FROM CONTINUOUS INTEGRATION TO VIRTUAL PATCHING BUILDING APPSEC ALL ALONG THE WEB APPLICATION LIFECYCLE
Mikael Le Gall, Security Sales Engineer EMEA, Rapid7. Topics: Application Security Testing, Application Development, Vulnerability Management, Incident Detection & Response. Languages: French ✔ English ✔ Arabic ✖
APPLICATION SECURITY IS A KEY CHALLENGE
Web applications are a primary target: they accounted for up to 40% of confirmed breaches in some industries, and 95% of confirmed web application breaches were financially motivated. Source: the 2016 Verizon Data Breach Investigations Report.
So, why is application security so hard? Attackers, attacks and applications are in constant evolution.
Evolving attackers: hacktivists, state sponsored, cyber criminals, insider threat.
Evolving attacks: OWASP Top 10.
OK, I GET IT… I NEED TO SCAN MY APPLICATIONS
Plenty of free attacking tools: SQLMap, w3af, Burp Suite (free edition), Skipfish, Grendel-Scan, ZAP Proxy, etc. All great exploit tools and a good way to get started, but they can only do so much.
Attacking is the easy part
You can’t attack what you can’t see
Evolving application complexity [timeline]: HTML static pages → CGI scripted pages → Web 2.0 (AJAX, Flash/Flex, Silverlight) → Web 3.0 & mobile (JSON, REST, AMF, SOAP; application frameworks / SOAs) → JavaScript
Summary: economically motivated attackers use sophisticated tools; sophisticated applications confuse some automated detection; attacks are changing, and the OWASP Top 10 is not enough. Attackers, attacks, applications.
DEVSECOPS
Different teams, different goals…
What is DevOps? DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.
DevSecOps: “Everyone is responsible for security”, with the goal of safely distributing security decisions at speed and scale. It does not have to be like this. (Image: Pete Cheslock at #DevOpsDaysAustin.)
Problems with security at the end: 1. Increased costs 2. Delayed releases
Find and fix security issues early in the SDLC! [Chart: relative cost of fixing a defect by phase (Requirements, Coding, Integration/component testing, System testing, Production); a defect fixed after the application is released into Production costs 30x more than one fixed during design. Cost source: NIST]
Development Cycle based on Continuous Integration
Embed Scanning Into the Development Cycle
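As an added example (not from the slides or from Rapid7's tooling), here is a Python gate a CI job could run after the DAST step: it flattens a report in the shape of OWASP ZAP's traditional JSON output (the field names are assumed from that format and the sample report is constructed), fails the build when untriaged findings reach a chosen risk level, and waives fingerprints that were already accepted so known issues do not block every build while still being printed.

```python
"""CI gate over a DAST scan report (added example, not the presentation's code).

Assumption: the report follows the shape of OWASP ZAP's traditional JSON report
(site[] -> alerts[] with a riskcode 0..3 and a list of instances). The report
below is constructed for illustration, not the output of a real scan.
"""
import json
import sys
from urllib.parse import urlparse

RISK_LEVELS = {"informational": 0, "low": 1, "medium": 2, "high": 3}
RISK_NAMES = {level: name for name, level in RISK_LEVELS.items()}

# Constructed sample report (hostnames, plugin ids and URLs are illustrative).
SAMPLE_REPORT = json.dumps({
    "@version": "2.x",
    "site": [{
        "@name": "http://staging.example.test",
        "alerts": [
            {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
             "instances": [{"uri": "http://staging.example.test/items?id=1",
                            "method": "GET", "param": "id"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "2",
             "instances": [{"uri": "http://staging.example.test/search?q=x",
                            "method": "GET", "param": "q"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "instances": [{"uri": "http://staging.example.test/",
                            "method": "GET", "param": ""}]},
        ],
    }],
})


def load_findings(report_json):
    """Flatten the report into one record per (alert, instance).

    Each record carries a fingerprint (pluginid, URL path, parameter) that stays
    stable across builds even when query values or the scanned host change.
    """
    report = json.loads(report_json)
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert["riskcode"])
            for inst in alert.get("instances", []):
                path = urlparse(inst["uri"]).path
                param = inst.get("param", "")
                findings.append({
                    "plugin": alert["pluginid"], "alert": alert["alert"], "risk": risk,
                    "method": inst.get("method", ""), "path": path, "param": param,
                    "fingerprint": (alert["pluginid"], path, param),
                })
    return findings


def gate(findings, fail_at="medium", accepted=frozenset()):
    """Decide whether the build may proceed.

    fail_at:  lowest risk name that blocks the build.
    accepted: fingerprints already triaged (tracked in a ticket) that must not
              block again; they are returned separately so they stay visible.
    Returns (passed, blocking, waived).
    """
    threshold = RISK_LEVELS[fail_at]
    blocking, waived = [], []
    for f in findings:
        if f["risk"] < threshold:
            continue
        (waived if f["fingerprint"] in accepted else blocking).append(f)
    return (not blocking, blocking, waived)


def summarize(findings):
    """Count findings per risk name, for the build log."""
    counts = {name: 0 for name in RISK_LEVELS}
    for f in findings:
        counts[RISK_NAMES[f["risk"]]] += 1
    return counts


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    print("scan summary:", summarize(found))
    # The reflected XSS is already ticketed; waive exactly that fingerprint.
    passed, blocking, waived = gate(found, fail_at="medium",
                                    accepted={("40012", "/search", "q")})
    for f in blocking:
        print(f"BLOCK {RISK_NAMES[f['risk']]:<6} {f['alert']} {f['method']} {f['path']} param={f['param']!r}")
    for f in waived:
        print(f"WAIVE {RISK_NAMES[f['risk']]:<6} {f['alert']} {f['method']} {f['path']} param={f['param']!r}")
    sys.exit(0 if passed else 1)
```

Run as a pipeline step, the script exits non-zero while the SQL injection is open, so the merge is blocked; once the finding disappears from the report (or is deliberately added to the accepted set) the same job goes green. Keeping the accepted set keyed on fingerprints rather than on alert names stops a waiver for one endpoint from silently covering a new instance of the same issue elsewhere.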
VIRTUAL PATCHING
How long does it take for web vulnerabilities to get fixed? Source: WhiteHat Security's 2012 report.
Challenges around protecting the applications. WAFs are a critical component of your AppSec strategy. Efficiency ratio: # attacks blocked / # false positives. Challenges:
‒ Applications are changing too quickly to keep up (technologies and pace of releases)
‒ Lack of time/expertise/resources to manage the WAF
‒ False positives are paralysing (WAF left in non-blocking, detection-only mode)
Virtual patching: leverage the result of a scan to automate rule creation. An effective custom virtual patch combines WAF knowledge with application knowledge; an ineffective virtual patch just turns on a default WAF rule.
Accelerate your remediation: the defensive workflow
1. Run a scan and import the discovered vulnerabilities into the rule creation module
2. Select the vulnerabilities to protect against
3. Generate filters and upload them into the WAF/IPS
4. Run QuickScan to verify the effectiveness of the rules
Always measure efficiency!
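As an added example (not the presenter's or Rapid7's code), the following Python shows the virtual-patching idea from the workflow above end to end: from one constructed scan finding plus the application knowledge that the vulnerable parameter must be an integer, it renders a targeted ModSecurity-style SecRule chain, then mirrors that rule's decision in Python against constructed traffic to compute the slide's efficiency ratio (attacks blocked / false positives) next to a generic default-style SQL injection rule. The SecRule text, the TYPE_PATTERNS allowlist and all requests are assumptions for illustration; nothing here runs ModSecurity itself.

```python
"""Virtual patch from a scan finding, plus efficiency measurement (added example).

Assumptions: the finding shape, the 'expected' value type (application knowledge
supplied by the analyst), the allowlist regexes and the traffic are all constructed.
The decision functions mirror rule logic in Python so the ratio can be measured
offline; they are not a WAF.
"""
import re

# Positive-security allowlists for value types the application expects.
TYPE_PATTERNS = {
    "int": r"^[0-9]{1,10}$",
    "slug": r"^[a-z0-9-]{1,64}$",
}

# One constructed finding: the scanner found SQLi in GET /items?id=...;
# 'expected' is the analyst's knowledge that id is always a numeric key.
FINDING = {"type": "SQL Injection", "method": "GET", "path": "/items",
           "param": "id", "expected": "int"}

# Constructed traffic: 'attack' is the ground truth used to score each rule.
TRAFFIC = [
    {"path": "/items", "args": {"id": "42"}, "attack": False},
    {"path": "/items", "args": {"id": "42 OR 1=1"}, "attack": True},
    {"path": "/items", "args": {"id": "1' UNION SELECT password FROM users--"}, "attack": True},
    {"path": "/items", "args": {"id": "1;--"}, "attack": True},
    {"path": "/search", "args": {"q": "O'Brien"}, "attack": False},          # legitimate apostrophe
    {"path": "/comments", "args": {"text": "great -- thanks; see you"}, "attack": False},
    {"path": "/items", "args": {}, "attack": False},                           # parameter absent
]


def virtual_patch(finding, rule_id):
    """Render a targeted ModSecurity-style virtual patch for one finding.

    The first rule fires only on the vulnerable path; the chained rule blocks
    only when the vulnerable parameter falls outside the expected type.
    """
    path, param = finding["path"], finding["param"]
    pattern = TYPE_PATTERNS[finding["expected"]]
    msg = f"Virtual patch: {finding['type']} in {finding['method']} {path} param {param}"
    return (
        f'SecRule REQUEST_FILENAME "@streq {path}" \\\n'
        f'    "id:{rule_id},phase:2,deny,status:403,log,msg:\'{msg}\',chain"\n'
        f'    SecRule ARGS:{param} "!@rx {pattern}" "t:none"'
    )


def patch_blocks(finding, request):
    """Mirror the patch's decision: same path, parameter present, value off-allowlist."""
    if request["path"] != finding["path"]:
        return False
    value = request["args"].get(finding["param"])
    if value is None:  # chained rule has no ARGS:param to inspect, so nothing matches
        return False
    return re.fullmatch(TYPE_PATTERNS[finding["expected"]], value) is None


# A generic, application-agnostic denylist in the style of a default SQLi rule.
GENERIC_SQLI = re.compile(r"'|--|;|\bunion\b", re.IGNORECASE)


def generic_rule_blocks(request):
    """Block any request whose arguments contain common SQLi tokens, on every path."""
    return any(GENERIC_SQLI.search(v) for v in request["args"].values())


def efficiency(block_fn, traffic):
    """Slide's ratio (# attacks blocked / # false positives) plus the raw counts."""
    blocked = fp = missed = 0
    for req in traffic:
        decision = block_fn(req)
        if decision and req["attack"]:
            blocked += 1
        elif decision:
            fp += 1
        elif req["attack"]:
            missed += 1
    ratio = blocked / fp if fp else float("inf")
    return {"blocked": blocked, "false_positives": fp, "missed": missed, "ratio": ratio}


if __name__ == "__main__":
    print(virtual_patch(FINDING, 9001001))
    print("custom patch :", efficiency(lambda r: patch_blocks(FINDING, r), TRAFFIC))
    print("generic rule :", efficiency(generic_rule_blocks, TRAFFIC))
```

On this traffic the targeted patch blocks all three injection variants with no false positives, while the generic denylist misses the `42 OR 1=1` payload and blocks two legitimate requests (the apostrophe in a name, the dashes and semicolon in a comment). That is the slide's point in numbers: the efficiency ratio is what justifies running the rule in blocking mode, and it only comes out well when the rule carries application knowledge about the specific path and parameter.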
THANK YOU