Abstract: SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way.
Bio: A pioneer in application security, Jeff Williams is the founder and CTO of Contrast Security, a revolutionary application security product. Contrast is an application agent that enables software to both report vulnerabilities and prevent attacks. Jeff has over 25 years of security experience, speaks frequently on cutting-edge application security, and has helped secure code at hundreds of major enterprises. Jeff served as the Global Chairman of the OWASP Foundation for eight years, where he created many open-source standards, tools, libraries, and guidelines - including the OWASP Top Ten.
Continuous Application Security at Scale with IAST and RASP -- Transforming DevOps into DevSecOps
1. Continuous Application Security
at Scale with IAST and RASP
Transforming DevOps into DevSecOps
Jeff Williams, CTO and founder
Contrast Security
@planetlevel
OWASP NOVA – July 2016
2. 2
A BRIEF HISTORY OF APPLICATION SECURITY AUTOMATION
Development (find vulnerabilities)
DAST (Dynamic AppSec Testing)
SAST (Static AppSec Testing)
IAST (Interactive AppSec Testing)
Operations (block attacks)
WAF (Web Application Firewall)
IDS/IPS (Intrusion Detection/Prevention System)
RASP (Runtime Application Self-Protection)
Unified Agent: IAST and RASP
Timeline labels: 2002, 2002, 2014, 2012, 2015
3.
4. WARNING: Security has detected and blocked an attempted attack.
This attack has been fully logged and may be further investigated. If you believe you have received this message in error, please contact security@company.com with the details of the incident.
In 17 years of noisy pentesting, I have seen many stack traces, many error messages, and many requests to “please try again.”
I have never been identified as an attacker. Madness.
5. 5
APPSEC IS GETTING HARDER EVERY DAY!
Libraries: explosive growth in libraries and frameworks
Services: microservices, APIs, REST, SOAP, single-page apps
Cloud: rapidly growing use of cloud and containers
Agile: high-speed software development
Legacy application security tools can’t handle the speed, size, and complexity of modern software development
7. 7
THE TRUE COST OF FALSE POSITIVES
Tool scans App, producing a Security Scanner PDF Report with 400 Possible Vulnerabilities
In two days, we can triage 100 of 400 “possibles.” (10% true positives)
We can confirm 10 of 40 real vulnerabilities.
We will miss 30 of 40 real vulnerabilities.
8. 8
WHAT’S YOUR ACTSOA?
ANNUAL COST TO SECURE ONE APPLICATION
Cost Factor | Description | Cost
License Cost | Typical per-application annual license. This cost is $0 if relying on a manual pentest and/or manual code review. |
Analysis | Actually assessing an application typically takes 2-4 weeks for a manual review, 1 for an automated scan. |
Triage | Experts must eliminate false positives from automated tool results. Plan on several per assessment, zero for manual reviews. |
Reporting | Every vulnerability needs to get risk rated, written up, tracked, reported, and closed. Dashboards need to be created. Figure one day per assessment. |
Remediation | Full cost to remediate and deploy fixes. Typical application has 22 vulnerabilities at hours each at $100/hr totaling roughly $44,000. | $$$$
Retest | The retest verifies that issues identified have been fixed appropriately. Typically the retest costs about 25% of original assessment. |
Management | If running a scanning program, several headcount will be needed to manage the schedule, contracts, and infrastructure required. |
TOTAL | | ?
9. 9
ACCURACY, AUTOMATION, AND SCALABILITY
You can’t scale appsec without highly accurate tools
(both true positives and true negatives)
Because inaccuracies require experts…
…and experts don’t scale.
11. 11
CONTINUOUS APPLICATION SECURITY
New Code → Production
Development and Operations: push code to production with fully automated security support
Application Security: security experts deliver security as code
Management: management makes informed decisions with detailed security analytics
12. 12
CONTINUOUS APPLICATION SECURITY
New Code → Production
Development and Operations: Standard Defenses, Attack Protection, Security Integration
Application Security: Security Research (Internal), Threat Intelligence (External), Security Architecture
Management: Security Orchestration, Security Training
13. 4. The use of measuring instruments to monitor and control a process. It is the art and science of measurement and control of process variables within a production, laboratory, or manufacturing area.
16. Dynamic binary instrumentation!
Runtime Environment: the Agent sits between the Original Binary Code and the Instrumented Binary Code (diagram of class blocks)
Binary code is enhanced as it loads
Command and Control Dashboard
17. 17
INSTRUMENTATION IN ACTION
Your application stack: App Server, Frameworks, Libraries, Custom Code, Runtime
Instrumentation Agent
1. Add agent: -javaagent:appsec.jar
2. Agent instruments running application
3. Agent blocks attacks and finds vulnerabilities
4. Dashboard provides visibility and control
Dashboard: attacks and vulnerabilities
18. 18
DETECTING AND BLOCKING BOTH ATTACKS AND VULNERABILITIES
Security context assembled within agent
Actors: Developer, Tester, User, Attacker
Request path: HTTP Request → Controller → Validation → Session → Business Logic → Data Layer → SQL API → Database
Sensors woven into running application: Validation Tags, Data Tracking, Data Parsing, Escaping Tags, Query
Vulnerability? Attack?
19. 19
STOP TALKING ABOUT “STATIC” AND “DYNAMIC”
Software is a black box.
Information sources: HTTP Traffic, Code, Frameworks, Libraries, Runtime Data Flow, Runtime Control Flow, Backend Connections, Configuration Data, Server Configuration, Etc…
Layers: Platform, Runtime, Software Architecture
Tools: SAST, DAST, WAF, Instrumentation
Talk about what information you need to confirm a vulnerability or an attack
22. Instrumentation performance – same as code
WebGoat RASP Processing (microseconds = millionths of a second)
Typical traffic: 50 microseconds
Mixed traffic: 170 microseconds
Heavy attack traffic: 230 microseconds
• Number of applications doesn’t matter
• No bottleneck on either bandwidth or CPU
23. Application Platform
Instrumentation adds a security assessment and protection API to every application
Your standard application stack(s): Physical Host or VM, Container OS, Container Runtime, 3rd Party Frameworks, 3rd Party Libraries, Apps and APIs
RASP
Examples…
• Report all use of DES/MD5
• Turn off XML doctype
• Set X-Frame-Options
• Report SQL injection vulns
• Log all failed authentications
• Block Spring EL attacks
• Report vulnerable libraries
• Deploy virtual patches
• Block apps with old jQuery
In the early 2000’s people started using static and dynamic scanners to find vulnerabilities
In operations at that time, they started using WAF and IDS/IPS to block attacks.
And it stayed that way for the last 65 million years….
Until 2014 when people started using software instrumentation agents.
In development, we call this IAST
In production, we call this RASP
As I’ll show you next, these agents have huge advantages over scanners and firewalls.
The Golden Age of Pentest, SAST, DAST
If I send a request that NO LEGITIMATE USER could possibly have ever generated, why am I not instantly banned?
Why do I get error messages that say “PLEASE TRY AGAIN”
This is crazy – it’s actually not that hard to detect a real attack. It’s obvious when you look at them.
Blocking attacks is probably the simplest way to get the BIGGEST amount of security protection.
SERVICES - Move to APIs for web, mobile, B2B
LIBRARIES-Supply chain
CLOUD - Application mobility -need flexibility
AGILE- Rapid deployment
There’s a better way…
And it looks like this…
RASP is basically just SELF-PROTECTION via SECURITY INSTRUMENTATION
Instrumentation is basically tapping into something complicated so you can monitor and control it.
This is the simplest kind of instrumentation – we do it directly in source code.
This is the MYSQL JDBC implementation
I added simple callbacks to the NONPARAMETERIZED MYSQL methods.
You can compile this and add it to your applications
This is a simple way to collect data about everywhere that an organization uses non-parameterized database calls.
Notice we’re turning application security inside out – data comes to you. You don’t have to go collect the data.
But the point is that this is incredibly safe.
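As an added illustration of the source-level sensor described in these notes (example code written for this page, not the driver callbacks from the talk and not Contrast's code): instead of editing the MySQL driver, it wraps a java.sql.Statement in a dynamic proxy so that every call handing a SQL string to the driver is reported together with the application call site that built it. Parameterized PreparedStatement use is untouched, so the report is exactly the inventory of string-built queries the notes talk about. The class and method names are assumptions, and the driver Statement is a constructed stand-in so the file runs without a database.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical source-level sensor (assumed names: NonParameterizedQuerySensor, QuerySighting,
 * instrument). Every execute/executeQuery/executeUpdate/addBatch call whose first argument is
 * SQL text is reported with its call site; the driver still does the real work afterwards.
 */
public class NonParameterizedQuerySensor {

    /** One sighting of a SQL string reaching the driver (record type constructed for this example). */
    public static final class QuerySighting {
        public final String method;
        public final String sql;
        public final String callSite;

        QuerySighting(String method, String sql, String callSite) {
            this.method = method;
            this.sql = sql;
            this.callSite = callSite;
        }
    }

    private static final List<QuerySighting> SIGHTINGS = new ArrayList<>();

    /** Snapshot of everything reported so far: the data comes to you instead of being collected. */
    public static synchronized List<QuerySighting> sightings() {
        return new ArrayList<>(SIGHTINGS);
    }

    /** Wraps a driver Statement so the SQL-string-taking methods report before delegating. */
    public static Statement instrument(Statement real) {
        InvocationHandler handler = (proxy, method, args) -> {
            if (takesSqlString(method, args)) {
                report(method.getName(), (String) args[0]);
            }
            try {
                return method.invoke(real, args);          // the real driver call
            } catch (InvocationTargetException e) {
                throw e.getCause();                        // surface the driver's SQLException unchanged
            }
        };
        return (Statement) Proxy.newProxyInstance(
                Statement.class.getClassLoader(), new Class<?>[] {Statement.class}, handler);
    }

    /** The non-parameterized entry points: overloads whose first argument is the SQL text. */
    static boolean takesSqlString(Method m, Object[] args) {
        String n = m.getName();
        boolean sqlTaking = n.equals("execute") || n.equals("executeQuery") || n.equals("executeUpdate")
                || n.equals("executeLargeUpdate") || n.equals("addBatch");
        return sqlTaking && args != null && args.length >= 1 && args[0] instanceof String;
    }

    private static synchronized void report(String method, String sql) {
        // The first frame outside the JDK, the proxy machinery and this sensor is the application call site.
        String site = "unknown";
        for (StackTraceElement f : Thread.currentThread().getStackTrace()) {
            String c = f.getClassName();
            if (c.startsWith("java.") || c.startsWith("jdk.") || c.startsWith("com.sun.")
                    || c.startsWith(NonParameterizedQuerySensor.class.getName())) {
                continue;
            }
            site = c + "." + f.getMethodName() + ":" + f.getLineNumber();
            break;
        }
        SIGHTINGS.add(new QuerySighting(method, sql, site));
        System.err.println("[appsec] non-parameterized " + method + " at " + site + ": " + sql);
    }

    /** Stand-in for a real driver Statement, constructed so the example runs without a database. */
    static Statement fakeDriverStatement() {
        return (Statement) Proxy.newProxyInstance(Statement.class.getClassLoader(),
                new Class<?>[] {Statement.class}, (p, m, a) -> {
                    Class<?> r = m.getReturnType();
                    if (r == boolean.class) return false;
                    if (r == int.class) return 0;
                    if (r == long.class) return 0L;
                    return null;                           // ResultSet, void, etc.
                });
    }

    public static void main(String[] args) throws SQLException {
        Statement st = instrument(fakeDriverStatement());
        UserDao.findUser(st, "42");                        // constructed request parameter; reported
        st.execute("SELECT 1");                            // reported (string-built SQL)
        st.close();                                        // not reported
        System.out.println(sightings().size() + " non-parameterized call(s) recorded");
    }
}

/** Application code under observation (constructed for the example). */
class UserDao {
    static void findUser(Statement st, String userId) throws SQLException {
        st.executeQuery("SELECT * FROM users WHERE id = '" + userId + "'");   // reported with this call site
    }
}
```

Run it with `java NonParameterizedQuerySensor.java` (Java 11 or later); the report names `UserDao.findUser` and its line number, which is the "where does this organization still build SQL from strings" data the notes describe, with no scanner and no separate collection step.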
And you do the same thing with binary instrumentation – modify the binaries on disk to contain security sensors.
This has the advantage of being a post-compilation step. It happens without the need for source code and complex build chains.
But it’s still just the same basic INSERTION OF STATIC CALLS.
Binary instrumentation is fast, safe and reliable
You’re already almost certainly using this type of instrumentation.
It’s used everywhere – frameworks, libraries, BCEL is even built into Java itself. It’s actually one of the reasons that static code analysis is so hopeless.
We can even take this one step farther and do the instrumentation as the code loads into memory.
This is supported in many frameworks – like the Java Instrumentation API, the .NET profiler, etc…
Every single bit of code gets instrumented – custom code, LIBRARIES, FRAMEWORKS, even DYNAMICALLY loaded code.
This makes it incredibly convenient – just make the agent part of your standard stack.
It’s easy – but that’s the one ask – you have to add this to your stack. But it’s SO WORTH IT
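An added example of the load-time hook the notes describe (not Contrast's agent; class and method names are assumptions): a javaagent whose premain registers a ClassFileTransformer through the Java Instrumentation API, so it observes every class as it loads, including libraries, frameworks and dynamically loaded code. Rather than rewriting bytecode, it records the JAR each class came from, which is the data the "Report vulnerable libraries" item on slide 23 needs. The known-bad list is a placeholder, not a real advisory feed.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.util.Map;
import java.util.TreeMap;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical load-time agent (assumed name: LibraryInventoryAgent). premain runs before the
 * application's main, and from then on transform() is invoked for every class the JVM loads,
 * whatever loader brings it in. This transformer returns null (bytes unchanged); a bytecode
 * rewriter such as ASM or BCEL would plug in at that point to weave sensors into the class.
 */
public class LibraryInventoryAgent implements ClassFileTransformer {

    /** code-source location (JAR path or directory) -> number of classes loaded from it */
    private static final Map<String, Integer> INVENTORY = new ConcurrentHashMap<>();

    /** PLACEHOLDER list of known-bad artifact file names; a real agent would take this from an advisory feed. */
    static final String[] KNOWN_BAD_JARS = { "vulnerable-lib-1.0.0.jar" };

    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new LibraryInventoryAgent());
        for (Class<?> c : inst.getAllLoadedClasses()) {     // classes loaded before premain ran
            record(c.getProtectionDomain());
        }
        Runtime.getRuntime().addShutdownHook(new Thread(LibraryInventoryAgent::printInventory));
    }

    @Override
    public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined,
                            ProtectionDomain protectionDomain, byte[] classfileBuffer) {
        record(protectionDomain);
        return null;          // null = leave the class bytes unchanged
    }

    /** Where the class came from: a JAR or directory URL, or the bootstrap loader. */
    static String locationOf(ProtectionDomain pd) {
        if (pd == null) return "<bootstrap>";
        CodeSource cs = pd.getCodeSource();
        if (cs == null || cs.getLocation() == null) return "<bootstrap>";
        return cs.getLocation().toString();
    }

    static void record(ProtectionDomain pd) {
        INVENTORY.merge(locationOf(pd), 1, Integer::sum);
    }

    /** True when the location ends with one of the placeholder known-bad file names. */
    static boolean isKnownBad(String location) {
        for (String bad : KNOWN_BAD_JARS) {
            if (location.endsWith("/" + bad)) return true;
        }
        return false;
    }

    static void printInventory() {
        System.err.println("[appsec] runtime library inventory:");
        for (Map.Entry<String, Integer> e : new TreeMap<>(INVENTORY).entrySet()) {
            String flag = isKnownBad(e.getKey()) ? "  <-- KNOWN VULNERABLE" : "";
            System.err.println("  " + e.getValue() + " classes from " + e.getKey() + flag);
        }
    }
}
```

Package it as a JAR whose manifest contains `Premain-Class: LibraryInventoryAgent` and start the application with `java -javaagent:inventory.jar -jar app.jar`; that one flag is the "add it to your stack" ask from the notes. Because the inventory is built from what actually loaded at runtime, it also catches code that a build-time dependency scan never sees, such as JARs dropped into a container image or classes loaded through a plugin mechanism.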
So now we have ALL the ingredients to hook up a RASP engine.
So let’s walk through how RASP works to block a real attack
Accuracy is EVERYTHING here. The reason almost all WAFs are in LOG MODE is that they’re not accurate.
When a request comes in, the RASP engine sees it.
If it stopped here, that’d be nothing more than a WAF.
REMEMBER – not all RASP is created equal.
The better the instrumentation… the better the results.
As you can see the RASP engine collects CONTEXT from every bit of the REQUEST.
It builds a complete story.
When the attack is finally formed – seeing that it is an attack and blocking it is EASY and OBVIOUS.
Let’s get this out of the way. Yes RASP can block attacks like a WAF. Better actually.
Bottom line is that:
RASP architecture and performance are way superior
RASP is accurate because it has INSANE amount of CONTEXT – sees the whole query and taint
RASP is way more accurate because it doesn’t have the impedance mismatch problem – there IS NO separate parser
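To make the "context" argument concrete for both slide 18 and the notes above, here is an added illustration (not Contrast's engine; all names are assumptions) of a classifier that has what a WAF lacks: the final SQL string and the exact slice of it that came from the request. Untrusted data still confined inside one literal means the query is unparameterized (a vulnerability to report); untrusted data that has become SQL tokens is an attack to block; a parameterized query carries no request data in its text at all. The requests are constructed.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Assumed names: SqlContextClassifier, TaintedQuery, Verdict. The tokenizer is deliberately
 * minimal (single-quoted literals, -- comments, words/numbers, single punctuation characters).
 */
public class SqlContextClassifier {

    enum Verdict { SAFE, VULNERABILITY, ATTACK }

    /** Final SQL text plus the half-open range [taintStart, taintEnd) that came from the request. */
    static final class TaintedQuery {
        final String sql;
        final int taintStart;
        final int taintEnd;

        TaintedQuery(String sql, int taintStart, int taintEnd) {
            this.sql = sql;
            this.taintStart = taintStart;
            this.taintEnd = taintEnd;
        }

        /** The vulnerable pattern: request data concatenated into SQL, with the taint range recorded as it happens. */
        static TaintedQuery concat(String prefix, String untrusted, String suffix) {
            return new TaintedQuery(prefix + untrusted + suffix,
                    prefix.length(), prefix.length() + untrusted.length());
        }

        /** A parameterized query carries no request data in its text, so the taint range is empty. */
        static TaintedQuery parameterized(String sqlWithPlaceholders) {
            return new TaintedQuery(sqlWithPlaceholders, 0, 0);
        }
    }

    /** Returns [start, end) of each token. */
    static List<int[]> tokenize(String sql) {
        List<int[]> tokens = new ArrayList<>();
        int i = 0, n = sql.length();
        while (i < n) {
            char c = sql.charAt(i);
            if (Character.isWhitespace(c)) { i++; continue; }
            int start = i;
            if (c == '\'') {                                              // string literal; '' is an escaped quote
                i++;
                while (i < n) {
                    if (sql.charAt(i) == '\'') {
                        if (i + 1 < n && sql.charAt(i + 1) == '\'') { i += 2; continue; }
                        i++;
                        break;
                    }
                    i++;
                }
            } else if (c == '-' && i + 1 < n && sql.charAt(i + 1) == '-') {   // comment to end of line
                while (i < n && sql.charAt(i) != '\n') i++;
            } else if (Character.isLetterOrDigit(c) || c == '_') {           // keyword, identifier or number
                while (i < n && (Character.isLetterOrDigit(sql.charAt(i)) || sql.charAt(i) == '_')) i++;
            } else {
                i++;                                                         // single punctuation character
            }
            tokens.add(new int[] {start, i});
        }
        return tokens;
    }

    static Verdict classify(TaintedQuery q) {
        if (q.taintStart >= q.taintEnd) return Verdict.SAFE;                // no request data in the SQL text
        List<int[]> touched = new ArrayList<>();
        for (int[] t : tokenize(q.sql)) {
            if (t[0] < q.taintEnd && t[1] > q.taintStart) touched.add(t);   // token overlaps the tainted range
        }
        if (touched.size() == 1) {
            int[] t = touched.get(0);
            char first = q.sql.charAt(t[0]);
            // Untrusted data strictly inside one quoted literal, or forming exactly one number, is still data.
            boolean insideStringLiteral = first == '\'' && t[0] < q.taintStart && t[1] > q.taintEnd
                    && q.sql.charAt(t[1] - 1) == '\'';
            boolean wholeNumber = t[0] == q.taintStart && t[1] == q.taintEnd
                    && q.sql.substring(t[0], t[1]).chars().allMatch(Character::isDigit);
            if (insideStringLiteral || wholeNumber) return Verdict.VULNERABILITY;
        }
        return Verdict.ATTACK;   // the request data changed the token structure of the query
    }

    public static void main(String[] args) {
        String prefix = "SELECT * FROM users WHERE id = '";
        // Constructed requests: a normal user, then the same code path fed an injection string.
        System.out.println(classify(TaintedQuery.concat(prefix, "42", "'")));
        System.out.println(classify(TaintedQuery.concat(prefix, "42' OR '1'='1", "'")));
        System.out.println(classify(TaintedQuery.concat("SELECT * FROM users WHERE id = ", "42", "")));
        System.out.println(classify(TaintedQuery.parameterized("SELECT * FROM users WHERE id = ?")));
    }
}
```

The four constructed requests classify as VULNERABILITY, ATTACK, VULNERABILITY and SAFE. Note what the decision rests on: not a signature match against the raw parameter, but whether the parameter ended up inside one literal or spilled into several tokens of the query the application actually built, which is why there is no separate parser to keep in sync with the database's grammar. A production engine would need the dialect's full tokenizer and would track the taint range through every concatenation, not just one.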
SOLVE application security problems in the APPLICATION layer. PERIOD
RASP is fantastic for performance.
* No extra hop
As you can see it’s 1/20th of a millisecond typically, and slightly more when it’s under attack
RASP ends up instrumenting in a lot of what the developer probably should have coded in in the first place
* As fast or FASTER than if you coded it yourself
Well, since RASP is just code -- no limit on the size of applications. 20 million lines of code.
We've been doing this since 2009 - extremely well proven.
RASP is FAR MORE than a WAF replacement. It’s like an API for security monitoring and control.
Why do you need such an API? Because your needs change. How will you respond to the next Deserialization Flaw?
With an API like this you can
* Quickly find out exactly what your applications are doing
* Add security defenses to your applications
* Block attempts to attack your applications
In fact, it’s nothing less than an ADAPTER that gives you total visibility and policy across your entire portfolio.
Tell some of the stories…
And now let’s think about appsec at devops speed and portfolio scale with RASP.
Imagine that you’ve added a RASP agent as part of your standard application stack
All the applications in your portfolio now have an APPSEC API and capabilities
Internal, external, dev, test, stage, prod, cloud, container, etc…..
Application security moves with the application
Network security has had a control plane forever – you can monitor and control all your devices, endpoints, firewalls, etc….
Application security is just the Wild West – no way to manage application security AT ALL.
How long would it take you to add logging for encryption failures to all your apps, or add a clickjacking header, etc....
We currently measure these projects in YEARS, but we need to respond to new attacks in MINUTES
Through RASP, you have complete control over application security across all of those applications in real time
You control what visibility you want
You control the policies