SlideShare une entreprise Scribd logo

Runtime Protection in the Real World

Télécharger en tant que PPTX, PDF
B
Brooks Garrett

Learn how HP Fortify On Demand is leveraging Fortify Runtime Protection to protect our own cloud services. See tips and techniques learned from deploying Runtime Protection in the real world, and learn how you can leverage the same technology in your environment without compromising performance or uptime. You’ll come away with tips on deploying, managing, and integrating Fortify Runtime Protection so you can block attacks while providing your developers with line-of-code detail regarding how to close the holes.

Technologie
1  sur  35
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Runtime protection in the real world Brooks Garrett, Security Architect
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Who are you?
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.3 Brooks Garrett Professional • Head Security Architect for Global FOD Operations • Information Security professional for 5 years • CISSP • Worked with multiple Fortune 100 companies • OWASP Member • Contributor to community AppSec Projects (DVWA) Personal • Father • Rugby player for over 8 years Security Architect, Fortify on Demand
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.4 What is Fortify on Demand? Mobile App’s Dynamic Analysis Static Analysis
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.5 What is Fortify on Demand? Distributed Operations • Presence in 4 major regions around the world • Customers in over 15 countries • 5 Data centers • 3 Operations teams High Volume (This Year) • Over 300 customers • Over 3,000 applications • Over 15 languages • Over 225 Million lines of code
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The problem
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.7 The problem Bugs Errors Performance
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.8 Evolving attacks Obfuscation: • URL Encoding • Javascript Packing • Double encoding • Malformed UTF-7 Business Logic: • Purchase with negative value • Bypass multi-step process validation • Ship without paying
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.9 Security vs. functionality Developers have competing priorities • Functionality tends to ship ahead of security • Project roadmaps aren’t including exhaustive security reviews • Developer training is often framework or technology centric
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.10 Standardized logging, isn’t What are your apps doing? • If someone is abusing an application how would you know • Network events are standardized and documented – Internal application logging is often the Wild West of IT • Developers tend to log in various formats and focus on debug related events – Less focus on security centric events • Definition of security event varies from application to application • SIEM solutions expect normalized data to work efficiently
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The solution
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.12 The solution What if we could: • Block advanced injection attacks – Regardless of obfuscation • Integrate seamlessly with our existing applications • Generate application event logs – Without burdening developers or making code changes – In an industry standard format
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.13 What about WAF? WAF is too far from your application: • WAF can’t block advanced injection attacks – The WAF only sees obfuscated attacks • WAF can’t integrate seamlessly with our existing applications – WAF doesn’t understand application flow • WAF can’t generate application event logs – WAF has no visibility into application functions
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.14 Examples WAF is great in theory but falls short in reality: • Block advanced injection attacks – The WAF only sees obfuscated attacks – id=1%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/1,2,password%252f%252a*/FROM%252f%252a*/Users–+ • Integrate seamlessly with our existing applications – WAF doesn’t understand application flow – No integration, just another layer of network defense • Generate application event logs – WAF has no visibility into application functions – WAF talks GET and POST, the application talks File.WriteLine(SSN.ToString())
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. "Give a small boy a hammer, and he will find that everything he encounters needs pounding." Abraham Kaplan (1964)
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.16 The solution Fortify RTA • Integrates into the CLR (Common Language Runtime) for a deep inspection of the application • Fast deployment time • Leverages standard Fortify rule definitions with ongoing support and updates • Increases resource consumption by less than 10% • Extremely flexible response capability • Provides line of code detail for developer remediation • Extends and enables logging from the application without code changes • Removes the need for additional SSL certificate deployment and management
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Implementing the solution
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.18 Deployment Basic plan 1. Deploy SSC (Software Security Center) 2. Configure Federations 3. Deploy Agents
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.19 SSC Software Security Center • Java Web Application • Runs well inside Tomcat 7 • Deployed with MySQL • Optional
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.20 Configure federations Federations provide • Centralized configuration management • Centralized update management • Ability to separate endpoints for better visibility • Ability to swap between Protect and Log mode, on the fly • Ability to temporarily disable the solution completely
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.21 Agent deployment Basic plan 1. Agent installer is a single EXE package 2. Requires a server service restart 3. Agents register according to federation rules
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.22 Deployment experience Positive • Able to deploy to all servers with zero downtime inside one week • Deployed via SCCM • Integration with ArcSight and other CEF compliant devices was painless Considerations • SSC will house all of your security event data, proper database planning advised • Deploy throughout the whole organization starting in QA and Integration • Deploy in log mode initially but commit to enabling Protect mode for the most value
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Getting value from the solution
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.24 Getting value from the solution Immediate value from advanced features • Closing the loop and providing developers with line of code detail • Standardized application logging without changing existing code • Versatile response capabilities
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.25 Closing the loop Developer visibility at line of code level • Beyond URLs – Covers both security and performance issues – Line of code reference for issues – Specific stack trace for exceptions – Sample request data for reproducing event
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.26 Standardized application logging DevOps visibility into security issues • OWASP AppSensor without code changes – User logon – User logout – User privilege level change – User password changed – Substituting another user’s session ID – Hidden field manipulation
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.27 Standardized application logging DevOps visibility into security issues • Industry standard events from all apps – CEF format readily consumable by COTS devices – Instant standardization of event data – Common transport mechanism over syslog
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.28 Versatile response capabilities Custom automated responses • Respond to threats based on severity – Ignore the attack – Silently block the attack – Block and display a specific error page – Integrate with SIEM and active response to eradicate malicious users
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Conclusions
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.30 Real, tangible DevOps
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.31 The future is now RTA provides • Advanced defenses against sophisticated attacks regardless of obfuscation • The closest technology is a WAF… – And it doesn’t come close • Rapid deployment with zero downtime for clustered environments • Line of code references for your developers • Application logging based on industry best practice with zero coding required • Powerful and granular response capability from ignore to nuke from orbit
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.32 The new reality of application security Previous thinking isn’t working • It is no longer enough to provide network level defenses for application level vulnerabilities • Application security must move beyond the network and into the application • The ultimate goal of all application security is safeguarding data – The application is the closest layer to your data
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.33 For more information Attend these sessions • 1293, Getting the most out of Fortify SCA • 1239, HP Fortify on Demand Visit our booth • B2 After the event • Contact your sales rep • Visit the website at: http://hp.com/go/appsec Your feedback is important to us. Please take a few minutes to complete the session survey.
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Thank you
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Security for the new reality

