THE THREE WAYS OF SECURITY – Jeff Williams, Co-founder and CTO, Contrast Security (PowerPoint presentation)



SLIDE 1

THE THREE WAYS OF SECURITY

Jeff Williams, Co-founder and CTO, Contrast Security

SLIDE 2

1. TODAY’S “AVERAGE” APPLICATION IS A SECURITY DISASTER

SLIDE 3

2. SOFTWARE IS LEAVING SECURITY IN THE DUST

Chart: software vs. security, 2000–2020 timeline; security tooling marked as SAST, DAST, WAF

  • Typical enterprise has hundreds or thousands of applications
  • Applications are by far the leading cause of breaches (Verizon DBIR)

SLIDE 4

3. SOFTWARE SUPPLY CHAIN SECURITY IS TOTALLY BROKEN

Timeline (Jan–Oct):

  • March 7: CVE-2017-5638 disclosed; Apache releases fixed version
  • March 8: We observed widespread attack probes
  • Mid-May: Equifax breach occurs
  • July 29: Equifax learns of breach
  • Sept 7: Equifax discloses; four more Struts2 CVEs disclosed

Chart labels: Equifax unaware / Equifax ignores / Prepared / Protected / Livin’ la vida loca / Disaster

SLIDE 5

DIAGNOSIS: GOALS UNCLEAR, TIME WASTED

What we are delivering (across the application/API portfolio):
  • “I ran a scanner”

What we must deliver (across the application/API portfolio):
  • Right defenses in place
  • Defenses are effective
  • Attacks detected/blocked

SLIDE 6

DEV SEC OPS

PUPPY MONKEY BABY

SLIDE 7

SO WHAT IS DEVOPS?

https://itrevolution.com/the-three-ways-principles-underpinning-devops/

The “Three Ways”

  1. Establish work flow
  2. Ensure instant feedback
  3. Culture of experimentation

SLIDE 8

  • Small batch sizes
  • Tight feedback loops
  • Swarm on problems
  • Optimize for downstream consumers
  • Produce awesome software

SLIDE 9

QUESTION: CAN DEVOPS HELP SECURITY?

Software:
  • Problem: software is poor quality, late, slow, and doesn’t provide business value.
  • Approach: DevOps
  • Outcomes:
    • 5x lower change failure rate
    • 96x faster service MTTR
    • 2x as likely to exceed business goals

Security:
  • Problem: security is poor quality, late, slow, and doesn’t provide business value.
  • Possible Approach: DevOps
  • Required Outcomes:
    • 10x increase in portfolio coverage?
    • 80% reduction in vulns to prod?
    • 0x increase in time to market?

SLIDE 10

DEV SEC OPS != SHOVING LEGACY SECURITY TOOLS AND PROCESSES INTO SEC

Diagram labels: Static Analysis, Dynamic Scanning, WAF, Pen Testing

SLIDE 11

The “Three Ways” of Security*

  • 1. Establish security work flow
    • Build a concrete security story over time
    • Enable development to build security
    • Rip, mix, and burn security work
  • 2. Ensure instant security feedback
    • Enable self-inventory
    • Get real application threat intelligence
    • Create security notification infrastructure
  • 3. Build a security culture
    • Migrate to “positive” security
    • Accelerate evolution of your security story
    • Promote “security in sunshine”

* Shamelessly adapted from The Phoenix Project, by Gene Kim

SLIDE 12

The First Security Way: Establish Security Work Flow

Optimize delivery of security work that is valued by the business

SLIDE 13

UMM…. WHAT IS SECURITY “WORK”?

  1. Business Security Projects: building defenses, compliance, reporting, etc.
  2. Internal Security Work: threat modeling, security architecture, security research, vulnerability assessment, tools
  3. Operational Security Jobs: remediation, updates, analytics, alerts, tickets, etc.
  4. Unplanned Security Tasks: security “firefighting,” response, recovery, public relations, etc.

SLIDE 14

FIRST WAY – BUILD A CONCRETE SECURITY STORY OVER TIME

Your security story maps threat model → defense strategy → defenses → assurance*

Making security concrete:
  • Enables communication
  • Aligns your team
  • Exposes gaps and priorities
  • Creates line-of-sight

* Shamelessly lifted from the Rugged Software Project

SLIDE 15

FIRST WAY – ENABLE DEVELOPMENT TO BUILD SECURITY

  • Leverage existing DevOps processes and tools
  • Refactor monolithic security tasks into small batch sizes
  • Deliver security one little piece at a time

SLIDE 16

FIRST WAY – WORK ON BIGGEST THREATS, ONE AT A TIME

Add a single risk to threat model
  • Create JIRA ticket: Prevent XXE

Create defense strategy
  • Update JIRA ticket
  • Standardize parser config
  • Log & block attacks

Implement defense
  • XML library
  • Update training

Establish continuous assessment
  • Research typical failures
  • Build custom test cases
  • Enable IAST XXE rule

Establish attack protection
  • Enable RASP XXE rule

Monitor DEV and OPS
  • Vulns go to JIRA with Slack alert
  • Attacks go to Splunk and VictorOps

XXE Updated Security Story

Do you really need security experts for all these tasks?
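The "standardize parser config", "log & block attacks" and "build custom test cases" steps of the XXE story above, worked through in Python as an added example; this is not code from the slides or from Contrast Security. It assumes only the standard-library xml.sax expat reader: external entities are switched off, any DOCTYPE is rejected outright (a positive rule: entities can only be declared there), and rejected documents are written to BLOCK_LOG, which stands in for the Splunk/VictorOps feed on the slide. The three test documents are constructed for the example; the XXE-shaped one is rejected at the DOCTYPE before any entity could be resolved, so the URL inside it never matters.

```python
import io
import logging
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)

log = logging.getLogger("appsec.xxe")

# Audit trail of blocked documents (stand-in for the Splunk/VictorOps feed on the slide).
BLOCK_LOG = []


class XxeBlocked(ValueError):
    """A document declared a DOCTYPE, the only place XML entities can be defined."""


class _RejectDoctype:
    """Lexical handler for xml.sax's expat reader: refuses any DTD outright.
    The other callbacks exist only because the reader wires all of them up."""

    def startDTD(self, name, public_id, system_id):
        raise XxeBlocked(f"DOCTYPE {name!r} rejected (system id={system_id!r})")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


class _Collector(ContentHandler):
    """Records element names and text so callers can see what was parsed."""

    def __init__(self):
        super().__init__()
        self.elements = []
        self.chunks = []

    def startElement(self, name, attrs):
        self.elements.append(name)

    def characters(self, content):
        self.chunks.append(content)


def parse_untrusted_xml(data: bytes, source: str = "unknown") -> dict:
    """Standardised parser config: external entities off, DTDs rejected, blocks logged."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)   # never fetch external general entities
    parser.setFeature(feature_external_pes, False)   # never fetch external parameter entities
    parser.setProperty(property_lexical_handler, _RejectDoctype())
    collector = _Collector()
    parser.setContentHandler(collector)
    try:
        parser.parse(io.BytesIO(data))
    except XxeBlocked as exc:
        BLOCK_LOG.append({"source": source, "reason": str(exc)})
        log.warning("blocked XXE-shaped document from %s: %s", source, exc)
        return {"blocked": True, "reason": str(exc), "elements": [], "text": ""}
    return {"blocked": False, "reason": None,
            "elements": collector.elements, "text": "".join(collector.chunks)}


# Constructed test documents: a benign order, the classic XXE shape, and a bare DOCTYPE.
BENIGN = b'<?xml version="1.0"?><order><id>42</id><note>hello</note></order>'
XXE_SHAPED = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///dev/null">]>'
              b'<order><id>&ext;</id></order>')
EMPTY_DOCTYPE = b'<!DOCTYPE order><order/>'

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for label, doc in (("benign", BENIGN), ("xxe", XXE_SHAPED), ("doctype", EMPTY_DOCTYPE)):
        print(label, parse_untrusted_xml(doc, source=f"test:{label}"))
```

The DOCTYPE rejection is deliberately blunt: it is the positive rule the slide's "standardize parser config" step asks for, so any feed that legitimately needs a DTD has to go through a separately reviewed path rather than a relaxed default. The feature flags and the lexical handler are specific to xml.sax's expat reader; other XML libraries have their own switches, and the custom test cases are what catch a library swap that silently re-enables entity resolution.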

SLIDE 17

The Second Security Way: Ensure Instant Security Feedback

Establish tight security feedback loops across the lifecycle

SLIDE 18

SECOND WAY – ENABLE SELF-INVENTORY

  • You need to know the exact version of every app, API, and library running on every server in every environment
  • Not hard to fully automate self-inventory

Diagram: Automatic Application Inventory spanning DEV and OPS (internal APIs, containers, private and public cloud)

SLIDE 19

SECOND WAY – GET REAL APPLICATION THREAT INTELLIGENCE

Establish the infrastructure to…
  • Know who is attacking you
  • Know what techniques they’re using
  • Know what they’re targeting
  • … and protect within hours

Equifax Attack
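The self-inventory of the previous slide and the "protect within hours" goal of this one meet in one query: when a fix ships, which deployments are still running the old library? An added Python example, not from the slides or from Contrast Security, that shows that query over a constructed inventory. The deployment records, the library name example-xml-lib and the fixed version 1.4.7 are all made up for the example; local_python_inventory uses the real importlib.metadata API to show what an automated self-inventory of one host's Python libraries looks like.

```python
import importlib.metadata
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Deployment:
    """One library version observed in one running app on one host."""
    app: str
    environment: str
    host: str
    library: str
    version: str


_NUMBERS = re.compile(r"\d+")


def version_key(version: str) -> tuple:
    """Compare dotted numeric versions ('1.4.2' < '1.4.7'). Simplification: non-numeric
    qualifiers such as '-rc1' are ignored, so pre-release tags need separate handling."""
    return tuple(int(n) for n in _NUMBERS.findall(version))


def exposed_deployments(inventory, library, fixed_version):
    """Every deployment running `library` older than `fixed_version`, ordered for triage."""
    hits = [d for d in inventory
            if d.library == library and version_key(d.version) < version_key(fixed_version)]
    return sorted(hits, key=lambda d: (d.environment, d.app, d.host))


def exposure_by_environment(exposed) -> dict:
    """Count of exposed deployments per environment, the first number an incident lead asks for."""
    return dict(Counter(d.environment for d in exposed))


def local_python_inventory(app="local-app", environment="dev", host="localhost"):
    """Self-inventory of the Python distributions visible to this interpreter (real importlib.metadata API)."""
    return [Deployment(app, environment, host, dist.metadata["Name"], dist.version)
            for dist in importlib.metadata.distributions()]


# Constructed inventory: a hypothetical library 'example-xml-lib' across two environments.
INVENTORY = [
    Deployment("billing", "prod", "web-01", "example-xml-lib", "1.4.2"),
    Deployment("billing", "prod", "web-02", "example-xml-lib", "1.4.2"),
    Deployment("billing", "dev", "dev-01", "example-xml-lib", "1.4.2"),
    Deployment("portal", "prod", "web-03", "example-xml-lib", "1.4.7"),
    Deployment("portal", "dev", "dev-02", "example-xml-lib", "1.5.0"),
    Deployment("portal", "prod", "web-03", "other-lib", "0.9"),
]

if __name__ == "__main__":
    # Scenario (constructed): the fix ships as 1.4.7; which deployments must be patched?
    hits = exposed_deployments(INVENTORY, "example-xml-lib", "1.4.7")
    for d in hits:
        print(f"{d.environment:5} {d.app:8} {d.host:7} {d.library} {d.version}")
    print(exposure_by_environment(hits))
    print(f"{len(local_python_inventory())} Python distributions installed locally")
```

The value of the query is entirely in the inventory feeding it: if hosts or environments are missing from INVENTORY, the answer is confidently wrong, which is why the slide insists on every app, API and library on every server in every environment.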

SLIDE 20

SECOND WAY – ESTABLISH A REALTIME APPSEC CONTROL PLANE

Diagram: APIs, containers, private and public cloud across PROD, DEV and TEST

SLIDE 21

The Third Security Way: Build Security Culture

A culture that constantly advances security with the threat through experimentation and learning

SLIDE 22

THIRD WAY – MIGRATE TO “POSITIVE” SECURITY

  • From: testing for all the ways you might introduce XSS
  • To: testing to verify your XSS defense
  • Measure positive security directly from your running application
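What "testing to verify your XSS defense" looks like in code, as an added Python example that is not from the slides or from Contrast Security. Instead of a list of attack strings, the check states the property an HTML text node must have after encoding (no markup-significant characters, every ampersand starting one of the entities the encoder emits) and runs it over ordinary inputs. The comment template, the sample inputs and the deliberately incomplete render_comment_weak are constructed for the example; the weak encoder is there so the check can be seen measuring the defense rather than a payload list. The same property check can be pointed at responses captured from a running application, which is the slide's last bullet.

```python
import html
import re

PREFIX, SUFFIX = '<p class="comment">', "</p>"


def render_comment(user_text: str) -> str:
    """The defense under test: user text becomes an HTML text node via output encoding."""
    return f"{PREFIX}{html.escape(user_text, quote=True)}{SUFFIX}"


def render_comment_weak(user_text: str) -> str:
    """An incomplete encoder (only < and > handled), kept so the check can be seen failing it."""
    return f"{PREFIX}{user_text.replace('<', '&lt;').replace('>', '&gt;')}{SUFFIX}"


# The five entities html.escape emits; any other use of '&' in a text node fails the check.
_EMITTED_ENTITY = re.compile(r"&(?:amp|lt|gt|quot|#x27);")


def text_node_is_inert(fragment: str) -> bool:
    """Positive property: no markup-significant characters, and every '&' starts a known entity."""
    if any(ch in fragment for ch in "<>\"'"):
        return False
    return fragment.count("&") == len(_EMITTED_ENTITY.findall(fragment))


def comment_text(rendered: str) -> str:
    """Pull the text node back out of the rendered element (the rest of the template is fixed)."""
    if not (rendered.startswith(PREFIX) and rendered.endswith(SUFFIX)):
        raise ValueError("unexpected template shape")
    return rendered[len(PREFIX):len(rendered) - len(SUFFIX)]


def verify_defense(renderer, samples) -> dict:
    """Map each sample input to whether the renderer's output satisfies the property."""
    return {s: text_node_is_inert(comment_text(renderer(s))) for s in samples}


# Constructed inputs: ordinary text plus every character class the encoder must handle.
SAMPLES = [
    "plain text",
    "5 < 6 & 7 > 4",
    'quotes "double" and \'single\'',
    "<b>markup</b>",
    "already &amp; encoded",
    "unicode é and emoji 🔒",
    "",
]

if __name__ == "__main__":
    for name, renderer in (("html.escape", render_comment), ("weak", render_comment_weak)):
        results = verify_defense(renderer, SAMPLES)
        failed = [s for s, ok in results.items() if not ok]
        print(f"{name}: {len(SAMPLES) - len(failed)}/{len(SAMPLES)} inputs satisfy the property; failed={failed!r}")
```

The property is specific to the HTML text-node context; attribute values, URLs and script blocks each need their own encoder and their own property, which is exactly the kind of gap the negative approach (enumerating payloads) tends to miss.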

SLIDE 23

THIRD WAY – ACCELERATE THE EVOLUTION OF YOUR SECURITY STORY

  • Celebrate new big risks without recrimination
  • Focus on strength and simplicity
  • The faster you cycle, the faster you get secure

SLIDE 24

THIRD WAY – PROMOTE SECURITY IN SUNSHINE

AppSec Visibility Cycle (diagram)

Roles: Audit, Developers, Infosec, Legal, Architects, Users, Research, Business

Activities: Monitor Threat, Create Security Story, Define Security Defenses, Implement Security Defenses, Share Intelligence, Understand Laws, Verify Compliance, Understand Stakeholders

We Trust / We Blame / We Hide

SLIDE 25

TRUST

SLIDE 26

“Don’t hate the playa, hate the game”
  – Ice T

BLAME

SLIDE 27

The first rule of security is… …you do not talk about security.

HIDE

SLIDE 28

The “Three Ways” of Security*

* Shamelessly adapted from The Phoenix Project, by Gene Kim

  • 1. Establish security work flow
    • Build a concrete security story over time
    • Enable development to build security
    • Rip, mix, and burn security work
  • 2. Ensure instant security feedback
    • Enable self-inventory
    • Get real application threat intelligence
    • Create security notification infrastructure
  • 3. Build security culture
    • Migrate to “positive” security
    • Accelerate evolution of your security story
    • Promote “security in sunshine”

SLIDE 29

CLOSING THOUGHTS – TURNING SECURITY INTO CODE

  • Don’t focus on how to build software securely…
  • Make software security into something you build!

SLIDE 30

Ask me anything. @planetlevel contrastsecurity.com
