /etc/passwd UNIX_PATH
REMOTE OS COMMAND INJECTION : PROTECT EXECUTABLE WHITESPACE ARGUMENT_DASH WHITESPACE NUMBER WHITESPACE IP_OR_DOMAIN Rule for Context: ping -c 3 <user_input> ping -c 3 127.0.0.1
 ping -c 3 google.com ping -c 3 127.0.0.1 & cat /etc/passwd 
 EXECUTABLE WHITESPACE ARGUMENT_DASH WHITESPACE NUMBER WHITESPACE IP_OR_DOMAIN
 WHITESPACE SPLITTER WHITESPACE EXECUTABLE WHITESPACE UNIX_PATH
DEMO
CROSS SITE SCRIPTING <body><h1>hello {{user_input1}} </h1></body>
 <script> var x=‘{{user_input2}}’;</script>
CROSS SITE SCRIPTING : HOOK Template Rendering API
 
 template.render(“<body><h1>hello {{user_input1}}
 </h1></body><script> var x=‘{{user_input2}}’;
 </script>“, user_input1, user_input2)
CROSS SITE SCRIPTING : CONTEXT DETERMINATION Parsing the DOM Tree <body><h1>hello {{user_input1}}
 </h1></body><script> var x=‘{{user_input2}}’;
 </script> HTML_CONTEXT JAVASCRIPT_VALUE_CONTEXT
CROSS SITE SCRIPTING : PROTECT <body><h1>hello {{user_input1}} </h1></body>
 <script> var x=‘{{user_input2}}’;</script> <body><h1>hello World </h1></body>
 <script> var x=‘Hello World’;</script> user_input1 = “World”
 user_input2 = “Hello World”
CROSS SITE SCRIPTING : PROTECT <body><h1>hello &lt;script&gt;alert(0)&lt;/ script&gt; </h1></body>
 <script> var x=‘';alert(0);//x3C/scriptx3E’;</ script> user_input1 = “<script>alert(0)</script>”
 user_input2 = “‘;alert(0);//</script>”
DEMO
PREVENTING DOM XSS https://jsfiddle.net/vno23woL/3/ ▸ Inject Security into JavaScript Frameworks ▸ Common JavaScript Frameworks - jQuery, AngularJS, MustacheJS etc… ▸ DOMPurify - https://github.com/cure53/DOMPurify ▸ jPurify - https://github.com/cure53/jPurify
ON GOING RESEARCH ▸ Preventing Session Hijacking ▸ Preventing Layer 7 DDoS ▸ Credential Stuffing
THE RASP ADVANTAGES ▸ Accurate and Precise in Vulnerability Detection & Prevention ▸ Code Level Insight (Line no, Stack trace) ▸ Not based on Heuristics - Zero/Negligible False Positives ▸ No SSL Decryption and Re-encryption overhead ▸ Doesn’t Downgrade your Security ▸ Preemptive security - Zero Day protection ▸ Zero Code Change and easy integration
 
 pip install rasp_module
 import rasp_module
BIGGEST ADVANTAGE Now you can deploy it on protection mode
CHARACTERISTICS OF AN IDEAL RASP ▸ Ideal RASP should have minimal Performance impact ▸ Should not introduce vulnerabilities ▸ Must not consume PII of users ▸ Should not learn the bad stuff ▸ Should be a “real RASP” not a fancy WAF with Blacklist. ▸ Minimal Configuration and Easy deployment
THAT’S ALL FOLKS! ▸ Thanks to ▸ Zaid Al Hamami, Mike Milner, Steve Williams, Oliver Lavery
 (Team IMMUNIO inc). ▸ Kamaiah, Francis, Bharadwaj, Surendar, Sinu, Vivek 
 (Team Yodlee Security Office - YSO) ▸ Due Credits ▸ Graphics/Image Owners @ajinabraham ajin25@gmail.com

Recommended

Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Jeff Williams
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLCBDPA Charlotte - Information Technology Thought Leaders
 
CISSP Prep: Ch 9. Software Development Security
CISSP Prep: Ch 9. Software Development SecurityCISSP Prep: Ch 9. Software Development Security
CISSP Prep: Ch 9. Software Development SecuritySam Bowne
 
Modern security using graphs, automation and data science
Modern security using graphs, automation and data scienceModern security using graphs, automation and data science
Modern security using graphs, automation and data scienceDinis Cruz
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?ONE BCG
 
Attack detection and prevention in the cyber
Attack detection and prevention in the cyberAttack detection and prevention in the cyber
Attack detection and prevention in the cyberJahangirnagar University
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Lecture 3
Lecture 3Lecture 3
Lecture 3Education
 