Recommandé

Professional incident response
Professional incident responseProfessional incident response
Professional incident responseBrooks Garrett
 
Harry Regan - It's Never So Bad That It Can't Get Worse
Harry Regan - It's Never So Bad That It Can't Get WorseHarry Regan - It's Never So Bad That It Can't Get Worse
Harry Regan - It's Never So Bad That It Can't Get Worsecentralohioissa
 
Software Security Assurance - Program Building (You're going to need a bigger...
Software Security Assurance - Program Building (You're going to need a bigger...Software Security Assurance - Program Building (You're going to need a bigger...
Software Security Assurance - Program Building (You're going to need a bigger...Rafal Los
 
Poor mans spy vs spy using open source tools to detect attackers
Poor mans spy vs spy using open source tools to detect attackersPoor mans spy vs spy using open source tools to detect attackers
Poor mans spy vs spy using open source tools to detect attackersDerek Banks
 
Incident response on a shoestring budget
Incident response on a shoestring budgetIncident response on a shoestring budget
Incident response on a shoestring budgetDerek Banks
 
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...Rafal Los
 
Retail Security: Closing the Threat Gap
Retail Security: Closing the Threat GapRetail Security: Closing the Threat Gap
Retail Security: Closing the Threat GapTripwire
 
CredDefense Toolkit
CredDefense ToolkitCredDefense Toolkit
CredDefense ToolkitDerek Banks
 

Recommandé

Professional incident response
Professional incident responseProfessional incident response
Professional incident responseBrooks Garrett
 
Harry Regan - It's Never So Bad That It Can't Get Worse
Harry Regan - It's Never So Bad That It Can't Get WorseHarry Regan - It's Never So Bad That It Can't Get Worse
Harry Regan - It's Never So Bad That It Can't Get Worsecentralohioissa
 
Software Security Assurance - Program Building (You're going to need a bigger...
Software Security Assurance - Program Building (You're going to need a bigger...Software Security Assurance - Program Building (You're going to need a bigger...
Software Security Assurance - Program Building (You're going to need a bigger...Rafal Los
 
Poor mans spy vs spy using open source tools to detect attackers
Poor mans spy vs spy using open source tools to detect attackersPoor mans spy vs spy using open source tools to detect attackers
Poor mans spy vs spy using open source tools to detect attackersDerek Banks
 
Incident response on a shoestring budget
Incident response on a shoestring budgetIncident response on a shoestring budget
Incident response on a shoestring budgetDerek Banks
 
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...Rafal Los
 
Retail Security: Closing the Threat Gap
Retail Security: Closing the Threat GapRetail Security: Closing the Threat Gap
Retail Security: Closing the Threat GapTripwire
 
