jumpstarting your devsecops pipeline with iast and rasp
play

Jumpstarting Your DevSECOps Pipeline with IAST and RASP Jeff - PowerPoint PPT Presentation

May 01, 2023 •222 likes •598 views

Jumpstarting Your DevSECOps Pipeline with IAST and RASP Jeff Williams @planetlevel CTO and Co-FOUNDER Contrast Security The Average 26.7 Vulnerabilities application is extremely 21% CustomCode vulnerable 8% USED Libraries 2

  1. Jumpstarting Your DevSECOps Pipeline with IAST and RASP Jeff Williams –@planetlevel CTO and Co-FOUNDER – Contrast Security

  2. The Average 26.7 Vulnerabilities application is extremely 21% CustomCode vulnerable 8% USED Libraries 2 Vulnerabilities 71% unusedLibraries

  3. You are Under AttacK 3 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  4. What is DevSecOps? DEVOPS DEVSECOPS 1.Establish work flow 1.Establish security work flow 2.Ensure instant feedback 2.Ensure instant security feedback 3.Culture of experimentation 3.Build a security culture https://itrevolution.com/the-three-ways-principles-underpinning-devops/ 4 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  5. Keys to Security automation Accurate Continuous Any inaccuracy The days of gigantic requires experts. security PDF reports And there aren’t are hopefully long enough experts behind us. Reliable REAL TIME Application The best window to protection in fix a vulnerability is production has to be within seconds after safe and testable introducing it 5 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  6. DEVSECOPS Enabling technologies IAST RASP Interactive application security testing RUNTIME APPLICATION SELF-PROTECtion n Finds vulnerabilities n Prevents vulnerabilities from being exploited n Highly accurately n Highly accurately n From inside the application n From inside the application n Across custom code and libraries n Across custom code and libraries n In real time n In real time n Without scanning n Without “learn mode” 6 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  7. How IAST and RASP WOrk Your Application or API Interactive Application IAST Security Testing • Detects vulnerabilities in both ✘ custom code and libraries during Exploit normal use Prevented Vulnerability RASP Runtime Application Confirmed Self-Protection • Prevents vulnerabilities from HTTP Code Data Flow Control Flow Sensors Sensors Sensors Sensors being exploited in both custom code and libraries Library Config Backend AGENT Sensors Sensors Sensors 7 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  8. Turning Devops into DevSECOPS IAST/RASP IAST/RASP IAST/RASP Development CI/CD/QA Operations 8 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  9. Today’s MISSION… 1. Add Security to 2. Lock Down Open 3. Enable automatic 4. Prevent exploits Development Source libraries SecurityTesting in Operation 9 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  10. GET an iast/RASP agent https://www.contrastsecurity.com/ce 1. Download 2. install 3. Enjoy 10 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  11. Using IAST from within Maven 11 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  12. HQL injection 12 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  13. Automatic vulnerability detection 13 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  14. How do you want your security? IDE Chatops Browser 14 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  15. Today’s MISSION… 1. Add Security to 2. Lock Down Open 3. Enable automatic 4. Prevent exploits Development Source libraries SecurityTesting in Operation 15 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  16. Actual attack on CVE-2017-5638 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | 16 contrastsecurity.com

  17. How fast can you respond? July 29 Sept 7 March 7 Mid-May Equifax Equifax discloses, CVE-2017-5638 Equifax learns of Four more Struts2 Disclosed, Apache breach breach CVEs disclosed releases fixed version occurs No updates No detection Disaster March 8 We observe You musthave the widespread attacks infrastructure in place to respond within hours. 17 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  18. DEV CI/CD PROD ASSESS OSS Cloud Private Public with IAST Cloud APIs Containers Private APIs Containers 1. continuously Inventory all oSS 2. Automatically detect vulnerabilities in OSS 18 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  19. PROTECT WITH RASP 1. Prevent known OSS vulnerabilities from being exploited 2. Defend applications from attacks on unknown OSS vulnerabilities 19 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  20. Today’s MISSION… 1. Add Security to 2. Lock Down Open 3. Enable automatic 4. Prevent exploits Development Source libraries SecurityTesting in Operation 20 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  21. IAST works the same in CI/CD 21 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  22. IAST works with all types of testing… Vulnerabilities …even production Anywhere 22 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  23. Security Coverage with JACOCO 23 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | @planetlevel