Recommended

Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Jeff Williams
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLCBDPA Charlotte - Information Technology Thought Leaders
 
CISSP Prep: Ch 9. Software Development Security
CISSP Prep: Ch 9. Software Development SecurityCISSP Prep: Ch 9. Software Development Security
CISSP Prep: Ch 9. Software Development SecuritySam Bowne
 
Modern security using graphs, automation and data science
Modern security using graphs, automation and data scienceModern security using graphs, automation and data science
Modern security using graphs, automation and data scienceDinis Cruz
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?ONE BCG
 
Attack detection and prevention in the cyber
Attack detection and prevention in the cyberAttack detection and prevention in the cyber
Attack detection and prevention in the cyberJahangirnagar University
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Lecture 3
Lecture 3Lecture 3
Lecture 3Education
 
Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security MetricsCigital
 
Virus and Malicious Code Chapter 5
Virus and Malicious Code Chapter 5Virus and Malicious Code Chapter 5
Virus and Malicious Code Chapter 5AfiqEfendy Zaen
 
SecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecuritySecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecurityDinis Cruz
 
Trojans and backdoors
Trojans and backdoorsTrojans and backdoors
Trojans and backdoorsGaurav Dalvi
 
Security Testing with Zap
Security Testing with ZapSecurity Testing with Zap
Security Testing with ZapSoluto
 
Ssdf nist
Ssdf nistSsdf nist
Ssdf nistNaveen Koyi
 
Ransomware by lokesh
Ransomware by lokeshRansomware by lokesh
Ransomware by lokeshLokesh Bysani
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
SOFTWARE TESTING
SOFTWARE TESTINGSOFTWARE TESTING
SOFTWARE TESTINGPriyanka Karancy
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec TeamsDinis Cruz
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10YasserElsnbary
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackKaustubh Padwad
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patternsStephen de Vries
 
What is Next-Generation Antivirus?
What is Next-Generation Antivirus?What is Next-Generation Antivirus?
What is Next-Generation Antivirus?Ryan G. Murphy
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияPositive Hack Days
 

More Related Content

What's hot

Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security MetricsCigital
 
Virus and Malicious Code Chapter 5
Virus and Malicious Code Chapter 5Virus and Malicious Code Chapter 5
Virus and Malicious Code Chapter 5AfiqEfendy Zaen
 
SecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecuritySecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecurityDinis Cruz
 
Trojans and backdoors
Trojans and backdoorsTrojans and backdoors
Trojans and backdoorsGaurav Dalvi
 
Security Testing with Zap
Security Testing with ZapSecurity Testing with Zap
Security Testing with ZapSoluto
 
Ransomware by lokesh
Ransomware by lokeshRansomware by lokesh
Ransomware by lokeshLokesh Bysani
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec TeamsDinis Cruz
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackKaustubh Padwad
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patternsStephen de Vries
 
What is Next-Generation Antivirus?
What is Next-Generation Antivirus?What is Next-Generation Antivirus?
What is Next-Generation Antivirus?Ryan G. Murphy
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 

What's hot (20)

Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security Metrics
 
Virus and Malicious Code Chapter 5
Virus and Malicious Code Chapter 5Virus and Malicious Code Chapter 5
Virus and Malicious Code Chapter 5
 
SecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecuritySecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of Security
 
Trojans and backdoors
Trojans and backdoorsTrojans and backdoors
Trojans and backdoors
 
Security Testing with Zap
Security Testing with ZapSecurity Testing with Zap
Security Testing with Zap
 
Ssdf nist
Ssdf nistSsdf nist
Ssdf nist
 
Ransomware by lokesh
Ransomware by lokeshRansomware by lokesh
Ransomware by lokesh
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
SOFTWARE TESTING
SOFTWARE TESTINGSOFTWARE TESTING
SOFTWARE TESTING
 
Security testing
Security testingSecurity testing
Security testing
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec Teams
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLC
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patterns
 
What is Next-Generation Antivirus?
What is Next-Generation Antivirus?What is Next-Generation Antivirus?
What is Next-Generation Antivirus?
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 

Similar to Technical Architecture of RASP Technology

Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияPositive Hack Days
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2ssuser18349f1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using AnsibleSonatype
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-mspMike Saunders
 
What the Struts?
What the Struts?What the Struts?
What the Struts?Joe Kutner
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservicesMohammed A. Imran
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
Automating Security Testing with the OWTF
Automating Security Testing with the OWTFAutomating Security Testing with the OWTF
Automating Security Testing with the OWTFJerod Brennen
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxFernandoVizer
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionDaniel Owens
 

