Application Security at DevOps Speed and Portfolio Scale. Jeff Contrast Security

Transcription

1 Application Security at DevOps Speed and Portfolio Scale Jeff Contrast Security

2 OWASP XSS Prevention Cheat Sheet 1,000,000 Page Views!

3 About Me

4 Application Security Is Healthcare

5 Sensors Are Revolutionizing Healthcare Your phone will know you re sick before you do! Instrumenting the body means continuous realtime monitoring Not periodic checkups

6 Modern Software Development Javascript/Ajax Libraries and Frameworks Serialized Objects Aspect Oriented Programming Cloud/Mobile Inversion of Control SOAP/REST Agile Raw Socket DevOps Traditional appsec tools and techniques simply can t handle ANY of these

7 Security AppSec Progress Continuous Software AppSec

8 Starting Over

9 Defining Portfolio Scale The right defenses for every application are Present Correct Used Properly

10 Application security happens continuously and in real time Defining DevOps Speed

11 One Thing at a Time Is my portfolio protected against clickjacking?

12 Gathering Intelligence Controller Presentation Business Functions Data Layer Third Party Libraries Framework Application Server Platform Runtime Operating System

13 Security Intelligence Sources Vulnerability Trace HTTP Traffic Data Flow Backend Connections Control Flow Libraries and Frameworks Configuration Data

14 Designing a Clickjacking Sensor Intel Sources Analysis Technique Experiment Style Environment Code Manual Positive Dev HTTP SAST Negative CI Configuration DAST Sampling Test Data Flow IAST Intelligence QA Control Flow Passive Staging Libraries JUnit Security Connections Choose based on: Speed Accuracy Feedback Scalability Ease of Use Cost Prod

15 Continuous ClickJacking Defense Verification A new HTTP sensor to verify that the X-Frame-Options header is set to DENY or SameOrigin on every webpage DEV CI TEST QA STAG SEC OPS Data Warehouse: Application Security Intelligence Manual Dynamic Static Interactive JUnit

16 Instrumentation Instrument your applications and they report their security regardless of your organizational or technical structure. Internal Networks Ad-Hoc Servers External Facing Cloud

17 Run Against Entire Portfolio TB RPC CM TY JJ RH CO AS RA F IR XX QP X DD S Application Name Result Grade TBMarks 88% A RPC 0% F CaseyMotors 0% F Financials 72% C International Reporting 0% F Financials ClickJacking Defense C (72%) /home DENY /home/error.jsp - /home/index.jsp DENY /account SAME-ORIGIN /account/report.jsp -

18 Check Your Headers

19 Continuous AppSec Dashboard

20 One Small Step Towards Continuous AppSec We transformed clickjacking verification to devops speed and portfolio scale! Before Annual pentest Negative signatures One app at a time After Continuous monitoring Positive verification Portfolio wide Okay, clickjacking. Big deal.

21 More Sensors I want a sensor to verify My business logic makes access control checks My libraries are free from known vulnerabilities My forms are not susceptible to CSRF attacks My interpreters are protected against injection My encryption is implemented correctly My application has no unknown connections And much more.

22 Access Control Intelligence Sensor Source File TestSBMBugtrackerController.java @PreAuthorize("hasRole('ROLE_BUG_CREATE')") CheckAppStatusController.java MISSING ViewConsoleEventsController.java DeleteEngineConfigController.java ErrorController.java MISSING InboxController.java @PreAuthorize("isAuthenticated()") Control Flow SAST LoginController.java MISSING Intelligence CI

