© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Runtime Protection in the Real World

Page 1

Runtime protection in the real world
Brooks Garrett, Security Architect

Page 2

Who are you?

Page 3

Brooks Garrett
Security Architect, Fortify on Demand

Professional
• Head Security Architect for Global FOD Operations
• Information Security professional for 5 years
• CISSP
• Worked with multiple Fortune 100 companies
• OWASP Member
• Contributor to community AppSec Projects (DVWA)

Personal
• Father
• Rugby player for over 8 years

Page 4

What is Fortify on Demand?

• Mobile Apps
• Dynamic Analysis
• Static Analysis

Page 5

What is Fortify on Demand?

Distributed Operations
• Presence in 4 major regions around the world
• Customers in over 15 countries
• 5 Data centers
• 3 Operations teams

High Volume (This Year)
• Over 300 customers
• Over 3,000 applications
• Over 15 languages
• Over 225 Million lines of code

Page 6

The problem

Page 7

The problem

• Bugs
• Errors
• Performance

Page 8

Evolving attacks

Obfuscation:
• URL Encoding
• JavaScript Packing
• Double encoding
• Malformed UTF-7

Business Logic:
• Purchase with negative value
• Bypass multi-step process validation
• Ship without paying

Page 9

Security vs. functionality

Developers have competing priorities
• Functionality tends to ship ahead of security
• Project roadmaps don’t include exhaustive security reviews
• Developer training is often framework or technology centric

Page 10

Standardized logging, isn’t

What are your apps doing?
• If someone is abusing an application, how would you know?
• Network events are standardized and documented
  – Internal application logging is often the Wild West of IT
• Developers tend to log in various formats and focus on debug related events
  – Less focus on security centric events
• Definition of a security event varies from application to application
• SIEM solutions expect normalized data to work efficiently

Page 11

The solution

Page 12

The solution

What if we could:
• Block advanced injection attacks
  – Regardless of obfuscation
• Integrate seamlessly with our existing applications
• Generate application event logs
  – Without burdening developers or making code changes
  – In an industry standard format

Page 13

What about WAF?

WAF is too far from your application:
• WAF can’t block advanced injection attacks
  – The WAF only sees obfuscated attacks
• WAF can’t integrate seamlessly with our existing applications
  – WAF doesn’t understand application flow
• WAF can’t generate application event logs
  – WAF has no visibility into application functions

Page 14

Examples

WAF is great in theory but falls short in reality:
• Block advanced injection attacks
  – The WAF only sees obfuscated attacks
  – id=1%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/1,2,password%252f%252a*/FROM%252f%252a*/Users–+
• Integrate seamlessly with our existing applications
  – WAF doesn’t understand application flow
  – No integration, just another layer of network defense
• Generate application event logs
  – WAF has no visibility into application functions
  – WAF talks GET and POST, the application talks File.WriteLine(SSN.ToString())
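The point of the double-encoded example on this slide is where inspection happens: a signature check on the wire form sees percent-escapes and comment padding, while the application decodes the parameter (twice, when a framework and a handler each decode) and the database parser skips the /* */ comments, so a check at the application layer sees the real statement. The following added example (written for this page, not HP Fortify or the presenter's code) makes that visible: it normalizes a constructed parameter value modelled on the slide's and runs the same detection pattern before and after normalization. The decode-pass cap and the UNION/SELECT pattern are assumptions chosen for the example.

```python
"""Wire form versus application form of a request parameter.

Added example: shows why a check that only sees the obfuscated wire form
misses what the application actually executes.  Sample input and the
detection pattern are constructed for this example.
"""
import re
from typing import Dict, Tuple
from urllib.parse import unquote

MAX_DECODE_PASSES = 3  # assumption: bound the loop so hostile input cannot spin it

# A SQL tokenizer treats /* ... */ as a separator; normalize it to one space.
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Constructed detection pattern: UNION followed by SELECT, case-insensitive.
UNION_SELECT = re.compile(r"\bUNION\b\s*\bSELECT\b", re.I)


def normalize(value: str) -> Tuple[str, int]:
    """Percent-decode until the value stops changing (bounded), then collapse
    inline comments.  Returns the normalized value and how many decode passes
    were needed, which is itself a useful signal (legitimate input rarely
    needs more than one)."""
    passes = 0
    current = value
    while passes < MAX_DECODE_PASSES:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        passes += 1
    return SQL_COMMENT.sub(" ", current), passes


def looks_like_union_injection(value: str) -> bool:
    """True when the UNION SELECT pattern is present in the given form."""
    return UNION_SELECT.search(value) is not None


def inspect_wire_vs_runtime(raw: str) -> Dict[str, object]:
    """Run the same pattern on the wire form and on the normalized form so
    the difference between network-layer and application-layer visibility
    is explicit."""
    normalized, passes = normalize(raw)
    return {
        "wire_form": raw,
        "wire_match": looks_like_union_injection(raw),
        "normalized": normalized,
        "decode_passes": passes,
        "runtime_match": looks_like_union_injection(normalized),
    }


# Constructed sample modelled on the slide's double-encoded id parameter.
SAMPLE = ("1%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/"
          "1,2,password%252f%252a*/FROM%252f%252a*/Users")

if __name__ == "__main__":
    for key, val in inspect_wire_vs_runtime(SAMPLE).items():
        print(f"{key}: {val}")
```

Running it shows `wire_match` false and `runtime_match` true for the same parameter, with two decode passes in between; an agent that hooks the runtime after decoding gets the second view for free, whereas a network device has to guess how many layers the application will peel.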

Page 15

"Give a small boy a hammer, and he will find that everything he encounters needs pounding."
Abraham Kaplan (1964)

Page 16

The solution

Fortify RTA
• Integrates into the CLR (Common Language Runtime) for a deep inspection of the application
• Fast deployment time
• Leverages standard Fortify rule definitions with ongoing support and updates
• Increases resource consumption by less than 10%
• Extremely flexible response capability
• Provides line of code detail for developer remediation
• Extends and enables logging from the application without code changes
• Removes the need for additional SSL certificate deployment and management

Page 17

Implementing the solution

Page 18

Deployment

Basic plan
1. Deploy SSC (Software Security Center)
2. Configure Federations
3. Deploy Agents

Page 19

SSC

Software Security Center
• Java Web Application
• Runs well inside Tomcat 7
• Deployed with MySQL
• Optional

Page 20

Configure federations

Federations provide
• Centralized configuration management
• Centralized update management
• Ability to separate endpoints for better visibility
• Ability to swap between Protect and Log mode, on the fly
• Ability to temporarily disable the solution completely

Page 21

Agent deployment

Basic plan
1. Agent installer is a single EXE package
2. Requires a server service restart
3. Agents register according to federation rules

Page 22

Deployment experience

Positive
• Able to deploy to all servers with zero downtime inside one week
• Deployed via SCCM
• Integration with ArcSight and other CEF compliant devices was painless

Considerations
• SSC will house all of your security event data, so proper database planning is advised
• Deploy throughout the whole organization, starting in QA and Integration
• Deploy in Log mode initially, but commit to enabling Protect mode for the most value

Page 23

Getting value from the solution

Page 24

Getting value from the solution

Immediate value from advanced features
• Closing the loop and providing developers with line of code detail
• Standardized application logging without changing existing code
• Versatile response capabilities

Page 25

Closing the loop

Developer visibility at line of code level
• Beyond URLs
  – Covers both security and performance issues
  – Line of code reference for issues
  – Specific stack trace for exceptions
  – Sample request data for reproducing the event

Page 26

Standardized application logging

DevOps visibility into security issues
• OWASP AppSensor without code changes
  – User logon
  – User logout
  – User privilege level change
  – User password changed
  – Substituting another user’s session ID
  – Hidden field manipulation

Page 27

Standardized application logging

DevOps visibility into security issues
• Industry standard events from all apps
  – CEF format readily consumable by COTS devices
  – Instant standardization of event data
  – Common transport mechanism over syslog

Page 28

Versatile response capabilities

Custom automated responses
• Respond to threats based on severity
  – Ignore the attack
  – Silently block the attack
  – Block and display a specific error page
  – Integrate with SIEM and active response to eradicate malicious users

Page 29

Conclusions

Page 30

Real, tangible DevOps

Page 31

The future is now

RTA provides
• Advanced defenses against sophisticated attacks regardless of obfuscation
• The closest technology is a WAF…
  – And it doesn’t come close
• Rapid deployment with zero downtime for clustered environments
• Line of code references for your developers
• Application logging based on industry best practice with zero coding required
• Powerful and granular response capability from ignore to nuke from orbit

Page 32

The new reality of application security

Previous thinking isn’t working
• It is no longer enough to provide network level defenses for application level vulnerabilities
• Application security must move beyond the network and into the application
• The ultimate goal of all application security is safeguarding data
  – The application is the closest layer to your data

Page 33

For more information

Attend these sessions
• 1293, Getting the most out of Fortify SCA
• 1239, HP Fortify on Demand

Visit our booth
• B2

After the event
• Contact your sales rep
• Visit the website at: http://hp.com/go/appsec

Your feedback is important to us. Please take a few minutes to complete the session survey.

Page 34

Thank you

Page 35

Security for the new reality