Similar to Technical Architecture of RASP Technology (20)

Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполнения
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-msp
 
Virtually Pwned
Virtually PwnedVirtually Pwned
Virtually Pwned
 
What the Struts?
What the Struts?What the Struts?
What the Struts?
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservices
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
Automating Security Testing with the OWTF
Automating Security Testing with the OWTFAutomating Security Testing with the OWTF
Automating Security Testing with the OWTF
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Alison B. Lowndes
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCzechDreamin
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsStefano
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityScyllaDB
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...Product School
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutesconfluent
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2DianaGray10
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Thierry Lestable
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaRTTS
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxJennifer Lim
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...CzechDreamin
 
The architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdfThe architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdfalexjohnson7307
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationZilliz
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
 

Recently uploaded (20)

Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
The architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdfThe architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdf
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 

Technical Architecture of RASP Technology

  • 1. SECURITY ENGINEER AJIN ABRAHAM INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING
  • 2. ▸ Security Engineering @ ▸ Research on Runtime Application Self Defence ▸ Authored MobSF, Xenotix and NodeJSScan ▸ Teach Security: https://opsecx.com ▸ Blog: http://opensecurity.in #WHOAMI
  • 3. AGENDA : WHAT THE TALK IS ABOUT? RASP WAF WHAT THE TALK IS NOT ABOUT?
  • 4. APPSEC CHALLENGES ▸ Writing Secure Code is not Easy ▸ Most follows agile development strategies ▸ Frequent releases and builds ▸ Any release can introduce or reintroduce vulnerabilities ▸ Problems by design. 
 Ex: Session Hijacking, Credential Stuffing
  • 5. STATE OF WEB FRAMEWORK SECURITY ▸ Automatic CSRF Token - Anti CSRF ▸ Templates escapes User Input - No XSS ▸ Uses ORM - No SQLi You need to use secure APIs or write Code to 
 enable some of these Security Bugs happens when people write bad code.
  • 6. STATE OF WEB FRAMEWORK SECURITY ▸ Anti CSRF - Can easily be turned off/miss configurations ▸ Templates escapes User Input - Just HTML Escape -> XSS ▸ https://jsfiddle.net/1c4f271c/ ▸ Uses ORM - SQLi is still possible ▸ http://rails-sqli.org/
  • 7. STATE OF WEB FRAMEWORK SECURITY ▸ Remote OS Command Execution - No ▸ Remote Code Injection - No ▸ Server Side Template Injection RCE - No ▸ Session Hijacking - No ▸ Verb Tampering - No ▸ File Upload Restriction - No The list goes on…..
  • 8. WE NEED TO PREVENT EXPLOITATION LET’S USE WAF
  • 9. ▸ First WAF AppShield in 1999, almost 18 years of existence ▸ Quick question : How many of you run a WAF in defence/ protection mode? ▸ Most organisations use them, but in monitor mode due
 high rate false positives. ▸ Most WAFs use BLACKLISTS CAN A WAF SOLVE THIS? 20% 70% 10% False Negatives False Positive Detection
  • 10. APPLICATION SECURITY RULE OF THUMB Gets bypassed, today or tomorrow
  • 11. WHAT WAF SEES? ATTACK != VULNERABILITY
  • 12. HOW WAF WORKS ▸ The strength of WAF is the blacklist ▸ They detect Attacks not Vulnerability ▸ WAF has no application context ▸ Doesn’t know if a vulnerability got exploited inside
 the app server or not. WAFGET http://xyz.com APP SERVER HTTP REQUEST HTTP RESPONSE
  • 13. ▸ How long they keep on building the black lists? ▸ WAFs used to downgrade your security. ▸ No Perfect Forward Secrecy ▸ Can’t Support elliptic curves like ECDHE ▸ Some started to support with a Reverse Proxy ▸ Organisations are moving to PFS (Heartbleed bug) ▸ SSL Decryption and Re-encryption Overhead WAF PROBLEMS
  • 14. TLS 1.3 COMING SOON ….
  • 15. SO WHAT’S THE IDEAL PLACE FOR SECURITY? REQUEST RESPONSE APP SERVER APP SERVER CORE SECURITY LAYER
  • 16. We can do much better.
 It’s time to evolve WAF - > SAST -> DAST -> IAST -> RASP Attack Detection 
