automating your tools: how to free up your security professionals for actual security tasks
TRANSCRIPT
Aspect Security | 9175 Guilford Road, Suite 300 | Columbia, MD 21046 | www.aspectsecurity.com
Automating Your Tools: How to Free Up Your Security Professionals for Actual Security Tasks
Techno Security, 06/02/2015
Application security that just works
©2015 Aspect Security. All Rights Reserved 2
ABOUT ME
Kevin Fealey
Principal Consultant & Practice Lead, Automation & Integration Services
7 years AppSec experience
Specialties:
• Process efficiency
• Open Source and Commercial Tools
• Automation
ABOUT YOU
• Developer?
• Part of an AppSec team?
• [Want to] Do Continuous/Rapid Delivery?
APPLICATION SECURITY VS. NETWORK SECURITY
Application Layer
– Attacker sends attacks inside valid HTTP requests
– Custom code is tricked into doing something it should not
– Security requires software development expertise, not signatures
Network Layer
– Firewall, hardening, patching, IDS, and SSL/TLS cannot detect or stop attacks inside HTTP requests
– Security relies on signature databases
[Diagram: an application attack passes through the network layer (firewall, hardened OS, web server, app server) into the application layer (custom code) and on to back-end assets (databases, legacy systems, web services, directories, human resources, billing) and business functions (accounts, finance, administration, transactions, communication, knowledge mgmt, e-commerce).]
COMMON APPLICATION VULNERABILITIES
■ The OWASP Top Ten:
– Injection Flaws
– Broken Account and Session Management
– Cross Site Scripting Flaws
– Direct Object References
– Web/Application Server Misconfigurations
– Sensitive Data Exposure
– Broken Access Control
– Cross-Site Request Forgery
– Using Components with Known Vulnerabilities
– Unvalidated Redirects and Forwards
WHY TALK ABOUT APPSEC HERE?
- Many public attacks at the app layer
  - SQLi for a ‘data breach’
  - Pivot: XSS -> Admin Account Compromise -> ??
- Better understanding of the app layer can provide better granularity when performing root cause analysis
- Better understanding of these issues can allow for more specific remediation guidance
TRADITIONAL APPLICATION SECURITY
Security Like it’s 1999…
TRADITIONAL APPSEC
~2 weeks
TRADITIONAL VULNERABILITY MANAGEMENT
Risk Accepted
UNDERSTANDING THE PROBLEM
[Chart: of hundreds or thousands of web applications and web services, 90% receive no security at all and 10% receive some security.]
Security teams are understaffed
Development is getting faster and more abstract
“Security causes rework”
RESULT: SECURITY IS NOT SCALABLE
It’s only getting worse…
ROOT CAUSES
[Diagram: the SDLC runs Requirements → Design → Develop → Test → Maintenance, with Development feeding Production; Security sits outside the cycle. Caption: Oops! Forgot security…]
SOLUTION: AUTOMATION
Make security a part of the SDLC
Deploy sensors for “continuous application security”
Widen the security bottleneck
[Chart: with security automation, 90% of the hundreds or thousands of web applications and web services receive some security.]
Provide broad coverage to more applications in less time
CONTINUOUS APPLICATION SECURITY (CAS)
TOMORROW: SECURITY SENSORS IN THE SDLC
Automated, integrated testing and reporting shorten the feedback cycle and enable security at scale
[Diagram: SDLC stages Design → Develop → Test → Maintenance, with an automated loop of Code Sync → Build/Deploy → Scan → Report feeding back into them.]
COST TO REMEDIATE ISSUES
Cost to Fix a Vulnerability Depends on When it is Found

Phase found    Cost to fix
Coding         $139.00
Testing        $1,390.00
Beta           $2,780.00
Release        $4,170.00

Find an issue in Development vs Test – Save 10x
TOOL AUTOMATION
Leverage efficiencies of scale and reuse to greatly reduce the amount of time spent on analysis.
[Chart: time spent per scanning workflow activity (Access Source, Scan Configuration, Scan, Triage), Manual Scanning vs. Automated Scanning.]
Automated scanning allows your security team to spend less time trying to get the tool to do its job and more time looking for real vulnerabilities.
WHAT SENSORS?
TURN YOUR TOOLS INTO SENSORS
Most tools have at least one of the following:
1. Command Line Interface
2. REST APIs
3. Public APIs
CENTRALIZE SENSOR OUTPUT
[Diagram: sensors on the Application Server, Web Server, Database Server and Security Tools emit events (‘ or 1=1; --, Access Control Violation!, Heartbleed detected!, Invalid HTTP Request) whose data flows into a Central Repository.]
APPLICATION SECURITY EVENT ALERTS
[Diagram: an event (‘ or 1=1; --) from the Application Server, Web Server or Database Server lands in the Central Repository and raises an alert (!!!) on a CAS Dashboard, GRC tool, etc.]
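As an added example, not part of the slides or of Aspect Security's own tooling, this is one way the "tools as sensors" idea from the last three slides can be wired together in Python: two adapters (one for a hypothetical CLI scanner's JSON report, one for web server access log lines) normalize their output into a common event schema, a central repository collects everything, and a severity filter decides what reaches the dashboard. The tool name, JSON layout and log lines are all constructed for the example.

```python
import json
import re
from urllib.parse import unquote

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

def make_event(sensor, app, severity, category, detail):
    """Common schema every sensor adapter emits into the central repository."""
    return {"sensor": sensor, "app": app, "severity": severity,
            "category": category, "detail": detail}

def from_sast_report(raw_json):
    """Adapter for a CLI scanner that writes JSON (hypothetical format)."""
    report = json.loads(raw_json)
    return [make_event(report["tool"], report["project"], f["severity"],
                       f["rule"], f"{f['file']}:{f['line']}")
            for f in report["findings"]]

# Tautology such as ' or 1=1 inside a URL-decoded query string.
SQLI_TAUTOLOGY = re.compile(r"'\s*or\s*\d+\s*=\s*\d+", re.IGNORECASE)

def from_access_log(line, app):
    """Adapter for a web server access log line; flags tautology-style SQLi."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    if not m:  # request line did not parse: surface it rather than drop it
        return [make_event("web-server", app, "LOW", "invalid-http-request", line)]
    decoded = unquote(m.group(1))
    if SQLI_TAUTOLOGY.search(decoded):
        return [make_event("web-server", app, "HIGH", "sql-injection-attempt", decoded)]
    return []

def collect(batches):
    """Central repository: flatten every adapter's output into one list."""
    return [event for batch in batches for event in batch]

def alerts(repository, min_severity="HIGH"):
    """Events worth pushing to a CAS dashboard or GRC tool."""
    floor = SEVERITY_RANK[min_severity]
    return [e for e in repository if SEVERITY_RANK[e["severity"]] >= floor]

# Constructed sample sensor output; not real tool formats or real traffic.
SAST_JSON = json.dumps({"tool": "sast-demo", "project": "billing", "findings": [
    {"rule": "sql-injection", "severity": "HIGH", "file": "Order.java", "line": 42},
    {"rule": "weak-cipher-mode", "severity": "MEDIUM", "file": "Crypto.java", "line": 7}]})
ATTACK_LINE = '10.0.0.5 - - [02/Jun/2015:13:30:00 -0400] "GET /search?q=%27%20or%201%3D1%3B%20-- HTTP/1.1" 200 512'
BENIGN_LINE = '10.0.0.6 - - [02/Jun/2015:13:30:01 -0400] "GET /index.html HTTP/1.1" 200 1024'
GARBAGE_LINE = '10.0.0.7 - - [02/Jun/2015:13:30:02 -0400] "\x16\x03\x01" 400 0'

def demo():
    """Run every adapter, centralize the events, and return (repository, alerts)."""
    repo = collect([from_sast_report(SAST_JSON), from_access_log(ATTACK_LINE, "billing"),
                    from_access_log(BENIGN_LINE, "billing"), from_access_log(GARBAGE_LINE, "billing")])
    return repo, alerts(repo)
```

Each adapter is a few lines because the tool already exposes a CLI or log file; adding a new sensor means adding one more adapter, not another dashboard.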
CONTINUOUS APPLICATION SECURITY
Real-Time Actionable Security Intelligence for:
- Developers
- Security Teams
- Managers
- Executives
BENEFITS OF SECURITY DASHBOARDS
Understand your true risk at the application layer
Profile applications & development teams for continuous improvement
Consolidated data in the event of a breach
Breed security culture by making security visible
NOW WHAT?
Security Team’s Job:
• Develop/Enhance sensors
• Track security trends via dashboards
• Research
• Threat Models/Architecture Reviews/Remediation Guidance
• Spread security culture
24/7 Security
WHAT GOOD IS THIS TOOL?
Sweet new pool table! Where should we put it?
BEFORE YOU DEVELOP A DASHBOARD
Define a security model that fits your business
• All encryption = AES, no CBC or ECB
• All external/internal connections use SSL
• Use defined secure libraries
Start small and grow CAS program over time
THANK YOU!
Kevin Fealey | @secfealz [email protected] www.AspectSecurity.com
Questions? Feedback?
DESCRIPTION
Tuesday, June 2, 1:30PM - 2:20PM
Automating Your Tools: How to Free Up Your Security Professionals for Actual Security Tasks

Manual application security testing alone doesn't cut it anymore -- scanning with SAST, DAST, and IAST tools is necessary to achieve security at portfolio scale; but as agile development practices become more popular, tool-assisted security reviews used as gates to production become more disruptive and expensive. While development teams evolve toward continuous release and deployment, the security industry continues to use the same paradigms developed 15 years ago. If organizations hope to produce more secure code at DevOps speed, something has to change. This session will describe how many of the application security tasks performed manually today can be automated to allow security professionals to look for novel security problems, rather than just low-hanging fruit. I'll explain 1) how open source and commercial tools can add value when integrated into the development lifecycle; 2) how using security tools as automated sensors can improve security visibility and provide real-time actionable intelligence; and 3) how automating simple security tasks can free up security teams to work on real security challenges. We'll also describe some common pitfalls when incorporating security into development, as well as real-world solutions learned from our work in this area over the past 6 years.