Filling your AppSec Toolbox Which Tools, When to Use Them, and Why

Page 2

Where Do I Start?

• WAF
• Fuzzing
• IAST
• Pen Testing
• DAST
• SAST
• RASP
• Architecture Risk Analysis
• Threat Modeling
• Training

Page 3

Applications - The Weakest Link in the IT Security Chain

Web application vulnerabilities: XSS and SQL injection exploitations

XSS and SQL injection exploits are continuing in high numbers

[Chart: share of exploits, 0% to 25%, by year 2009 to 2013]

Source: IBM X-Force Threat Intelligence Quarterly, 2014

Web application vulnerabilities

33% of vulnerability disclosures are web application vulnerabilities

Page 4

SQL Injection - Still Reliable For Breaching Applications

Sampling of 2014 attacks

[Chart: attacks by month, January to December, by attack type: XSS, Heartbleed, Physical access, Brute force, Misconfig., Watering hole, Phishing, SQLi, DDoS, Malware, Undisclosed]

SQL injection accounted for 8.4% of attacks in 2014.

Source: IBM X-Force Threat Intelligence Quarterly 1Q 2015

Page 5

Investment Priority - “Security Risks” vs. Your “Spend”

Many clients do not prioritize application security in their environments

[Chart: security risk vs. spending, 5% to 35%, by layer: Application, Data, Network, Human, Host, Physical]

Spending does not equal risk

Source: The State of Risk-Based Security Management, Research Study by Ponemon Institute, 2013

Page 6

Application Security Goal: Build Security In

Earlier Visibility to Vulnerabilities Pays Dividends

Page 7

Application Security Goal: Move “Left” in the SDLC

SDLC phases: Analyze, Design, Implement, Test, Maintain

Relative cost of fixing a defect, from the chart: 1x, 6.5x, 15x, 100x

Source: IBM Systems Sciences Institute

Earlier Visibility to Vulnerabilities Pays Dividends

Page 8

Tools

Page 9

Static Analysis (SAST)

Inside Out View

• Testing of source code or binaries for unknown security vulnerabilities in custom code
• Advantages in buffer overflow, some types of SQL injection
• Provides results in source code

When Used
• First builds
• Continuous in Agile environment

[SDLC Ecosystem diagram: Analyze, Design, Implement, Test, Maintain; cost multipliers 1x, 6.5x, 15x, 100x; Static Analysis highlighted]

Page 10

Dynamic Analysis (DAST)

Outside In View

• Testing of compiled application in a staging environment to detect unknown security vulnerabilities in custom code
• Advantages in injection errors, XSS
• Provides results by URL, must be traced to source

When Used
• Pre-deployment
• Staging environment required

[SDLC Ecosystem diagram: Analyze, Design, Implement, Test, Maintain; cost multipliers 1x, 6.5x, 15x, 100x; Dynamic Analysis highlighted]

Page 11

Interactive Security Testing (IAST)

Outside In – with Benefits

• Runtime analysis
• Instruments the application to monitor behavior during attack

When Used
• QA testing
• Continuous in Agile

[SDLC Ecosystem diagram: Analyze, Design, Implement, Test, Maintain; cost multipliers 1x, 6.5x, 15x, 100x; IAST highlighted]

Page 12

Open Source Vulnerability Management

Identifies all open source to the version level, at any stage of the SDL

Provides information on associated risk
• License Risk
• Security Risk
• Operational Risk

When Used
• Design
• First commit
• Continuous monitoring

[SDLC Ecosystem diagram: Analyze, Design, Implement, Test, Maintain; cost multipliers 1x, 6.5x, 15x, 100x; Open Source Selection, Detection and Notification highlighted]

Page 13

Challenges

Page 14

Software Security Challenges

Growing attack surface: Web, Mobile, Cloud, IoT

New deployment models: Containers

IT and Small Security Teams
• Which apps are people using?
• How do I set internal policy requirements for app security?
• Is my private / sensitive data exposed by apps?
• Who is developing the apps?
• How do we prioritize the work for the resources I have?
• What do we test and how do we test it?
• How do we staff and improve skills and awareness?

Open Source: Increasing Portion of Code Base
• What policies are in place for open source use?
• How are those policies enforced?
• Who is tracking usage for new vulnerabilities?

Page 15

Changing Attack Surface

• Web applications
• Cloud applications and services
• IoT

“If perimeter control is to remain the paradigm of cybersecurity, then the number of perimeters to defend in the Internet of Things is doubling every 17 months.”

Dan Geer | RSA 2015

Page 16

Containers and DevOps

Containers can be vulnerable by virtue of the code that runs inside them

• OSS components running inside containers represent potential attack vectors
• Could cause problems for the application itself
• Could cause more problems if the container is running with the --privileged flag set

Page 17

Open Source Embraced by the Enterprise

OPEN SOURCE
• Needed functionality without acquisition costs
• Faster time to market
• Lower development costs
• Broad support from communities

CUSTOM CODE
• Proprietary functionality
• Core enterprise IP
• Competitive differentiation

Page 18

Recommendations

Page 19

Initial Recommendations

Build Security In

• Don’t “bolt on” security after building software

Move left in the SDLC

• Involve security as early as possible

Measure everything you can

• Baseline allows you to track performance

Page 20

The Right Tools for the Right Code

Security Requirements, Threat Modeling prior to coding

Static and Dynamic Analysis for Custom Code

Black Duck for Open Source
• Preproduction
• SDLC
• Continuous Monitoring

CUSTOM CODE
• SAST
• DAST
• IAST

OPEN SOURCE
• Black Duck

Page 21

The Right Tool at the Right Time

[SDLC Ecosystem diagram: Analyze, Design, Implement, Test, Maintain]

• Security Intelligence (including data sources)
• Open Source Selection, Detection and Notification
• IAST
• Dynamic Analysis
• Static Analysis
• SIEM
• Vulnerability Assessment

Page 22

New Integrated and Secure Development Lifecycle

Phases: REQUIREMENTS, DESIGN, BUILD, TEST, RELEASE, with an Open Source row and a Custom Code row.

REQUIREMENTS
• Open source: OSS Security Requirements
• Custom code: Establish Security Requirements; Create Quality Gates; Risk Assessments

DESIGN
• Open source: OSS Risk Assessment; Guided OSS Selection; OSS Review Board
• Custom code: Establish Design Requirements; Analyze Attack Surface; Threat Modeling

BUILD
• Open source: Broad coverage of Open Source code & snippets; Application Criticality Ranking; OSS Controls (Implement Open Source Security Controls; Non-compliant OSS Identification & Reporting; Correlation with Bills of Material)
• Custom code: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis

TEST
• Open source: OSS Enforcement (Timely OSS Vulnerability Identification & Reporting; Bug Severity; Remediation Advice; Correlation with Bills of Material)
• Custom code: Dynamic Analysis; Fuzz Testing; Attack Surface Review

RELEASE
• Open source: Vulnerability Monitoring (Timely Vulnerability Identification & Reporting; Remediation & Mitigation Advice)
• Custom code: Incident Response Plan; Final Security Review; Release Archive
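The open source row of this lifecycle (and the Open Source Vulnerability Management slide earlier) comes down to correlating advisory data with a bill of materials and reporting both vulnerable and non-compliant components. As an added illustration that is not from the deck or from Black Duck, the Python below runs that correlation over a constructed bill of materials and constructed advisories with placeholder ids, applying a hypothetical denied-license policy and attaching severity and remediation advice to each finding.

```python
"""Correlate a bill of materials with vulnerability advisories (constructed sample data)."""

# Constructed sample BOM: component name, version and license (not from the deck).
BOM = [
    {"name": "libfoo", "version": "1.4.2", "license": "Apache-2.0"},
    {"name": "libbar", "version": "2.0.9", "license": "GPL-3.0"},
    {"name": "libbaz", "version": "3.1.0", "license": "MIT"},
]

# Constructed advisories with placeholder ids; affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "name": "libfoo", "introduced": "1.0.0", "fixed": "1.4.5", "severity": "high"},
    {"id": "ADV-EXAMPLE-2", "name": "libbaz", "introduced": "3.0.0", "fixed": "3.0.4", "severity": "medium"},
]

# Hypothetical open source policy: licenses that may not ship in this application.
DENIED_LICENSES = {"GPL-3.0"}

def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version such as '1.4.2' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)

def correlate(bom, advisories, denied_licenses):
    """Return a list of findings: vulnerability matches and license policy violations."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    findings = []
    for comp in bom:
        for adv in by_name.get(comp["name"], []):
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"kind": "vulnerability", "component": comp["name"],
                                 "version": comp["version"], "advisory": adv["id"],
                                 "severity": adv["severity"],
                                 "remediation": f"upgrade to {adv['fixed']} or later"})
        if comp["license"] in denied_licenses:
            findings.append({"kind": "license", "component": comp["name"],
                             "version": comp["version"], "license": comp["license"]})
    return findings

if __name__ == "__main__":
    for finding in correlate(BOM, ADVISORIES, DENIED_LICENSES):
        print(finding)
```

A component that is already at or past the fixed version (libbaz here) produces no finding, which is the "continuous monitoring" case: the same correlation re-run whenever either the BOM or the advisory feed changes.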

Page 23

Integrated Application Security

Page 24

Continuous Integration Environment

• Binary Repository Management (Artifactory / Nexus)
• Developers / IDE (Eclipse)
• Deployment Environments (Amazon / Docker / VMWare / Openstack)
• Continuous Integration Server (Jenkins / TeamCity / Bamboo)
• Test Automation Tools (Selenium / JUnit)
• Quality Management Tools
• Bug Tracking Tools
• Source Control Management (Git, CVS / Subversion / Perforce)
• Build Tools (Maven / Bundler)

Security tool integration points: DAST / IAST; SAST / OSS; Bug Tracking Integration; OSS IDE integration

Page 25

Custom Code Vulnerabilities

Page 26

Open Source Vulnerabilities – Black Duck

Page 27

Open Source Vulnerabilities

Page 28

Holistic View – Custom and Open Source

Page 29

Key Takeaways

Application development ecosystem is changing
• Open source provides an increasingly large foundation for custom code.

Open source is here to stay (and growing)
• Saves development costs and accelerates time to market.

New paradigm requires new methodologies
• Best practices for custom code continue to require automated testing.
• Best practices for open source require full visibility and continuous monitoring.

Page 30

Q&A