continuous application security at scale with iast and rasp -- transforming devops into devsecops
TRANSCRIPT
Continuous Application Security at Scale with IAST and RASP
Transforming DevOps into DevSecOps
Jeff Williams, CTO and founder, Contrast Security
@planetlevel
OWASP NOVA – July 2016
A BRIEF HISTORY OF APPLICATION SECURITY AUTOMATION
Development (find vulnerabilities): DAST (Dynamic AppSec Testing), SAST (Static AppSec Testing), IAST (Interactive AppSec Testing)
Operations (block attacks): WAF (Web Application Firewall), IDS/IPS (Intrusion Detection/Prevention System), RASP (Runtime Application Self-Protection)
Unified Agent: IAST and RASP
Timeline years shown on the slide: 2002, 2002, 2012, 2014, 2015
WARNING: Security has detected and blocked an attempted attack.
This attack has been fully logged and may be further investigated. If you believe you have received this message in error, please contact [email protected] with the details of the incident.
In 17 years of noisy pentesting, I have seen many stack traces, many error messages, and many requests to “please try again.”
I have never been identified as an attacker. Madness.
APPSEC IS GETTING HARDER EVERY DAY!
Libraries: explosive growth in libraries and frameworks
Services: microservices, APIs, REST, SOAP, single-page apps
Cloud: rapidly growing use of cloud and containers
Agile: high speed software development
Legacy application security tools can’t handle the speed, size, and complexity of modern software development
OWASP Benchmark
21,000 test cases across a range of true and false vulnerabilities
Free, open, reproducible
Sponsored by DHS
[Benchmark results chart; values shown: IAST-01, 33%]
THE TRUE COST OF FALSE POSITIVES
Tool scans app and produces a security scanner PDF report: 400 possible vulnerabilities.
In two days, we can triage 100 of 400 “possibles.” (10% true positives)
We can confirm 10 of 40 real vulnerabilities.
We will miss 30 of 40 real vulnerabilities.
WHAT’S YOUR ACTSOA? ANNUAL COST TO SECURE ONE APPLICATION
Cost Factor | Description | Cost
License Cost | Typical per-application annual license. This cost is $0 if relying on a manual pentest and/or manual code review. |
Analysis | Actually assessing an application typically takes 2-4 weeks for a manual review, 1 week for an automated scan. |
Triage | Experts must eliminate false positives from automated tool results. Plan on several days per assessment, zero for manual reviews. |
Reporting | Every vulnerability needs to get risk rated, written up, tracked, reported, and closed. Dashboards need to be created. Figure one day per assessment. |
Remediation | Full cost to remediate and deploy fixes. Typical application has 22 vulnerabilities at 20 hours each at $100/hr totaling roughly $44,000. | $$$$
Retest | The retest verifies that issues identified have been fixed appropriately. Typically the retest costs about 25% of original assessment. |
Management | If running a scanning program, several headcount will be needed to manage the schedule, contracts, and infrastructure required. |
TOTAL | | ?
ACCURACY, AUTOMATION, AND SCALABILITY
You can’t scale appsec without highly accurate tools (both true positives and true negatives)
Because inaccuracies require experts…
…and experts don’t scale.
CONTINUOUS APPLICATION SECURITY
New Code → Production
Development and Operations: push code to production with fully automated security support
Application Security: security experts deliver security as code
Management: management makes informed decisions with detailed security analytics
CONTINUOUS APPLICATION SECURITY
New Code → Production
Development and Operations: Standard Defenses, Attack Protection, Security Integration
Application Security: Security Research (Internal), Threat Intelligence (External), Security Architecture
Management: Security Orchestration, Security Training
Instrumentation, definition 4: The use of measuring instruments to monitor and control a process. It is the art and science of measurement and control of process variables within a production, laboratory, or manufacturing area.
Binary instrumentation is widely used:
• CPU performance
• Memory
• Logging
• Security
• …
Lots of libraries:
• ASM (Java)
• BCEL (Java)
• Javassist (Java)
• MBEL (.NET)
• RAIL (.NET)
• …
Dynamic binary instrumentation! In the runtime environment, binary code is enhanced as it loads: original binary code → agent → instrumented binary code, with the agent reporting to a command and control dashboard.
INSTRUMENTATION IN ACTION
Your application stack (app server, frameworks, libraries, custom code) with the runtime instrumentation agent inside it:
1. Add agent: -javaagent:appsec.jar
2. Agent instruments running application
3. Agent blocks attacks and finds vulnerabilities
4. Dashboard provides visibility and control (attacks and vulnerabilities are reported to the dashboard)
DETECTING AND BLOCKING BOTH ATTACKS AND VULNERABILITIES
Security context is assembled within the agent; sensors are woven into the running application.
Actors sending requests: developer, tester, user, attacker.
Request path: HTTP Request → Controller → Validation → Session → Business Logic → Data Layer → SQL API → Database
Sensors along the path: data parsing, validation tags, data tracking, escaping tags, query
At the query the agent decides: Vulnerability? Attack? (✓ / ✘)
STOP TALKING ABOUT “STATIC” AND “DYNAMIC”
Software is a black box.
Information available: HTTP traffic, code, frameworks, libraries, runtime data flow, runtime control flow, backend connections, configuration data, server configuration, platform runtime, software architecture, etc.
Each approach sees a different part of it: SAST, DAST, WAF, instrumentation.
Talk about what information you need to confirm a vulnerability or an attack.
Instrumentation speed and accuracy dominates SAST and DAST
OWASP Benchmark – 21,000 test cases across a range of vulnerabilities
Sponsored by DHS
[Benchmark results chart; values shown: 33%, 100%, 92% IAST-01]
WAF vs. RASP
PERIMETER DECISION POINT (WAF sees the raw request): GET /foo?name='%20or%20%20'1'='1 HTTP/1.0
Three problems: 1) Bottleneck 2) No context 3) Impedance
APPLICATION DECISION POINT (RASP sees the query as executed): stmt.execute( "select * from table where id ='1' or '1'='1'" );
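The following is an added example, not code from the talk or from Contrast Security's agent, that puts the two slides above into runnable form: the data-flow slide (untrusted data carrying validation/escaping tags through the request path to the SQL query) and the perimeter-versus-application decision point. It takes the request line from the slide, shows the raw target a WAF has to judge, builds the query the way the slide's `stmt.execute` call does, and lets an "agent" decide at the sink whether the code path is a vulnerability and whether the request is an attack. The agent installs itself by wrapping the sink method, which stands in for the load-time bytecode weaving a `-javaagent` does; the class and function names, the `sql-escaped` tag and the sample requests are all constructed for this example.

```python
"""Toy model of the application decision point the slides describe (added example,
not code from the talk or from Contrast Security's agent).  One HTTP parameter is
followed from the raw request, which is all a perimeter WAF sees, to the SQL sink,
which an in-process agent sees.  Data carries tags from the data-flow slide
("untrusted", "sql-escaped") and the sink answers both questions: vulnerability?
attack?  The agent wraps the sink, a stand-in for -javaagent weaving.  Names and
requests are constructed for the example."""
import re
from urllib.parse import parse_qs, urlsplit


class Tracked:
    """String whose characters carry provenance tags (the "data tracking" sensor)."""

    def __init__(self, text="", tags=(), segments=None):
        self.segments = segments if segments is not None else [(text, frozenset(tags))]

    def __add__(self, other):                # concatenation propagates the tags
        other = other if isinstance(other, Tracked) else Tracked(other)
        return Tracked(segments=self.segments + other.segments)

    def tag(self, new_tag):                  # validation/escaping tag added on the path
        return Tracked(segments=[(t, tags | {new_tag}) for t, tags in self.segments])

    def text(self):
        return "".join(t for t, _ in self.segments)

    def spans(self):                         # (start, end, tags) ranges of the assembled string
        pos = 0
        for t, tags in self.segments:
            yield pos, pos + len(t), tags
            pos += len(t)


def sql_escape(tracked):
    """Quote-doubling escaper; its output carries the "sql-escaped" tag."""
    escaped = [(t.replace("'", "''"), tags) for t, tags in tracked.segments]
    return Tracked(segments=escaped).tag("sql-escaped")


# Minimal SQL lexer: quoted literal, number, word, whitespace, or one symbol.
SQL_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\w+|\s+|.")


def sql_sink_decision(query):
    """Return (vulnerable, attack) for a Tracked query about to be executed."""
    sql = query.text()
    tokens = [(m.start(), m.end(), m.group()) for m in SQL_TOKEN.finditer(sql)]
    vulnerable = attack = False
    for start, end, tags in query.spans():
        if "untrusted" not in tags or start == end:
            continue
        if "sql-escaped" not in tags:
            vulnerable = True   # untrusted data reached the sink with no defence on its path
        covering = [t for s, e, t in tokens if s < end and e > start and not t.isspace()]
        if len(covering) != 1:
            attack = True       # data did not stay inside one literal: query structure changed
    return vulnerable, attack


class AttackBlocked(Exception):
    pass


class Statement:
    """The application's database sink, the slide's stmt.execute()."""

    def execute(self, query):
        return "executed: " + query.text()


VULNERABILITY_REPORTS = []      # what the agent would send to the dashboard


def install_agent():
    """Slide step 2: wrap the sink as the app loads (stand-in for -javaagent weaving). Call once."""
    original = Statement.execute

    def guarded(self, query):
        vulnerable, attack = sql_sink_decision(query)
        if vulnerable:
            VULNERABILITY_REPORTS.append(query.text())      # IAST: report the vulnerability
        if attack:
            raise AttackBlocked(query.text())               # RASP: block the attack
        return original(self, query)

    Statement.execute = guarded


def perimeter_view(request_line):
    """What a WAF sees: the raw, still URL-encoded target, with no idea how it is used."""
    return request_line.split(" ")[1]


def handle_request(request_line, escape=False):
    """The application: decode the parameter and build the query as the slide's code does."""
    params = parse_qs(urlsplit(perimeter_view(request_line)).query, keep_blank_values=True)
    name = Tracked(params.get("name", [""])[0], {"untrusted"})
    if escape:
        name = sql_escape(name)
    query = Tracked("select * from table where id ='") + name + "'"
    try:
        return Statement().execute(query)
    except AttackBlocked:
        return "blocked"


install_agent()                 # the agent loads before the first request is served
```

Running `handle_request("GET /foo?name='%20or%20%20'1'='1 HTTP/1.0")` returns `"blocked"`: the untrusted span covers five SQL tokens instead of staying inside one literal, so the agent blocks the request, and because the data reached the sink without an escaping tag the same query also lands in `VULNERABILITY_REPORTS`. A benign `name=42` executes but is still reported as a vulnerability, which is the IAST half of the story: the code path is unsafe even when the input is not. With `escape=True` the quotes are doubled and the tag is present, so neither flag is raised. The WAF, by contrast, only ever has `perimeter_view()`: the encoded bytes, with no knowledge of which query they will end up in.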
Instrumentation performance – same as code
WebGoat RASP processing (in microseconds, millionths of a second):
Typical traffic: 50 microseconds
Mixed traffic: 170 microseconds
Heavy attack traffic: 230 microseconds
• Number of applications doesn’t matter
• No bottleneck on either bandwidth or CPU
Application Platform
Instrumentation adds a security assessment and protection API to every application
Your standard application stack(s): physical host or VM, container OS, container runtime, 3rd party frameworks, 3rd party libraries, apps and APIs
Examples…
• Report all use of DES/MD5
• Turn off XML doctype
• Set X-Frame-Options
• Report SQL injection vulns
• Log all failed authentications
• Block Spring EL attacks
• Report vulnerable libraries
• Deploy virtual patches
• Block apps with old jQuery
RASP
Instrumented application portfolio, managed through an AppSec Control Plane
User plane: partners, users, employees, devices, hackers, bots, organized crime, insiders
Consumers of the control plane: operations, information security, application security, development, compliance
Visibility: • Attacks • Vulnerabilities • Enhanced logging • Application profiles • Libraries and frameworks • Software architecture
Control: • Attack protection policy • Secure coding policy • Library policy • Crypto policy • Connection policy • Configuration policy
CONTAINERS
THANK YOU
Jeff [email protected]
@planetlevel
http://contrastsecurity.com
“Leader” “Visionary” “Innovator”