Continuous Application Security at Scale with IAST and RASP

Transforming DevOps into DevSecOps

Jeff Williams, CTO and founder, Contrast Security

@planetlevel

OWASP NOVA – July 2016

A BRIEF HISTORY OF APPLICATION SECURITY AUTOMATION

Development (find vulnerabilities):
• SAST (Static AppSec Testing)
• DAST (Dynamic AppSec Testing)
• IAST (Interactive AppSec Testing)

Operations (block attacks):
• IDS/IPS (Intrusion Detection/Prevention System)
• WAF (Web Application Firewall)
• RASP (Runtime Application Self-Protection)

Unified Agent: IAST and RASP

Timeline years shown on the slide: 2002, 2002, 2012, 2014, 2015. From the slide layout, the two 2002 dates appear to belong to the SAST/DAST and IDS/IPS/WAF generation, 2012 and 2014 to IAST and RASP, and 2015 to the unified agent.

WARNING: Security has detected and blocked an attempted attack.

This attack has been fully logged and may be further investigated. If you believe you have received this message in error, please contact [email protected] with the details of the incident.

In 17 years of noisy pentesting, I have seen many stack traces, many error messages, and many requests to “please try again.”

I have never been identified as an attacker. Madness.

APPSEC IS GETTING HARDER EVERY DAY!

• Libraries: explosive growth in libraries and frameworks
• Services: microservices, APIs, REST, SOAP, single-page apps
• Cloud: rapidly growing use of cloud and containers
• Agile: high-speed software development

Legacy application security tools can’t handle the speed, size, and complexity of modern software development.

OWASP Benchmark

• 21,000 test cases across a range of true and false vulnerabilities
• Free, open, reproducible
• Sponsored by DHS

(Chart on the slide: benchmark results for a tool labelled IAST-01; the value 33% appears on the chart.)

THE TRUE COST OF FALSE POSITIVES

The tool scans the app and produces a security scanner PDF report listing 400 possible vulnerabilities.

• In two days, we can triage 100 of 400 “possibles.”
• (10% true positives) We can confirm 10 of 40 real vulnerabilities.
• We will miss 30 of 40 real vulnerabilities.

WHAT’S YOUR ACTSOA? ANNUAL COST TO SECURE ONE APPLICATION

Cost Factor – Description – Cost

License Cost: Typical per-application annual license. This cost is $0 if relying on a manual pentest and/or manual code review.

Analysis: Actually assessing an application typically takes 2-4 weeks for a manual review, 1 week for an automated scan.

Triage: Experts must eliminate false positives from automated tool results. Plan on several days per assessment, zero for manual reviews.

Reporting: Every vulnerability needs to get risk rated, written up, tracked, reported, and closed. Dashboards need to be created. Figure one day per assessment.

Remediation: Full cost to remediate and deploy fixes. Typical application has 22 vulnerabilities at 20 hours each at $100/hr, totaling roughly $44,000. Cost: $$$$

Retest: The retest verifies that issues identified have been fixed appropriately. Typically the retest costs about 25% of the original assessment.

Management: If running a scanning program, several headcount will be needed to manage the schedule, contracts, and infrastructure required.

TOTAL: ?

ACCURACY, AUTOMATION, AND SCALABILITY

You can’t scale appsec without highly accurate tools (both true positives and true negatives).

Because inaccuracies require experts…

…and experts don’t scale.

TRADITIONAL VS. CONTINUOUS

CONTINUOUS APPLICATION SECURITY

(Diagram: new code flows into production.)

• Development and Operations: push code to production with fully automated security support
• Application Security: security experts deliver security as code
• Management: management makes informed decisions with detailed security analytics

CONTINUOUS APPLICATION SECURITY

(Diagram: new code flows into production.)

• Development and Operations: Standard Defenses, Attack Protection, Security Integration
• Application Security: Security Research (internal), Threat Intelligence (external), Security Architecture
• Management: Security Orchestration, Security Training

Instrumentation, definition 4: The use of measuring instruments to monitor and control a process. It is the art and science of measurement and control of process variables within a production, laboratory, or manufacturing area.

Source instrumentation: inject a simple static method call.

Binary instrumentation:
• Widely used: CPU performance, memory, logging, security, …
• Lots of libraries: ASM (Java), BCEL (Java), Javassist (Java), MBEL (.NET), RAIL (.NET), …

Dynamic binary instrumentation!

(Diagram: inside the runtime environment, the classes of the original binary code are enhanced by the agent as they load, producing instrumented binary code; the agent reports to a command and control dashboard.)

INSTRUMENTATION IN ACTION

Your application stack at runtime: app server, frameworks, libraries, custom code, with the instrumentation agent inside it.

1. Add agent: -javaagent:appsec.jar
2. Agent instruments running application
3. Agent blocks attacks and finds vulnerabilities
4. Dashboard provides visibility and control (attacks and vulnerabilities are reported to the dashboard)

DETECTING AND BLOCKING BOTH ATTACKS AND VULNERABILITIES

Security context assembled within the agent; sensors woven into the running application.

Actors sending HTTP requests: developer, tester, user, attacker.

Request path through the application: Controller, Validation, Session, Business Logic, Data Layer, SQL API, Database.

Sensors along the path: HTTP Request, Validation Tags, Data Tracking, Data Parsing, Escaping Tags, Query.

At the query: Vulnerability? Attack?

STOP TALKING ABOUT “STATIC” AND “DYNAMIC”

Software is a black box.

Sources of information about an application: HTTP traffic, code, frameworks, libraries, runtime data flow, runtime control flow, backend connections, configuration data, server configuration, etc. Platform runtime and software architecture.

(Chart: which of these sources SAST, DAST, WAF, and Instrumentation can each see.)

Talk about what information you need to confirm a vulnerability or an attack.

Instrumentation speed and accuracy dominates SAST and DAST

OWASP Benchmark - 21,000 test cases across a range of vulnerabilities. Sponsored by DHS.

(Chart: benchmark scores; the values 33%, 100%, and 92% appear on the chart, the 92% next to IAST-01.)

(Diagram: one WAF at the perimeter in front of several applications, each running RASP.)

PERIMETER DECISION POINT (WAF): GET /foo?name='%20or%20%20'1'='1 HTTP/1.0

Three problems: 1) Bottleneck 2) No context 3) Impedance

APPLICATION DECISION POINT (RASP): stmt.execute( "select * from table where id ='1' or '1'='1'" );
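The two decision points above, and the sensor chain from the “Detecting and blocking” slide (HTTP request, validation/escaping tags, data tracking, query), modelled as an added example. This is not code from the talk or from Contrast Security’s agent (which is a Java agent loaded with -javaagent); the request handling, the tag names (untrusted, escaped, bound), the three query-building modes and the token-structure test are all assumptions of this example, and a real agent would use a proper SQL parser rather than the regex tokenizer here. The attack request line is the one on the slide; the benign request is constructed.

```python
"""
Model of the two decision points on the slides: a WAF-style perimeter
check that sees only the raw HTTP request line, and an instrumented
sink check (the IAST/RASP-style sensor at the SQL API) that sees the
query the application actually built plus the tags the agent attached
to each piece of data on its way from the request to the query.
Everything here is an assumption made for this example; the deck's
own Java agent is not reproduced.
"""
import re
import urllib.parse
from dataclasses import dataclass

# Request line from the deck's WAF/RASP slide, plus a constructed benign one.
ATTACK_REQUEST = "GET /foo?name='%20or%20%20'1'='1 HTTP/1.0"
BENIGN_REQUEST = "GET /foo?name=alice HTTP/1.0"


@dataclass(frozen=True)
class Tagged:
    """A string plus the tags an agent would attach: untrusted, escaped, bound."""
    value: str
    tags: frozenset


def read_param(request_line: str, name: str) -> Tagged:
    """HTTP-request sensor: every request parameter starts out untrusted."""
    _, target, _ = request_line.split(" ", 2)
    raw_query = target.partition("?")[2]
    params = urllib.parse.parse_qs(raw_query, keep_blank_values=True)
    return Tagged(params.get(name, [""])[0], frozenset({"untrusted"}))


def escape_sql_literal(t: Tagged) -> Tagged:
    """Escaping sensor: doubles single quotes and adds the 'escaped' tag."""
    return Tagged(t.value.replace("'", "''"), t.tags | {"escaped"})


def perimeter_check(request_line: str) -> bool:
    """WAF-style decision: pattern match on the decoded request, no app context."""
    _, target, _ = request_line.split(" ", 2)
    decoded = urllib.parse.unquote_plus(target)
    return re.search(r"'\s*or\s*'", decoded, re.IGNORECASE) is not None


# Crude SQL tokenizer: quoted literals, numbers, words, single punctuation marks.
SQL_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\w+|[^\s\w]")


def span_crosses_token(query: str, start: int, end: int) -> bool:
    """True when the tracked characters do not sit inside one SQL token,
    i.e. the input changed the structure of the query, not just a value."""
    return not any(m.start() <= start and end <= m.end()
                   for m in SQL_TOKEN.finditer(query))


def sink_check(query: str, spans: list) -> dict:
    """SQL-API sensor. Each span is (start, end, tags) for a region of the
    query text that came from tracked data.
    vulnerability: untrusted text reached the query unescaped and unbound.
    attack: that text also altered the query's token structure."""
    verdict = {"vulnerability": False, "attack": False}
    for start, end, tags in spans:
        if "untrusted" not in tags or tags & {"escaped", "bound"}:
            continue
        verdict["vulnerability"] = True
        if span_crosses_token(query, start, end):
            verdict["attack"] = True
    return verdict


def handle_request(request_line: str, mode: str = "concat") -> dict:
    """Run both decision points for one request. mode picks how this
    hypothetical application builds its query: 'concat', 'escape' or 'bind'."""
    name = read_param(request_line, "name")
    prefix = "select * from table where id ='"
    if mode == "bind":
        # Bound parameter: the value never becomes query text.
        query, params = "select * from table where id = ?", [name.value]
        spans = [(0, 0, name.tags | {"bound"})]
    else:
        if mode == "escape":
            name = escape_sql_literal(name)
        query, params = prefix + name.value + "'", []
        spans = [(len(prefix), len(prefix) + len(name.value), name.tags)]
    return {"query": query, "params": params,
            "perimeter_blocks": perimeter_check(request_line),
            "sink": sink_check(query, spans)}


if __name__ == "__main__":
    for req in (ATTACK_REQUEST, BENIGN_REQUEST):
        for mode in ("concat", "escape", "bind"):
            r = handle_request(req, mode)
            print(f"{mode:6} {req[4:30]:26} perimeter={r['perimeter_blocks']} sink={r['sink']}")
```

Running it makes the “no context” problem concrete: in concat mode both decision points flag the slide’s request, but only the sink also reports the benign request as a vulnerability, because it can see that untrusted input is concatenated into query text at all. In bind mode the perimeter still blocks the request while the sink, seeing a bound parameter, reports neither a vulnerability nor an attack.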

Instrumentation performance – same as code

WebGoat RASP processing (in microseconds, millionths of a second):
• Typical traffic: 50 microseconds
• Mixed traffic: 170 microseconds
• Heavy attack traffic: 230 microseconds

• Number of applications doesn’t matter
• No bottleneck on either bandwidth or CPU

Application Platform

Instrumentation adds a security assessment and protection API to every application.

Your standard application stack(s): physical host or VM, container OS, container runtime, 3rd-party frameworks, 3rd-party libraries, apps and APIs.

Examples…
• Report all use of DES/MD5
• Turn off XML doctype
• Set X-Frame-Options
• Report SQL injection vulns
• Log all failed authentications
• Block Spring EL attacks
• Report vulnerable libraries
• Deploy virtual patches
• Block apps with old jQuery

RASP: instrumented application portfolio

AppSec Control Plane: operations, information security, application security, development, compliance

User Plane: partners, users, employees, devices, hackers, bots, organized crime, insiders

Visibility
• Attacks
• Vulnerabilities
• Enhanced logging
• Application profiles
• Libraries and frameworks
• Software architecture

Control
• Attack protection policy
• Secure coding policy
• Library policy
• Crypto policy
• Connection policy
• Configuration policy

CONTAINERS

THANK YOU

Jeff [email protected]

@planetlevel

http://contrastsecurity.com

“Leader” “Visionary” “Innovator”