Contenu connexe Similaire à Runtime Protection in the Real World (20) Runtime Protection in the Real World1. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Runtime protection in the
real world
Brooks Garrett, Security Architect
2. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Who are you?
3. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.3
Brooks Garrett
Professional
• Head Security Architect for Global FOD
Operations
• Information Security professional for 5 years
• CISSP
• Worked with multiple Fortune 100 companies
• OWASP Member
• Contributor to community AppSec Projects
(DVWA)
Personal
• Father
• Rugby player for over 8 years
Security Architect, Fortify on Demand
4. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.4
What is Fortify on Demand?
Mobile
App’s
Dynamic
Analysis
Static
Analysis
5. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.5
What is Fortify on Demand?
Distributed Operations
• Presence in 4 major regions around the world
• Customers in over 15 countries
• 5 Data centers
• 3 Operations teams
High Volume (This Year)
• Over 300 customers
• Over 3,000 applications
• Over 15 languages
• Over 225 Million lines of code
6. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
The problem
7. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.7
The problem
Bugs Errors Performance
8. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.8
Evolving attacks
Obfuscation:
• URL Encoding
• Javascript Packing
• Double encoding
• Malformed UTF-7
Business Logic:
• Purchase with negative value
• Bypass multi-step process validation
• Ship without paying
9. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.9
Security vs. functionality
Developers have competing priorities
• Functionality tends to ship ahead of security
• Project roadmaps aren’t including exhaustive security reviews
• Developer training is often framework or technology centric
10. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.10
Standardized logging, isn’t
What are your apps doing?
• If someone is abusing an application how would you know
• Network events are standardized and documented
– Internal application logging is often the Wild West of IT
• Developers tend to log in various formats and focus on debug related events
– Less focus on security centric events
• Definition of security event varies from application to application
• SIEM solutions expect normalized data to work efficiently
11. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
The solution
12. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.12
The solution
What if we could:
• Block advanced injection attacks
– Regardless of obfuscation
• Integrate seamlessly with our existing applications
• Generate application event logs
– Without burdening developers or making code changes
– In an industry standard format
13. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.13
What about WAF?
WAF is too far from your application:
• WAF can’t block advanced injection attacks
– The WAF only sees obfuscated attacks
• WAF can’t integrate seamlessly with our existing applications
– WAF doesn’t understand application flow
• WAF can’t generate application event logs
– WAF has no visibility into application functions
14. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.14
Examples
WAF is great in theory but falls short in reality:
• Block advanced injection attacks
– The WAF only sees obfuscated attacks
– id=1%252f%252a*/UNION%252f%252a
/SELECT%252f%252a*/1,2,password%252f%252a*/FROM%252f%252a*/Users–+
• Integrate seamlessly with our existing applications
– WAF doesn’t understand application flow
– No integration, just another layer of network defense
• Generate application event logs
– WAF has no visibility into application functions
– WAF talks GET and POST, the application talks File.WriteLine(SSN.ToString())
15. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
"Give a small boy a hammer,
and he will find that everything
he encounters needs
pounding."
Abraham Kaplan (1964)
16. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.16
The solution
Fortify RTA
• Integrates into the CLR (Common Language Runtime) for a deep inspection of the application
• Fast deployment time
• Leverages standard Fortify rule definitions with ongoing support and updates
• Increases resource consumption by less than 10%
• Extremely flexible response capability
• Provides line of code detail for developer remediation
• Extends and enables logging from the application without code changes
• Removes the need for additional SSL certificate deployment and management
17. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Implementing the solution
18. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.18
Deployment
Basic plan
1. Deploy SSC (Software Security Center)
2. Configure Federations
3. Deploy Agents
19. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.19
SSC
Software Security Center
• Java Web Application
• Runs well inside Tomcat 7
• Deployed with MySQL
• Optional
20. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.20
Configure federations
Federations provide
• Centralized configuration management
• Centralized update management
• Ability to separate endpoints for better visibility
• Ability to swap between Protect and Log mode, on the fly
• Ability to temporarily disable the solution completely
21. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.21
Agent deployment
Basic plan
1. Agent installer is a single EXE package
2. Requires a server service restart
3. Agents register according to federation rules
22. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.22
Deployment experience
Positive
• Able to deploy to all servers with zero downtime inside one week
• Deployed via SCCM
• Integration with ArcSight and other CEF compliant devices was painless
Considerations
• SSC will house all of your security event data, proper database planning advised
• Deploy throughout the whole organization starting in QA and Integration
• Deploy in log mode initially but commit to enabling Protect mode for the most value
23. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Getting value from the solution
24. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.24
Getting value from the solution
Immediate value from advanced features