CredDefense Toolkit
CredDefense ToolkitCredDefense Toolkit
CredDefense ToolkitDerek Banks
 
5 Essential Capabilities You Need to Tackle Cyber Threats
5 Essential Capabilities You Need to Tackle Cyber Threats5 Essential Capabilities You Need to Tackle Cyber Threats
5 Essential Capabilities You Need to Tackle Cyber ThreatsSolarWinds
 
Retail security-services--client-presentation
Retail security-services--client-presentationRetail security-services--client-presentation
Retail security-services--client-presentationJoseph Schorr
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItResilient Systems
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comAravind R
 
If an Application Fails in the Datacenter and No Users Are On It, Will it Cut...
If an Application Fails in the Datacenter and No Users Are On It, Will it Cut...If an Application Fails in the Datacenter and No Users Are On It, Will it Cut...
If an Application Fails in the Datacenter and No Users Are On It, Will it Cut...SolarWinds
 
The must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challengeThe must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challengeCompliancy Group
 
smAlbany 2013 gn bdr pp
smAlbany 2013 gn bdr ppsmAlbany 2013 gn bdr pp
smAlbany 2013 gn bdr ppLiberteks
 
Security intelligence using big data presentation (engineering seminar)
Security intelligence using big data presentation (engineering seminar)Security intelligence using big data presentation (engineering seminar)
Security intelligence using big data presentation (engineering seminar)Marco Casassa Mont
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Denim Group
 
How to improve your system monitoring
How to improve your system monitoringHow to improve your system monitoring
How to improve your system monitoringAndrew White
 
Threat Intelligence + SIEM: A Force to be Reckoned With
Threat Intelligence + SIEM: A Force to be Reckoned WithThreat Intelligence + SIEM: A Force to be Reckoned With
Threat Intelligence + SIEM: A Force to be Reckoned WithSolarWinds
 
CSO CXO Series Breakfast
CSO CXO Series BreakfastCSO CXO Series Breakfast
CSO CXO Series BreakfastCSO_Presentations
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublinDerek King
 
conf2015_TLaGatta_CHarris_Splunk_BusinessAnalytics_DeliveringHighLevelAnalytics
conf2015_TLaGatta_CHarris_Splunk_BusinessAnalytics_DeliveringHighLevelAnalyticsconf2015_TLaGatta_CHarris_Splunk_BusinessAnalytics_DeliveringHighLevelAnalytics
conf2015_TLaGatta_CHarris_Splunk_BusinessAnalytics_DeliveringHighLevelAnalyticsTom LaGatta
 
Meletis Belsis -CSIRTs
Meletis Belsis -CSIRTsMeletis Belsis -CSIRTs
Meletis Belsis -CSIRTsMeletis Belsis MPhil/MRes/BSc
 
Janitor vs cleaner
Janitor vs cleanerJanitor vs cleaner
Janitor vs cleanerJohn Stauffacher
 
Devsec ops
Devsec opsDevsec ops
Devsec opsVipinYadav257
 
Incident Command: The far side of the edge
Incident Command: The far side of the edgeIncident Command: The far side of the edge
Incident Command: The far side of the edgeFastly
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing KeynoteDigital Bond
 
2014 Top 10 Predictions for BC/DR by Dr. Steven B Goldman
2014 Top 10 Predictions for BC/DR by Dr. Steven B Goldman2014 Top 10 Predictions for BC/DR by Dr. Steven B Goldman
2014 Top 10 Predictions for BC/DR by Dr. Steven B GoldmanxMattersMarketing
 
Virtual Application Networks Innovations Advance Software-defined Network Lea...
Virtual Application Networks Innovations Advance Software-defined Network Lea...Virtual Application Networks Innovations Advance Software-defined Network Lea...
Virtual Application Networks Innovations Advance Software-defined Network Lea...Open Networking Summits
 
HP Discover - Developing new applications for the cloud
HP Discover - Developing new applications for the cloudHP Discover - Developing new applications for the cloud
HP Discover - Developing new applications for the cloudBart Blommaerts
 

Contenu connexe

Tendances

5 Essential Capabilities You Need to Tackle Cyber Threats
5 Essential Capabilities You Need to Tackle Cyber Threats5 Essential Capabilities You Need to Tackle Cyber Threats
5 Essential Capabilities You Need to Tackle Cyber ThreatsSolarWinds
 
Retail security-services--client-presentation
Retail security-services--client-presentationRetail security-services--client-presentation
Retail security-services--client-presentationJoseph Schorr
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItResilient Systems
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comAravind R
 
