Jumpstarting Your DevSECOps Pipeline with IAST and RASP
Jeff Williams –@planetlevel CTO and Co-FOUNDER – Contrast Security
The average application is extremely vulnerable: 26.7 vulnerabilities.

Chart on the slide, composition of the average application:
- 21% custom code
- 8% used libraries
- 71% unused libraries
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com
https://itrevolution.com/the-three-ways-principles-underpinning-devops/
The Three Ways of DevOps:
1. Establish work flow
2. Ensure instant feedback
3. Culture of experimentation

Applied to security:
1. Establish security work flow
2. Ensure instant security feedback
3. Build a security culture
- Any inaccuracy requires experts. And there aren't enough experts.
- The best window to fix a vulnerability is within seconds after introducing it.
- The days of gigantic security PDF reports are hopefully long behind us.
- Application protection in production has to be safe and testable.
Interactive Application Security Testing (IAST)
- Finds vulnerabilities
- Highly accurately
- From inside the application
- Across custom code and libraries
- In real time
- Without scanning

Runtime Application Self-Protection (RASP)
- Prevents vulnerabilities from being exploited
- Highly accurately
- From inside the application
- Across custom code and libraries
- In real time
- Without "learn mode"
Architecture diagram: an AGENT inside "Your Application or API" with Config Sensors, Code Sensors, Control Flow Sensors, HTTP Sensors, Backend Sensors, Data Flow Sensors and Library Sensors. Interactive Application Security Testing reports "Vulnerability Confirmed" in custom code and libraries during normal use; Runtime Application Self-Protection reports "Exploit Prevented" for vulnerabilities being exploited in both custom code and libraries.
Pipeline diagram: IAST/RASP runs at each stage, Development, CI/CD/QA and Operations.
Section diagram: Development, Source libraries, Security Testing, in Operation.
https://www.contrastsecurity.com/ce
IDE, ChatOps, browser
Struts2 / Equifax timeline:
- March 7: CVE-2017-5638 disclosed, Apache releases fixed version
- March 8: We observe widespread attacks
- (No updates)
- Mid-May: Equifax breach
- (No detection)
- July 29: Equifax learns of breach
- Sept 7: Equifax discloses; four more Struts2 CVEs disclosed
- Disaster
Deployment diagram: DEV, CI/CD and PROD environments, running APIs and containers in a private cloud, and APIs and containers in a private or public cloud.
Vulnerabilities Anywhere
Untrusted deserialization

The application expects to receive this:
Name: Smith, James
Record ID: 123456
Owner: Finance

The attacker ("Bad Guy") sends a malicious object instead:
AcmeInternalType#cmd: java.lang.Runtime
AcmeInternalType#mtd: getRuntime().exec
AcmeInternalType#args: 'cmd.exe','/C','calc'
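One defensive control for the case above, added here as an example and not code from the deck or from Contrast: a Java ObjectInputStream subclass that resolves only the record type the endpoint expects, so a stream carrying any other class is rejected before its fields are read. SafeRecordReader, CustomerRecord and AllowlistInputStream are hypothetical names; the sample inputs are constructed.

```java
import java.io.*;
import java.util.Set;

// Added example (not the deck's code): only the expected record type may be
// resolved from the stream; any other class is rejected before it is read.
public class SafeRecordReader {
    // Hypothetical record type this endpoint expects (the slide's Name / Record ID / Owner).
    public static final class CustomerRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name; final int recordId; final String owner;
        CustomerRecord(String name, int recordId, String owner) {
            this.name = name; this.recordId = recordId; this.owner = owner;
        }
    }
    // Allowlist of class names permitted in the stream. Strings and primitives are
    // encoded inline and never reach resolveClass, so only this entry is needed.
    private static final Set<String> ALLOWED = Set.of(CustomerRecord.class.getName());

    static final class AllowlistInputStream extends ObjectInputStream {
        AllowlistInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Reject before the class is loaded or any of its fields are populated.
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static CustomerRecord read(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistInputStream(new ByteArrayInputStream(bytes))) {
            return (CustomerRecord) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the record the application expects -> accepted.
        byte[] good = serialize(new CustomerRecord("Smith, James", 123456, "Finance"));
        System.out.println("accepted: " + read(good).name);
        // Constructed input: a stream carrying a type the endpoint never expects -> rejected.
        byte[] unexpected = serialize(new java.util.ArrayList<String>());
        try { read(unexpected); } catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

On Java 9 and later, java.io.ObjectInputFilter (JEP 290) provides the same allowlisting without subclassing ObjectInputStream.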
Who is attacking? What techniques are they using? Which apps and APIs are they targeting?
Contrast CE provides full-featured IAST and RASP for Java applications and APIs. Finally, you can replace your SAST, DAST, and WAF with something better… For free. Contrast CE works with…
Ask me anything
Diagram: Ordinary Insecure Application + AGENT = Self-Protecting Application.

IAST and RASP use an instrumentation agent to empower apps with security capabilities at runtime without changing existing code...

"...works like AppDynamics for security"