 &
 Prevention/Neutralization
 +
 Precise 
 Vulnerability Detection
 +
 Extras Attack Detection 
 &
 Prevention Vulnerability Detection Precise 
 Vulnerability Detection
  • 17. RUNTIME APPLICATION SELF DEFENCE ▸ Detect both Attacks and Vulnerability ▸ Zero Code Modification and Easy Integration ▸ No Hardware Requirements ▸ Apply defence inside the application ▸ Have Code Level insights ▸ Fewer False positives ▸ Inject Security at Runtime ▸ No use of Blacklists
  • 18. TYPES OF RASP ▸ Pattern Matching with Blacklist - Old wine in new bottle (Fancy WAF) ▸ Dynamic Tainting - Good but Performance over head ▸ Virtualisation and Compartmentalisation - Good, but Less Precise, Container oriented and not application oriented, Platform Specific (JVM) ▸ Code Instrumentation and Dynamic Whitelist - Good, but specific to Frameworks, Developer deployed
  • 19. FOCUS OF RESEARCH ▸ Other AppSec Challenges ▸ Preventing Verb Tampering ▸ Preventing Header Injection ▸ File Upload Protection ▸ Ongoing Research ▸ Preventing Session Hijacking ▸ Preventing Layer 7 DDoS ▸ Credential Stuffing ▸ RASP by API Instrumentation
 and Dynamic Whitelist ▸ Securing a vulnerable Python 
 Tornado app with Zero Code change. ▸ Code Injection Vulnerabilities ▸ Preventing SQLi ▸ Preventing RCE ▸ Preventing Stored & Reflected XSS ▸ Preventing DOM XSS
  • 20. RASP BY API INSTRUMENTATION AND DYNAMIC WHITELIST ▸ MONKEY PATCHING ▸ LEXICAL ANALYSIS ▸ CONTEXT DETERMINATION
  • 21. MONKEY PATCHING ▸ Also know as Runtime Hooking and Patching of functions/ methods. ▸ https://jsfiddle.net/h1gves49/2/
  • 22. LEXICAL ANALYSIS AND TOKEN GENERATION ▸ A lexical analyzer breaks these syntaxes into a series of tokens, by removing any whitespace or comments in the source code. ▸ Lexical analyzer generates error if it sees an invalid token.
  • 23. LEXICAL ANALYSIS AND TOKEN GENERATION SYNTAX TOKEN int KEYWORD value IDENTIFIER = OPERATOR 100 CONSTANT ; SYMBOL INPUT: int value = 100;//value is 100 Normal Lexer SYNTAX TOKEN int KEYWORD WHITESPACE value IDENTIFIER WHITESPACE = OPERATOR WHITESPACE 100 CONSTANT ; SYMBOL //value is 100 COMMENT Custom Lexer
  • 25. PREVENTING CODE INJECTION VULNERABILITIES Interpreter cannot distinguish between 
 Code and Data Solve that and you solve the code injection problems
  • 26. PREVENTING CODE INJECTION VULNERABILITIES ▸ Preventing SQL Injection ▸ Preventing Remote OS Command Execution ▸ Preventing Stored & Reflected Cross Site Scripting ▸ Preventing DOM XSS
  • 27. SQL INJECTION SELECT * FROM <user_input>
  • 28. SQL INJECTION : HOOK SQL Execution API
 cursor.execute(‘SELECT * FROM logs‘)
  • 29. SQL INJECTION : LEARN SELECT * FROM logs SYNTAX TOKEN SELECT KEYWORD WHITESPACE * OPERATOR WHITESPACE FROM KEYWORD WHITESPACE logs STRING
  • 30. SQL INJECTION : PROTECT SYNTAX TOKEN SELECT KEYWORD WHITESPACE * OPERATOR WHITESPACE FROM KEYWORD WHITESPACE logs STRING WHITESPACE AND KEYWORD WHITESPACE DROP KEYWORD WHITESPACE TABLE KEYWORD WHITESPACE admin STRING SELECT * FROM logs AND DROP TABLE admin
  • 31. SQL INJECTION : PROTECT KEYWORD WHITESPACE OPERATOR WHITESPACE KEYWORD WHITESPACE STRING Rule for Context: SELECT * FROM <user_input> SELECT * FROM logs SELECT * FROM history SELECT * FROM logs AND DROP TABLE admin KEYWORD WHITESPACE OPERATOR WHITESPACE KEYWORD WHITESPACE STRING 
 WHITESPACE KEYWORD WHITESPACE KEYWORD WHITESPACE KEYWORD WHITESPACE STRING
  • 32. DEMO
  • 33. REMOTE OS COMMAND INJECTION ping -c 3 <user input>
  • 34. REMOTE OS COMMAND INJECTION : HOOK Command Execution API
 os.system(ping -c 3 127.0.0.1)
  • 35. REMOTE OS COMMAND INJECTION : LEARN ping -c 3 127.0.0.1 SYNTAX TOKEN ping EXECUTABLE WHITESPACE -c ARGUMENT_DASH WHITESPACE 3 NUMBER WHITESPACE 127.0.0.1 IP_OR_DOMAIN
  • 36. REMOTE OS COMMAND INJECTION : PROTECT ping -c 3 127.0.0.1 & cat /etc/passwd SYNTAX TOKEN ping EXECUTABLE WHITESPACE -c ARGUMENT_DASH WHITESPACE 3 NUMBER WHITESPACE 127.0.0.1 IP_OR_DOMAIN WHITESPACE & SPLITTER WHITESPACE cat EXECUTABLE WHITESPACE /etc/passwd UNIX_PATH
  • 37. REMOTE OS COMMAND INJECTION : PROTECT EXECUTABLE WHITESPACE ARGUMENT_DASH WHITESPACE NUMBER WHITESPACE IP_OR_DOMAIN Rule for Context: ping -c 3 <user_input> ping -c 3 127.0.0.1
 ping -c 3 google.com ping -c 3 127.0.0.1 & cat /etc/passwd 
 EXECUTABLE WHITESPACE ARGUMENT_DASH WHITESPACE NUMBER WHITESPACE IP_OR_DOMAIN
 WHITESPACE SPLITTER WHITESPACE EXECUTABLE WHITESPACE UNIX_PATH
  • 38. DEMO
  • 39. CROSS SITE SCRIPTING <body><h1>hello {{user_input1}} </h1></body>
 <script> var x=‘{{user_input2}}’;</script>
  • 40. CROSS SITE SCRIPTING : HOOK Template Rendering API
 