If an Application Fails in the Datacenter and No Users Are On It, Will it Cut...
If an Application Fails in the Datacenter and No Users Are On It, Will it Cut...If an Application Fails in the Datacenter and No Users Are On It, Will it Cut...
If an Application Fails in the Datacenter and No Users Are On It, Will it Cut...SolarWinds
 
The must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challengeThe must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challengeCompliancy Group
 
smAlbany 2013 gn bdr pp
smAlbany 2013 gn bdr ppsmAlbany 2013 gn bdr pp
smAlbany 2013 gn bdr ppLiberteks
 
Security intelligence using big data presentation (engineering seminar)
Security intelligence using big data presentation (engineering seminar)Security intelligence using big data presentation (engineering seminar)
Security intelligence using big data presentation (engineering seminar)Marco Casassa Mont
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Denim Group
 
How to improve your system monitoring
How to improve your system monitoringHow to improve your system monitoring
How to improve your system monitoringAndrew White
 
Threat Intelligence + SIEM: A Force to be Reckoned With
Threat Intelligence + SIEM: A Force to be Reckoned WithThreat Intelligence + SIEM: A Force to be Reckoned With
Threat Intelligence + SIEM: A Force to be Reckoned WithSolarWinds
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublinDerek King
 
conf2015_TLaGatta_CHarris_Splunk_BusinessAnalytics_DeliveringHighLevelAnalytics
conf2015_TLaGatta_CHarris_Splunk_BusinessAnalytics_DeliveringHighLevelAnalyticsconf2015_TLaGatta_CHarris_Splunk_BusinessAnalytics_DeliveringHighLevelAnalytics
conf2015_TLaGatta_CHarris_Splunk_BusinessAnalytics_DeliveringHighLevelAnalyticsTom LaGatta
 
Incident Command: The far side of the edge
Incident Command: The far side of the edgeIncident Command: The far side of the edge
Incident Command: The far side of the edgeFastly
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing KeynoteDigital Bond
 
2014 Top 10 Predictions for BC/DR by Dr. Steven B Goldman
2014 Top 10 Predictions for BC/DR by Dr. Steven B Goldman2014 Top 10 Predictions for BC/DR by Dr. Steven B Goldman
2014 Top 10 Predictions for BC/DR by Dr. Steven B GoldmanxMattersMarketing
 

Tendances (20)

5 Essential Capabilities You Need to Tackle Cyber Threats
5 Essential Capabilities You Need to Tackle Cyber Threats5 Essential Capabilities You Need to Tackle Cyber Threats
5 Essential Capabilities You Need to Tackle Cyber Threats
 
Retail security-services--client-presentation
Retail security-services--client-presentationRetail security-services--client-presentation
Retail security-services--client-presentation
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About It
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.com
 
If an Application Fails in the Datacenter and No Users Are On It, Will it Cut...
If an Application Fails in the Datacenter and No Users Are On It, Will it Cut...If an Application Fails in the Datacenter and No Users Are On It, Will it Cut...
If an Application Fails in the Datacenter and No Users Are On It, Will it Cut...
 
The must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challengeThe must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challenge
 
smAlbany 2013 gn bdr pp
smAlbany 2013 gn bdr ppsmAlbany 2013 gn bdr pp
smAlbany 2013 gn bdr pp
 
Security intelligence using big data presentation (engineering seminar)
Security intelligence using big data presentation (engineering seminar)Security intelligence using big data presentation (engineering seminar)
Security intelligence using big data presentation (engineering seminar)
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
 
How to improve your system monitoring
How to improve your system monitoringHow to improve your system monitoring
How to improve your system monitoring
 
Threat Intelligence + SIEM: A Force to be Reckoned With
Threat Intelligence + SIEM: A Force to be Reckoned WithThreat Intelligence + SIEM: A Force to be Reckoned With
Threat Intelligence + SIEM: A Force to be Reckoned With
 
CSO CXO Series Breakfast
CSO CXO Series BreakfastCSO CXO Series Breakfast
CSO CXO Series Breakfast
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
 
conf2015_TLaGatta_CHarris_Splunk_BusinessAnalytics_DeliveringHighLevelAnalytics
conf2015_TLaGatta_CHarris_Splunk_BusinessAnalytics_DeliveringHighLevelAnalyticsconf2015_TLaGatta_CHarris_Splunk_BusinessAnalytics_DeliveringHighLevelAnalytics
conf2015_TLaGatta_CHarris_Splunk_BusinessAnalytics_DeliveringHighLevelAnalytics
 
