ways
play

WAYS OF SECURITY Jeff Williams Co-founder and CTO Contrast - PowerPoint PPT Presentation

Jul 22, 2023 •31 likes •331 views

THE THREE WAYS OF SECURITY Jeff Williams Co-founder and CTO Contrast Security 1. TODAYS AVERAGE APPLICATION IS A SECURITY DISASTER 2. SOFTWARE IS LEAVING SECURITY IN THE DUST Typical enterprise has hundreds or thousands of

  1. THE THREE WAYS OF SECURITY Jeff Williams Co-founder and CTO Contrast Security

  2. 1. TODAY’S “AVERAGE” APPLICATION IS A SECURITY DISASTER

  3. 2. SOFTWARE IS LEAVING SECURITY IN THE DUST • Typical enterprise has hundreds or thousands of SOFTWARE applications 2020 2000 2010 • Applications are by far the WAF leading cause of SECURITY SAST DAST breaches (Verizon DBIR)

  4. 3. SOFTWARE SUPPLY CHAIN SECURITY IS TOTALLY BROKEN March 7 Mid-May July 29 Sept 7 CVE-2017-5638 Equifax Equifax Equifax discloses, Disclosed, Apache breach learns of Four more Struts2 releases fixed version occurs breach CVEs disclosed Equifax unaware Livin ’ la vida loca Equifax ignores Disaster Jan Feb Mar Apr May Jun Jul Aug Sept Oct Prepared Protected March 8 We observed widespread attack probes

  5. DIAGNOSIS: GOALS UNCLEAR, TIME WASTED What we must deliver: What we are delivering: Application/API portfolio Application/API portfolio  Right defenses in place  “I ran a scanner”  Defenses are effective  Attacks detected/blocked

  6. PUPPY MONKEY BABY DEV SEC OPS

  7. SO WHAT IS DEVOPS? The “Three Ways” 1. Establish work flow 2. Ensure instant feedback 3. Culture of experimentation https://itrevolution.com/the-three-ways-principles-underpinning-devops/

  8. Small batch sizes Tight feedback loops Swarm on problems Produce awesome Optimize for software downstream consumers

  9. QUESTION: CAN DEVOPS HELP SECURITY? • Problem : software is poor • Problem : security is poor quality, quality, late, slow, and doesn’t late, slow, and doesn’t provide provide business value. business value. • Approach : DevOps • Possible Approach : DevOps • Outcomes : • Required Outcomes : • 5x lower change failure rate • 10x increase in portfolio coverage? • 96x faster MTTR service • 80% reduction in vulns to prod? • 2x likely to exceed bus. goal • 0x increase in time to market?

  10. SEC DEV OPS != Static Pen Analysis Testing SHOVING LEGACY Dynamic WAF Scanning SECURIT Y TOOLS AND PROCES SES INTO

  11. 1. Establish security work flow • Build a concrete security story over time • Enable development to build security • Rip, mix, and burn security work The 2. Ensure instant security feedback • Enable self-inventory “Three Ways” • Get real application threat intelligence • Create security notification infrastructure of Security* 3. Build a security culture • Migrate to “positive” security • Accelerate evolution of your security story • Promote “security in sunshine” * Shamelessly adapted from The Phoenix Project, by Gene Kim

  12. Establish Security Work Flow The First Optimize delivery of security Security Way work that is valued by the business

  13. UMM …. WHAT IS SECURITY “WORK”? 1 2 3 4 Business Internal Operational Unplanned Security Security Security Security Projects Work Jobs Tasks Building defenses, compliance, Threat modeling, security Remediation, updates, Security “firefighting,” reporting, etc … architecture, security research, analytics, alerts, tickets, response, recovery, public vulnerability assessment, tools etc … relations, etc …

  14. FIRST WAY – BUILD A CONCRETE SECURITY STORY OVER Your security story maps TIME threat model ➡︐ defense strategy ➡︐ defenses ➡︐ assurance Making security concrete: • Enables communication • Aligns your team • Expose gaps and priorities • Creates line-of-sight * Shamelessly lifted from the Rugged Software Project

  15. FIRST WAY – ENABLE DEVELOPMENT TO BUILD SECURITY Deliver security one little piece at Refactor a time monolithic security tasks into small batch sizes. Leverage existing DevOps processes and tools

  16. FIRST WAY – WORK ON BIGGEST THREATS, ONE AT A TIME Add a single risk to Establish attack Implement defense threat model protection • Create JIRA ticket: • XML library • Enable RASP XXE rule Prevent XXE • Update training Create defense Establish continuous XXE Monitor DEV and OPS strategy assessment Updated • Update JIRA Ticket • Research typical • Vulns go to JIRA with Security failures Slack alert • Standardize parser config • Build custom test • Attacks go to Splunk Story cases and VictorOps • Log & block attacks • Enable IAST XXE rule Do you really need security experts for all these tasks?

