Continuous Application Security: “We’re Pulling Out All the Stops” (Jeff Williams, @planetlevel)
![Page 1: Continuous Application Security “We’re Pulling Out All the Stops” Jeff Williams @ planetlevel](https://reader036.vdocument.in/reader036/viewer/2022062817/56816976550346895de15f3a/html5/thumbnails/1.jpg)
Continuous Application Security: “We’re Pulling Out All the Stops”
Jeff Williams, @planetlevel
Factories Instrument Everything
Programmable Controllers
Connectors and Adapters
Live Dashboard
Identify problems before they become PROBLEMS
The Phoenix Project
What Is Continuous AppSec?
What: The right defenses for every application are…
Present, Correct, Used Properly
How: Portfolio and enterprise security controls are verified…
Continuously, Automatically, In real time
Building Continuous AppSec
Pipeline stages instrumented: DEV, CI, TEST, QA, STAG, OPS, SEC
Analysis types feeding the pipeline: Dynamic, Interactive, JUnit, Manual, Static
Your IT Organization… → Continuous AppSec → Analytics
1) Transform our existing tools into SENSORS
2) Instrument the entire software organization
3) Collect big data security analytics
Initial Sensors
• CheckYourHeaders – http://cyh.heroku.com/cyh
• OWASP Dependency Check – http://www.owasp.org/index.php/OWASP_Dependency_Check
• Nmap – http://nmap.org
• Sslyze – https://github.com/iSECPartners/sslyze
• OWASP ZAP – http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• Minion
• Gauntlt
Results/Demo
• I hate presentations that wait until the end to show me the result.
• If you hate it, please feel free to check your email or play Angry Birds.
• If you like it, I’ll give you the details…
Monkey Architecture
Diagram: Sensors on Hosts produce raw results; Digesters in the Monkey Server normalize them and feed the Dashboard (captions on the diagram: See Evil! Hear Evil! Speak Evil!)
What’s In an AppSec Sensor
Sensor = Config + Tool + Launcher
Sensor Launcher and Config?
• Config is stuff like:
  – Hostname
  – Target URLs
  – Perhaps full sitemap
  – Credentials
  – Tool options (recursive, output format, destination directory)
  – Etc…
• Launcher is a small script that runs the tool with the specified config
Managing Sensors with Puppet
```puppet
class depcheck {
  # Java runtime for Dependency-Check. The update-alternatives execs carry no
  # 'unless'/'creates' guard, so Puppet re-runs them on every agent run.
  package { 'openjdk-7-jdk':
    ensure => installed,
  }
  exec { "/usr/sbin/update-alternatives --set java /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java": }
  exec { "/usr/sbin/update-alternatives --set javac /usr/lib/jvm/java-7-openjdk-amd64/bin/javac": }

  # … check bash
  # ssh key for the monkey account (key details elided on the slide)
  ssh_authorized_key { 'monkey': ….. }

  # … check permissions
  # Tool and launcher script are shipped from the Puppet module
  file { "/home/monkey/agentmonkey/TOOLS/dependency-check-1.1.4-release":
    source  => "puppet:///modules/depcheck/dependency-check-1.1.4-release",
    recurse => true,
  }
  file { "/home/monkey/agentmonkey/SCRIPTS/depcheck.sh":
    source => "puppet:///modules/depcheck/depcheck.sh",
    …
  }

  # Launcher runs at minute 0 of every hour as the unprivileged monkey user
  cron { "cronDepcheck":
    command => "/home/monkey/agentmonkey/SCRIPTS/depcheck.sh",
    user    => monkey,
    minute  => 0,
  }
}
```
Handling Results
Raw Sensor Data is copied with rsync from the ARMS Server (with Sensors) to the Monkey Server.
Standardizing the Data
Digesters turn each tool’s native output (XML, JSON, Text, CSV) into Monkey Format*
*Currently CSV
Digesters
RAW → DIGESTED, written in Python, XPath, etc…
Monkey Format
• Timestamp – April 14, 2014 10:10 AM EDT
• IPAddress – 192.168.2.234
• Hostname – webgoat.internal
• AppName – WebGoat
• URL – http://webgoat.internal/WebGoat/attack
• LOC – /filepath/Foo.java @ 123
• Tool – DependencyCheck
• Category – Platform
• Subcategory – Libraries
• TestName – CheckCVE
• TestDesc – Verify library is…
• TestResult – Library has CVE-2011-124
• ASVS – V6.2
• CWE – CWE-2013-03
• Security – 40 (0 to 100)
• Coverage – OOS
• Confidence – 100
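The Digesters and Monkey Format slides above describe one step: a small Python program reads a tool’s raw report and emits one Monkey Format row per finding. The following digester is an added example and not code from the Monkey project. It parses a constructed, simplified stand-in for a Dependency-Check XML report (the real schema has more elements), fills the fields listed on the Monkey Format slide, and writes the current CSV form. The severity-to-score table, the PASS row for a clean library, and the rejection of unrecognised input are assumptions of this example.

```python
"""Digester: raw tool XML -> Monkey Format rows (CSV).

Added example, not code from the Monkey project.  RAW_XML is a constructed,
simplified stand-in for a Dependency-Check report (the real schema has more
elements); the field names follow the Monkey Format slide.  SEVERITY_SCORE
and the "no known CVEs" row are assumptions.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample report: two libraries, one with a known CVE.  The CVE
# string is the placeholder value shown on the Monkey Format slide.
RAW_XML = """<analysis>
  <scanInfo><engineVersion>1.1.4</engineVersion></scanInfo>
  <dependencies>
    <dependency>
      <fileName>example-lib-1.0.jar</fileName>
      <filePath>/opt/webgoat/WEB-INF/lib/example-lib-1.0.jar</filePath>
      <vulnerabilities>
        <vulnerability>
          <name>CVE-2011-124</name>
          <severity>Medium</severity>
          <description>Constructed description of the issue</description>
        </vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>clean-lib-2.3.jar</fileName>
      <filePath>/opt/webgoat/WEB-INF/lib/clean-lib-2.3.jar</filePath>
      <vulnerabilities/>
    </dependency>
  </dependencies>
</analysis>
"""

MONKEY_FIELDS = [
    "Timestamp", "IPAddress", "Hostname", "AppName", "URL", "LOC", "Tool",
    "Category", "Subcategory", "TestName", "TestDesc", "TestResult",
    "ASVS", "CWE", "Security", "Coverage", "Confidence",
]

# Assumed mapping from tool severity to the 0..100 Security score.
SEVERITY_SCORE = {"critical": 0, "high": 10, "medium": 40, "low": 70}


def digest(raw_xml, host, ip, app, url, timestamp):
    """Turn one raw report into Monkey-format dicts: one row per
    (library, CVE) pair plus one PASS row per clean library."""
    root = ET.fromstring(raw_xml)
    # Refuse input we do not recognise: a silent empty result would show up
    # on the dashboard as "no vulnerabilities", the wrong default for a sensor.
    if root.tag != "analysis" or root.find("dependencies") is None:
        raise ValueError("not a dependency report")
    base = {
        "Timestamp": timestamp, "IPAddress": ip, "Hostname": host,
        "AppName": app, "URL": url, "Tool": "DependencyCheck",
        "Category": "Platform", "Subcategory": "Libraries",
        "TestName": "CheckCVE", "TestDesc": "Verify library has no known CVEs",
        "ASVS": "", "CWE": "", "Coverage": "", "Confidence": 100,
    }
    rows = []
    for dep in root.iterfind("./dependencies/dependency"):
        loc = dep.findtext("filePath") or dep.findtext("fileName") or ""
        vulns = dep.findall("./vulnerabilities/vulnerability")
        if not vulns:
            rows.append({**base, "LOC": loc, "TestResult": "No known CVEs",
                         "Security": 100})
            continue
        for v in vulns:
            cve = (v.findtext("name") or "").strip()
            sev = (v.findtext("severity") or "").strip().lower()
            rows.append({**base, "LOC": loc,
                         "TestResult": f"Library has {cve}",
                         # An unknown severity scores as High, never as clean.
                         "Security": SEVERITY_SCORE.get(sev, 10)})
    return rows


def to_csv(rows):
    """Serialise rows in the current Monkey Format, which is CSV."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=MONKEY_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(digest(RAW_XML, "webgoat.internal", "192.168.2.234", "WebGoat",
                        "http://webgoat.internal/WebGoat/attack",
                        "2014-04-14T10:10:00-04:00")))
```

The explicit rejection of an unrecognised report is the part worth keeping: when a tool changes its output format, a digester that quietly emits nothing makes the dashboard go green for the wrong reason.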
Initial Categories (category → subcategories)
• Auth’n: Auto-complete
• Auth’z: Path Traversal, Access Control
• Headers: Caching, Content, CSP, Cookies, Framing, Robots, XSS
• Injection: CrossJS, SQL, XSS
• Platform: Libraries
• Transport: Algorithms, Certificates, Heartbleed, STS, Mixed Content
• Unknown
Dashboards
Monkey has a self-organizing dashboard: sensors report their own category, subcategory, and test name, e.g. Cat: Transport, SubCat: HeartBleed, TestName: heartbleed
HeartBleed
Designing a HeartBleed Sensor
Experiment Style: Negative, Positive
Environment: Dev, CI, Test, QA, Staging, Security, Prod
Analysis Technique: Manual, SAST, Passive, IAST, DAST, JUnit, Intelligence
Data Sources: Code, HTTP, Configuration, Data Flow, Control Flow, Platform, Connections, Sampling
Choose based on: Speed, Accuracy, Feedback, Scalability, Ease of Use, Cost
Adding HeartBleed to Monkey
• Download scanner
• Realize it’s written in Go
• Download Go compiler
• Add Sensor to Monkey (20 minutes)
• Build Digester (10 minutes)
• Continuous monitoring enabled in 1 hour!
• And then I realized my mistake…
The Better Way to Test for HeartBleed
Sensors?
What sensors should we add next?
What’s In Your Expected Model?
Expected: Threat Model, Abuse Cases, Policy, Standards…, Requirements
There is no security without a model
What Are You Actually Testing?
Actual: Pentest, Code Review, Tools, Arch Review, …
Unfortunately…
Actual vs. Expected (Venn diagram): what is expected but not being tested (aka RISK), and what is tested but doesn’t need testing (aka WASTE)
Are You Secure?
Aligning Sensors with Business Concerns
Business Concern (category): Fraud, Availability, Data Protection
Defense Strategies (subcategory), shown for Data Protection: Minimize Sensitive Data; Role Based Access Control; Encrypt Data in Storage and Transit; Logging and Intrusion Detection
Actual Defenses (testname), each backed by a sensor: Full Disk Encryption with TrueCrypt; Programmatic Encryption with ESAPI; Libraries Present and Up-to-date; Encryption Correctness with JUnit Tests; ESAPI Used Properly; TLS Everywhere with Venafi
Continuous Application Security!
Expected → translate “expected” into sensors → Actual
Application Portfolio (a grid of applications) → application security dashboards
New Threats and Business Priorities feed back into Expected
How to Get Started
Thank You!
Hit me up on twitter @planetlevel
Chart: Applications with at Least One Vulnerability in Category (0% to 90%), ordered from Higher Risk to Lower Risk. Categories: Identification and Authentication; Input Validation and Encoding; Session Management; Sensitive Data Protection; Access Control/Authorization; Error Handling; Logging and Intrusion Detection; Cross Site Request Forgery (CSRF); Platform Security; Database Security; Code Quality; System Availability - DOS Protection; Accessing External Services.
Source: Aspect 2013 Global AppSec Risk Report
Access Control Intelligence Sensor

| Source File | Result (@PreAuthorize) |
|---|---|
| TestSBMBugtrackerController.java | @PreAuthorize("hasAnyRole('ROLE_BUG_CREATE','ROLE_BUG_EDIT')") |
| UpdateSBMBugtrackerController.java | @PreAuthorize("hasRole('ROLE_BUG_EDIT')") |
| SelectBugtrackerController.java | @PreAuthorize("hasRole('ROLE_BUG_CREATE')") |
| CheckAppStatusController.java | MISSING |
| ViewConsoleEventsController.java | @PreAuthorize("hasRole('ROLE_CONSOLE_VIEW')") |
| DeleteEngineConfigController.java | @PreAuthorize("hasRole('ROLE_ENGINE_PROFILES')") |
| DownloadEngineController.java | @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')") |
| EngineConfigController.java | @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')") |
| ErrorController.java | MISSING |
| InboxController.java | @PreAuthorize("isAuthenticated()") |
| InstallationWizardController.java | @PreAuthorize("isAuthenticated()") |
| InviteAFriendController.java | @PreAuthorize("isAuthenticated()") |
| LoginController.java | MISSING |
| DeleteMessageController.java | @PreAuthorize("isAuthenticated()") |
| GetSystemMessagesController.java | @PreAuthorize("isAdmin()") |
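A sensor of this kind is a short Python script run over the source tree in CI. The following is an added example, not the talk’s own sensor: it scans constructed Spring MVC controller sources (file names taken from the table above), reports PRESENT, MISSING, PARTIAL (some handler methods unprotected) or PUBLIC, and flags rules that are not built-in Spring Security expressions, since a rule such as isAdmin() only works if a custom expression root defines it. The PUBLIC_CONTROLLERS list and the Java snippets are assumptions of this example.

```python
"""Access Control Intelligence sensor: does every Spring MVC controller carry a
@PreAuthorize rule, and is the rule one Spring Security can evaluate?

Added example, not the sensor from the talk.  SOURCES holds constructed Java
snippets (only the parts the sensor inspects); the file names follow the
slide's table.  PUBLIC_CONTROLLERS is an assumption about which endpoints are
meant to be reachable before login.
"""
import re

SOURCES = {  # constructed
    "SelectBugtrackerController.java": """
        @Controller
        @PreAuthorize("hasRole('ROLE_BUG_CREATE')")
        public class SelectBugtrackerController {
            @RequestMapping("/bugtracker/select") public String select() { return "select"; }
        }""",
    "CheckAppStatusController.java": """
        @Controller
        public class CheckAppStatusController {
            @RequestMapping("/status") public String status() { return "status"; }
        }""",
    "GetSystemMessagesController.java": """
        @Controller
        @PreAuthorize("isAdmin()")
        public class GetSystemMessagesController {
            @RequestMapping(value = "/messages") public String all() { return "messages"; }
        }""",
    "LoginController.java": """
        @Controller
        public class LoginController {
            @RequestMapping("/login") public String login() { return "login"; }
        }""",
    "InboxController.java": """
        @Controller
        public class InboxController {
            @PreAuthorize("isAuthenticated()")
            @RequestMapping("/inbox") public String inbox() { return "inbox"; }
            @RequestMapping("/inbox/count") public String count() { return "0"; }
        }""",
}
PUBLIC_CONTROLLERS = {"LoginController.java", "ErrorController.java"}  # assumption

PREAUTH = re.compile(r'@PreAuthorize\s*\(\s*"([^"]*)"\s*\)')
HANDLER = re.compile(r'@(?:Request|Get|Post|Put|Delete)Mapping\s*\(\s*(?:value\s*=\s*)?"([^"]*)"')
CLASS_DECL = re.compile(r"\bclass\s+\w+")
# Expression methods Spring Security provides out of the box (leading call
# only); anything else needs a custom expression root or fails at evaluation.
BUILTIN = re.compile(r"^(hasRole|hasAnyRole|hasAuthority|hasAnyAuthority|isAuthenticated|"
                     r"isAnonymous|isFullyAuthenticated|isRememberMe|permitAll|denyAll|"
                     r"hasPermission|hasIpAddress)\s*\(")


def scan(name, src):
    """Report whether one controller source declares access control."""
    m = CLASS_DECL.search(src)
    cls_start = m.start() if m else len(src)
    rules = [r.group(1) for r in PREAUTH.finditer(src)]
    class_rules = [r.group(1) for r in PREAUTH.finditer(src) if r.start() < cls_start]
    unprotected, handlers = [], 0
    for h in HANDLER.finditer(src):
        handlers += 1
        # Annotation stack of this method: from the previous '{', '}' or ';'
        # up to the method body, so annotation order does not matter.
        start = max(src.rfind(c, 0, h.start()) for c in "{};") + 1
        end = src.find("{", h.end())
        window = src[start:end if end != -1 else len(src)]
        if not class_rules and not PREAUTH.search(window):
            unprotected.append(h.group(1))
    if not rules and name in PUBLIC_CONTROLLERS:
        result = "PUBLIC"
    elif class_rules or (handlers and not unprotected and rules):
        result = "PRESENT"
    elif rules:
        result = "PARTIAL"
    else:
        result = "MISSING"
    warnings = [f"{r} is not a built-in Spring Security expression"
                for r in rules if not BUILTIN.match(r)]
    return {"file": name, "result": result,
            "annotation": f'@PreAuthorize("{rules[0]}")' if rules else "MISSING",
            "unprotected": unprotected, "warnings": warnings}


def scan_all(sources):
    return [scan(name, src) for name, src in sorted(sources.items())]


def security_score(report):
    """Monkey-style 0..100 score: share of non-public controllers fully covered."""
    graded = [r for r in report if r["result"] != "PUBLIC"]
    if not graded:
        return 100
    return round(100 * sum(r["result"] == "PRESENT" for r in graded) / len(graded))


if __name__ == "__main__":
    report = scan_all(SOURCES)
    for r in report:
        print(f'{r["file"]:36} {r["result"]:8} {r["annotation"]}', *r["unprotected"], *r["warnings"])
    print("Security:", security_score(report))
```

The per-method window is what turns this from a grep into a sensor: a controller with one annotated handler and three bare ones reads as protected to `grep -c PreAuthorize`, but is reported here as PARTIAL with the unprotected paths listed.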
Known Vulnerable Libraries Sensor
Data source: Libraries · Technique: SAST · Experiment style: Negative · Environment: CI
Run DependencyCheck during every build (and do a build once a month even if nothing changed, so that CVEs published after the last build against libraries you already ship still get reported)
CSRF Defense Sensor
Data source: HTTP · Technique: Passive · Experiment style: Positive · Environment: QA
• Run tests through ZAP
• ZEST script to check the CSRF token
• Get results via the ZAP REST API
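The passive form of this sensor can be reproduced without ZAP by running the same checks over captured test traffic. The following added example (not the ZEST script from the talk) takes a constructed capture of QA requests plus the per-session tokens the application issued, and reports state-changing requests with no token, with a token issued to another session, or with the token passed in the URL, plus parameterised GETs to paths the suite otherwise POSTs to. The header and field names, the traffic and the session-to-token table are assumptions of this example.

```python
"""CSRF defense sensor, passive and positive: watch QA test traffic and
confirm that every state-changing request carries a synchronizer token bound
to the session that sent it.

Added example, not the ZAP/ZEST check from the talk.  TRAFFIC, ISSUED and
the "csrf_token" / "X-CSRF-Token" names are constructed assumptions about
what a proxy would capture during a test run.
"""
from urllib.parse import parse_qs, urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
FORM_FIELD, HEADER = "csrf_token", "x-csrf-token"

# Tokens the application issued per session (constructed).
ISSUED = {"sess-1": "tok-A1", "sess-2": "tok-B2"}

# Constructed capture of requests made during a QA run.
TRAFFIC = [
    {"method": "GET", "url": "/WebGoat/lesson?Screen=1", "session": "sess-1", "headers": {}, "form": {}},
    {"method": "POST", "url": "/WebGoat/attack", "session": "sess-1", "headers": {},
     "form": {"csrf_token": "tok-A1", "amount": "100"}},
    {"method": "POST", "url": "/WebGoat/transfer", "session": "sess-1", "headers": {},
     "form": {"amount": "5000", "to": "mallory"}},
    {"method": "POST", "url": "/WebGoat/transfer", "session": "sess-2", "headers": {},
     "form": {"csrf_token": "tok-A1", "amount": "1"}},
    {"method": "DELETE", "url": "/WebGoat/message/7", "session": "sess-2",
     "headers": {"X-CSRF-Token": "tok-B2"}, "form": {}},
    {"method": "POST", "url": "/WebGoat/profile?csrf_token=tok-B2", "session": "sess-2", "headers": {}, "form": {}},
    {"method": "GET", "url": "/WebGoat/transfer?amount=50&to=mallory", "session": "sess-1", "headers": {}, "form": {}},
]


def token_of(req):
    """Locate the token: header first, then form body, then (weakest) URL query."""
    headers = {k.lower(): v for k, v in req["headers"].items()}
    if HEADER in headers:
        return headers[HEADER], "header"
    if FORM_FIELD in req["form"]:
        return req["form"][FORM_FIELD], "form"
    query = parse_qs(urlsplit(req["url"]).query)
    if FORM_FIELD in query:
        return query[FORM_FIELD][0], "url"
    return None, None


def _finding(req, problem):
    return {"method": req["method"], "url": req["url"], "session": req["session"],
            "TestName": "CSRFToken", "TestResult": problem}


def check_csrf(traffic, issued):
    """One finding per request that fails a check; [] means the defense is
    present and used properly in everything the suite exercised."""
    findings = []
    mutating_paths = {urlsplit(r["url"]).path for r in traffic if r["method"] not in SAFE_METHODS}
    for r in traffic:
        url = urlsplit(r["url"])
        if r["method"] in SAFE_METHODS:
            # Heuristic: a path that is POSTed to elsewhere in the run but also
            # accepts a parameterised GET is a classic CSRF-by-image-tag target.
            if url.path in mutating_paths and url.query:
                findings.append(_finding(r, "state-changing path accepts GET"))
            continue
        token, where = token_of(r)
        if token is None:
            findings.append(_finding(r, "missing token"))
        elif token != issued.get(r["session"]):
            findings.append(_finding(r, "token not bound to session"))
        elif where == "url":
            findings.append(_finding(r, "token in URL (leaks via Referer and logs)"))
    return findings


def verdict(findings):
    return "PASS" if not findings else "FAIL"


if __name__ == "__main__":
    results = check_csrf(TRAFFIC, ISSUED)
    for f in results:
        print(f'{f["method"]:6} {f["url"]:40} {f["TestResult"]}')
    print(verdict(results))
```

Because this is a positive experiment, an empty finding list only means the defense held for the requests the QA suite actually made; coverage of the sensor is bounded by coverage of the tests that drive it.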
A Junit Sensor?
Injection Sensors
Data source: Data Flow · Technique: IAST · Experiment style: Negative · Environment: Dev
Use code instrumentation tools for data-flow (DFA) vulnerabilities
Architecture, Inventory, and More…
• What would you like to gather from all your applications?
• Inventory? Architecture? Outbound connections? Lines of code? Security components?
• All possible… and all at devops speed and portfolio scale
Security Intelligence Sources
HTTP Traffic
Backend Connections
Configuration Data
Libraries and Frameworks
Data Flow
Control Flow
Vulnerability Trace
Enterprise Controls Dashboard
Columns: Expected Defense | Defense Present? | Defense Correct? | Applications Tested? | Training and Support
Rows (expected defenses): Authentication, Authorization, Cryptography, Validation, Escaping, Tokens, Logging, Intrusion Detection, Random Numbers, Browser Security, Safe API Wrappers, Object Reference Management, Error Handling
Basic Infrastructure
Across DEV, CI, TEST, QA, STAG, OPS and SEC: Puppet deploys a Sensor to each environment, and Raw Results come back to the Monkey Server with rsync.