application security at devops speed and portfolio scale
DESCRIPTION
Published on Nov 26, 2013 AppSec at DevOps Speed and Portfolio Scale - Jeff Williams Watch this talk on YouTube: https://www.youtube.com/watch?v=cIvOth0fxmI Software development is moving much faster than application security with new platforms, languages, frameworks, paradigms, and methodologies like Agile and Devops. Unfortunately, software assurance hasn't kept up with the times. For the most part, our security techniques were built to work with the way software was built in 2002. Here are some of the technologies and practices that today's best software assurance techniques *can't* handle: JavaScript, Ajax, inversion of control, aspect-oriented programming, frameworks, libraries, SOAP, REST, web services, XML, JSON, raw sockets, HTML5, Agile, DevOps, WebSocket, Cloud, and more. All of these rest pretty much at the core of modern software development. Although we're making progress in application security, the gains are much slower than the stunning advances in software development. After 10 years of getting further behind every day, software *assurance* is now largely incompatible with modern software *development*. It's not just security tools -- application security processes are largely incompatible as well. And the result is that security has very little influence on the software trajectory at all. Unless the application security community figures out how to be a relevant part of software development, we will continue to lag behind and effect minimal change. In this talk, I will explore a radically different approach based on instrumenting an entire IT organization with passive sensors to collect realtime data that can be used to identify vulnerabilities, enhance security architecture, and (most importantly) enable application security to generate value.
The goal is unprecedented real-time visibility into application security across an organization's entire application portfolio, allowing all the stakeholders in security to collaborate and finally become proactive. Speaker Jeff Williams CEO, Aspect Security Jeff is a founder and CEO of Aspect Security and recently launched Contrast Security, a new approach to application security analysis. Jeff was an OWASP Founder and served as Global Chairman from 2004 to 2012, contributing many projects including the OWASP Top Ten, WebGoat, ESAPI, ASVS, and more. Jeff is passionate about making it possible for anyone to do their own continuous application security in real time.
TRANSCRIPT
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams, CEO
Aspect Security, Inc.
About Me
Application Security Is Healthcare
Sensors Are Revolutionizing Healthcare
Instrumenting the body means continuous realtime monitoring…
Not periodic checkups
Your phone will know you’re sick before you do!
Traditional Tools and Techniques Are Failing…
JavaScript, Ajax
SOAP/REST
Serialized Objects
RawSocket
Inversion of Control
Libraries and Frameworks
Aspect Oriented Programming
Agile
DevOps
Cloud, Mobile
AppSec Progress
Security
Software
Continuous AppSec
Starting Over
The right defenses for every application are…
Present
Correct
Used Properly
Defining “Portfolio Scale”
Defining “DevOps Speed”
Application security happens continuously
and in real time
Is my portfolio protected against clickjacking?
One Thing at a Time…
Gathering Intelligence
Controller
Presentation
Business Functions
Data Layer
Third Party Libraries
Application Server
Platform Runtime
Framework
Operating System
Security Intelligence Sources
HTTP Traffic
Backend Connections
Configuration Data
Libraries and Frameworks
Data Flow
Control Flow
Vulnerability Trace
Designing a Clickjacking Sensor
Experiment Style
Positive
Negative
Environment
Dev
CI
Test
QA
Staging
Security
Analysis Technique
Manual
SAST
DAST
IAST
Passive
Data Sources
Code
HTTP
Configuration
Choose based on:
• Speed
• Accuracy
• Feedback
• Scalability
• Ease of Use
• Cost
Data Flow
Control Flow
Libraries
Connections
Sampling
Prod
Intelligence
JUnit
Continuous ClickJacking Defense Verification
A new HTTP sensor to verify that the X-Frame-Options header is set to DENY or SAMEORIGIN on every web page
Dynamic, Interactive, JUnit, Manual, Static
DEV CI TEST QA STAG OPS SEC
Data Warehouse: Application Security Intelligence
Run Against Entire Portfolio
Application Name         Result  Grade
TBMarks                   88%    A
RPC                        0%    F
CaseyMotors                0%    F
Financials                72%    C
International Reporting    0%    F
…
“Financials” ClickJacking Defense – C (72%)
/home                DENY
/home/error.jsp      -
/home/index.jsp      DENY
/account             SAMEORIGIN
/account/report.jsp  -
…
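Here is what that header sensor looks like as code. This is an added example written for this page, not the sensor from the talk or any Aspect/Contrast product: it runs over a constructed dictionary of captured response headers (hypothetical application and path names) and grades each application by the share of pages that forbid cross-origin framing. It goes slightly beyond the slide in two ways a practitioner would want: it also accepts a Content-Security-Policy frame-ancestors directive, which current browsers honour in preference to X-Frame-Options, and it treats conflicting or obsolete X-Frame-Options values (several differing values, ALLOW-FROM) as unprotected, because browsers ignore them. The letter-grade cut-offs are an assumption; the slides show 88% as A and 72% as C but do not state the scale.

```python
"""Passive HTTP sensor: is every page in the portfolio frame-protected?

Checks each captured response for X-Frame-Options DENY/SAMEORIGIN and, as a
modern fallback, a Content-Security-Policy frame-ancestors directive.
"""
import re

# Grade cut-offs are an assumption for this example; the talk's slides show
# 88% -> A, 72% -> C, 0% -> F but do not state the scale.
GRADES = [(85, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]


def _header(headers, name):
    """Case-insensitive header lookup; returns every value carried under that name."""
    return [v for k, v in headers.items() if k.lower() == name.lower()]


def frame_protected(headers):
    """True if the response forbids cross-origin framing."""
    xfo = []
    for raw in _header(headers, "X-Frame-Options"):
        xfo.extend(v.strip().upper() for v in raw.split(",") if v.strip())
    # Browsers ignore X-Frame-Options when several non-identical values are present,
    # and ALLOW-FROM is obsolete, so only a single DENY or SAMEORIGIN counts.
    if len(set(xfo)) == 1 and xfo[0] in ("DENY", "SAMEORIGIN"):
        return True
    # CSP frame-ancestors supersedes X-Frame-Options in current browsers; any
    # source list other than a bare wildcard is a restriction.
    for csp in _header(headers, "Content-Security-Policy"):
        m = re.search(r"frame-ancestors\s+([^;]+)", csp, re.I)
        if m and m.group(1).strip() != "*":
            return True
    return False


def grade_application(pages):
    """pages: {path: headers}. Returns (percent_protected, grade, {path: 'OK' | '-'})."""
    detail = {}
    protected = 0
    for path, headers in pages.items():
        ok = frame_protected(headers)
        protected += ok
        detail[path] = "OK" if ok else "-"
    pct = round(100 * protected / len(pages)) if pages else 0
    grade = next(g for cutoff, g in GRADES if pct >= cutoff)
    return pct, grade, detail


def run_portfolio(portfolio):
    """portfolio: {app_name: {path: headers}} -> {app_name: (pct, grade)}."""
    return {app: grade_application(pages)[:2] for app, pages in portfolio.items()}


# Constructed sample: response headers captured from two hypothetical applications.
SAMPLE_PORTFOLIO = {
    "payroll": {
        "/home": {"X-Frame-Options": "DENY"},
        "/home/error.jsp": {"Content-Type": "text/html"},          # no protection at all
        "/home/index.jsp": {"x-frame-options": "deny"},            # header names/values are case-insensitive
        "/account": {"X-Frame-Options": "SAMEORIGIN"},
        "/account/report.jsp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    },
    "intranet": {
        "/": {"X-Frame-Options": "DENY, SAMEORIGIN"},              # conflicting values: ignored by browsers
        "/help": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},  # obsolete, unsupported
    },
}

if __name__ == "__main__":
    for app, (pct, grade) in run_portfolio(SAMPLE_PORTFOLIO).items():
        print(f"{app:10} {pct:3d}% {grade}")
```

To turn this into the passive sensor the talk describes, feed it headers captured from a proxy or from the CI test run instead of SAMPLE_PORTFOLIO; the grading and the per-page detail do not depend on how the responses were collected.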
[Portfolio dashboard grid: one tile per application, labelled by abbreviation]
Continuous AppSec Dashboard
• We transformed clickjacking verification to DevOps speed and portfolio scale!
One Small Step Towards Continuous AppSec
Before               After
Annual pentest       Continuous monitoring
Negative signatures  Positive verification
One app at a time    Portfolio wide
Okay, clickjacking. Big deal.
More Sensors…
I want a sensor to verify…
My business logic makes access control checks
My libraries are free from known vulnerabilities
My forms are not susceptible to CSRF attacks
My interpreters are protected against injection
My encryption is implemented correctly
My application has no unknown connections
And much more….
Source File                           Result (@PreAuthorize)
TestSBMBugtrackerController.java @PreAuthorize("hasAnyRole('ROLE_BUG_CREATE','ROLE_BUG_EDIT')")
UpdateSBMBugtrackerController.java @PreAuthorize("hasRole('ROLE_BUG_EDIT')")
SelectBugtrackerController.java @PreAuthorize("hasRole('ROLE_BUG_CREATE')")
CheckAppStatusController.java MISSING
ViewConsoleEventsController.java @PreAuthorize("hasRole('ROLE_CONSOLE_VIEW')")
DeleteEngineConfigController.java @PreAuthorize("hasRole('ROLE_ENGINE_PROFILES')")
DownloadEngineController.java @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')")
EngineConfigController.java @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')")
ErrorController.java MISSING
InboxController.java @PreAuthorize("isAuthenticated()")
InstallationWizardController.java @PreAuthorize("isAuthenticated()")
InviteAFriendController.java @PreAuthorize("isAuthenticated()")
LoginController.java MISSING
DeleteMessageController.java @PreAuthorize("isAuthenticated()")
GetSystemMessagesController.java @PreAuthorize("isAdmin()")
Access Control Intelligence Sensor
Control Flow
SAST
Intelligence
CI
Generated Access Control Matrix from Code
Columns (roles, as extracted): ROLE_APPLICATION_DELETE, ROLE_APPLICATION_GROUP, ROLE_APPLICATION_REET, ROLE_TRACES_DELETE, ROLE_TRACES_SENDMAIL, ROLE_TRACE_SEARCH, ROLE_ENGINE_DOWNLOAD, ROLE_ENGINE_PROFILES, ROLE_CONSOLE_VIEW, ROLE_BUGTRACKER_VIEW, ROLE_BUGTRACKER_CREATE, ROLE_BUGTRACKER_DELETE, ROLE_AUDIT_VIEW, ROLE_ENGINE_ACTIVITY, ROLE_LIBRARY_SEARCH
Rows (controllers): TracesGetBugtrackersController.java, TracesGetUsersController.java, TracesJIRAExportController.java, TracesMergeController.java, TracesSaveStatusController.java, TracesSearchController.java, TracesSendToBugtrackersController.java, TracesTreeController.java, TracesViewerController.java, TraceViewerWorkingNotificationController.java, ViewTracesController.java, UpdateAppConfigurationController.java, BannerController.java, BillingAccountActivityController.java, BillingApplyPaymentController.java, BillingAppsController.java, BillingExecuteOrderController.java
[Matrix cells (O = controller requires that role) are not recoverable from the slide extraction]
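A minimal version of this sensor, as an added example rather than code from the talk: it scans Java controller sources for a class-level Spring Security @PreAuthorize annotation, reports controllers without one as MISSING (with a hypothetical allow-list for pages that are legitimately public, such as login and error pages, which the slide lists as MISSING), and derives the role-to-controller matrix from the hasRole/hasAnyRole expressions. The controller names and sources are constructed for the example.

```python
"""SAST-style sensor: does every Spring MVC controller declare an access control rule?

Scans controller sources for Spring Security @PreAuthorize annotations, reports
controllers that have none, and derives a role-to-controller matrix from the
hasRole/hasAnyRole expressions.
"""
import re

PREAUTH = re.compile(r'@PreAuthorize\s*\(\s*"([^"]*)"\s*\)')
ROLE = re.compile(r"'(ROLE_[A-Z0-9_]+)'")

# Controllers that are legitimately public (login, error pages). Hypothetical
# allow-list for this example; review it, and do not let it grow silently.
PUBLIC_ALLOWLIST = {"LoginController.java", "ErrorController.java"}


def scan_controller(source):
    """Return the @PreAuthorize expression, or None if the class declares none."""
    m = PREAUTH.search(source)
    return m.group(1) if m else None


def access_control_report(sources):
    """sources: {filename: java_source} -> {filename: expression | 'MISSING' | 'PUBLIC'}."""
    report = {}
    for name, src in sources.items():
        expr = scan_controller(src)
        if expr is not None:
            report[name] = expr
        elif name in PUBLIC_ALLOWLIST:
            report[name] = "PUBLIC"
        else:
            report[name] = "MISSING"
    return report


def access_control_matrix(sources):
    """Roles required per controller, derived from the annotation expression.
    isAuthenticated() yields the pseudo-role AUTHENTICATED; an expression the
    sensor does not understand (custom SpEL such as isAdmin()) is flagged for review."""
    matrix = {}
    for name, src in sources.items():
        expr = scan_controller(src) or ""
        roles = set(ROLE.findall(expr))
        if "isAuthenticated()" in expr:
            roles.add("AUTHENTICATED")
        if expr and not roles:
            roles.add("REVIEW:" + expr)
        matrix[name] = roles
    return matrix


def roles_to_controllers(matrix):
    """Invert the matrix: which controllers does each role unlock?"""
    inverted = {}
    for ctrl, roles in matrix.items():
        for role in roles:
            inverted.setdefault(role, set()).add(ctrl)
    return inverted


# Constructed sample sources (not from any real project).
SAMPLE_SOURCES = {
    "UpdateBugController.java": '''
        @Controller
        @PreAuthorize("hasRole('ROLE_BUG_EDIT')")
        public class UpdateBugController { }''',
    "CreateBugController.java": '''
        @PreAuthorize("hasAnyRole('ROLE_BUG_CREATE','ROLE_BUG_EDIT')")
        public class CreateBugController { }''',
    "InboxController.java": '''
        @PreAuthorize("isAuthenticated()")
        public class InboxController { }''',
    "SystemMessagesController.java": '''
        @PreAuthorize("isAdmin()")
        public class SystemMessagesController { }''',
    "CheckAppStatusController.java": '''
        @Controller
        public class CheckAppStatusController { }''',
    "LoginController.java": '''
        @Controller
        public class LoginController { }''',
}

if __name__ == "__main__":
    for name, result in sorted(access_control_report(SAMPLE_SOURCES).items()):
        print(f"{name:32} {result}")
    for role, ctrls in sorted(roles_to_controllers(access_control_matrix(SAMPLE_SOURCES)).items()):
        print(f"{role:20} {', '.join(sorted(ctrls))}")
```

This is a presence check, not a correctness check: a method-level @PreAuthorize, an HTTP-level rule in the security configuration, or a custom SpEL expression such as isAdmin() each need their own handling, and the annotation has no effect at all unless pre/post annotations are enabled in the Spring Security configuration. That gap is exactly the difference between the "Defense Present?" and "Defense Correct?" columns later in the deck.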
Known Vulnerable Libraries Sensor
Libraries
SAST
Negative
CI
Run DependencyCheck during every build (and do a build once a month even if nothing changed)
• Run tests through ZAP
• ZEST to check CSRF Token
• Get results via ZAP REST API
CSRF Defense Sensor
HTTP
Passive
Positive
QA
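The ZAP/ZEST steps above run against live QA traffic; the same positive check can also be made passively over captured responses. The following is an added example, not the talk's sensor: it parses each HTML response, finds every form, and reports a POST form as MISSING when it has no hidden anti-CSRF field with a non-empty value. The token field names are assumptions (Spring Security's default parameter is _csrf; the others are common names in other frameworks), and the sample pages are constructed.

```python
"""Passive HTTP sensor (QA traffic): does every state-changing form carry a CSRF token?

Parses captured HTML responses, finds <form> elements, and checks that each
POST form contains a hidden anti-CSRF token field with a non-empty value.
"""
from html.parser import HTMLParser

# Spring Security's default parameter name is _csrf; the others are assumed
# names for frameworks this sensor might meet. Adjust to your stack.
TOKEN_FIELDS = {"_csrf", "csrf_token", "csrfmiddlewaretoken", "authenticity_token"}


class FormCollector(HTMLParser):
    """Collect forms and their input fields from one HTML document."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"name": a.get("name") or "",
                                            "type": (a.get("type") or "text").lower(),
                                            "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def csrf_token_present(form):
    """True if the form has a hidden token input with a non-empty value."""
    return any(i["type"] == "hidden" and i["name"] in TOKEN_FIELDS and i["value"].strip()
               for i in form["inputs"])


def check_page(html):
    """Return [(action, method, verdict)] for every form on the page.
    GET forms are reported as N/A: they should not change state, so a token
    there is not what this sensor measures."""
    parser = FormCollector()
    parser.feed(html)
    results = []
    for f in parser.forms:
        if f["method"] != "post":
            verdict = "N/A"
        else:
            verdict = "OK" if csrf_token_present(f) else "MISSING"
        results.append((f["action"], f["method"], verdict))
    return results


def check_pages(pages):
    """pages: {path: html} -> {path: [(action, method, verdict), ...]}."""
    return {path: check_page(html) for path, html in pages.items()}


# Constructed sample responses (not captured from any real application).
SAMPLE_PAGES = {
    "/account/transfer": """
        <form action="/account/transfer" method="POST">
          <input type="hidden" name="_csrf" value="3b9c0f5e2a7d">
          <input name="amount"><input type="submit">
        </form>""",
    "/account/close": """
        <form action="/account/close" method="post">
          <input name="confirm" type="checkbox"><input type="submit">
        </form>""",
    "/search": """
        <form action="/search"><input name="q"></form>""",
    "/profile": """
        <form action="/profile" method="post">
          <input type="hidden" name="_csrf" value="">
        </form>""",
}

if __name__ == "__main__":
    for path, forms in check_pages(SAMPLE_PAGES).items():
        for action, method, verdict in forms:
            print(f"{path:20} {method:5} {action:20} {verdict}")
```

Presence is only the positive half. Whether the server actually rejects a replayed request without the token, or with another session's token, needs a negative test (ZAP's active scan, or a ZEST script that strips the field and expects the request to be refused), which is why the talk lists both positive and negative experiment styles.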
Canonicalization Correctness Sensor
Code
JUnit
Positive
Staging
Injection Sensors
Data Flow
IAST
Negative
Dev
Use IAST tools for DFA vulnerabilities
• What would you like to gather from all your applications?
• Inventory? Architecture? Outbound connections? Lines of code? Security components?
• All possible…. and all at devops speed and portfolio scale
Architecture, Inventory, and More…
Building Continuous AppSec
Dynamic, Interactive, JUnit, Manual, Static
DEV CI TEST QA STAG OPS SEC
Data Warehouse: Application Security Intelligence
Sensors?
How do you know what sensors you need?
1) The OWASP Top Ten?
2) What your tools are good at?
3) What your pentester thinks is important?
4) Actually figure out what matters?
[Bar chart: "Applications with at Least One Vulnerability in Category" (0% to 90%), one bar per category, legend Higher Risk / Lower Risk. Categories: Identification and Authentication; Input Validation and Encoding; Session Management; Sensitive Data Protection; Access Control/Authorization; Error Handling; Logging and Intrusion Detection; Cross Site Request Forgery (CSRF); Platform Security; Database Security; Code Quality; System Availability - DOS Protection; Accessing External Services. Bar values are not recoverable from the extraction.]
Aspect 2013 Global AppSec Risk Report
What’s In Your Expected Model?
Expected: Threat Model
Abuse Cases
Policy
Standards…
Requirements
There is no security without a model
What Are You Actually Testing?
Actual: Pentest
Code Review
Tools
Arch Review
…
Unfortunately…
Actual vs. Expected
Not being tested (aka RISK)
Doesn’t need testing (aka WASTE)
Are You Secure?
Secure?
Sensors
Actual Defenses
Defense Strategies
Business Concern: Data Protection
Minimize Sensitive Data
Role Based Access Control
Encrypt Data in Storage and Transit
Full Disk Encryption with TrueCrypt
Programmatic Encryption with ESAPI
Libraries Present and Up-to-date
Encryption Correctness with JUnit Tests
ESAPI Used Properly
TLS Everywhere with Venafi
Logging and Intrusion Detection
Aligning Sensors with Business Concerns
Fraud, Availability
Continuous Application Security!
Expected
Actual
Application Portfolio
Application security dashboards
Translate “expected” into sensors
New Threats,Business Priorities
Choose a sensor
Build it with developers
Deploy your sensor
Create a dashboard using Excel
How to Get Started
Transforming AppSec
AppSec Compliance
AppSec Monitoring
AppSec Strategy
AppSec Optimization
AppSec as Business Driver
We will never improve if our only metric is whether we are doing what everyone else is doing
Thank You!
Please stop by the Contrast Security booth!
@planetlevel
Expected: Tracking Coverage
Infrastructure Security
Data Protection
Logging and Accountability
Secure Development
Security Verification
Incident Response
▼ Minimal data collection
▼ …
▼ Strong encryption in storage and transit
▼ All external connections use SSL
▼ All internal connections use SSL
▼ SSL hardened according to OWASP
▼ All highly sensitive data encrypted
▼ Encryption uses standard control
▼ Encryption uses AES, no CBC or ECB
▼ Universal authentication
▼ …
▼ Pervasive access control
▼ …
▼ Injection defenses
▼ Strict positive validation of all input
▼ Use of parameterized interfaces
▼ All parsers hardened
▼ XML parsers set to not use DOCTYPE
▼ No-content-sniffing header set (X-Content-Type-Options: nosniff)
▼ Etc…
▼ Use Hibernate and secure coding
▼ Use JQuery and secure coding
▼ Etc…
Enterprise Controls Dashboard
Expected Defense
Defense Present?
Defense Correct?
Applications Tested?
Training and Support
Authentication Authorization Cryptography
Validation Escaping Tokens Logging Intrusion Detection
Random Numbers
Browser Security
Safe API Wrappers
Object Reference Management
Error Handling
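The Expected/Actual picture and the dashboard columns above (Defense Present?, Defense Correct?, Applications Tested?) can be computed directly from sensor output. As an added example, not from the talk or any product, here is a small roll-up in Python over constructed sample sensor results, with hypothetical defense and application names: for each expected defense it reports the share of the portfolio tested, present and correct, and it separates the two gaps from the Venn slide, expected-but-untested (risk) and tested-but-not-expected (waste).

```python
"""Roll sensor results up into the expected-vs-actual view.

EXPECTED is the set of defenses the organisation's model calls for; SENSOR_RESULTS
is what deployed sensors actually measured. The roll-up gives, per expected
defense, how much of the portfolio is tested / has the defense present / has it
correct, plus the two gaps: expected-but-untested (risk) and
tested-but-not-expected (waste).
"""

# Constructed sample data with hypothetical defense and application names.
# Each sensor result is {app: (present, correct)} for one defense.
EXPECTED = {"clickjacking", "csrf", "access_control", "known_vuln_libs", "encryption"}

SENSOR_RESULTS = {
    "clickjacking": {"payroll": (True, True), "intranet": (False, False), "billing": (True, True)},
    "csrf": {"payroll": (True, False), "intranet": (True, True), "billing": (True, True)},
    "access_control": {"payroll": (True, True), "billing": (False, False)},
    "xss_signature_scan": {"payroll": (True, True)},  # nobody's model asked for this one
}

PORTFOLIO = {"payroll", "intranet", "billing"}


def coverage(expected, results, portfolio):
    """Per expected defense: percentage of the portfolio tested, present, correct."""
    n = len(portfolio)
    rows = {}
    for defense in sorted(expected):
        apps = results.get(defense, {})
        tested = sum(1 for a in apps if a in portfolio)
        present = sum(1 for a, (p, _c) in apps.items() if a in portfolio and p)
        correct = sum(1 for a, (p, c) in apps.items() if a in portfolio and p and c)
        rows[defense] = {"tested": round(100 * tested / n),
                         "present": round(100 * present / n),
                         "correct": round(100 * correct / n)}
    return rows


def gaps(expected, results):
    """risk = expected defenses no sensor covers; waste = sensors for defenses nobody expects."""
    return expected - set(results), set(results) - expected


def unconfirmed_defenses(expected, results, portfolio):
    """For each app, the expected defenses not yet confirmed present AND correct,
    whatever the reason (no sensor, sensor not run on this app, absent, or wrong)."""
    return {app: sorted(d for d in expected
                        if results.get(d, {}).get(app) != (True, True))
            for app in sorted(portfolio)}


if __name__ == "__main__":
    for defense, row in coverage(EXPECTED, SENSOR_RESULTS, PORTFOLIO).items():
        print(f"{defense:18} tested {row['tested']:3d}%  present {row['present']:3d}%  "
              f"correct {row['correct']:3d}%")
    risk, waste = gaps(EXPECTED, SENSOR_RESULTS)
    print("RISK  (expected, not tested):", sorted(risk))
    print("WASTE (tested, not expected):", sorted(waste))
    for app, missing in unconfirmed_defenses(EXPECTED, SENSOR_RESULTS, PORTFOLIO).items():
        print(f"{app:10} unconfirmed: {', '.join(missing)}")
```

The three functions are the whole dashboard: coverage() fills the per-defense columns, gaps() is the risk/waste pair, and unconfirmed_defenses() is the per-application view. Exporting the dictionaries to CSV gives the "dashboard using Excel" the talk suggests as a starting point.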