Meletis Belsis -CSIRTs
Meletis Belsis -CSIRTsMeletis Belsis -CSIRTs
Meletis Belsis -CSIRTs
 
Janitor vs cleaner
Janitor vs cleanerJanitor vs cleaner
Janitor vs cleaner
 
Devsec ops
Devsec opsDevsec ops
Devsec ops
 
Incident Command: The far side of the edge
Incident Command: The far side of the edgeIncident Command: The far side of the edge
Incident Command: The far side of the edge
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing Keynote
 
2014 Top 10 Predictions for BC/DR by Dr. Steven B Goldman
2014 Top 10 Predictions for BC/DR by Dr. Steven B Goldman2014 Top 10 Predictions for BC/DR by Dr. Steven B Goldman
2014 Top 10 Predictions for BC/DR by Dr. Steven B Goldman
 

Similaire à Runtime Protection in the Real World

Virtual Application Networks Innovations Advance Software-defined Network Lea...
Virtual Application Networks Innovations Advance Software-defined Network Lea...Virtual Application Networks Innovations Advance Software-defined Network Lea...
Virtual Application Networks Innovations Advance Software-defined Network Lea...Open Networking Summits
 
HP Discover - Developing new applications for the cloud
HP Discover - Developing new applications for the cloudHP Discover - Developing new applications for the cloud
HP Discover - Developing new applications for the cloudBart Blommaerts
 
Il paradigma DevOps e Continuous Delivery Automation
Il paradigma DevOps e Continuous Delivery Automation Il paradigma DevOps e Continuous Delivery Automation
Il paradigma DevOps e Continuous Delivery Automation HP Enterprise Italia
 
Monitoring and Securing Active Directory Government Webinar for the US Army
Monitoring and Securing Active Directory Government Webinar for the US ArmyMonitoring and Securing Active Directory Government Webinar for the US Army
Monitoring and Securing Active Directory Government Webinar for the US ArmySolarWinds
 
Mobile enterprise sept 24 v1
Mobile enterprise sept 24 v1Mobile enterprise sept 24 v1
Mobile enterprise sept 24 v1Wilfried Grommen
 
Government and Education Webinar: Successfully Migrating Applications to the ...
Government and Education Webinar: Successfully Migrating Applications to the ...Government and Education Webinar: Successfully Migrating Applications to the ...
Government and Education Webinar: Successfully Migrating Applications to the ...SolarWinds
 
Twelve Factor - Designing for Change
Twelve Factor - Designing for ChangeTwelve Factor - Designing for Change
Twelve Factor - Designing for ChangeEric Wyles
 
Java Micro Edition (ME) 8 Deep Dive
Java Micro Edition (ME) 8 Deep DiveJava Micro Edition (ME) 8 Deep Dive
Java Micro Edition (ME) 8 Deep Diveterrencebarr
 
Il paradigma DevOps e Continuous Delivery Automation
Il paradigma DevOps e Continuous Delivery AutomationIl paradigma DevOps e Continuous Delivery Automation
Il paradigma DevOps e Continuous Delivery AutomationHP Enterprise Italia
 
Digital government presentation final
Digital government presentation finalDigital government presentation final
Digital government presentation finalShirlie23
 
The Changing Role of a DBA in an Autonomous World
The Changing Role of a DBA in an Autonomous WorldThe Changing Role of a DBA in an Autonomous World
The Changing Role of a DBA in an Autonomous WorldMaria Colgan
 
Splunk MINT and Stream Breakout
Splunk MINT and Stream BreakoutSplunk MINT and Stream Breakout
Splunk MINT and Stream BreakoutSplunk
 
Government and Education Webinar: Improving Application Performance
Government and Education Webinar: Improving Application PerformanceGovernment and Education Webinar: Improving Application Performance
Government and Education Webinar: Improving Application PerformanceSolarWinds
 
Big Data Fundamentals 6.6.18
Big Data Fundamentals 6.6.18Big Data Fundamentals 6.6.18
Big Data Fundamentals 6.6.18Cloudera, Inc.
 
