
Runtime protection in the real world

Brooks Garrett, Security Architect

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Who are you?

Brooks Garrett

Security Architect, Fortify on Demand

Professional

• Head Security Architect for Global FOD Operations
• Information Security professional for 5 years
• CISSP
• Worked with multiple Fortune 100 companies
• OWASP Member
• Contributor to community AppSec projects (DVWA)

Personal

• Father
• Rugby player for over 8 years

What is Fortify on Demand?

• Static Analysis
• Dynamic Analysis
• Mobile Apps

What is Fortify on Demand?

Distributed Operations

• Presence in 4 major regions around the world
• Customers in over 15 countries
• 5 data centers
• 3 operations teams

High Volume (This Year)

• Over 300 customers
• Over 3,000 applications
• Over 15 languages
• Over 225 million lines of code

The problem

The problem

• Bugs
• Errors
• Performance

Evolving attacks

Obfuscation:

• URL encoding
• JavaScript packing
• Double encoding
• Malformed UTF-7

Business Logic:

• Purchase with negative value
• Bypass multi-step process validation
• Ship without paying

Security vs. functionality

Developers have competing priorities

• Functionality tends to ship ahead of security
• Project roadmaps aren’t including exhaustive security reviews
• Developer training is often framework- or technology-centric

Standardized logging, isn’t

What are your apps doing?

• If someone is abusing an application, how would you know?
• Network events are standardized and documented
  – Internal application logging is often the Wild West of IT
• Developers tend to log in various formats and focus on debug-related events
  – Less focus on security-centric events
• Definition of a security event varies from application to application
• SIEM solutions expect normalized data to work efficiently

The solution

The solution

What if we could:

• Block advanced injection attacks
  – Regardless of obfuscation
• Integrate seamlessly with our existing applications
• Generate application event logs
  – Without burdening developers or making code changes
  – In an industry standard format

What about WAF?

WAF is too far from your application:

• WAF can’t block advanced injection attacks
  – The WAF only sees obfuscated attacks
• WAF can’t integrate seamlessly with our existing applications
  – WAF doesn’t understand application flow
• WAF can’t generate application event logs
  – WAF has no visibility into application functions

Examples

WAF is great in theory but falls short in reality:

• Block advanced injection attacks
  – The WAF only sees obfuscated attacks
  – id=1%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/1,2,password%252f%252a*/FROM%252f%252a*/Users--+
• Integrate seamlessly with our existing applications
  – WAF doesn’t understand application flow
  – No integration, just another layer of network defense
• Generate application event logs
  – WAF has no visibility into application functions
  – WAF talks GET and POST; the application talks File.WriteLine(SSN.ToString())
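Added example (not from the talk): the slide’s double-encoded `id` value inspected from two vantage points, a filter that applies one URL-decode pass and an in-process inspector that decodes until the value is stable and collapses the inline `/**/` comments, which approximates what the application hands to its SQL API. The `UNION <whitespace> SELECT` signature is an assumed, deliberately simple rule; the decoding depth and comment handling are the point.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the double-URL-encoded "id" value from the slide,
# where /**/ comments stand in for the whitespace between SQL tokens.
SAMPLE_ID = ("1%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/1,2,password"
             "%252f%252a*/FROM%252f%252a*/Users--+")

# Assumed signature: a plain "UNION <whitespace> SELECT" rule of the kind a
# network-layer filter might carry.
UNION_SELECT = re.compile(r"\bUNION\s+SELECT\b", re.IGNORECASE)
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def decode_fully(value, max_rounds=5):
    """URL-decode repeatedly until the value stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize_for_sql_inspection(value):
    """Approximate the string that reaches the SQL layer: fully decoded, with
    /**/ comments collapsed to one space so keyword adjacency becomes visible."""
    return INLINE_COMMENT.sub(" ", decode_fully(value))


def compare_views(raw_param):
    """Return what each vantage point sees and whether the signature fires."""
    network_view = unquote(raw_param)  # a single decode pass
    runtime_view = normalize_for_sql_inspection(raw_param)
    return {
        "network_view": network_view,
        "network_flags": UNION_SELECT.search(network_view) is not None,
        "runtime_view": runtime_view,
        "runtime_flags": UNION_SELECT.search(runtime_view) is not None,
    }


if __name__ == "__main__":
    for key, value in compare_views(SAMPLE_ID).items():
        print(f"{key}: {value}")
```

The single-decode view still contains `%2f%2a*/` between `UNION` and `SELECT`, so the whitespace rule never fires there; the normalized view reads as the plain query and is caught.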

"Give a small boy a hammer, and he will find that everything he encounters needs pounding."

Abraham Kaplan (1964)

The solution

Fortify RTA

• Integrates into the CLR (Common Language Runtime) for deep inspection of the application
• Fast deployment time
• Leverages standard Fortify rule definitions with ongoing support and updates
• Increases resource consumption by less than 10%
• Extremely flexible response capability
• Provides line-of-code detail for developer remediation
• Extends and enables logging from the application without code changes
• Removes the need for additional SSL certificate deployment and management

Implementing the solution

Deployment

Basic plan

1. Deploy SSC (Software Security Center)
2. Configure Federations
3. Deploy Agents

SSC

Software Security Center

• Java web application
• Runs well inside Tomcat 7
• Deployed with MySQL
• Optional

Configure federations

Federations provide

• Centralized configuration management
• Centralized update management
• Ability to separate endpoints for better visibility
• Ability to swap between Protect and Log mode on the fly
• Ability to temporarily disable the solution completely

Agent deployment

Basic plan

1. Agent installer is a single EXE package
2. Requires a server service restart
3. Agents register according to federation rules

Deployment experience

Positive

• Able to deploy to all servers with zero downtime inside one week
• Deployed via SCCM
• Integration with ArcSight and other CEF-compliant devices was painless

Considerations

• SSC will house all of your security event data; proper database planning advised
• Deploy throughout the whole organization, starting in QA and Integration
• Deploy in Log mode initially, but commit to enabling Protect mode for the most value

Getting value from the solution

Getting value from the solution

Immediate value from advanced features

• Closing the loop and providing developers with line-of-code detail
• Standardized application logging without changing existing code
• Versatile response capabilities

Closing the loop

Developer visibility at line of code level

• Beyond URLs
  – Covers both security and performance issues
  – Line-of-code reference for issues
  – Specific stack trace for exceptions
  – Sample request data for reproducing the event

Standardized application logging

DevOps visibility into security issues

• OWASP AppSensor without code changes
  – User logon
  – User logout
  – User privilege level change
  – User password changed
  – Substituting another user’s session ID
  – Hidden field manipulation

Standardized application logging

DevOps visibility into security issues

• Industry standard events from all apps
  – CEF format readily consumable by COTS devices
  – Instant standardization of event data
  – Common transport mechanism over syslog
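Added example (not product code, and not the agent’s actual output): building and parsing a CEF:0 line for one of the AppSensor detection points listed on the previous slide, the way an agent would emit it over syslog and a SIEM connector would consume it. The vendor, product, version and signature id strings are placeholders; the extension keys (`suser`, `src`, `act`, `cs1Label`, `cs1`) are standard CEF keys.

```python
import re

# Characters that CEF represents with a backslash escape in extension values.
ESCAPES = {"n": "\n", "r": "\r"}


def _escape_header(value):
    # Header fields escape backslash and pipe only.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    # Extension values escape backslash, equals sign and line breaks.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), value)


def cef_event(vendor, product, version, signature_id, name, severity, **ext):
    """Format one CEF:0 line. Severity is 0-10; ext holds CEF extension keys."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be 0..10")
    header = "|".join(_escape_header(v) for v in
                      (vendor, product, version, signature_id, name))
    extension = " ".join(f"{k}={_escape_extension(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{int(severity)}|{extension}"


def parse_cef(line):
    """Parse a CEF:0 line back into a dict, as a SIEM connector would."""
    if not line.startswith("CEF:0|"):
        raise ValueError("not a CEF:0 line")
    # Split the header on unescaped pipes only; the extension keeps its pipes.
    parts = re.split(r"(?<!\\)\|", line[len("CEF:0|"):], maxsplit=6)
    vendor, product, version, sig_id, name, severity, ext = parts
    fields = {}
    for chunk in (re.split(r" (?=\w+=)", ext) if ext else []):
        key, _, value = chunk.partition("=")
        fields[key] = _unescape(value)
    return {"vendor": _unescape(vendor), "product": _unescape(product),
            "version": _unescape(version), "signature_id": _unescape(sig_id),
            "name": _unescape(name), "severity": int(severity), "ext": fields}


# Constructed sample: the "Substituting another user's session ID" detection
# point; vendor, product, version and signature id are placeholders.
SAMPLE_EVENT = cef_event("HP", "Fortify RTA", "x.y", "RTA-SESSION-SUBST",
                         "Substituting another user's session ID", 8,
                         suser="alice", src="10.0.0.5", act="block",
                         cs1Label="sessionId", cs1="sess=1|x")
```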

Versatile response capabilities

Custom automated responses

• Respond to threats based on severity
  – Ignore the attack
  – Silently block the attack
  – Block and display a specific error page
  – Integrate with SIEM and active response to eradicate malicious users

Conclusions

Real, tangible DevOps

The future is now

RTA provides

• Advanced defenses against sophisticated attacks regardless of obfuscation
• The closest technology is a WAF…
  – And it doesn’t come close
• Rapid deployment with zero downtime for clustered environments
• Line-of-code references for your developers
• Application logging based on industry best practice with zero coding required
• Powerful and granular response capability, from ignore to nuke from orbit

The new reality of application security

Previous thinking isn’t working

• It is no longer enough to provide network-level defenses for application-level vulnerabilities
• Application security must move beyond the network and into the application
• The ultimate goal of all application security is safeguarding data
  – The application is the closest layer to your data

For more information

Attend these sessions

• 1293, Getting the most out of Fortify SCA
• 1239, HP Fortify on Demand

Visit our booth

• B2

After the event

• Contact your sales rep
• Visit the website at: http://hp.com/go/appsec

Your feedback is important to us. Please take a few minutes to complete the session survey.

Thank you

Security for the new reality