  24. Today’s MISSION… 1. Add Security to 2. Lock Down Open 3. Enable automatic 4. Prevent exploits Development Source libraries SecurityTesting in Operation 24 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  25. Getting started with RASP https://www.contrastsecurity.com/ce 1. Download 2. install 3. Enjoy 25 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  26. Web application firewalls both overblock and underblock Application Bad Guy Name: Untrusted deserialization AcmeInternalType#cmd: AcmeInternalType#cmd: Smith, James java.lang.Runtime Application expects java.lang.Runtime Attacker sends malicious object to receive this Record ID: AcmeInternalType#mtd: AcmeInternalType#mtd: 123456 object getRuntime().exec getRuntime().exec Owner: AcmeInternalType#args: AcmeInternalType#args: Finance ‘cmd.exe’,’/C’,’calc’ ‘cmd.exe’,’/C’,’calc’ 26 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  27. RASP protects from within Who is attacking? What techniques are they using? Which apps and aPIsare they targeting? 27 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  28. • Ansible RASP Deploys • Puppet • Docker automatically • Kubernetes with your • Whatever… application 28 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  29. RASP IS FAST +5 ms SSL Contrast +50 µ s 100x faster than SSL Protect 29 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  30. Is your soc blind to appsec? 30 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  31. You can start today! IAST and RASP are a platform for “security as code” 1. Add Security to 2. Lock Down Open 3. Enable automatic 4. Prevent exploits Development Source libraries SecurityTesting in Operation 31 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  32. Velocity Early Access Contrast Community Edition (FREE) Contrast CE provides full-featured IAST and RASP for Java applications and APIs. Finally, you can replace your SAST, DAST, and WAF with something better… For free. Contrast CE works with… Get started for free at: http://contrastsecurity.com/ce 32 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com

  33. THANK YOU! Ask me anything Jumpstarting Your DevSecOps Pipeline with IAST and RASP Jeff Williams @planetlevel

  34. 34 IAST and RASP use an instrumentation agent to empower apps with security capabilities at runtime without changing existing code… IAST and RASP • Find vulnerabilities Ordinary AGENT Self- Insecure • Secure open source Protecting Application Application • Prevent exploits “…works like AppDynamics for security”

  35. 35 Struts 2 Dependencies

  36. Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 36 Dozens of CVEs every week “Possible” ?!!

  37. 37 Jumpstarting Your DevSecOps Pipeline with IAST and RASP | @planetlevel

Recommend

How to use hacker personas to successfully build DevSecOps Pipeline Robin Yeman

How to use hacker personas to successfully build DevSecOps Pipeline Robin Yeman

How to use hacker personas to successfully build DevSecOps Pipeline Robin Yeman Lockheed Martin Sr. Fellow Lockheed Martin twitter @robinyeman Agenda DevOps and Pipeline Securing the pipeline Apply the

863 views • 26 slides
WOW! What a Clerkship! How to Maximize Law Students Judicial Externships by Jumpstarting the

WOW! What a Clerkship! How to Maximize Law Students Judicial Externships by Jumpstarting the

WOW! What a Clerkship! How to Maximize Law Students Judicial Externships by Jumpstarting the Classroom Experience By Amany Ragab Hacking, Assistant Clinical Professor Supervisor, Saint Louis University School of Law Externship Clinic I.

599 views • 46 slides
The Kitchen Sink Jumpstarting Mobile Web Development Introduction & Background i n i m A

The Kitchen Sink Jumpstarting Mobile Web Development Introduction & Background i n i m A

The Kitchen Sink Jumpstarting Mobile Web Development Introduction & Background i n i m A n a g j o M e c f i f O b W e s u p m a C UC San Diego embraces MWF onsulted 7 ampus IT Student Affairs Libraries Summer

527 views • 8 slides
Wabi-Sabi Your DevSecOps Presented by: Brittany

Wabi-Sabi Your DevSecOps Presented by: Brittany

AW6 DevOps Automation Wednesday, November 6th, 2019 10:30 AM Wabi-Sabi Your DevSecOps Presented by: Brittany Greenfield Wabbi

490 views • 25 slides
Jumpstarting EV Adoption: Making NL a leader in electric vehicle use Jon Seary Joe Butler