A DevOps adoption playbook- achieving business value at scale
A DevOps adoption playbook- achieving business value at scaleA DevOps adoption playbook- achieving business value at scale
A DevOps adoption playbook- achieving business value at scaleSanjeev Sharma
 
Technology insights: Decision Science Platform
Technology insights: Decision Science PlatformTechnology insights: Decision Science Platform
Technology insights: Decision Science PlatformDecision Science Community
 
the-top-ten-things-that-have-been-proven-to-effect-software-reliability-1.pdf
the-top-ten-things-that-have-been-proven-to-effect-software-reliability-1.pdfthe-top-ten-things-that-have-been-proven-to-effect-software-reliability-1.pdf
the-top-ten-things-that-have-been-proven-to-effect-software-reliability-1.pdfmattcs901
 
Federal Webinar: Security Compliance with SolarWinds Network Management Tools
Federal Webinar: Security Compliance with SolarWinds Network Management ToolsFederal Webinar: Security Compliance with SolarWinds Network Management Tools
Federal Webinar: Security Compliance with SolarWinds Network Management ToolsSolarWinds
 

Similaire à Runtime Protection in the Real World (20)

Virtual Application Networks Innovations Advance Software-defined Network Lea...
Virtual Application Networks Innovations Advance Software-defined Network Lea...Virtual Application Networks Innovations Advance Software-defined Network Lea...
Virtual Application Networks Innovations Advance Software-defined Network Lea...
 
HP Discover - Developing new applications for the cloud
HP Discover - Developing new applications for the cloudHP Discover - Developing new applications for the cloud
HP Discover - Developing new applications for the cloud
 
Il paradigma DevOps e Continuous Delivery Automation
Il paradigma DevOps e Continuous Delivery Automation Il paradigma DevOps e Continuous Delivery Automation
Il paradigma DevOps e Continuous Delivery Automation
 
Monitoring and Securing Active Directory Government Webinar for the US Army
Monitoring and Securing Active Directory Government Webinar for the US ArmyMonitoring and Securing Active Directory Government Webinar for the US Army
Monitoring and Securing Active Directory Government Webinar for the US Army
 
Mobile enterprise sept 24 v1
Mobile enterprise sept 24 v1Mobile enterprise sept 24 v1
Mobile enterprise sept 24 v1
 
Government and Education Webinar: Successfully Migrating Applications to the ...
Government and Education Webinar: Successfully Migrating Applications to the ...Government and Education Webinar: Successfully Migrating Applications to the ...
Government and Education Webinar: Successfully Migrating Applications to the ...
 
Twelve Factor - Designing for Change
Twelve Factor - Designing for ChangeTwelve Factor - Designing for Change
Twelve Factor - Designing for Change
 
Java Micro Edition (ME) 8 Deep Dive
Java Micro Edition (ME) 8 Deep DiveJava Micro Edition (ME) 8 Deep Dive
Java Micro Edition (ME) 8 Deep Dive
 
Il paradigma DevOps e Continuous Delivery Automation
Il paradigma DevOps e Continuous Delivery AutomationIl paradigma DevOps e Continuous Delivery Automation
Il paradigma DevOps e Continuous Delivery Automation
 
Digital government presentation final
Digital government presentation finalDigital government presentation final
Digital government presentation final
 
The Changing Role of a DBA in an Autonomous World
The Changing Role of a DBA in an Autonomous WorldThe Changing Role of a DBA in an Autonomous World
The Changing Role of a DBA in an Autonomous World
 
Making Network Security Relevant
Making Network Security RelevantMaking Network Security Relevant
Making Network Security Relevant
 
Splunk MINT and Stream Breakout
Splunk MINT and Stream BreakoutSplunk MINT and Stream Breakout
Splunk MINT and Stream Breakout
 
Government and Education Webinar: Improving Application Performance
Government and Education Webinar: Improving Application PerformanceGovernment and Education Webinar: Improving Application Performance
Government and Education Webinar: Improving Application Performance
 
Big Data Fundamentals 6.6.18
Big Data Fundamentals 6.6.18Big Data Fundamentals 6.6.18
Big Data Fundamentals 6.6.18
 
Big Data Fundamentals
Big Data FundamentalsBig Data Fundamentals
Big Data Fundamentals
 
A DevOps adoption playbook- achieving business value at scale
A DevOps adoption playbook- achieving business value at scaleA DevOps adoption playbook- achieving business value at scale
A DevOps adoption playbook- achieving business value at scale
 
Technology insights: Decision Science Platform
Technology insights: Decision Science PlatformTechnology insights: Decision Science Platform
Technology insights: Decision Science Platform
 
the-top-ten-things-that-have-been-proven-to-effect-software-reliability-1.pdf
the-top-ten-things-that-have-been-proven-to-effect-software-reliability-1.pdfthe-top-ten-things-that-have-been-proven-to-effect-software-reliability-1.pdf
the-top-ten-things-that-have-been-proven-to-effect-software-reliability-1.pdf
 
