automating your tools: how to free up your security professionals for actual security tasks


Upload: kevin-fealey

Post on 14-Apr-2017


TRANSCRIPT

Page 1: Automating Your Tools: How to Free Up Your Security Professionals for Actual Security Tasks

Aspect Security | 9175 Guilford Road, Suite 300 | Columbia, MD 21046 | www.aspectsecurity.com

Automating Your Tools: How to Free Up Your Security Professionals for Actual Security Tasks

Techno Security, 06/02/2015

Page 2

Application security that just works

©2015 Aspect Security. All Rights Reserved 2

ABOUT ME

Kevin Fealey, Principal Consultant & Practice Lead, Automation & Integration Services

7 years AppSec experience

Specialties:
• Process efficiency
• Open Source and Commercial Tools
• Automation

Page 3

ABOUT YOU

• Developer?
• Part of an AppSec team?
• [Want to] Do Continuous/Rapid Delivery?

Page 4

APPLICATION SECURITY VS. NETWORK SECURITY

Application Layer
– Attacker sends attacks inside valid HTTP requests
– Custom code is tricked into doing something it should not
– Security requires software development expertise, not signatures

Network Layer
– Firewall, hardening, patching, IDS, and SSL/TLS cannot detect or stop attacks inside HTTP requests
– Security relies on signature databases

[Diagram: an APPLICATION ATTACK passes through the Network Layer (Firewall, Hardened OS, Web Server, App Server) into the Application Layer (Custom Code, Web Services, Directories, Databases, Legacy Systems, Human Resrcs, Billing) and the business functions behind it (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions)]

Page 5

COMMON APPLICATION VULNERABILITIES

■ The OWASP Top Ten:
– Injection Flaws
– Broken Account and Session Management
– Cross Site Scripting Flaws
– Direct Object References
– Web/Application Server Misconfigurations
– Sensitive Data Exposure
– Broken Access Control
– Cross-Site Request Forgery
– Using Components with Known Vulnerabilities
– Unvalidated Redirects and Forwards

Page 6

WHY TALK ABOUT APPSEC HERE?

- Many public attacks at the app layer
  - SQLi for a ‘data breach’
  - Pivot: XSS -> Admin Account Compromise -> ??
- Better understanding of the app layer can provide better granularity when performing root cause analysis
- Better understanding of these issues can allow for more specific remediation guidance

Page 7

TRADITIONAL APPLICATION SECURITY

Security Like it’s 1999..

Page 8

TRADITIONAL APPSEC

~2 weeks

Page 9

TRADITIONAL VULNERABILITY MANAGEMENT

Risk Accepted

Page 10

UNDERSTANDING THE PROBLEM

Page 11

Hundreds or thousands of web applications and web services:
– 90% RECEIVE NO SECURITY AT ALL
– 10% RECEIVE SOME SECURITY

Security teams are understaffed

Development is getting faster and more abstract

“Security causes rework”

RESULT: SECURITY IS NOT SCALABLE

It’s only getting worse…

Page 12

ROOT CAUSES

[Diagram: the SDLC (Requirements, Design, Develop, Test, Maintenance) split between Development and Production, with Security only appearing at the end: “Oops! Forgot security…”]

Page 13

SOLUTION: AUTOMATION

Make security a part of the SDLC

Deploy sensors for “continuous application security”

With Security Automation:
– Widen the security bottleneck
– Provide broad coverage to more applications in less time
– Hundreds or thousands of web applications and web services: 90% RECEIVE SOME SECURITY

Page 14

CONTINUOUS APPLICATION SECURITY (CAS)

Page 15

TOMORROW: SECURITY SENSORS IN THE SDLC

Automated, integrated testing and reporting shorten the feedback cycle and enable security at scale

[Diagram: the SDLC phases Design, Develop, Test and Maintenance, with an automated sensor pipeline of Code Sync -> Build/Deploy -> Scan -> Report running alongside them]

Page 16

COST TO REMEDIATE ISSUES

Cost to Fix a Vulnerability Depends on When it is Found

Phase found   Cost to fix
Coding        $139.00
Testing       $1,390.00
Beta          $2,780.00
Release       $4,170.00

 Find an issue in Development vs Test – Save 10x

Page 17

TOOL AUTOMATION

Leverage efficiencies of scale and reuse to greatly reduce the amount of time spent on analysis.

[Chart: time spent per Scanning Workflow Activity (Access Source, Scan Configuration, Scan, Triage), Manual Scanning vs Automated Scanning]

Automated scanning allows your security team to spend less time trying to get the tool to do its job and more time looking for real vulnerabilities

Page 18

WHAT SENSORS?

Page 19

TURN YOUR TOOLS INTO SENSORS

 Most tools have at least one of the following:
1. Command Line Interface
2. REST APIs
3. Public APIs

Page 20

CENTRALIZE SENSOR OUTPUT

[Diagram: Application Server, Web Server, Database Server and Security Tools each emit events (‘ or 1=1; --, Access Control Violation!, Heartbleed detected!, Invalid HTTP Request) that are sent as Data to a Central Repository]

Page 21

APPLICATION SECURITY EVENT ALERTS

[Diagram: an event (‘ or 1=1; --) observed at the Application Server, Web Server or Database Server flows into the Central Repository and raises an alert (!!!) on the CAS Dashboard / GRC tool, etc.]
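Pages 19 to 21 describe the pattern (wrap each tool's CLI or API output as a sensor, normalize what it emits, send it to a central repository, alert from there) without showing code. The following is an added example, not code from the talk or from Aspect Security: two constructed sensors, one reading a scanner's captured JSON report and one reading web-server access-log lines, feed a common event schema into an in-memory repository that serves alerts and per-category counts to a dashboard. The tool names, report format, log lines, CVSS cut-offs and detection patterns are all assumptions made for the illustration.

```python
"""Added example (not from the talk): wrap two tool outputs as sensors that
emit a common event schema, store them in a central repository, and raise
alerts for a dashboard. Tool names, output formats, log lines, severity
thresholds and the in-memory repository are constructed for illustration."""
import json
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable


@dataclass
class SecurityEvent:
    """Common schema that every sensor normalizes into."""
    source: str       # sensor that produced the event (constructed names)
    host: str         # where it was observed
    category: str     # vuln_scan / injection / access_control
    severity: str     # low / medium / high
    detail: str       # human-readable summary
    observed_at: str  # ISO 8601 timestamp


# --- Sensor 1: a CLI scanner whose JSON report was captured (constructed) ---
SCANNER_JSON = json.dumps({
    "target": "app01.internal",
    "findings": [
        {"id": "F-1", "title": "Heartbleed detected", "cvss": 7.5},
        {"id": "F-2", "title": "Weak TLS cipher offered", "cvss": 4.3},
    ],
})


def severity_from_cvss(score: float) -> str:
    """Assumed cut-offs mapping a CVSS base score onto three buckets."""
    return "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"


def scanner_sensor(raw_json: str, observed_at: str) -> list:
    """Normalize one scanner report into SecurityEvents."""
    report = json.loads(raw_json)
    return [
        SecurityEvent("vuln-scanner", report["target"], "vuln_scan",
                      severity_from_cvss(f["cvss"]),
                      f"{f['id']}: {f['title']}", observed_at)
        for f in report["findings"]
    ]


# --- Sensor 2: web server access log (constructed lines) --------------------
ACCESS_LOG = """\
10.0.0.5 - - [02/Jun/2015:13:30:01 +0000] "GET /login?user=admin HTTP/1.1" 200 512
10.0.0.9 - - [02/Jun/2015:13:30:07 +0000] "GET /login?user=' or 1=1; -- HTTP/1.1" 500 88
10.0.0.9 - - [02/Jun/2015:13:30:09 +0000] "GET /admin/users HTTP/1.1" 403 0
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
SQLI_RE = re.compile(r"(?i)'\s*or\s+\d+\s*=\s*\d+")  # narrow, illustrative tautology pattern


def access_log_sensor(log_text: str, host: str) -> list:
    """Turn suspicious access-log lines into SecurityEvents; skip lines that do not parse."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # a sensor must survive noise rather than crash on it
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").isoformat()
        req, status = m["req"], int(m["status"])
        if SQLI_RE.search(req):
            events.append(SecurityEvent("access-log", host, "injection", "high",
                                        f"SQL injection probe from {m['ip']}: {req}", ts))
        elif status == 403:
            events.append(SecurityEvent("access-log", host, "access_control", "medium",
                                        f"Access control violation from {m['ip']}: {req}", ts))
    return events


class CentralRepository:
    """In-memory stand-in for the central event store behind a CAS dashboard."""
    SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

    def __init__(self):
        self.events = []

    def ingest(self, events: Iterable[SecurityEvent]) -> int:
        batch = list(events)
        self.events.extend(batch)
        return len(batch)

    def alerts(self, min_severity: str = "high") -> list:
        """Events at or above the given severity: what the dashboard pages on."""
        floor = self.SEVERITY_RANK[min_severity]
        return [e for e in self.events if self.SEVERITY_RANK[e.severity] >= floor]

    def summary(self) -> dict:
        """Event counts per category, the kind of number a dashboard trends over time."""
        counts = {}
        for e in self.events:
            counts[e.category] = counts.get(e.category, 0) + 1
        return counts


def run_pipeline() -> CentralRepository:
    """Run both sensors once and return the populated repository."""
    repo = CentralRepository()
    repo.ingest(scanner_sensor(SCANNER_JSON, "2015-06-02T13:30:00+00:00"))
    repo.ingest(access_log_sensor(ACCESS_LOG, "web01.internal"))
    return repo
```

Each sensor is a thin adapter over one tool's native output, and only the shared `SecurityEvent` schema reaches the repository, so adding a third tool means writing one more adapter rather than touching the dashboard. The access-log sensor deliberately skips lines it cannot parse instead of raising; a sensor that dies on malformed input silently blinds the dashboard.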

Page 22

CONTINUOUS APPLICATION SECURITY

Real-Time Actionable Security Intelligence for:
- Developers
- Security Teams
- Managers
- Executives

Page 23

BENEFITS OF SECURITY DASHBOARDS

Understand your true risk at the application layer

Profile applications & development teams for continuous improvement

Consolidated data in the event of a breach

Breed security culture by making security visible

Page 24

NOW WHAT?

Security Team’s Job:
• Develop/Enhance sensors
• Track security trends via dashboards
• Research
• Threat Models/Architecture Reviews/Remediation Guidance
• Spread security culture

24/7 Security

Page 25

What Good is this Tool?

Sweet new pool table! Where should we put it?

Page 26

BEFORE YOU DEVELOP A DASHBOARD

 Define a security model that fits your business
• All encryption = AES, no CBC or ECB
• All external/internal connections use SSL
• Use defined secure libraries

 Start small and grow CAS program over time
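A security model only pays off once it is enforced by a sensor rather than by reviewers reading code. The following is an added example, not from the talk or from Aspect Security: the three rules on the slide, expressed as data, are checked against a few constructed Java source lines and reported as findings in the same shape a scanner would produce. The file names, the source lines, the approved-library prefixes and the decision to constrain only crypto-related imports are assumptions of this example.

```python
"""Added example (not from the talk): encode the slide's security model as
automated checks that run over source code, so policy violations surface as
sensor findings. File names, source lines and the approved-library list are
constructed for illustration."""
import re

# The security model from the slide, as data the checker enforces.
POLICY = {
    "cipher_algorithm": "AES",                                   # all encryption = AES
    "forbidden_modes": {"ECB", "CBC"},                           # no CBC or ECB
    "approved_libraries": ("javax.crypto.", "java.security."),   # constructed allowlist
}

CIPHER_RE = re.compile(r'Cipher\.getInstance\("([^"]+)"')       # JCE transformation strings
PLAINTEXT_URL_RE = re.compile(r'["\']http://[^"\']*["\']')      # literal non-SSL URLs
IMPORT_RE = re.compile(r'^\s*import\s+([\w.]+)\s*;')

# Constructed sample sources: one compliant line next to each violating one.
SAMPLE_SOURCE = {
    "CryptoUtil.java": [
        "import javax.crypto.Cipher;",
        "import com.example.homegrown.crypto.XorCipher;",
        'Cipher ecb = Cipher.getInstance("AES/ECB/PKCS5Padding");',
        'Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");',
        'Cipher des = Cipher.getInstance("DES/CBC/PKCS5Padding");',
    ],
    "Client.java": [
        'URL api = new URL("http://payments.internal/api");',
        'URL secure = new URL("https://payments.internal/api");',
    ],
}


def check_cipher(transformation: str):
    """Violation message for an ALGORITHM/MODE/PADDING string, or None if compliant."""
    parts = transformation.split("/")
    algorithm = parts[0].upper()
    mode = parts[1].upper() if len(parts) > 1 else None
    if algorithm != POLICY["cipher_algorithm"]:
        return f"algorithm {algorithm} is not {POLICY['cipher_algorithm']}"
    if mode in POLICY["forbidden_modes"]:
        return f"mode {mode} is forbidden"
    return None


def check_import(package: str):
    """Only crypto-related imports are constrained; they must come from the allowlist."""
    if not re.search(r"(?i)crypt|cipher", package):
        return None
    if package.startswith(POLICY["approved_libraries"]):
        return None
    return f"{package} is not an approved security library"


def check_policy(sources: dict) -> list:
    """sources maps file name -> list of lines; returns (file, line, rule, message) tuples."""
    findings = []
    for path, lines in sources.items():
        for number, line in enumerate(lines, start=1):
            for m in CIPHER_RE.finditer(line):
                msg = check_cipher(m.group(1))
                if msg:
                    findings.append((path, number, "crypto", f"{m.group(1)}: {msg}"))
            if PLAINTEXT_URL_RE.search(line):
                findings.append((path, number, "transport",
                                 "plaintext http:// connection; policy requires SSL"))
            im = IMPORT_RE.match(line)
            if im:
                msg = check_import(im.group(1))
                if msg:
                    findings.append((path, number, "library", msg))
    return findings
```

Because the rules live in `POLICY` rather than in the matching code, growing the program later (the slide's "start small") means extending the data, and each finding carries file, line and rule so it can be ingested by the same central repository as any other sensor's output.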

Page 27

THANK YOU!

 Kevin Fealey | @secfealz | [email protected] | www.AspectSecurity.com

 Questions? Feedback?

Page 28

DESCRIPTION

Tuesday, June 2, 1:30PM - 2:20PM

Automating Your Tools: How to Free Up Your Security Professionals for Actual Security Tasks

Manual application security testing alone doesn't cut it anymore -- scanning with SAST, DAST, and IAST tools is necessary to achieve security at portfolio scale; but as agile development practices become more popular, tool-assisted security reviews used as gates to production become more disruptive and expensive. While development teams evolve toward continuous release and deployment, the security industry continues to use the same paradigms developed 15 years ago. If organizations hope to produce more secure code at DevOps speed, something has to change.

This session will describe how many of the application security tasks performed manually today can be automated to allow security professionals to look for novel security problems, rather than just low-hanging fruit. I'll explain 1) How open source and commercial tools can add value when integrated into the development lifecycle; 2) How using security tools as automated sensors can improve security visibility and provide real-time actionable intelligence; and 3) How automating simple security tasks can free up security teams to work on real security challenges. We'll also describe some common pitfalls when incorporating security into development, as well as real-world solutions learned from our work in this area over the past 6 years.