Jumpstarting EV Adoption: Making NL a leader in electric vehicle use Jon Seary Joe Butler

Jumpstarting EV Adoption: Making NL a leader in electric vehicle use Jon Seary Joe Butler Drive Electric NL Public Utilities Board Rate Mitigation Options and Impacts Why do we drive electric? Owning an EV: Significant cost savings for NL

680 views • 20 slides
DevSecOps An Implementation Strategy With a Focus on Cultural Implications 6 th Annual COV

DevSecOps An Implementation Strategy With a Focus on Cultural Implications 6 th Annual COV

DevSecOps An Implementation Strategy With a Focus on Cultural Implications 6 th Annual COV Information Security Conference Richmond, Virginia April 12, 2019 Presenters Eddie McAndrew Barry Davis COO CISSO AIS Network Virginia Dept. of

566 views • 40 slides
Securing Software Supply Chains Why 3 Days Might Be Your New Normal for DevSecOps Cameron

Securing Software Supply Chains Why 3 Days Might Be Your New Normal for DevSecOps Cameron

Securing Software Supply Chains Why 3 Days Might Be Your New Normal for DevSecOps Cameron Townshend Solution Architect, APJ, Sonatype Since 2000, 52% of Fortune 500 have been replaced. Established business leaders are also under attack

515 views • 47 slides
You Build It, You Secure It ( Introduction to DevSecOps ) John Willis @botchagalupe

You Build It, You Secure It ( Introduction to DevSecOps ) John Willis @botchagalupe

You Build It, You Secure It ( Introduction to DevSecOps ) John Willis @botchagalupe https://github.com/botchagalupe/my-presentations Devops is about Humans Devops is a set of practices and patterns that turn human capital into high

600 views • 49 slides
QA DevSecOps Leading a Quality-Driven DevOps Transformation Stacy Kirk CEO, QualityWorks

QA DevSecOps Leading a Quality-Driven DevOps Transformation Stacy Kirk CEO, QualityWorks

10/2/19 QA DevSecOps Leading a Quality-Driven DevOps Transformation Stacy Kirk CEO, QualityWorks Consulting Group Old School Power of a Tester Being Excuse to be Nosy in all meetings Go-No-Go Paid to Keep it Real 1 10/2/19

337 views • 15 slides
AD39 - Making the Jump from DevOps to DevSecOps

AD39 - Making the Jump from DevOps to DevSecOps

AD39 DevOps Engineering 11:30 AM AD39 - Making the Jump from DevOps to DevSecOps Presented by: Alan Crouch

781 views • 42 slides
Is there room for SecArch in DevSecOps? (or can old dogs perform new tricks?) Dimitrios

Is there room for SecArch in DevSecOps? (or can old dogs perform new tricks?) Dimitrios

Is there room for SecArch in DevSecOps? (or can old dogs perform new tricks?) Dimitrios Petropoulos 26 April 2018 $ cut -f5 -d: /etc/passwd | grep -i petropoulos Dimitrios Petropoulos Cryptographer by education (nobodys perfect)

543 views • 18 slides
Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael

Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael

Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira Prefix hijacking prefers shorter route Victim 168.122/16 168.122/16 Path: X-111 AS X Path: 666 AS 666 168.122/16 AS Path: 111

884 views • 24 slides
Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and

Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and

Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira BGP is insecure! Prefix hijack 1.2.0.0/16 is Mine The Internet AS 1 AS 666 1.2.0.0/16 is Mine BGP is insecure! Prefix hijacks

305 views • 27 slides
The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help

The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help

The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help make compliance secure Fen Labalme TOC How did I get here What is CivicActions What is compliance Making compliance fun Culture

1.24k views • 89 slides
Pipeline Construction Pipeline Construction Challenges Challenges NAPCA Workshop August 19,

Pipeline Construction Pipeline Construction Challenges Challenges NAPCA Workshop August 19,

U.S. Department of Transportation Pipeline and Hazardous Materials Safety Administration Pipeline Construction Pipeline Construction Challenges Challenges NAPCA Workshop August 19, 2010 Houston, Texas Kenneth Y. Lee Office of Pipeline

