Jumpstarting Your DevSecOps Pipeline with IAST and RASP
Jeff Williams, @planetlevel, CTO and Co-Founder, Contrast Security
The average application is extremely vulnerable: 26.7 vulnerabilities
• 21% custom code
• 8% used libraries (2 vulnerabilities)
• 71% unused libraries
You are under attack
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com
What is DevSecOps?
DevOps: 1. Establish work flow 2. Ensure instant feedback 3. Culture of experimentation
DevSecOps: 1. Establish security work flow 2. Ensure instant security feedback 3. Build a security culture
https://itrevolution.com/the-three-ways-principles-underpinning-devops/
Keys to security automation
• Accurate: any inaccuracy requires experts, and there aren't enough experts.
• Continuous: the days of gigantic security PDF reports are hopefully long behind us.
• Reliable: application protection in production has to be safe and testable.
• Real time: the best window to fix a vulnerability is within seconds after introducing it.
DevSecOps enabling technologies
IAST (Interactive Application Security Testing)
• Finds vulnerabilities
• Highly accurately
• From inside the application
• Across custom code and libraries
• In real time
• Without scanning
RASP (Runtime Application Self-Protection)
• Prevents vulnerabilities from being exploited
• Highly accurately
• From inside the application
• Across custom code and libraries
• In real time
• Without "learn mode"
How IAST and RASP work
An agent inside your application or API carries sensors: HTTP, code, data flow, control flow, library, config, and backend sensors.
• IAST (Interactive Application Security Testing) detects vulnerabilities in both custom code and libraries during normal use (outcome: vulnerability confirmed).
• RASP (Runtime Application Self-Protection) prevents vulnerabilities from being exploited in both custom code and libraries (outcome: exploit prevented).
Turning DevOps into DevSecOps: IAST/RASP in Development, in CI/CD/QA, and in Operations
Today's mission…
1. Add security to development
2. Lock down open source libraries
3. Enable automatic security testing
4. Prevent exploits in operation
Get an IAST/RASP agent: https://www.contrastsecurity.com/ce
1. Download 2. Install 3. Enjoy
Using IAST from within Maven
HQL injection
Automatic vulnerability detection
How do you want your security? IDE, ChatOps, or browser
Today's mission (recap): 1. Add security to development 2. Lock down open source libraries 3. Enable automatic security testing 4. Prevent exploits in operation
Actual attack on CVE-2017-5638
How fast can you respond?
• March 7: CVE-2017-5638 disclosed, Apache releases fixed version
• March 8: we observe widespread attacks
• Mid-May: Equifax breach occurs
• July 29: Equifax learns of breach
• Sept 7: Equifax discloses breach; four more Struts2 CVEs disclosed
No updates, no detection: disaster. You must have the infrastructure in place to respond within hours.
Assess with IAST across Dev, CI/CD, and Prod: OSS, private cloud, public cloud, APIs, containers
1. Continuously inventory all OSS
2. Automatically detect vulnerabilities in OSS
Protect with RASP
1. Prevent known OSS vulnerabilities from being exploited
2. Defend applications from attacks on unknown OSS vulnerabilities
Today's mission (recap): 1. Add security to development 2. Lock down open source libraries 3. Enable automatic security testing 4. Prevent exploits in operation
IAST works the same in CI/CD
IAST works with all types of testing… even production. Vulnerabilities, anywhere.
Security coverage with JaCoCo
Today's mission (recap): 1. Add security to development 2. Lock down open source libraries 3. Enable automatic security testing 4. Prevent exploits in operation
Getting started with RASP: https://www.contrastsecurity.com/ce
1. Download 2. Install 3. Enjoy
Web application firewalls both overblock and underblock: untrusted deserialization
Application expects to receive this object: Name: Smith, James; Record ID: 123456; Owner: Finance
Attacker sends a malicious object: AcmeInternalType#cmd: java.lang.Runtime; AcmeInternalType#mtd: getRuntime().exec; AcmeInternalType#args: 'cmd.exe', '/C', 'calc'
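The slide's point is that a WAF only sees opaque serialized bytes, while the application itself knows exactly which class it expects and can enforce that at the moment the class is resolved. One way to do that inside the process is a JDK serialization filter (ObjectInputFilter, JDK 9+); this is an added example, not code from the deck or from Contrast, and AcmeInternalType with its fields is constructed to match the slide.

```java
import java.io.*;
import java.util.HashMap;

// Constructed stand-in for the record type the application expects (fields from the slide).
final class AcmeInternalType implements Serializable {
    private static final long serialVersionUID = 1L;
    final String name;
    final long recordId;
    final String owner;

    AcmeInternalType(String name, long recordId, String owner) {
        this.name = name;
        this.recordId = recordId;
        this.owner = owner;
    }
}

public class DeserializeWithFilter {
    // Allowlist filter (JEP 290): only AcmeInternalType and java.lang.* may be resolved;
    // "!*" rejects every other class before its readObject/readResolve code can run.
    static final ObjectInputFilter EXPECTED_ONLY =
            ObjectInputFilter.Config.createFilter("AcmeInternalType;java.lang.*;!*");

    static AcmeInternalType read(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(EXPECTED_ONLY); // decided on the resolved class, not on bytes
            return (AcmeInternalType) in.readObject();
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(obj);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new AcmeInternalType("Smith, James", 123456L, "Finance"));
        System.out.println("accepted: " + read(expected).name);

        // Any other class in the stream (a harmless HashMap stands in here) is rejected.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            read(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern syntax can be applied process-wide with the jdk.serialFilter system property, which is useful when the deserialization call sits in a library you do not control.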
RASP protects from within: Who is attacking? What techniques are they using? Which apps and APIs are they targeting?
RASP deploys automatically with your application: Ansible, Puppet, Docker, Kubernetes, whatever…
RASP is fast: SSL adds +5 ms; Contrast Protect adds +50 µs, 100x faster than SSL
Is your SOC blind to AppSec?
You can start today! IAST and RASP are a platform for "security as code"
1. Add security to development
2. Lock down open source libraries
3. Enable automatic security testing
4. Prevent exploits in operation
Velocity Early Access: Contrast Community Edition (FREE)
Contrast CE provides full-featured IAST and RASP for Java applications and APIs. Finally, you can replace your SAST, DAST, and WAF with something better… for free.
Get started for free at: http://contrastsecurity.com/ce
Thank you! Ask me anything. Jeff Williams, @planetlevel
IAST and RASP use an instrumentation agent to empower apps with security capabilities at runtime without changing existing code… An ordinary insecure application plus the agent becomes a self-protecting application.
IAST and RASP: • Find vulnerabilities • Secure open source • Prevent exploits
"…works like AppDynamics for security"
Struts 2 dependencies
Dozens of CVEs every week. "Possible" ?!!