 template.render(“<body><h1>hello {{user_input1}}
 </h1></body><script> var x=‘{{user_input2}}’;
 </script>“, user_input1, user_input2)
  • 41. CROSS SITE SCRIPTING : CONTEXT DETERMINATION Parsing the DOM Tree <body><h1>hello {{user_input1}}
 </h1></body><script> var x=‘{{user_input2}}’;
 </script> HTML_CONTEXT JAVASCRIPT_VALUE_CONTEXT
  • 42. CROSS SITE SCRIPTING : PROTECT <body><h1>hello {{user_input1}} </h1></body>
 <script> var x=‘{{user_input2}}’;</script> <body><h1>hello World </h1></body>
 <script> var x=‘Hello World’;</script> user_input1 = “World”
 user_input2 = “Hello World”
  • 43. CROSS SITE SCRIPTING : PROTECT <body><h1>hello &lt;script&gt;alert(0)&lt;/ script&gt; </h1></body>
 <script> var x=‘';alert(0);//x3C/scriptx3E’;</ script> user_input1 = “<script>alert(0)</script>”
 user_input2 = “‘;alert(0);//</script>”
  • 44. DEMO
  • 45. PREVENTING DOM XSS https://jsfiddle.net/vno23woL/3/ ▸ Inject Security into JavaScript Frameworks ▸ Common JavaScript Frameworks - jQuery, AngularJS, MustacheJS etc… ▸ DOMPurify - https://github.com/cure53/DOMPurify ▸ jPurify - https://github.com/cure53/jPurify
  • 46. ON GOING RESEARCH ▸ Preventing Session Hijacking ▸ Preventing Layer 7 DDoS ▸ Credential Stuffing
  • 47. THE RASP ADVANTAGES ▸ Accurate and Precise in Vulnerability Detection & Prevention ▸ Code Level Insight (Line no, Stack trace) ▸ Not based on Heuristics - Zero/Negligible False Positives ▸ No SSL Decryption and Re-encryption overhead ▸ Doesn’t Downgrade your Security ▸ Preemptive security - Zero Day protection ▸ Zero Code Change and easy integration
 
 pip install rasp_module
 import rasp_module
  • 48. BIGGEST ADVANTAGE Now you can deploy it on protection mode
  • 49. CHARACTERISTICS OF AN IDEAL RASP ▸ Ideal RASP should have minimal Performance impact ▸ Should not introduce vulnerabilities ▸ Must not consume PII of users ▸ Should not learn the bad stuff ▸ Should be a “real RASP” not a fancy WAF with Blacklist. ▸ Minimal Configuration and Easy deployment
  • 50. THAT’S ALL FOLKS! ▸ Thanks to ▸ Zaid Al Hamami, Mike Milner, Steve Williams, Oliver Lavery
 (Team IMMUNIO inc). ▸ Kamaiah, Francis, Bharadwaj, Surendar, Sinu, Vivek 
 (Team Yodlee Security Office - YSO) ▸ Due Credits ▸ Graphics/Image Owners @ajinabraham ajin25@gmail.com