350 likes | 465 Views
Runtime protection in the real world. Brooks Garrett, Security Architect. Who are you?. Brooks Garrett. Security Architect, Fortify on Demand. Professional Head Security Architect for Global FOD Operations Information Security professional for 5 years CISSP
E N D
Runtime protection in the real world Brooks Garrett, Security Architect
Brooks Garrett Security Architect, Fortify on Demand • Professional • Head Security Architect for Global FOD Operations • Information Security professional for 5 years • CISSP • Worked with multiple Fortune 100 companies • OWASP Member • Contributor to community AppSec Projects (DVWA) • Personal • Father • Rugby player for over 8 years
What is Fortify on Demand? Static Analysis Dynamic Analysis Mobile App’s
What is Fortify on Demand? • Distributed Operations • Presence in 4 major regions around the world • Customers in over 15 countries • 5 Data centers • 3 Operations teams High Volume (This Year) • Over 300 customers • Over 3,000 applications • Over 15 languages • Over 225 Million lines of code
The problem Errors Bugs Performance
Evolving attacks • Obfuscation: • URL Encoding • Javascript Packing • Double encoding • Malformed UTF-7 • Business Logic: • Purchase with negative value • Bypass multi-step process validation • Ship without paying
Security vs. functionality • Developers have competing priorities • Functionality tends to ship ahead of security • Project roadmaps aren’t including exhaustive security reviews • Developer training is often framework or technology centric
Standardized logging, isn’t • What are your apps doing? • If someone is abusing an application how would you know • Network events are standardized and documented • Internal application logging is often the Wild West of IT • Developers tend to log in various formats and focus on debug related events • Less focus on security centric events • Definition of security event varies from application to application • SIEM solutions expect normalized data to work efficiently
The solution • What if we could: • Block advanced injection attacks • Regardless of obfuscation • Integrate seamlessly with our existing applications • Generate application event logs • Without burdening developers or making code changes • In an industry standard format
What about WAF? • WAF is too far from your application: • WAF can’t block advanced injection attacks • The WAF only sees obfuscated attacks • WAF can’t integrate seamlessly with our existing applications • WAF doesn’t understand application flow • WAF can’t generate application event logs • WAF has no visibility into application functions
Examples • WAF is great in theory but falls short in reality: • Block advanced injection attacks • The WAF only sees obfuscated attacks • id=1%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/1,2,password%252f%252a*/FROM%252f%252a*/Users–+ • Integrate seamlessly with our existing applications • WAF doesn’t understand application flow • No integration, just another layer of network defense • Generate application event logs • WAF has no visibility into application functions • WAF talks GET and POST, the application talks File.WriteLine(SSN.ToString())
"Give a small boy a hammer, and he will find that everything he encounters needs pounding." Abraham Kaplan (1964)
The solution • Fortify RTA • Integrates into the CLR (Common Language Runtime) for a deep inspection of the application • Fast deployment time • Leverages standard Fortify rule definitions with ongoing support and updates • Increases resource consumption by less than 10% • Extremely flexible response capability • Provides line of code detail for developer remediation • Extends and enables logging from the application without code changes • Removes the need for additional SSL certificate deployment and management
Deployment • Basic plan • Deploy SSC (Software Security Center) • Configure Federations • Deploy Agents
SSC • Software Security Center • Java Web Application • Runs well inside Tomcat 7 • Deployed with MySQL • Optional
Configure federations • Federations provide • Centralized configuration management • Centralized update management • Ability to separate endpoints for better visibility • Ability to swap between Protect and Log mode, on the fly • Ability to temporarily disable the solution completely
Agent deployment • Basic plan • Agent installer is a single EXE package • Requires a server service restart • Agents register according to federation rules
Deployment experience • Positive • Able to deploy to all servers with zero downtime inside one week • Deployed via SCCM • Integration with ArcSight and other CEF compliant devices was painless • Considerations • SSC will house all of your security event data, proper database planning advised • Deploy throughout the whole organization starting in QA and Integration • Deploy in log mode initially but commit to enabling Protect mode for the most value
Getting value from the solution • Immediate value from advanced features • Closing the loop and providing developers with line of code detail • Standardized application logging without changing existing code • Versatile response capabilities
Closing the loop • Developer visibility at line of code level • Beyond URLs • Covers both security and performance issues • Line of code reference for issues • Specific stack trace for exceptions • Sample request data for reproducing event
Standardized application logging • DevOps visibility into security issues • OWASP AppSensor without code changes • User logon • User logout • User privilege level change • User password changed • Substituting another user’s session ID • Hidden field manipulation
Standardized application logging • DevOps visibility into security issues • Industry standard events from all apps • CEF format readily consumable by COTS devices • Instant standardization of event data • Common transport mechanism over syslog
Versatile response capabilities • Custom automated responses • Respond to threats based on severity • Ignore the attack • Silently block the attack • Block and display a specific error page • Integrate with SIEM and active response to eradicate malicious users
The future is now • RTA provides • Advanced defenses against sophisticated attacks regardless of obfuscation • The closest technology is a WAF… • And it doesn’t come close • Rapid deployment with zero downtime for clustered environments • Line of code references for your developers • Application logging based on industry best practice with zero coding required • Powerful and granular response capability from ignore to nuke from orbit
The new reality of application security • Previous thinking isn’t working • It is no longer enough to provide network level defenses for application level vulnerabilities • Application security must move beyond the network and into the application • The ultimate goal of all application security is safeguarding data • The application is the closest layer to your data
For more information Attend these sessions Visit our booth After the event • 1293, Getting the most out of Fortify SCA • 1239, HP Fortify on Demand • B2 • Contact your sales rep • Visit the website at: http://hp.com/go/appsec Your feedback is important to us. Please take a few minutes to complete the session survey.