TRANSCRIPT
Application Security at
DevOps Speed and Portfolio Scale
Jeff Williams @planetlevel
Contrast Security
OWASP XSS Prevention Cheat Sheet
1,000,000 Page Views!
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
About Me
Application Security Is Healthcare
Sensors Are Revolutionizing Healthcare
Instrumenting the body means continuous realtime monitoring…
Not periodic checkups
Your phone will know you’re sick before you do!
Modern Software Development…
Javascript/Ajax SOAP/REST
Serialized Objects
Raw Socket
Inversion of Control
Libraries and Frameworks
Aspect Oriented
Programming
Agile
DevOps
Cloud/Mobile
Traditional appsec tools and techniques simply can’t handle ANY of these
AppSec Progress
Security
Software
Continuous AppSec
Starting Over
The right defenses for every application are…
Present, Correct, Used Properly
Defining “Portfolio Scale”
Defining “DevOps Speed”
Application security happens continuously
and in real time
Is my portfolio
protected against
clickjacking?
One Thing at a Time…
Gathering Intelligence
Controller
Presentation
Business Functions
Data Layer
Third Party Libraries
Application Server
Platform Runtime
Framework
Operating System
Security Intelligence Sources
HTTP Traffic
Backend Connections
Configuration Data
Libraries and Frameworks
Data Flow
Control Flow
Vulnerability Trace
Designing a Clickjacking Sensor
Experiment Style
Positive
Negative
Environment
Dev
CI
Test
QA
Staging
Security
Analysis Technique
Manual
SAST
DAST
IAST
Passive
Intel Sources
Code
HTTP
Configuration
Choose based on:
• Speed
• Accuracy
• Feedback
• Scalability
• Ease of Use
• Cost
Data Flow
Control Flow
Libraries
Connections
Sampling
Prod
Intelligence
JUnit
Continuous ClickJacking Defense Verification
A new HTTP sensor to verify that the X-Frame-Options header is set to DENY or SAMEORIGIN on every web page
Dynamic / Interactive / JUnit / Manual / Static
DEV / CI / TEST / QA / STAG / OPS / SEC
Data Warehouse: Application Security Intelligence
Instrumentation
Internal Networks
Ad-Hoc Servers
External Facing Cloud
Instrument your applications and they report their security
…regardless of your organizational or technical structure.
Run Against Entire Portfolio
Application Name          Result   Grade
TBMarks                   88%      A
RPC                       0%       F
CaseyMotors               0%       F
Financials                72%      C
International Reporting   0%       F
…
“Financials” ClickJacking Defense – C (72%)
/home DENY
/home/error.jsp -
/home/index.jsp DENY
/account SAME-ORIGIN
/account/report.jsp -
…
Continuous AppSec Dashboard
• We transformed clickjacking verification to devops speed and portfolio scale!
One Small Step Towards Continuous AppSec
Before -> After
Annual pentest -> Continuous monitoring
Negative signatures -> Positive verification
One app at a time -> Portfolio wide
Okay, clickjacking. Big deal.
More Sensors…
I want a sensor to verify…
My business logic makes access control checks
My libraries are free from known vulnerabilities
My forms are not susceptible to CSRF attacks
My interpreters are protected against injection
My encryption is implemented correctly
My application has no unknown connections
And much more….
Source File                          Result (@PreAuthorize)
TestSBMBugtrackerController.java @PreAuthorize("hasAnyRole('ROLE_BUG_CREATE','ROLE_BUG_EDIT')")
UpdateSBMBugtrackerController.java @PreAuthorize("hasRole('ROLE_BUG_EDIT')")
SelectBugtrackerController.java @PreAuthorize("hasRole('ROLE_BUG_CREATE')")
CheckAppStatusController.java MISSING
ViewConsoleEventsController.java @PreAuthorize("hasRole('ROLE_CONSOLE_VIEW')")
DeleteEngineConfigController.java @PreAuthorize("hasRole('ROLE_ENGINE_PROFILES')")
DownloadEngineController.java @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')")
EngineConfigController.java @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')")
ErrorController.java MISSING
InboxController.java @PreAuthorize("isAuthenticated()")
InstallationWizardController.java @PreAuthorize("isAuthenticated()")
InviteAFriendController.java @PreAuthorize("isAuthenticated()")
LoginController.java MISSING
DeleteMessageController.java @PreAuthorize("isAuthenticated()")
GetSystemMessagesController.java @PreAuthorize("isAdmin()")
Access Control Intelligence Sensor
Control Flow
SAST
Intelligence
CI
Generated Access Control Matrix from Code
Roles (columns): ROLE_APPLICATION_DELETE, ROLE_APPLICATION_GROUP, ROLE_APPLICATION_REET, ROLE_TRACES_DELETE, ROLE_TRACES_SENDMAIL, ROLE_TRACE_SEARCH, ROLE_ENGINE_DOWNLOAD, ROLE_ENGINE_PROFILES, ROLE_CONSOLE_VIEW, ROLE_BUGTRACKER_VIEW, ROLE_BUGTRACKER_CREATE, ROLE_BUGTRACKER_DELETE, ROLE_AUDIT_VIEW, ROLE_ENGINE_ACTIVITY, ROLE_LIBRARY_SEARCH
Controllers (rows; an "O" marks a role the controller requires):
TracesGetBugtrackersController.java O
TracesGetUsersController.java O
TracesJIRAExportController.java O
TracesMergeController.java O
TracesSaveStatusController.java O
TracesSearchController.java O
TracesSendToBugtrackersController.java
TracesTreeController.java O
TracesViewerController.java O
TraceViewerWorkingNotificationController.java O
ViewTracesController.java O
UpdateAppConfigurationController.java O
BannerController.java O
BillingAccountActivityController.java O O
BillingApplyPaymentController.java O
BillingAppsController.java O
BillingExecuteOrderController.java O
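A SAST-style access control sensor of the kind shown in the two tables above, as an added Python example (not the talk's or Contrast's code): it scans Spring controller sources for @PreAuthorize, flags controllers with no annotation as MISSING, and builds the role-by-controller matrix. The Java snippets are constructed and the `*Controller` naming convention is an assumption.

```python
"""Access control intelligence sensor: which controllers lack @PreAuthorize?
Added example, not the talk's or Contrast's code. A SAST-style check meant to run
in CI over Spring MVC controller sources; the Java snippets below are constructed,
and the *Controller class naming convention is an assumption."""
import re

PREAUTH_RE = re.compile(r'@PreAuthorize\(\s*"([^"]*)"\s*\)')
CLASS_RE = re.compile(r"\bclass\s+(\w+Controller)\b")
ROLE_RE = re.compile(r"'(ROLE_[A-Z_]+)'")

def scan_controller(source: str) -> tuple:
    """Return (class name, first @PreAuthorize expression or 'MISSING', roles it names).
    Only confirms an annotation exists somewhere in the file, so a class with one
    secured method and several unsecured ones still passes: positive evidence, not proof."""
    cls_match = CLASS_RE.search(source)
    cls = cls_match.group(1) if cls_match else "<unknown>"
    m = PREAUTH_RE.search(source)
    if not m:
        return cls, "MISSING", set()
    return cls, m.group(1), set(ROLE_RE.findall(m.group(1)))

def access_control_matrix(sources: list) -> tuple:
    """Rows: controllers; columns: every ROLE_* seen; cell 'O' where the role is required.
    Also returns the controllers with no annotation, the finding a reviewer acts on first."""
    rows = [scan_controller(s) for s in sources]
    roles = sorted({r for _, _, rs in rows for r in rs})
    matrix = {cls: {role: ("O" if role in rs else "") for role in roles} for cls, _, rs in rows}
    missing = [cls for cls, expr, _ in rows if expr == "MISSING"]
    return roles, matrix, missing

# Constructed sample sources (not the product's real controllers).
SOURCES = [
    "@PreAuthorize(\"hasAnyRole('ROLE_BUG_CREATE','ROLE_BUG_EDIT')\")\n"
    "public class TestSBMBugtrackerController extends BaseController {}",
    "@PreAuthorize(\"isAuthenticated()\")\npublic class InboxController {}",
    "@Controller\npublic class CheckAppStatusController {}",  # no access control check
    "@PreAuthorize(\"hasRole('ROLE_ENGINE_DOWNLOAD')\")\npublic class DownloadEngineController {}",
]

if __name__ == "__main__":
    roles, matrix, missing = access_control_matrix(SOURCES)
    print("Columns:", ", ".join(roles))
    for cls, cells in matrix.items():
        print(f"{cls:<32}", " ".join(cells[r] or "." for r in roles))
    print("MISSING:", missing)
```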
Known Vulnerable Libraries Sensor
Libraries
SAST
Negative
CI
Run DependencyCheck during every build (and do a build once a month even if nothing changed)
• Run tests through ZAP
• ZEST to check CSRF Token
• Get results via ZAP REST API
CSRF Defense Sensor
HTTP
Passive
Positive
QA
Canonicalization Correctness Sensor
Code
JUnit
Positive
Staging
Injection Sensors
Data Flow
IAST
Negative
Dev
Use code instrumentation tools for DFA vulnerabilities
• What would you like to gather from all your applications?
• Inventory? Architecture? Outbound connections? Lines of code? Security components?
• All possible… and all at devops speed and portfolio scale
Architecture, Inventory, and More…
Building Continuous AppSec
Dynamic / Interactive / JUnit / Manual / Static
DEV / CI / TEST / QA / STAG / OPS / SEC
Data Warehouse: Application Security Intelligence
Sensors?
How do you know what sensors you need?
1) The OWASP Top Ten?
2) What your tools are good at?
3) What your pentester thinks is important?
4) Actually figure out what matters?
[Chart: Applications with at Least One Vulnerability in Category, by category, 0%–90% axis, split into Higher Risk and Lower Risk; source: Aspect 2013 Global AppSec Risk Report]
What’s In Your Expected Model?
Expected: Threat Model
Abuse Cases
Policy
Standards…
Requirements
There is no security without a model
What Are You Actually Testing?
Actual: Pentest
Code Review
Tools
Arch Review
…
Unfortunately…
Actual vs. Expected
Not being tested
(aka RISK)
Doesn’t need testing (aka WASTE)
Are You Secure?
Secure?
Sensors
Actual Defenses
Defense Strategies
Business Concerns Data Protection
Minimize Sensitive Data
Role Based Access Control
Encrypt Data in Storage and Transit
Full Disk Encryption with TrueCrypt
Programmatic Encryption with ESAPI
Libraries Present and Up-to-date
Encryption Correctness with JUnit Tests
ESAPI Used Properly
TLS Everywhere with Venafi
Logging and Intrusion Detection
Aligning Sensors with Business Concerns
Fraud Availability
Continuous Application Security!
Expected
Actual
Application Portfolio
[Grid of applications, one cell per app]
Application security dashboards
Translate “expected” into sensors
New Threats, Business Priorities
Choose a sensor
Build it with developers
Deploy your sensor
Create a dashboard using Excel
How to Get Started
Transforming AppSec
AppSec Compliance
AppSec Monitoring
AppSec Strategy
AppSec Optimization
AppSec as Business Driver
We will never improve if our only metric is whether we are doing what everyone else is doing
Thank You!
Please stop by our booth! @contrastsec
Expected: Tracking Coverage
Infrastructure Security
Data Protection
Logging and Accountability
Secure Development
Security Verification
Incident Response
▼ Minimal data collection
▼ …
▼ Strong encryption in storage and transit
▼ All external connections use SSL
▼ All internal connections use SSL
▼ SSL hardened according to OWASP
▼ All highly sensitive data encrypted
▼ Encryption uses standard control
▼ Encryption uses AES, no CBC or ECB
▼ Universal authentication
▼ …
▼ Pervasive access control
▼ …
▼ Injection defenses
▼ Strict positive validation of all input
▼ Use of parameterized interfaces
▼ All parsers hardened
▼ XML parsers set to not use DOCTYPE
▼ Browser set no content sniffing header
▼ Etc…
▼ Use Hibernate and secure coding
▼ Use JQuery and secure coding
▼ Etc…
Enterprise Controls Dashboard
Columns: Expected Defense | Defense Present? | Defense Correct? | Applications Tested? | Training and Support
Rows (expected defenses):
Authentication
Authorization
Cryptography
Validation
Escaping
Tokens
Logging
Intrusion Detection
Random Numbers
Browser Security
Safe API Wrappers
Object Reference Management
Error Handling