Continuous Application Security at Scale with IAST and RASP -- Transforming DevOps into DevSecOps
Abstract: SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way.

Bio: A pioneer in application security, Jeff Williams is the founder and CTO of Contrast Security, a revolutionary application security product. Contrast is an application agent that enables software to both report vulnerabilities and prevent attacks. Jeff has over 25 years of security experience, speaks frequently on cutting-edge application security, and has helped secure code at hundreds of major enterprises. Jeff served as the Global Chairman of the OWASP Foundation for eight years, where he created many open-source standards, tools, libraries, and guidelines - including the OWASP Top Ten.

Published in: Internet


  1. Continuous Application Security at Scale with IAST and RASP. Transforming DevOps into DevSecOps. Jeff Williams, CTO and founder, Contrast Security, @planetlevel. OWASP NOVA – July 2016.
  2. A BRIEF HISTORY OF APPLICATION SECURITY AUTOMATION. DAST (Dynamic AppSec Testing), WAF (Web Application Firewall), SAST (Static AppSec Testing), IDS/IPS (Intrusion Detection/Prevention System). Development (find vulnerabilities) vs. Operations (block attacks). IAST (Interactive AppSec Testing), RASP (Runtime Application Self-Protection), Unified Agent: IAST and RASP. Timeline labels: 2002, 2002, 2014, 2012, 2015.
  3. WARNING: Security has detected and blocked an attempted attack. This attack has been fully logged and may be further investigated. If you believe you have received this message in error, please contact security@company.com with the details of the incident. In 17 years of noisy pentesting, I have seen many stack traces, many error messages, and many requests to “please try again.” I have never been identified as an attacker. Madness.
  4. APPSEC IS GETTING HARDER EVERY DAY! Libraries: explosive growth in libraries and frameworks. Services: microservices, APIs, REST, SOAP, single-page apps. Cloud: rapidly growing use of cloud and containers. Agile: high-speed software development. Legacy application security tools can’t handle the speed, size, and complexity of modern software development.
  5. OWASP Benchmark: 21,000 test cases across a range of true and false vulnerabilities. Free, open, reproducible. Sponsored by DHS. (Chart labels: IAST-01, 33%.)
  6. THE TRUE COST OF FALSE POSITIVES. Tool → App → 400 possible vulnerabilities (security scanner PDF report). In two days, we can triage 100 of 400 “possibles” (10% true positives). We can confirm 10 of 40 real vulnerabilities. We will miss 30 of 40 real vulnerabilities.
  7. WHAT’S YOUR ACTSOA? ANNUAL COST TO SECURE ONE APPLICATION (cost factor, description, cost):
     - License Cost: Typical per-application annual license. This cost is $0 if relying on a manual pentest and/or manual code review.
     - Analysis: Actually assessing an application typically takes 2-4 weeks for a manual review, 1 for an automated scan.
     - Triage: Experts must eliminate false positives from automated tool results. Plan on several per assessment, zero for manual reviews.
     - Reporting: Every vulnerability needs to get risk rated, written up, tracked, reported, and closed. Dashboards need to be created. Figure one day per assessment.
     - Remediation: Full cost to remediate and deploy fixes. Typical application has 22 vulnerabilities at hours each at $100/hr totaling roughly $44,000. Cost: $$$$
     - Retest: The retest verifies that issues identified have been fixed appropriately. Typically the retest costs about 25% of original assessment.
     - Management: If running a scanning program, several headcount will be needed to manage the schedule, contracts, and infrastructure required.
     - TOTAL: ?
  8. ACCURACY, AUTOMATION, AND SCALABILITY. You can’t scale appsec without highly accurate tools (both true positives and true negatives), because inaccuracies require experts… and experts don’t scale.
  9. TRADITIONAL VS. CONTINUOUS.
  10. CONTINUOUS APPLICATION SECURITY (New Code → Production). Development and Operations: push code to production with fully automated security support. Application Security: security experts deliver security as code. Management: management makes informed decisions with detailed security analytics.
  11. CONTINUOUS APPLICATION SECURITY (New Code → Production). Development and Operations: Standard Defenses, Attack Protection, Security Integration. Application Security: Security Research (Internal), Threat Intelligence (External), Security Architecture. Management: Security Orchestration, Security Training.
  12. “4. The use of measuring instruments to monitor and control a process. It is the art and science of measurement and control of process variables within a production, laboratory, or manufacturing area.” (A dictionary definition of instrumentation.)
  13. Source instrumentation: inject a simple static method call.
  14. Binary instrumentation: widely used (CPU performance, memory, logging, security, …). Lots of libraries: ASM (Java), BCEL (Java), Javassist (Java), MBEL (.NET), RAIL (.NET), …
  15. Dynamic binary instrumentation! Runtime Environment: original binary code (classes) → Agent → instrumented binary code. Binary code is enhanced as it loads. Command and Control Dashboard.
  16. INSTRUMENTATION IN ACTION. Your application stack: app server, frameworks, libraries, custom code. Runtime: instrumentation agent. (1) Add agent: -javaagent:appsec.jar. (2) Agent instruments running application. (3) Agent blocks attacks and finds vulnerabilities. (4) Dashboard provides visibility and control (attacks and vulnerabilities).
  17. DETECTING AND BLOCKING BOTH ATTACKS AND VULNERABILITIES. Security context assembled within agent. Actors: Developer, Tester, User, Attacker. Application layers: Controller, Validation, Session, Business Logic, Data Layer, SQL API, Database. Sensors woven into running application: HTTP Request, Validation Tags, Data Tracking, Data Parsing, Escaping Tags, Query → Vulnerability? Attack?
  18. STOP TALKING ABOUT “STATIC” AND “DYNAMIC”. Software is a black box. Information sources: HTTP Traffic, Code, Frameworks, Libraries, Runtime Data Flow, Runtime Control Flow, Backend Connections, Configuration Data, Server Configuration, Etc… (Platform, Runtime, Software Architecture.) Compared: SAST, DAST, WAF, Instrumentation. Talk about what information you need to confirm a vulnerability or an attack.
  19. Instrumentation speed and accuracy dominates SAST and DAST. OWASP Benchmark – 21,000 test cases across a range of vulnerabilities. Sponsored by DHS. (Chart labels: 33%, 100%, 92%; IAST-01.)
  20. WAF vs. RASP. The WAF sits at the PERIMETER DECISION POINT and sees only the request: GET /foo?name='%20or%20%20'1'='1 HTTP/1.0. RASP sits at the APPLICATION DECISION POINT and sees the actual statement: stmt.execute( "select * from table where id ='1' or '1'='1'" ). Three problems with the perimeter approach: 1) Bottleneck 2) No context 3) Impedance.
  21. Instrumentation performance – same as code. WebGoat RASP processing: typical traffic 50 microseconds; mixed traffic 170 microseconds; heavy attack traffic 230 microseconds (millionths of a second). Number of applications doesn’t matter. No bottleneck on either bandwidth or CPU.
  22. Application Platform. Instrumentation adds a security assessment and protection API to every application. Your standard application stack(s): physical host or VM, container OS, container runtime, 3rd party frameworks, 3rd party libraries, apps and APIs (RASP). Examples… Report all use of DES/MD5; turn off XML doctype; set X-Frame-Options; report SQL injection vulns; log all failed authentications; block Spring EL attacks; report vulnerable libraries; deploy virtual patches; block apps with old jQuery.
  23. Instrumented application portfolio (CONTAINERS). User Plane: partners, users, employees, devices, hackers, bots, organized crime, insiders. AppSec Control Plane: operations, information security, application security, development, compliance. Visibility: attacks, vulnerabilities, enhanced logging, application profiles, libraries and frameworks, software architecture. Control: attack protection policy, secure coding policy, library policy, crypto policy, connection policy, configuration policy.
  24. THANK YOU. Jeff Williams, jeff.williams@contrastsecurity.com, @planetlevel, http://contrastsecurity.com. “Leader” “Visionary” “Innovator”.
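
Slides 13 to 16 describe the mechanism behind IAST and RASP: a Java agent attached with -javaagent that rewrites bytecode as each class loads, inserting a simple static method call in front of security-relevant operations. The agent below is an added example written for this page, not Contrast Security's code. It uses the open-source ASM library (org.ow2.asm:asm, assumed to be on the class path) and a constructed sink table covering the JDBC Statement methods and the DES/MD5 reporting case from slide 22. The class names AppSecAgent and SecuritySensor, and the jar name appsec.jar taken from slide 16, are assumptions; the manifest must carry `Premain-Class: AppSecAgent`.

```java
// AppSecAgent.java -- added example (not Contrast Security's code).
// Dynamic binary instrumentation: a ClassFileTransformer rewrites each class as it loads,
// weaving SecuritySensor.<sensor>(stringArg, location) in front of selected sink calls.
// Run with: java -javaagent:appsec.jar -cp <app classpath> <MainClass>
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.util.Map;

import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

public class AppSecAgent {

    // Sink table (constructed for this example): "owner.name(descriptor)" -> sensor method.
    // Every sink listed takes a String as its last argument; the DUP below depends on that.
    static final Map<String, String> SINKS = Map.of(
        "java/sql/Statement.execute(Ljava/lang/String;)Z", "onSql",
        "java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet;", "onSql",
        "java/sql/Statement.executeUpdate(Ljava/lang/String;)I", "onSql",
        "java/security/MessageDigest.getInstance(Ljava/lang/String;)Ljava/security/MessageDigest;", "onCrypto",
        "javax/crypto/Cipher.getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;", "onCrypto");

    // Named by the Premain-Class manifest attribute; runs before the application's main().
    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new SinkTransformer());
    }

    static final class SinkTransformer implements ClassFileTransformer {
        @Override
        public byte[] transform(ClassLoader loader, String className, Class<?> redefined,
                                ProtectionDomain domain, byte[] bytes) {
            // Instrument application code only: skip the JDK, ASM, and the agent itself.
            if (className == null || className.startsWith("java/") || className.startsWith("javax/")
                    || className.startsWith("jdk/") || className.startsWith("sun/")
                    || className.startsWith("org/objectweb/asm/")
                    || className.startsWith("AppSecAgent") || className.equals("SecuritySensor")) {
                return null; // null = load the class unchanged
            }
            ClassReader reader = new ClassReader(bytes);
            // COMPUTE_MAXS: the woven DUP + LDC raise the operand stack height by two.
            ClassWriter writer = new ClassWriter(reader, ClassWriter.COMPUTE_MAXS);
            reader.accept(new ClassVisitor(Opcodes.ASM9, writer) {
                @Override
                public MethodVisitor visitMethod(int access, String name, String desc,
                                                 String signature, String[] exceptions) {
                    MethodVisitor mv = super.visitMethod(access, name, desc, signature, exceptions);
                    return new SinkMethodVisitor(mv, className.replace('/', '.') + "." + name);
                }
            }, 0);
            return writer.toByteArray();
        }
    }

    // Rewrites one method body: before every call that matches the sink table, call the sensor.
    static final class SinkMethodVisitor extends MethodVisitor {
        private final String location;

        SinkMethodVisitor(MethodVisitor mv, String location) {
            super(Opcodes.ASM9, mv);
            this.location = location;
        }

        @Override
        public void visitMethodInsn(int opcode, String owner, String name, String desc, boolean isInterface) {
            String sensor = SINKS.get(owner + "." + name + desc);
            if (sensor != null) {
                // Operand stack just before the sink call: [..., receiver?, stringArg]
                super.visitInsn(Opcodes.DUP);                 // [..., stringArg, stringArg]
                super.visitLdcInsn(location);                 // [..., stringArg, stringArg, location]
                super.visitMethodInsn(Opcodes.INVOKESTATIC, "SecuritySensor", sensor,
                        "(Ljava/lang/String;Ljava/lang/String;)V", false); // consumes both copies
            }
            super.visitMethodInsn(opcode, owner, name, desc, isInterface); // original call, untouched
        }
    }
}

// The woven-in sensor API (slide 13's "simple static method call"). It ships in the agent jar,
// so application class loaders resolve it through parent delegation (assumed default delegation).
class SecuritySensor {
    public static void onSql(String sql, String location) {
        // A real agent hands the finished statement to its decision logic; here we record the event.
        System.err.printf("[appsec] SQL at %s: %s%n", location, sql);
    }

    public static void onCrypto(String algorithm, String location) {
        // Slide 22, "Report all use of DES/MD5": flag weak algorithms by name (transformations like
        // "DES/CBC/PKCS5Padding" are covered by the prefix test).
        String upper = algorithm.toUpperCase();
        if (upper.equals("MD5") || upper.equals("DES") || upper.startsWith("DES/")) {
            System.err.printf("[appsec] weak algorithm %s requested at %s%n", algorithm, location);
        }
    }
}
```

Because the sensor call is woven at the call site, the agent sees the fully assembled SQL string and the exact algorithm name regardless of which HTTP framework or ORM produced them, which is the "security context assembled within agent" point of slide 17. Two limitations worth knowing: the sink table matches on the declared owner, so a call typed against a driver's concrete Statement class rather than java.sql.Statement is missed (production agents instrument the implementing classes or the interface hierarchy), and classes loaded before premain runs are not rewritten unless the agent also uses Instrumentation.retransformClasses.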
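
Slide 20 contrasts a perimeter decision point, where a WAF sees only `GET /foo?name='%20or%20%20'1'='1` and has to guess, with an application decision point, where RASP sees the finished statement passed to stmt.execute(...). The class below is an added example, not Contrast Security's code, of the decision logic such an in-application sensor can apply to answer slide 17's "Vulnerability? Attack?" question: untrusted request data is tagged on entry, and at the SQL sink the sensor checks whether any tagged value appears inside the statement text and, if so, whether it stayed inside a single lexical token. The class name, the ThreadLocal design and the sample requests are all constructed for this example.

```java
// SqlDecisionPoint.java -- added example (not Contrast Security's code).
// Application decision point for SQL: classify a statement about to be executed as
// CLEAN, VULNERABLE (untrusted data concatenated in) or ATTACK (untrusted data changed the
// statement's structure). Run with: java SqlDecisionPoint
import java.util.ArrayList;
import java.util.List;

public final class SqlDecisionPoint {

    enum Verdict {
        CLEAN,       // no untrusted data inside the statement text (bound parameters or constants)
        VULNERABLE,  // untrusted data is in the statement text but confined to one literal/token
        ATTACK       // untrusted data crosses a token boundary: the query's structure was changed
    }

    // Untrusted values recorded by the HTTP-request sensor for the current thread
    // (slide 17's "Data Tracking", simplified to a per-request list).
    private static final ThreadLocal<List<String>> UNTRUSTED = ThreadLocal.withInitial(ArrayList::new);

    static void tagUntrusted(String value) {
        // Very short values would match almost any statement by accident. A production agent
        // tracks taint through string operations instead of relying on substring search.
        if (value != null && value.length() >= 3) UNTRUSTED.get().add(value);
    }

    static void endRequest() { UNTRUSTED.remove(); }

    /** Called by the woven-in sensor immediately before Statement.execute(sql). */
    static Verdict inspect(String sql) {
        for (String taint : UNTRUSTED.get()) {
            int at = sql.indexOf(taint);
            if (at < 0) continue;
            int[] token = tokenAt(sql, at);
            // Confined: the token that begins where the taint begins also ends at or after it.
            boolean confined = token != null && token[1] >= at + taint.length();
            return confined ? Verdict.VULNERABLE : Verdict.ATTACK;
        }
        return Verdict.CLEAN;
    }

    /**
     * Minimal SQL lexer: returns [start, end) of the token containing pos, or null if pos is
     * whitespace. Tokens are single-quoted literals ('' escapes a quote), words/numbers, or one
     * punctuation character.
     */
    static int[] tokenAt(String sql, int pos) {
        int i = 0, n = sql.length();
        while (i < n) {
            int start = i;
            char c = sql.charAt(i);
            if (Character.isWhitespace(c)) { i++; continue; }
            if (c == '\'') {
                i++;
                while (i < n) {
                    if (sql.charAt(i) != '\'') { i++; continue; }
                    if (i + 1 < n && sql.charAt(i + 1) == '\'') { i += 2; continue; } // escaped quote
                    i++;                                                               // closing quote
                    break;
                }
            } else if (Character.isLetterOrDigit(c) || c == '_') {
                while (i < n && (Character.isLetterOrDigit(sql.charAt(i))
                        || sql.charAt(i) == '_' || sql.charAt(i) == '.')) i++;
            } else {
                i++; // operator or punctuation
            }
            if (pos >= start && pos < i) return new int[] {start, i};
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed request 1: the payload from slide 20, URL-decoded, concatenated into a query.
        String payload = "' or '1'='1";
        tagUntrusted(payload);
        report("select * from users where name = '" + payload + "'");
        endRequest();

        // Constructed request 2: a benign value through the same concatenation, then a bound query.
        tagUntrusted("alice");
        report("select * from users where name = 'alice'");
        report("select * from users where name = ?");
        endRequest();
    }

    private static void report(String sql) {
        System.out.printf("%-10s %s%n", inspect(sql), sql);
    }
}
```

Tracing the three statements: the slide 20 payload closes the string literal and adds a new predicate, so the tagged value spans several tokens and is classified ATTACK; "alice" sits entirely inside one quoted literal, so the same concatenation is reported as VULNERABLE even though this request is harmless, which is how IAST finds the injection flaw from ordinary test traffic; the parameterised statement contains no tagged data and is CLEAN. The WAF in the slide's left half never sees the statement text and therefore cannot make the first two distinctions.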
