AppSec at DevOps Speed and Portfolio Scale

Application Security at DevOps Speed and Portfolio Scale
Jeff Williams, CEO
Aspect Security, Inc.
About Me
Application Security Is Healthcare
Sensors Are Revolutionizing Healthcare
Your phone will know you’re sick before you do!
Instrumenting the body means continuous realtime monitoring… not periodic checkups
Traditional Tools and Techniques Are Failing…
DevOps
Agile
Aspect Oriented Programming
Libraries and Frameworks
Serialized Objects
Inversion of Control
SOAP/REST
Javascript
Ajax
Raw Socket
Cloud
Mobile
AppSec Progress
Software Security
Continuous AppSec
Starting Over
Defining “Portfolio Scale”
The right defenses for every application are…
• Present
• Correct
• Used Properly
Defining “DevOps Speed”
Application security happens continuously and in real time
One Thing at a Time…
Is my portfolio protected against clickjacking?
Gathering Intelligence
Controller
Business Functions
Presentation
Third Party Libraries
Framework
Application Server
Platform Runtime
Operating System
Data Layer
Security Intelligence Sources
Vulnerability Trace
HTTP Traffic
Backend Connections
Data Flow
Control Flow
Libraries and Frameworks
Configuration Data
Designing a Clickjacking Sensor
Data Sources: Code, HTTP, Libraries, Connections, Data Flow, Control Flow, Configuration
Analysis Technique: SAST, DAST, IAST, Manual, JUnit, Intelligence
Experiment Style: Positive, Negative, Sampling, Passive
Environment: Dev, CI, Test, QA, Staging, Security, Prod
Choose based on:
• Speed
• Accuracy
• Feedback
• Scalability
• Ease of Use
• Cost
Continuous ClickJacking Defense Verification
A new HTTP sensor to verify that the X-Frame-Options header is set to DENY or SameOrigin on every webpage
Pipeline stages: DEV, CI, TEST, QA, STAG, SEC, OPS
Sensor types: Manual, Dynamic, Static, Interactive, JUnit
Data Warehouse: Application Security Intelligence
Run Against Entire Portfolio
Application Name / Result / Grade
TBMarks: 88%, A
RPC: 0%, F
CaseyMotors: 0%, F
Financials: 72%, C
International Reporting: 0%, F
…
“Financials” ClickJacking Defense – C (72%)
/home DENY
/home/error.jsp -
/home/index.jsp DENY
/account
/account/report.jsp
…
SAME-ORIGIN
-
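As an added example (not code from the deck or from Aspect Security's tooling), here is a Python sketch of the HTTP sensor just described: it checks every captured response for a framing-blocking X-Frame-Options value, scores an application by the share of pages that pass, and grades the whole portfolio. The grading thresholds and the sample responses are constructed assumptions chosen to fit the deck's 88% = A, 72% = C, 0% = F examples.

```python
# Assumed grading scale, chosen to match the deck's examples (88% -> A, 72% -> C, 0% -> F).
GRADES = [(85, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]

# Values that actually block framing (RFC 7034). Browsers ignore anything else,
# so the non-standard "SAME-ORIGIN" spelling or a missing header counts as a miss.
VALID_XFO = {"DENY", "SAMEORIGIN"}

def xfo_ok(headers):
    """True if the response headers carry a framing-blocking X-Frame-Options value."""
    for name, value in headers.items():
        if name.lower() == "x-frame-options":
            return value.strip().upper() in VALID_XFO
    return False

def grade(percent):
    """Letter grade for a pass percentage under the assumed scale."""
    return next(letter for floor, letter in GRADES if percent >= floor)

def score_app(pages):
    """pages: {url_path: response_headers}. Returns (percent, grade, failing_paths)."""
    failing = sorted(path for path, hdrs in pages.items() if not xfo_ok(hdrs))
    percent = round(100 * (len(pages) - len(failing)) / len(pages)) if pages else 0
    return percent, grade(percent), failing

def score_portfolio(portfolio):
    """portfolio: {app_name: pages}. Runs the sensor across every application."""
    return {app: score_app(pages) for app, pages in portfolio.items()}

# Constructed sample responses (not real captures) for two applications.
SAMPLE_PORTFOLIO = {
    "Financials": {
        "/home": {"X-Frame-Options": "DENY"},
        "/home/index.jsp": {"x-frame-options": "sameorigin"},        # case-insensitive match
        "/home/error.jsp": {"Content-Type": "text/html"},           # header missing
        "/account/report.jsp": {"X-Frame-Options": "SAME-ORIGIN"},  # not a valid value
    },
    "RPC": {
        "/": {"Content-Type": "text/html"},
        "/status": {"X-Frame-Options": "ALLOW-FROM https://example.test"},  # obsolete, no block
    },
}

if __name__ == "__main__":
    for app, (pct, letter, failing) in score_portfolio(SAMPLE_PORTFOLIO).items():
        print(f"{app}: {pct}% {letter}  failing={failing}")
```

The failing-path list is what makes the result actionable for a developer: it is the per-page view the deck's "Financials" drill-down shows, not just the grade.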
Check Your Headers
https://cyh.herokuapp.com/cyh
Continuous AppSec Dashboard
One Small Step Towards Continuous AppSec
• We transformed clickjacking verification to devops speed and portfolio scale!
Before: Annual pentest, Negative signatures, One app at a time
After: Continuous monitoring, Positive verification, Portfolio wide
Okay, clickjacking. Big deal.
More Sensors…
I want a sensor to verify…
• My business logic makes access control checks
• My libraries are free from known vulnerabilities
• My forms are not susceptible to CSRF attacks
• My interpreters are protected against injection
• My encryption is implemented correctly
• My application has no unknown connections
• And much more…
Access Control Intelligence Sensor
Source File / Result (@PreAuthorize)
TestSBMBugtrackerController.java: @PreAuthorize("hasAnyRole('ROLE_BUG_CREATE','ROLE_BUG_EDIT')")
UpdateSBMBugtrackerController.java: @PreAuthorize("hasRole('ROLE_BUG_EDIT')")
SelectBugtrackerController.java: @PreAuthorize("hasRole('ROLE_BUG_CREATE')")
CheckAppStatusController.java: MISSING
ViewConsoleEventsController.java: @PreAuthorize("hasRole('ROLE_CONSOLE_VIEW')")
DeleteEngineConfigController.java: @PreAuthorize("hasRole('ROLE_ENGINE_PROFILES')")
DownloadEngineController.java: @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')")
EngineConfigController.java: @PreAuthorize("hasRole('ROLE_ENGINE_DOWNLOAD')")
ErrorController.java: MISSING
InboxController.java: @PreAuthorize("isAuthenticated()")
InstallationWizardController.java: @PreAuthorize("isAuthenticated()")
InviteAFriendController.java: @PreAuthorize("isAuthenticated()")
LoginController.java: MISSING
DeleteMessageController.java: @PreAuthorize("isAuthenticated()")
GetSystemMessagesController.java: @PreAuthorize("isAdmin()")

Sensor profile: Control Flow, SAST, Intelligence, CI
Generated Access Control Matrix from Code
(Matrix figure: rows are controller source files, columns are role names; the rotated column headers and the cell marks did not survive extraction.)
TracesGetBugtrackersController.java
TracesGetUsersController.java
TracesJIRAExportController.java
TracesMergeController.java
TracesSaveStatusController.java
TracesSearchController.java
TracesSendToBugtrackersController.java
TracesTreeController.java
TracesViewerController.java
TraceViewerWorkingNotificationController.java
ViewTracesController.java
UpdateAppConfigurationController.java
BannerController.java
BillingAccountActivityController.java
BillingApplyPaymentController.java
BillingAppsController.java
BillingExecuteOrderController.java
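As an added example serving both the @PreAuthorize results table and the generated access control matrix above (not the deck's own tool; the Java snippets are constructed, not the project's real sources), here is a Python sensor that scans controller sources for a @PreAuthorize annotation, reports MISSING where none is found, and derives a controller × role matrix from the hasRole/hasAnyRole expressions.

```python
import re

# Class- or method-level @PreAuthorize("...") annotation in Java source.
PREAUTH_RE = re.compile(r'@PreAuthorize\s*\(\s*"([^"]*)"\s*\)')
# Role names inside hasRole('X') / hasAnyRole('X','Y') expressions.
ROLE_RE = re.compile(r"'(ROLE_[A-Z0-9_]+)'")

def preauthorize_of(java_source):
    """First @PreAuthorize expression in a file, or 'MISSING'. Coarse, file-level:
    a class with only some methods annotated still reports the first expression."""
    match = PREAUTH_RE.search(java_source)
    return match.group(1) if match else "MISSING"

def roles_of(expression):
    """Roles an expression names; empty for MISSING, isAuthenticated(), isAdmin()."""
    return set(ROLE_RE.findall(expression))

def sensor_report(sources):
    """sources: {file_name: java_source} -> {file_name: expression or 'MISSING'}."""
    return {name: preauthorize_of(src) for name, src in sources.items()}

def access_matrix(report):
    """Controller x role matrix {file_name: {role: bool}} over every role seen."""
    roles = sorted(set().union(*(roles_of(expr) for expr in report.values())))
    return {name: {r: r in roles_of(expr) for r in roles} for name, expr in report.items()}

# Constructed Java snippets (not the project's real sources), echoing the deck's table.
SAMPLE_SOURCES = {
    "UpdateSBMBugtrackerController.java": """
        @Controller
        @PreAuthorize("hasRole('ROLE_BUG_EDIT')")
        public class UpdateSBMBugtrackerController {}""",
    "TestSBMBugtrackerController.java": """
        @PreAuthorize("hasAnyRole('ROLE_BUG_CREATE','ROLE_BUG_EDIT')")
        public class TestSBMBugtrackerController {}""",
    "InboxController.java": """
        @PreAuthorize("isAuthenticated()")
        public class InboxController {}""",
    "CheckAppStatusController.java": """
        @Controller  // no authorization annotation at all
        public class CheckAppStatusController {}""",
}

if __name__ == "__main__":
    report = sensor_report(SAMPLE_SOURCES)
    for name, expr in report.items():
        print(f"{name:38} {expr}")
    for name, row in access_matrix(report).items():  # "O" marks a granted role
        print(name, "".join("O" if granted else "." for granted in row.values()))
```

A MISSING row is the signal worth alerting on in CI; the matrix is what lets a reviewer compare the roles the code actually enforces against the expected model.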
Known Vulnerable Libraries Sensor
Run DependencyCheck during every build (and do a build once a month even if nothing changed)
Sensor profile: Libraries, SAST, Negative, CI
CSRF Defense Sensor
Sensor profile: HTTP, Passive, Positive, QA
• Run tests through ZAP
• ZEST to check CSRF Token
• Get results via ZAP REST API
Canonicalization Correctness Sensor
Sensor profile: Code, JUnit, Positive, Staging
Injection Sensors
Use IAST tools for DFA (data flow analysis) vulnerabilities
Sensor profile: Data Flow, IAST, Negative, Dev
Architecture, Inventory, and More…
• What would you like to gather from all your applications?
• Inventory? Architecture? Outbound connections? Lines of code? Security components?
• All possible… and all at devops speed and portfolio scale
Building Continuous AppSec
Pipeline stages: DEV, CI, TEST, QA, STAG, SEC, OPS
Sensor types: Manual, Dynamic, Static, Interactive, JUnit
Data Warehouse: Application Security Intelligence
Sensors?
How do you know what sensors you need?
1) The OWASP Top Ten?
2) What your tools are good at?
3) What your pentester thinks is important?
4) Actually figure out what matters?
Aspect 2013 Global AppSec Risk Report
(Chart: Applications with at Least One Vulnerability in Category, percentage of applications per category, ordered from Higher Risk to Lower Risk)
What’s In Your Expected Model?
Expected
Requirements
Threat Model
Abuse Cases
Policy
Standards…
There is no security without a model
What Are You Actually Testing?
Pentest
Code Review
Tools
Arch Review
…
Actual
Unfortunately…
Expected: Not being tested (aka RISK)
Actual: Doesn’t need testing (aka WASTE)
Are You Secure?
Secure?
Aligning Sensors with Business Concerns
Business Concerns: Data Protection, Fraud, Availability
Defense Strategies: Minimize Sensitive Data, Role Based Access Control, Encrypt Data in Storage and Transit, Logging and Intrusion Detection
Actual Defenses: Full Disk Encryption with TrueCrypt, Programmatic Encryption with ESAPI, TLS Everywhere with Venafi
Sensors: Libraries Present and Up-to-date, Encryption Correctness with JUnit Tests, ESAPI Used Properly
Continuous Application Security!
Translate “expected” into sensors
New Threats, Business Priorities
Expected
Actual
Application security dashboards
Application Portfolio (dashboard grid of per-application grades)
How to Get Started
Choose a sensor
Build it with developers
Deploy your sensor
Create a dashboard using Excel
Transforming AppSec
AppSec Optimization
AppSec as Business Driver
AppSec Strategy
AppSec Monitoring
AppSec Compliance
We will never improve if our only metric is whether we are doing what everyone else is doing
Thank You!
Please stop by the Contrast Security booth!
@planetlevel
Expected: Tracking Coverage
Infrastructure Security
Secure Development
Logging and Accountability
Security Verification
Data Protection
▼ Minimal data collection
▼…
Incident Response
▼ Strong encryption in storage and transit
▼ All external connections use SSL
▼ All internal connections use SSL
▼ SSL hardened according to OWASP
▼ All highly sensitive data encrypted
▼ Encryption uses standard control
▼ Encryption uses AES, no CBC or ECB
▼ Universal authentication
▼…
▼ Pervasive access control
▼…
▼ Injection defenses
▼ Strict positive validation of all input
▼ Use of parameterized interfaces
▼ All parsers hardened
▼ XML parsers set to not use DOCTYPE
▼ Browser set no content sniffing header
▼ Etc…
▼ Use Hibernate and secure coding
▼ Use JQuery and secure coding
▼ Etc…
Enterprise Controls Dashboard
Columns: Expected Defense / Defense Present? / Defense Correct? / Applications Tested? / Training and Support
Rows (expected defenses): Authentication, Authorization, Cryptography, Validation, Escaping, Tokens, Logging, Intrusion Detection, Random Numbers, Browser Security, Safe API Wrappers, Object Reference Management, Error Handling