Abstract: SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way. Bio: A pioneer in application security, Jeff Williams is the founder and CTO of Contrast Security, a revolutionary application security product. Contrast is an application agent that enables software to both report vulnerabilities and prevent attacks. Jeff has over 25 years of security experience, speaks frequently on cutting-edge application security, and has helped secure code at hundreds of major enterprises. Jeff served as the Global Chairman of the OWASP Foundation for eight years, where he created many open-source standards, tools, libraries, and guidelines - including the OWASP Top Ten.

1. Continuous Application Security
at Scale with IAST and RASP
Transforming DevOps into DevSecOps
Jeff Williams, CTO and founder
Contrast Security
@planetlevel
OWASP NOVA – July 2016

2. 2
A BRIEF HISTORY OF APPLICATION SECURITY AUTOMATION
DAST
(Dynamic
AppSecTesting)
WAF
(Web Application
Firewall)
SAST
(Static
AppSecTesting)
IDS/IPS
(Intrusion Detection/
Prevention System)
Development (find vulnerabilities) Operations (block attacks)
IAST
(Interactive
AppSecTesting)
RASP
(Runtime Application
Self-Protection)
UnifiedAgent
IAST and RASP
2002 2002
20142012
2015

4. WARNING: Security has
detected and blocked an
attempted attack.
This attack has been fully logged and
may be further investigated. If you
believe you have received this
message in error, please contact
security@company.com with the
details of the incident.
In 17 years of noisy
pentesting, I have
seen many stack
traces, many error
messages, and many
requests to “please
try again.”
I have never been
identified as an
attacker. Madness.

5. 5
APPSEC IS GETTING HARDER EVERY DAY!
Explosive growth
in libraries and
frameworks
Libraries
Microservices,
APIs, REST,
SOAP, single-
page apps
Services
Rapidly growing
use of cloud and
containers
Cloud
High speed
software
development
Agile
Legacy application security tools can’t handle the
speed, size, and complexity of modern software development

6. 6
OWASP
Benchmark
21,000 test
cases across a
range of true
and false
vulnerabilities
Free
Open
Reproducible
Sponsored by DHS
IAST-01
33%

7. 7
THE TRUE COST OF FALSE POSITIVES
Tool
App
400 PossibleVulnerabilities
In two days, we can triage
100 of 400 “possibles.”
(10% true positives)
We can confirm 10 of 40
real vulnerabilities.
Security Scanner PDF Report
We will miss 30 of 40
real vulnerabilities.

8. 8
WHAT’S YOUR ACTSOA?
ANNUAL COST TO SECURE ONE APPLICATION
Cost Factor Description Cost
License Cost Typical per-application annual license. This cost is $0 if relying on a manual pentest
and/or manual code review.
Analysis Actually assessing an application typically takes 2-4 weeks for a manual review, 1
for an automated scan.
Triage Experts must eliminate false positives from automated tool results. Plan on several
per assessment, zero for manual reviews.
Reporting Every vulnerability needs to get risk rated, written up, tracked, reported, and closed.
Dashboards need to be created. Figure one day per assessment.
Remediation Full cost to remediate and deploy fixes. Typical application has 22 vulnerabilities at
hours each at $100/hr totaling roughly $44,000.
$$$$
Retest The retest verifies that issues identified have been fixed appropriately. Typically the
retest costs about 25% of original assessment.
Management If running a scanning program, several headcount will be needed to manage the
schedule, contracts, and infrastructure required.
TOTAL ?

9. 9
ACCURACY, AUTOMATION, AND SCALABILITY
You can’t scale appsec without highly accurate tools
(both true positives and true negatives)
Because inaccuracies require experts…
…and experts don’t scale.

10. 10
TRADITIONAL VS. CONTINUOUS

11. 11
CONTINUOUS APPLICATION SECURITY
Development
and Operations
Push code to production with fully
automated security support
Application
Security
Security experts deliver security as code
Management
Management makes informed decisions with
detailed security analytics
New Code Production

12. 12
CONTINUOUS APPLICATION SECURITY
New Code Production
Development
and Operations
Standard
Defenses
Attack
Protection
Security
Integration
Application
Security
Security
Research
(Internal)
Threat
Intelligence
(External)
Security
Architecture
Management
Security
Orchestration
Security
Training

13. 4. The use of measuring instruments to monitor
and control a process. It is the art and science of
measurement and control of process variables
within a production, laboratory, or
manufacturing area.