506 views • 50 slides
1,000 foot pipeline Connect Replacement (Saugus 3 and 4) Wells to Magic Mountain Pipeline

1,000 foot pipeline Connect Replacement (Saugus 3 and 4) Wells to Magic Mountain Pipeline

Magic Mountain Water Pipeline Installation Agreement Amendment Commerce Center Drive Pipeline Background 1,000 foot pipeline Connect Replacement (Saugus 3 and 4) Wells to Magic Mountain Pipeline Five Point will oversee construction

59 views • 3 slides
Pipeline A Presentation by Team Pipeline Ben Lai Brandon Bakhshai Jeffrey Serio Somya

Pipeline A Presentation by Team Pipeline Ben Lai Brandon Bakhshai Jeffrey Serio Somya

Pipeline A Presentation by Team Pipeline Ben Lai Brandon Bakhshai Jeffrey Serio Somya Vasudevan What is pipeline Pipeline is an asynchronous programming language that uses an event-driven architecture. Pipelines event-loop is powered by

329 views • 20 slides
Highlights Highlights of of New New Pipeline Pipeline Medicines Medicines Based on Meds

Highlights Highlights of of New New Pipeline Pipeline Medicines Medicines Based on Meds

Highlights Highlights of of New New Pipeline Pipeline Medicines Medicines Based on Meds Pipeline Monitor 2018 CADTH Symposium April 15, 2019 Jared Berger Policy Analyst Providing insight into potentially high-impact medicines in the

317 views • 9 slides
API 15S Spoolable Composite Pipeline Systems SD / ND Commissions PHMSA TQ Pipeline Safety

API 15S Spoolable Composite Pipeline Systems SD / ND Commissions PHMSA TQ Pipeline Safety

API 15S Spoolable Composite Pipeline Systems SD / ND Commissions PHMSA TQ Pipeline Safety Seminar Sioux Falls, SD April 15, 2015 DeWitt Burdeaux Regulatory Affairs FlexSteel Pipeline Technologies Presentation Topics Why Use Spoolable

539 views • 31 slides
Spire Missouri STL Pipeline November 13, 2019 STL Pipeline Supports strategy to modernize

Spire Missouri STL Pipeline November 13, 2019 STL Pipeline Supports strategy to modernize

Spire Missouri STL Pipeline November 13, 2019 STL Pipeline Supports strategy to modernize our 60-mile pipeline gas assets to: with capacity of 400 MMcf/d Achieve more diverse supply portfolio Improve reliability and resiliency

622 views • 11 slides
The OpenGL Rendering Pipeline The Rendering Pipeline The process to generate two-dimensional

The OpenGL Rendering Pipeline The Rendering Pipeline The process to generate two-dimensional

The OpenGL Rendering Pipeline The Rendering Pipeline The process to generate two-dimensional images from given virtual cameras and 3D objects The pipeline stages implement various core graphics rendering algorithms Why should you

724 views • 16 slides
Rationale Conventional Computational Pipeline Monitoring (CPM) methods have very limited

Rationale Conventional Computational Pipeline Monitoring (CPM) methods have very limited

Liquid Pipeline Leak Detection - Ongoing Research to Evaluate Selected External Leak Detection Technologies Mark Stephens, C-FER Technologies Pipeline Safety Trust Conference, New Orleans LA October 20, 2016 www.cfertech.com 1 2016 Pipeline

182 views • 17 slides
Detecting Pipeline Leaks Whats the Right Approach? October 20, 2016 | Pipeline Safety

Detecting Pipeline Leaks Whats the Right Approach? October 20, 2016 | Pipeline Safety

Detecting Pipeline Leaks Whats the Right Approach? October 20, 2016 | Pipeline Safety Trust Conference New Orleans, LA Leak Detection Best Defense is Preventing Leaks from Occurring in First Place Proactive pipeline integrity

258 views • 7 slides
Overview Basics of Pipelining Pipeline Hazards Appendix A Pipeline Implementation

Overview Basics of Pipelining Pipeline Hazards Appendix A Pipeline Implementation

Overview Basics of Pipelining Pipeline Hazards Appendix A Pipeline Implementation p p Pipelining + Exceptions Pipelining: Basic and Intermediate Pipeline to handle Multicycle Operations Concepts 1 2 Unpipelined

507 views • 14 slides

More recommend