Application Security at DevOps Speed and Portfolio Scale. Jeff Contrast Security


Application Security at DevOps Speed and Portfolio Scale Jeff Williams @planetlevel Contrast Security

OWASP XSS Prevention Cheat Sheet 1,000,000 Page Views! https://www.owasp.org/index.php/xss_(cross_site_scripting)_prevention_cheat_sheet

About Me

Application Security Is Healthcare

Sensors Are Revolutionizing Healthcare: Your phone will know you're sick before you do! Instrumenting the body means continuous, real-time monitoring, not periodic checkups.

Modern Software Development: JavaScript/Ajax, Libraries and Frameworks, Serialized Objects, Aspect Oriented Programming, Cloud/Mobile, Inversion of Control, SOAP/REST, Agile, Raw Sockets, DevOps. Traditional appsec tools and techniques simply can't handle ANY of these.

Security AppSec Progress Continuous Software AppSec

Starting Over

Defining Portfolio Scale: The right defenses for every application are Present, Correct, and Used Properly.

Defining DevOps Speed: Application security happens continuously and in real time.

One Thing at a Time Is my portfolio protected against clickjacking?

Gathering Intelligence (application stack, top to bottom): Controller, Presentation, Business Functions, Data Layer, Third Party Libraries, Framework, Application Server, Platform Runtime, Operating System

Security Intelligence Sources: Vulnerability Trace, HTTP Traffic, Data Flow, Backend Connections, Control Flow, Libraries and Frameworks, Configuration Data

Designing a Clickjacking Sensor (pick one option from each column)

  Intel Sources    Analysis Technique   Experiment Style   Environment
  Code             Manual               Positive           Dev
  HTTP             SAST                 Negative           CI
  Configuration    DAST                 Sampling           Test
  Data Flow        IAST                 Intelligence       QA
  Control Flow     Passive                                 Staging
  Libraries        JUnit                                   Security
  Connections                                              Prod

Choose based on: Speed, Accuracy, Feedback, Scalability, Ease of Use, Cost

Continuous Clickjacking Defense Verification: A new HTTP sensor to verify that the X-Frame-Options header is set to DENY or SAMEORIGIN on every web page. Pipeline: DEV, CI, TEST, QA, STAG, SEC, OPS. Data Warehouse: Application Security Intelligence (fed by Manual, Dynamic, Static, Interactive and JUnit sensors).

Instrumentation Instrument your applications and they report their security regardless of your organizational or technical structure. Internal Networks Ad-Hoc Servers External Facing Cloud

Run Against Entire Portfolio

  Application Name          Result   Grade
  TBMarks                   88%      A
  RPC                       0%       F
  CaseyMotors               0%       F
  Financials                72%      C
  International Reporting   0%       F

Financials, Clickjacking Defense: C (72%)

  /home                  DENY
  /home/error.jsp        -
  /home/index.jsp        DENY
  /account               SAME-ORIGIN
  /account/report.jsp    -
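A sensor of the kind the two preceding slides describe, written here as an added example (it is not the speaker's or Contrast Security's code): it classifies each response's framing defense, applies a positive check, and grades every application in a portfolio. The sample traffic, the application names reused from the slide, and the letter-grade cutoffs are all constructed for this example; the talk shows grades but not how they are computed. Beyond the slide, the sensor also accepts a CSP frame-ancestors directive, which current browsers honor in preference to X-Frame-Options.

```python
"""Clickjacking defense sensor: positive verification of framing protection.

Added example (not the speaker's or Contrast Security's code). It grades each
application in a portfolio from (path, response headers) pairs. The traffic
below is constructed so the sensor runs offline; in a real deployment the pairs
come from proxied test traffic, a crawl, or an in-app HTTP sensor.
"""
from typing import Dict, Iterable, List, Tuple

Headers = Dict[str, str]

# Values browsers honor for X-Frame-Options (matched case-insensitively).
# ALLOW-FROM is obsolete and ignored by current browsers, so it is not accepted.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def framing_status(headers: Headers) -> str:
    """Summarize the framing defense a response carries.

    Returns 'DENY' / 'SAMEORIGIN', 'INVALID:<value>' for an unrecognized
    X-Frame-Options value, 'CSP:<sources>' when a CSP frame-ancestors directive
    is present (it supersedes X-Frame-Options in supporting browsers), or '-'
    when the page has no framing defense at all.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return "CSP:" + " ".join(parts[1:])
    if "x-frame-options" in h:
        value = h["x-frame-options"].strip().upper()
        return value if value in VALID_XFO else "INVALID:" + value
    return "-"


def is_protected(status: str) -> bool:
    """Positive check: only DENY, SAMEORIGIN, or a frame-ancestors list made up
    solely of 'none'/'self' counts. A list naming third-party origins is reported
    but not credited, because the sensor verifies the policy, not mere presence."""
    if status in VALID_XFO:
        return True
    if status.startswith("CSP:"):
        sources = status[4:].split()
        return bool(sources) and all(s.strip("'").lower() in ("none", "self") for s in sources)
    return False


def grade(percent: float) -> str:
    """Letter scale assumed for this example (the talk shows grades, not cutoffs)."""
    for floor, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if percent >= floor:
            return letter
    return "F"


def score_application(pages: Iterable[Tuple[str, Headers]]):
    """Return (percent protected, grade, [(path, status), ...]) for one application."""
    results: List[Tuple[str, str]] = [(path, framing_status(h)) for path, h in pages]
    if not results:
        return 0.0, "F", results
    passing = sum(1 for _, status in results if is_protected(status))
    percent = round(100.0 * passing / len(results), 1)
    return percent, grade(percent), results


def score_portfolio(portfolio: Dict[str, List[Tuple[str, Headers]]]):
    """Run the sensor across every application: {name: (percent, grade, pages)}."""
    return {name: score_application(pages) for name, pages in portfolio.items()}


# Constructed sample traffic: three applications, a handful of pages each.
PORTFOLIO: Dict[str, List[Tuple[str, Headers]]] = {
    "Financials": [
        ("/home", {"X-Frame-Options": "DENY"}),
        ("/home/error.jsp", {"Content-Type": "text/html"}),        # no defense
        ("/home/index.jsp", {"x-frame-options": "deny"}),           # lower case is still valid
        ("/account", {"X-Frame-Options": "SAMEORIGIN"}),
        ("/account/report.jsp", {"X-Frame-Options": "ALLOWALL"}),   # not a real value
    ],
    "RPC": [("/rpc", {"Content-Type": "application/json"})],
    "TBMarks": [
        ("/", {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}),
        ("/login", {"X-Frame-Options": "SAMEORIGIN"}),
        ("/reports", {"X-Frame-Options": "DENY"}),
        ("/widget", {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"}),
    ],
}

if __name__ == "__main__":
    for name, (percent, letter, pages) in score_portfolio(PORTFOLIO).items():
        print(f"{name}: {percent}% {letter}")
        for path, status in pages:
            print(f"  {path:<22} {status}")
```

The "-" rows and the INVALID row are the ones worth a ticket: a misspelled value such as ALLOWALL is not a defense, and a sensor that only checked header presence would have credited it.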

Check Your Headers: https://cyh.herokuapp.com/cyh

Continuous AppSec Dashboard

One Small Step Towards Continuous AppSec: We transformed clickjacking verification to devops speed and portfolio scale!

  Before: Annual pentest, Negative signatures, One app at a time
  After:  Continuous monitoring, Positive verification, Portfolio wide

Okay, clickjacking. Big deal.

More Sensors. I want a sensor to verify that:
  My business logic makes access control checks
  My libraries are free from known vulnerabilities
  My forms are not susceptible to CSRF attacks
  My interpreters are protected against injection
  My encryption is implemented correctly
  My application has no unknown connections
  And much more.

Access Control Intelligence Sensor (Control Flow | SAST | Intelligence | CI)

  Source File                          Result
  TestSBMBugtrackerController.java     @PreAuthorize("hasAnyRole('ROLE_BUG_CREATE','ROLE_BUG_EDIT')")
  UpdateSBMBugtrackerController.java   @PreAuthorize("hasRole('ROLE_BUG_EDIT')")
  SelectBugtrackerController.java      @PreAuthorize("hasRole('ROLE_BUG_CREATE')")
  CheckAppStatusController.java        MISSING
  ViewConsoleEventsController.java     @PreAuthorize("hasRole('ROLE_CONSOLE_VIEW')")
  DeleteEngineConfigController.java    @PreAuthorize("hasRole('ROLE_ENGINE_PROFILES')")
  DownloadEngineController.java        @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')")
  EngineConfigController.java          @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')")
  ErrorController.java                 MISSING
  InboxController.java                 @PreAuthorize("isAuthenticated()")
  InstallationWizardController.java    @PreAuthorize("isAuthenticated()")
  InviteAFriendController.java         @PreAuthorize("isAuthenticated()")
  LoginController.java                 MISSING
  DeleteMessageController.java         @PreAuthorize("isAuthenticated()")
  GetSystemMessagesController.java     @PreAuthorize("isAdmin()")

Generated Access Control Matrix from Code. Rows are controllers (TracesGetBugtrackersController.java, TracesGetUsersController.java, TracesJIRAExportController.java, TracesMergeController.java, TracesSaveStatusController.java, TracesSearchController.java, TracesSendToBugtrackersController.java, TracesTreeController.java, TracesViewerController.java, TraceViewerWorkingNotificationController.java, ViewTracesController.java, UpdateAppConfigurationController.java, BannerController.java, BillingAccountActivityController.java, BillingApplyPaymentController.java, BillingAppsController.java, BillingExecuteOrderController.java); columns are roles (ROLE_APPLICATION_DELETE, ROLE_APPLICATION_GROUP, ROLE_APPLICATION_REET, ROLE_TRACES_DELETE, ROLE_TRACES_SENDMAIL, ROLE_TRACE_SEARCH, ROLE_ENGINE_DOWNLOAD, ROLE_ENGINE_PROFILES, ROLE_CONSOLE_VIEW, ROLE_BUGTRACKER_VIEW, ROLE_BUGTRACKER_CREATE, ROLE_BUGTRACKER_DELETE, ROLE_AUDIT_VIEW, ROLE_ENGINE_A..., ROLE_LI...); an O marks a role a controller requires. [The cell positions did not survive transcription.]
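The two slides above (the MISSING report and the role matrix) come from one sensor, so here is one added example that does both; it is not the talk's own tooling. It scans Spring controller sources for a @PreAuthorize expression, reports controllers with none as MISSING, derives the controller/role matrix from the expressions, and also checks that method security is actually enabled, because an annotation that is present but never evaluated is "present" without being "used properly". The Java sources are constructed (file names borrowed from the slide, bodies invented), and the pseudo-columns AUTHENTICATED and ADMIN for isAuthenticated()/isAdmin() are this example's convention.

```python
"""Access control intelligence sensor (added example, not the talk's code).

Scans Spring controller sources for a @PreAuthorize expression, reports any
controller without one as MISSING, derives the controller/role matrix, and
checks that method security is switched on. The Java sources are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

PREAUTH_RE = re.compile(r'@PreAuthorize\s*\(\s*"([^"]*)"\s*\)')
ROLE_CALL_RE = re.compile(r"\b(hasRole|hasAnyRole)\s*\(([^)]*)\)")
QUOTED_RE = re.compile(r"'([^']+)'")
# Either annotation makes Spring Security evaluate @PreAuthorize.
ENABLE_RE = re.compile(
    r"@EnableMethodSecurity\b|@EnableGlobalMethodSecurity\s*\([^)]*prePostEnabled\s*=\s*true")


def controllers(sources: Dict[str, str]) -> Dict[str, str]:
    """Only controller classes are expected to carry access control."""
    return {f: s for f, s in sources.items() if f.endswith("Controller.java")}


def preauthorize_expression(source: str) -> Optional[str]:
    """First @PreAuthorize expression in the file (class level or first method).
    A production sensor would parse per handler method; one per file suffices here."""
    m = PREAUTH_RE.search(source)
    return m.group(1) if m else None


def required_roles(expression: Optional[str]) -> Set[str]:
    """Roles named in hasRole/hasAnyRole. isAuthenticated()/isAdmin() name no role,
    so they become the pseudo-columns AUTHENTICATED and ADMIN (this example's convention)."""
    if expression is None:
        return set()
    roles: Set[str] = set()
    for call in ROLE_CALL_RE.finditer(expression):
        roles.update(QUOTED_RE.findall(call.group(2)))
    if "isAuthenticated()" in expression:
        roles.add("AUTHENTICATED")
    if "isAdmin()" in expression:
        roles.add("ADMIN")
    return roles


def scan(sources: Dict[str, str]) -> Dict[str, str]:
    """Controller file -> expression, or MISSING (the rows the sensor flags)."""
    return {f: (preauthorize_expression(s) or "MISSING") for f, s in controllers(sources).items()}


def access_matrix(sources: Dict[str, str]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Columns are roles, rows are controllers, 'O' marks a role the controller requires."""
    per_file = {f: required_roles(preauthorize_expression(s)) for f, s in controllers(sources).items()}
    columns = sorted(set().union(*per_file.values())) if per_file else []
    rows = {f: ["O" if c in roles else "" for c in columns] for f, roles in per_file.items()}
    return columns, rows


def method_security_enabled(sources: Dict[str, str]) -> bool:
    """False means every @PreAuthorize above is decoration: present, not used."""
    return any(ENABLE_RE.search(s) for s in sources.values())


def render(sources: Dict[str, str]) -> str:
    columns, rows = access_matrix(sources)
    width = max((len(f) for f in rows), default=0)
    lines = [" " * width + "  " + "  ".join(columns)]
    for f, cells in rows.items():
        lines.append(f.ljust(width) + "  " + "  ".join(c.ljust(len(col)) for c, col in zip(cells, columns)))
    return "\n".join(lines)


# Constructed sources; class bodies are not from any real project.
SOURCES: Dict[str, str] = {
    "TestSBMBugtrackerController.java": '''
        @Controller
        @PreAuthorize("hasAnyRole('ROLE_BUG_CREATE','ROLE_BUG_EDIT')")
        public class TestSBMBugtrackerController { }''',
    "CheckAppStatusController.java": '''
        @Controller
        public class CheckAppStatusController { }''',
    "InboxController.java": '''
        @Controller
        @PreAuthorize("isAuthenticated()")
        public class InboxController { }''',
    "GetSystemMessagesController.java": '''
        @Controller
        @PreAuthorize("isAdmin()")
        public class GetSystemMessagesController { }''',
    "SecurityConfig.java": '''
        @Configuration
        @EnableGlobalMethodSecurity(prePostEnabled = true)
        public class SecurityConfig { }''',
}

if __name__ == "__main__":
    for f, result in scan(SOURCES).items():
        print(f"{f:<36} {result}")
    print("\nmethod security enabled:", method_security_enabled(SOURCES))
    print(render(SOURCES))
```

Run in CI, the MISSING rows and a False from method_security_enabled both fail the build; the matrix goes to the data warehouse, where a role column that no controller requires is as interesting as a controller that requires nothing.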

Known Vulnerable Libraries Sensor (Libraries | SAST | Negative | CI): Run DependencyCheck during every build (and do a build once a month even if nothing changed, since new CVEs are published against unchanged dependencies).
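An added example of the build gate this sensor implies, not the talk's code: it reads the OWASP Dependency-Check JSON report and fails the build on any finding at or above a CVSS threshold, with time-boxed suppressions so an accepted risk comes back once its acceptance expires. The report excerpt is constructed (fake CVE ids and jar names), and the field names are the Dependency-Check JSON report fields as this example's author understands them; confirm them against the version you run. The CLI flags in the docstring are real.

```python
"""Known-vulnerable-libraries sensor: gate a build on the OWASP Dependency-Check
JSON report. Added example, not the talk's code.

The report excerpt below is constructed (fake CVE ids, fake jar names). Field
names (dependencies[].fileName, vulnerabilities[].name / severity /
cvssv3.baseScore / cvssv2.score) follow the Dependency-Check JSON report as
this example's author understands it; confirm them against your version.

Typical CI invocation, then run this script over the report it writes:
    dependency-check --project financials --scan target/ --format JSON --out dc-report/
"""
import json
from datetime import date
from typing import Dict, List, Optional

SEVERITY_SCORE = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 4.0, "LOW": 1.0}


def score_of(vuln: dict) -> float:
    """CVSSv3 base score if present, else CVSSv2, else a score from the severity word."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return SEVERITY_SCORE.get(str(vuln.get("severity", "")).upper(), 0.0)


def evaluate(report_json: str, threshold: float = 7.0,
             suppressions: Optional[Dict[str, str]] = None,
             today: Optional[str] = None) -> List[dict]:
    """Findings at or above threshold that are not under a still-valid suppression.

    suppressions maps a vulnerability id to an ISO expiry date (YYYY-MM-DD). A
    suppression is a time-boxed risk acceptance: once it expires the finding
    fails the build again instead of being forgotten.
    """
    suppressions = suppressions or {}
    current = date.fromisoformat(today) if today else date.today()
    report = json.loads(report_json)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            vid = vuln["name"]
            score = score_of(vuln)
            if score < threshold:
                continue
            expiry = suppressions.get(vid)
            if expiry and current < date.fromisoformat(expiry):
                continue
            findings.append({"library": dep.get("fileName"), "id": vid,
                             "score": score, "severity": vuln.get("severity")})
    return sorted(findings, key=lambda f: (-f["score"], f["id"]))


def build_passes(report_json: str, **kw) -> bool:
    return not evaluate(report_json, **kw)


# Constructed report: not the output of a real scan.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "example-lib-1.0.jar", "vulnerabilities": [
            {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
            {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv2": {"score": 4.3}},
        ]},
        {"fileName": "example-util-2.3.jar", "vulnerabilities": [
            {"name": "CVE-0000-0003", "severity": "HIGH", "cvssv3": {"baseScore": 8.1}},
        ]},
        {"fileName": "clean-lib-0.1.jar"},
    ],
})

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    report = open(path).read() if path else SAMPLE_REPORT
    accepted = {"CVE-0000-0003": "2099-01-01"}   # constructed, time-boxed risk acceptance
    for f in evaluate(report, suppressions=accepted):
        print(f"FAIL {f['library']}: {f['id']} (CVSS {f['score']})")
    sys.exit(0 if build_passes(report, suppressions=accepted) else 1)
```

The CLI's own --failOnCVSS flag gives the same hard gate with less code; the script earns its keep through the expiring suppressions, which are what keep the monthly no-change build from being silently waved through.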

CSRF Defense Sensor (HTTP | Passive | Positive | QA): Run tests through ZAP (ZEST scripts) to check for the CSRF token; get results via the ZAP REST API.

Canonicalization Correctness Sensor (Code | JUnit | Positive | Staging)

Injection Sensors (Data Flow | IAST | Negative | Dev): Use code instrumentation tools to find data-flow vulnerabilities.

Architecture, Inventory, and More: What would you like to gather from all your applications? Inventory? Architecture? Outbound connections? Lines of code? Security components? All possible, and all at devops speed and portfolio scale.

Building Continuous AppSec. Pipeline: DEV, CI, TEST, QA, STAG, SEC, OPS. Data Warehouse: Application Security Intelligence (fed by Manual, Dynamic, Static, Interactive and JUnit sensors).

Sensors? How do you know what sensors you need?
  1) The OWASP Top Ten?
  2) What your tools are good at?
  3) What your pentester thinks is important?
  4) Actually figure out what matters?

Aspect 2013 Global AppSec Risk Report [bar chart: applications with at least one vulnerability in each category, 0% to 90%, split into Higher Risk and Lower Risk categories]

What's In Your Expected Model? Expected: Requirements, Threat Model, Abuse Cases, Policy, Standards. There is no security without a model.

What Are You Actually Testing? Actual: Pentest, Code Review, Tools, Arch Review.

Unfortunately, Expected and Actual only partly overlap. Expected but not Actual: not being tested (aka RISK). Actual but not Expected: doesn't need testing (aka WASTE).

Secure? Are You Secure?

Aligning Sensors with Business Concerns

  Business Concerns:  Fraud; Data Protection; Availability
  Defense Strategies: Minimize Sensitive Data; Role Based Access Control; Encrypt Data in Storage and Transit; Logging and Intrusion Detection
  Actual Defenses:    Full Disk Encryption with TrueCrypt; Programmatic Encryption with ESAPI; TLS Everywhere with Venafi
  Sensors:            Libraries Present and Up-to-date; Encryption Correctness with JUnit Tests; ESAPI Used Properly

Continuous Application Security! New threats and business priorities feed the Expected model; translate expected into sensors; run them across the Application Portfolio; the Actual results feed application security dashboards.

How to Get Started: Choose a sensor. Build it with developers. Deploy your sensor. Create a dashboard using Excel.

Transforming AppSec: AppSec Compliance, AppSec Monitoring, AppSec Strategy, AppSec Optimization, AppSec as Business Driver. We will never improve if our only metric is whether we are doing what everyone else is doing.

Thank You! Please stop by our booth! @contrastsec

Expected: Tracking Coverage

Categories: Infrastructure Security; Logging and Accountability; Data Protection; Minimal data collection; Secure Development; Security Verification; Incident Response

Data Protection, expanded:
  Strong encryption in storage and transit
    All external connections use SSL
    All internal connections use SSL
    SSL hardened according to OWASP
  All highly sensitive data encrypted
    Encryption uses standard control
    Encryption uses AES, no CBC or ECB

Secure Development, expanded:
  Universal authentication
  Pervasive access control
  Injection defenses
    Strict positive validation of all input
    Use of parameterized interfaces
    All parsers hardened
      XML parsers set to not use DOCTYPE
      Browser set no content sniffing header
    Etc.
  Use Hibernate and secure coding
  Use JQuery and secure coding
  Etc.
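Two lines of that expected model turned into code sensors, as an added example that is not the talk's code: "Encryption uses AES, no CBC or ECB" and "XML parsers set to not use DOCTYPE". The Java snippets are constructed. One caveat the sensor encodes goes slightly beyond the slide: Cipher.getInstance("AES") with no mode names no mode at all, and the SunJCE provider then defaults to ECB, so the bare form is flagged alongside explicit ECB and CBC.

```python
"""Code sensors for two 'expected' requirements (added example, not the talk's
code; the Java snippets are constructed):

  - "Encryption uses AES, no CBC or ECB"   -> cipher_findings()
  - "XML parsers set to not use DOCTYPE"   -> xml_findings()
"""
import re
from typing import Dict, List, Tuple

CIPHER_RE = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')
# Legacy symmetric algorithms that fail the "uses AES" requirement outright.
# Asymmetric transformations (RSA/...) are outside this requirement and ignored.
LEGACY_SYMMETRIC = {"DES", "DESEDE", "RC2", "RC4", "ARCFOUR", "BLOWFISH"}

DBF_RE = re.compile(r"DocumentBuilderFactory\.newInstance\(")
DOCTYPE_FEATURE = "http://apache.org/xml/features/disallow-doctype-decl"
DOCTYPE_RE = re.compile(r'setFeature\(\s*"' + re.escape(DOCTYPE_FEATURE) + r'"\s*,\s*true\s*\)')


def cipher_findings(source: str) -> List[Tuple[str, str]]:
    """(transformation, reason) for each Cipher.getInstance that misses the requirement."""
    findings = []
    for m in CIPHER_RE.finditer(source):
        transformation = m.group(1)
        parts = transformation.upper().split("/")
        algorithm = parts[0]
        mode = parts[1] if len(parts) > 1 else None
        if algorithm in LEGACY_SYMMETRIC:
            findings.append((transformation, f"{algorithm} is not AES"))
        elif algorithm == "AES" and mode is None:
            # "AES" alone lets the provider choose; SunJCE picks ECB/PKCS5Padding.
            findings.append((transformation, "no mode given; provider default for AES is ECB"))
        elif algorithm == "AES" and mode in ("ECB", "CBC"):
            findings.append((transformation, f"mode {mode} is not allowed"))
    return findings


def xml_findings(source: str) -> List[str]:
    """Flag files that build a DocumentBuilderFactory without disabling DOCTYPE."""
    if DBF_RE.search(source) and not DOCTYPE_RE.search(source):
        return ["DocumentBuilderFactory.newInstance() without disallow-doctype-decl=true"]
    return []


def scan(sources: Dict[str, str]) -> Dict[str, List[str]]:
    """File -> findings; an empty list means the file meets both requirements."""
    report = {}
    for name, src in sources.items():
        report[name] = [f"{t}: {why}" for t, why in cipher_findings(src)] + xml_findings(src)
    return report


# Constructed snippets, not from any real code base.
SOURCES: Dict[str, str] = {
    "CryptoUtil.java": '''
        Cipher good = Cipher.getInstance("AES/GCM/NoPadding");
        Cipher bare = Cipher.getInstance("AES");
        Cipher cbc  = Cipher.getInstance("AES/CBC/PKCS5Padding");
        Cipher old  = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        Cipher rsa  = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");''',
    "ReportParser.java": '''
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        DocumentBuilder db = dbf.newDocumentBuilder();''',
    "ConfigParser.java": '''
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);''',
}

if __name__ == "__main__":
    for name, items in scan(SOURCES).items():
        print(name, "OK" if not items else "")
        for item in items:
            print("   ", item)
```

Both checks are textual and per file, so a factory hardened in a helper method elsewhere will show as a false positive; that is acceptable for a CI sensor whose job is to keep the two "expected" lines from silently dropping out of the "actual" column, and a data-flow tool can take over where text matching stops.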

Enterprise Controls Dashboard

  Rows (Expected Defense): Authentication; Authorization; Cryptography; Validation; Escaping; Tokens; Logging; Intrusion Detection; Random Numbers; Browser Security; Safe API Wrappers; Object Reference Management; Error Handling
  Columns: Expected Defense | Defense Present? | Defense Correct? | Applications Tested? | Training and Support