Upload: denim-group

Post on 19-Jan-2017

Page 1: Running a High-Efficiency, High-Visibility Application Security Program with Prevoty and ThreadFix

© 2016 Denim Group, Prevoty – All Rights Reserved

Running a High-Efficiency, High-Visibility Application Security Program with Prevoty and ThreadFix

July 19, 2016

Arpit Joshipura, VP Product Management, Prevoty

Dan Cornell, CTO, Denim Group

Page 2

Agenda

• State of Application Security

• ThreadFix Overview

• RASP and Prevoty Overview

• ThreadFix / Prevoty Integration


Page 3

State of Runtime Application Security

Market Trends show movement in Adoption of RASP

Key Executive Updates

1. Attacks on the rise (Web Attacks as the #1 vector in 2015 - Verizon Report)

2. Vulnerability backlog on the rise (>90% have up to 5000 vulnerabilities that cannot be fixed)*

3. Analysts and Customers now believe that RASP augments traditional runtime security

4. Customers moving past the stage of education to active interest in RASP

5. Prevoty emerging as the leader (2 year lead) in Runtime Application Security with new competitors like Veracode announcing plans for RASP this month

* http://blog.prevoty.com/news/the-great-divide-new-report-finds-it-pros-and-security-pros-at-odds-over-appsec

Page 4

ThreadFix Overview

• Create a consolidated view of your applications and vulnerabilities

• Prioritize application risk decisions based on data

• Translate vulnerabilities to developers in the tools they are already using

Page 5

ThreadFix Overview

Page 6

Create a consolidated view of your applications and vulnerabilities

Page 7

Application Portfolio Tracking

Page 8

Vulnerability Consolidation

Page 9

Prioritize application risk decisions based on data

Page 10

Vulnerability Prioritization

Page 11

Reporting and Metrics

Page 12

Translate vulnerabilities to developers in the tools they are already using

Page 13

Defect Tracker Integration

Page 14

Secure DevOps with ThreadFix

• What does your pipeline look like?

http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu

http://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally

https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html

Page 15

Runtime Application Security (Visibility & Protection)

Awards and recognition listed on the slide:

• The Most Innovative Startup 2016

• People Shaping Info Security: Kunal Anand, Co-founder/CTO

• Most Innovative Security Product (Software) of the Year

• 20 Most Promising Enterprise Security Companies

• The Most Innovative Application Security Solution for 2016

Page 16

Survey Results: IT & Security Professionals Gap

Key findings

• >90% have up to 5000 Vulnerabilities in backlog

• Security Professionals spend >3.5 days every week to tune current runtime solutions

* http://blog.prevoty.com/news/the-great-divide-new-report-finds-it-pros-and-security-pros-at-odds-over-appsec

Page 17

2015 Enterprise Survey

Applications are being targeted at Runtime (Enterprise survey results, Dec 2015)

What is the most common gateway attack experienced by your organization over the past 12 months?

[Survey response chart; the values are not recoverable from the transcript]

In a recent Ponemon Institute research study, of those surveyed:

• >75% believe applications are more vulnerable today

• >50% believe organizations are ineffective at security

• ~50% say application security is a top priority

Source: Security Survey by Ponemon Institute, Dec 2015

Top 3 Vectors constitute 95% of the Attacks in production

Page 18

3 Easy Steps to Runtime Application Security

Page 19

Step 1: Identify the maturity of Application Security

Detection, Remediation and Protection spectrum of programs

Early Stage

• Ad-hoc approach for Testing, remediation. Driven by compliance

• Limited AppSec Tools & Process

Intermediate

• Continuous Testing

• Inconsistent remediation & protection with a backlog of vulnerability

• AppSec Testing Tools in place

• SSDLC Process Framework

• WAF in passive mode

Mature

• Continuous Testing

• Consistent Remediation

• Continuous Monitoring

• AppSec Testing Tools operationalized

• SSDLC operationalized

• WAF in Passive/Active mode

• Runtime Monitoring

Page 20

Step 2: Plan for a Modern security architecture

[Architecture diagram spanning Users, Network, Applications and Data. Components shown: Web Browser, Mobile App (Hardening SDK/Wrapper), Endpoint, NG Firewall, Web App Firewall, Load Balancer, API Gateway, SIEM, Web API, Backend Application, Runtime Sec (two instances), SQL Database, Database Firewall.]

Page 21

Step 3: Plan for xAST in Development, RASP in Production

Layered Application Security

RASP works through the SDLC process, with protection in Operations

Page 22

Not All RASPs are equal: LANGSEC based RASP

Security without Signatures & Heuristics

Signatures: Regular expressions, White lists/Black lists, Pattern matching

Heuristics: Anomaly Detection, Taint analysis, Data Flow Analysis

(The slide marks both of these NO.)

LANGSEC (Language-theoretic Security):

• Accurate: <1% false positives

• Simple: Low TCO, No Tuning

• Fast: 30-50X better than RegEx

LANGSEC is the latest innovation in security technology that removes obfuscation/fuzzing on Data Input so that security protections can be accurately applied at the "moment of truth" (code execution)
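The slide's contrast between signature matching and a language-theoretic check, as an added Python example (this is not code from the deck, Denim Group or Prevoty, and it does not reproduce how Prevoty's product works). The signature pattern, the template query and the sample inputs are constructed for illustration. The signature approach pattern-matches the raw input; the LANGSEC-style approach tokenizes the complete query and asks whether the input stayed inside the single string literal the developer intended, which is what lets it judge inputs that carry no known signature and ignore benign inputs that happen to contain one.

```python
import re

# Approach 1: a signature (regex blacklist), the kind the slide groups under
# "Signatures / Regular expressions". Constructed for illustration.
SIGNATURE = re.compile(r"\bOR\b\s+1\s*=\s*1|\bUNION\b\s+SELECT\b|--", re.IGNORECASE)


def signature_flags(user_value: str) -> bool:
    """Pattern-match the raw input; knows nothing about where it lands in the query."""
    return SIGNATURE.search(user_value) is not None


# Approach 2: a language-theoretic (LANGSEC-style) check. Instead of matching
# patterns in the input, tokenize the *complete* query and compare its shape
# with the shape the developer's template has.
TOKEN_RE = re.compile(
    r"""
    (?P<string>'(?:[^']|'')*')          # single-quoted literal, '' escapes a quote
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<punct>[(),=<>*;.+\-/])
  | (?P<ws>\s+)
    """,
    re.VERBOSE | re.DOTALL,
)


def tokenize(sql: str) -> list:
    """Minimal SQL tokenizer; raises ValueError if the text is not in the language."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"cannot tokenize at offset {pos}: {sql[pos:pos + 10]!r}")
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


def shape(tokens: list) -> list:
    """Erase literal contents so queries that differ only inside literals compare equal."""
    return [(kind, None if kind == "string" else text.upper()) for kind, text in tokens]


# The query an unparameterised (hence vulnerable) application builds; constructed.
TEMPLATE = "SELECT id FROM users WHERE name = '{value}'"
EXPECTED_SHAPE = shape(tokenize(TEMPLATE.format(value="")))


def structure_flags(user_value: str) -> bool:
    """True when the user value changes the query's token structure."""
    query = TEMPLATE.format(value=user_value)   # no escaping: the app under protection is vulnerable
    try:
        return shape(tokenize(query)) != EXPECTED_SHAPE
    except ValueError:
        return True   # the query no longer belongs to the language at all


def compare(values):
    """Run both checks over the same inputs; returns {value: (signature, structure)}."""
    return {v: (signature_flags(v), structure_flags(v)) for v in values}


if __name__ == "__main__":
    samples = [
        "alice",               # benign
        "Robert -- call me",   # benign, but contains a signature token (false positive for the regex)
        "' OR 1=1 --",         # classic tautology: both approaches catch it
        "' OR 'a'='a",         # same effect, no signature token: only the structural check catches it
        "O'Reilly",            # benign, yet the unescaped quote breaks the query: the app must parameterise
    ]
    for value, (sig, struct) in compare(samples).items():
        print(f"{value!r:24} signature={sig!s:5} structure={struct}")
```

The structural check flags "O'Reilly" as well, which is the point to keep in mind when reading the slide's false-positive figure: the check reports that the query left its grammar, not the user's intent, and the lasting fix for the application remains parameterised queries.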

Page 23

PREVOTY SOLUTION TODAY: Protecting applications in production at runtime

• Application Security Monitoring and Protection from inside the application itself at runtime

• No changes to the applications required

• Deployed in the cloud, as a virtual appliance or self-contained in the application

Monitoring: Application Security Intelligence

• Unparalleled insights into what attacks are actually hitting applications in production

• Identifies "who / what / where / when" of an attack

Protection: RASP (Runtime Application Self-Protection)

• Automatic vulnerability mitigation

• Protects content (XSS), databases (SQL injection), tokens (CSRF) and more

• Allow time for development team to remediate critical vulnerabilities

Page 24

PREVOTY APPLICATION SECURITY MONITORING: Unparalleled insights into the threats hitting your applications at runtime

• Who: Identify the origin of the threat. IP address, session info (with User ID), cookie detail

• What: Provide details of the nature of the threat. Contents of the payload, payload intelligence

• When: When did the attack take place. Timestamp (down to the nanosecond)

• Where: Where the exploit happened. URL for web applications, stack trace for SQL queries

Applies to Legacy Applications, New Applications and 3rd Party Applications

Page 25

Ecosystem Integration

Prevoty delivers data on production application attacks in progress to:

• SIEMs

• NGFWs

• IPSs

• WAFs
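How the who / what / when / where record from the monitoring slide can be handed to a SIEM, as an added Python example (not code from the deck, Prevoty or Denim Group, and not Prevoty's actual export format): it renders a constructed event as a line in Common Event Format (CEF), the text format most SIEMs accept. The vendor and product strings, the custom-field mapping, the severity table and the sample event are all constructed; the escaping rules are CEF's own (header fields escape pipe and backslash, extension values escape equals, backslash and newlines), and the nanosecond timestamp the slide mentions is preserved in a custom number because CEF's `rt` field holds milliseconds.

```python
# Added example: render a runtime-security event carrying who / what / when /
# where fields as a CEF line for SIEM ingestion. Everything named here is a
# constructed placeholder, not a real product's schema.

ATTACK_NAMES = {"sqli": "SQL injection", "xss": "Cross-site scripting", "csrf": "CSRF token violation"}
SEVERITY = {"sqli": 9, "xss": 7, "csrf": 6}   # assumed CEF severities (0-10)


def cef_escape(value, header: bool) -> str:
    """CEF escaping: header fields escape '|' and backslash; extension values escape '=', backslash and newlines."""
    text = str(value).replace("\\", "\\\\")
    if header:
        return text.replace("|", "\\|")
    return text.replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")


def to_cef(event: dict) -> str:
    """Map who/what/when/where onto a CEF header plus extension key=value pairs."""
    kind = event["attack_class"]
    header = ["CEF:0", "ExampleVendor", "ExampleRASP", "1.0",   # placeholder vendor/product/version
              kind, ATTACK_NAMES[kind], str(SEVERITY[kind])]
    ns = event["when_ns"]
    extension = [
        # When: CEF 'rt' is epoch milliseconds; keep the full nanosecond value in a custom number
        ("rt", ns // 1_000_000),
        ("cn1Label", "eventTimeNanoseconds"), ("cn1", ns),
        # Who
        ("src", event["who"]["ip"]), ("suser", event["who"]["user_id"]),
        ("cs1Label", "sessionId"), ("cs1", event["who"]["session"]),
        # What
        ("cs2Label", "payload"), ("cs2", event["what"]["payload"]),
        ("cs3Label", "payloadIntel"), ("cs3", event["what"]["intel"]),
        # Where
        ("request", event["where"]["url"]),
        ("cs4Label", "stackTrace"), ("cs4", event["where"]["stack"]),
        ("act", event["action"]),
    ]
    head = "|".join(cef_escape(h, header=True) for h in header)
    ext = " ".join(f"{k}={cef_escape(v, header=False)}" for k, v in extension)
    return f"{head}|{ext}"


SAMPLE_EVENT = {   # constructed sample telemetry, not captured from any system
    "attack_class": "sqli",
    "who": {"ip": "203.0.113.7", "user_id": "u-1042", "session": "sess|42"},
    "what": {"payload": "' OR 'a'='a", "intel": "tautology in WHERE clause"},
    "when_ns": 1_468_929_600_123_456_789,
    "where": {"url": "/api/orders?id=", "stack": "OrdersDao.find(OrdersDao.java:88)"},
    "action": "blocked",
}

if __name__ == "__main__":
    print(to_cef(SAMPLE_EVENT))
```

Note that the pipe inside the session id is left alone in the extension while the equals signs in the payload and URL are escaped; getting those two rules the wrong way round is the usual reason a SIEM parser truncates RASP events.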

Page 26

ThreadFix and Prevoty

• Value of integrating RASP with your Vulnerability Resolution Platform

• Mechanics of integration

Page 27

Marking Applications as RASP-Protected

Page 28

Vulnerability Risk Management and RASP

Page 29

Prioritizing Your Prevoty Rollout

Page 30

Summary & Joint Value

• Unparalleled insights from within the application

• Efficient prioritization and remediation of identified vulnerabilities

• Optimize deployment of Prevoty based on risk and value
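Slides 27 to 29 (marking applications as RASP-protected, vulnerability risk management with RASP, prioritizing the rollout) and the summary's "optimize deployment based on risk and value" describe one procedure; the following is an added Python example of it, not ThreadFix's or Prevoty's code and not their scoring. It takes a constructed export of open vulnerabilities per application, the kind of data a vulnerability resolution platform consolidates, splits each backlog into the classes the deck says RASP mitigates (XSS, SQL injection, CSRF) and the classes it does not, ranks applications by how much risk a RASP deployment would remove, and lists what still needs a code fix once an application is marked protected. The severity weights, the criticality multiplier and the sample data are assumptions.

```python
from collections import defaultdict

RASP_MITIGATED = {"XSS", "SQL Injection", "CSRF"}                       # classes the deck lists
SEVERITY_WEIGHT = {"Critical": 10, "High": 5, "Medium": 2, "Low": 1}   # assumed weights

# Constructed sample export: (application, business criticality 1-3, vuln type, severity, open count)
OPEN_VULNS = [
    ("payments-web", 3, "SQL Injection", "Critical", 4),
    ("payments-web", 3, "XSS", "High", 12),
    ("payments-web", 3, "Path Traversal", "High", 1),
    ("intranet-wiki", 1, "XSS", "High", 30),
    ("intranet-wiki", 1, "CSRF", "Medium", 6),
    ("batch-etl", 2, "Insecure Deserialization", "Critical", 2),
    ("batch-etl", 2, "SQL Injection", "Low", 3),
]


def risk_score(rows) -> int:
    """Severity-weighted count of open findings (assumed scoring)."""
    return sum(SEVERITY_WEIGHT[sev] * n for _, _, _, sev, n in rows)


def summarize(vulns) -> dict:
    """Per application: total risk, risk a RASP would mitigate, and the residual."""
    by_app = defaultdict(list)
    for row in vulns:
        by_app[row[0]].append(row)
    out = {}
    for app, rows in by_app.items():
        criticality = rows[0][1]
        mitigated = [r for r in rows if r[2] in RASP_MITIGATED]
        total = risk_score(rows) * criticality
        covered = risk_score(mitigated) * criticality
        out[app] = {
            "criticality": criticality,
            "total": total,
            "covered": covered,
            "residual": total - covered,
            "coverage_pct": round(100 * covered / total) if total else 0,
        }
    return out


def rollout_order(vulns) -> list:
    """Deploy RASP first where it removes the most risk; break ties by what remains exposed."""
    s = summarize(vulns)
    return sorted(s, key=lambda app: (-s[app]["covered"], -s[app]["residual"]))


def developer_backlog(vulns, rasp_protected: set) -> list:
    """Findings that still need a code fix first: everything on unprotected apps, plus the
    classes RASP does not mitigate on protected apps. RASP buys time on the rest; it does
    not close the vulnerability, so those findings stay open with a lower urgency."""
    return [r for r in vulns if r[0] not in rasp_protected or r[2] not in RASP_MITIGATED]


if __name__ == "__main__":
    for app in rollout_order(OPEN_VULNS):
        s = summarize(OPEN_VULNS)[app]
        print(f"{app:14} total={s['total']:4} rasp-covered={s['covered']:4} "
              f"residual={s['residual']:3} coverage={s['coverage_pct']}%")
    for row in developer_backlog(OPEN_VULNS, {"payments-web"}):
        print("fix first:", row)
```

The two outputs are the two decisions the slides frame: `rollout_order` answers where to deploy runtime protection first, and `developer_backlog` answers which findings a protected application still owes the development team.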

Page 31

Questions and Contact

• ThreadFix www.threadfix.it

• Prevoty www.prevoty.com