Application Security Use Cases: RASP, WAF, NGWAF, What The Hell Is The Difference?
Acronym Soup. July 29, 2016.
Definition of Terms: WAF
Web Application Firewall / waf / noun
1. An appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked.
SOURCE: OWASP
Definition of Terms: RASP
Runtime Application Self-Protection / rasp / noun
1. A security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.
SOURCE: GARTNER
Definition of Terms: NGWAF
Next Generation Web Application Firewall / en gee waf / noun
1. Designed for deep security coverage across web applications, from multiple points in the application stack, providing proactive defense and returning relevant and actionable web application security analytics.
SOURCE: SIGNAL SCIENCES
Does The Difference Even Matter? No, not really!
What You Really Want From A Solution
Enable app teams to move quicker and security teams to prioritize efforts through shared, actionable, real-time application security data.
Support modern architecture that won't break production and provides seamless strategic and tactical visibility.
Provide reliable blocking with no required tuning and no performance degradation.
Why Does App Sec Have To Change? Changes In Development Models
Traditional Application Development: 6-24 month cycle
Requirements Gathering > Design > Development > Testing / QA > Production / Implementation > Maintenance
Traditional Application Security: 6-24 month cycle
Requirements Gathering > Design > Development > Testing / QA > Production / Implementation > Maintenance
Security activities bolted onto those phases: Secure Design Process, Code Review, Penetration Testing, Bug and Vulnerability Fixes
Modern Application Development: weekly, daily, hourly cycle times
Modern Application Security: weekly, daily, hourly cycle times
Security embedded in each step. Developers responsible for the security of their own code. Security unit tests required for code acceptance. Smaller security hurdles. Build blocked by failed security tests.
Activities: Security Unit Tests, Secure Design, Secure Code Review
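One concrete form of "security unit tests required for code acceptance" and "build blocked by failed security tests" is a test that parses the code under review and fails whenever a runtime-built SQL string reaches a database call. The block below is an added example written for this page, not the presenter's or any project's own test: the `find_dynamic_sql` check, the sink names it looks for, the `security_gate` wrapper and the constructed `SAMPLE_MODULE` are all assumptions made for illustration.

```python
"""Added example for this page: a security unit test that blocks the build when
runtime-built SQL reaches a database call. Constructed for illustration; not the
presenter's or any project's own test."""
import ast
import sys

# Method names treated as database sinks (assumed; extend for your driver or ORM).
SQL_SINKS = {"execute", "executemany", "executescript"}


def _is_dynamic(node):
    """True if the expression builds a string at runtime from other values."""
    if isinstance(node, ast.JoinedStr):                        # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        # "..." + x or "..." % x; two constants joined together are still static
        return not (isinstance(node.left, ast.Constant)
                    and isinstance(node.right, ast.Constant))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                      # "...".format(x)
    return False


def find_dynamic_sql(source):
    """Line numbers where a sink's first argument is a runtime-built string."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args
                and _is_dynamic(node.args[0])):
            hits.append(node.lineno)
    return sorted(hits)


# Constructed module under test: three unsafe calls and one parameterized call.
SAMPLE_MODULE = '''\
import sqlite3

def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()
'''


def security_gate(sources):
    """The check a CI job runs: (passed, findings) over {filename: source}."""
    findings = [(fname, ln) for fname, src in sources.items()
                for ln in find_dynamic_sql(src)]
    return (not findings, findings)


if __name__ == "__main__":
    passed, findings = security_gate({"sample.py": SAMPLE_MODULE})
    for fname, ln in findings:
        print(f"{fname}:{ln}: runtime-built SQL string passed to a database sink")
    sys.exit(0 if passed else 1)   # the non-zero exit code is what blocks the build
```

Run against the sample module the gate reports lines 5, 6 and 7 and exits non-zero; the parameterized call on line 8 passes. The check only sees strings built directly in the call's first argument, so a query assembled in a variable several statements earlier needs taint tracking or a proper SAST tool rather than this unit-test-sized AST walk.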
Why Does App Sec Have To Change? Changes In Architectural Models
Operational Security / System Security
Data points in: Development Data, Security Data, Activity Data
Security Decision Engine
Security decisions out: Accurate, Timely, Actionable
Traditional Web Applications
End Users > Internet > WAF > Load Balancer > Web Server > Database, with everything behind the WAF inside the datacenter.
Single choke point for security implementation. Looks at inbound network packets for web-layer requests. Analyses requests for attacks. Blocks discovered attacks.
Modern Web Applications (diagram)
End users and mobile users reach web server instances hosted on a PaaS / cloud provider through a REST / JSON API, backed by multiple datastore instances.
Modern Web Applications (the stack on each PaaS / cloud provider instance behind the REST / JSON API)
Runtime / Interpreter: .NET CLR, Java
Web Server: Nginx, Apache, IIS
Source Code: Python, JavaScript, Node.js, PHP
Security Decision Engine Differences
Signature checking. Attack pattern detection. Code and data flow analysis. Language dissection. Machine learning.
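The WAF definition earlier (rules applied to the HTTP conversation) and the "signature checking" versus "language dissection" items in this list can be put side by side in code. What follows is an added example written for this page, not Signal Sciences' or any vendor's product code: a deliberately loose signature WAF next to a RASP-style wrapper that sits where the application hands SQL to its database driver, tokenizes the final statement, and blocks when a request-supplied value has contributed SQL syntax rather than data. The regex rules, the `albums` table, the three requests and the `RaspCursor` wrapper are all constructed for illustration.

```python
"""Added example for this page: a signature WAF beside a RASP-style check at the
SQL execution point. Constructed for illustration; not Signal Sciences' or any
vendor's code."""
import re
import sqlite3

# ---- WAF: rules applied to the HTTP conversation, with no application context.
# Deliberately loose, generic-ruleset style signatures (assumed, not a real ruleset).
WAF_SIGNATURES = {
    "sqli-boolean": re.compile(r"\b(or|and)\b[^=]*=", re.I),   # ' OR '1'='1
    "sqli-comment": re.compile(r"'.*(--|/\*)"),                 # ' --  or  ' /*
    "xss-script":   re.compile(r"<\s*script", re.I),
}


def waf_inspect(params):
    """Return (parameter, rule) pairs a signature WAF would block the request on."""
    return [(name, rule) for name, value in params.items()
            for rule, rx in WAF_SIGNATURES.items() if rx.search(value)]


# ---- RASP: language dissection of the final SQL where the application executes it.
TOKEN_RE = re.compile(r"""
      (?P<string>'(?:[^']|'')*')    # quoted literal, '' is an escaped quote
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<word>[A-Za-z_]\w*)        # keyword or identifier
    | (?P<comment>--[^\n]*)
    | (?P<other>\S)                 # any other character, one token each
""", re.X)


def literal_spans(sql):
    """(start, end) of every string or number literal in the statement."""
    return [(m.start(), m.end()) for m in TOKEN_RE.finditer(sql)
            if m.lastgroup in ("string", "number")]


def breaks_structure(sql, value):
    """True if some occurrence of the tainted value is not wholly inside one
    literal, i.e. the request supplied SQL syntax rather than data."""
    if not value:
        return False
    spans = literal_spans(sql)
    return any(not any(s <= m.start() and m.end() <= e for s, e in spans)
               for m in re.finditer(re.escape(value), sql))


class RaspBlocked(Exception):
    pass


class RaspCursor:
    """Wraps a DB cursor and knows which values came from the request (taint)."""
    def __init__(self, cursor, tainted_values):
        self._cursor = cursor
        self._tainted = [v for v in tainted_values if isinstance(v, str)]

    def execute(self, sql, params=()):
        for value in self._tainted:
            if breaks_structure(sql, value):
                raise RaspBlocked(f"request value {value!r} altered SQL structure")
        return self._cursor.execute(sql, params)


def demo():
    """Run three constructed requests through both engines; returns the outcomes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE albums (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO albums VALUES (?, ?)",
                     [(1, "Rock or Blues = both"), (2, "Quiet")])
    requests = {                                                      # constructed input
        "attack": {"title": "x' OR '1'='1"},                          # tautology
        "union":  {"title": "x' UNION SELECT title FROM albums WHERE ''='"},  # no or/and
        "legit":  {"title": "Rock or Blues = both"},                  # a real album title
    }
    results = {}
    for label, req in requests.items():
        results["waf_" + label] = waf_inspect(req)
        cur = RaspCursor(conn.cursor(), req.values())
        # Vulnerable application code: the value is concatenated into the SQL text.
        sql = "SELECT title FROM albums WHERE title = '" + req["title"] + "'"
        try:
            results["rasp_" + label] = [row[0] for row in cur.execute(sql)]
        except RaspBlocked:
            results["rasp_" + label] = "blocked"
    # The fixed code: a parameterized query, so the tainted value never enters the SQL text.
    cur = RaspCursor(conn.cursor(), requests["attack"].values())
    results["rasp_param"] = [row[0] for row in cur.execute(
        "SELECT title FROM albums WHERE title = ?", (requests["attack"]["title"],))]
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key:12} {outcome}")
```

Running `demo()` shows the two failure modes the later "FN/FP prone" slide refers to: the signature WAF blocks the tautology but also the legitimate title containing "or" and "=" (a false positive), and lets the UNION payload through because it contains neither (a false negative). The execution-point check blocks both attacks, passes the legitimate title because it sits inside one string literal, and passes the parameterized query because the tainted value never reaches the SQL text. Caveat: this toy locates tainted values by substring search, so a request value that happens to equal a keyword or identifier in the query template would be flagged; a real RASP tracks taint through the string operations instead.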
Security Decision Engine Differences
Security decisions out: Accurate, Timely, Actionable.
Integrates into YOUR toolchain. Doesn't get in the way! Low overhead. Shows you what you want to see, when you need to see it. Doesn't overwhelm you with junk. Increases resource effectiveness.
So Where Do We Go From Here? Updating Your Application Security Program
Traditional App Security Technology Stack
Manual Assessment (late 1990s): Doesn't scale. Expensive. Time consuming.
DAST (early 2000s): Unsure code coverage. Quick and dirty. FN/FP prone.
WAF (early 2000s): Expensive to maintain. Not scalable. Resource draining.
SAST (mid 2000s): Expertise required. Developer heavy. Long processing time.
Modern App Security Technology Stack (diagram spanning dev time and ops time)
Components: SAST, Bug Tracking, Vuln Tracking, CI/CD, DAST, Manual Assessment, ChatOps, Alerting Services, Automation, Logging.
NGWAF / RASP: The Future.
Thanks A Bunch!
Tyler Shields, VP Marketing, Strategy, Partnerships
tyler@signalsciences.com, @signalsciences, @txs
www.signalsciences.com