Kevin Fealey of Aspect Security will present on automating application security tools to free up security professionals for more important tasks. He will discuss how integrating both open source and commercial security tools into the software development lifecycle as automated "sensors" can provide continuous visibility and real-time intelligence. By automating simple security checks, teams can focus on real security challenges rather than low-hanging fruit. Examples and lessons learned will be shared. The presentation aims to bridge the gap between how development has adopted DevOps practices while security still relies on outdated paradigms.

1. Aspect Security | 9175 Guilford Road, Suite 300 | Columbia, MD 21046 | www.aspectsecurity.com
Automating Your Tools
How to Free Up Your Security Professionals for Actual Security Tasks
Techno Security
06/02/2015

2. Application security that just works
ABOUT ME
Kevin Fealey
Principal Consultant & Practice Lead,
Automation & Integration Services
7 years AppSec experience
Specialties:
• Process efficiency
• Open Source and Commercial Tools
• Automation
©2015 Aspect Security. All Rights Reserved 2

3. Application security that just works
ABOUT YOU
•Developer?
•Part of an AppSec team?
•[Want to] Do Continuous/Rapid Delivery?
©2015 Aspect Security. All Rights Reserved 3

4. Application security that just works
APPLICATION SECURITY VS. NETWORK SECURITY
©2015 Aspect Security. All Rights Reserved 4
Application Layer
– Attacker sends attacks inside
valid HTTP requests
– Custom code is tricked into
doing something it should not
– Security requires software
development expertise, not
signatures
Network Layer
– Firewall, hardening, patching,
IDS, and SSL/TLS cannot
detect or stop attacks inside
HTTP requests
– Security relies on signature
databases
Firewall
Firewall
Databases
LegacySystems
WebServices
Directories
HumanResrcs
Billing
Custom Code
APPLICATION
ATTACK
NetworkLayerApplicationLayer
Accounts
Finance
Administration
Transactions
Communication
Knowledge
Mgmt
E-Commerce
Bus.Functions
Hardened OS
Web Server
App Server

5. Application security that just works
COMMON APPLICATION VULNERABILITIES
©2015 Aspect Security. All Rights Reserved 5
– Injection Flaws
– Broken Account and
Session Management
– Cross Site Scripting Flaws
– Direct Object References
– Web/Application Server
Misconfigurations
– Sensitive Data Exposure
– Broken Access Control
– Cross-Site Request Forgery
– Using Components with
Known Vulnerabilities
– Unvalidated Redirects and
Forwards
■The OWASP Top Ten:

6. Application security that just works
WHY TALK ABOUT APPSEC HERE?
-Many public attacks at the app layer
- SQLi for a ‘data breach’
- Pivot: XSS -> Admin Account Compromise -> ??
- Better understanding of the app layer can
provide better granularity when performing
root cause analysis
- Better understanding of these issues can allow
for more specific remediation guidance
©2015 Aspect Security. All Rights Reserved 6

7. TRADITIONAL APPLICATION SECURITY
©2015 Aspect Security. All Rights Reserved 7
Security Like it’s 1999..

8. Application security that just works
TRADITIONAL APPSEC
©2015 Aspect Security. All Rights Reserved 8
~2 weeks

9. Application security that just works
TRADITIONAL VULNERABILITY MANAGEMENT
©2015 Aspect Security. All Rights Reserved 9
Risk
Accepted

10. UNDERSTANDING THE PROBLEM
©2015 Aspect Security. All Rights Reserved 10

11. Application security that just works
©2015 Aspect Security. All Rights Reserved 11
RECEIVE
NO
SECURITY
AT ALL
Hundreds or thousands of
web applications and web
services
90%
10%
Security teams are
understaffed
RECEIVE
SOME
SECURITY
Development is getting
faster and more abstract
“Security causes rework”
RESULT: SECURITY IS NOT SCALABLE
It’s only getting worse…

12. Application security that just works
ROOT CAUSES
©2015 Aspect Security. All Rights Reserved 12
Development
Production
Security
Oops! Forgot
security…
SDLC

13. Application security that just works
SOLUTION: AUTOMATION
©2015 Aspect Security. All Rights Reserved 13
Make security a part of the
SDLC
Deploy sensors for “continuous
application security”
Hundreds or thousands
of web applications and
web services
RECEIVE
SOME
SECURITY
Widen the security bottleneck
With Security Automation
Provide broad coverage
to more applications
in less time
90%

