Jumpstarting Your DevSecOps Pipeline with IAST and RASP · 2018-07-28 · contrastsecurity.com
TRANSCRIPT
Jeff Williams – @planetlevel – CTO and Co-Founder, Contrast Security
Jumpstarting Your DevSecOps Pipeline with IAST and RASP
The average application is extremely vulnerable
Composition of the average application: 71% unused libraries, 8% used libraries, 21% custom code
Vulnerability counts shown on the slide: 26.7 vulnerabilities and 2 vulnerabilities
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 3
You are under attack
DevSecOps is very promising…
https://itrevolution.com/the-three-ways-principles-underpinning-devops/
DevOps:
1. Establish work flow
2. Ensure instant feedback
3. Culture of experimentation
DevSecOps:
1. Establish security work flow
2. Ensure instant security feedback
3. Build a security culture
DZone DevSecOps Refcard
https://dzone.com/refcardz/introduction-to-devsecops
Written by Jeff Williams, Co-Founder and CTO of Contrast Security
Evolution of AppSec Automation
Development (find vulnerabilities): SAST (Static AppSec Testing), DAST (Dynamic AppSec Testing), IAST (Interactive AppSec Testing)
Operations (prevent exploit): IDS/IPS (Intrusion Detection/Prevention System), WAF (Web Application Firewall), RASP (Runtime Application Self-Protection)
Timeline markers on the slide: 2002, 2002, 2012, 2015, Today
Today: Unified IAST, RASP, SCA
How IAST and RASP Work
Your application or API runs with an agent whose sensors observe it from inside: config sensors, code sensors, control flow sensors, HTTP sensors, backend sensors, data flow sensors, library sensors.
IAST (Interactive Application Security Testing): detects vulnerabilities in both custom code and libraries during normal use (vulnerability confirmed).
RASP (Runtime Application Self-Protection): prevents vulnerabilities from being exploited in both custom code and libraries (exploit prevented).
Turning DevOps into DevSecOps
Development, CI/CD/QA, Operations: IAST/RASP in each stage
Today's MISSION…
1. Add Security to Development
2. Lock Down Open Source Libraries
3. Enable Automatic Security Testing
4. Prevent Exploits in Operations
DevSecOps Goals: DEV
Security:
• Must cover policies/rules I care about
• Must have minimal false positives/false negatives
Speed:
• Must integrate in tools I'm already using – NOT PDF
• Must notify with ChatOps!
Scale:
• Must not create bottleneck – NO SCANNING
• Must work on my portfolio including APIs!
Get an IAST/RASP agent
1. Download (https://www.contrastsecurity.com/ce)
2. Install
3. Enjoy
Using IAST from within Maven
HQL injection
How do you want your security?
IDE, ChatOps, Browser, Others:
Today's MISSION…
1. Add Security to Development ✓ (Security, Speed, Scale)
2. Lock Down Open Source Libraries
3. Enable Automatic Security Testing
4. Prevent Exploits in Operations
DevSecOps Goals: Open Source
Inventory:
• Must identify all components everywhere
• Must show libraries that are actually used (72% unused)
Assess:
• Must pinpoint apps and servers with vulnerable libraries
• Must identify both known and unknown vulnerabilities
Protect:
• Detection isn't enough
• Protect against both known and unknown flaws
Actual attack on CVE-2017-5638
How fast can you respond?
March 7: CVE-2017-5638 disclosed, Apache releases fixed version
March 8: We observe widespread attacks
Mid-May: Equifax breach occurs
July 29: Equifax learns of breach
Sept 7: Equifax discloses; four more Struts2 CVEs disclosed
Annotations on the timeline: No updates; No detection; Disaster
You must have the infrastructure in place to respond within hours.
Assess OSS with IAST
Across DEV, CI/CD and PROD: APIs, containers, private cloud, public cloud
1. Continuously inventory all OSS
2. Automatically detect vulnerabilities in OSS
Protect OSS with RASP
1. Prevent known OSS vulnerabilities from being exploited
2. Defend applications from attacks on unknown OSS vulnerabilities
Today's MISSION…
1. Add Security to Development ✓ (Security, Speed, Scale)
2. Lock Down Open Source Libraries ✓ (Inventory, Assess, Protect)
3. Enable Automatic Security Testing
4. Prevent Exploits in Operations
DevSecOps Goals: CI/CD
Continuous:
• Security testing automatically with every build
• Works without extensive test cases
Integrated:
• Open vulnerability tickets automatically
• Plugins, integrations, webhooks, and full REST API
Feedback:
• Set criteria for when to break the build
• Manage appsec policy across application portfolio
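An added illustration, not from the deck or Contrast's product: a small build gate in Python that applies per-application break-the-build criteria to findings an agent might report during CI. The finding fields, policy names and the sample report are constructed for this example.

```python
import json
from dataclasses import dataclass, field

SEVERITY_RANK = {"note": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class BuildPolicy:
    """Break-the-build criteria for one application (field names are constructed)."""
    fail_at_or_above: str = "high"                # one open finding at this level or worse fails
    rules_of_interest: frozenset = frozenset()    # empty means every rule counts
    max_open: dict = field(default_factory=dict)  # per-severity caps, e.g. {"low": 2}


# Portfolio policy: one default, tightened for an application that handles payments.
PORTFOLIO = {
    "*": BuildPolicy(),
    "payments-api": BuildPolicy(fail_at_or_above="medium", max_open={"low": 2}),
}


def policy_for(app: str) -> BuildPolicy:
    return PORTFOLIO.get(app, PORTFOLIO["*"])


def evaluate(findings: list, policy: BuildPolicy):
    """Return (break_build, reasons) for one application's findings."""
    # Only open findings count, and only rules the policy cares about.
    relevant = [f for f in findings
                if f["status"] == "open"
                and (not policy.rules_of_interest or f["rule"] in policy.rules_of_interest)]
    floor = SEVERITY_RANK[policy.fail_at_or_above]
    reasons = [f"{f['severity']} {f['rule']} at {f['location']}"
               for f in relevant if SEVERITY_RANK[f["severity"]] >= floor]
    for sev, cap in policy.max_open.items():
        count = sum(1 for f in relevant if f["severity"] == sev)
        if count > cap:
            reasons.append(f"{count} open {sev} findings exceed cap of {cap}")
    return bool(reasons), reasons


def evaluate_report(report: str) -> dict:
    """Group one-JSON-object-per-line findings by application and apply each policy."""
    by_app = {}
    for line in report.splitlines():
        f = json.loads(line)
        by_app.setdefault(f["app"], []).append(f)
    return {app: evaluate(fs, policy_for(app)) for app, fs in by_app.items()}


# Constructed sample report in the shape an agent's CI integration might emit.
SAMPLE_REPORT = """\
{"app": "web-store", "rule": "hql-injection", "severity": "high", "status": "open", "location": "OrderDao.search"}
{"app": "web-store", "rule": "cache-controls-missing", "severity": "low", "status": "open", "location": "HomeController"}
{"app": "payments-api", "rule": "untrusted-deserialization", "severity": "critical", "status": "fixed", "location": "RecordReader.read"}
{"app": "payments-api", "rule": "reflected-xss", "severity": "low", "status": "open", "location": "Receipt.render"}
"""

if __name__ == "__main__":
    for app, (broken, why) in evaluate_report(SAMPLE_REPORT).items():
        print(app, "FAIL" if broken else "PASS", why)
```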
IAST works the same in CI/CD
IAST works with all types of testing… even production
Vulnerabilities anywhere
Security coverage with JaCoCo
Today's MISSION…
1. Add Security to Development ✓ (Security, Speed, Scale)
2. Lock Down Open Source Libraries ✓ (Inventory, Assess, Protect)
3. Enable Automatic Security Testing ✓ (Continuous, Integrated, Feedback)
4. Prevent Exploits in Operations
DevSecOps Goals: OPS
Visibility:
• Who is attacking? What attack vectors?
• What applications and vulnerabilities are they targeting?
Protect:
• Must not overblock (FP) or underblock (FN)
• No tailoring or "learn mode"
Control:
• Change rules centrally, enforce from within apps
• Automatic updates
RASP protects from within
Who is attacking? What techniques are they using? Which apps and APIs are they targeting?
RASP is accurate
Untrusted deserialization: the application expects to receive this object:
Name: Smith, James
Record ID: 123456
Owner: Finance
Instead, the attacker ("Bad Guy") sends a malicious object:
AcmeInternalType#cmd: java.lang.Runtime
AcmeInternalType#mtd: getRuntime().exec
AcmeInternalType#args: 'cmd.exe', '/C', 'calc'
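An added example, not from the deck or Contrast's agent: the same "only the expected type gets through" check, shown here as a Python pickle analogue of the Java case above. The loader allowlists the one record type the application expects and refuses any other class reference before it is constructed. `Record`, `ExpectedTypeUnpickler` and both sample payloads are constructed for this illustration.

```python
import io
import os
import pickle
from dataclasses import dataclass


@dataclass
class Record:
    """The only type the application expects on this channel (constructed example)."""
    name: str
    record_id: int
    owner: str


# Allowlist of (module, qualified name) pairs the loader may resolve.
# Anything else, including a reference to an exec primitive, is refused
# before any object is built.
ALLOWED_GLOBALS = {(cls.__module__, cls.__qualname__) for cls in (Record,)}


class ExpectedTypeUnpickler(pickle.Unpickler):
    """Resolves class references only when they are on the allowlist."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(
                f"refusing to deserialize unexpected global {module}.{name}")
        return super().find_class(module, name)


def load_record(data: bytes) -> Record:
    """Deserialize data and insist that the root object is a Record."""
    obj = ExpectedTypeUnpickler(io.BytesIO(data)).load()
    if not isinstance(obj, Record):
        raise pickle.UnpicklingError(f"expected Record, got {type(obj).__name__}")
    return obj


def classify(data: bytes) -> str:
    """Return 'accepted' for the expected object, 'blocked' for anything else."""
    try:
        load_record(data)
        return "accepted"
    except pickle.UnpicklingError:
        return "blocked"


# Constructed sample inputs: the record the application expects, and a serialized
# reference to an exec primitive (only referenced here, never invoked).
EXPECTED_PAYLOAD = pickle.dumps(Record("Smith, James", 123456, "Finance"))
UNEXPECTED_PAYLOAD = pickle.dumps(os.system)

if __name__ == "__main__":
    print(classify(EXPECTED_PAYLOAD), classify(UNEXPECTED_PAYLOAD))
```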
RASP is fast
Contrast Protect: +50 µs; SSL: +5 ms; 100x faster than SSL
RASP deploys automatically with your application
• Ansible
• Puppet
• Docker
• Kubernetes
• Whatever…
Is your SOC blind to AppSec?
You can start today!
1. Add Security to Development ✓ (Security, Speed, Scale)
2. Lock Down Open Source Libraries ✓ (Inventory, Assess, Protect)
3. Enable Automatic Security Testing ✓ (Continuous, Integrated, Feedback)
4. Prevent Exploits in Operations ✓ (Visibility, Protect, Control)
Scanners and firewalls don't scale
Traditional AppSec program:
• Experts
• Expert tools
• Application portfolio
• Assurance
• Coverage
• Process fit
• Awful results
• $$$$
IAST/RASP – fully distributed approach
AppSec EU Early Access
http://contrastsecurity.com/ce
Contrast Community Edition – FREE. Contrast CE provides full-featured IAST and RASP for Java applications and APIs.
Finally, you can replace your SAST, DAST, SCA and WAF with something better…
Just some of the Contrast CE integrations…
Jumpstarting Your DevSecOps Pipeline with IAST and RASP
Ask me anything
Jeff Williams @planetlevel
THANK YOU!