• Closing the loop and providing developers with line of code detail
• Standardized application logging without changing existing code
• Versatile response capabilities
25. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.25
Closing the loop
Developer visibility at line of code
level
• Beyond URLs
– Covers both security and performance issues
– Line of code reference for issues
– Specific stack trace for exceptions
– Sample request data for reproducing event
26. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.26
Standardized application logging
DevOps visibility into security
issues
• OWASP AppSensor without code changes
– User logon
– User logout
– User privilege level change
– User password changed
– Substituting another user’s session ID
– Hidden field manipulation
27. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.27
Standardized application logging
DevOps visibility into security
issues
• Industry standard events from all apps
– CEF format readily consumable by COTS
devices
– Instant standardization of event data
– Common transport mechanism over syslog
28. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.28
Versatile response capabilities
Custom automated responses
• Respond to threats based on severity
– Ignore the attack
– Silently block the attack
– Block and display a specific error page
– Integrate with SIEM and active response to
eradicate malicious users
29. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Conclusions
30. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.30
Real, tangible
DevOps
31. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.31
The future is now
RTA provides
• Advanced defenses against sophisticated attacks regardless of obfuscation
• The closest technology is a WAF…
– And it doesn’t come close
• Rapid deployment with zero downtime for clustered environments
• Line of code references for your developers
• Application logging based on industry best practice with zero coding required
• Powerful and granular response capability from ignore to nuke from orbit
32. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.32
The new reality of application security
Previous thinking isn’t working
• It is no longer enough to provide network level defenses for application level vulnerabilities
• Application security must move beyond the network and into the application
• The ultimate goal of all application security is safeguarding data
– The application is the closest layer to your data
33. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.33
For more information
Attend these sessions
• 1293, Getting the
most out of Fortify
SCA
• 1239, HP Fortify on
Demand
Visit our booth
• B2
After the event
• Contact your sales rep
• Visit the website at:
http://hp.com/go/appsec
Your feedback is important to us. Please take a few minutes to complete the session survey.
34. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Thank you
35. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Security for the new reality
Notes de l'éditeur This talk is a case study in how FOD faced a unique problem and the solution we arrived at. It is a story of dogfooding and balancing operations with security. We are an Application Security company. We bake security into every facet of our SDLC, but nothing is ever perfect. In the perfect world, every build goes through rigorous fucntional, security, and user acceptance testing. We all know that right now our companies aren’t in the perfect world. This is the real world. In the real world things break. We find new bugs when users take actions or supply data we didn’t expect. We face ever changing tactics from determined attackers that have time on their side. We are responsible for satisfying performance metrics and keeping things running.
With these goals and responsibilities there will come a time when that emergency patch has to go out right now and it probably missed a security gate somewhere along the way.
The problem is Application Security is hard. Process is excellent but you have to place the correct controls in the right place to catch when process fails. The first thought that came to mind is, “Why not WAF?” There is a whole industry around securing web applications. This industry centers on the idea that we can’t just filter the network anymore. We have to protect the application. This is great when you don’t expect your users to send attack traffic to you, but what if you expect exactly that? What if normal traffic is your users sending large amounts of attack data at your site?
WAF won’t cut it in this scenario. You’re left either leaving portions of your code unprotected or blocking normal users. Both scenarios are equally bad. This talk is a case study in how FOD faced a unique problem and the solution we arrived at. It is a story of dogfooding and balancing operations with security. RTA is the solution to our problem. RTA hooks directly into our CLR and provides deep insight into what is happening as untrusted data traverses our application. The false positive rate after initial tuning is near zero and we are leveraging standard FOD rulepacks. RTA is the solution to our problem. RTA hooks directly into our CLR and provides deep insight into what is happening as untrusted data traverses our application. The false positive rate after initial tuning is near zero and we are leveraging standard FOD rulepacks. RTA is the solution to our problem. RTA hooks directly into our CLR and provides deep insight into what is happening as untrusted data traverses our application. The false positive rate after initial tuning is near zero and we are leveraging standard FOD rulepacks. RTA is the solution to our problem. RTA hooks directly into our CLR and provides deep insight into what is happening as untrusted data traverses our application. The false positive rate after initial tuning is near zero and we are leveraging standard FOD rulepacks. RTA is the solution to our problem. RTA hooks directly into our CLR and provides deep insight into what is happening as untrusted data traverses our application. The false positive rate after initial tuning is near zero and we are leveraging standard FOD rulepacks. If you can recommend other Protect sessions to your audience, please include a slide like this one.