jumpstarting your devsecops pipeline with iast and rasp
TRANSCRIPT
Jumpstarting Your DevSECOpsPipeline with IAST and RASP
Jeff Williams – @planetlevelCTO and Co-FOUNDER – Contrast Security
The Average application is extremelyvulnerable
71% unused Libraries
26.7 Vulnerabilities
2 Vulnerabilities
8% USED Libraries
21% Custom Code
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 3
You areUnder
AttacK
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 4
What is DevSecOps?
https://itrevolution.com/the-three-ways-principles-underpinning-devops/
1.Establish work flow
2.Ensure instant feedback
3.Culture of experimentation
1.Establish security work flow
2.Ensure instant security feedback
3.Build a security culture
DEVOPS DEVSECOPS
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 5
Keys to Security automationAccurate
REAL TIME
Continuous
Reliable
Any inaccuracy requires experts. And there aren’t enough experts
The best window to fix a vulnerability is within seconds after introducing it
The days of gigantic security PDF reports are hopefully long behind us.
Application protection in production has to be safe and testable
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 6
DEVSECOPS Enabling technologies
nFinds vulnerabilities
nHighly accurately
nFrom inside the application
nAcross custom code and libraries
n In real time
nWithout scanning
IASTInteractive application security testing
nPrevents vulnerabilities from being exploited
nHighly accurately
nFrom inside the application
nAcross custom code and libraries
n In real time
nWithout “learn mode”
RASPRUNTIME APPLICATION SELF-PROTECtion
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 7
How IAST and RASP WOrk
Your Application or API
ExploitPrevented
VulnerabilityConfirmed
✘IAST• Detects vulnerabilities in both
custom code and libraries during normal use
RASP• Prevents vulnerabilities from
being exploited in both custom code and libraries
Runtime ApplicationSelf- Protection
ConfigSensors
CodeSensors
Control Flow Sensors
HTTPSensors
BackendSensors
Data Flow Sensors
LibrarySensors AGENT
Interactive ApplicationSecurity Testing
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 8
Turning Devops into DevSECOPS
Development CI/CD/QA Operations
IAST/RASP IAST/RASP IAST/RASP
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 9
1. Add Security to Development
Today’s MISSION…
2. Lock Down Open Source libraries
3. Enable automatic Security Testing
4. Prevent exploitsin Operation
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 10
GET an iast/RASP agent
1. Download 2. install
https://www.contrastsecurity.com/ce
3. Enjoy
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 11
Using IAST from within Maven
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 12
HQL injection
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 13
Automaticvulnerability
detection
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 14
IDE Chatops Browser
How do you want your security?
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 15
1. Add Security to Development
Today’s MISSION…
2. Lock Down Open Source libraries
3. Enable automatic Security Testing
4. Prevent exploitsin Operation
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 16Actual attack on CVE-2017 -5638
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 17
How fast can you respond?March 7CVE-2017 -5638 Disclosed, Apache releases fixed version
March 8We observe widespread attacks
Mid-MayEquifax breach occurs
July 29Equifax learns of breach
Sept 7Equifax discloses, Four more Struts2 CVEs disclosed
No updates
You must have the infrastructure in place to respond within hours.
DisasterNo detection
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 18
PRODDEV CI/CD
APIs Containers
PrivateCloud
APIs ContainersPrivate
Public Cloud
1. continuously Inventory all oSS
2. Automatically detect vulnerabilities in OSS
ASSESS OSSwith IAST
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 19
PROTECT WITH RASP1. Prevent known OSS
vulnerabilities from being exploited
2. Defend applications from attacks on unknown OSS vulnerabilities
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 20
1. Add Security to Development
Today’s MISSION…
2. Lock Down Open Source libraries
3. Enable automatic Security Testing
4. Prevent exploitsin Operation
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 21
IAST works the same in CI/CD
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 22
IAST works with all types of
testing…
…even production
Vulnerabilities
Anywhere
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | @planetlevel 23
Security Coverage
with JACOCO
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 24
1. Add Security to Development
Today’s MISSION…
2. Lock Down Open Source libraries
3. Enable automatic Security Testing
4. Prevent exploitsin Operation
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 25
Getting started with RASP
1. Download 2. install
https://www.contrastsecurity.com/ce
3. Enjoy
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 26
Web application firewalls both overblock and underblock
Application
Untrusted deserialization Name:Smith, James
Record ID:123456
Owner:Finance
Application expects to receive this
object
Bad Guy
AcmeInternalType#cmd:java.lang.Runtime
AcmeInternalType#mtd:getRuntime().exec
AcmeInternalType#args:‘cmd.exe’,’/C’,’calc’
AcmeInternalType#cmd:java.lang.Runtime
AcmeInternalType#mtd:getRuntime().exec
AcmeInternalType#args:‘cmd.exe’,’/C’,’calc’
Attacker sends malicious object
27
RASP protects from within
Who is attacking?What techniques are they using?
Which apps and aPIs are they targeting?
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 28
RASP Deploys automatically
with your application
• Ansible• Puppet• Docker• Kubernetes• Whatever…
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 29
RASP IS FAST
+50 µs 100x faster than SSLContrastProtect
SSL +5 ms
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 30
Is your soc blindto appsec?
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 31
1. Add Security to Development
You can start today!
2. Lock Down Open Source libraries
3. Enable automatic Security Testing
4. Prevent exploitsin Operation
IAST and RASP are a platform for “security as code”
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 32
Velocity Early Access
Get started for free at:http://contrastsecurity.com/ce
Contrast Community Edition (FREE)Contrast CE provides full-featured IAST and RASP for Java applications and APIs.
Finally, you can replace your SAST, DAST,
and WAF with something better…For free.
Contrast CE works with…
Ask me anything
Jumpstarting Your DevSecOps Pipeline with IAST and RASP
Jeff Williams @planetlevel
THANK YOU!
34
IAST and RASP•Find vulnerabilities
•Secure open source
•Prevent exploits
OrdinaryInsecure
Application
AGENT Self-Protecting Application
IAST and RASP use an instrumentation agent to
empower apps with security capabilities at runtime without
changing existing code…
“…works like AppDynamics for security”
35
Struts 2Dependencies
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com36
Dozens of CVEs every week
“Possible” ?!!
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | @planetlevel 37