Application Security at Scale


Application Security at Scale
Jake Marcinko, Standards Manager, PCI Security Standards Council
Jeff Williams, CTO, Contrast Security

AppSec at Scale Delivering Timely Security Solutions / Services to Meet Evolving Business Demands

Quality Control Integrating Security Testing into the Overall Software Development Life Cycle

Roadblock Security Software Development & Application Security 10 years ago

A Brief History of Time

Waterfall Approach Software Development & Application Security 10 years ago

Agile Development Software Development & Application Security 10 years ago

Network-focused Security Software Development & Application Security 10 years ago

Attack Shift The Evolution of Software Development and Application-Focused Attacks

Security Testing Use of Static / Dynamic Code Scanners in the SDLC

Industry Response The Introduction of Application-focused Security Standards

Continued Evolution The Rise of Business Process Optimization and the Drive Towards Greater Agility & Efficiency

Development Shift The Evolution of Software Development & Delivery

Traditional Security Tools Designed for Security Experts, Not Software Developers

Roadblock Security Avoiding a culture of No

More Risk: Today, the majority of attacks are targeting applications (chart comparing Network Security with Application Security). Source: Ponemon 7/2016, Application Security in the Changing Risk Landscape

The Leading Cause of Breaches! Unsurprisingly, last year 82% of financial breaches were due to weak apps! (chart: Network Security vs Application Security breaches, 2008 to 2016). Source: Verizon 2016, Verizon Data Breach Investigation Report

Less Budget: ...but security spending isn't aligned with risk! (chart comparing Network Security with Application Security spending). Source: Ponemon 7/2016, Application Security in the Changing Risk Landscape

Trend: Application security is getting harder... fast
  - Libraries: explosive growth in libraries and frameworks
  - Services: microservices, APIs, REST/XML services
  - Cloud: rapidly growing use of cloud and containers
  - Agile: high speed software development
Application security can't handle the speed, size, and complexity of modern software development

How Do We Reverse This Trend?

Teammates, Not Adversaries Step One: Partner with Architects, Developers, and Testers

Service-Oriented Step Two: Create On-Demand Security Services For Development Teams
  - Vulnerability Assessment
  - Application Security Automation Support
  - Threat Intelligence / Modeling
  - Security Requirements and Policy
  - Secure Coding Training / eLearning
  - Security Architecture Consultation
  - Vulnerability Remediation Support
  - SDLC Implementation Support
  - Compliance Support

Keeping Pace Step Three: Architect Security Services & Solutions to Further Support Rapid Development

Operating at Scale

Need for Automation: The typical application portfolio has hundreds of millions of lines of code.

Progress! A brief history of application security automation
Development (find vulnerabilities):
  2002  SAST (Static AppSec Testing) and DAST (Dynamic AppSec Testing)
  2012  IAST (Interactive AppSec Testing)
Operations (block attacks):
  2002  WAF (Web Application Firewall) and IDS/IPS (Intrusion Detection/Prevention System)
  2014  RASP (Runtime Application Self-Protection)
  2015  Unified Agent: IAST and RASP

Continuous Application Security

Continuous Application Security: AppSec Assessment and AppSec Protection applied across every pipeline stage: Code & Commit, Build & Config, Scan & Test, Deploy & Release, Run & Monitor (integrations shown: Email, SeleniumHQ)

Security Happens Inside Your Applications. The slide quotes a dictionary definition of instrumentation (sense 4): "The use of measuring instruments to monitor and control a process. It is the art and science of measurement and control of process variables within a production, laboratory, or manufacturing area."

How IAST and RASP Work
Your application stack: Custom Code, Libraries, Frameworks, App Server, Runtime. The Instrumentation Agent sits inside this stack, sees attacks and vulnerabilities, and reports to the Dashboard.
  1. Add agent: -javaagent:appsec.jar
  2. Agent instruments running application
  3. Agent blocks attacks and finds vulnerabilities
  4. Dashboard provides visibility and control
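The slide describes the agent's two jobs (find vulnerabilities, block attacks) but not the mechanism. The following is an added illustrative example, not code from the slides and not Contrast Security's agent: a toy Python sensor that wraps an application's database sink the way a runtime agent instruments a sink inside the running process. Python is used as a stand-in for the JVM agent mechanism (-javaagent) so the idea can be run without a Java toolchain, and the sensor is attached by wrapping a function by hand rather than by bytecode instrumentation. Every name in it (Tainted, AppSecAgent, run_query, find_user_vulnerable, find_user_safe, demo) is invented for the demo, and the users table and inputs are constructed sample data.

```python
"""Toy IAST/RASP-style sensor (added example, not a product's code).

Untrusted input is marked as "tainted". When tainted text reaches the SQL
sink, the sensor records a vulnerability finding (the IAST job); when that
text also has attack shape, it blocks the call before the database sees it
(the RASP job). All identifiers and data here are invented for the demo."""
import functools
import re
import sqlite3


class Tainted(str):
    """A string that came from an untrusted source (e.g. an HTTP parameter).
    Concatenation keeps the taint so it can be recognised again at the sink."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


def source(value):
    """Stand-in for a request-parameter read: everything from here is tainted."""
    return Tainted(value)


# Constructed attack-shape check for the demo only; a real agent would
# tokenise the SQL rather than pattern-match it.
SQLI_SHAPE = re.compile(r"""(?i)['"]\s*(or|and)\s+|--|;\s*drop\b""")


class AttackBlocked(Exception):
    """Raised by the sensor when a sink call is stopped."""


class AppSecAgent:
    """Instruments sinks and keeps the findings a dashboard would display."""

    def __init__(self, block_attacks=True):
        self.block_attacks = block_attacks
        self.findings = []

    def instrument(self, sink):
        """Return the sink with the sensor placed in front of it."""
        @functools.wraps(sink)
        def sensor(conn, sql, params=()):
            if isinstance(sql, Tainted):
                # IAST: untrusted data built the query text, so this is an
                # injection flaw; it is reported even on harmless traffic,
                # which is how ordinary testing surfaces the vulnerability.
                self.findings.append({"rule": "sql-injection",
                                      "sink": sink.__name__,
                                      "query": str(sql)})
                # RASP: the tainted text also looks like an attack, so block.
                if self.block_attacks and SQLI_SHAPE.search(sql):
                    raise AttackBlocked(f"blocked at {sink.__name__}: {sql!r}")
            return sink(conn, sql, params)
        return sensor


def _raw_run_query(conn, sql, params=()):
    """The real sink: hands SQL to the database and returns the rows."""
    return conn.execute(sql, params).fetchall()


# Slide steps 1 and 2 in miniature: attach the agent and instrument the sink.
agent = AppSecAgent()
run_query = agent.instrument(_raw_run_query)


def find_user_vulnerable(conn, username):
    """Application code with the flaw: query text built by concatenation."""
    sql = "SELECT name, role FROM users WHERE name = '" + username + "'"
    return run_query(conn, sql)


def find_user_safe(conn, username):
    """Hardened route: constant query text, data travels as a bound parameter."""
    return run_query(conn, "SELECT name, role FROM users WHERE name = ?", (username,))


def demo():
    """Run normal and attack-shaped traffic through both routes."""
    agent.findings.clear()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    attack_shaped = source("x' OR '1'='1")  # constructed sample input
    results = {}
    # Harmless input on the flawed route: rows come back, but IAST records the flaw.
    results["vuln_normal"] = find_user_vulnerable(conn, source("alice"))
    # Attack-shaped input on the flawed route: RASP stops it before the database.
    try:
        find_user_vulnerable(conn, attack_shaped)
        results["vuln_attack"] = "not blocked"
    except AttackBlocked:
        results["vuln_attack"] = "blocked"
    # Same input on the parameterised route: the query text carries no taint,
    # so there is no finding and no block; the database simply finds no user.
    results["safe_attack"] = find_user_safe(conn, attack_shaped)
    results["findings"] = len(agent.findings)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is the one behind the slide's "security happens inside your applications": because the sensor sits at the sink inside the process, it can tell a real flaw (tainted text in the query) from safe use of the same library (parameters bound separately) without any external scanner, and it can separate the assessment decision (record a finding) from the protection decision (block the call).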

Three Key Goals: Achieving Continuous Application Security
  Management: makes informed decisions with detailed security analytics
  Application Security: security experts deliver security as code
  Development and Operations: push code to production with fully automated security support
(flow shown: New Code to Production)

Eight Fundamental Activities: Achieving Continuous Application Security
Roles shown: Management, Application Security, Development and Operations (flow: New Code to Production)
Activities:
  - Security Orchestration
  - Security Training
  - Threat Intelligence (External)
  - Security Architecture
  - Security Research (Internal)
  - Security Integration
  - Standard Defenses
  - Attack Protection

Continuous AppSec Handbook: Not your grandfather's application security!

Contrast Security: Welcome to the era of self-protecting software. Visionary, Leader, Innovator