Application Security at DevOps Speed and Portfolio Scale. Jeff Williams (@planetlevel), Contrast Security
OWASP XSS Prevention Cheat Sheet: 1,000,000 page views! https://www.owasp.org/index.php/xss_(cross_site_scripting)_prevention_cheat_sheet
About Me
Application Security Is Healthcare
Sensors Are Revolutionizing Healthcare. Your phone will know you're sick before you do! Instrumenting the body means continuous, real-time monitoring, not periodic checkups.
Modern Software Development: JavaScript/Ajax, Libraries and Frameworks, Serialized Objects, Aspect Oriented Programming, Cloud/Mobile, Inversion of Control, SOAP/REST, Agile, Raw Sockets, DevOps. Traditional appsec tools and techniques simply can't handle ANY of these.
Security AppSec Progress Continuous Software AppSec
Starting Over
Defining Portfolio Scale: The right defenses for every application are present, correct, and used properly.
Defining DevOps Speed: Application security happens continuously and in real time.
One Thing at a Time: Is my portfolio protected against clickjacking?
Gathering Intelligence (application layers): Controller, Presentation, Business Functions, Data Layer, Third Party Libraries, Framework, Application Server, Platform, Runtime, Operating System
Security Intelligence Sources: Vulnerability Trace, HTTP Traffic, Data Flow, Backend Connections, Control Flow, Libraries and Frameworks, Configuration Data
Designing a Clickjacking Sensor. Pick one option from each column, choosing based on speed, accuracy, feedback, scalability, ease of use and cost:
  Intel Sources: Code, HTTP, Configuration, Data Flow, Control Flow, Libraries, Connections
  Analysis Technique: Manual, SAST, DAST, IAST, Passive, JUnit
  Experiment Style: Positive, Negative, Sampling, Intelligence
  Environment: Dev, CI, Test, QA, Staging, Security, Prod
Continuous ClickJacking Defense Verification: A new HTTP sensor verifies that the X-Frame-Options header is set to DENY or SAMEORIGIN on every web page. (Diagram: pipeline stages DEV, CI, TEST, QA, STAG, SEC and OPS feeding a data warehouse of Application Security Intelligence from Manual, Dynamic, Static, Interactive and JUnit sensors.)
Instrumentation: Instrument your applications and they report their security regardless of your organizational or technical structure (internal networks, ad-hoc servers, external facing, cloud).
Run Against Entire Portfolio
  Application Name         Result  Grade
  TBMarks                  88%     A
  RPC                      0%      F
  CaseyMotors              0%      F
  Financials               72%     C
  International Reporting  0%      F
Financials, ClickJacking Defense: C (72%)
  /home                DENY
  /home/error.jsp      -
  /home/index.jsp      DENY
  /account             SAME-ORIGIN
  /account/report.jsp  -
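The X-Frame-Options sensor and per-application grading from the slides above, as an added example (this is not code from the deck or from Contrast Security); the letter-grade thresholds and the sample responses are assumptions, chosen to agree with the grades the slide shows.

```python
"""Clickjacking sensor: verify X-Frame-Options on every page and grade the app.
Added example (not from the deck or Contrast). Grade thresholds are an
assumption chosen to agree with the slide's grades (88% A, 72% C, 0% F)."""
from urllib.request import Request, urlopen
ACCEPTED = {"DENY", "SAMEORIGIN"}

def frame_option(headers):
    """Normalized X-Frame-Options value, or None if absent. Names match
    case-insensitively; values are upper-cased with hyphens dropped so
    deny / SAME-ORIGIN pass, while ALLOW-FROM and junk values fail."""
    for name, value in headers.items():
        if name.lower() == "x-frame-options":
            return value.strip().upper().replace("-", "")
    return None

def page_passes(headers):
    return frame_option(headers) in ACCEPTED

def grade(percent):
    for floor, letter in ((85, "A"), (75, "B"), (65, "C"), (50, "D")):
        if percent >= floor:
            return letter
    return "F"

def score_application(pages):
    """pages: {path: response headers}. Returns (percent, grade, {path: ok})."""
    results = {path: page_passes(h) for path, h in pages.items()}
    percent = round(100 * sum(results.values()) / len(results)) if results else 0
    return percent, grade(percent), results

def fetch_headers(url):
    """Live probe for CI runs; not exercised by the constructed sample below."""
    with urlopen(Request(url, method="HEAD")) as resp:
        return dict(resp.headers.items())

# Constructed sample responses modelled on the slide's Financials table.
SAMPLE = {
    "/home": {"X-Frame-Options": "DENY"},
    "/home/error.jsp": {"Content-Type": "text/html"},   # header missing
    "/home/index.jsp": {"x-frame-options": "deny"},     # odd casing still passes
    "/account": {"X-Frame-Options": "SAME-ORIGIN"},
    "/account/report.jsp": {"X-Frame-Options": "ALLOW-FROM https://example.test"},
}

if __name__ == "__main__":
    pct, letter, per_page = score_application(SAMPLE)
    for path, ok in per_page.items():
        print(f"{path:22} {'PASS' if ok else 'FAIL'}")
    print(f"ClickJacking Defense {letter} ({pct}%)")
```

In a real run, replace SAMPLE with `{path: fetch_headers(base_url + path)}` over the application's crawled page list.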
https://cyh.herokuapp.com/cyh Check Your Headers
Continuous AppSec Dashboard
One Small Step Towards Continuous AppSec: We transformed clickjacking verification to DevOps speed and portfolio scale! Before: annual pentest, negative signatures, one app at a time. After: continuous monitoring, positive verification, portfolio wide. Okay, clickjacking. Big deal.
More Sensors. I want a sensor to verify:
  My business logic makes access control checks
  My libraries are free from known vulnerabilities
  My forms are not susceptible to CSRF attacks
  My interpreters are protected against injection
  My encryption is implemented correctly
  My application has no unknown connections
  And much more.
Access Control Intelligence Sensor (Intel source: Control Flow; Technique: SAST; Style: Intelligence; Environment: CI)
  Source File                          Result
  TestSBMBugtrackerController.java     @PreAuthorize("hasAnyRole('ROLE_BUG_CREATE','ROLE_BUG_EDIT')")
  UpdateSBMBugtrackerController.java   @PreAuthorize("hasRole('ROLE_BUG_EDIT')")
  SelectBugtrackerController.java      @PreAuthorize("hasRole('ROLE_BUG_CREATE')")
  CheckAppStatusController.java        MISSING
  ViewConsoleEventsController.java     @PreAuthorize("hasRole('ROLE_CONSOLE_VIEW')")
  DeleteEngineConfigController.java    @PreAuthorize("hasRole('ROLE_ENGINE_PROFILES')")
  DownloadEngineController.java        @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')")
  EngineConfigController.java          @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')")
  ErrorController.java                 MISSING
  InboxController.java                 @PreAuthorize("isAuthenticated()")
  InstallationWizardController.java    @PreAuthorize("isAuthenticated()")
  InviteAFriendController.java         @PreAuthorize("isAuthenticated()")
  LoginController.java                 MISSING
  DeleteMessageController.java         @PreAuthorize("isAuthenticated()")
  GetSystemMessagesController.java     @PreAuthorize("isAdmin()")
Generated Access Control Matrix from Code (screenshot: rows are controller classes such as TracesGetBugtrackersController.java, TracesSearchController.java and BillingAppsController.java; columns are roles such as ROLE_APPLICATION_DELETE, ROLE_TRACES_DELETE, ROLE_TRACE_SEARCH, ROLE_ENGINE_DOWNLOAD, ROLE_ENGINE_PROFILES, ROLE_CONSOLE_VIEW, ROLE_BUGTRACKER_VIEW and ROLE_AUDIT_VIEW; an O marks a role required by a controller)
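A source-scanning version of the access control sensor and the generated matrix from the two slides above, as an added example in Python rather than the Java SAST tooling the deck implies (not code from the deck or Contrast); the controller sources are constructed and only borrow class and role names from the slide.

```python
"""Access control sensor: report each Spring controller's @PreAuthorize rule
(or MISSING) and build the role x controller matrix. Added example, not code
from the deck or Contrast; the Java snippets are constructed, names from the slide."""
import re

PREAUTH = re.compile(r'@PreAuthorize\s*\(\s*"([^"]*)"\s*\)')
ROLE = re.compile(r"ROLE_[A-Z0-9_]+")

def preauthorize_rules(java_source):
    """All SpEL expressions passed to @PreAuthorize in one source file."""
    return PREAUTH.findall(java_source)

def controller_results(sources):
    """{file: [rules]}, or ['MISSING'] where no annotation exists (as on the slide)."""
    return {f: preauthorize_rules(src) or ["MISSING"] for f, src in sources.items()}

def unprotected(sources):
    """Controllers with no @PreAuthorize at all: the finding to act on first."""
    return sorted(f for f, r in controller_results(sources).items() if r == ["MISSING"])

def access_matrix(sources):
    """{file: set(roles)}; isAuthenticated()-style rules grant no role but still count as protected."""
    return {f: set(ROLE.findall(" ".join(preauthorize_rules(src))))
            for f, src in sources.items()}

def render_matrix(sources):
    """Text form of the slide's generated matrix: 'O' where a role is required."""
    matrix = access_matrix(sources)
    roles = sorted(set().union(*matrix.values()))
    lines = ["Controller".ljust(34) + " ".join(roles)]
    for f, granted in sorted(matrix.items()):
        lines.append(f.ljust(34) + " ".join(("O" if r in granted else ".").ljust(len(r)) for r in roles))
    return "\n".join(lines)

# Constructed sources (not the real project), named after files on the slide.
SOURCES = {
    "TestSBMBugtrackerController.java":
        '@Controller\n@PreAuthorize("hasAnyRole(\'ROLE_BUG_CREATE\',\'ROLE_BUG_EDIT\')")\npublic class TestSBMBugtrackerController {}',
    "DeleteEngineConfigController.java":
        '@PreAuthorize( "hasRole(\'ROLE_ENGINE_PROFILES\')" )\npublic class DeleteEngineConfigController {}',
    "InviteAFriendController.java": '@PreAuthorize("isAuthenticated()")\npublic class InviteAFriendController {}',
    "ErrorController.java": '@Controller\npublic class ErrorController {}',
}

if __name__ == "__main__":
    for f, rules in controller_results(SOURCES).items():
        print(f"{f:36} {', '.join(rules)}")
    print("MISSING:", unprotected(SOURCES))
    print(render_matrix(SOURCES))
```

To run it in CI, build SOURCES by reading every `*Controller.java` under the project and fail the build when unprotected() is non-empty.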
Known Vulnerable Libraries Sensor (Intel source: Libraries; Technique: SAST; Style: Negative; Environment: CI): Run DependencyCheck during every build, and do a build once a month even if nothing changed.
CSRF Defense Sensor (Intel source: HTTP; Technique: Passive; Style: Positive; Environment: QA): Run tests through ZAP Zest to check the CSRF token, and get the results via the ZAP REST API.
Canonicalization Correctness Sensor (Intel source: Code; Technique: JUnit; Style: Positive; Environment: Staging)
Injection Sensors (Intel source: Data Flow; Technique: IAST; Style: Negative; Environment: Dev): Use code instrumentation tools for data-flow (DFA) vulnerabilities.
Architecture, Inventory, and More. What would you like to gather from all your applications? Inventory? Architecture? Outbound connections? Lines of code? Security components? All possible, and all at DevOps speed and portfolio scale.
Building Continuous AppSec (Diagram: pipeline stages DEV, CI, TEST, QA, STAG, SEC and OPS feeding a data warehouse of Application Security Intelligence from Manual, Dynamic, Static, Interactive and JUnit sensors.)
Sensors? How do you know what sensors you need? 1) The OWASP Top Ten? 2) What your tools are good at? 3) What your pentester thinks is important? 4) Actually figure out what matters?
Aspect 2013 Global AppSec Risk Report (chart: percentage of applications with at least one vulnerability in each category, split into higher-risk and lower-risk categories; y-axis 0% to 90%)
What's In Your Expected Model? Expected: Requirements, Threat Model, Abuse Cases, Policy, Standards. There is no security without a model.
What Are You Actually Testing? Actual: Pentest, Code Review, Tools, Arch Review.
Unfortunately, Expected and Actual only partly overlap: what is expected but not being tested (aka RISK), and what is tested but doesn't need testing (aka WASTE).
Are You Secure?
Aligning Sensors with Business Concerns
  Business Concerns: Fraud; Data Protection; Availability
  Defense Strategies: Minimize Sensitive Data; Role Based Access Control; Encrypt Data in Storage and Transit; Logging and Intrusion Detection
  Actual Defenses: Full Disk Encryption with TrueCrypt; Programmatic Encryption with ESAPI; TLS Everywhere with Venafi
  Sensors: Libraries Present and Up-to-date; Encryption Correctness with JUnit Tests; ESAPI Used Properly
Continuous Application Security! New threats and business priorities feed the expected model; translate expected into sensors; sensors run across the actual application portfolio; results feed application security dashboards.
How to Get Started: Choose a sensor. Build it with developers. Deploy your sensor. Create a dashboard using Excel.
Transforming AppSec (AppSec Strategy, AppSec Optimization, AppSec as Business Driver, AppSec Compliance, AppSec Monitoring). We will never improve if our only metric is whether we are doing what everyone else is doing.
Thank You! Please stop by our booth! @contrastsec
Expected: Tracking Coverage
  Categories: Infrastructure Security; Logging and Accountability; Data Protection; Minimal data collection; Secure Development; Security Verification; Incident Response
  Strong encryption in storage and transit: all external connections use SSL; all internal connections use SSL; SSL hardened according to OWASP; all highly sensitive data encrypted; encryption uses standard control; encryption uses AES, no CBC or ECB
  Universal authentication
  Pervasive access control
  Injection defenses: strict positive validation of all input; use of parameterized interfaces
  All parsers hardened: XML parsers set to not use DOCTYPE
  Browser set no content sniffing header; etc.
  Use Hibernate and secure coding; use jQuery and secure coding; etc.
Enterprise Controls Dashboard (screenshot: rows are defense areas, namely Authentication, Authorization, Cryptography, Validation, Escaping, Tokens, Logging, Intrusion Detection, Random Numbers, Browser Security, Safe API Wrappers, Object Reference Management and Error Handling; columns are Expected Defense, Defense Present?, Defense Correct?, Applications Tested?, and Training and Support)