CONTRASTSECURITY.COM © 2020 COMPANY CONFIDENTIAL
Robert Statsinger
Senior Solution Architect
February 14, 2020
EMBRACING DEVSECOPS WITH EMBEDDED APPLICATION SECURITY
WHO AM I?
• Solution Architect, Contrast Security
• APM background
• Cloud Enthusiast, DevOps and Cybersecurity Imposter
• Animal Shelter Volunteer (Cat Snuggler)
• Barbershopper
THE AVERAGE APPLICATION IS EXTREMELY VULNERABLE
Chart (Source: www.helpnetsecurity.com):
• 71% unused libraries
• 8% used libraries
• 21% custom code
• 26.7 vulnerabilities
• 2 vulnerabilities
• 73% of apps contain at least one OWASP Top Ten vulnerability
YOU ARE UNDER ATTACK (Source: http://www.ptsecurity.com)
APPSEC STATE OF THE PRACTICE: LEGACY TOOL QUAGMIRE
Disparate, static, disconnected, inaccurate - huge staffing requirements to interpret results
• IDE Spellcheckers
• SCA
• SAST Full Scan
• Fuzzing
• NGWAF
• WAF
• SAST Quick Scan
• IPS
• Manual Code Review
• DAST
• Manual Pentesting
APPSEC MEETS THE MODERN SDLC: IMPOSSIBLE ECONOMICS
Chart: "applications to run the business" (vertical axis) plotted against "time" (horizontal axis), with three curves: "More code, faster", "Specialized security staff" and "Security tools budget". The gap between the first curve and the other two is labelled HUGE RISK.
SHOPPING GITHUB FOR WAF BYPASSES
THE ROOT PROBLEM
SDLC speed and safety are held back by a 15-year-old, scan- and perimeter-based software security model
Built for the pre-DevOps, pre-Agile, pre-Cloud era
DEVELOPERS AND SECURITY: NOT ALWAYS ON THE SAME PAGE
• 70% of developers are expected to write secure code, but only 25% think their organization's security practices are "good."
• Security professionals often complain about being on the outside, while developers and operations teams resent being told how to prioritize their work.
• Legacy Process:
– Engineers wrote code and handed it over to security when it was ready
– By the time security came back with fixes, developers would be in a time crunch; rarely was there time to address them all.
IT'S VALENTINE'S DAY!
• Rethinking the relationship between Dev and Sec
• A new pact:
– Engineers own appsec in their own code, with IAST as their internal silent sidekick
– Secure code moves to production at the speed of DevOps
DEVSECOPS IS VERY PROMISING…
DEVOPS:
1. Establish workflow
2. Ensure instant feedback
3. Culture of experimentation
DEVSECOPS:
1. Establish security workflow
2. Ensure instant security feedback
3. Build a security culture
CONTINUOUS UNIFIED APPSEC ACROSS THE SDLC
Development: IAST/RASP
CI/CD/QA: IAST/RASP
Operations: IAST/RASP
EMBEDDED APPSEC: HOW IAST AND RASP WORK
Diagram: an AGENT runs inside "Your Application or API" with Config Sensors, Code Sensors, Control Flow Sensors, HTTP Sensors, Backend Sensors, Data Flow Sensors and Library Sensors.
• IAST (Interactive Application Security Testing) detects vulnerabilities in both custom code and libraries during normal use: Vulnerability Confirmed
• RASP (Runtime Application Self-Protection) prevents exploits in both custom code and libraries: Exploit Prevented ✘
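As an added illustration (not Contrast's agent and not code from this deck), a toy Python model of two of the sensors on the slide: an HTTP sensor that marks request parameters as tainted, and a backend sensor on the SQL sink that records a data-flow finding in IAST mode or blocks the call in RASP mode. The Tainted type, Agent class and lookup functions are hypothetical; a real agent instruments far more operations than `+`.

```python
from dataclasses import dataclass, field

class Tainted(str):
    """Constructed marker: a string that came from an untrusted HTTP request.
    Taint survives '+' concatenation (the only operation this toy tracks)."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

@dataclass
class Agent:
    mode: str = "iast"                   # "iast": report only; "rasp": block
    findings: list = field(default_factory=list)

    def http_sensor(self, params):
        """HTTP sensor: every request parameter enters the app tainted."""
        return {k: Tainted(v) for k, v in params.items()}

    def backend_sensor(self, sql, args=()):
        """Backend sensor on the SQL sink: tainted query text means user input
        shaped the statement, a confirmed injection path even with a benign value."""
        if isinstance(sql, Tainted):
            self.findings.append("SQL injection: " + str(sql))
            if self.mode == "rasp":
                raise PermissionError("exploit prevented")
        return "executed: " + sql        # stand-in for the real database call

def lookup_user(agent, params):
    """Hypothetical app code: builds the query by concatenation (vulnerable)."""
    p = agent.http_sensor(params)
    return agent.backend_sensor("SELECT * FROM users WHERE name = '" + p["name"] + "'")

def lookup_user_safe(agent, params):
    """Same lookup, parameterised: tainted data travels as a bind value, not as SQL."""
    p = agent.http_sensor(params)
    return agent.backend_sensor("SELECT * FROM users WHERE name = ?", (p["name"],))

def handle(agent, params, handler=lookup_user):
    """Outcome in the slide's terms: vulnerability confirmed, exploit prevented, or ok."""
    before = len(agent.findings)
    try:
        handler(agent, params)
    except PermissionError:
        return "exploit prevented"
    return "vulnerability confirmed" if len(agent.findings) > before else "ok"

if __name__ == "__main__":
    iast = Agent("iast")
    print(handle(iast, {"name": "bob"}))                    # vulnerability confirmed
    print(handle(Agent("rasp"), {"name": "bob"}))           # exploit prevented
    print(handle(iast, {"name": "bob"}, lookup_user_safe))  # ok
```

The finding is raised on an ordinary request value, which is the point of detecting "during normal use": the data flow, not an attack payload, is what the sensor observes.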
IAST/RASP DEPLOYS WITH YOUR APPLICATION
• IDE
• Jenkins/Circle CI
• Chef/Ansible/Puppet
• NPM/RPM/Nuget
• Docker
• Kubernetes
• Pivotal
• AWS/GCP/Azure
• Whatever…
CONTINUOUS IMMEDIATE APPSEC FOR DEVELOPERS
TANGIBLE BUSINESS BENEFITS
• SPEED AND SCALE: Top 3 software company, 1400+ apps secured with less than one FTE
• GAME-CHANGING ECONOMICS: Fortune 10 financial services company, 50% reduction in pen testing costs
• SDLC ACCELERATION: Top 3 global insurance company, 3X increase in *safe* software release velocity
• ENHANCED SECURITY: Major healthcare company, 2.2M application-layer attacks protected every month
SUMMARY: DEVOPS + APPSEC AT SCALE
DOWNLOAD AN IAST/RASP AGENT
1. Download agent
2. Install
3. Enjoy
COME SEE US AT RSA IN TWO WEEKS!
CONTRAST SECURITY - CORPORATE SUMMARY
• Enterprise Grade Application Security Software
– Focused on securing applications and OSS across the SDLC
• Incorporated in mid-2014 by Jeff Williams & Arshan Dabirsiaghi
– Jeff co-founded OWASP (Open Web Application Security Project)
• Key technologies: Agents and Deep Security Instrumentation
– Proven approach used by APM vendors, applied to AppSec
• Over 200 top customers across every major vertical
– Key verticals include financial services, insurance, healthcare, and technology companies
• Backed by top venture and corporate investors
– Battery Ventures, General Catalyst, Acero Capital, Warburg Pincus
– Corporate Investors: Microsoft Ventures, AXA Ventures
– $119 million in total funding
• HQ in Silicon Valley; Dev team in Maryland, Ireland
• Global Presence
• LEADER: Software Development Solution
THANK YOU!
GOT DOCKER?
HANDS ON: JUMPSTART DEVSECOPS FOR FREE USING CONTRAST COMMUNITY EDITION
CHECK OUT THIS REPO
https://github.com/rstatsinger/iastrasplab
Get ready for IAST and RASP to rock your AppSec world
A BRIEF SOAPBOX…
CT (Continuous Testing)
IAST MULTIPLIES THE VALUE OF EVERY INTERACTION
THANK YOU!