Discover Best of Show März 2016, Düsseldorf

Transcription

1 Discover Best of Show März 2016, Düsseldorf

2 März 2016 Softwaresicherheit im Zeitalter von DevOps Lucas von Stockhausen Regional Product Manager Fortify

3 The case for Application Security I am secure I have a firewall 3

4 Malware over the years HPE Security Research Cyber Risk Report

5 There is a breach in the headlines almost every day 5

6 Casualties Accidents Aircraft Accidents over the years 3000 Aircraft Accidents Year Casualties Accidents Number of accidents and fatalities per year (excluding sabotage, shoot-downs) 6

7 The increase in attacks is constant Ponemon Cost of Cyber Crime Study 2012 Ponemon Cost of Cyber Crime Study

8 Existing network and perimeter based security is insufficient % of breaches exploit vulnerabilities in the application layer Yet the ratio of spending between perimeter security and application security is 23-to-1 - Gartner Maverick Research: Stop Protecting Your Apps; It s Time for Apps to Protect Themselves (2014)

9 Basic hacking example 9

10 Live example SQL Injection Telnet Cross site scripting 10

11 SQL-Injection String username = ctx.getauthenticatedusername(); String itemname = request.getparameter("itemname"); String query = "SELECT * FROM items WHERE owner = '" + username + "' AND itemname = '" + itemname + "'"; ResultSet rs = stmt.execute(query); String username = ctx.getauthenticatedusername(); String itemname = request.getparameter("itemname"); String query = "SELECT * FROM items WHERE owner = '" + lucas+ "' AND itemname = '" + "x' or 1=1; -- + "'"; ResultSet rs = stmt.execute(query); username = lucas itemname = "x' or 1=1; -- SELECT * FROM items WHERE owner = 'lucas' AND itemname = 'x' or 1=1; -- '"

12 SQL-Injection 12

13 Telnet session 13

14 XSS Cross Site Scripting 14

15 Real word payloads 15

16 Real-world payloads So, what is XSS truly capable off What can you execute?

17 Real-world payloads Simple answer: JavaScript

18 Real-world payloads Simple answer: JavaScript Wait. That weak-sauce web scripting language that you had to learn in college back in the day? How bad could it be?

19 Real-world payloads Javascript is a full-featured programming language Object-oriented C-like syntax Extremely powerful Native in every browser

20 Real-world payloads In sum, being able to run JavaScript on a victim s browser has a LOT of potential

21 Real-world payloads In sum, being able to run JavaScript on a victim s browser has a LOT of potential Let s take a look at a possible attack and how to build it up Let s go to

22 Real-world payloads

23 Real-world payloads

24 Real-world payloads enter your username',' '); password=prompt('please enter your password',' '); alert("username="%2b%0ausername%2b%0a" and password="%2b%0apassword);</script>

25 Real-world payloads enter your username',' '); password=prompt('please enter your password',' '); document.write('<img src=" alt=""'); document.write('<br>invalid Login: '%2B%0Ausername);</script>

26 Real-world payloads enter your username',' '); password=prompt('please enter your password',' '); document.write('<img src=" rd%2b'">'); document.write('<br>invalid Login: '%2Busername);</script>

27 Real-world payloads There are many other possibilities and Opportunities Remember, if these are the easy options, imagine what others are capable of!

28 Real-world payloads There are a number of ways to launch the actual attack Stored XSS Reflected XSS Owning a page that a victim visits Remember, navigating to a page is permission to run what s on that page Consider visiting a webpage is an act of significant trust

29 What is the reason 29

30 Today s approach > expensive, reactive 1 Somebody builds insecure software IT deploys the insecure software We convince & pay the developer to fix it 2 4 We are breached or pay someone to tell us our code is insecure 3

31 Cost Why it doesn t work 30x more costly to secure in production 30X 10X 15X 5X 2X Requirements Coding Integration/ component testing System testing Production After an application is released into Production, it costs 30x more than during design. Source: NIST

32 The right approach > systematic, proactive Embed security into SDLC development process 1 2 In-house Outsourced Commercial Open source Leverage Security Gate to validate resiliency of internal or external code before Production 3 Improve SDLC policies Monitor and protect software running in Production This is application security

33 The help Static Application Security Testing (SAST) Dynamic Application Security Testing (DAST) Interactive Application Security Testing (IAST) Runtime Application Self Protection (RASP)

34 Example Process for Analysis Development Teams Security AWB 2. Audit Defect Tracking System Monitor CM Project Security Lead Source Code Repository(s) CISO 3. Assign CM Central Build Server(s) Build Tool Fortify SCA 5. Validate AWB WebInspect Development Manager 1. Identify Security Auditor IDE 4. Fix Fortify CM Fortify SSC Server 6. Report Developer

35 Movement to DevOps Business leaders have Agility at the top of their priorities as they prepare for the fast-paced, very competitive future. Processes need to be further streamlined, minimize resource consumption and reduce time-to-market. Security context Development organizations can save time and money by building in security early in the development process 35

36 Challenges in a DevOps environment Developers are not security experts Security testing is an afterthought Pressure to push out software into production leaves no time for security Security assessment take up resources 36

37 Introducing HPE Security DevInspect Bringing application security closer to the Developer AppSec solution created for developers to identify and remediate security vulnerabilities in source code within the native developers environment. Brings market-leading AppSec technologies directly to the developer, ensuring secure code as your shift left in your dev process. Real-time, instant security results as the developer is writing code. Enable developers to assess for security weaknesses. 37

38 End to End Application Security Static Dynamic Runtime On-premise DevInspect App Defender On-demand Fortify on Demand App Defender Application Development 38

39 HPE Security DevInspect: Static Code Analysis Real-time lightweight analysis of the source code Dynamic Analysis Runtime Analysis Documentation 39

40 What s included in DevInspect 1.0? Static Code Analysis Real-time lightweight analysis of the source code Integration for Fortify Software Security Center (SSC) Integration for Fortify on Demand (FoD) Documentation 40

41 Key Benefits DESIGNED FOR THE DEVELOPER Fully integrated into the native development environment (IDE) Supports the DevOps toolchain Providing thorough and robust software security analysis of an application INSTANT RESULTS (Fast) Inline analysis of the source code as the developer types providing immediate feedback Out of the box results no configuration required CONTINUOUS FEEDBACK Continuously updated security findings as code is written Tracks findings and guided developers toward remediation 41

42 Example Process for Static Analysis in DevOps Development Teams Security AWB Defect Tracking System Monitor CM Project Security Lead Source Code Repository(s) CISO CM Central Build Server(s) Build Tool Fortify SCA 4. Validate AWB WebInspect Development Manager 1. DevInspect IDE 2. Checkin 3. Milestone Scan Fortify CM Fortify SSC Server Security Auditor 5. Report Developer

43 Security Assistant Real-time lightweight analysis of the source code Fortify menu for additional options Fortify Icon added to icon bar Detailed remediation advice Vulnerable line of code highlighted & Tool tip for additional information All issues detected in the project 43

44 Thank you 44