23 Generated Access Control Matrix from Code ROLE_APPLICATION_DELETE TracesGetBugtrackersController.java O TracesGetUsersController.java O TracesJIRAExportController.java O TracesMergeController.java O TracesSaveStatusController.java O TracesSearchController.java O TracesSendToBugtrackersController.java TracesTreeController.java O TracesViewerController.java O TraceViewerWorkingNotificationController.java O ViewTracesController.java O UpdateAppConfigurationController.java O BannerController.java O BillingAccountActivityController.java O O BillingApplyPaymentController.java O BillingAppsController.java O BillingExecuteOrderController.java O ROLE_APPLICATION_GROUP ROLE_APPLICATION_REET ROLE_TRACES_DELETE ROLE_TRACES_SENDMAIL ROLE_TRACE_SEARCH ROLE_ENGINE_DOWNLOAD ROLE_ENGINE_PROFILES ROLE_CONSOLE_VIEW ROLE_BUGTRACKER_VIEW ROLE_BUGTRACKER_CREATE ROLE_BUGTRACKER_DELETE ROLE_AUDIT_VIEW ROLE_ENGINE_A ROLE_LI

24 Known Vulnerable Libraries Sensor Run DependencyCheck during every build (and do a build once a month even if nothing changed) Libraries SAST Negative CI

25 CSRF Defense Sensor HTTP Passive Positive QA Run tests through ZAP ZEST to check CSRF Token Get results via ZAP REST API

26 Canonicalization Correctness Sensor Code JUnit Positive Staging

27 Injection Sensors Use code instrumentation tools for DFA vulnerabilities Data Flow IAST Negative Dev

28 Architecture, Inventory, and More What would you like to gather from all your applications? Inventory? Architecture? Outbound connections? Lines of code? Security components? All possible. and all at devops speed and portfolio scale

29 Building Continuous AppSec DEV CI TEST QA STAG SEC OPS Data Warehouse: Application Security Intelligence Manual Dynamic Static Interactive JUnit

30 Sensors? How do you know what sensors you need? 1) The OWASP Top Ten? 2) What your tools are good at? 3) What your pentester thinks is important? 4) Actually figure out what matters?

31 Aspect 2013 Global AppSec Risk Report Applications with at Least One Vulnerability in Category 90% 80% Higher Risk 70% Lower Risk 60% 50% 40% 30% 20% 10% 0%

32 What s In Your Expected Model? Expected Requirements Threat Model Abuse Cases Policy Standards There is no security without a model

33 What Are You Actually Testing? Pentest Actual Code Review Tools Arch Review

34 Unfortunately Expected Actual Not being tested (aka RISK) Doesn t need testing (aka WASTE)

35 Secure? Are You Secure?

36 Aligning Sensors with Business Concerns Business Concerns Fraud Data Protection Availability Defense Strategies Minimize Sensitive Data Role Based Access Control Encrypt Data in Storage and Transit Logging and Intrusion Detection Actual Defenses Full Disk Encryption with TrueCrypt Programmatic Encryption with ESAPI TLS Everywhere with Venafi Sensors Libraries Present and Up-to-date Encryption Correctness with Junit Tests ESAPI Used Properly

37 Continuous Application Security! New Threats, Business Priorities Translate expected into sensors Expected Actual Application Portfolio A A A A A A A A A A A A A A A A A A Application security dashboards

38 How to Get Started Choose a sensor Build it with developers Deploy your sensor Create a dashboard using Excel

39 Transforming AppSec AppSec Strategy AppSec Optimization AppSec as Business Driver AppSec Compliance AppSec Monitoring We will never improve if our only metric is whether we are doing what everyone else is doing

40 Thank You! Please stop by our

41 Expected:Tracking Coverage Infrastructure Security Logging and Accountability Data Protection Minimal data collection Secure Development Security Verification Incident Response Strong encryption in storage and transit All external connections use SSL All internal connections use SSL SSL hardened according to OWASP All highly sensitive data encrypted Encryption uses standard control Encryption uses AES, no CBC or ECB Universal authentication Pervasive access control Injection defenses Strict positive validation of all input Use of parameterized interfaces All parsers hardened XML parsers set to not use DOCTYPE Browser set no content sniffing header Etc Use Hibernate and secure coding Use JQuery and secure coding Etc

42 Authentication Authorization Cryptography Expected Defense Defense Present? Enterprise Controls Dashboard Defense Correct? Applications Tested? Training and Support Validation Escaping Tokens Logging Intrusion Detection Random Numbers Browser Security Safe API Wrappers Object Reference Management Error Handling