Practical DevSecOps Using Security Instrumentation
âąAls PPTX, PDF herunterladenâą
0 gefĂ€llt mirâą337 views
SpringOne 2020 Practical DevSecOps Using Security Instrumentation Jeff Williams, CTO & Co-Founder at Contrast Security
Empfohlen
Empfohlen
Weitere Àhnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ăhnlich wie Practical DevSecOps Using Security Instrumentation
Ăhnlich wie Practical DevSecOps Using Security Instrumentation (20)
Mehr von VMware Tanzu
Mehr von VMware Tanzu (20)
KĂŒrzlich hochgeladen
KĂŒrzlich hochgeladen (20)
Practical DevSecOps Using Security Instrumentation
- 1. PRACTICAL DEVSECOPS USING SECURITY INSTRUMENTATION JEFF WILLIAMS, COFOUNDER AND CTO @PLANETLEVEL SPRINGONE 2020
- 2. âSecurity is limiting the speed of innovationâ CHALLENGE: DEVSECOPS IN A FORTUNE 100 COMPANY CEO â âWe are not running an insurance company per se, but a data and technology companyâ COMPLIANCE CLOUD & CONTAINERS DEVOPS FALSE POSITIVES ATTACKS OPEN SOURCE LEGACY APPSOUTSOURCING DIGITAL TRANSFORMATION
- 3. TRADITIONAL SECURITY (OUTSIDE â IN) LIBRARIES CUSTOM CODE SECURITY BACKLOG TRADITIONAL APPSEC IS KILLING INNOVATION
- 5. 5 WHAT IS SECURITY INSTRUMENTATION? Platform Agent Loader ClassClassClass ClassClassClass Transformer Original Code Instrumented Code Add sensors here! Run instrumented code!
- 6. 6 SECURITY SPECIALISTS TRANSLATE NEW THREATS INTO RULES MEET YOUR NEW SECURITY âFRIENDâ ON THE INSIDE! INSTRUMENTA TION PROVIDES INSTANT SECURITY FEEDBACK DEVELOPER USES APPLICATION NORMALLY, GETS INSTANT FEEDBACK
- 7. 7 FREE OPEN SOURCE INSTRUMENTATION: THE JAVA OBSERVABILITY TOOLKIT (JOT) https://github.com/planetlevel/jot
- 9. 9 DEMO: PREVENTING EXPRESSION LANGUAGE INJECTION ATTACKS WITH INSTRUMENTATION! Runtime Protection!
- 10. 10 In DEV and TEST RAS P Config Sensors Code Sensors Control Flow Sensors HTTP Sensors Backend Sensors Data Flow Sensors Library Sensors IAST In PROD â Exploit Prevented Vulnerability Confirmed Config Sensors Code Sensors Control Flow Sensors HTTP Sensors Backend Sensors Data Flow Sensors Library Sensors Interactive Application Security Testing is simply using instrumentation to detect vulnerabilities. USE IT IN DEVELOPMENT. Runtime Application Self- Protection is simply using instrumentation to detect attacks and prevent exploits. USE IT IN PRODUCTION
- 11. PROD Continuous automated security testing and exploit prevention Instant Feedback Attacks MODERN SECURITY (INSIDE â OUT) DEV RUNTIME APP SERVER FRAMEWORKS LIBRARIES CUSTOM CODE Vulnerabilities Instrumentation (IAST, SCA, RASP) RUNTIME APP SERVER FRAMEWORKS LIBRARIES CUSTOM CODE SECURITY INSTRUMENTATION ACCELERATES INNOVATION CI/CD
- 12. SECURITY INSTRUMENATI ON PROVIDES A 40X IMPROVEMENT IN MTTR OVER SAST â SAST â IAST â IAST (BELOW AVERAGE BACKLOG) * DATA FROM CONTRAST 2020 APPSEC OBSERVABILITY REPORT AND VERACODE 2020 SOSS REPORT
- 14. 14 https://www.contrastsecurity.com/ ce C O M M U N I T Y E D I T I O N AVAILABLE NOW COMING SOON A totally free and full-strength application security platform Protect against attacks with RASP Find vulnerabilities with IAST Secure open-source with SCA
- 15. ASK ME ANYTHING JEFF WILLIAMS, COFOUNDER AND CTO @PLANETLEVEL
Hinweis der Redaktion
- Hi Everyone! My name is Jeff Williams Great to be back at SpringOne! Iâve spent the last 25 years in software and security⊠and Iâm incredibly excited to talk to you today about security instrumentation and what you can do with it today. Ultimately, I believe security observability is the key bringing security into DEVOPS. ===================== TITLE: Practical DevSecOps Using Security Instrumentation  FORMAT: A 25 minute presentation + 15 mins questions in a separate room.  ABSTRACT: The traditional âoutside inâ scanning and firewalling approach to application security has failed. After decades of attempts to improve software security, vulnerability rates are still staggering while attacks are increasing in volume and severity. We need a new approach to security that doesnât slow development or hamper innovation. In this talk, weâll show how you can ensure software security from the âinside outâ by leveraging the power of software instrumentation. Unlike scanning and firewalling, this approach establishes a safe and powerful way for development, security, and operations teams to collaborate. In this talk, weâll show how software security instrumentation works, how itâs being used in many organizations, and what the future holds for DevSecOps. Â
- The CEO of a Fortune 100 insurance company recently saidâŠ.theyâre a data and technology company that happens to sell insurance. But they were struggling with a ton of challneges around appsec. SAST and DAST were fully automated, but scans still taking over two hours and producing âcrappyâ results No value despite spending immense hours to automate security Their CIO shared with me that âsecurity is limiting the speed of innovation.â He complained about security being âimpedenceâ â and said security is adding story points to everything they do.
