immunio
WE USED TO BUILD APPS LIKE THIS:
January - April: Write code
May: Test / Fix Bugs / Security!
June: Deploy
NOW WE BUILD APPS LIKE THIS:
9:00 AM - Noon: Write code
Noon: Test / Fix Bugs / Security!
2:00 PM: Deploy
COMPARING SECURITY TECHNIQUES
▸ Code Reviews & Penetration Testing
▸ Static Analysis
▸ Web Application Firewalls (WAFs)
▸ Run-time Application Self Protection
CODE REVIEWS & PEN TESTING
▸ Requires significant expertise
▸ Manual process which takes time
▸ Prone to human error
▸ “Permanently” fixes underlying issue (when done well)
STATIC CODE ANALYSIS
▸ “Warnings” != Vulnerabilities
▸ Requires manual review and manual correction
▸ Easy to implement
▸ Gives engineers code-level details to find and fix vulns
WEB APPLICATION FIREWALL (WAF)
▸ Needs to be manually trained and updated (rule writing)
▸ Has little context available (sits outside the application)
▸ Adds latency (extra network hop, usually)
▸ Protects the app in real time, in production
▸ A lot of vendors to choose from
RUNTIME APPLICATION SELF-PROTECTION (RASP)
▸ Requires integration, or explicit framework/library support
▸ Protects the app in real time, in production
▸ Visibility of session, user, behavior, and more
▸ Gives engineers code-level details to find and fix vulns
▸ Protects against many zero-day exploits
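The deck's contrast between a WAF (outside the app, sees only the HTTP request) and RASP (inside the app, sees the actual query about to run) is easiest to grasp with a small in-process hook. The following is an added illustration, not code from the deck or from any RASP product: a hypothetical `RaspCursor` wrapper that learns the structural shape of the SQL issued at each call site and refuses a query whose shape user input has changed; the call-site label and sample data are constructed.

```python
import re
import sqlite3

# Tokenize SQL into string literals, numbers, words and single punctuation characters.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")


def sql_shape(query):
    """Reduce a query to its structural shape: literal values become placeholders."""
    shape = []
    for tok in TOKEN_RE.findall(query):
        if tok.startswith("'") and len(tok) >= 2 and tok.endswith("'"):
            shape.append("STR")
        elif tok.isdigit():
            shape.append("NUM")
        else:
            shape.append(tok.upper())
    return tuple(shape)


class RaspCursor:
    """Hypothetical RASP-style wrapper around a DB-API cursor (illustrative only).
    The first query seen at a call site fixes that site's expected shape; a later
    query with a different shape is recorded with code-level context and refused."""

    def __init__(self, cursor):
        self._cursor = cursor
        self._baseline = {}   # call_site -> expected shape
        self.events = []      # what the hook would report back to engineers

    def execute(self, call_site, query, params=()):
        shape = sql_shape(query)
        expected = self._baseline.setdefault(call_site, shape)
        if shape != expected:
            self.events.append({"call_site": call_site, "query": query, "action": "blocked"})
            raise PermissionError(f"query structure changed at {call_site}")
        return self._cursor.execute(query, params)


def demo():
    """Run constructed sample queries through the wrapper; return the recorded events."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'user'), ('bob', 'admin')")
    cur = RaspCursor(db.cursor())
    site = "users_view.py:42"   # constructed call-site label; a real hook would read the stack
    # Two benign requests: the literal differs, the shape does not, so both run.
    cur.execute(site, "SELECT name FROM users WHERE name = 'alice'")
    cur.execute(site, "SELECT name FROM users WHERE name = 'bob'")
    # Constructed hostile input: the literal is closed and a clause appended, so the shape changes.
    try:
        cur.execute(site, "SELECT name FROM users WHERE name = '' OR role = 'admin' --'")
    except PermissionError:
        pass
    return cur.events
```

A WAF in front of this app would have to recognise the same input from request bytes alone; the in-process hook instead compares the query the application is actually about to execute, which is the context advantage the RASP bullets describe.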