Federal Webinar: Security Compliance with SolarWinds Network Management Tools
Federal Webinar: Security Compliance with SolarWinds Network Management ToolsFederal Webinar: Security Compliance with SolarWinds Network Management Tools
Federal Webinar: Security Compliance with SolarWinds Network Management Tools
 

Dernier

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Dernier (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Runtime Protection in the Real World

  • 1. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Runtime protection in the real world Brooks Garrett, Security Architect
  • 2. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Who are you?
  • 3. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.3 Brooks Garrett Professional • Head Security Architect for Global FOD Operations • Information Security professional for 5 years • CISSP • Worked with multiple Fortune 100 companies • OWASP Member • Contributor to community AppSec Projects (DVWA) Personal • Father • Rugby player for over 8 years Security Architect, Fortify on Demand
  • 4. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.4 What is Fortify on Demand? Mobile App’s Dynamic Analysis Static Analysis
  • 5. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.5 What is Fortify on Demand? Distributed Operations • Presence in 4 major regions around the world • Customers in over 15 countries • 5 Data centers • 3 Operations teams High Volume (This Year) • Over 300 customers • Over 3,000 applications • Over 15 languages • Over 225 Million lines of code
  • 6. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The problem
  • 7. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.7 The problem Bugs Errors Performance
  • 8. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.8 Evolving attacks Obfuscation: • URL Encoding • Javascript Packing • Double encoding • Malformed UTF-7 Business Logic: • Purchase with negative value • Bypass multi-step process validation • Ship without paying
  • 9. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.9 Security vs. functionality Developers have competing priorities • Functionality tends to ship ahead of security • Project roadmaps aren’t including exhaustive security reviews • Developer training is often framework or technology centric
  • 10. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.10 Standardized logging, isn’t What are your apps doing? • If someone is abusing an application how would you know • Network events are standardized and documented – Internal application logging is often the Wild West of IT • Developers tend to log in various formats and focus on debug related events – Less focus on security centric events • Definition of security event varies from application to application • SIEM solutions expect normalized data to work efficiently
  • 11. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The solution
  • 12. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.12 The solution What if we could: • Block advanced injection attacks – Regardless of obfuscation • Integrate seamlessly with our existing applications • Generate application event logs – Without burdening developers or making code changes – In an industry standard format
  • 13. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.13 What about WAF? WAF is too far from your application: • WAF can’t block advanced injection attacks – The WAF only sees obfuscated attacks • WAF can’t integrate seamlessly with our existing applications – WAF doesn’t understand application flow • WAF can’t generate application event logs – WAF has no visibility into application functions
  • 14. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.14 Examples WAF is great in theory but falls short in reality: • Block advanced injection attacks – The WAF only sees obfuscated attacks – id=1%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/1,2,password%252f%252a*/FROM%252f%252a*/Users–+ • Integrate seamlessly with our existing applications – WAF doesn’t understand application flow – No integration, just another layer of network defense • Generate application event logs – WAF has no visibility into application functions – WAF talks GET and POST, the application talks File.WriteLine(SSN.ToString())
  • 15. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. "Give a small boy a hammer, and he will find that everything he encounters needs pounding." Abraham Kaplan (1964)
  • 16. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.16 The solution Fortify RTA • Integrates into the CLR (Common Language Runtime) for a deep inspection of the application • Fast deployment time • Leverages standard Fortify rule definitions with ongoing support and updates • Increases resource consumption by less than 10% • Extremely flexible response capability • Provides line of code detail for developer remediation • Extends and enables logging from the application without code changes • Removes the need for additional SSL certificate deployment and management
  • 17. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Implementing the solution
  • 18. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.18 Deployment Basic plan 1. Deploy SSC (Software Security Center) 2. Configure Federations 3. Deploy Agents
  • 19. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.19 SSC Software Security Center • Java Web Application • Runs well inside Tomcat 7 • Deployed with MySQL • Optional
  • 20. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.20 Configure federations Federations provide • Centralized configuration management • Centralized update management • Ability to separate endpoints for better visibility • Ability to swap between Protect and Log mode, on the fly • Ability to temporarily disable the solution completely
  • 21. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.21 Agent deployment Basic plan 1. Agent installer is a single EXE package 2. Requires a server service restart 3. Agents register according to federation rules
  • 22. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.22 Deployment experience Positive • Able to deploy to all servers with zero downtime inside one week • Deployed via SCCM • Integration with ArcSight and other CEF compliant devices was painless Considerations • SSC will house all of your security event data, proper database planning advised • Deploy throughout the whole organization starting in QA and Integration • Deploy in log mode initially but commit to enabling Protect mode for the most value
  • 23. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Getting value from the solution
  • 24. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.24 Getting value from the solution Immediate value from advanced features • Closing the loop and providing developers with line of code detail • Standardized application logging without changing existing code • Versatile response capabilities
  • 25. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.25 Closing the loop Developer visibility at line of code level • Beyond URLs – Covers both security and performance issues – Line of code reference for issues – Specific stack trace for exceptions – Sample request data for reproducing event
  • 26. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.26 Standardized application logging DevOps visibility into security issues • OWASP AppSensor without code changes – User logon – User logout – User privilege level change – User password changed – Substituting another user’s session ID – Hidden field manipulation
  • 27. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.27 Standardized application logging DevOps visibility into security issues • Industry standard events from all apps – CEF format readily consumable by COTS devices – Instant standardization of event data – Common transport mechanism over syslog
  • 28. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.28 Versatile response capabilities Custom automated responses • Respond to threats based on severity – Ignore the attack – Silently block the attack – Block and display a specific error page – Integrate with SIEM and active response to eradicate malicious users
  • 29. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Conclusions
  • 30. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.30 Real, tangible DevOps
  • 31. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.31 The future is now RTA provides • Advanced defenses against sophisticated attacks regardless of obfuscation • The closest technology is a WAF… – And it doesn’t come close • Rapid deployment with zero downtime for clustered environments • Line of code references for your developers • Application logging based on industry best practice with zero coding required • Powerful and granular response capability from ignore to nuke from orbit
  • 32. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.32 The new reality of application security Previous thinking isn’t working • It is no longer enough to provide network level defenses for application level vulnerabilities • Application security must move beyond the network and into the application • The ultimate goal of all application security is safeguarding data – The application is the closest layer to your data
  • 33. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.33 For more information Attend these sessions • 1293, Getting the most out of Fortify SCA • 1239, HP Fortify on Demand Visit our booth • B2 After the event • Contact your sales rep • Visit the website at: http://hp.com/go/appsec Your feedback is important to us. Please take a few minutes to complete the session survey.
  • 34. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Thank you
  • 35. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Security for the new reality

