2. "Security is limiting the speed of innovation"
CHALLENGE: DEVSECOPS IN A FORTUNE 100 COMPANY
CEO: "We are not running an insurance company per se, but a data and technology company"
COMPLIANCE | CLOUD & CONTAINERS | DEVOPS | FALSE POSITIVES | ATTACKS | OPEN SOURCE | LEGACY APPS | OUTSOURCING | DIGITAL TRANSFORMATION
10.
In DEV and TEST: IAST
Config Sensors, Code Sensors, Control Flow Sensors, HTTP Sensors, Backend Sensors, Data Flow Sensors, Library Sensors
In PROD: RASP
Exploit Prevented, Vulnerability Confirmed
(the same Config, Code, Control Flow, HTTP, Backend, Data Flow and Library Sensors)
Interactive Application Security Testing is simply using instrumentation to detect vulnerabilities. USE IT IN DEVELOPMENT.
Runtime Application Self-Protection is simply using instrumentation to detect attacks and prevent exploits. USE IT IN PRODUCTION.
11. MODERN SECURITY (INSIDE-OUT)
DEV -> CI/CD -> PROD
Instrumentation (IAST, SCA, RASP) across the whole stack: RUNTIME, APP SERVER, FRAMEWORKS, LIBRARIES, CUSTOM CODE
Continuous automated security testing and exploit prevention
Instant feedback: vulnerabilities (in DEV), attacks (in PROD)
SECURITY INSTRUMENTATION ACCELERATES INNOVATION
14.
https://www.contrastsecurity.com/
Contrast Community Edition (CE)
AVAILABLE NOW / COMING SOON
A totally free and full-strength application security platform
Protect against attacks with RASP. Find vulnerabilities with IAST. Secure open source with SCA.
Hi Everyone!
My name is Jeff Williams
Great to be back at SpringOne!
I've spent the last 25 years in software and security... and I'm incredibly excited to talk to you about security instrumentation and what you can do with it today.
Ultimately, I believe security observability is the key to bringing security into DEVOPS.
=====================
TITLE: Practical DevSecOps Using Security Instrumentation
FORMAT: A 25-minute presentation + 15 minutes of questions in a separate room.
ABSTRACT: The traditional "outside in" scanning and firewalling approach to application security has failed. After decades of attempts to improve software security, vulnerability rates are still staggering while attacks are increasing in volume and severity. We need a new approach to security that doesn't slow development or hamper innovation. In this talk, we'll show how you can ensure software security from the "inside out" by leveraging the power of software instrumentation. Unlike scanning and firewalling, this approach establishes a safe and powerful way for development, security, and operations teams to collaborate. In this talk, we'll show how software security instrumentation works, how it's being used in many organizations, and what the future holds for DevSecOps.
The CEO of a Fortune 100 insurance company recently said... they're a data and technology company that happens to sell insurance.
But they were struggling with a ton of challenges around appsec.
SAST and DAST were fully automated, but scans were still taking over two hours and producing "crappy" results.
No value despite spending immense hours automating security.
Their CIO shared with me that "security is limiting the speed of innovation." He complained about security being "impedance" and said security is adding story points to everything they do.
And it makes sense when you dig in.
Every tool you run
All these scanners and firewalls â SAST, DAST, SCA, and WAF generate both true and false positives
So you need experts to review them ALL.
All those experts in the critical path slow innovation. They SLOW the flow of value to customers.
And so, not surprisingly, most organizations do the minimum.
Security cannot keep up with software: the economics are BROKEN.
IT DOESN'T HAVE TO BE THIS WAY.... BUT
WE HAVE TO FIX THIS PICTURE. CHANGE THE ECONOMICS.
This is the 94-50.... It's an instrumented basketball.
It tells you dribble speed, shot rotation, arc of your shot, makes/misses, and a bunch more.
It also has a bunch of drills and metrics.
I've been playing basketball for a LONG time.
After one hour, the 94-50 let me know I was shooting too flat. Amazing.
With an instrumented ball, the role of the coach changes. They're not involved in every drill. They can be much more strategic.
They can scale.
All it took was a few sensors directly in the basketball.
It's the same in medicine and other fields: instrumentation changes the economics.
GREAT NEWS!!
Instrumenting software IS EASY!! It's amazingly powerful.
We add an agent to the application. Not an OS-level agent. For Java it's a jar file.
As the code loads, the agent SURGICALLY adds sensors to exactly the right methods.
We can record and analyze the telemetry from these sensors to keep an eye on everything in the software.
The only limit is your imagination.
I'm going to show you three things you can do today!
Imagine you have a friend that lives inside your code. They have access to the code, the HTTP traffic, the libraries, the configuration, the data flow, backend connections, everything.
Anytime your code steps out of line, your friend sends you an alert with ALL the details.
Here's the cool thing.
You don't have to attack your application.... Just do normal testing.
If your friend sees untrusted data flow through the application into a SQL query without being escaped or parameterized.... he shouts out "HEY, SQL INJECTION!"
You don't need to be an expert, and you don't need to exploit anything.
ANYONE can be a pentester with a smart enough agent!
It's not that hard to write your own instrumentation.... But to make it easier,
I created an open source platform so that you can create sensors quickly and easily without any coding.
The Java Observability
You just add this agent to your application.
No code changes. No experts. Just a heads-up on EVERYWHERE you're using a non-parameterized query.
And USE IT NORMALLY! You don't need to know anything about security.
Simple, safe, and remarkably effective, without any code changes, for all the apps.
You donât have to write all this stuff yourself.
Although you certainly CAN
But there are many products in the market that use instrumentation for security testing and protection.
IAST is...
RASP is....
DSCA too!!!
Detecting a vulnerability and preventing an exploit actually aren't very difficult.
Like how seeing an open window isn't that different from closing it when an attacker tries to break in.
It's totally insane to have two totally different technologies to do this same thing.
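An added example of the two preceding points (the "heads-up on every non-parameterized query" from normal testing, and "detect a vulnerability / prevent an exploit" being one sensor with two actions). This is my own Python sketch, not Contrast's agent and not code from the talk: a Tainted string stands in for what an HTTP sensor would mark on request entry, a wrapped sqlite3 cursor stands in for the SQL sink a Java agent would instrument at class-load time, and the same sensor either reports (IAST, DEV/TEST) or blocks (RASP, PROD) depending on its mode. The users table, the lookup_user_* functions, the alters_structure heuristic and all inputs are constructed for illustration; a real agent propagates taint through string-building at the bytecode level and compares query token structure rather than scanning for quote characters.

```python
import sqlite3
import traceback


class Tainted(str):
    """str carrying the spans that came from an untrusted source (e.g. an HTTP
    parameter). An HTTP sensor would create these; the demo does it by hand.
    '+' propagates the spans; f-strings/str.format() would drop them in this toy,
    which is why real agents instrument the string-building methods themselves."""
    def __new__(cls, value, ranges=None):
        obj = str.__new__(cls, value)
        obj.ranges = ranges if ranges is not None else [(0, len(value))]
        return obj

    def __add__(self, other):
        n = len(self)
        tail = [(a + n, b + n) for a, b in getattr(other, "ranges", [])]
        return Tainted(str.__add__(self, other), list(self.ranges) + tail)

    def __radd__(self, other):  # plain_str + Tainted lands here (subclass wins)
        n = len(other)
        return Tainted(str.__add__(other, self), [(a + n, b + n) for a, b in self.ranges])


def alters_structure(sql, ranges):
    """Crude stand-in for the tokenizer comparison a real RASP does: does an
    untrusted span escape a string literal or start a comment/second statement?"""
    for a, b in ranges:
        piece = sql[a:b]
        if any(c in piece for c in "'\";") or "--" in piece or "/*" in piece:
            return True
    return False


class SqlSensor:
    """Sensor on the SQL sink. mode="detect" = IAST: record the vulnerability and
    let the query run. mode="protect" = RASP: same sensor, same data, but block
    when the untrusted data changes query structure (an exploit is in progress)."""
    def __init__(self, mode="detect"):
        assert mode in ("detect", "protect")
        self.mode = mode
        self.findings = []

    def check(self, sql, params):
        ranges = getattr(sql, "ranges", None)
        if not ranges:
            return  # trusted query text; untrusted *bound parameters* are fine
        # Vulnerability: untrusted data reached the query text unparameterized.
        # Recorded even for benign input, so ordinary functional tests find it.
        self.findings.append({
            "rule": "sql-injection",
            "query": str(sql),
            "untrusted": [sql[a:b] for a, b in ranges],
            "stack": "".join(traceback.format_stack(limit=5)),  # makes it actionable
        })
        if self.mode == "protect" and alters_structure(sql, ranges):
            raise PermissionError("RASP: blocked SQL injection attempt")


class SensedCursor(sqlite3.Cursor):
    def execute(self, sql, params=()):
        self.connection.sensor.check(sql, params)
        return super().execute(sql, params)


class SensedConnection(sqlite3.Connection):
    """Stand-in for the agent: every cursor from this connection is sensed."""
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.sensor = SqlSensor()

    def cursor(self, factory=SensedCursor):
        return super().cursor(factory=factory)

    def execute(self, sql, params=()):
        return self.cursor().execute(sql, params)


def open_db(mode):
    conn = sqlite3.connect(":memory:", factory=SensedConnection)
    conn.sensor = SqlSensor(mode)
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")  # constructed sample data
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn


# Hypothetical application code under test: one path concatenates, one parameterizes.
def lookup_user_vulnerable(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()


def lookup_user_safe(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def run(mode, name):
    """Returns (safe_rows, vulnerable_rows or None if blocked, number_of_findings)."""
    conn = open_db(mode)
    name = Tainted(name)  # what the HTTP sensor would have done on request entry
    safe_rows = lookup_user_safe(conn, name)
    try:
        vuln_rows = lookup_user_vulnerable(conn, name)
    except PermissionError:
        vuln_rows = None
    return safe_rows, vuln_rows, len(conn.sensor.findings)


if __name__ == "__main__":
    print(run("detect", "alice"))         # DEV/TEST, benign input: ([(1,)], [(1,)], 1)
    print(run("protect", "' OR '1'='1"))  # PROD, RASP: ([], None, 1)
```

Two things worth noticing when you run it. In detect mode the benign input "alice" already produces a finding, because the rule is "untrusted data reached the query text unparameterized", not "an attack happened"; that is what lets plain functional tests surface the bug without anyone writing an exploit. In protect mode the same benign request is still allowed through and only the structure-changing payload is blocked, which is the property a RASP needs to stay on in production without breaking legitimate users.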
Modern Security is different.
First, we will test the entire fully assembled application stack, not source code and components separately.
We will use security instrumentation to inject sensors directly into the app, so we can measure whatâs actually happening. This is entirely automated. No changes to code or process.
This instrumentation allows us to accurately identify vulnerabilities in real time, so we can feed them to developers and they can fix them without breaking stride.
But it doesn't stop there; the instrumentation continues to work right through the pipeline.
Continuous security testing at every step. Feedback on open source libraries too.
And when the app goes into production, you get visibility into who is attacking and what theyâre trying.
The instrumentation automatically prevents most vulnerabilities from being exploited too.
That means youâre safe while you go back and fix vulnerabilities with no fire drill.
All this means that your pipeline can run full speed.
This is the essence of DEV-SEC-OPS. We're using the power of security instrumentation to create harmony between security, development, and operations teams. We fixed the broken economics of software security and now security contributes to flow.
Application security isn't hopeless.
I'm not saying that technology alone can solve our security issues.
Good security requires the right mix of culture, people, process, and technology.
But security instrumentation can create a PLATFORM where development and security can FINALLY work together.
That's the key to getting "SECURITY CODE" into your production apps,
and ultimately the key to delivering innovation and value faster.
If youâre interested in trying security instrumentation on your apps...
I'm VERY proud to tell you that well over 2000 organizations are already using CONTRAST Community Edition.
It's fantastic for Spring apps, and you can use our Pivotal tile.
It's totally free and full strength forever, for ONE APP.
Please reach out and let me know what you think.
Now I'd love to take any questions you might have about anything.