Jake Marcinko Standards Manager, PCI Security Standards Council Jeff Williams CTO, Contrast Security Application Security at Scale
AppSec at Scale Delivering Timely Security Solutions / Services to Meet Evolving Business Demands
Quality Control Integrating Security Testing into the Overall Software Development Life Cycle
Roadblock Security Software Development & Application Security 10 years ago
A Brief History of Time
Waterfall Approach Software Development & Application Security 10 years ago
Agile Development Software Development & Application Security 10 years ago
Network-focused Security Software Development & Application Security 10 years ago
Attack Shift The Evolution of Software Development and Application-Focused Attacks
Security Testing Use of Static / Dynamic Code Scanners in the SDLC
Industry Response The Introduction of Application-focused Security Standards
Continued Evolution The Rise of Business Process Optimization and the Drive Towards Greater Agility & Efficiency
Development Shift The Evolution of Software Development & Delivery
Traditional Security Tools Designed for Security Experts, Not Software Developers
Roadblock Security Avoiding a culture of No
More Risk (chart: Network Security vs Application Security) Today, the majority of attacks are targeting applications. Source: Ponemon 7/2016, Application Security in the Changing Risk Landscape
The Leading Cause of Breaches! (chart, 2008-2016: Network Security vs Application Security) Unsurprisingly, last year 82% of financial breaches were due to weak apps! Source: Verizon 2016, Verizon Data Breach Investigation Report
Less Budget (chart: Network Security vs Application Security) ...but security spending isn't aligned with risk! Source: Ponemon 7/2016, Application Security in the Changing Risk Landscape
Trend: Application security is getting harder... fast
Explosive growth in libraries and frameworks
Microservices, APIs, REST/XML services
Rapidly growing use of cloud and containers
High speed software development
Application security can't handle the speed, size, and complexity of modern software development
How Do We Reverse This Trend?
Teammates, Not Adversaries Step One: Partner with Architects, Developers, and Testers
Service-Oriented Step Two: Create On-Demand Security Services For Development Teams
Vulnerability Assessment
Application Security Automation Support
Threat Intelligence / Modeling
Security Requirements and Policy
Secure Coding Training / eLearning
Security Architecture Consultation
Vulnerability Remediation Support
SDLC Implementation Support
Compliance Support
Keeping Pace Step Three: Architect Security Services & Solutions to Further Support Rapid Development
Operating at Scale
Need for Automation The typical application portfolio has hundreds of millions of lines of code. (diagram: containers)
Progress! A brief history of application security automation
Development (find vulnerabilities): 2002 SAST (Static AppSec Testing); 2002 DAST (Dynamic AppSec Testing); 2012 IAST (Interactive AppSec Testing)
Operations (block attacks): WAF (Web Application Firewall); IDS/IPS (Intrusion Detection / Prevention System); 2014 RASP (Runtime Application Self-Protection)
2015 Unified Agent: IAST and RASP
Continuous Application Security
Continuous Application Security: AppSec Assessment and AppSec Protection across the pipeline: Code & Commit, Build & Config, Scan & Test, Deploy & Release, Run & Monitor (tool logos shown: Email, SeleniumHQ)
Security Happens Inside Your Applications. Instrumentation (dictionary sense 4): the use of measuring instruments to monitor and control a process. It is the art and science of measurement and control of process variables within a production, laboratory, or manufacturing area.
How IAST and RASP Work. Your application stack: Custom Code, Libraries, Frameworks, App Server, Runtime. A Runtime Instrumentation Agent sits inside the stack, reporting attacks and vulnerabilities to a Dashboard.
1. Add agent: -javaagent:appsec.jar
2. Agent instruments running application
3. Agent blocks attacks and finds vulnerabilities
4. Dashboard provides visibility and control
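The four steps above in miniature, as an added example that is not the deck's or Contrast's code: a toy "agent" for a Python application that is loaded at start-up (the analogue of -javaagent), patches the library entry point so the application's unchanged sqlite3.connect() hands back instrumented connections, marks request input as untrusted at the boundary, and checks it at the SQL sink. In monitor mode it behaves like IAST and only reports (untrusted data that reaches a string-built query is recorded as a vulnerability); in protect mode it behaves like RASP and also blocks inputs whose tainted span crosses SQL token boundaries, i.e. inputs that changed the query's structure. Everything here is an assumption for illustration: the Agent and InstrumentedConnection names, the regex tokenizer heuristic, and the constructed users table; a real agent instruments at bytecode level and covers every data path, not just Connection.execute.

```python
"""Toy IAST/RASP-style agent for a Python app (illustrative; all names are assumptions)."""
import re
import sqlite3
from dataclasses import dataclass

# Crude SQL tokenizer: quoted string literals (with '' escapes), numbers,
# words (keywords/identifiers) and single punctuation characters.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\w+|\S")


class BlockedRequest(Exception):
    """Raised by the agent in protect mode when an attack reaches a sink."""


@dataclass
class SecurityEvent:
    kind: str      # "vulnerability" (untrusted data in string-built SQL) or "attack"
    sql: str       # query text observed at the sink
    tainted: str   # the untrusted input involved


class Agent:
    """mode="monitor": report only (IAST). mode="protect": report and block (RASP)."""

    def __init__(self, mode="monitor"):
        self.mode = mode
        self.tainted = []   # untrusted values seen during the current request
        self.events = []    # what the dashboard would receive

    def begin_request(self):
        self.tainted = []

    def taint(self, value):
        if value:                     # empty strings cannot alter a query
            self.tainted.append(value)
        return value

    def check_sql(self, sql):
        for value in self.tainted:
            start = sql.find(value)   # verbatim substring match: untrusted bytes in the query text
            if start < 0:
                continue              # absent: parameterised, or transformed before use
            end = start + len(value)
            spans = [(m.start(), m.end()) for m in _TOKEN.finditer(sql)]
            covering = [s for s in spans if s[0] < end and s[1] > start]
            if len(covering) == 1:
                # Input stayed inside one literal/number token: the query is still built
                # from untrusted input (a SQLi vulnerability), but this input is not an attack.
                self.events.append(SecurityEvent("vulnerability", sql, value))
            else:
                # Input spans several tokens, so it changed the query's structure.
                self.events.append(SecurityEvent("attack", sql, value))
                if self.mode == "protect":
                    raise BlockedRequest(f"SQL injection blocked at sink: {sql!r}")


AGENT = Agent()


class InstrumentedConnection(sqlite3.Connection):
    """The instrumented sink: every Connection.execute passes through the agent first."""

    def execute(self, sql, parameters=()):
        AGENT.check_sql(sql)
        return super().execute(sql, parameters)


# Start-up hook (the -javaagent analogue): patch the library entry point so that the
# application's own sqlite3.connect() calls return instrumented connections unchanged.
_original_connect = sqlite3.connect


def _instrumented_connect(*args, **kwargs):
    kwargs.setdefault("factory", InstrumentedConnection)
    return _original_connect(*args, **kwargs)


sqlite3.connect = _instrumented_connect


# --- application code, untouched by the agent; the users table is constructed sample data ---
def create_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'user'), ('admin', 'admin')")
    return conn


def lookup_role_unsafe(conn, name):
    AGENT.begin_request()
    name = AGENT.taint(name)          # request boundary: value came from the client
    sql = f"SELECT role FROM users WHERE name = '{name}'"   # vulnerable: string-built SQL
    return [row[0] for row in conn.execute(sql)]


def lookup_role_safe(conn, name):
    AGENT.begin_request()
    name = AGENT.taint(name)
    # Parameterised: the tainted value never enters the SQL text, so no event is raised.
    return [row[0] for row in conn.execute("SELECT role FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    db = create_db()
    lookup_role_unsafe(db, "alice")
    lookup_role_unsafe(db, "x' OR '1'='1")
    for event in AGENT.events:
        print(event.kind, "|", event.tainted, "|", event.sql)
```

The token-boundary rule is the same idea a real IAST/RASP agent applies with a proper SQL parser: benign input stays inside one literal, an injection spans several tokens. The monitor-mode run records a vulnerability even for the harmless "alice" lookup, which is the point of IAST: the string-built query is reported during ordinary testing, before any attacker supplies the payload.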
Three Key Goals: Achieving Continuous Application Security (diagram: Management, Application Security, Development and Operations; New Code -> Production)
Management makes informed decisions with detailed security analytics
Security experts deliver security as code
Push code to production with fully automated security support
Eight Fundamental Activities: Achieving Continuous Application Security (diagram: Management, Application Security, Development and Operations; New Code -> Production)
Security Orchestration; Security Training; Threat Intelligence (External); Security Architecture; Security Research (Internal); Security Integration; Standard Defenses; Attack Protection
Continuous AppSec Handbook: Not your grandfather's application security!
Contrast Security: Welcome to the era of self-protecting software. (analyst badges shown: Visionary, Leader, Innovator)