Aspect Security | 9175 Guilford Road, Suite 300 | Columbia, MD 21046 | www.aspectsecurity.com
Automating Your Tools
How to Free Up Your Security Professionals for Actual Security Tasks
Techno Security
06/02/2015
Application security that just works
ABOUT ME
Kevin Fealey
Principal Consultant & Practice Lead,
Automation & Integration Services
7 years AppSec experience
Specialties:
• Process efficiency
• Open Source and Commercial Tools
• Automation
©2015 Aspect Security. All Rights Reserved 2
ABOUT YOU
• Developer?
• Part of an AppSec team?
• [Want to] Do Continuous/Rapid Delivery?
APPLICATION SECURITY VS. NETWORK SECURITY
Application Layer
– Attacker sends attacks inside valid HTTP requests
– Custom code is tricked into doing something it should not
– Security requires software development expertise, not signatures
Network Layer
– Firewall, hardening, patching, IDS, and SSL/TLS cannot detect or stop attacks inside HTTP requests
– Security relies on signature databases
[Diagram: an application attack passes through the network layer (Firewall, Hardened OS, Web Server, App Server) into the application layer's Custom Code and business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions) and on to back-end systems (Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing)]
COMMON APPLICATION VULNERABILITIES
■ The OWASP Top Ten:
– Injection Flaws
– Broken Account and Session Management
– Cross Site Scripting Flaws
– Direct Object References
– Web/Application Server Misconfigurations
– Sensitive Data Exposure
– Broken Access Control
– Cross-Site Request Forgery
– Using Components with Known Vulnerabilities
– Unvalidated Redirects and Forwards
WHY TALK ABOUT APPSEC HERE?
- Many public attacks at the app layer
  - SQLi for a ‘data breach’
  - Pivot: XSS -> Admin Account Compromise -> ??
- Better understanding of the app layer can provide better granularity when performing root cause analysis
- Better understanding of these issues can allow for more specific remediation guidance
TRADITIONAL APPLICATION SECURITY
Security Like it’s 1999...
TRADITIONAL APPSEC
[Diagram, label: ~2 weeks]
TRADITIONAL VULNERABILITY MANAGEMENT
[Diagram, label: Risk Accepted]
UNDERSTANDING THE PROBLEM
[Diagram: hundreds or thousands of web applications and web services; 90% receive no security at all, 10% receive some security]
– Security teams are understaffed
– Development is getting faster and more abstract
– “Security causes rework”
RESULT: SECURITY IS NOT SCALABLE
It’s only getting worse…
ROOT CAUSES
[Diagram: the SDLC runs from Development to Production; Security sits outside it: “Oops! Forgot security…”]
SOLUTION: AUTOMATION
– Make security a part of the SDLC
– Deploy sensors for “continuous application security”
– Widen the security bottleneck
[Diagram: with security automation, 90% of the hundreds or thousands of web applications and web services receive some security; provide broad coverage to more applications in less time]
CONTINUOUS APPLICATION SECURITY (CAS)
TOMORROW: SECURITY SENSORS IN THE SDLC
Automated, integrated testing and reporting shorten the feedback cycle and enable security at scale
[Diagram: SDLC phases Design, Develop, Test, Maintenance, with a sensor loop of Code Sync -> Build/Deploy -> Scan -> Report]
COST TO REMEDIATE ISSUES
Cost to Fix a Vulnerability Depends on When it is Found
[Chart: cost to fix one vulnerability by the phase in which it is found]
  Coding:   $139.00
  Testing:  $1,390.00
  Beta:     $2,780.00
  Release:  $4,170.00
Find an issue in Development vs Test – Save 10x
TOOL AUTOMATION
Leverage efficiencies of scale and reuse to greatly reduce the amount of time spent on analysis.
[Chart: time spent per scanning workflow activity (Access Source, Scan Configuration, Scan, Triage), Manual Scanning vs Automated Scanning]
Automated scanning allows your security team to spend less time trying to get the tool to do its job and more time looking for real vulnerabilities.
WHAT SENSORS?
TURN YOUR TOOLS INTO SENSORS
Most tools have at least one of the following:
1. Command Line Interface
2. REST APIs
3. Public APIs
CENTRALIZE SENSOR OUTPUT
[Diagram: the Web Server, Application Server, Database Server and Security Tools each emit events (“Invalid HTTP Request”, “‘ or 1=1; --”, “Access Control Violation!”, “Heartbleed detected!”) whose data flows into a Central Repository]
APPLICATION SECURITY EVENT ALERTS
[Diagram: an event such as “‘ or 1=1; --” seen at the Web Server, Application Server or Database Server flows into the Central Repository and on to a CAS Dashboard, GRC tool, etc.]
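The flow the three sensor slides above describe (wrap a tool's CLI or REST output, normalize it into one event format, push it into a central repository, and raise alerts from it), as an added Python example that is not part of this deck or of any Aspect Security tooling. The two scanners, their output formats and the findings are all constructed for illustration.

```python
import json
import re
from dataclasses import dataclass
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)  # frozen -> comparable, so sensor re-runs can be deduplicated
class SecurityEvent:
    tool: str      # sensor that produced the event
    app: str       # application under test
    severity: str  # normalized to low/medium/high/critical
    category: str  # e.g. "SQL Injection"
    detail: str    # location or message used for triage
# Sensor 1 (hypothetical CLI scanner) prints "<SEVERITY> <category> at <location>"
CLI_LINE = re.compile(r"^(?P<sev>[A-Z]+)\s+(?P<cat>.+?) at (?P<loc>\S+)$")
def parse_cli_output(tool, app, text):
    events = []
    for line in text.splitlines():
        m = CLI_LINE.match(line.strip())
        if m:  # banner and progress lines do not match and are skipped
            events.append(SecurityEvent(tool, app, m["sev"].lower(), m["cat"], m["loc"]))
    return events

# Sensor 2 (hypothetical REST API) returns JSON with a 0-10 risk score and no label
def parse_rest_output(tool, app, payload):
    def to_severity(score):
        return ("critical" if score >= 9 else "high" if score >= 7
                else "medium" if score >= 4 else "low")
    return [SecurityEvent(tool, app, to_severity(f["risk"]), f["type"], f["url"])
            for f in json.loads(payload)["findings"]]

def ingest(repository, events):
    """Append events to the central repository; re-running a sensor adds no duplicates."""
    for e in events:
        if e not in repository:
            repository.append(e)
    return repository

def alerts(repository, min_severity="high"):
    """Events at or above the threshold: what the CAS dashboard or GRC feed receives."""
    floor = SEVERITY_RANK[min_severity]
    return [e for e in repository if SEVERITY_RANK[e.severity] >= floor]

# Constructed sample output from both sensors for one application ("billing").
CLI_SAMPLE = ("scanner v1.0 starting\nHIGH SQL Injection at /login?user=\n"
              "MEDIUM Missing Security Headers at /\nscan complete\n")
REST_SAMPLE = json.dumps({"findings": [
    {"risk": 9.1, "type": "Access Control Violation", "url": "/admin"},
    {"risk": 3.0, "type": "Verbose Error Message", "url": "/search"}]})

def build_repository():
    repo = []
    ingest(repo, parse_cli_output("cli-scanner", "billing", CLI_SAMPLE))
    ingest(repo, parse_rest_output("rest-scanner", "billing", REST_SAMPLE))
    ingest(repo, parse_cli_output("cli-scanner", "billing", CLI_SAMPLE))  # re-run
    return repo
```

Plugging in a real tool means writing one more adapter like the two shown; the repository and alert logic stay the same.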
CONTINUOUS APPLICATION SECURITY
Real-Time Actionable Security Intelligence for:
- Developers
- Security Teams
- Managers
- Executives
BENEFITS OF SECURITY DASHBOARDS
– Understand your true risk at the application layer
– Profile applications & development teams for continuous improvement
– Consolidated data in the event of a breach
– Breed security culture by making security visible
NOW WHAT?
Security Team’s Job:
• Develop/Enhance sensors
• Track security trends via dashboards
• Research
• Threat Models/Architecture Reviews/Remediation Guidance
• Spread security culture
24/7 Security
[Cartoon: “Sweet new pool table!” “What good is this tool?” “Where should we put it?”]
BEFORE YOU DEVELOP A DASHBOARD
Define a security model that fits your business:
• All encryption = AES, no CBC or ECB
• All external/internal connections use SSL
• Use defined secure libraries
Start small and grow the CAS program over time
THANK YOU!
Kevin Fealey | @secfealz
Kevin.Fealey@AspectSecurity.com
www.AspectSecurity.com
Questions? Feedback?
DESCRIPTION
Tuesday, June 2
1:30PM - 2:20PM
Automating Your Tools: How to Free Up Your Security Professionals for Actual Security Tasks

Manual application security testing alone doesn't cut it anymore: scanning with SAST, DAST, and IAST tools is necessary to achieve security at portfolio scale; but as agile development practices become more popular, tool-assisted security reviews used as gates to production become more disruptive and expensive. While development teams evolve toward continuous release and deployment, the security industry continues to use the same paradigms developed 15 years ago. If organizations hope to produce more secure code at DevOps speed, something has to change.

This session will describe how many of the application security tasks performed manually today can be automated to allow security professionals to look for novel security problems, rather than just low-hanging fruit. I'll explain 1) how open source and commercial tools can add value when integrated into the development lifecycle; 2) how using security tools as automated sensors can improve security visibility and provide real-time actionable intelligence; and 3) how automating simple security tasks can free up security teams to work on real security challenges. We'll also describe some common pitfalls when incorporating security into development, as well as real-world solutions learned from our work in this area over the past 6 years.


Editor's Notes

1. Source: US Dept. of Commerce, National Institute of Standards & Technology (NIST). "Planning Report 02-3: The Economic Impacts of Inadequate Infrastructure for Software Testing." Technology Program Office, Strategic Planning & Economic Analysis Group. May 2002. www.nist.gov/director/prog-ofc/report02-3.pdf