Published by Collin Sherman. Modified over 8 years ago.
1
FROM CONTINUOUS INTEGRATION TO VIRTUAL PATCHING BUILDING APPSEC ALL ALONG THE WEB APPLICATION LIFECYCLE
2
Mikael Le Gall, Security Sales Engineer EMEA, Rapid7. Focus areas: Application Security Testing, Application Development, Vulnerability Management, Incident Detection & Response. Languages: French ✔ English ✔ Arabic ✖
3
APPLICATION SECURITY IS A KEY CHALLENGE
4
Web applications are a primary target. They accounted for up to 40% of confirmed breaches in some industries, and 95% of confirmed web application breaches were financially motivated. Source: the 2016 Verizon Data Breach Investigations Report.
5
So, why is application security so hard? Attackers, attacks and applications are all in constant evolution.
6
Evolving attackers: hacktivists, state sponsored actors, cyber criminals, insider threats.
7
Evolving attacks: the OWASP Top 10.
8
OK, I GET IT… I NEED TO SCAN MY APPLICATIONS
9
Plenty of free attacking tools: SQLMap, w3af, Burp Suite, Skipfish, Grendel-Scan, ZAP Proxy, etc. All great exploit tools and a good way to get started… but they can only do so much.
10
Attacking is the easy part
11
You can’t attack what you can’t see
12
Evolving application complexity (timeline 1990 to 2020): HTML static pages; CGI scripted pages; Web 2.0 (AJAX) with AJAX, Flash/Flex and Silverlight; Web 3.0 & mobile with JSON, REST, AMF and SOAP; application frameworks (SOAs); JavaScript.
13
Summary (attackers, attacks, applications):
- Economically motivated attackers use sophisticated tools.
- Sophisticated applications confuse some automated detection.
- Attacks are changing; the OWASP Top 10 is not enough.
14
DEVSECOPS
15
Different teams, different goals…
16
What is DevOps? DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.
17
DevSecOps: “Everyone is responsible for security”, with the goal of safely distributing security decisions at speed and scale. It does not have to be like this. (Image: Pete Cheslock at #DevOpsDaysAustin.)
18
Problems with security at the end:
1. Increased costs
2. Delayed releases
19
Find and fix security issues early in the SDLC! Relative cost of fixing a defect by phase (chart values as shown on the slide, source: NIST): Requirements 2x, Coding 5x, Integration/component testing 10x, System testing 15x, Production 30x. After an application is released into production, a fix costs 30x more than during design.
20
Development Cycle based on Continuous Integration
21
Embed Scanning Into the Development Cycle
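As an added example (not code from the presentation or from Rapid7's tooling), here is one way to turn an embedded scan into a build gate rather than a report nobody reads: a Python script that consumes a DAST report after the scanner has run against the staging deployment and fails the pipeline when findings at or above a chosen risk level remain. It assumes OWASP ZAP's JSON report layout (site, alerts, instances, with riskcode 0 to 3); the embedded report, plugin ids and hostnames are constructed for the example.

```python
"""CI gate for a DAST scan report (added example, not from the presentation).

Assumes the pipeline has already run OWASP ZAP's baseline scan against the
staging deployment and written a JSON report, for example:

    zap-baseline.py -t https://staging.example.test -J zap-report.json

SAMPLE_REPORT below is constructed to mirror ZAP's JSON report shape.
"""
import json
import sys
from collections import Counter

# ZAP encodes risk as a string riskcode: 0=Informational, 1=Low, 2=Medium, 3=High.
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
RISK_ORDER = ["Informational", "Low", "Medium", "High"]

# Constructed sample: one High (SQLi), one Medium (missing CSP), one Low (cookie flag).
SAMPLE_REPORT = json.dumps({
    "@version": "2.11.1",
    "site": [{
        "@name": "https://staging.example.test",
        "alerts": [
            {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://staging.example.test/product?id=1",
                            "method": "GET", "param": "id"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "https://staging.example.test/", "method": "GET", "param": ""}]},
            {"pluginid": "10010", "alert": "Cookie No HttpOnly Flag", "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://staging.example.test/login", "method": "POST",
                            "param": "session"}]},
        ],
    }],
})


def load_alerts(report_json: str) -> list:
    """Flatten the per-site alert lists into one list with a readable risk name."""
    report = json.loads(report_json)
    alerts = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            alerts.append({
                "pluginid": alert["pluginid"],
                "name": alert["alert"],
                "risk": RISK_NAMES.get(str(alert.get("riskcode", "0")), "Informational"),
                "instances": [i.get("uri", "") for i in alert.get("instances", [])],
            })
    return alerts


def summarize(alerts: list) -> dict:
    """Count alerts per risk level (every level present, even when zero)."""
    counts = Counter(a["risk"] for a in alerts)
    return {level: counts.get(level, 0) for level in RISK_ORDER}


def gate(alerts: list, fail_on: str = "Medium", accepted_plugins: frozenset = frozenset()) -> tuple:
    """Decide whether the build may proceed.

    fail_on:          lowest risk level that blocks the build (Medium blocks Medium and High).
    accepted_plugins: ZAP plugin ids with a recorded risk acceptance; they are still
                      reported but do not block, so exceptions are explicit and reviewable.
    Returns (passed, blocking_alerts).
    """
    threshold = RISK_ORDER.index(fail_on)
    blocking = [a for a in alerts
                if RISK_ORDER.index(a["risk"]) >= threshold
                and a["pluginid"] not in accepted_plugins]
    return (len(blocking) == 0, blocking)


def main(argv: list) -> int:
    # Read the real report when a path is given; fall back to the constructed sample.
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    alerts = load_alerts(report_json)
    for level, n in summarize(alerts).items():
        print(f"{level:>13}: {n}")
    passed, blocking = gate(alerts, fail_on="Medium")
    for a in blocking:
        print(f"BLOCKING [{a['risk']}] {a['name']} (plugin {a['pluginid']}) at {', '.join(a['instances'])}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline the scan step and the gate run back to back (scan, then `python dast_gate.py zap-report.json`), and a non-zero exit stops the deploy. The accepted_plugins set is where a reviewed risk acceptance goes, so an exception is versioned next to the code instead of quietly lowering the threshold for everyone.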
22
VIRTUAL PATCHING
23
How long does it take for web vulnerabilities to get fixed? (From WhiteHat's 2012 report.)
24
Challenges around protecting the applications. WAFs are a critical component of your AppSec strategy. Efficiency ratio: number of attacks blocked / number of false positives. Challenges:
‒ Applications are changing too quickly to keep up (technologies and pace of releases).
‒ Lack of time, expertise and resources to manage the WAF.
‒ False positives are paralysing (so the WAF ends up running in non-blocking mode).
25
Virtual patching: leverage the result of a scan to automate rule creation. An effective custom virtual patch combines WAF knowledge with application knowledge; an ineffective virtual patch just turns on a default WAF rule.
26
Accelerate your remediation: the defensive workflow
1. Run a scan and import the discovered vulnerabilities into the rule creation module.
2. Select the vulnerabilities to protect against.
3. Generate filters and upload them into the WAF/IPS.
4. Run a QuickScan to verify the effectiveness of the rules.
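The workflow above, as an added example that is not the presentation's or Rapid7's code: a Python script that takes imported findings (path, parameter, finding type), generates a targeted ModSecurity virtual patch per finding that allow-lists the vulnerable parameter on that path only, and then replays a few constructed requests against the same logic to check that attack payloads are blocked, legitimate traffic passes, and the patch does not leak onto other paths. The FINDINGS list, the hostnames and the rule id range starting at 100001 are assumptions for the example.

```python
"""Virtual patching from scan results (added example, not from the presentation).

Generates chained ModSecurity rules scoped to one path and parameter (a positive
security model around the vulnerable input), then verifies them with a small
matcher that mirrors the rule logic. FINDINGS and the replayed URLs are constructed.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed findings, as they might look after import from a scanner into a rule-creation step.
# "expect" is the allow-list the application actually needs for that parameter.
FINDINGS = [
    {"id": "F-1", "type": "SQL Injection", "path": "/product", "param": "id", "expect": r"^[0-9]{1,10}$"},
    {"id": "F-2", "type": "Reflected XSS", "path": "/search", "param": "q", "expect": r"^[\w \-]{0,64}$"},
]


def build_rule(finding: dict, rule_id: int) -> str:
    """Emit one chained rule: match the path, then deny if the parameter fails the
    allow-list. The disruptive action (deny) sits on the first rule of the chain."""
    msg = f"Virtual patch {finding['id']}: {finding['type']} in {finding['param']}"
    head = (f'SecRule REQUEST_URI "@beginsWith {finding["path"]}" '
            f'"id:{rule_id},phase:2,deny,status:403,log,msg:\'{msg}\',chain"')
    tail = f'    SecRule ARGS:{finding["param"]} "!@rx {finding["expect"]}" "t:none"'
    return head + "\n" + tail


def build_ruleset(findings: list, first_id: int = 100001) -> str:
    """One rule per finding, ids allocated sequentially from first_id (assumed free range)."""
    return "\n".join(build_rule(f, first_id + n) for n, f in enumerate(findings))


def blocked_by(findings: list, method: str, url: str, body: str = "") -> Optional[str]:
    """Stand-in for the WAF decision used to replay test requests. Returns the id of
    the finding whose patch would block the request, or None. It mirrors the rule
    logic above (path prefix + parameter allow-list); it is not a ModSecurity engine."""
    parts = urlsplit(url)
    args = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for k, v in parse_qs(body, keep_blank_values=True).items():
            args.setdefault(k, []).extend(v)
    for f in findings:
        if not parts.path.startswith(f["path"]):
            continue
        for value in args.get(f["param"], []):
            if not re.fullmatch(f["expect"], value):
                return f["id"]
    return None


def verify(findings: list) -> dict:
    """Step 4 of the workflow: replay attack and legitimate requests (constructed) and
    record which patch, if any, fires. A patch must not fire on other paths that
    happen to use the same parameter name."""
    cases = {
        "sqli": ("GET", "https://app.example.test/product?id=1%27%20OR%201%3D1--"),
        "legit_product": ("GET", "https://app.example.test/product?id=42"),
        "xss": ("GET", "https://app.example.test/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
        "legit_search": ("GET", "https://app.example.test/search?q=blue+shoes"),
        "other_path_same_param": ("GET", "https://app.example.test/account?id=1%27"),
    }
    return {name: blocked_by(findings, m, u) for name, (m, u) in cases.items()}


if __name__ == "__main__":
    print(build_ruleset(FINDINGS))
    for name, hit in verify(FINDINGS).items():
        print(f"{name:>24}: {'blocked by ' + hit if hit else 'allowed'}")
```

The point of the allow-list form is the efficiency ratio from the previous slide: a rule that says "id on /product must be up to ten digits" blocks every SQL injection payload on that parameter with essentially no false positives, whereas a generic SQLi signature applied everywhere is what pushes a WAF into non-blocking mode. Note that @beginsWith also matches sibling paths such as /product-list; switch to @streq when the application has them.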
27
Always measure efficiency!
28
THANK YOU mikael_legall@rapid7.com