Securing Production Applications & Data at Runtime. Prevoty

Transcription

1 Securing Production Applications & Data at Runtime Prevoty

2 Introducing Prevoty Scalable visibility and protection for all applications and services Over Verticals: Awards & Recognitions Years in Production 100 Banking Fin Services 100% Y/Y Growth USVP Funded years of combined enterprise experience Insurance Retail Ecommerce Media Healthcare Higher Ed Most Innovative Application Security Solution for 2016 Best Web Application Security Solution 2016 Julien Bellanger Co-Founder, CEO Kunal Anand Co-Founder, CTO George Vukcevich VP, Sales Farzad Tari VP, Business Development Chris Prevost VP, Solutions

3 Current State What s going on?

4 Applications are Transforming > Computation in the cloud > Applications and micro-services are running in containers and VMs > Pushing code more frequently #DevOps

5 Application security is forced to move at the pace of a business

6 Reality #1 Firewalls lack app context and can t scale with DevOps

7

8 Reality #2 Defenses predicated on signature updates and pattern matching will lose

9 alert( Hello World! );

10 <script[^>]*>[\\s\\s]*?</script[^>]*> <script[^>]*>[\\s\\s]*?</script[[\\s\\s]]*[\ \s\\s] <script[^>]*>[\\s\\s]*?</script[\ \s]*[\\s] <script[^>]*>[\\s\\s]*?</script <script[^>]*>[\\s\\s]*?

11 $=~[];$={ :++$,$$$$:(![]+"")[$], $:++$,$_$_:(![]+"") [$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$ $$_:(!""+"")[$],$ :++$,$_$:++$,$$ :({}+"")[$],$$_:++ $,$$$:++$,$ :++$,$ $:++$};$.$_=($.$_=$+"")[$.$_$]+ ($._$=$.$_[$. $])+($.$$=($.$+"")[$. $])+((!$)+"") [$._$$]+($. =$.$_[$.$$_])+($.$=(!""+"")[$. $])+ ($._=(!""+"")[$._$_])+$.$_[$.$_$]+$. +$._$+$.$;$.$$=$. $+(!""+"")[$._$$]+$. +$._+$.$+$.$$;$.$=($. )[$.$_] [$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$ $_+"\\"+$. $+$.$$_+$._$_+$. +"(\\\"\\"+$. $+$. $+ $. +$.$$$_+(![]+"")[$._$_]+(![]+"")[$._$_]+$._$+",\ \"+$.$ +$. +"\\"+$. $+$. $+$._$_+$.$_$_+"\\"+$. $ +$.$$_+$.$$_+$.$_$_+"\\"+$. $+$._$_+$._$$+$.$$ +"\\"+ $. $+$.$$_+$._$_+"\\"+$. $+$.$_$+$. $+"\\"+$. $+$.$ $_+$. +$. +"\\\");"+"\"")())();

12 Reality #3 Vulnerability management takes a lot of time (150 days/vuln) and forces exceptions (risk++)

13

14 We need to talk about #DevOps

15

16 Reality #4 Apps lack logging and visibility around security events

17 Reaction: Security Operations Center

18 Reaction: Application Developers

19 We need something better

20 Idea! Bad things can happen inside an application. What if we put a security control in there?

21 Runtime Application Security Monitoring and Protecting from Inside the App

22 Prevoty Runtime Providing application & data security visibility & protection at runtime 2. Detect Provides visibility into attack execution in production applications Detects and prevents runtime attacks High-performance for production environments Plug-in based, deployed via DevOps 1. Inspect Prevoty plug-ins use deep instrumentation to inspect application activity at runtime 3. Protect Instant mitigation against attacks including the OWASP Top 10, including content, database and command injections 4. Alert Works with: If the payload is malicious, alerts are issued to log files and any configured SIEMs Legacy Applications New Applications Third-party Applications Web Services Cloud Applications

23 Seamless DevOps Integration Align AppSec with Continuous Integration & Deployment Prevoty is dropped into automated CI and CD processes Prevoty travels with the application through the entire SSDLC. Insights are produced in many formats: CEF, LEEF, JSON

24 Automate Visibility & Protection > Last line of defense that travels with the app > With DevOps, apps can be secure by default > Get pre-correlated security logs for faster incident response

25 Integration > Drop-in agents and framework plugins require no code changes >.NET, Java, PHP, Python, Ruby, etc.

26 Attack Coverage > Code Injections: Cross-Site Scripting, SQLi, Command Injection, Path Traversal > App Weakness: Auth Management, Insecure Protocols, Exception Management

27 Awareness & Visibility > Pre-Correlated Intelligence: Network, Application, Endpoint & Database > SIEM Ready: CEF, LEEF, JSON, syslog

28 The W s > Who: IP, App Session (w/ user ID) > What: HTTP variable, DB query > Where: URL, file name, line number > When: Nanosecond timestamp

29 Top Use Cases > Automated vulnerability remediation to supplement lack of resources (ROI) > Building a heat map of actual risk to prioritize remediation > Embedded security via DevOps (secure by default)

30 Language Security A Better Methodology

31 What if you could figure out what a SQL query will do before it hits the database?

32 LANGSEC allows you to look at input through the lens of its language (grammar)

33 LANGSEC HTTP Var -> Cross-Site Scripting SQL Query -> SQL Injection Process -> Command Injection

34

35

36 BENCHMARK - OPERATIONS / SECOND 50 Patterns 100 Patterns 500 Patterns Prevoty 100,000 10,000 1, Inputs 500 Inputs 1000 Inputs 5000 Inputs Inputs

37 Wrap-Up Take-Aways

38 Transformation Creates Challenges > Everyone lacks application visibility > Vulnerability management is difficult to scale and takes a very long time (SSDLC pain) > Desire to push code frequently #DevOps

39 Automate Visibility & Protection > Last line of defense that travels with the app > With DevOps, apps can be secure by default > Get pre-correlated security logs for faster incident response

40 Language Security > Stay one step ahead of the attackers > Reduce operational overhead > Stop doing pattern matching!

41 Thank You Questions?