AppSec at DevOps Speed and Portfolio Scale OWASP... · Application Security at DevOps Speed and...
![Page 1: AppSec at DevOps Speed and Portfolio Scale OWASP... · Application Security at DevOps Speed and Portfolio Scale Jeff Williams @planetlevel Contrast Security. OWASP XSS Prevention](https://reader034.fdocuments.in/reader034/viewer/2022042220/5ec6dec92dfa263589408060/html5/thumbnails/1.jpg)
Application Security at
DevOps Speed and Portfolio Scale
Jeff Williams @planetlevel
Contrast Security
Page 2
OWASP XSS Prevention Cheat Sheet
1,000,000 Page Views!
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Page 3
About Me
Page 4
Application Security Is Healthcare
Page 5
Sensors Are Revolutionizing Healthcare
Instrumenting the body means continuous real-time monitoring…
Not periodic checkups
Your phone will know you’re sick before you do!
Page 6
Modern Software Development…
Javascript/Ajax
SOAP/REST
Serialized Objects
Raw Socket
Inversion of Control
Libraries and Frameworks
Aspect Oriented Programming
Agile
DevOps
Cloud/Mobile
Traditional appsec tools and techniques simply can’t handle ANY of these
Page 7
AppSec Progress
Security
Software
Continuous AppSec
Page 8
Starting Over
Page 9
Defining “Portfolio Scale”
The right defenses for every application are…
Present, Correct, Used Properly
Page 10
Defining “DevOps Speed”
Application security happens continuously and in real time
Page 11
One Thing at a Time…
Is my portfolio protected against clickjacking?
Page 12
Gathering Intelligence
Controller
Presentation
Business Functions
Data Layer
Third Party Libraries
Application Server
Platform Runtime
Framework
Operating System
Page 13
Security Intelligence Sources
HTTP Traffic
Backend Connections
Configuration Data
Libraries and Frameworks
Data Flow
Control Flow
Vulnerability Trace
Page 14
Designing a Clickjacking Sensor
Experiment Style: Positive, Negative, Intelligence
Environment: Dev, CI, Test, QA, Staging, Security, Prod
Analysis Technique: Manual, SAST, DAST, IAST, Passive, JUnit
Intel Sources: Code, HTTP, Configuration, Data Flow, Control Flow, Libraries, Connections, Sampling
Choose based on:
• Speed
• Accuracy
• Feedback
• Scalability
• Ease of Use
• Cost
Page 15
Continuous ClickJacking Defense Verification
A new HTTP sensor to verify that the X-Frame-Options header is set to DENY or SAMEORIGIN on every web page
Dynamic, Interactive, JUnit, Manual, Static
DEV, CI, TEST, QA, STAG, OPS, SEC
Data Warehouse: Application Security Intelligence
Page 16
Instrumentation
Internal Networks
Ad-Hoc Servers
External Facing Cloud
Instrument your applications and they report their security… regardless of your organizational or technical structure.
Page 17
Run Against Entire Portfolio
Application Name Result Grade
TBMarks 88% A
RPC 0% F
CaseyMotors 0% F
Financials 72% C
International Reporting 0% F
…
“Financials” ClickJacking Defense – C (72%)
/home DENY
/home/error.jsp -
/home/index.jsp DENY
/account SAME-ORIGIN
/account/report.jsp -
…
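An added example of the clickjacking sensor the slides describe (not the speaker's or Contrast's code): it inspects captured response headers per page, accepts X-Frame-Options DENY or SAMEORIGIN (or a CSP frame-ancestors directive, which browsers honour in preference to X-Frame-Options), and grades each application by the fraction of protected pages, as in the portfolio table above. The sample responses are constructed inline and the letter-grade thresholds are an assumption.

```python
"""Added example (not from the slides): a portfolio-wide clickjacking
defense sensor built around the X-Frame-Options check described above.
Each application is graded by the share of its pages that send
X-Frame-Options: DENY or SAMEORIGIN (or a CSP frame-ancestors directive,
which browsers honour in preference to X-Frame-Options). Sample responses
are constructed inline; the grade thresholds are an assumption."""

PASSING_XFO = {"DENY", "SAMEORIGIN"}


def framing_defense(headers):
    """Return the framing defense a page sends, or '-' when unprotected.

    Header names match case-insensitively. Values a browser does not recognise
    (e.g. 'SAME-ORIGIN', 'ALLOWALL') count as unprotected, because browsers
    silently ignore an X-Frame-Options header they cannot parse."""
    lowered = {name.lower(): value for name, value in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            if sources and "*" not in sources:  # 'frame-ancestors *' allows any framer
                return "CSP " + " ".join(parts)
    xfo = lowered.get("x-frame-options", "").strip().upper()
    return xfo if xfo in PASSING_XFO else "-"


def grade(percent):
    """Letter grade; thresholds assumed (they fit the slide's 88% A, 72% C, 0% F)."""
    for floor, letter in ((85, "A"), (80, "B"), (70, "C"), (60, "D")):
        if percent >= floor:
            return letter
    return "F"


def score_application(pages):
    """pages: {path: response headers}. Returns (percent, grade, {path: result})."""
    results = {path: framing_defense(hdrs) for path, hdrs in pages.items()}
    protected = sum(1 for r in results.values() if r != "-")
    percent = round(100 * protected / len(results)) if results else 0
    return percent, grade(percent), results


def portfolio_report(portfolio):
    """{application: (percent, grade)} across the whole portfolio."""
    return {app: score_application(pages)[:2] for app, pages in portfolio.items()}


# Constructed sample: response headers captured per page for two applications.
SAMPLE_PORTFOLIO = {
    "Financials": {
        "/home": {"X-Frame-Options": "DENY"},
        "/home/error.jsp": {"Content-Type": "text/html"},           # no defense at all
        "/home/index.jsp": {"x-frame-options": "deny"},             # case differs, still valid
        "/account": {"X-Frame-Options": "SAMEORIGIN"},
        "/account/report.jsp": {"X-Frame-Options": "SAME-ORIGIN"},  # misspelt: browsers ignore it
        "/account/csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    },
    "RPC": {"/rpc": {}, "/rpc/status": {}},
}

if __name__ == "__main__":
    for app, (percent, letter) in portfolio_report(SAMPLE_PORTFOLIO).items():
        print(f"{app:<12} {percent:>3}% {letter}")
    for path, result in score_application(SAMPLE_PORTFOLIO["Financials"])[2].items():
        print(f"  {path:<22} {result}")
```

Feeding it real captures means recording the response headers of every page the QA or staging run touches, which is what makes the check a sensor rather than a one-off scan.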
Page 19
Continuous AppSec Dashboard
Page 20
One Small Step Towards Continuous AppSec
• We transformed clickjacking verification to devops speed and portfolio scale!
Before                 After
Annual pentest         Continuous monitoring
Negative signatures    Positive verification
One app at a time      Portfolio wide
Okay, clickjacking. Big deal.
Page 21
More Sensors…
I want a sensor to verify…
My business logic makes access control checks
My libraries are free from known vulnerabilities
My forms are not susceptible to CSRF attacks
My interpreters are protected against injection
My encryption is implemented correctly
My application has no unknown connections
And much more…
Page 22
Source File    Result (@PreAuthorize)
TestSBMBugtrackerController.java @PreAuthorize("hasAnyRole('ROLE_BUG_CREATE','ROLE_BUG_EDIT')")
UpdateSBMBugtrackerController.java @PreAuthorize("hasRole('ROLE_BUG_EDIT')")
SelectBugtrackerController.java @PreAuthorize("hasRole('ROLE_BUG_CREATE')")
CheckAppStatusController.java MISSING
ViewConsoleEventsController.java @PreAuthorize("hasRole('ROLE_CONSOLE_VIEW')")
DeleteEngineConfigController.java @PreAuthorize("hasRole('ROLE_ENGINE_PROFILES')")
DownloadEngineController.java @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')")
EngineConfigController.java @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')")
ErrorController.java MISSING
InboxController.java @PreAuthorize("isAuthenticated()")
InstallationWizardController.java @PreAuthorize("isAuthenticated()")
InviteAFriendController.java @PreAuthorize("isAuthenticated()")
LoginController.java MISSING
DeleteMessageController.java @PreAuthorize("isAuthenticated()")
GetSystemMessagesController.java @PreAuthorize("isAdmin()")
Access Control Intelligence Sensor (Control Flow, SAST, Intelligence, CI)
Page 23
Generated Access Control Matrix from Code
Roles (columns): ROLE_APPLICATION_DELETE, ROLE_APPLICATION_GROUP, ROLE_APPLICATION_REET, ROLE_TRACES_DELETE, ROLE_TRACES_SENDMAIL, ROLE_TRACE_SEARCH, ROLE_ENGINE_DOWNLOAD, ROLE_ENGINE_PROFILES, ROLE_CONSOLE_VIEW, ROLE_BUGTRACKER_VIEW, ROLE_BUGTRACKER_CREATE, ROLE_BUGTRACKER_DELETE, ROLE_AUDIT_VIEW, ROLE_ENGINE_ACTIVITY, ROLE_LIBRARY_SEARCH
Controllers (rows), marked O under each role they require:
TracesGetBugtrackersController.java O
TracesGetUsersController.java O
TracesJIRAExportController.java O
TracesMergeController.java O
TracesSaveStatusController.java O
TracesSearchController.java O
TracesSendToBugtrackersController.java
TracesTreeController.java O
TracesViewerController.java O
TraceViewerWorkingNotificationController.java O
ViewTracesController.java O
UpdateAppConfigurationController.java O
BannerController.java O
BillingAccountActivityController.java O O
BillingApplyPaymentController.java O
BillingAppsController.java O
BillingExecuteOrderController.java O
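An added example of the source-level access control sensor behind the two tables above (the per-controller @PreAuthorize report and the controller-by-role matrix); it is not the speaker's or Contrast's code. It scans Spring MVC controller sources for @PreAuthorize, reports files without one as MISSING, and builds the role matrix from the roles named in hasRole/hasAnyRole expressions. The Java sources are constructed inline and the controller and role names are illustrative.

```python
"""Added example (not from the slides): a source-level access control sensor
for Spring MVC controllers. It scans each controller source for
@PreAuthorize, reports files with no expression as MISSING, and derives a
controller-by-role matrix from the roles named in hasRole/hasAnyRole
expressions. Sources are constructed inline; names are illustrative."""
import re

PREAUTH_RE = re.compile(r'@PreAuthorize\(\s*"([^"]*)"\s*\)')
ROLE_RE = re.compile(r"'(ROLE_[A-Z0-9_]+)'")

# Constructed sample: file name -> the part of the Java source that matters.
SAMPLE_SOURCES = {
    "TestSBMBugtrackerController.java": """@Controller
        @PreAuthorize("hasAnyRole('ROLE_BUG_CREATE','ROLE_BUG_EDIT')")
        public class TestSBMBugtrackerController { }""",
    "UpdateSBMBugtrackerController.java": """@Controller
        @PreAuthorize("hasRole('ROLE_BUG_EDIT')")
        public class UpdateSBMBugtrackerController { }""",
    "InboxController.java": """@Controller
        @PreAuthorize("isAuthenticated()")
        public class InboxController { }""",
    "CheckAppStatusController.java": """@Controller
        public class CheckAppStatusController {
            @RequestMapping("/status") public String status() { return "ok"; }
        }""",
}

def preauthorize_expressions(source):
    """Every @PreAuthorize expression in a file, class-level or method-level."""
    return PREAUTH_RE.findall(source)

def scan(sources):
    """{file: expression(s) or 'MISSING'}, the per-controller report.
    Caveat: any expression in the file counts as covering the file; a method-level
    annotation guards one handler only, so a stricter sensor pairs each
    @RequestMapping method with its own @PreAuthorize."""
    report = {}
    for name, source in sources.items():
        exprs = preauthorize_expressions(source)
        report[name] = " | ".join(exprs) if exprs else "MISSING"
    return report

def missing(sources):
    """Controllers with no access control expression at all."""
    return sorted(n for n, expr in scan(sources).items() if expr == "MISSING")

def access_matrix(sources):
    """(roles, {controller: {role: 'O' or ''}}). A controller guarded only by
    isAuthenticated() gets an all-blank row, which is itself worth reviewing."""
    roles_by_file = {name: set(ROLE_RE.findall(" ".join(preauthorize_expressions(src))))
                     for name, src in sources.items()}
    roles = sorted(set().union(*roles_by_file.values()))
    matrix = {name: {role: "O" if role in held else "" for role in roles}
              for name, held in roles_by_file.items()}
    return roles, matrix

if __name__ == "__main__":
    for name, expr in scan(SAMPLE_SOURCES).items():
        print(f"{name:<36} {expr}")
    roles, matrix = access_matrix(SAMPLE_SOURCES)
    for name, row in matrix.items():
        print(f"{name:<36} " + "  ".join(f"{row[r]:^{len(r)}}" for r in roles))
```

Run against a real tree, the `sources` dict is filled by reading every `*Controller.java` under the project, and a non-empty `missing()` result is what fails the CI build.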
Page 24
Known Vulnerable Libraries Sensor (Libraries, SAST, Negative, CI)
Run Dependency-Check during every build (and do a build once a month even if nothing changed)
Page 25
CSRF Defense Sensor (HTTP, Passive, Positive, QA)
• Run tests through ZAP
• Zest script to check the CSRF token
• Get results via the ZAP REST API
Page 26
Canonicalization Correctness Sensor (Code, JUnit, Positive, Staging)
Page 27
Injection Sensors (Data Flow, IAST, Negative, Dev)
Use code instrumentation tools for data-flow (DFA) vulnerabilities
Page 28
Architecture, Inventory, and More…
• What would you like to gather from all your applications?
• Inventory? Architecture? Outbound connections? Lines of code? Security components?
• All possible… and all at devops speed and portfolio scale
Page 29
Building Continuous AppSec
Dynamic, Interactive, JUnit, Manual, Static
DEV, CI, TEST, QA, STAG, OPS, SEC
Data Warehouse: Application Security Intelligence
Page 30
Sensors?
How do you know what sensors you need?
1) The OWASP Top Ten?
2) What your tools are good at?
3) What your pentester thinks is important?
4) Actually figure out what matters?
Page 31
[Chart: Applications with at Least One Vulnerability in Category, percentage of applications (0–90%) per vulnerability category, split into Higher Risk and Lower Risk]
Source: Aspect 2013 Global AppSec Risk Report
Page 32
What’s In Your Expected Model?
Expected: Threat Model
Abuse Cases
Policy
Standards…
Requirements
There is no security without a model
Page 33
What Are You Actually Testing?
Actual: Pentest
Code Review
Tools
Arch Review
…
Page 34
Unfortunately…
Actual vs. Expected
Not being tested (aka RISK)
Doesn’t need testing (aka WASTE)
Page 35
Are You Secure?
Secure?
Page 36
Aligning Sensors with Business Concerns
Business Concerns: Data Protection, Fraud, Availability
Defense Strategies: Minimize Sensitive Data, Role Based Access Control, Encrypt Data in Storage and Transit, Logging and Intrusion Detection
Actual Defenses: Full Disk Encryption with TrueCrypt, Programmatic Encryption with ESAPI, TLS Everywhere with Venafi
Sensors: Libraries Present and Up-to-date, Encryption Correctness with JUnit Tests, ESAPI Used Properly
Page 37
Continuous Application Security!
[Diagram: Expected → Actual across the Application Portfolio]
Application security dashboards
Translate “expected” into sensors
New Threats, Business Priorities
Page 38
How to Get Started
Choose a sensor
Build it with developers
Deploy your sensor
Create a dashboard using Excel
Page 39
Transforming AppSec
AppSec Compliance
AppSec Monitoring
AppSec Strategy
AppSec Optimization
AppSec as Business Driver
We will never improve if our only metric is whether we are doing what everyone else is doing
Page 40
Thank You!
Please stop by our booth! @contrastsec
Page 41
Expected: Tracking Coverage
Infrastructure Security
Data Protection
Logging and Accountability
Secure Development
Security Verification
Incident Response
▼ Minimal data collection
▼ …
▼ Strong encryption in storage and transit
▼ All external connections use SSL
▼ All internal connections use SSL
▼ SSL hardened according to OWASP
▼ All highly sensitive data encrypted
▼ Encryption uses standard control
▼ Encryption uses AES, no CBC or ECB
▼ Universal authentication
▼ …
▼ Pervasive access control
▼ …
▼ Injection defenses
▼ Strict positive validation of all input
▼ Use of parameterized interfaces
▼ All parsers hardened
▼ XML parsers set to not use DOCTYPE
▼ Browser set no content sniffing header
▼ Etc…
▼ Use Hibernate and secure coding
▼ Use JQuery and secure coding
▼ Etc…
Page 42
Enterprise Controls Dashboard
Expected Defense    Defense Present?    Defense Correct?    Applications Tested?
Training and Support
Authentication
Authorization
Cryptography
Validation
Escaping
Tokens
Logging
Intrusion Detection
Random Numbers
Browser Security
Safe API Wrappers
Object Reference Management
Error Handling