Valery Boronin presented on Application Inspector SSDL Edition, an application security testing tool. He began with an overview of common problems with application security like poor code quality costing over $500 billion annually. He then demonstrated Application Inspector SSDL Edition's capabilities like automated scanning, issue tracking, role-based access controls, and guidance for developers on fixing vulnerabilities. Benefits highlighted were helping develop more secure software through interaction with developers and automatic validation of fixes. Future plans include integration with build servers, IDEs, and providing more customization, compliance support, and analytics.
18.05.2016 Positive Hack Days 2016, Moscow 2
About – Valery Boronin
R&D – 20 years
Best in class Application & Device Control, as a Windows kernel-mode developer
RSDN Team member (still #1 in Low-level?!)
Security – began in the last millennium
CTO, small company (30+ subordinates)
Director DLP Research, large company (Kaspersky)
DLP, Encryption, Incident Management
Now responsible for SDL and Application Inspector SSDL Edition
Agenda for the next hour
1. Prologue – problem statement
2. Gartner on AST
3. Difficulties with AST tools
4. What we did against them in AI SSDL
5. Live demo
6. Our uniqueness & your benefits
7. Future
8. FAQ + Q&A
Problem statement
Code avalanche: not enough people to review it in an appropriate time frame
It results in
Increasing risks:
Product quality level is lower than expected
Defect leakage to production
Budget, schedule, effort overruns
Compliance & litigation
…
Increasing losses:
Lower sales
Financial
…even human lives
We are not the only ones thinking about it…
Gartner, Critical Capabilities for AST, 2014:
1. Enterprise management console, reporting across multiple testers, RBAC and SDL/SDLC integration.
2. Remediation advice + reporting + overall application portfolio risk trending for the CIO/CISO.
3. Multiple language support for the console and for services is an enterprise capability.
Difficulties with AST tools
1. Yet another mgmt. console, workflow, reports, ...
2. Helmet Fire + little / no help with remediation
3. Dedicated to one specific role (or even single-user)
4. No care about CxOs and auditors
5. Odd tools + SSDL is not a target
6. Sometimes poor architecture
7. Vendor lock + very long FR/CR cycle, w/o guarantees
1. Manual and/or inconvenient use
2. Delays + no guidance over process
3. Bad from a compliance perspective
D1: We interact with developers through code
D2: We help with remediation using teamwork
Different developers assigned different tickets work on a fix in specially prepared, separate branches simultaneously!
D3: We support roles + RBAC
Admin – to set up + assign roles
Developer – for Dev & QA
Manager – for R&D & Security managers
Auditor – see next slide
…more to come
D4: We take care of CxOs and auditors
Operations & BI
Audit
Benchmarking
Tracking from issues to people …and vice versa
Figure out / probe:
Trends
Anomalies
Hypotheses
Customize accordingly:
Policy / Reports / Dashboards
D: Convenient for each role
Automated code commit scan
Scan results delivered ASAP to all participants using their preferred way, form and even language
Code flaws & vulns in VCS
Issues in tracker
Notifications / Reports in UA-emails
• FYA for responsible
• FYI for observers
D: Minimal delays + help with guidance
Endless event-driven protection
Set your security policy rules
Guidance over process / code fix confirmations
Metrics & KPIs
Benchmarking
Proactive mgmt
D: Our approach favored by regulators
PA DSS & PCI DSS
OWASP
FSTEK
РС БР ИББС-2.6-2014
…
Your policy rules
D6: Enterprise architecture – Helicopter view
UX- & UA-aware
Extensible
Secure
• RBAC on data level
• Segregation of duty
• Least privilege
D7: We're open + self-help = No vendor lock
Analyst's Workplace: to design queries, to apply in:
Reports
Notifications
Dashboard / UI
Plugins / API
Our uniqueness – we're close to developers
For your records – what we saw today
1. How to scan a sample project on GitHub (I left it there so you can look at it later, if needed). AI SSDL may perform its job manually or automatically on any new commit in a selected branch of a specified repository.
2. How vulnerabilities are found and reported directly on GitHub.
3. How the developer/manager/administrator/etc. is notified about issues found through special role-based UX / UA-ready personalized notification emails. BTW, these notification emails are customizable – you may change them as you need per project, per role, etc. – no need to rebuild the product to get content appropriate for you.
4. How code flaws / vulns found are combined into aggregation tickets by vuln class (LDAP injection issues are one ticket, XSS issues are another).
5. How AI interacts with the developer through code annotation and our special markers (TODO, VERIFY, FIXED, REOPEN, FP). MS VS, Eclipse and ReSharper have built-in support for these markers.
6. How different developers are assigned different tickets / issues and work on fixes in separate branches (specially prepared, to keep focus) simultaneously.
7. How their changes are automatically detected and confirmed by AI – we do not take anyone's word for it ;-)
8. How a policy on a project changes its status (violated – red, or successful – green) depending on master branch scan results, and again how people are notified about it by UA-aware emails, with specific actions for different roles in different situations.
9. How to deal with the data collected (scans, commits, workflow, etc.) through the analyst's workplace – a special effort for the role of data analyst. Using this tool you may perform benchmarking, tracking from issues to people or vice versa – and, globally, probe your hypotheses, figure out trends or anomalies.
10. By modifying queries, you may even change certain parts of the product's UI on the fly (per role, per project, etc.) as you need, w/o filing a CR/FR and waiting while the vendor implements it a few months later and rolling the update out in your infrastructure. In the near future this approach will be reused in a similar manner to customize reports for your needs and to customize dashboards – with key metrics and indicators per project, per role, etc.
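To make demo steps 4, 5, 7 and 8 concrete, here is an added illustrative model of that workflow (example code written for this page, not Application Inspector's own implementation): findings grouped into one aggregation ticket per vulnerability class, developer markers read from code annotations, a fix accepted only when a rescan no longer reports the finding, and a project policy that turns red or green from the master-branch scan. The finding record layout, the "# AI:<MARKER>" annotation syntax, the policy rule, the file names and the scan results are all constructed assumptions.

```python
"""Illustrative model of a commit-scan workflow: aggregation tickets per
vulnerability class, developer markers in code annotations, fix confirmation
by rescan, and a red/green project policy.

Added example code, not Application Inspector's implementation. The finding
record layout, the '# AI:<MARKER>' annotation syntax, the policy rule and all
sample data below are assumptions constructed for this example.
"""
import re
from collections import defaultdict

# Markers the slide lists; the annotation syntax around them is assumed.
MARKERS = ("TODO", "VERIFY", "FIXED", "REOPEN", "FP")
MARKER_RE = re.compile(r"(?://|#)\s*AI:(" + "|".join(MARKERS) + r")\b")


def finding_key(finding):
    """Identity of a finding across scans: location plus vulnerability class."""
    return (finding["file"], finding["line"], finding["class"])


def aggregate_tickets(findings):
    """One aggregation ticket per vulnerability class (all XSS in one ticket,
    all LDAP injection issues in another)."""
    tickets = defaultdict(list)
    for finding in findings:
        tickets[finding["class"]].append(finding)
    return dict(tickets)


def read_markers(source_by_file):
    """Collect developer markers from annotated source, keyed by (file, line)."""
    markers = {}
    for path, text in source_by_file.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            match = MARKER_RE.search(line)
            if match:
                markers[(path, lineno)] = match.group(1)
    return markers


def reconcile(previous, rescan, markers):
    """State of each earlier finding after a rescan of the fix branch.
    A FIXED marker alone never closes a finding: the rescan must no longer
    report it at that location. A still-present finding marked FIXED is
    reopened. FP only flags the finding for an auditor's review."""
    still_present = {finding_key(f) for f in rescan}
    states = {}
    for finding in previous:
        key = finding_key(finding)
        marker = markers.get((finding["file"], finding["line"]))
        if marker == "FP":
            states[key] = "false_positive_pending_review"
        elif key in still_present:
            states[key] = "reopened" if marker == "FIXED" else "open"
        else:
            states[key] = "fixed_confirmed"
    return states


def policy_status(states, master_scan, max_open=0):
    """Project policy evaluated on the master-branch scan: green when open or
    reopened findings (including ones never seen before) are within the
    allowed number, red otherwise."""
    new_findings = {finding_key(f) for f in master_scan} - set(states)
    open_count = sum(1 for s in states.values() if s in ("open", "reopened"))
    open_count += len(new_findings)
    return "green" if open_count <= max_open else "red"


# Constructed sample data: a first scan, the source after the developers'
# fix branches were merged, and the rescan of that merged code.
PREVIOUS_SCAN = [
    {"class": "XSS", "file": "web/search.py", "line": 3},
    {"class": "XSS", "file": "web/profile.py", "line": 2},
    {"class": "LDAP injection", "file": "auth/ldap.py", "line": 4},
    {"class": "LDAP injection", "file": "auth/lookup.py", "line": 1},
]
SOURCE_AFTER_FIX = {
    "web/search.py": "import html\n\nout = html.escape(query)  # AI:FIXED\n",
    "web/profile.py": "name = request.args['n']\nreturn '<b>' + name + '</b>'  # AI:FIXED\n",
    "auth/ldap.py": "from ldap3.utils.conv import escape_filter_chars\n\n\n"
                    "flt = '(uid=%s)' % escape_filter_chars(uid)\n",
    "auth/lookup.py": "flt = '(cn=%s)' % CONSTANT_CN  # AI:FP\n",
}
RESCAN = [
    {"class": "XSS", "file": "web/profile.py", "line": 2},
    {"class": "LDAP injection", "file": "auth/lookup.py", "line": 1},
]


def run_demo():
    """Run the whole workflow on the constructed data."""
    tickets = aggregate_tickets(PREVIOUS_SCAN)
    states = reconcile(PREVIOUS_SCAN, RESCAN, read_markers(SOURCE_AFTER_FIX))
    return tickets, states, policy_status(states, RESCAN)


if __name__ == "__main__":
    tickets, states, status = run_demo()
    for vuln_class, items in tickets.items():
        print(f"ticket [{vuln_class}]: {len(items)} finding(s)")
    for key, state in states.items():
        print(f"{key[0]}:{key[1]} {key[2]}: {state}")
    print("policy:", status)
```

On the constructed data the search-page XSS is confirmed fixed because the rescan no longer reports it, the profile-page XSS is reopened because its FIXED marker is contradicted by the rescan, the escaped LDAP filter is confirmed fixed without any marker, the constant-filter finding is parked as a claimed false positive for review, and the one reopened finding is enough to turn the project policy red.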
PT AI SSDL Edition Benefits for Developers
Interaction through source code – no broken habits
Progress via aggregation tickets – in your favorite tracker
Automatic scans & fix confirmations – always helps
PT AI SSDL Edition Benefits for Managers
Your product development is safer, more secure and more reliable
Less possible damage & cost of incidents
Reduced risks, including
• Vulnerability leak into production
• Late vulnerability detection
• Effort overruns
• Schedule overruns
• Budget overruns
• Project failure
• …even intellectual property-related
Benefits for Security guys, CxOs and Auditors
Power of AI under the hood
Exploits
Endless event-driven protection
Set your security policy rules
Guidance over process
3rd-party code acceptance
BI, Metrics & KPIs
Benchmarking
Audit
Benefits for All
No broken habits + Favorite tools + Clear language
Conclusion
Is your product popular? It's the next target!
Development using SSDL – saves costs, reduces risks and increases the quality of your product (why? See this on SSDL)
Development with AI SSDL – your step to safer, more secure, more reliable code and, thus, to a safer future
Time to try AI SSDL!
Future Plans and Ideas
CI and build servers
IDE
Policy and workflow mgmt. & enforcement
Flexible classifications
Open API, Plugins SDK
Make Gartner & Co happy:
Overall app portfolio risk trending for CxO/CISO
Vulnerability tracking – vulnerability life cycle
Future – Citius, Altius, Fortius
More roles
More policies
More workflows
More compliance
More reports
More tools
More environments
Please give us advice on what is important to you – we will plan and support it a bit later
FAQ
Q1: AI Desktop vs AI SSDL: what's the difference?
A1: AI Desktop is for security guys, AI SSDL for developers.
Q2: What's next?
A2: Give us a card and we'll send you a form to sign up for a CTP
Q3: When will it be available?
A3: CTP (Community Technology Preview) planned for Autumn '16
Q: But wait! …what if I want it right now?
A: Begin with AI Desktop (the analysis engine is the same) and get AI SSDL later, with an AI Desktop price reduction!
Discussion
Is everything clear?
Is there all you need?
Something forgotten?
Questions & clarifications
Ideas
Improvements
Suggestions
Feedback is highly appreciated!
Please deliver it your preferred way.