Application Security at DevOps Speed and Portfolio Scale

Jeff Williams @planetlevel, Contrast Security

Posted 21-May-2020

Page 1: AppSec at DevOps Speed and Portfolio Scale OWASP... · Application Security at DevOps Speed and Portfolio Scale Jeff Williams @planetlevel Contrast Security. OWASP XSS Prevention

Application Security at DevOps Speed and Portfolio Scale

Jeff Williams @planetlevel

Contrast Security

Page 2:

OWASP XSS Prevention Cheat Sheet

1,000,000 Page Views!

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Page 3:

About Me

Page 4:

Application Security Is Healthcare

Page 5:

Sensors Are Revolutionizing Healthcare

Instrumenting the body means continuous realtime monitoring…

Not periodic checkups

Your phone will know you’re sick before you do!

Page 6:

Modern Software Development…

Javascript/Ajax

SOAP/REST

Serialized Objects

Raw Socket

Inversion of Control

Libraries and Frameworks

Aspect Oriented Programming

Agile

DevOps

Cloud/Mobile

Traditional appsec tools and techniques simply can’t handle ANY of these

Page 7:

AppSec Progress

Security

Software

Continuous AppSec

Page 8:

Starting Over

Page 9:

Defining “Portfolio Scale”

The right defenses for every application are…

Present, Correct, Used Properly

Page 10:

Defining “DevOps Speed”

Application security happens continuously

and in real time

Page 11:

One Thing at a Time…

Is my portfolio protected against clickjacking?

Page 12:

Gathering Intelligence

Controller

Presentation

Business Functions

Data Layer

Third Party Libraries

Application Server

Platform Runtime

Framework

Operating System

Page 13:

Security Intelligence Sources

HTTP Traffic

Backend Connections

Configuration Data

Libraries and Frameworks

Data Flow

Control Flow

Vulnerability Trace

Page 14:

Designing a Clickjacking Sensor

Experiment Style: Positive, Negative, Intelligence

Environment: Dev, CI, Test, QA, Staging, Security, Prod

Analysis Technique: Manual, SAST, DAST, IAST, Passive, JUnit, Sampling

Intel Sources: Code, HTTP, Configuration, Data Flow, Control Flow, Libraries, Connections

Choose based on:
• Speed
• Accuracy
• Feedback
• Scalability
• Ease of Use
• Cost

Page 15:

Continuous ClickJacking Defense Verification

A new HTTP sensor to verify that the X-Frame-Options header is set to DENY or SameOrigin on every webpage

Dynamic, Interactive, JUnit, Manual, Static

DEV CI TEST QA STAG OPS SEC

Data Warehouse: Application Security Intelligence

Page 16:

Instrumentation

Internal Networks

Ad-Hoc Servers

External Facing Cloud

Instrument your applications and they report their security

…regardless of your organizational or technical structure.

Page 17:

Run Against Entire Portfolio

Application Name           Result   Grade
TBMarks                    88%      A
RPC                        0%       F
CaseyMotors                0%       F
Financials                 72%      C
International Reporting    0%       F

“Financials” ClickJacking Defense – C (72%)

/home                  DENY
/home/error.jsp        -
/home/index.jsp        DENY
/account               SAME-ORIGIN
/account/report.jsp    -

(Portfolio grid of application abbreviations: TB, RPC, CM, TY, JJ, RH, CO, AS, RA, F, IR, XX, QP, X, DD, &, @, S)
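The sensor on slide 15 and the scorecard on slide 17, as an added worked example in Python (not code from the deck or from Contrast Security): it inspects the headers of each observed response for X-Frame-Options DENY or SAMEORIGIN, rolls the per-path results up into a coverage percentage and letter grade per application, and scores a whole portfolio the way the slide 17 table does. It goes beyond the slide in also accepting a Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options in current browsers. The grade thresholds and the sample observations are assumptions constructed for the example; the deck shows 88% as an A and 72% as a C but does not state its scale.

```python
"""Clickjacking defense sensor: verify that every observed response carries a
framing defense, then roll the per-path results up into a portfolio scorecard."""

ALLOWED_XFO = {"DENY", "SAMEORIGIN"}


def framing_defense(headers):
    """Return the framing defense found in a response's headers, or None.

    Header names and X-Frame-Options values are compared case-insensitively,
    as HTTP requires. As an extension beyond the slide, a Content-Security-Policy
    frame-ancestors directive is also accepted.
    """
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    xfo = lowered.get("x-frame-options", "").upper()
    if xfo in ALLOWED_XFO:
        return xfo
    for directive in lowered.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return "CSP " + " ".join(parts)
    return None


def grade(percent):
    """Letter grade for a coverage percentage. Thresholds are assumed for this
    example; the deck shows 88% -> A, 72% -> C and 0% -> F but not its scale."""
    for floor, letter in ((85, "A"), (75, "B"), (60, "C"), (40, "D")):
        if percent >= floor:
            return letter
    return "F"


def score_application(responses):
    """responses: list of (path, headers). Returns (percent, grade, {path: defense})."""
    per_path = {path: framing_defense(headers) for path, headers in responses}
    if not per_path:
        return 0, "F", per_path
    covered = sum(1 for defense in per_path.values() if defense is not None)
    percent = round(100 * covered / len(per_path))
    return percent, grade(percent), per_path


def score_portfolio(portfolio):
    """portfolio: {app_name: [(path, headers), ...]} -> {app_name: (percent, grade)}."""
    return {app: score_application(responses)[:2] for app, responses in portfolio.items()}


# Constructed sample observations (not captured traffic); the "Financials" rows
# mirror the per-path table on slide 17.
SAMPLE_PORTFOLIO = {
    "Financials": [
        ("/home", {"X-Frame-Options": "DENY"}),
        ("/home/error.jsp", {"Content-Type": "text/html"}),
        ("/home/index.jsp", {"X-Frame-Options": "deny"}),
        ("/account", {"x-frame-options": "SAMEORIGIN"}),
        ("/account/report.jsp", {}),
    ],
    "RPC": [("/", {}), ("/status", {})],
    "ModernApp": [("/", {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"})],
}

if __name__ == "__main__":
    for app, (percent, letter) in score_portfolio(SAMPLE_PORTFOLIO).items():
        print(f"{app:12s} {percent:3d}% {letter}")
    print(score_application(SAMPLE_PORTFOLIO["Financials"])[2])
```

Feed `score_portfolio` with the responses a test run, a proxy or an instrumented application records, and the per-application tuple is exactly the row the slide 17 dashboard needs; `score_application` keeps the per-path detail for the drill-down view.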

Page 18:

Check Your Headers

https://cyh.herokuapp.com/cyh

Page 19:

Continuous AppSec Dashboard

Page 20:

One Small Step Towards Continuous AppSec

• We transformed clickjacking verification to devops speed and portfolio scale!

Before                  After
Annual pentest          Continuous monitoring
Negative signatures     Positive verification
One app at a time       Portfolio wide

Okay, clickjacking. Big deal.

Page 21:

More Sensors…

I want a sensor to verify…

My business logic makes access control checks

My libraries are free from known vulnerabilities

My forms are not susceptible to CSRF attacks

My interpreters are protected against injection

My encryption is implemented correctly

My application has no unknown connections

And much more….

Page 22:

Access Control Intelligence Sensor

Control Flow

SAST

Intelligence

CI

Source File                         Result (@PreAuthorize)
TestSBMBugtrackerController.java    @PreAuthorize("hasAnyRole('ROLE_BUG_CREATE','ROLE_BUG_EDIT')")
UpdateSBMBugtrackerController.java  @PreAuthorize("hasRole('ROLE_BUG_EDIT')")
SelectBugtrackerController.java     @PreAuthorize("hasRole('ROLE_BUG_CREATE')")
CheckAppStatusController.java       MISSING
ViewConsoleEventsController.java    @PreAuthorize("hasRole('ROLE_CONSOLE_VIEW')")
DeleteEngineConfigController.java   @PreAuthorize("hasRole('ROLE_ENGINE_PROFILES')")
DownloadEngineController.java       @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')")
EngineConfigController.java         @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')")
ErrorController.java                MISSING
InboxController.java                @PreAuthorize("isAuthenticated()")
InstallationWizardController.java   @PreAuthorize("isAuthenticated()")
InviteAFriendController.java        @PreAuthorize("isAuthenticated()")
LoginController.java                MISSING
DeleteMessageController.java        @PreAuthorize("isAuthenticated()")
GetSystemMessagesController.java    @PreAuthorize("isAdmin()")

Page 23:

Generated Access Control Matrix from Code

Roles (matrix columns): ROLE_APPLICATION_DELETE, ROLE_APPLICATION_GROUP, ROLE_APPLICATION_REET, ROLE_TRACES_DELETE, ROLE_TRACES_SENDMAIL, ROLE_TRACE_SEARCH, ROLE_ENGINE_DOWNLOAD, ROLE_ENGINE_PROFILES, ROLE_CONSOLE_VIEW, ROLE_BUGTRACKER_VIEW, ROLE_BUGTRACKER_CREATE, ROLE_BUGTRACKER_DELETE, ROLE_AUDIT_VIEW, ROLE_ENGINE_ACTIVITY, ROLE_LIBRARY_SEARCH

Controllers (matrix rows; an “O” marks a required role, column positions not preserved in this extract):

TracesGetBugtrackersController.java O
TracesGetUsersController.java O
TracesJIRAExportController.java O
TracesMergeController.java O
TracesSaveStatusController.java O
TracesSearchController.java O
TracesSendToBugtrackersController.java
TracesTreeController.java O
TracesViewerController.java O
TraceViewerWorkingNotificationController.java O
ViewTracesController.java O
UpdateAppConfigurationController.java O
BannerController.java O
BillingAccountActivityController.java O O
BillingApplyPaymentController.java O
BillingAppsController.java O
BillingExecuteOrderController.java O
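The access control sensor on slide 22 and the generated matrix on slide 23, as an added Python example (not the deck's tooling and not the application code it scanned): it scans constructed Spring controller sources for @PreAuthorize, reports MISSING where the annotation is absent, extracts the roles named by hasRole/hasAnyRole, and generates the role-by-controller matrix. The regexes recognise only the annotation forms shown on slide 22 and treat any annotation in a file as coverage; a production sensor would evaluate each handler method, ideally from the compiled classes rather than source text. The sample sources are constructed for the example.

```python
import re

# Matches the annotation and captures its SpEL expression. Constructed for this example;
# real code may split annotations across lines or place them on individual methods.
PREAUTHORIZE_RE = re.compile(r'@PreAuthorize\s*\(\s*"([^"]*)"\s*\)')
ROLE_RE = re.compile(r"'(ROLE_[A-Z0-9_]+)'")


def preauthorize_expression(source):
    """Return the first @PreAuthorize expression in a controller source, or None."""
    match = PREAUTHORIZE_RE.search(source)
    return match.group(1) if match else None


def roles_in(expression):
    """Role names referenced by hasRole/hasAnyRole; isAuthenticated()/isAdmin() name none."""
    return sorted(set(ROLE_RE.findall(expression or "")))


def scan_controllers(sources):
    """sources: {filename: source text} -> {filename: expression or 'MISSING'} (slide 22)."""
    return {name: (preauthorize_expression(text) or "MISSING") for name, text in sources.items()}


def missing_controllers(sources):
    """Filenames with no @PreAuthorize at all: the rows a reviewer looks at first."""
    return sorted(name for name, result in scan_controllers(sources).items() if result == "MISSING")


def access_control_matrix(sources):
    """(sorted roles, {filename: {role: bool}}) generated from the annotations (slide 23)."""
    results = scan_controllers(sources)
    roles = sorted({role for expr in results.values() for role in roles_in(expr)})
    matrix = {name: {role: role in roles_in(expr) for role in roles} for name, expr in results.items()}
    return roles, matrix


def render_matrix(roles, matrix):
    """Plain-text grid with an O where a controller requires a role."""
    short = [role.replace("ROLE_", "") for role in roles]
    lines = ["Controller".ljust(40) + "  ".join(short)]
    for name, marks in matrix.items():
        cells = [("O" if marks[role] else "-").ljust(len(label)) for role, label in zip(roles, short)]
        lines.append(name.ljust(40) + "  ".join(cells))
    return "\n".join(lines)


# Constructed Spring MVC controller snippets (not the application code from the deck).
SAMPLE_SOURCES = {
    "UpdateSBMBugtrackerController.java": """
        @Controller
        @PreAuthorize("hasRole('ROLE_BUG_EDIT')")
        public class UpdateSBMBugtrackerController { }""",
    "TestSBMBugtrackerController.java": """
        @PreAuthorize("hasAnyRole('ROLE_BUG_CREATE','ROLE_BUG_EDIT')")
        public class TestSBMBugtrackerController { }""",
    "InboxController.java": """
        @PreAuthorize("isAuthenticated()")
        public class InboxController { }""",
    "CheckAppStatusController.java": """
        @Controller
        public class CheckAppStatusController { }""",
}

if __name__ == "__main__":
    for name, result in scan_controllers(SAMPLE_SOURCES).items():
        print(f"{name:40s} {result}")
    print(render_matrix(*access_control_matrix(SAMPLE_SOURCES)))
```

Run it over a directory of controller sources in CI and the MISSING list is the finding; the matrix is the "intelligence" output, which a reviewer compares against the expected model rather than against a signature.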

Page 24:

Known Vulnerable Libraries Sensor

Libraries

SAST

Negative

CI

Run DependencyCheck during every build (and do a build once a month even if nothing changed)
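A build-gate sensor for slide 24, as an added Python example (not part of the deck and not part of Dependency-Check itself): it reads a Dependency-Check JSON report and fails the build when any finding meets a CVSS threshold. The report keys are assumed from Dependency-Check's JSON output (a `dependencies` list whose entries carry `fileName` and a `vulnerabilities` list with `cvssv3.baseScore` or `cvssv2.score`); verify them against the version you run. The sample report and its vulnerability ids are constructed placeholders. The monthly rebuild the slide asks for matters because the vulnerability data changes even when the jars do not, so a fresh run over unchanged bytes can produce new findings.

```python
import json

# Report shape assumed from OWASP Dependency-Check's JSON output; check the keys
# against the version you run before relying on this gate.


def vulnerability_score(vuln):
    """Best available CVSS base score for one finding, or None if the report has neither."""
    v3 = vuln.get("cvssv3") or {}
    if v3.get("baseScore") is not None:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if v2.get("score") is not None:
        return float(v2["score"])
    return None


def findings_above(report, min_cvss):
    """(dependency file name, vulnerability id, score) for every finding at or above min_cvss."""
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = vulnerability_score(vuln)
            if score is not None and score >= min_cvss:
                hits.append((dep.get("fileName"), vuln.get("name"), score))
    return hits


def findings_in(report_json, min_cvss):
    """Same as findings_above, taking the report as JSON text."""
    return findings_above(json.loads(report_json), min_cvss)


def build_should_fail(report_json, min_cvss=7.0):
    """The CI gate: True when any dependency carries a finding at or above the threshold."""
    return bool(findings_in(report_json, min_cvss))


# Constructed report; the vulnerability ids are placeholders, not real CVE numbers.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "commons-example-1.0.jar",
         "vulnerabilities": [{"name": "CVE-EXAMPLE-0001", "severity": "HIGH",
                              "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "util-example-2.3.jar",
         "vulnerabilities": [{"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM",
                              "cvssv2": {"score": 4.3}}]},
        {"fileName": "clean-example-1.1.jar"},
    ]
})

if __name__ == "__main__":
    for file_name, vuln_id, score in findings_in(SAMPLE_REPORT, 0.0):
        print(f"{file_name:28s} {vuln_id:18s} {score}")
    print("fail build:", build_should_fail(SAMPLE_REPORT))
```

The threshold is the policy knob: a team that tolerates medium findings sets `min_cvss` accordingly, and the same report feeds the portfolio dashboard as a "libraries free from known vulnerabilities" result per application.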

Page 25:

• Run tests through ZAP

• ZEST to check CSRF Token

• Get results via ZAP REST API

CSRF Defense Sensor

HTTP

Passive

Positive

QA
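A positive CSRF defense sensor in the spirit of slide 25, as an added Python example (not the deck's ZAP/ZEST setup): rather than driving ZAP, it parses a page's forms directly, flags every POST form that carries no anti-CSRF hidden field or only a trivially short one, and checks that the token handed to two different sessions differs. The recognised field names, the minimum token length and the sample pages are assumptions constructed for the example.

```python
from html.parser import HTMLParser

# Assumed set of anti-CSRF hidden-field names used by common frameworks; extend for yours.
TOKEN_FIELD_NAMES = {"_csrf", "csrf_token", "csrfmiddlewaretoken", "__RequestVerificationToken"}
MIN_TOKEN_LENGTH = 16  # assumed policy value for this example


class FormCollector(HTMLParser):
    """Collect each form's action, method and hidden inputs from an HTML response."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "hidden": {}}
        elif tag == "input" and self._current is not None and (a.get("type") or "").lower() == "hidden":
            self._current["hidden"][a.get("name") or ""] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def collect_forms(html):
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    return parser.forms


def csrf_token_of(form):
    """The value of the form's anti-CSRF field, or None."""
    for name, value in form["hidden"].items():
        if name in TOKEN_FIELD_NAMES:
            return value
    return None


def unprotected_forms(html):
    """Actions of state-changing (POST) forms that lack a usable token: the sensor's findings."""
    findings = []
    for form in collect_forms(html):
        if form["method"] != "post":
            continue  # GET forms must not change state, so they carry no token
        token = csrf_token_of(form)
        if token is None or len(token) < MIN_TOKEN_LENGTH:
            findings.append(form["action"])
    return findings


def tokens_rotate(html_session_a, html_session_b):
    """Positive check: the tokens issued to two different sessions must not overlap."""
    tokens_a = {csrf_token_of(f) for f in collect_forms(html_session_a) if csrf_token_of(f)}
    tokens_b = {csrf_token_of(f) for f in collect_forms(html_session_b) if csrf_token_of(f)}
    return bool(tokens_a) and bool(tokens_b) and not (tokens_a & tokens_b)


# Constructed page bodies as two sessions would see them (not captured from any application).
SESSION_A = """
<form action="/search" method="get"><input name="q"></form>
<form action="/login" method="post">
  <input type="hidden" name="_csrf" value="a1b2c3d4e5f6a7b8c9d0">
  <input name="user"><input type="password" name="pass"></form>
<form action="/transfer" method="POST"><input name="amount"></form>
"""
SESSION_B = SESSION_A.replace("a1b2c3d4e5f6a7b8c9d0", "f0e9d8c7b6a5f4e3d2c1")

if __name__ == "__main__":
    print("unprotected:", unprotected_forms(SESSION_A))
    print("tokens rotate across sessions:", tokens_rotate(SESSION_A, SESSION_B))
```

Both checks are positive verification in the slide 20 sense: they confirm the defense is present and behaves as expected on every form, instead of hunting for an exploitable omission.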

Page 26:

Canonicalization Correctness Sensor

Code

JUnit

Positive

Staging
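The canonicalization correctness sensor on slide 26, as an added Python example (not the deck's JUnit suite): a canonicalizer that decodes percent and HTML-entity encoding to a fixpoint and rejects double or mixed encoding, plus a table of positive cases a CI job can run on every build so that a regression in the decoder shows up as a failed sensor rather than a pentest finding months later. The canonicalizer, the failure categories and the cases are constructed for this example.

```python
import html
from urllib.parse import unquote


class CanonicalizationError(ValueError):
    """Raised when input is encoded more than once or with mixed schemes."""


def canonicalize(value, max_rounds=4):
    """Decode percent- and HTML-entity encoding to a fixpoint and reject double or mixed encoding.

    Returns the canonical string. Raises CanonicalizationError when a second decoding round
    still changes the value (double encoding), when both schemes are used in the same value
    (mixed encoding), or when no fixpoint is reached within max_rounds.
    """
    current, rounds, schemes = value, 0, set()
    for _ in range(max_rounds):
        after_percent = unquote(current)
        after_entity = html.unescape(after_percent)
        used = set()
        if after_percent != current:
            used.add("percent")
        if after_entity != after_percent:
            used.add("html-entity")
        if not used:
            break
        schemes |= used
        current = after_entity
        rounds += 1
    else:
        raise CanonicalizationError(f"no fixpoint after {max_rounds} rounds: {value!r}")
    if rounds > 1:
        raise CanonicalizationError(f"double encoding ({rounds} rounds): {value!r}")
    if len(schemes) > 1:
        raise CanonicalizationError(f"mixed encoding {sorted(schemes)}: {value!r}")
    return current


def classify(value):
    """'ok' when canonicalization succeeds, otherwise the failure kind for the dashboard."""
    try:
        canonicalize(value)
        return "ok"
    except CanonicalizationError as err:
        message = str(err)
        if message.startswith("double"):
            return "double"
        if message.startswith("mixed"):
            return "mixed"
        return "no-fixpoint"


# Constructed positive cases in the style of a JUnit suite: each row is
# (input, expected canonical form or expected failure kind).
CASES = [
    ("plain-value", "plain-value"),
    ("%2e%2e%2f", "../"),
    ("&lt;b&gt;", "<b>"),
    ("100%", "100%"),
    ("%253C", "double"),
    ("%26lt%3B", "mixed"),
]


def run_cases(cases=CASES):
    """{input: passed} so a CI job can fail when the canonicalizer regresses."""
    results = {}
    for raw, expected in cases:
        kind = classify(raw)
        if kind == "ok":
            results[raw] = canonicalize(raw) == expected
        else:
            results[raw] = kind == expected
    return results


if __name__ == "__main__":
    for raw, passed in run_cases().items():
        print(f"{raw!r:16s} {'PASS' if passed else 'FAIL'}")
```

The rejection of double and mixed encoding is the part worth testing positively: a decoder that silently decodes until nothing changes accepts exactly the inputs that a validation layer running before it never saw.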

Page 27:

Injection Sensors

Data Flow

IAST

Negative

Dev

Use code instrumentation tools for DFA vulnerabilities

Page 28:

Architecture, Inventory, and More…

• What would you like to gather from all your applications?

• Inventory? Architecture? Outbound connections? Lines of code? Security components?

• All possible… and all at devops speed and portfolio scale

Page 29:

Building Continuous AppSec

Dynamic, Interactive, JUnit, Manual, Static

DEV CI TEST QA STAG OPS SEC

Data Warehouse: Application Security Intelligence

Page 30:

Sensors?

How do you know what sensors you need?

1) The OWASP Top Ten?

2) What your tools are good at?

3) What your pentester thinks is important?

4) Actually figure out what matters?

Page 31:

(Bar chart: Applications with at Least One Vulnerability in Category, vertical axis 0%–90%, categories ordered from Higher Risk to Lower Risk)

Aspect 2013 Global AppSec Risk Report

Page 32:

What’s In Your Expected Model?

Expected: Threat Model, Abuse Cases, Policy, Standards…, Requirements

There is no security without a model

Page 33:

What Are You Actually Testing?

Actual: Pentest, Code Review, Tools, Arch Review

Page 34:

Unfortunately…

Actual vs. Expected

Not being tested (aka RISK)

Doesn’t need testing (aka WASTE)

Page 35:

Are You Secure?

Secure?

Page 36:

Aligning Sensors with Business Concerns

Business Concerns: Data Protection, Fraud, Availability

Defense Strategies: Minimize Sensitive Data; Role Based Access Control; Encrypt Data in Storage and Transit; Logging and Intrusion Detection

Actual Defenses: Full Disk Encryption with TrueCrypt; Programmatic Encryption with ESAPI; TLS Everywhere with Venafi

Sensors: Libraries Present and Up-to-date; Encryption Correctness with JUnit Tests; ESAPI Used Properly

Page 37:

Continuous Application Security!

Expected

Actual

Application Portfolio (grid of applications)

Application security dashboards

Translate “expected” into sensors

New Threats, Business Priorities

Page 38:

How to Get Started

Choose a sensor

Build it with developers

Deploy your sensor

Create a dashboard using Excel

Page 39:

Transforming AppSec

AppSec Compliance

AppSec Monitoring

AppSec Strategy

AppSec Optimization

AppSec as Business Driver

We will never improve if our only metric is whether we are doing what everyone else is doing

Page 40:

Thank You!

Please stop by our booth! @contrastsec

Page 41:

Expected: Tracking Coverage

Infrastructure Security

Data Protection

Logging and Accountability

Secure Development

Security Verification

Incident Response

▼ Minimal data collection
▼ …

▼ Strong encryption in storage and transit
▼ All external connections use SSL
▼ All internal connections use SSL
▼ SSL hardened according to OWASP
▼ All highly sensitive data encrypted
▼ Encryption uses standard control
▼ Encryption uses AES, no CBC or ECB

▼ Universal authentication
▼ …

▼ Pervasive access control
▼ …

▼ Injection defenses
▼ Strict positive validation of all input
▼ Use of parameterized interfaces
▼ All parsers hardened

▼ XML parsers set to not use DOCTYPE
▼ Browser set no content sniffing header
▼ Etc…

▼ Use Hibernate and secure coding
▼ Use JQuery and secure coding

▼ Etc…

Page 42:

Enterprise Controls Dashboard

Columns: Expected Defense | Defense Present? | Defense Correct? | Applications Tested? | Training and Support

Rows (expected defenses): Authentication, Authorization, Cryptography, Validation, Escaping, Tokens, Logging, Intrusion Detection, Random Numbers, Browser Security, Safe API Wrappers, Object Reference Management, Error Handling