  17. Ensure Instant Security Feedback The Second Security Way Establish tight security feedback loops across the lifecycle

  18. SECOND WAY – DEV ENABLE SELF-INVENTORY • You need to know Internal OPS the exact version of every app, api, and Public Cloud library running on every server in every environments Private APIs Containers • Not hard to fully Automatic Application automate self- Inventory inventory

  19. SECOND WAY – GET REAL APPLICATION THREAT INTELLIGENCE Establish the infrastructure to … • Know who is attacking you • Know what techniques they’re using • Know what they’re targeting • … and protect within hours Equifax Attack

  20. SECOND WAY – ESTABLISH A REALTIME APPSEC CONTROL PLANE DEV TEST PROD Public Cloud Public Cloud Private APIs Containers Private APIs Containers APIs

  21. Build Security Culture The Third A culture that constantly Security Way advances security with the threat through experimentation and learning

  22. THIRD WAY – MIGRATE TO “POSITIVE” SECURITY Measure positive security directly from your running application Testing for all the ways you Testing to verify might introduce XSS your XSS defense

  23. THIRD WAY – ACCELERATE THE EVOLUTION OF YOUR SECURITY STORY Celebrate new big The faster you risks without cycle, the faster recrimination you get secure Focus on strength and simplicity

  24. THIRD WAY – PROMOTE SECURITY IN SUNSHINE Architects Create Define Research Developers Security Security Story Defenses Monitor Implement We Security Threat Defenses Trust AppSec Infosec Users Visibility Cycle Understand Share Intelligence Stakeholders We We Hide Blame Business Understand Verify Audit Laws Compliance Legal

  25. TRUST

  26. BLAME “Don’t hate the playa Hate the game” -- Ice T

  27. The first rule of security is … HIDE …You do not talk about security

  28. 1. Establish security work flow • Build a concrete security story over time • Enable development to build security • Rip, mix, and burn security work The 2. Ensure instant security feedback • Enable self-inventory “Three Ways” • Get real application threat intelligence • Create security notification infrastructure of Security* 3. Build security culture • Migrate to “positive” security • Accelerate evolution of your security story • Promote “security in sunshine” * Shamelessly adapted from The Phoenix Project, by Gene Kim

  29. CLOSING THOUGHTS – TURNING SECURITY INTO CODE • Don’t focus on how to build software securely … • Make software security into something you build!

  30. Ask me anything. @planetlevel contrastsecurity.com LEADER Software Development Solution

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Five ways not to fool yourself Tim Harris 23-Jun-18 Five ways not to fool yourself A

Five ways not to fool yourself Tim Harris 23-Jun-18 Five ways not to fool yourself A

Five ways not to fool yourself Tim Harris 23-Jun-18 Five ways not to fool yourself A pragmatic implementation of non-blocking linked lists, Tim Harris, DISC 2001 Five ways not to fool yourself 1. Measure as you go Starting and stopping

585 views • 25 slides
Isaiah 55:8-9 8. For My thoughts are not your thoughts, neither are your ways My ways, declares

Isaiah 55:8-9 8. For My thoughts are not your thoughts, neither are your ways My ways, declares

Isaiah 55:8-9 8. For My thoughts are not your thoughts, neither are your ways My ways, declares the LORD. 9. For as the heavens are higher than the earth, so are My ways higher than your ways and My thoughts than your thoughts. Trusting God

444 views • 18 slides
Narrative as a systems leadership practice Ways of perceiving Ways of

Narrative as a systems leadership practice Ways of perceiving Ways of

Narrative as a systems leadership practice Ways of perceiving Ways of feeling Balcony & dancefloor Personal core values The unseen & unpredicted Commitment

1.04k views • 67 slides
United Ways 2 -1-1 United Way Association of South Carolina United Ways 2 -1-1 Explanation

United Ways 2 -1-1 United Way Association of South Carolina United Ways 2 -1-1 Explanation

Visit SC211.org or Download the App Now United Ways 2 -1-1 United Way Association of South Carolina United Ways 2 -1-1 Explanation of 2-1-1 Services 01/23/2019 Community Resources Food, Housing & Utilities Child Care &