14. CONTINUOUS APPLICATION SECURITY (CAS)
©2015 Aspect Security. All Rights Reserved 14

15. Application security that just works
TOMORROW: SECURITY SENSORS IN THE SDLC
©2015 Aspect Security. All Rights Reserved 15
Automated, integrated testing and reporting shorten the feedback cycle and
enable security at scale
Design
Develop
Test
Maintenance
Code Sync
Build/Deploy
Scan
Report

16. Application security that just works
COST TO REMEDIATE ISSUES
©2015 Aspect Security. All Rights Reserved 16
$139.00
$1,390.00
$2,780.00
$4,170.00
$-
$500.00
$1,000.00
$1,500.00
$2,000.00
$2,500.00
$3,000.00
$3,500.00
$4,000.00
$4,500.00
Coding Testing Beta Release
Cost to Fix a Vulnerability
Depends on When it is Found
Find an issue in Development vs Test – Save 10x

17. Application security that just works
TOOL AUTOMATION
©2015 Aspect Security. All Rights Reserved 17
Leverage efficiencies of scale and reuse to greatly reduce the amount of time
spent on analysis.
Manual
Scanning Automated
Scanning
Scanning Workflow Activities
Triage
Scan
Scan Configuration
Access Source
Automated scanning allows your security team to spend less time trying to
get the tool to do its job and more time looking for real vulnerabilities

18. Application security that just works
WHAT SENSORS?
©2015 Aspect Security. All Rights Reserved 18

19. Application security that just works
TURN YOU TOOLS INTO SENSORS
Most tools have at least one of the following:
1. Command Line Interface
2. REST APIs
3. Public APIs
©2015 Aspect Security. All Rights Reserved 19

20. Application security that just works
CENTRALIZE SENSOR OUTPUT
20
Application ServerWeb Server Database Server SecurityTools
‘ or 1=1; --
Access Control
Violation! Heartbleed
detected!
Invalid HTTP Request
Data
Central Repository

21. Application security that just works
APPLICATION SECURITY EVENT ALERTS
©2015 Aspect Security. All Rights Reserved 21
Application ServerWeb Server Database Server
‘ or 1=1; --
Central Repository
CAS Dashboard/
GRC tool, etc.

22. Application security that just works
CONTINUOUS APPLICATION SECURITY
©2015 Aspect Security. All Rights Reserved 22
Real-Time Actionable
Security Intelligence
for:
- Developers
- Security Teams
- Managers
- Executives

23. Application security that just works
BENEFITS OF SECURITY DASHBOARDS
Understand your true risk at the application layer
Profile applications & development teams for continuous
improvement
Consolidated data in the event of a breach
Breed security culture by making security visible
©2015 Aspect Security. All Rights Reserved 23

24. Application security that just works
NOW WHAT?
• Develop/Enhance sensors
• Track security trends via dashboards
• Research
• Threat Models/Architecture Reviews/Remediation Guidance
• Spread security culture
Security Team’s Job:
©2015 Aspect Security. All Rights Reserved 24
24/7 Security

25. Sweet new pool table!
What Good is this Tool? 25
Where should we put it?

26. Application security that just works
BEFORE YOU DEVELOP A DASHBOARD
Define a security model that fits your business
• All encryption = AES, no CBC or ECB
• All external/internal connections use SSL
• Use defined secure libraries
Start small and grow CAS program over time
©2015 Aspect Security. All Rights Reserved 26

27. Application security that just works
THANK YOU!
Kevin Fealey | @secfealz
Kevin.Fealey@AspectSecurity.com
www.AspectSecurity.com
Questions? Feedback?
©2015 Aspect Security. All Rights Reserved 27

28. Application security that just works
DESCRIPTION
Tuesday, June 2
1:30PM - 2:20PM
Automating Your Tools: How to Free Up Your Security Professionals for Actual Security Tasks
Manual application security testing alone doesn't cut it anymore -- scanning with SAST, DAST, and IAST
tools is necessary to achieve security at portfolio scale; but as agile development practices become
more popular, tool-assisted security reviews used as gates to production become more disruptive and
expensive. While development teams evolve toward continuous release and deployment, the security
industry continues to use the same paradigms developed 15 years ago. If organizations hope to
produce more secure code at DevOps speed, something has to change.
This session will describe how many of the application security tasks performed manually today can be
automated to allow security professionals to look for novel security problems, rather than just low-
hanging fruit. I'll explain 1) How open source and commercial tools can add value when integrated into
the development lifecycle; 2) How using security tools as automated sensors can improve security
visibility and provide real-time actionable intelligence; and 3) How automating simple security tasks
can free up security teams to work on real security challenges. We'll also describe some common
pitfalls when incorporating security into development, as well as real-world solutions learned from our
work in this area over the past 6 years.
©2015 Aspect Security. All Rights Reserved 28