EMBRACING DEVSECOPS WITH EMBEDDED APPLICATION SECURITY

Page 1:

CONTRASTSECURITY.COM © 2020 COMPANY CONFIDENTIAL

Robert Statsinger

Senior Solution Architect

[email protected]

February 14, 2020

EMBRACING DEVSECOPS WITH EMBEDDED APPLICATION SECURITY

Page 2:

WHO AM I?

• Solution Architect, Contrast Security

• APM background

• Cloud Enthusiast, DevOps and Cybersecurity Imposter

• Animal Shelter Volunteer (Cat Snuggler)

• Barbershopper

Page 3:

THE AVERAGE APPLICATION IS EXTREMELY VULNERABLE

Chart (composition of the average application): 71% unused libraries, 8% used libraries, 21% custom code; vulnerability counts shown: 26.7 vulnerabilities, 2 vulnerabilities

Source: www.helpnetsecurity.com

73% of apps contain at least one OWASP Top Ten vulnerability

Page 4:

YOU ARE UNDER ATTACK

Source: http://www.ptsecurity.com

Page 5:

APPSEC STATE OF THE PRACTICE: LEGACY TOOL QUAGMIRE

Disparate, static, disconnected, inaccurate; huge staffing requirements to interpret results

• IDE Spellcheckers

• SCA

• SAST Full Scan

• Fuzzing

• NGWAF

• WAF

• SAST Quick Scan

• IPS

• Manual Code Review

• DAST

• Manual Pentesting

Page 6:

APPSEC MEETS THE MODERN SDLC: IMPOSSIBLE ECONOMICS

Chart (applications to run the business vs. time), labelled: More code, faster; Specialized security staff; Security tools budget; HUGE RISK

Page 7:

SHOPPING GITHUB FOR WAF BYPASSES

Page 8:

THE ROOT PROBLEM

SDLC speed and safety are held back by a 15-year-old, scan- and perimeter-based software security model built for the pre-DevOps, pre-Agile, pre-Cloud era.

Page 9:

DEVELOPERS AND SECURITY: NOT ALWAYS ON THE SAME PAGE

• 70% of developers are expected to write secure code, but only 25% think their organization's security practices are "good."

• Security professionals often complain about being on the outside, while developers and operations teams resent being told how to prioritize their work.

• Legacy Process:

– Engineers write code and hand it over to security when it is ready

– By the time security comes back with fixes, developers are in a time crunch; rarely is there time to address them all.

Page 10:

IT'S VALENTINE'S DAY!

• Rethinking the relationship between Dev and Sec

• A new pact:

– Engineers own appsec in their own code, with IAST as their internal silent sidekick

– Secure code moves to production at the speed of DevOps

Page 11:

DEVSECOPS IS VERY PROMISING…

DEVOPS:

1. Establish workflow

2. Ensure instant feedback

3. Culture of experimentation

DEVSECOPS:

1. Establish security workflow

2. Ensure instant security feedback

3. Build a security culture

Page 12:

CONTINUOUS UNIFIED APPSEC ACROSS THE SDLC

Development: IAST/RASP

CI/CD/QA: IAST/RASP

Operations: IAST/RASP

Page 13:

EMBEDDED APPSEC: HOW IAST AND RASP WORK

Diagram: an AGENT inside Your Application or API, made up of Config Sensors, Code Sensors, Control Flow Sensors, HTTP Sensors, Backend Sensors, Data Flow Sensors and Library Sensors.

• IAST (Interactive Application Security Testing) detects vulnerabilities in both custom code and libraries during normal use; outcome: Vulnerability Confirmed

• RASP (Runtime Application Self-Protection) prevents exploits in both custom code and libraries; outcome: Exploit Prevented
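As an added example (not code from the deck, and not Contrast's agent), the Python sketch below models the sensor layout on this slide: an HTTP sensor taints every request parameter, a data-flow sensor carries the taint through string concatenation, and a backend sensor inspects the SQL statement at the db.execute() sink. It also revisits the earlier "Shopping GitHub for WAF bypasses" slide: the same injection payload is sent once in textbook form and once rewritten to slip past a signature WAF, and only the in-app sensors see both. The `Tainted` class, `Agent`, `WAF_RULE`, the constructed request values and the `BREAKOUT` check are all assumptions made for this example; the breakout check is a crude stand-in for the semantic analysis a real agent performs on the statement.

```python
import re
from collections import namedtuple


def _spans_of(value, offset):
    """Untrusted character ranges of value, shifted by offset (none for a plain str)."""
    return [(s + offset, e + offset) for s, e in value.spans] if isinstance(value, Tainted) else []


class Tainted(str):
    """Data-flow sensor (assumed for this example): a str that remembers the HTTP
    source it came from and which character ranges are untrusted. Only '+' propagates
    taint here; f-strings, .format() and .join() would return a plain str, which is
    why real agents instrument bytecode instead of subclassing str."""

    def __new__(cls, value, source, spans=None):
        obj = super().__new__(cls, value)
        obj.source = source
        obj.spans = [(0, len(value))] if spans is None else spans
        return obj

    def __add__(self, other):  # tainted + x
        return Tainted(str.__add__(self, other), self.source,
                       list(self.spans) + _spans_of(other, len(self)))

    def __radd__(self, other):  # plain str + tainted: Python tries the subclass's reflected op first
        other = str(other)
        return Tainted(other + str(self), self.source, _spans_of(self, len(other)))


Finding = namedtuple("Finding", "rule source sink evidence")

# Characters that let untrusted data leave a SQL string literal or end the statement;
# a stand-in for a real agent's semantic analysis of the statement at the sink.
BREAKOUT = re.compile(r"""['"]|--|/\*|;""")


class Agent:
    """Toy in-process agent: mode='iast' reports, mode='rasp' reports and blocks."""

    def __init__(self, mode="iast"):
        self.mode, self.findings = mode, []

    def http_sensor(self, params):
        """HTTP sensor: every request parameter enters the application tainted."""
        return {k: Tainted(v, f"param:{k}") for k, v in params.items()}

    def sql_sensor(self, query):
        """Backend sensor wrapping the db.execute() sink."""
        if not isinstance(query, Tainted) or not query.spans:
            return query  # no untrusted data in this statement
        # IAST: untrusted data reached the sink unparameterised, so the code is
        # vulnerable whether or not this particular request was an attack.
        self.findings.append(Finding("sql-injection", query.source, "db.execute", str(query)))
        untrusted = " ".join(query[s:e] for s, e in query.spans)
        if self.mode == "rasp" and BREAKOUT.search(untrusted):
            raise PermissionError(f"blocked: data from {query.source} alters SQL structure")
        return query


# Perimeter WAF for comparison: one signature applied to the raw request value.
WAF_RULE = re.compile(r"\bOR\b\s+\d+\s*=\s*\d+", re.IGNORECASE)


def waf_blocks(raw_value):
    return bool(WAF_RULE.search(raw_value))


def fake_db_execute(query):
    return ["row"]  # stand-in database; a real one would run str(query)


def lookup_user(agent, params):
    """Application under test: string-built SQL, deliberately left unparameterised."""
    p = agent.http_sensor(params)
    query = "SELECT * FROM users WHERE name = '" + p["name"] + "'"
    return fake_db_execute(agent.sql_sensor(query))


def run_scenarios():
    """Constructed requests: normal use, a textbook payload, and the same payload
    rewritten to slip past WAF_RULE (a comment instead of whitespace after OR)."""
    requests = {"benign": {"name": "alice"},
                "classic": {"name": "' OR 1=1 --"},
                "waf_bypass": {"name": "' OR/**/1=1--"}}
    results = {}
    for label, params in requests.items():
        iast, rasp = Agent("iast"), Agent("rasp")
        lookup_user(iast, params)
        try:
            lookup_user(rasp, params)
            blocked = False
        except PermissionError:
            blocked = True
        results[label] = {"waf_blocked": waf_blocks(params["name"]),
                          "iast_findings": len(iast.findings),
                          "rasp_blocked": blocked}
    return results
```

Two things the slide's labels mean in practice show up in the results: the IAST finding fires on the benign request as well, because the string-built query is vulnerable regardless of what was sent (that is what "detects vulnerabilities during normal use" amounts to), while the RASP agent blocks only when the untrusted bytes change the statement's structure, which catches the WAF-evading payload the perimeter signature missed.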

Page 14:

IAST/RASP DEPLOYS WITH YOUR APPLICATION

• IDE

• Jenkins/Circle CI

• Chef/Ansible/Puppet

• NPM/RPM/Nuget

• Docker

• Kubernetes

• Pivotal

• AWS/GCP/Azure

• Whatever…

Page 15:

CONTINUOUS IMMEDIATE APPSEC FOR DEVELOPERS

Page 16:

TANGIBLE BUSINESS BENEFITS

• TOP 3 SOFTWARE COMPANY: 1400+ apps secured with less than one FTE

• FORTUNE 10 FINANCIAL SERVICES COMPANY: 50% reduction in pen testing costs

• TOP 3 GLOBAL INSURANCE COMPANY: 3X increase in *safe* software release velocity

• MAJOR HEALTHCARE COMPANY: 2.2M application-layer attacks protected every month

SPEED AND SCALE · GAME-CHANGING ECONOMICS · SDLC ACCELERATION · ENHANCED SECURITY

Page 17:

SUMMARY: DEVOPS + APPSEC AT SCALE

Page 18:

DOWNLOAD AN IAST/RASP AGENT

1. Download agent

2. Install

3. Enjoy

Page 19:

COME SEE US AT RSA IN TWO WEEKS!

Page 20:

CONTRAST SECURITY - CORPORATE SUMMARY

Enterprise Grade Application Security Software

Focused on securing applications and OSS across the SDLC

Incorporated in mid-2014 by Jeff Williams & Arshan Dabirsiaghi

Jeff co-founded OWASP (Open Web Application Security Project)

Key technologies: Agents and Deep Security Instrumentation

Proven approach used by APM vendors, applied to AppSec

Over 200 top customers across every major vertical

Key verticals include financial services, insurance, healthcare, and technology companies

Backed by top venture and corporate investors

Battery Ventures, General Catalyst, Acero Capital, Warburg Pincus

Corporate Investors: Microsoft Ventures, AXA Ventures

$119 million in total funding

HQ in Silicon Valley; Dev team in Maryland, Ireland

Global Presence

LEADER (Software Development Solution)

Page 21:

THANK YOU!

Page 22:

GOT DOCKER?

HANDS ON: JUMPSTART DEVSECOPS FOR FREE USING CONTRAST COMMUNITY EDITION

Page 23:

CHECK OUT THIS REPO

https://github.com/rstatsinger/iastrasplab

Get ready for IAST and RASP to rock your AppSec world

Page 24:

A BRIEF SOAPBOX…

Page 25:

CT (Continuous Testing)

Page 26:

Page 27:

IAST MULTIPLIES THE VALUE OF EVERY INTERACTION

Page 28:

THANK YOU!