266 views • 23 slides
NEW WAYS a research program to identify, treat and support individuals with common mental

NEW WAYS a research program to identify, treat and support individuals with common mental

NEW WAYS SOCIAL MEDICINE AND EPIDEMIOLOGY THE SAHLGRENSKA ACADEMY NEW WAYS a research program to identify, treat and support individuals with common mental disorders to remain in work NEW WAYS JULY 2017 NEW WAYS SOCIAL MEDICINE AND

1.06k views • 54 slides
And even give understanding what key - activities such as RIIM ChuSanRen/ChuSanRen behavior

And even give understanding what key - activities such as RIIM ChuSanRen/ChuSanRen behavior

Session Overview Ways we do vs. the ways you do How Ideas of Kaizen are different from This session will offer an introduction to the various the Western ways of improvement aspects of KAIZEN or Problem Solving(PS), focusing on

174 views • 6 slides
5 Ways to Motivate Adult Learners 1. Create a Need 2. Create and Maintain Interest

5 Ways to Motivate Adult Learners 1. Create a Need 2. Create and Maintain Interest

Workshop Agenda Welcome to the workshop Division of large group into small groups based on teaching experience Table Introduction (Who are you? What do you do?) 5 ways to stay motivated as teachers 5 ways that squelch learners

341 views • 9 slides
Wild Ways Well By Ryan Bryce Introduction Wild Ways Well is a project which was introduced to us

Wild Ways Well By Ryan Bryce Introduction Wild Ways Well is a project which was introduced to us

Wild Ways Well By Ryan Bryce Introduction Wild Ways Well is a project which was introduced to us by Paul and Rebecca. The project focusses on helping us : Connect with the Environment, Be Active, Take Notice, Keep Learning and Give Back. One

307 views • 6 slides
Turing Machine properties There are many ways to skin a cat Turing Machines And many ways

Turing Machine properties There are many ways to skin a cat Turing Machines And many ways

Turing Machine properties There are many ways to skin a cat Turing Machines And many ways to define a TM The books Standard Turing Machines Tape unbounded on both sides Deterministic (at most 1 move / configuration) TM

173 views • 5 slides
Proverbs 3 17 Her [wisdom] ways are pleasant ways, and all her paths are peace. 18 She is a tree of

Proverbs 3 17 Her [wisdom] ways are pleasant ways, and all her paths are peace. 18 She is a tree of

Proverbs 3 17 Her [wisdom] ways are pleasant ways, and all her paths are peace. 18 She is a tree of life to those who take hold of her; those who hold her fast will be blessed. 19 By wisdom the Lord laid the earths foundations, by understanding

571 views • 34 slides
ays of Seeing Ways of Seeing ohn Berger John Berger Ways of Seeing W ohn Berger John Berger

ays of Seeing Ways of Seeing ohn Berger John Berger Ways of Seeing W ohn Berger John Berger

ays of Seeing Ways of Seeing ohn Berger John Berger Ways of Seeing W ohn Berger John Berger Lewis Denson MArch 2 ACS Presentation The relation between what we see and what we know is never settled - John Berger If a love of

179 views • 13 slides
Introduction - Variation Theory Conference Powerful ways of acting spring from powerful ways

Introduction - Variation Theory Conference Powerful ways of acting spring from powerful ways

Introduction - Variation Theory Conference Powerful ways of acting spring from powerful ways of seeing ( Marton et al., 2004, p. 5) 16 th February 2015 2-5pm Programme 1:15-2:00 Registration and lunch 2:00-2:30 Introductions

748 views • 35 slides
Molecular mechanisms of angiogenesis Three ways of formation of blood vessels Three ways of

Molecular mechanisms of angiogenesis Three ways of formation of blood vessels Three ways of

Molecular mechanisms of angiogenesis Three ways of formation of blood vessels Three ways of formation of blood vessels Vasculogenesis bFGF capillaries are formed from vascular progenitor cells VEGF angioblast capillary Angiogenesis

732 views • 70 slides
Welcome! Phishing And Ways To Combat It Phishing and ways to combat it Lance Bailey Systems

Welcome! Phishing And Ways To Combat It Phishing and ways to combat it Lance Bailey Systems

Conference 2018 Conference 2018 Welcome! Phishing And Ways To Combat It Phishing and ways to combat it Lance Bailey Systems Coordinator Genome Sciences Centre Don Devenney Information Technology Analyst Royal Roads University 2

222 views • 21 slides
Disclaimer This presentation is based on how I have used the product. There are several ways to