14. Source instrumentation
Inject simple static method call

15. Binary
instrumentation
• Widely used
• CPU Performance
• Memory
• Logging
• Security
• …
• Lots of libraries
• ASM (Java)
• BCEL (Java)
• Javassist (Java)
• MBEL (.NET)
• RAIL (.NET)
• …

16. Dynamic binary instrumentation!
Runtime Environment
ClassClassClass
ClassClassClass
Agent
ClassClassClass
ClassClassClass
Binary code is enhanced as it
loads
ClassClassClass
ClassClassClassOriginal
Binary Code
Command and
Control Dashboard
Instrumented
Binary Code

17. 17
Runtime
INSTRUMENTATION IN ACTION
App Server
Frameworks
Libraries
Custom Code
Your application stack
Instrumentation
Agent
1
Add agent
-javaagent:appsec.jar
2
Agent instruments
running application
4
Dashboard provides
visibility and control
3
Agent blocks attacks
and finds vulnerabilities
Dashboard
Attacks and
vulnerabilities

18. 18
Security context assembled within agent
DETECTING AND BLOCKING BOTH ATTACKS AND VULNERABILITIES
Developer
Tester
User
Attacker
Controller Validation Session
Business
Logic
Data Layer
SQL
API Database
HTTP
Request
Validation
Tags
Data
Tracking
Data
Parsing
Escaping
Tags
Query
Vulnerability?
Attack?



Sensors woven into running application

19. 19
Software is a black box.
STOP TALKING ABOUT “STATIC” AND “DYNAMIC”
HTTP
Traffic
Code
Frameworks
Libraries
Runtime Data
Flow
Runtime
Control Flow
Backend
Connections
Configuration
Data
Server
Configuration
Etc…
Platform
Runtime
Software
Architecture
SAST
DAST
WAF
Instrumentation
Talk about what information you need to
confirm a vulnerability or an attack

20. 20
Instrumentation
speed and
accuracy
dominates SAST
and DAST
OWASP
Benchmark -
21,000 test
cases across a
range of
vulnerabilities
33%
100%
Sponsored by DHS
92%
IAST-01

21. RAS
P
RAS
P
RAS
P
WA
F
GET
/foo?name='%20or%20
%20'1'='1 HTTP/1.0
GET
/foo?name='%20or%20
%20'1'='1 HTTP/1.0
WAF
RASP
Three problems:
1) Bottleneck
2) No context
3) Impedance
RAS
P
stmt.execute(
"select * from table
where id ='1' or
'1'='1'" );
APPLICATION DECISION
POINT
PERIMETER DECISION
POINT

22. Instrumentation performance – same as code
WebGoat RASP Processing
Typical traffic 50 microseconds
Mixed traffic 170 microseconds
Heavy attack traffic 230 microseconds
• Number of applications doesn’t matter
• No bottleneck on either bandwidth or CPU
millionths of a second

23. Application Platform
Instrumentation adds a security assessment
and protection API to every application
Physical Host or VM
Container OS
Container Runtime
3rd Party Frameworks
3rd Party Libraries
Apps and APIs
Examples…
• Report all use of DES/MD5
• Turn off XML doctype
• Set X-Frame-Options
• Report SQL injection vulns
• Log all failed authentications
• Block Spring EL attacks
• Report vulnerable libraries
• Deploy virtual patches
• Block apps with old jQuery
Your standard application stack(s)
RAS
P

24. Instrumented
application
portfolio
AppSec
Control Plane
User Planepartners
users
employees
devices
hackers
bots
organized
crimeinsiders
operations
information
security
application
security
developmentcompliance Visibility
• Attacks
• Vulnerabilities
• Enhanced logging
• Application profiles
• Libraries and frameworks
• Software architecture
Control
• Attack protection policy
• Secure coding policy
• Library policy
• Crypto policy
• Connection policy
• Configuration policy
CONTAINERS

25. THANK YOU
Jeff Williams
jeff.williams@contrastsecurity.com
@planetlevel
http://contrastsecurity.com
“Leader”
“Visionary”
“Innovator”