Jumpstarting Your DevSECOps Pipeline with IAST and RASP Jeff - PowerPoint PPT Presentation


  1. Jumpstarting Your DevSecOps Pipeline with IAST and RASP. Jeff Williams, @planetlevel, CTO and Co-Founder, Contrast Security

  2. The average application is extremely vulnerable. Chart: 26.7 vulnerabilities in custom code, 2 vulnerabilities in used libraries. Application makeup: 21% custom code, 8% used libraries, 71% unused libraries.

  3. You are under attack. Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  4. What is DevSecOps? DevOps: 1. Establish work flow. 2. Ensure instant feedback. 3. Culture of experimentation. DevSecOps: 1. Establish security work flow. 2. Ensure instant security feedback. 3. Build a security culture. https://itrevolution.com/the-three-ways-principles-underpinning-devops/

  5. Keys to security automation. Accurate: any inaccuracy requires experts, and there aren’t enough experts. Continuous: the days of gigantic security PDF reports are hopefully long behind us. Reliable: application protection in production has to be safe and testable. Real time: the best window to fix a vulnerability is within seconds after introducing it.

  6. DevSecOps enabling technologies. IAST (Interactive Application Security Testing): finds vulnerabilities, highly accurately, from inside the application, across custom code and libraries, in real time, without scanning. RASP (Runtime Application Self-Protection): prevents vulnerabilities from being exploited, highly accurately, from inside the application, across custom code and libraries, in real time, without “learn mode”.

  7. How IAST and RASP work. Diagram: an agent inside your application or API with HTTP sensors, code sensors, data flow sensors, control flow sensors, library sensors, config sensors and backend sensors. IAST (Interactive Application Security Testing) detects vulnerabilities in both custom code and libraries during normal use (Vulnerability Confirmed). RASP (Runtime Application Self-Protection) prevents vulnerabilities from being exploited in both custom code and libraries (Exploit Prevented).

  8. Turning DevOps into DevSecOps: IAST/RASP in Development, in CI/CD/QA and in Operations.

  9. Today’s MISSION… 1. Add security to development. 2. Lock down open source libraries. 3. Enable automatic security testing. 4. Prevent exploits in operation.

  10. Get an IAST/RASP agent: https://www.contrastsecurity.com/ce. 1. Download. 2. Install. 3. Enjoy.

  11. Using IAST from within Maven

  12. HQL injection
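
The slide above is a screenshot of an HQL injection finding. The following is an added example, not code from the deck or from Contrast: the vulnerable query pattern an IAST data-flow sensor reports at the query sink, beside its parameterized fix. It assumes hibernate-core 5.x (javax.persistence) on the classpath; the `User` entity and the `HqlInjectionDemo` class name are assumptions for illustration.

```java
import org.hibernate.Session;
import org.hibernate.query.Query;
import javax.persistence.Entity;
import javax.persistence.Id;
import java.util.List;

// Added example: HQL injection through string concatenation and the
// parameterized fix. Assumes Hibernate 5.x; User is a constructed entity.
public class HqlInjectionDemo {

    @Entity
    static class User {
        @Id public Long id;
        public String name;
    }

    // The query text the vulnerable method hands to Hibernate. Building it
    // from untrusted input is the defect: quotes in the input end the literal
    // and the rest is parsed as HQL.
    static String vulnerableQueryText(String name) {
        return "from User u where u.name = '" + name + "'";
    }

    // VULNERABLE: input such as  x' or '1'='1  changes the query's structure,
    // so the lookup returns every User instead of the one requested.
    public static List<User> findUserVulnerable(Session session, String name) {
        return session.createQuery(vulnerableQueryText(name), User.class).getResultList();
    }

    // HARDENED: the query text is a constant and the value travels as a bound
    // parameter, so it is compared as data and never parsed as HQL.
    public static List<User> findUserSafe(Session session, String name) {
        Query<User> q = session.createQuery(
                "from User u where u.name = :name", User.class);
        q.setParameter("name", name);
        return q.getResultList();
    }

    public static void main(String[] args) {
        // Shows what reaches the HQL parser in each case; no database needed.
        System.out.println(vulnerableQueryText("alice"));
        System.out.println(vulnerableQueryText("x' or '1'='1"));
        // The second line reads: from User u where u.name = 'x' or '1'='1'
    }
}
```

The named parameter is the whole fix; escaping the input by hand is the mistake that keeps this class of bug alive.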

  13. Automatic vulnerability detection

  14. How do you want your security? IDE, ChatOps, browser.

  15. Today’s MISSION… (repeat of slide 9)

  16. Actual attack on CVE-2017-5638
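
The slide above is a screenshot of a live attack on CVE-2017-5638, the Apache Struts 2 flaw (advisory S2-045) in which an OGNL expression placed in the Content-Type header is evaluated by the Jakarta Multipart parser. The following is an added example, not code from the deck or from Contrast: request-log detection logic that flags Content-Type values carrying OGNL expression syntax. The log line format, the sample lines and the `StrutsOgnlDetector` class name are constructed for the example; the second sample line uses a harmless expression, not a working payload.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example: flag request log lines whose Content-Type header contains
// OGNL expression markers, the signature of CVE-2017-5638 attempts.
// Constructed log format:  METHOD PATH "Content-Type: <value>"
public class StrutsOgnlDetector {

    // "%{" and "${" open an OGNL expression; "#_memberAccess" is the
    // context object attackers manipulate to escape the OGNL sandbox.
    private static final Pattern OGNL_MARKERS = Pattern.compile(
            "%\\{|\\$\\{|#_memberAccess|@ognl\\.OgnlContext",
            Pattern.CASE_INSENSITIVE);

    // Extract the Content-Type value from a constructed log line, or null.
    static String contentType(String logLine) {
        int i = logLine.indexOf("Content-Type:");
        if (i < 0) return null;
        String value = logLine.substring(i + "Content-Type:".length()).trim();
        if (value.endsWith("\"")) value = value.substring(0, value.length() - 1);
        return value;
    }

    // A legitimate media type never contains expression syntax, so any
    // marker in this header is an attack attempt, successful or not.
    public static boolean isSuspicious(String logLine) {
        String ct = contentType(logLine);
        return ct != null && OGNL_MARKERS.matcher(ct).find();
    }

    public static List<String> flag(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            if (isSuspicious(line)) hits.add(line);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample traffic: one normal upload, one probe, one GET.
        List<String> sample = List.of(
            "POST /upload.action \"Content-Type: multipart/form-data; boundary=----abc123\"",
            "POST /upload.action \"Content-Type: %{(#_='multipart/form-data').(#x=1)}\"",
            "GET /index.action \"Content-Type: application/x-www-form-urlencoded\"");
        for (String hit : flag(sample)) {
            System.out.println("ALERT " + hit);   // only the second line is printed
        }
    }
}
```

This is the kind of signature a WAF or SIEM rule applies at the network edge, and it illustrates the deck's later point about edge filters: a marker match tells you someone tried, but only an in-process check at the OGNL evaluation sink can tell you whether the expression would actually have run against a vulnerable Struts version.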

  17. How fast can you respond? Timeline: March 7, CVE-2017-5638 disclosed, Apache releases fixed version. March 8, we observe widespread attacks. Mid-May, Equifax breach occurs (no updates, no detection). July 29, Equifax learns of breach. Sept 7, Equifax discloses; four more Struts 2 CVEs disclosed. Disaster. You must have the infrastructure in place to respond within hours.

  18. Assess OSS with IAST across DEV, CI/CD and PROD (cloud, private cloud, public and private APIs, containers): 1. Continuously inventory all OSS. 2. Automatically detect vulnerabilities in OSS.
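
The two steps above, as an added example that is not code from the deck or from Contrast: a minimal continuous-inventory check that parses dependency lines in the format printed by `mvn dependency:list` (`group:artifact:type:version:scope`, optionally with a `[INFO]` prefix) and compares `struts2-core` against the version ranges named in the Apache S2-045 advisory for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1). The sample dependency lines and the `OssInventoryCheck` class name are constructed; the code assumes Java 16+ for records.

```java
import java.util.ArrayList;
import java.util.List;

// Added example: inventory dependencies from `mvn dependency:list` output and
// flag struts2-core versions affected by CVE-2017-5638 (Apache S2-045).
public class OssInventoryCheck {

    record Dependency(String group, String artifact, String version) {}

    // Parse "[INFO]    group:artifact:type[:classifier]:version:scope".
    // Returns null for lines that are not dependency coordinates.
    static Dependency parse(String line) {
        String token = line.replaceFirst("^\\[INFO\\]", "").trim().split("\\s+")[0];
        String[] p = token.split(":");
        if (p.length < 5) return null;
        return new Dependency(p[0], p[1], p[p.length - 2]);   // version precedes scope
    }

    // Numeric value of one version component; qualifiers like "-BETA" are
    // dropped so "2.5.10-BETA" compares as 2.5.10.
    static int numeric(String part) {
        String digits = part.replaceAll("\\D.*$", "");
        return digits.isEmpty() ? 0 : Integer.parseInt(digits);
    }

    // Component-wise numeric compare, so 2.5.10.1 > 2.5.10 > 2.5.2 and 2.5 == 2.5.0.
    static int compare(String a, String b) {
        String[] x = a.split("\\."), y = b.split("\\.");
        for (int i = 0; i < Math.max(x.length, y.length); i++) {
            int xi = i < x.length ? numeric(x[i]) : 0;
            int yi = i < y.length ? numeric(y[i]) : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    static boolean inRange(String v, String lo, String hi) {
        return compare(v, lo) >= 0 && compare(v, hi) <= 0;
    }

    // Affected ranges from the S2-045 advisory.
    public static boolean isVulnerableToS2045(Dependency d) {
        if (!d.group().equals("org.apache.struts") || !d.artifact().equals("struts2-core")) {
            return false;
        }
        return inRange(d.version(), "2.3.5", "2.3.31") || inRange(d.version(), "2.5", "2.5.10");
    }

    public static List<String> findings(List<String> depList) {
        List<String> out = new ArrayList<>();
        for (String line : depList) {
            Dependency d = parse(line);
            if (d != null && isVulnerableToS2045(d)) {
                out.add(d.group() + ":" + d.artifact() + ":" + d.version()
                        + " affected by CVE-2017-5638 (S2-045)");
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample output of `mvn dependency:list`.
        List<String> sample = List.of(
            "[INFO] The following files have been resolved:",
            "[INFO]    org.apache.struts:struts2-core:jar:2.3.31:compile",
            "[INFO]    org.apache.struts:struts2-convention-plugin:jar:2.3.31:compile",
            "[INFO]    commons-fileupload:commons-fileupload:jar:1.3.2:compile");
        findings(sample).forEach(System.out::println);   // flags struts2-core 2.3.31
    }
}
```

Running this on every build is the "continuously inventory" half of the slide; the vulnerable-range table is the part that has to be refreshed from an advisory feed rather than hard-coded as it is here, and an agent that reports which library classes actually load at runtime is what separates the 8% of used libraries from the 71% of unused ones on slide 2.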

  19. Protect with RASP: 1. Prevent known OSS vulnerabilities from being exploited. 2. Defend applications from attacks on unknown OSS vulnerabilities.

  20. Today’s MISSION… (repeat of slide 9)

  21. IAST works the same in CI/CD

  22. IAST works with all types of testing… even production. Vulnerabilities anywhere.

  23. Security coverage with JaCoCo

  24. Today’s MISSION… (repeat of slide 9)

  25. Getting started with RASP: https://www.contrastsecurity.com/ce. 1. Download. 2. Install. 3. Enjoy.

  26. Web application firewalls both overblock and underblock. Diagram: the application expects to receive an AcmeInternalType object (Name: Smith, James; Record ID: 123456; Owner: Finance). The bad guy sends a malicious object of the same type (untrusted deserialization): AcmeInternalType#cmd: java.lang.Runtime; AcmeInternalType#mtd: getRuntime().exec; AcmeInternalType#args: ‘cmd.exe’, ‘/C’, ‘calc’.
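
The slide's point is that a WAF sees only bytes on the wire and cannot tell the legitimate record from a malicious object of the same declared type, while the application itself knows exactly which classes it expects. The following is an added example, not code from the deck or from Contrast, of enforcing that knowledge at the deserialization sink with the JDK's own `ObjectInputFilter` (`java.io`, Java 9+): only the expected class is allowed, and anything else is rejected before its `readObject` runs. The fields of `AcmeInternalType`, the `Intruder` stand-in class and the `DeserializationAllowList` class name are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

// Added example: allow-list deserialization with java.io.ObjectInputFilter.
// The application accepts AcmeInternalType and nothing else.
public class DeserializationAllowList {

    // The record the application expects to receive (constructed fields).
    static class AcmeInternalType implements Serializable {
        private static final long serialVersionUID = 1L;
        String name; long recordId; String owner;
        AcmeInternalType(String name, long recordId, String owner) {
            this.name = name; this.recordId = recordId; this.owner = owner;
        }
    }

    // Stand-in for any class the application did not expect (constructed).
    static class Intruder implements Serializable {
        private static final long serialVersionUID = 1L;
        String cmd = "java.lang.Runtime";
    }

    // java.lang.String is listed so the record's own string fields are never
    // refused on a runtime that consults the filter for them.
    private static final Set<String> ALLOWED =
            Set.of(AcmeInternalType.class.getName(), String.class.getName());

    // Allow-list filter. serialClass() is null for the depth/reference checks,
    // which we leave undecided; any class outside the list is rejected.
    static final ObjectInputFilter ALLOW_ACME = info -> {
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED;
        return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns the deserialized object, or throws InvalidClassException when the
    // stream names a class outside the allow list.
    public static Object readTrusted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOW_ACME);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new AcmeInternalType("Smith, James", 123456, "Finance"));
        AcmeInternalType ok = (AcmeInternalType) readTrusted(good);
        System.out.println("accepted: " + ok.name + " / " + ok.owner);

        byte[] bad = serialize(new Intruder());
        try {
            readTrusted(bad);
            System.out.println("BUG: intruder accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());   // filter status: REJECTED
        }
    }
}
```

The filter decides on the class named in the stream, not on the bytes, which is why it neither overblocks a legitimate record that happens to contain the string `java.lang.Runtime` nor underblocks a gadget chain that a signature never anticipated. A RASP agent applies the same sink-side check without the application having to add it.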

  27. RASP protects from within: Who is attacking? What techniques are they using? Which apps and APIs are they targeting?

  28. RASP deploys automatically with your application: Ansible, Puppet, Docker, Kubernetes, whatever…

  29. RASP is fast: SSL adds +5 ms per request; Contrast Protect adds +50 µs, 100x faster than SSL.

  30. Is your SOC blind to AppSec?

  31. You can start today! IAST and RASP are a platform for “security as code”: 1. Add security to development. 2. Lock down open source libraries. 3. Enable automatic security testing. 4. Prevent exploits in operation.

  32. Velocity Early Access: Contrast Community Edition (FREE). Contrast CE provides full-featured IAST and RASP for Java applications and APIs. Finally, you can replace your SAST, DAST, and WAF with something better… for free. Contrast CE works with… Get started for free at: http://contrastsecurity.com/ce

  33. Thank you! Ask me anything. Jeff Williams, @planetlevel

  34. IAST and RASP use an instrumentation agent to empower apps with security capabilities at runtime without changing existing code. Diagram: Ordinary Insecure Application + Agent = Self-Protecting Application. IAST and RASP: find vulnerabilities, secure open source, prevent exploits. “…works like AppDynamics for security”.

  35. Struts 2 Dependencies

  36. Dozens of CVEs every week. “Possible” ?!!

