
Application Security at DevOps Speed and Portfolio Scale

Jeff Williams, CEO Aspect Security, Inc. Application Security at DevOps Speed and Portfolio Scale. About Me. Application Security Is Healthcare. Sensors Are Revolutionizing Healthcare. Your phone will know you’re sick before you do!



Presentation Transcript


  1. Jeff Williams, CEO Aspect Security, Inc. Application Security at DevOps Speed and Portfolio Scale

  2. About Me

  3. Application Security Is Healthcare

  4. Sensors Are Revolutionizing Healthcare Your phone will know you’re sick before you do! Instrumenting the body means continuous real-time monitoring… not periodic checkups

  5. Traditional Tools and Techniques Are Failing… DevOps, Agile, Aspect Oriented Programming, Cloud, Mobile, Raw Socket, Libraries and Frameworks, Serialized Objects, Inversion of Control, SOAP/REST, JavaScript, Ajax

  6. AppSec Progress Continuous AppSec Software Security

  7. Starting Over

  8. Defining “Portfolio Scale” The right defenses for every application are… • Present • Correct • Used Properly

  9. Defining “DevOps Speed” Application security happens continuously and in real time

  10. One Thing at a Time… Is my portfolio protected against clickjacking?

  11. Gathering Intelligence Controller Business Functions Data Layer Presentation Third Party Libraries Framework Application Server Platform Runtime Operating System

  12. Security Intelligence Sources Data Flow Backend Connections HTTP Traffic Vulnerability Trace Control Flow Libraries and Frameworks Configuration Data

  13. Designing a Clickjacking Sensor (slide table, four design dimensions) • Experiment Style: Positive, Negative, Sampling, Intelligence • Environment: Dev, CI, Test, QA, Staging, Security, Prod • Analysis Technique: Manual, SAST, DAST, IAST, Passive, JUnit • Data Sources: Code, HTTP, Configuration, Data Flow, Control Flow, Libraries, Connections • Choose based on: Speed, Accuracy, Feedback, Scalability, Ease of Use, Cost

  14. Continuous Clickjacking Defense Verification A new HTTP sensor to verify that the X-Frame-Options header is set to DENY or SAMEORIGIN on every webpage (slide diagram: Data Warehouse: Application Security Intelligence; environments DEV, CI, TEST, QA, STAG, SEC, OPS; techniques Manual, Static, Dynamic, JUnit, Interactive)
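The HTTP sensor described on this slide, written out as an added example (not code from the talk or from Aspect Security): a pure function over captured response headers, so the same check can run in CI, QA or production sampling, plus a dashboard rollup. It goes slightly beyond the slide by also accepting a CSP frame-ancestors directive, which browsers treat as the modern equivalent of X-Frame-Options; the sample responses and hostnames are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Values the slide requires for X-Frame-Options; header values are case-insensitive.
XFO_OK = {"DENY", "SAMEORIGIN"}

@dataclass(frozen=True)
class Finding:
    url: str
    protected: bool
    reason: str

def _frame_ancestors(csp: str) -> Optional[str]:
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return value.strip()
    return None

def check_clickjacking(url: str, headers: Dict[str, str]) -> Finding:
    """Positive-style sensor: the defense must be present AND correct."""
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    # CSP frame-ancestors overrides X-Frame-Options in browsers, so evaluate it first.
    fa = _frame_ancestors(norm.get("content-security-policy", ""))
    if fa is not None:
        if fa.lower() in ("'none'", "'self'"):
            return Finding(url, True, f"CSP frame-ancestors {fa}")
        return Finding(url, False, f"CSP frame-ancestors allows {fa!r}")
    xfo = norm.get("x-frame-options")
    if xfo is None:
        return Finding(url, False, "X-Frame-Options header missing")
    if xfo.upper() in XFO_OK:
        return Finding(url, True, f"X-Frame-Options {xfo.upper()}")
    # ALLOW-FROM is ignored by most browsers; any other value is a misconfiguration.
    return Finding(url, False, f"X-Frame-Options has unsupported value {xfo!r}")

# Constructed sample of captured responses (hypothetical applications).
SAMPLE_RESPONSES = {
    "https://app-a.example/login": {"X-Frame-Options": "DENY"},
    "https://app-b.example/account": {"x-frame-options": "sameorigin"},
    "https://app-c.example/": {"Content-Type": "text/html"},
    "https://app-d.example/": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "https://app-e.example/": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}

def portfolio_report(responses=SAMPLE_RESPONSES) -> Dict[str, int]:
    """Dashboard rollup: count of protected vs. unprotected pages across the portfolio."""
    findings = [check_clickjacking(u, h) for u, h in responses.items()]
    return {"protected": sum(f.protected for f in findings),
            "unprotected": sum(not f.protected for f in findings)}
```

Each Finding carries the reason, which is what a dashboard needs to distinguish a missing header from a misspelled one.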

  15. Run Against Entire Portfolio (slide: grid of application identifiers across the portfolio)

  16. Check Your Headers https://cyh.herokuapp.com/cyh

  17. Continuous AppSec Dashboard

  18. One Small Step Towards Continuous AppSec • We transformed clickjacking verification to DevOps speed and portfolio scale! Okay, clickjacking. Big deal.

  19. More Sensors…

  20. Access Control Intelligence Sensor • Control Flow • SAST • Intelligence • CI

  21. Generated Access Control Matrix from Code

  22. Known Vulnerable Libraries Sensor Run Dependency-Check during every build (and do a build once a month even if nothing changed) • Libraries • SAST • Negative • CI

  23. CSRF Defense Sensor • Run tests through ZAP • ZEST to check CSRF Token • Get results via ZAP REST API • HTTP • Passive • Positive • QA

  24. Canonicalization Correctness Sensor • Code • JUnit • Positive • Staging

  25. Injection Sensors Use IAST tools for DFA vulnerabilities • Data Flow • IAST • Negative • Dev

  26. Architecture, Inventory, and More… • What would you like to gather from all your applications? • Inventory? Architecture? Outbound connections? Lines of code? Security components? • All possible…. and all at devops speed and portfolio scale

  27. Building Continuous AppSec (slide diagram: Data Warehouse: Application Security Intelligence; environments DEV, CI, TEST, QA, STAG, SEC, OPS; techniques Manual, Static, Dynamic, JUnit, Interactive)

  28. Sensors? How do you know what sensors you need? • The OWASP Top Ten? • What your tools are good at? • What your pentester thinks is important? • Actually figure out what matters?

  29. Aspect 2013 Global AppSec Risk Report

  30. What’s In Your Expected Model? Expected Requirements Threat Model Abuse Cases Policy Standards… • There is no security without a model

  31. What Are You Actually Testing? Actual Pentest Code Review Tools Arch Review …

  32. Unfortunately… Expected Actual Not being tested (aka RISK) Doesn’t need testing (aka WASTE)

  33. Are You Secure? Secure?

  34. Aligning Sensors with Business Concerns • Fraud • Availability

  35. Continuous Application Security! Expected / Actual: translate “expected” into sensors (slide diagram: application portfolio, new threats and business priorities, application security dashboards)

  36. How to Get Started

  37. Transforming AppSec • We will never improve if our only metric is whether we are doing what everyone else is doing

  38. Thank You! Please stop by the Contrast Security booth! @planetlevel

  39. Expected: Tracking Coverage • Minimal data collection • … • Strong encryption in storage and transit • All external connections use SSL • All internal connections use SSL • SSL hardened according to OWASP • All highly sensitive data encrypted • Encryption uses standard control • Encryption uses AES, no CBC or ECB • Universal authentication • … • Pervasive access control • … • Injection defenses • Strict positive validation of all input • Use of parameterized interfaces • All parsers hardened • XML parsers set to not use DOCTYPE • Browser set no content sniffing header • Etc… • Use Hibernate and secure coding • Use jQuery and secure coding • Etc… (slide categories: Infrastructure Security, Logging and Accountability, Data Protection, Secure Development, Security Verification, Incident Response)

  40. Enterprise Controls Dashboard
