Posted: 19-Jan-2017 | Category: Technology | Uploaded by: denim-group
© 2016 Denim Group, Prevoty – All Rights Reserved
Running a High-Efficiency,
High-Visibility Application Security
Program with Prevoty and ThreadFix
July 19, 2016
Arpit Joshipura, VP Product Management, Prevoty
Dan Cornell, CTO, Denim Group
Agenda
• State of Application Security
• ThreadFix Overview
• RASP and Prevoty Overview
• ThreadFix / Prevoty Integration
State of Runtime Application Security
Market trends show movement in the adoption of RASP
Key Executive Updates
1. Attacks on the rise (Web Attacks as the #1
vector in 2015 - Verizon Report)
2. Vulnerability backlog on the rise (>90% have up
to 5000 vulnerabilities that cannot be fixed)*
3. Analysts and Customers now believe that RASP
augments traditional runtime security
4. Customers moving past the stage of education
to active interest in RASP
5. Prevoty emerging as the leader (2 year lead) in
Runtime Application Security with new
competitors like Veracode announcing plans for
RASP this month
* http://blog.prevoty.com/news/the-great-divide-new-report-finds-it-pros-and-security-pros-at-odds-over-appsec
ThreadFix Overview
• Create a consolidated view of your
applications and vulnerabilities
• Prioritize application risk decisions based
on data
• Translate vulnerabilities to developers in
the tools they are already using
Create a consolidated view of your applications and vulnerabilities
Application Portfolio Tracking
Vulnerability Consolidation
Prioritize application risk decisions based on data
Vulnerability Prioritization
Reporting and Metrics
Translate vulnerabilities to developers in the tools they are already using
Defect Tracker Integration
Secure DevOps with ThreadFix
• What does your pipeline look like?
References:
http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu
http://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally
https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html
Runtime Application Security (Visibility & Protection)
Prevoty recognition:
• The Most Innovative Startup 2016
• People Shaping Info Security: Kunal Anand, Co-founder/CTO
• Most Innovative Security Product (Software) of the Year
• 20 Most Promising Enterprise Security Companies
• The Most Innovative Application Security Solution for 2016
Survey Results: IT & Security Professionals Gap
Key findings:
• >90% have up to 5000 vulnerabilities in backlog
• Security professionals spend >3.5 days every week tuning current runtime solutions
* http://blog.prevoty.com/news/the-great-divide-new-report-finds-it-pros-and-security-pros-at-odds-over-appsec
2015 Enterprise Survey: applications are being targeted at runtime (enterprise survey results, Dec 2015)
Question asked: "What is the most common gateway attack experienced by your organization over the past 12 months?" (chart not reproduced; the top 3 vectors constitute 95% of the attacks in production)
In a recent Ponemon Institute research study:
• >75% of those surveyed believe applications are more vulnerable today
• >50% believe organizations are ineffective at security
• ~50% say application security is a top priority
Source: Security Survey by Ponemon Institute, Dec 2015
3 Easy Steps to Runtime
Application Security
Step 1: Identify the maturity of your application security program
Detection, remediation and protection spectrum of programs:
Early stage
• Ad-hoc approach to testing and remediation, driven by compliance
• Limited AppSec tools and process
Intermediate
• Continuous testing
• Inconsistent remediation and protection, with a backlog of vulnerabilities
• AppSec testing tools in place
• SSDLC process framework
• WAF in passive mode
Mature
• Continuous testing
• Consistent remediation
• Continuous monitoring
• AppSec testing tools operationalized
• SSDLC operationalized
• WAF in passive/active mode
• Runtime monitoring
Step 2: Plan for a modern security architecture
(Diagram: security controls by tier, from users to data)
• Users: web browser, mobile app (mobile app hardening SDK/wrapper), endpoint
• Network: NG firewall, web application firewall, load balancer, API gateway
• Applications: backend application and Web API, each with runtime security (RASP) inside the application
• Data: SQL database, database firewall
• SIEM receiving events from the controls above
Step 3: Plan for xAST (static, dynamic and interactive application security testing) in development, RASP in production
Layered application security
RASP works through the SDLC process, with protection in operations
Not all RASPs are equal: LANGSEC-based RASP
Security without signatures and heuristics
• Signatures: regular expressions, white lists/black lists, pattern matching
• Heuristics: anomaly detection, taint analysis, data flow analysis
• LANGSEC (language-theoretic security): none of the above
  - Accurate: <1% false positives
  - Simple: low TCO, no tuning
  - Fast: 30-50x better than regex
LANGSEC-based protection parses input against the grammar of the target language (SQL, HTML, and so on) rather than matching patterns on the raw request, so encoded or obfuscated payloads are seen in the form the application will actually act on, and the protection is applied accurately at the "moment of truth" (code execution).
PREVOTY SOLUTION TODAY: protecting applications in production at runtime
Application security monitoring and protection from inside the application itself at runtime; no changes to the application required. Deployed in the cloud, as a virtual appliance, or self-contained in the application.
Monitoring: application security intelligence
• Insight into what attacks are actually hitting applications in production
• Identifies the "who / what / where / when" of an attack
Protection: RASP (Runtime Application Self-Protection)
• Automatic vulnerability mitigation
• Protects content (XSS), databases (SQL injection), tokens (CSRF) and more
• Buys the development team time to remediate critical vulnerabilities
PREVOTY APPLICATION SECURITY MONITORING: insight into the threats hitting your applications at runtime
• Who: IP address, session info (with user ID), cookie detail; identifies the origin of the threat
• What: contents of the payload, payload intelligence; details the nature of the threat
• When: timestamp (down to the nanosecond); when the attack took place
• Where: URL for web applications, stack trace for SQL queries; where the exploit happened
Applies to legacy applications, new applications and third-party applications.
Ecosystem Integration
Prevoty delivers data on
production application attacks
in progress to:
• SIEMs
• NGFWs
• IPSs
• WAFs
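The three preceding slides (LANGSEC-based RASP, the Prevoty protection slide and the who/what/when/where monitoring slide) describe a technique rather than show it. The block below is an added illustration, not Prevoty's or ThreadFix's code: a guard that sits inside the application at the point a SQL string reaches the database driver. It contrasts signature matching over the raw input, which comment-based obfuscation evades, with a structure-aware (LANGSEC-style) check that lexes the final query and requires tainted input to stay inside a single literal; on a block it emits the who/what/when/where record that the monitoring slide lists and that the ecosystem slide says is forwarded to a SIEM. The lexer is a deliberately small subset of SQL, the table, request context and payloads are constructed samples, and `build_query` supplies the tainted span explicitly where a real RASP would obtain it from taint tracking.

```python
"""Added example (not Prevoty's or ThreadFix's code): a RASP-style guard inside the
application, contrasting signature matching with a structure-aware check and
emitting a who/what/when/where event on a block."""
import re
import sqlite3
import time
import traceback

# Signature approach (what a regex WAF or a signature-based RASP does on raw input).
SIGNATURES = [
    re.compile(r"(?i)\bor\s+\S+\s*=\s*\S+"),   # ' OR 1=1
    re.compile(r"(?i)\bunion\s+select\b"),      # UNION SELECT
]

def signature_hit(user_input):
    """True if any signature matches the raw input."""
    return any(p.search(user_input) for p in SIGNATURES)

# Minimal SQL lexer: every character of the query is covered by exactly one token.
TOKEN_RE = re.compile(r"""
      (?P<string>'(?:[^']|'')*')        # single-quoted literal; '' escapes a quote
    | (?P<comment>--[^\n]*|/\*.*?\*/)   # line or block comment
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<ident>[A-Za-z_]\w*)
    | (?P<ws>\s+)
    | (?P<op>.)                          # any other single character
""", re.VERBOSE | re.DOTALL)

class MalformedSQL(Exception):
    pass

def tokenize(sql):
    """Return [(kind, start, end)]; an unterminated literal raises MalformedSQL."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m.lastgroup == "op" and sql[pos] == "'":
            raise MalformedSQL("unterminated string literal at offset %d" % pos)
        tokens.append((m.lastgroup, m.start(), m.end()))
        pos = m.end()
    return tokens

def build_query(prefix, tainted, suffix):
    """Vulnerable concatenation. Returns the SQL and the span the tainted input
    occupies; a real RASP would learn that span from taint tracking."""
    return prefix + tainted + suffix, (len(prefix), len(prefix) + len(tainted))

def input_is_single_literal(sql, span):
    """LANGSEC-style check: the tainted span must lie inside exactly one string or
    number token. If it touches more than one token, it altered query structure."""
    start, end = span
    if start == end:
        return True
    hits = [t for t in tokenize(sql) if t[1] < end and t[2] > start]
    return len(hits) == 1 and hits[0][0] in ("string", "number")

def guarded_execute(conn, sql, span, ctx):
    """Execute only if the structural check passes; otherwise block and return the
    who/what/when/where event a RASP would ship to a SIEM."""
    try:
        safe = input_is_single_literal(sql, span)
    except MalformedSQL:
        safe = False
    if safe:
        return {"allowed": True, "rows": conn.execute(sql).fetchall()}
    event = {
        "action": "blocked", "category": "sqli",
        "who": {"ip": ctx["ip"], "user_id": ctx["user_id"], "session": ctx["session"]},
        "what": {"payload": sql[span[0]:span[1]], "query": sql},
        "when": {"timestamp_ns": time.time_ns()},
        "where": {"url": ctx["url"], "stack": traceback.format_stack(limit=3)},
    }
    return {"allowed": False, "event": event}

def demo_db():
    """Constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Smith", "s3cret"), (2, "O'Brien", "hunter2")])
    return conn

def lookup_user(conn, name, ctx):
    """The application's (deliberately injectable) query path, now guarded."""
    sql, span = build_query("SELECT id, name FROM users WHERE name = '", name, "'")
    return guarded_execute(conn, sql, span, ctx)

if __name__ == "__main__":
    conn = demo_db()
    # Constructed request context: the "who" and "where" a RASP reads from the request.
    ctx = {"ip": "203.0.113.7", "user_id": "u-1001", "session": "sess-abc", "url": "/users/search"}
    for probe in ["Smith", "O''Brien", "' OR/**/'1'='1", "' UNION/**/SELECT password FROM users--"]:
        r = lookup_user(conn, probe, ctx)
        print(repr(probe), "signature:", signature_hit(probe),
              "rasp:", "allowed" if r["allowed"] else "blocked")
```

The two injection probes use `/**/` in place of whitespace, which defeats both regex signatures but changes nothing structurally: the tainted span still crosses several tokens, so the guard blocks them. An unescaped `O'Brien` is also blocked, because the query it produces is malformed; that is the false-positive class a tuning-free RASP still has to report, and the stack trace in the event is what lets the developer find the concatenation to fix.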
ThreadFix and Prevoty
• Value of integrating RASP with your
Vulnerability Resolution Platform
• Mechanics of integration
Marking Applications as RASP-Protected
Vulnerability Risk Management and RASP
Prioritizing Your Prevoty Rollout
Summary & Joint Value
• Unparalleled insights from within the application
• Efficient prioritization and remediation of
identified vulnerabilities
• Optimize deployment of Prevoty based on
risk and value
Questions and Contact
• ThreadFix www.threadfix.it
• Prevoty www.prevoty.com