DevOps Jumpstarting-Your-DevSecOps Jeff-Williams AppSecEU2018

The document discusses jumpstarting a DevSecOps pipeline with interactive application security testing (IAST) and runtime application self-protection (RASP). It describes how IAST can detect vulnerabilities during normal use and how RASP can prevent vulnerabilities from being exploited. It emphasizes the importance of integrating security into development, operations, and the CI/CD pipeline.

Jumpstarting Your DevSecOps Pipeline with IAST and RASP

Jeff Williams – @planetlevel
CTO and Co-Founder – Contrast Security
The average application is extremely vulnerable
• 21% custom code: 26.7 vulnerabilities
• 8% used libraries: 2 vulnerabilities
• 71% unused libraries

You are under attack

Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 3


DevSecOps is very promising…

DevOps                           DevSecOps
1. Establish work flow           1. Establish security work flow
2. Ensure instant feedback       2. Ensure instant security feedback
3. Culture of experimentation    3. Build a security culture

https://itrevolution.com/the-three-ways-principles-underpinning-devops/
DZone DevSecOps Refcard
Written by Jeff Williams, co-founder and CTO of Contrast Security
https://dzone.com/refcardz/introduction-to-devsecops
Evolution of AppSec Automation

Development (find vulnerabilities)           Operations (prevent exploit)
2002   SAST (Static AppSec Testing)          2002   WAF (Web Application Firewall)
       DAST (Dynamic AppSec Testing)                IDS/IPS (Intrusion Detection/Prevention System)
2012   IAST (Interactive AppSec Testing)     2015   RASP (Runtime Application Self-Protection)
Today  Unified IAST, RASP, SCA
How IAST and RASP Work

IAST (Interactive Application Security Testing)
• Detects vulnerabilities in both custom code and libraries during normal use → "Vulnerability confirmed"

RASP (Runtime Application Self-Protection)
• Prevents vulnerabilities from being exploited in both custom code and libraries → "Exploit prevented" ✘

Diagram: an agent inside your application or API, made up of HTTP sensors, code sensors, data flow sensors, control flow sensors, library sensors, config sensors and backend sensors.


Turning DevOps into DevSecOps

IAST/RASP in Development → IAST/RASP in CI/CD/QA → IAST/RASP in Operations


Today’s Mission…

1. Add security to development
2. Lock down open source libraries
3. Enable automatic security testing
4. Prevent exploits in operation


DevSecOps Goals: Dev

Security
• Must cover policies/rules I care about
• Must have minimal false positives/false negatives

Speed
• Must integrate in tools I’m already using – NOT PDF
• Must notify with ChatOps!

Scale
• Must not create bottleneck – NO SCANNING
• Must work on my portfolio including APIs!


Get an IAST/RASP agent
https://www.contrastsecurity.com/ce

1. Download  2. Install  3. Enjoy


Using IAST from within Maven

HQL injection


How do you want your security?

IDE · ChatOps · Browser

Others:


Today’s Mission…

1. Add security to development ✓ (Security, Speed, Scale)
2. Lock down open source libraries
3. Enable automatic security testing
4. Prevent exploits in operation


DevSecOps Goals: Open Source

Inventory
• Must identify all components everywhere
• Must show libraries that are actually used (72% unused)

Assess
• Must pinpoint apps and servers with vulnerable libraries
• Must identify both known and unknown vulnerabilities

Protect
• Detection isn’t enough
• Protect against both known and unknown flaws


Actual attack on CVE-2017-5638

How fast can you respond?
• March 7: CVE-2017-5638 disclosed, Apache releases fixed version
• March 8: we observe widespread attacks
• Mid-May: Equifax breach occurs
• July 29: Equifax learns of breach
• Sept 7: Equifax discloses; four more Struts2 CVEs disclosed

No updates → No detection → Disaster

You must have the infrastructure in place to respond within hours.
Assess OSS with IAST

Dev → CI/CD → Prod (private cloud, public cloud, APIs, containers)

1. Continuously inventory all OSS
2. Automatically detect vulnerabilities in OSS
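The deck's inventory goal is to show which libraries are actually used, not just which are on the classpath, and the agent model is what makes that observable at runtime. The following is an added example, not Contrast's agent and not code from these slides: a minimal -javaagent that, at JVM shutdown, reports which classpath jars had at least one class loaded during the run and which were never touched. The class name, the report format and the assumption that libraries ship as .jar entries on java.class.path are this example's own.

```java
// LibraryUsageAgent.java (added example, not the vendor's agent). A minimal -javaagent
// that separates "used" jars (at least one class loaded from them) from "unused" jars
// (on the classpath but never touched) during one run of the application.
import java.io.File;
import java.lang.instrument.Instrumentation;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.util.Set;
import java.util.TreeSet;

public final class LibraryUsageAgent {

    // Entry point named as Premain-Class in the agent jar's manifest; runs before main().
    public static void premain(String args, Instrumentation inst) {
        // Report at shutdown so the whole run (test suite, traffic window, ...) is covered.
        Runtime.getRuntime().addShutdownHook(new Thread(() -> printReport(inst)));
    }

    // Jar file names from java.class.path (assumption: libraries are .jar entries there).
    static Set<String> jarsOnClasspath() {
        Set<String> jars = new TreeSet<>();
        for (String entry : System.getProperty("java.class.path", "").split(File.pathSeparator)) {
            String name = new File(entry).getName();
            if (name.endsWith(".jar")) jars.add(name);
        }
        return jars;
    }

    // Jar file names that at least one loaded class came from. JDK classes have no
    // code source and are skipped; only application and library jars are counted.
    static Set<String> jarsWithLoadedClasses(Instrumentation inst) {
        Set<String> used = new TreeSet<>();
        for (Class<?> c : inst.getAllLoadedClasses()) {
            ProtectionDomain pd = c.getProtectionDomain();
            if (pd == null) continue;
            CodeSource cs = pd.getCodeSource();
            if (cs == null || cs.getLocation() == null) continue;
            String name = new File(cs.getLocation().getPath()).getName();
            if (name.endsWith(".jar")) used.add(name);
        }
        return used;
    }

    static void printReport(Instrumentation inst) {
        Set<String> all = jarsOnClasspath();
        Set<String> used = jarsWithLoadedClasses(inst);
        Set<String> unused = new TreeSet<>(all);
        unused.removeAll(used);
        System.err.println("[library-usage] used jars:   " + used);
        System.err.println("[library-usage] unused jars: " + unused);
        // Matching jars to known vulnerabilities (SCA, CVE feeds) is a separate step;
        // this report only answers which jars the running application actually touched.
    }
}
```

To use it, compile the class, put `Premain-Class: LibraryUsageAgent` in a manifest, build the agent jar with `jar cfm library-usage-agent.jar MANIFEST.MF LibraryUsageAgent.class`, and start the application with `java -javaagent:library-usage-agent.jar -cp 'app.jar:lib/*' com.example.Main` (the main class is a placeholder). A jar only moves from "unused" to "used" once something loads a class from it, so the value of the report depends on how much of the application the run exercises, which is why the deck ties inventory to normal use, test suites and even production rather than to a one-off scan.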
Protect OSS with RASP

1. Prevent known OSS vulnerabilities from being exploited
2. Defend applications from attacks on unknown OSS vulnerabilities
Today’s Mission…

1. Add security to development ✓ (Security, Speed, Scale)
2. Lock down open source libraries ✓ (Inventory, Assess, Protect)
3. Enable automatic security testing
4. Prevent exploits in operation


DevSecOps Goals: CI/CD

Continuous
• Security testing automatically with every build
• Works without extensive test cases

Integrated
• Open vulnerability tickets automatically
• Plugins, integrations, webhooks, and full REST API

Feedback
• Set criteria for when to break the build
• Manage appsec policy across application portfolio


IAST works the same in CI/CD

IAST works with all types of testing… even production: vulnerabilities anywhere


Security coverage with JaCoCo


Today’s Mission…

1. Add security to development ✓ (Security, Speed, Scale)
2. Lock down open source libraries ✓ (Inventory, Assess, Protect)
3. Enable automatic security testing ✓ (Continuous, Integrated, Feedback)
4. Prevent exploits in operation


DevSecOps Goals: Ops

Visibility
• Who is attacking? What attack vectors?
• What applications and vulnerabilities are they targeting?

Protect
• Must not overblock (FP) or underblock (FN)
• No tailoring or “learn mode”

Control
• Change rules centrally, enforce from within apps
• Automatic updates


RASP protects from within
• Who is attacking?
• What techniques are they using?
• Which apps and APIs are they targeting?


RASP is accurate: untrusted deserialization

Bad guy: attacker sends a malicious object to receiveObject
  AcmeInternalType#cmd:  java.lang.Runtime
  AcmeInternalType#mtd:  getRuntime().exec
  AcmeInternalType#args: ‘cmd.exe’,’/C’,’calc’

Application expects this:
  Name: Smith, James
  Record ID: 123456
  Owner: Finance

Application receives:
  AcmeInternalType#cmd:  java.lang.Runtime
  AcmeInternalType#mtd:  getRuntime().exec
  AcmeInternalType#args: ‘cmd.exe’,’/C’,’calc’
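The slide's point is that the application knows exactly which type it expects at receiveObject, so anything else arriving in the stream is an attack rather than ambiguous input. The code below is an added example, not Contrast's RASP and not from the slides: it shows the same decision made in the application's own code with the JDK's ObjectInputFilter (JEP 290, Java 9+), allowing only the expected record type and core JDK classes and rejecting every other class before it is instantiated. The class names, field values and the stand-in Unexpected class are constructed for this example.

```java
// DeserializationAllowList.java (added example, not Contrast's code). An allow-list
// deserialization filter: the expected AcmeInternalType record is accepted, any other
// class in the stream is rejected before it is instantiated.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public final class DeserializationAllowList {

    // The record the application legitimately expects (stand-in for the slide's AcmeInternalType).
    public static final class AcmeInternalType implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final long recordId;
        final String owner;
        AcmeInternalType(String name, long recordId, String owner) {
            this.name = name; this.recordId = recordId; this.owner = owner;
        }
        @Override public String toString() {
            return "AcmeInternalType{name=" + name + ", recordId=" + recordId + ", owner=" + owner + "}";
        }
    }

    // Any other serializable class stands in for an object the application never expects.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final String payload;
        Unexpected(String payload) { this.payload = payload; }
    }

    // Allow-list pattern: first match wins; "!*" rejects every class not listed before it.
    // java.base/* admits the JDK classes the record's own fields need (String here).
    // maxdepth caps object-graph nesting, which also blunts deeply nested object chains.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "DeserializationAllowList$AcmeInternalType;java.base/*;maxdepth=4;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(o); }
        return bytes.toByteArray();
    }

    // receiveObject: deserialize untrusted bytes with the filter installed before readObject().
    static Object receiveObject(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample record matching the slide's "Application expects this" values.
        Object ok = receiveObject(serialize(new AcmeInternalType("Smith, James", 123456, "Finance")));
        System.out.println("accepted: " + ok);

        try {
            receiveObject(serialize(new Unexpected("not the expected record type")));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            // The filter returns REJECTED for Unexpected and the stream refuses to instantiate it.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationAllowList.java && java DeserializationAllowList`: the first call prints the accepted record, the second ends in an InvalidClassException whose message names the filter status. The filter decides on the class before any constructor, readObject or readResolve on it can run, which is the property that makes an allow-list effective against gadget classes the application never meant to receive; a filter like this belongs in the application regardless of whether a RASP agent is also present, since the two check at different layers.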


RASP is fast
• SSL: +5 ms
• Contrast Protect: +50 µs (100x faster than SSL)
RASP deploys automatically with your application
• Ansible
• Puppet
• Docker
• Kubernetes
• Whatever…


Is your SOC blind to AppSec?


You can start today!

1. Add security to development ✓ (Security, Speed, Scale)
2. Lock down open source libraries ✓ (Inventory, Assess, Protect)
3. Enable automatic security testing ✓ (Continuous, Integrated, Feedback)
4. Prevent exploits in operation ✓ (Visibility, Protect, Control)


Scanners and Firewalls don’t Scale

Diagram (assurance vs. application portfolio), labels: Traditional AppSec Program; $$ Experts; $$ Expert Tools; Process Fit; Awful Results; Coverage.

IAST/RASP – fully distributed approach


AppSec EU Early Access
Contrast Community Edition – FREE
Contrast CE provides full-featured IAST and RASP for Java applications and APIs.

Finally, you can replace your SAST, DAST, SCA and WAF with something better…

Just some of the Contrast CE integrations…

http://contrastsecurity.com/ce
THANK YOU!
Ask me anything

Jumpstarting Your DevSecOps Pipeline with IAST and RASP


Jeff Williams @planetlevel
