Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.

Acronym Soup (July 29, 2016)


Definition of Terms: WAF
Web Application Firewall / waf / noun
1. An appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked.
Source: OWASP

Definition of Terms: RASP
Runtime Application Self-Protection / rasp / noun
1. A security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.
Source: Gartner

Definition of Terms: NGWAF
Next Generation Web Application Firewall / en gee waf / noun
1. Designed for deep security coverage across web applications, from multiple points in the application stack, providing proactive defense and returning relevant and actionable web application security analytics.
Source: Signal Sciences

Does the Difference Even Matter? No, not really!

What You Really Want From a Solution
- Enable app teams to move quicker and security teams to prioritize their efforts, through shared, actionable, real-time application security data.
- Support modern architectures without breaking production, and provide seamless strategic and tactical visibility.
- Provide reliable blocking with no required tuning and no performance degradation.

Why Does AppSec Have to Change? Changes in Development Models

Traditional Application Development (6-24 month cycle)
Requirements Gathering -> Design -> Development -> Testing / QA -> Production / Implementation -> Maintenance

Traditional Application Security (6-24 month cycle)
The same cycle, with security activities attached to individual phases: Secure Design Process, Code Review, Penetration Testing, Bug and Vulnerability Fixes.

Modern Application Development
Weekly, daily, or hourly cycle times.

Modern Application Security (weekly / daily / hourly cycle times)
- Security embedded in each step
- Developers responsible for the security of their own code
- Security unit tests required for code acceptance
- Smaller security hurdles
- Build blocked by failed security tests
Activities: security unit tests, secure design, secure code review.
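One concrete form of "security unit tests required for code acceptance" and "build blocked by failed security tests", as an added example that is not code from the deck or from Signal Sciences. The comment renderer, the user lookup, the payload lists and the `security_gate` runner are all constructed for illustration; each test expresses an attack the code must resist as a negative test case, and the gate's exit status is what a CI stage would key on. The deliberately unsafe renderer is included only to show the gate catching a regression.

```python
"""Added example, not from the deck: security unit tests that encode the attacks
the code must resist, plus the gate a CI stage runs to block the build when one
fails. The renderer, the lookup, the payload lists and the gate are constructed."""
import html
import sqlite3
import sys

# --- application code under test ------------------------------------------------
def render_comment(author: str, body: str) -> str:
    """HTML fragment for a user comment; html.escape() is what the test protects."""
    return f'<div class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</div>'

def render_comment_unsafe(author: str, body: str) -> str:
    """The regression the test exists to catch: raw interpolation (deliberately unsafe)."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn

def find_user(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised lookup: the placeholder keeps the input out of the SQL grammar."""
    return [row[0] for row in conn.execute("SELECT id FROM users WHERE name = ?", (username,))]

# --- security unit tests: one negative test case per attack class ----------------
XSS_PAYLOADS = ["<script>alert(1)</script>", '" onmouseover="alert(1)', "<img src=x onerror=alert(1)>"]
SQLI_PAYLOADS = ["' OR 1=1--", "alice' --", "'/**/OR/**/'1'='1", "\\"]

def test_comment_output_is_encoded(render=render_comment):
    for payload in XSS_PAYLOADS:
        out = render("mallory", payload)
        body = out[out.index(": ") + 2 : -len("</div>")]
        # Every HTML metacharacter from the payload must be encoded, not merely stripped.
        assert not any(c in body for c in "<>\"'"), f"unencoded metacharacter for {payload!r}"
        assert html.unescape(body) == payload, f"payload was altered, not encoded: {payload!r}"

def test_login_rejects_injection(lookup=find_user):
    conn = make_db()
    assert lookup(conn, "alice") == [1], "known user must still be found"
    for payload in SQLI_PAYLOADS:
        # The payload is a username nobody has; any row back means the query changed shape.
        assert lookup(conn, payload) == [], f"query structure altered by {payload!r}"

def security_gate(render=render_comment, lookup=find_user):
    """Runs the security tests the way a CI stage would. Returns (ok, failures);
    the build proceeds only when ok is True. Failures are collected, not swallowed."""
    failures = []
    for name, test, kwargs in [
        ("test_comment_output_is_encoded", test_comment_output_is_encoded, {"render": render}),
        ("test_login_rejects_injection", test_login_rejects_injection, {"lookup": lookup}),
    ]:
        try:
            test(**kwargs)
        except AssertionError as exc:
            failures.append(f"{name}: {exc}")
    return not failures, failures

if __name__ == "__main__":
    ok, failures = security_gate()
    print("\n".join(failures) or "security gate passed")
    sys.exit(0 if ok else 1)   # a non-zero exit is what blocks the build
```

The point of the payload lists is that they are the test's threat model: a developer who swaps `html.escape()` for a home-grown strip of `<script>` still fails on the attribute-breakout payload, and a lookup that goes back to string concatenation fails on the comment-free payload even if a regex filter was bolted on in front. Run `security_gate(render=render_comment_unsafe)` to see the failure a CI log would show.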

Why Does AppSec Have to Change? Changes in Architectural Models

Operational Security System
A security decision engine takes data points in (development data, security data, activity data) and produces security decisions out that are accurate, timely, and actionable.

Traditional Web Applications
End users on the Internet -> WAF -> Load Balancer -> Web Server -> Database, all inside the datacenter.
The WAF is the single choke point for security implementation: it looks at inbound network packets for web-layer requests, analyses those requests for attacks, and blocks the attacks it discovers.

Modern Web Applications
Mobile users and end users talk to a REST / JSON API served by web server instances on a cloud provider or PaaS, backed by multiple datastore instances. There is no single choke point.

Modern Web Applications: what runs inside each cloud / PaaS web server instance
- Web server: nginx, Apache, IIS
- Runtime / interpreter: .NET CLR, Java
- Source code: Python, JavaScript / Node.js, PHP
Each of these layers is a point where security can be applied.

Security Decision Engine Differences
- Traditional approach: signature checking
- Security decision engine: attack pattern detection, code and data flow analysis, language dissection, machine learning
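The WAF and RASP definitions earlier in the deck, and the "signature checking" versus "language dissection" and "code and data flow analysis" contrast on this slide, shown on one SQL injection attempt from the two vantage points. This is an added example, not code from the deck or from Signal Sciences: the signature rules, the taint marker, the SQL tokeniser, the users table and the login function are all constructed for illustration. The WAF side sees only the raw HTTP parameter and pattern-matches it; the RASP side sits at the database call, inside the app, and dissects the final SQL with the user-controlled bytes still marked. Real RASP products propagate taint through string operations; here the query builder records the tainted spans explicitly as an approximation.

```python
"""Added example, not from the deck: one SQL injection attempt seen from the
two vantage points the slides contrast. The WAF sees the raw HTTP parameter and
can only pattern-match it; the RASP sits at the database call, inside the app,
and can dissect the final SQL with the user-controlled bytes still marked.
All rules, payloads, table names and function names here are constructed."""
import re
import sqlite3

# --- WAF side: signatures over the raw parameter --------------------------------
# A deliberately tiny, WAF-like rule set. Real rule sets are much larger, but the
# weakness is structural: the rule has to anticipate the payload's exact shape.
WAF_SIGNATURES = [
    re.compile(r"'\s+or\s+'?\d+'?\s*=\s*'?\d+", re.I),  # ' OR 1=1   ' OR '1'='1
    re.compile(r"\bunion\s+select\b", re.I),
    re.compile(r"--\s*$"),                               # trailing SQL comment
]

def waf_blocks(param: str) -> bool:
    """True when any signature matches the raw parameter value."""
    return any(sig.search(param) for sig in WAF_SIGNATURES)

# --- RASP side: taint marking plus SQL tokenisation at the execute() call -------
class Tainted(str):
    """Marker for user-controlled data. A real RASP propagates this through
    string operations; here the app's query builder records it explicitly."""

def build_query(*parts):
    """Concatenates trusted strings and Tainted values, returning the final SQL
    and the character spans the user controls."""
    sql, spans = "", []
    for part in parts:
        if isinstance(part, Tainted):
            spans.append((len(sql), len(sql) + len(part)))
        sql += part
    return sql, spans

# Comments and string literals come first so their contents never form tokens.
SQL_TOKEN = re.compile(
    r"(?P<comment>--[^\n]*|/\*.*?\*/)"
    r"|(?P<string>'(?:[^']|'')*')"
    r"|(?P<number>\d+(?:\.\d+)?)"
    r"|(?P<word>[A-Za-z_][A-Za-z_0-9]*)"
    r"|(?P<op>[^\sA-Za-z_0-9'])",
    re.S,
)

def rasp_flags(sql: str, spans) -> bool:
    """True when some user-controlled span does not stay inside a single string
    or number literal of the final SQL, i.e. the input changed the query's
    structure instead of supplying a value. An unterminated quote leaves the
    span outside every token and is flagged as well (fail closed)."""
    tokens = [(m.start(), m.end(), m.lastgroup) for m in SQL_TOKEN.finditer(sql)]
    for start, end in spans:
        holder = [t for t in tokens if t[0] <= start and end <= t[1]]
        if not holder or holder[0][2] not in ("string", "number"):
            return True
    return False

# --- the (deliberately string-concatenating) application ------------------------
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def login(conn, username: str, waf: bool = True, rasp: bool = True):
    """Returns the matching user ids, or the name of the guard that blocked the request."""
    if waf and waf_blocks(username):
        return "blocked_by_waf"
    sql, spans = build_query("SELECT id FROM users WHERE name = '", Tainted(username), "'")
    if rasp and rasp_flags(sql, spans):
        return "blocked_by_rasp"
    return sorted(row[0] for row in conn.execute(sql))

if __name__ == "__main__":
    db = setup_db()
    evasion = "'/**/OR/**/'1'='1"                      # no whitespace, no trailing comment
    print(login(db, "alice"))                          # [1]
    print(login(db, "' OR 1=1--"))                     # blocked_by_waf
    print(login(db, evasion))                          # blocked_by_rasp
    print(login(db, evasion, waf=False, rasp=False))   # [1, 2]: the real impact
```

The evasion payload replaces the whitespace the signature expects with empty comments, which SQLite treats as whitespace, so the WAF never fires; the RASP does not care what the bytes look like, only that they crossed a token boundary in the query the app was about to run. The last call, with both guards off, is the check that the evasion is real rather than a broken payload. The same token-boundary rule also flags an unescaped `O'Brien`, which is the practical reason runtime checks complement parameterised queries rather than replace them.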

Security Decision Engine Differences: the decisions out are accurate, timely, and actionable
- Integrates into YOUR toolchain
- Doesn't get in the way: low overhead
- Shows you what you want to see, when you need to see it
- Doesn't overwhelm you with junk
- Increases resource effectiveness

So Where Do We Go From Here? Updating Your Application Security Program

Traditional App Security Technology Stack
- Manual Assessment (late 1990s): doesn't scale, expensive, time consuming
- DAST (early 2000s): uncertain code coverage, quick and dirty, prone to false negatives and false positives
- WAF (early 2000s): expensive to maintain, not scalable, resource draining
- SAST (mid 2000s): expertise required, developer heavy, long processing time

Modern App Security Technology Stack
- Dev time: SAST, DAST, manual assessment, bug tracking, vulnerability tracking, CI/CD
- Ops time: ChatOps, alerting services, automation, logging
- NGWAF / RASP: the future

Thanks a Bunch!
Tyler Shields, VP Marketing, Strategy & Partnerships, Signal Sciences
tyler@signalsciences.com, @signalsciences, @txs, www.signalsciences.com