Application Security at Scale

Transcription

1 Jake Marcinko Standards Manager, PCI Security Standards Council Jeff Williams CTO, Contrast Security Application Security at Scale

2 AppSec at Scale Delivering Timely Security Solutions / Services to Meet Evolving Business Demands

3 AppSec at Scale Delivering Timely Security Solutions / Services to Meet Evolving Business Demands

4 AppSec at Scale Delivering Timely Security Solutions / Services to Meet Evolving Business Demands

5 AppSec at Scale Delivering Timely Security Solutions / Services to Meet Evolving Business Demands

6 Quality Control Integrating Security Testing into the Overall Software Development Life Cycle

7 Quality Control Integrating Security Testing into the Overall Software Development Life Cycle

8 Roadblock Security Software Development & Application Security 10 years ago

9 A Brief History of Time

10 Waterfall Approach Software Development & Application Security 10 years ago

11 Waterfall Approach Software Development & Application Security 10 years ago

12 Agile Development Software Development & Application Security 10 years ago

13 Network-focused Security Software Development & Application Security 10 years ago

14 Network-focused Security Software Development & Application Security 10 years ago

15 Network-focused Security Software Development & Application Security 10 years ago

16 Attack Shift The Evolution of Software Development and Application-Focused Attacks

17 Security Testing Use of Static / Dynamic Code Scanners in the SDLC

18 Industry Response The Introduction of Application-focused Security Standards

19 Continued Evolution The Rise of Business Process Optimization and the Drive Towards Greater Agility & Efficiency

20 Development Shift The Evolution of Software Development & Delivery

21 Development Shift The Evolution of Software Development & Delivery

22 Development Shift The Evolution of Software Development & Delivery

23 Traditional Security Tools Designed for Security Experts, Not Software Developers

24 Roadblock Security Avoiding a culture of No

25 More Risk Network Security Application Security Today, the majority of attacks are targeting applications Source: Ponemon 7/2016, Application Security in the Changing Risk Landscape

26 The Leading Cause of Breaches! Unsurprisingly Network Security Application Security Last year, 82% of financial breaches were due to weak apps! Source: Verizon 2016, Verizon Data Breach Investigation Report

27 Less Budget Network Security Application Security but security spending isn t aligned with risk! Source: Ponemon 7/2016, Application Security in the Changing Risk Landscape

28 Trend Application security is getting harder... fast Explosive growth in libraries and frameworks Microservices, APIs, REST/XML services Rapidly growing use of cloud and containers High speed software development Libraries Services Cloud Agile Application security can t handle the speed, size, and complexity of modern software development

29 How Do We Reverse This Trend?

30 Teammates, Not Adversaries Step One: Partner with Architects, Developers, and Testers

31 Teammates, Not Adversaries Step One: Partner with Architects, Developers, and Testers

32 Teammates, Not Adversaries Step One: Partner with Architects, Developers, and Testers

33 Service-Oriented Step Two: Create On-Demand Security Services For Development Teams

34 Service-Oriented Step Two: Create On-Demand Security Services For Development Teams Vulnerability Assessment

35 Service-Oriented Step Two: Create On-Demand Security Services For Development Teams Vulnerability Assessment Application Security Automation Support

36 Service-Oriented Step Two: Create On-Demand Security Services For Development Teams Vulnerability Assessment Application Security Automation Support Threat Intelligence / Modeling

37 Service-Oriented Step Two: Create On-Demand Security Services For Development Teams Vulnerability Assessment Application Security Automation Support Threat Intelligence / Modeling Security Requirements and Policy

38 Service-Oriented Step Two: Create On-Demand Security Services For Development Teams Vulnerability Assessment Application Security Automation Support Threat Intelligence / Modeling Security Requirements and Policy Secure Coding Training / elearning

39 Service-Oriented Step Two: Create On-Demand Security Services For Development Teams Vulnerability Assessment Application Security Automation Support Threat Intelligence / Modeling Security Requirements and Policy Secure Coding Training / elearning Security Architecture Consultation

40 Service-Oriented Step Two: Create On-Demand Security Services For Development Teams Vulnerability Assessment Application Security Automation Support Threat Intelligence / Modeling Security Requirements and Policy Secure Coding Training / elearning Security Architecture Consultation Vulnerability Remediation Support

41 Service-Oriented Step Two: Create On-Demand Security Services For Development Teams Vulnerability Assessment Application Security Automation Support Threat Intelligence / Modeling Security Requirements and Policy Secure Coding Training / elearning Security Architecture Consultation Vulnerability Remediation Support SDLC Implementation Support

42 Service-Oriented Step Two: Create On-Demand Security Services For Development Teams Vulnerability Assessment Application Security Automation Support Threat Intelligence / Modeling Security Requirements and Policy Secure Coding Training / elearning Security Architecture Consultation Vulnerability Remediation Support SDLC Implementation Support Compliance Support

43 Keeping Pace Step Three: Architect Security Services & Solutions to Further Support Rapid Development

44 Operating at Scale

45 Need for Automation The typical application portfolio has hundreds of millions of lines of code. CONTAINER S

46 Progress! A brief history of application security automation Development (find vulnerabilities) Operations (block attacks) SAST DAST 2002 (Static (Dynamic 2002 AppSec Testing) AppSec Testing) WAF (Web Application Firewall) IDS/IPS (Intrusion Detection/ Prevention System) 2012 IAST (Interactive AppSec Testing) 2014 RASP (Runtime Application Self- Protection) 2015 Unified Agent IAST and RASP

47 Continuous Application Security

48 Continuous Application Security AppSec Assessment AppSec Protection Code & Commit Build & Config Scan & Test Deploy & Release Run & Monitor SeleniumHQ

49 Security Happens Inside Your Applications 4. The use of measuring instruments to monitor and control a process. It is the art and science of measurement and control of process variables within a production, laboratory, or manufacturing area.

50 How IAST and RASP Work Your application stack Custom Code Libraries Frameworks App Server Runtime Instrumentation Agent Attacks and vulnerabilities Dashboard 1 Add agent -javaagent:appsec.jar 2 Agent instruments running application 3 Agent blocks attacks and finds vulnerabilities 4 Dashboard provides visibility and control

51 Three Key Goals Achieving Continuous Application Security Management Application Security Development and Operations Management makes informed decisions with detailed security analytics Security experts deliver security as code Push code to production with fully automated security support New Code Production

52 Eight Fundamental Activities Achieving Continuous Application Security Management Security Orchestration Security Training Application Security Threat Intelligence (External) Security Architecture Security Research (Internal) Development and Operations Security Integration Standard Defenses Attack Protection New Code Production

53 Continuous AppSec Handbook Not your grandfather s application security!

54 Contrast Security Welcome to the era of self-protecting software. Visionary Leader Innovator