Notes de l'éditeur

  1. This talk is a case study in how FOD faced a unique problem and the solution we arrived at. It is a story of dogfooding and balancing operations with security.
  2. We are an Application Security company. We bake security into every facet of our SDLC, but nothing is ever perfect. In the perfect world, every build goes through rigorous fucntional, security, and user acceptance testing. We all know that right now our companies aren’t in the perfect world. This is the real world. In the real world things break. We find new bugs when users take actions or supply data we didn’t expect. We face ever changing tactics from determined attackers that have time on their side. We are responsible for satisfying performance metrics and keeping things running. With these goals and responsibilities there will come a time when that emergency patch has to go out right now and it probably missed a security gate somewhere along the way. The problem is Application Security is hard. Process is excellent but you have to place the correct controls in the right place to catch when process fails.
  3. The first thought that came to mind is, “Why not WAF?” There is a whole industry around securing web applications. This industry centers on the idea that we can’t just filter the network anymore. We have to protect the application. This is great when you don’t expect your users to send attack traffic to you, but what if you expect exactly that? What if normal traffic is your users sending large amounts of attack data at your site? WAF won’t cut it in this scenario. You’re left either leaving portions of your code unprotected or blocking normal users. Both scenarios are equally bad.
  4. This talk is a case study in how FOD faced a unique problem and the solution we arrived at. It is a story of dogfooding and balancing operations with security.
  5. RTA is the solution to our problem. RTA hooks directly into our CLR and provides deep insight into what is happening as untrusted data traverses our application. The false positive rate after initial tuning is near zero and we are leveraging standard FOD rulepacks.
  6. RTA is the solution to our problem. RTA hooks directly into our CLR and provides deep insight into what is happening as untrusted data traverses our application. The false positive rate after initial tuning is near zero and we are leveraging standard FOD rulepacks.
  7. RTA is the solution to our problem. RTA hooks directly into our CLR and provides deep insight into what is happening as untrusted data traverses our application. The false positive rate after initial tuning is near zero and we are leveraging standard FOD rulepacks.
  8. RTA is the solution to our problem. RTA hooks directly into our CLR and provides deep insight into what is happening as untrusted data traverses our application. The false positive rate after initial tuning is near zero and we are leveraging standard FOD rulepacks.
  9. RTA is the solution to our problem. RTA hooks directly into our CLR and provides deep insight into what is happening as untrusted data traverses our application. The false positive rate after initial tuning is near zero and we are leveraging standard FOD rulepacks.
  10. If you can recommend other Protect sessions to your audience, please include a slide like this one.