- And it makes sense when you dig in. Every tool you run All these scanners and firewalls â SAST, DAST, SCA, and WAF generate both true and false positives So you need an experts to review them ALL. All those experts in the critical path slow innovation. SLOW the flow of value to customers. And so not surprisingly, most organizations do the minimum. Security cannot keep up with software â the economics are BROKEN. IT DOESNâT HAVE TO BE THIS WAYâŠ. BUT WE HAVE TO FIX THIS PICTURE CHANGE THE ECONOMICS
- This is the 94-50âŠ. Itâs an instrumented basketball. It tells you dribble speed, shot rotation, arc of your shot, makes/misses, and a bunch more. It also has a bunch of drills and metrics Iâve been playing basketball for a LONG time. After one hour, 94-50 let me know I was shooting too flat. Amazing. With an instrumented ball â the role of the coach changes. Theyâre not involved in every drill. They can be much more strategic. They can scale. All it took was a few sensors directly in the basketball. Itâs the same in medicine and other fields â instrumentation changes the economics.
- GREAT NEWS!! Instrumenting software IS EASY!! Itâs amazingly powerful. We add an agent to the application. Not an OS level agent. For Java itâs a jar file. As the code loads, the agent SURGICALLY adds sensors to exactly right methods. We can record and analyze the telemetry from these sensors to keep an eye on everything in the software. The only limit is your imagination. Iâm going to show you three things you can do today!
- Imagine you have a friend that lives inside your code. They have access to the code, the HTTP traffic, the libraries, the configuration, the data flow, backend connections, everything. Anytime your code steps out of line â your friend sends you an alert with ALL the details. Hereâs the cool thing. You donât have to attack your applicationâŠ. Just do normal testing. If your friend sees untrusted data flow through the application into a SQL query without being escaped or parameerizedâŠ. He shouts out âHEY SQL INJECTIONâ You donât need to be an expert â you donât need to exploit anything. ANYONE can be a pentester with a smart enough agent!
- Itâs not that hard to write your own instrumentationâŠ. But to make it easier, I created an open source platform so that you can create sensors fast and easy without any coding. The Java Observability
- You just add this agent to your application No code changes. No experts. Just a heads up on EVERYWHERE youâre using a non-Parameterized query. And USE IT NORMALLY! You donât need to know anything about security. Simple, safe, and remarkably effective without any code changes for all the apps
- You donât have to write all this stuff yourself. Although you certainly CAN But there are many products in the market that use instrumentation for security testing and protection. IAST is⊠RASP isâŠ. DSCA too!!! Detecting a vulnerability and preventing an exploit actually arenât very diffiuclt. Like how seeing an open window isnât that different from closing it when an attacker tries to break in. Itâs totally insane to have two totally different technologies to do this same thing.
- Modern Security is different. First, we will test the entire fully assembled application stack, not source code and components separately. We will use security instrumentation to inject sensors directly into the app, so we can measure whatâs actually happening. This is entirely automated. No changes to code or process. This instrumentation allows us to accurately identify vulnerabilities in real time, so we can feed them to developers and they can fix them without breaking stride. But it doesnât stop there â the instrumentation continues to work right through the pipeline. Continuous security testing at every step. Feedback on open source libraries too. And when the app goes into production, you get visibility into who is attacking and what theyâre trying. The instrumentation automatically prevents most vulnerabilities from being exploited too. That means youâre safe while you go back and fix vulnerabilities with no fire drill. All this means that your pipeline can run full speed. This is the essence of DEV-SEC-OPS. Weâre using the power of security instrumentation to create harmony between security, development, and operations teams. We fixed the broken economics of software security and now security contributes to flow.
- Application security isnât hopeless  Iâm not saying that technology alone can solve our security issues. Good security requires the right mix of culture, people, process, and technology. But SECINST can create a PLATFORM where development and security can FINALLY work together. Thatâs the key to getting âSECURITY CODEâ into your production apps And ultimately the key to delivering innovation and value faster
- If youâre interested in trying security instrumentation on your apps... Iâm VERY proud to tell you that well over 2000 organizations are already using CONTRAST Community Edition Itâs fantastic for Spring apps and you can use our Pivotal tile. Itâs totally free and full strength forever â for ONE APP. Please reach out and me know what you think. Now Iâd love to take any questions you might have about anything.