CONTRAST SECURITY
291 Lambert Avenue
Palo Alto, CA 94306
www.contrastsecurity.com
Jeff Williams, CTO
@planetlevel
CONTINUOUS APPLICATION SECURITY AT SCALE WITH IAST AND RASP
2
ENTERPRISE APPLICATIONS ARE 37% OF IT SPEND… AND GROWING 24.8% ANNUALLY
Application (37% of IT spend): Develop, Purchase/Rent, Support
Other IT spend categories shown: Data Center, Compute, Storage, Network, Delivery, Output, Communication, End User, IT Management, Compliance
Breakdown of application spend:
• Internal Labor (36% of app spend)
• External Labor (11% of app spend)
• Software (28% of app spend)
• Outside Services (15% of app spend)
• Other (10% of app spend)
Every dollar spent on enterprise applications increases vulnerability
3
APPLICATION SECURITY IS YOUR BIGGEST RISK
[Logos of breached organizations: World Trade Org, U.S. Army, LinkedIn, SAP, United Nations, Royal Navy, Wall Street Journal, Heartland, JP Morgan, LivingSocial, Target, Diners Club, Tesla, JC Penney, PBS, Microsoft UK, Yahoo, NASDAQ, Sony Music, FBI, 7-Eleven, Sony Playstation, HBGary Federal, Guess, Sony Pictures, NASA, Yahoo, U.S. IRS, Adobe, eHarmony, U.S. Dept of Census]
Application security has been the leading cause of breaches for the past nine years.
Source: 2016 Verizon Data Breach Investigation Report (DBIR)
4
TRADITIONAL APPSEC PROGRAMS ARE FAILING
[Diagram: a Traditional AppSec Program funnels Experts and Expert Tools across the Application Portfolio (containers included); measured on Assurance, Coverage and Process Fit, the outcome is labelled "Awful Results"]
5
A HISTORY OF APPLICATION SECURITY AUTOMATION
Development (find vulnerabilities): SAST (Static AppSec Testing), DAST (Dynamic AppSec Testing), IAST (Interactive AppSec Testing)
Operations (block attacks): IDS/IPS (Intrusion Detection/Prevention System), WAF (Web Application Firewall), RASP (Runtime Application Self-Protection)
Unified Agent: IAST and RASP
6
SOFTWARE TRENDS CHALLENGING SAST/DAST/WAF
Libraries: explosive growth in libraries and frameworks
Services: microservices, APIs, REST/XML services
Cloud: rapidly growing use of cloud and containers
Agile: high speed software development
SAST can’t handle scale and complexity of supply chain
SAST and DAST can’t handle API and web service complexity
WAF can’t handle infrastructure deployment pace and complexity
SAST, DAST, and WAF all require experts in the critical path
7
CONTRAST IAST & RASP DELIVER SECURITY WHERE IT’S NEEDED
Contrast IAST/RASP Agent instruments your application with sensors that protect against both vulnerabilities and attacks
[Diagram: the Contrast Agent sits inside your application stack, alongside the Runtime, Frameworks, Libraries and Custom Code]
All agents report to Contrast TeamServer to protect the entire application portfolio in parallel
8
DETECTING AND BLOCKING BOTH ATTACKS AND VULNERABILITIES
[Diagram: an HTTP Request from a Developer, Tester, User or Attacker flows through Controller → Validation → Session → Business Logic → Data Layer → SQL API → Database. Sensors woven into the running application capture Data Parsing, Data Tracking, Validation Tags, Escaping Tags and the Query; the security context assembled within the Contrast Agent answers "Vulnerability?" and "Attack?" with ✓/✘ outcomes]
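The slide above shows the agent's sensors tagging data as it moves from the HTTP request through validation, escaping and the query, and then answering two separate questions at the sink: is this a vulnerability (untrusted data reached the SQL API without a neutralising tag) and is this an attack (the data actually carries query-altering characters)? The following is an added toy model of that pipeline, not Contrast's code; a real IAST/RASP agent injects its sensors into frameworks and libraries through bytecode instrumentation rather than explicit calls, and the names here (Agent, Tainted, handle_request, the "validated" and "sql-escaped" tags, the structure-character heuristic) are hypothetical. The sample request values are constructed.

```python
# Added example: toy model of the sensor/taint pipeline on this slide.
# Not Contrast's code; all class and function names are hypothetical.
import re
from dataclasses import dataclass, field

SAFE_FOR_SQL = {"validated", "sql-escaped"}    # tags that neutralise SQL taint
STRUCTURE_CHARS = re.compile(r"['\";]|--")     # simplified: chars that alter query structure


@dataclass
class Tainted:
    """A string value plus the provenance and tags the agent attaches to it."""
    value: str
    source: str
    tags: set = field(default_factory=set)


class Agent:
    """Security context assembled from sensors along the request path."""

    def __init__(self, mode="iast"):
        self.mode = mode          # "iast": report only; "rasp": report and block
        self.findings = []

    # Source sensor: HTTP parameters are untrusted by definition.
    def source(self, name, raw):
        return Tainted(raw, f"request.param[{name}]")

    # Validation sensor: an allow-list match earns a "validated" tag.
    def validate(self, t, allow_pattern):
        if re.fullmatch(allow_pattern, t.value):
            t.tags.add("validated")
            return True
        return False

    # Escaping sensor: a quoting routine earns an "sql-escaped" tag.
    def sql_escape(self, t):
        return Tainted(t.value.replace("'", "''"), t.source, t.tags | {"sql-escaped"})

    # Sink sensor: the query is inspected part by part, provenance intact.
    def sql_sink(self, parts):
        query = "".join(p.value if isinstance(p, Tainted) else p for p in parts)
        for p in parts:
            if isinstance(p, Tainted) and not (p.tags & SAFE_FOR_SQL):
                # Vulnerability: untrusted data reached the SQL API unneutralised,
                # regardless of whether this particular value is malicious.
                self.findings.append({"kind": "vulnerability", "rule": "sql-injection",
                                      "source": p.source, "query": query})
                if STRUCTURE_CHARS.search(p.value):
                    # Attack: the value would change the query's structure.
                    self.findings.append({"kind": "attack", "rule": "sql-injection",
                                          "source": p.source, "value": p.value})
                    if self.mode == "rasp":
                        return {"status": 403, "query": None}
        return {"status": 200, "query": query}


def handle_request(agent, params, validate_input=True, escape_input=True):
    """Controller -> Validation -> Data Layer -> SQL API, with a sensor on each hop."""
    user = agent.source("user", params["user"])                           # Controller
    if validate_input and not agent.validate(user, r"[A-Za-z0-9_]{1,32}"):  # Validation
        return {"status": 400, "query": None}
    if escape_input:                                                      # Data Layer
        user = agent.sql_escape(user)
    # Parts stay separate so the sink still knows which fragment is untrusted.
    return agent.sql_sink(["SELECT id FROM users WHERE name = '", user, "'"])


def run_scenarios():
    """Constructed traffic: benign and attack-shaped values, in IAST and RASP modes."""
    results = {}
    # 1. Hardened path, benign tester traffic: nothing to report.
    a = Agent("iast")
    r = handle_request(a, {"user": "alice"})
    results["hardened"] = (r["status"], [f["kind"] for f in a.findings])
    # 2. Unhardened path, benign tester traffic: IAST reports the vulnerability anyway.
    a = Agent("iast")
    r = handle_request(a, {"user": "alice"}, validate_input=False, escape_input=False)
    results["iast_benign"] = (r["status"], [f["kind"] for f in a.findings])
    # 3. Unhardened path, attack-shaped value, RASP mode: reported and blocked.
    a = Agent("rasp")
    r = handle_request(a, {"user": "bob' OR 1=1 --"}, validate_input=False, escape_input=False)
    results["rasp_attack"] = (r["status"], [f["kind"] for f in a.findings])
    # 4. Validation rejects the same value before any sink is reached.
    a = Agent("rasp")
    r = handle_request(a, {"user": "bob' OR 1=1 --"})
    results["validated_attack"] = (r["status"], [f["kind"] for f in a.findings])
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: status={outcome[0]} findings={outcome[1]}")
```

Scenario 2 is the point of the IAST column on the slide: ordinary developer or tester traffic through a vulnerable path is enough to surface the vulnerability, because the decision is made on provenance and tags rather than on whether the input looked hostile. Scenario 3 is the RASP column: the same sink sensor, now with the context to tell that the untrusted value changes query structure, reports an attack and can block it.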
9
ACCURACY: IAST/RASP HAS AN UNFAIR ADVANTAGE
Software is a black box.
[Chart: visibility of SAST, DAST, WAF and IAST/RASP into HTTP Traffic, Code, Frameworks, Libraries, Runtime Data Flow, Runtime Control Flow, Backend Connections, Configuration Data, Server Configuration, Platform Runtime, Software Architecture, etc.]
IAST/RASP provide full visibility into running application
10
CONTRAST IAST – PROTECT DEVELOPMENT
Contrast accurately identifies vulnerabilities in real-time without scanning or hacking
11
CONTRAST RASP – PROTECT OPERATIONS
Contrast blocks attacks efficiently and accurately with full application context
12
CONTRAST INVENTORY – PROTECT YOUR SUPPLY CHAIN
Contrast instantly profiles all of your applications, open-source libraries, and servers
13
IAST accuracy dominates SAST and DAST
OWASP Benchmark - 21,000 test cases across a range of vulnerabilities
[Chart: benchmark scores of 33% and 100%]
Sponsored by DHS
14
PERFORMANCE: IAST AND RASP ARE BLAZINGLY FAST
WebGoat RASP Processing (microseconds, millionths of a second):
Typical traffic: 50 microseconds
Mixed traffic: 170 microseconds
Heavy attack traffic: 230 microseconds
• Number of applications doesn’t matter
• As fast or faster than if it was coded by hand
• No bottleneck on either bandwidth or CPU (next slide)
15
ELIMINATE THE SAST/DAST/WAF BOTTLENECK
[Diagram: SCAN/WAF as a single perimeter decision point in front of all applications, versus IAST/RASP with a RASP agent inside each application as application decision points]
Three problems: 1) Bottleneck 2) Impedance mismatch 3) False alarms – no context
16
IAST AND RASP ARE A DISTRIBUTED APPROACH
Enable application portfolio with IAST/RASP agents
[Diagram: the application portfolio (containers included) with an agent in each application, measured on Assurance, Coverage and Process Fit]
Continuous assessment and protection in parallel
17
IMAGINE MANAGING APPLICATION SECURITY POLICY AT SCALE
Environments: Development Environment, Unit Testing, Continuous Integration, QA Testing, Performance and Usability Testing, Staging and Acceptance, Production
Applications: Web Apps, Web Services/APIs, New Development, Legacy Apps, Third Party Apps, Internal Apps, External Apps, Frameworks, Cloud/Mobile/IoT
Stakeholders: operations, information security, application security, development, compliance
18
CONTRAST ENTERPRISE
• Contrast offers a unified IAST and RASP product (SAAS and on-premise)
• Proven with high-profile customers in:
  – Global Financial Services
  – eCommerce/Retail
  – Healthcare
  – Software
  – Government/Defense
  – Many more…
• Continuously assessing and securing thousands of applications (10 billion SLOC)
• Discovering over 6,000 zero-day vulnerabilities monthly - ~72,000 annually
CONTRAST SECURITY
291 Lambert Avenue
Palo Alto, CA 94306
www.contrastsecurity.com
“Leader”
“Visionary”
“Innovator”
Are you ready for real application security?