THE FUTURE OF APPSEC AUTOMATION WHY YOUR APPSEC EXPERTS ARE KILLING YOU. Jeff Williams,

Transcription

1 THE FUTURE OF APPSEC AUTOMATION WHY YOUR APPSEC EXPERTS ARE KILLING YOU Jeff Williams, CONTRAST SECURITY 291 Lambert Avenue Palo Alto, California

2 ARE YOU SECURE? Threats Expected Security Model (claims) Verified Defenses (evidence) 2

3 Claims. asdf Not evidence. But still very cool.

4 1% DOS Espionage Application Security 9% Skimmers 22% 36% 4% Crimeware 14% Point of Sale Insiders 8% *2014 Verizon DBIR

5 1% DOS Espionage Application Security 9% Skimmers 22% 36% 1.7% of security spending 14% 4% Point of Sale Crimeware Insiders 8% *2014 Verizon DBIR

6 The frequency and sophistication of attacks is increasing as the complexity, connectivity, and criticality of our code is increasing * h,p:// biggest- data- breaches- hacks/ 6

7 Application security is eating security Alex Stamos (Yahoo CISO) 7

8 How Are We Doing? 1. Assurance? Coverage? 10% 3. Process Fit? Mad Assurance Coverage Process Fit *2014 Aspect Security Global Application Security Risk Report

9 Space Shu,le Spring Framework Windows 3.1 US Tax Code Window NT 3.5 Firefox Windows NT 4.0 MicrosoT Office 2013 Mac OSX Car SoTware Mouse DNA Financial Organiza9on 400,000 1,165,000 2,500,000 4,400,000 4,500,000 9,500,000 12,000,000 44,500,000 85,000, ,000, ,000,000 The Insane Complexity of Modern Code 1,000,000,000 9

10 TRADITIONAL APPSEC PROGRAM Assurance Application Portfolio Experts Expert Tools Coverage Process Fit Development organiza9ons interpret DELAYS as DAMAGE and route around them.

11 CONTEXT CONTENT IS KING! 11

12 A Vulnerability Is a Pattern of Events DB

13 Rootkits Aren t Always Evil! Enterprise Java Rootkits - BlackHat 2009 The holy grail of backdoors The Java Instrumentation API h,ps:// usa- 09/WILLIAMS/ BHUSA09- Williams- EnterpriseJavaRootkits- PAPER.pdf

14 Instrumentation 1. java -javaagent=agent.jar Class Original Class Bytecode Class 2. premain() 3. addtransformer() 4. loadclass() Agent Java Virtual Machine ClassFile Transformer 5. transform() ClassLoader Instrumented Class Class Class Bytecode Add sensors. bytecode is instrumented for security!

15 DEEP SECURITY INSTRUMENTATION HAS UNFAIR ADVANTAGES Deep Security Instrumentation Code Libraries Runtime Data Flow Software Architecture HTTP Traffic Frameworks Runtime Control Flow Server Configuration SAST DAST WAF Code HTTP Traffic HTTP Traffic Backend Connections Configuration Data Platform Runtime Etc 15

16

17 Daily Work Design Develop Test Code Accepted Released Product Released Product

18 Continuous AppSec 18

19 thousands of reports a minute csp_reports_at_scale.html

20 Surface security info for everyone, not just the security team

21 APPLICATION SECURITY TWO SEPARATE WORLDS Development Operations Tools to detect vulnerabilities Tools to stop attacks 21

22 TODAY EVOLUTIONARY ADVANCES Development Operations IAST Interactive Application Security Testing RASP Runtime Application Self-Protection DAST SAST Threat Agent WAF IDS/IPS Must have technologies Joseph Feiman (Gartner) 22

23 TOMORROW UNIFIED APPSEC Development AND Operations UNIFIED APPSEC RASP IAST A single appsec technology across the entire lifecycle 23

24 INFUSE SECURITY TECHNOLOGIES INTO APPLICATIONS Application SAST DAST Deep Security Instrumentation WAF Agent IDS/IPS Threat 24

25 EXAMPLE: CODE VULNERABILITIES (SQL INJECTION) Concept Architecture Design Development Unit Testing Integration QA Testing Operation Monitoring Generate accurate security architecture diagrams Provide instant vulnerability feedback Add security testing to existing test efforts Identify and block attacks and exploits 25

26 EXAMPLE: THIRD PARTY LIBRARIES (SPRING EL INJECTION) Employee Apps Third Party Apps Public Apps Cloud Apps Rogue Apps Automatically collect library inventory Notify projects of library vulnerabilities Ensure that developers use libraries safely Shield applications from attacks on known vulnerabilities 26

27 The world s fastest application security.