Disclaimer This presentation is based on how I have used the product. There are several ways to

Disclaimer This presentation is based on how I have used the product. There are several ways to use this new feature. What you are about to see is my experience. YMMV KHCV There are two ways to use Wires-X One way is to use it to link

578 views • 34 slides
Youve done all the hard work, now a couple of ways in which you can get the best out of

Youve done all the hard work, now a couple of ways in which you can get the best out of

Youve done all the hard work, now a couple of ways in which you can get the best out of yourself and your audience! Practjse what youre going to say. There are lots of ways you can do this stand in front of the

305 views • 4 slides
Outlines Examples of CTMCs 2 Examples of CTMCs Example: The following CTMC have been

Outlines Examples of CTMCs 2 Examples of CTMCs Example: The following CTMC have been

Markov Chains (3) Outlines Examples of CTMCs 2 Examples of CTMCs Example: The following CTMC have been solved in the class and 1,2 ( ) t transient state probabilities have been computed. i 1 2 (0)

287 views • 14 slides
Telecom Work Group Meeting 2018-11-20 Public Rule 502.17 Voice Communications Section 502.17

Telecom Work Group Meeting 2018-11-20 Public Rule 502.17 Voice Communications Section 502.17

Telecom Work Group Meeting 2018-11-20 Public Rule 502.17 Voice Communications Section 502.17 of the ISO rules, Voice Communications was created to combine the voice requirements outlined in Section 502.4 of the ISO rules, ADAMS and Voice

97 views • 6 slides
4 3 2 1 MTTF MTTF MTTF MTTF MTTF 1 1 1 1 1 MTTR MTTR MTTR MTTR MTTR We can use

4 3 2 1 MTTF MTTF MTTF MTTF MTTF 1 1 1 1 1 MTTR MTTR MTTR MTTR MTTR We can use

A Web Site receives 25 requests per seconds. A load balancer equally distributes incoming requests to 5 equal servers. The CPU service demand of a request is 20 msec, and the disk service demand is 50 msec. Assume that inter-arrival times of

321 views • 4 slides
GSP Development Status Finalizing future water budget/forecast with agencies Adding

GSP Development Status Finalizing future water budget/forecast with agencies Adding

GSP Development Status Finalizing future water budget/forecast with agencies Adding projects for mitigation from agencies Awaiting projects from a few agencies Some revision of wells in Monitoring Network Coordinating Water Level

389 views • 14 slides
PERFORMANCE METRICS Mahdi Nazm Bojnordi Assistant Professor School of Computing University of

PERFORMANCE METRICS Mahdi Nazm Bojnordi Assistant Professor School of Computing University of

PERFORMANCE METRICS Mahdi Nazm Bojnordi Assistant Professor School of Computing University of Utah CS/ECE 6810: Computer Architecture Overview Announcement Jan. 17 th : Homework 1 release (due on Jan. 30 th ) This lecture

727 views • 37 slides
Requirements Analysis Week 11 INFM 603 Different Perspectives on Design Thanks to Satish Mishra

Requirements Analysis Week 11 INFM 603 Different Perspectives on Design Thanks to Satish Mishra

Requirements Analysis Week 11 INFM 603 Different Perspectives on Design Thanks to Satish Mishra The System Life Cycle Systems analysis How do we know what kind of system to build? User-centered design How do we discern and

443 views • 31 slides
Dev and Ops Cooperation at & JAOO 2010 Production? On Call? Outage? 5 Billion photos

Dev and Ops Cooperation at & JAOO 2010 Production? On Call? Outage? 5 Billion photos

Dev and Ops Cooperation at & JAOO 2010 Production? On Call? Outage? 5 Billion photos ~10 PB of disk 10 datacenters for photos 2 datacenters for site and API traffic 28TB of MySQL data on 62 shards, ~140,000 qps over 5.7

893 views • 40 slides
CI/CD FOR THE ENTERPRISE: TEACHING AN OLD DOG NEW TRICKS Open Infrastructure Summit 2019 Patrick

CI/CD FOR THE ENTERPRISE: TEACHING AN OLD DOG NEW TRICKS Open Infrastructure Summit 2019 Patrick

CI/CD FOR THE ENTERPRISE: TEACHING AN OLD DOG NEW TRICKS Open Infrastructure Summit 2019 Patrick Easters Sr. Software Applications Engineer May 1, 2019 THE PIPE DREAM CONTINUOUS CONTINUOUS INTEGRATION DELIVERY AUTOMATICALLY BUILD TEST

520 views • 26 slides

More recommend