jumpstarting your devsecops pipeline with iast and rasp

Jumpstarting Your DevSECOpsPipeline with IAST and RASP

Jeff Williams – @planetlevelCTO and Co-FOUNDER – Contrast Security

The Average application is extremelyvulnerable

71% unused Libraries

26.7 Vulnerabilities

2 Vulnerabilities

8% USED Libraries

21% Custom Code

Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 3

You areUnder

AttacK


What is DevSecOps?

https://itrevolution.com/the-three-ways-principles-underpinning-devops/

1.Establish work flow

2.Ensure instant feedback

3.Culture of experimentation

1.Establish security work flow

2.Ensure instant security feedback

3.Build a security culture

DEVOPS DEVSECOPS


Keys to Security automationAccurate

REAL TIME

Continuous

Reliable

Any inaccuracy requires experts. And there aren’t enough experts

The best window to fix a vulnerability is within seconds after introducing it

The days of gigantic security PDF reports are hopefully long behind us.

Application protection in production has to be safe and testable


DEVSECOPS Enabling technologies

nFinds vulnerabilities

nHighly accurately

nFrom inside the application

nAcross custom code and libraries

n In real time

nWithout scanning

IASTInteractive application security testing

nPrevents vulnerabilities from being exploited

nHighly accurately

nFrom inside the application

nAcross custom code and libraries

n In real time

nWithout “learn mode”

RASPRUNTIME APPLICATION SELF-PROTECtion


How IAST and RASP WOrk

Your Application or API

ExploitPrevented

VulnerabilityConfirmed

✘IAST• Detects vulnerabilities in both

custom code and libraries during normal use

RASP• Prevents vulnerabilities from

being exploited in both custom code and libraries

Runtime ApplicationSelf- Protection

ConfigSensors

CodeSensors

Control Flow Sensors

HTTPSensors

BackendSensors

Data Flow Sensors

LibrarySensors AGENT

Interactive ApplicationSecurity Testing


Turning Devops into DevSECOPS

Development CI/CD/QA Operations

IAST/RASP IAST/RASP IAST/RASP


1. Add Security to Development

Today’s MISSION…

2. Lock Down Open Source libraries

3. Enable automatic Security Testing

4. Prevent exploitsin Operation


GET an iast/RASP agent

1. Download 2. install

https://www.contrastsecurity.com/ce

3. Enjoy



Using IAST from within Maven


HQL injection


Automaticvulnerability

detection


IDE Chatops Browser

How do you want your security?

Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 16Actual attack on CVE-2017 -5638


How fast can you respond?March 7CVE-2017 -5638 Disclosed, Apache releases fixed version

March 8We observe widespread attacks

Mid-MayEquifax breach occurs

July 29Equifax learns of breach

Sept 7Equifax discloses, Four more Struts2 CVEs disclosed

No updates

You must have the infrastructure in place to respond within hours.

DisasterNo detection


PRODDEV CI/CD

APIs Containers

PrivateCloud

APIs ContainersPrivate

Public Cloud

1. continuously Inventory all oSS

2. Automatically detect vulnerabilities in OSS

ASSESS OSSwith IAST


PROTECT WITH RASP1. Prevent known OSS

vulnerabilities from being exploited

2. Defend applications from attacks on unknown OSS vulnerabilities


IAST works the same in CI/CD


IAST works with all types of

testing…

…even production

Vulnerabilities

Anywhere

Jumpstarting Your DevSecOps Pipeline with IAST and RASP | @planetlevel 23

Security Coverage

with JACOCO


Getting started with RASP

1. Download 2. install


3. Enjoy



Web application firewalls both overblock and underblock

Application

Untrusted deserialization Name:Smith, James

Record ID:123456

Owner:Finance

Application expects to receive this

object

Bad Guy

AcmeInternalType#cmd:java.lang.Runtime

AcmeInternalType#mtd:getRuntime().exec

AcmeInternalType#args:‘cmd.exe’,’/C’,’calc’

AcmeInternalType#cmd:java.lang.Runtime

AcmeInternalType#mtd:getRuntime().exec

AcmeInternalType#args:‘cmd.exe’,’/C’,’calc’

Attacker sends malicious object

27

RASP protects from within

Who is attacking?What techniques are they using?

Which apps and aPIs are they targeting?

Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com


RASP Deploys automatically

with your application

• Ansible• Puppet• Docker• Kubernetes• Whatever…


RASP IS FAST

+50 µs 100x faster than SSLContrastProtect

SSL +5 ms


Is your soc blindto appsec?



You can start today!




IAST and RASP are a platform for “security as code”


Velocity Early Access

Get started for free at:http://contrastsecurity.com/ce

Contrast Community Edition (FREE)Contrast CE provides full-featured IAST and RASP for Java applications and APIs.

Finally, you can replace your SAST, DAST,

and WAF with something better…For free.

Contrast CE works with…

Ask me anything

Jumpstarting Your DevSecOps Pipeline with IAST and RASP

Jeff Williams @planetlevel

THANK YOU!

34

IAST and RASP•Find vulnerabilities

•Secure open source

•Prevent exploits

OrdinaryInsecure

Application

AGENT Self-Protecting Application

IAST and RASP use an instrumentation agent to

empower apps with security capabilities at runtime without

changing existing code…

“…works like AppDynamics for security”

35

Struts 2Dependencies

Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com36

Dozens of CVEs every week

“Possible” ?!!

Jumpstarting Your DevSecOps Pipeline with IAST and RASP | @planetlevel 37

jumpstarting your devsecops pipeline with iast and rasp

Documents