1 / 35

Runtime protection in the real world

Runtime protection in the real world. Brooks Garrett, Security Architect. Who are you?. Brooks Garrett. Security Architect, Fortify on Demand. Professional Head Security Architect for Global FOD Operations Information Security professional for 5 years CISSP

shiri
Download Presentation

Runtime protection in the real world

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Runtime protection in the real world Brooks Garrett, Security Architect

  2. Who are you?

  3. Brooks Garrett Security Architect, Fortify on Demand • Professional • Head Security Architect for Global FOD Operations • Information Security professional for 5 years • CISSP • Worked with multiple Fortune 100 companies • OWASP Member • Contributor to community AppSec Projects (DVWA) • Personal • Father • Rugby player for over 8 years

  4. What is Fortify on Demand? Static Analysis Dynamic Analysis Mobile App’s

  5. What is Fortify on Demand? • Distributed Operations • Presence in 4 major regions around the world • Customers in over 15 countries • 5 Data centers • 3 Operations teams High Volume (This Year) • Over 300 customers • Over 3,000 applications • Over 15 languages • Over 225 Million lines of code

  6. The problem

  7. The problem Errors Bugs Performance

  8. Evolving attacks • Obfuscation: • URL Encoding • Javascript Packing • Double encoding • Malformed UTF-7 • Business Logic: • Purchase with negative value • Bypass multi-step process validation • Ship without paying

  9. Security vs. functionality • Developers have competing priorities • Functionality tends to ship ahead of security • Project roadmaps aren’t including exhaustive security reviews • Developer training is often framework or technology centric

  10. Standardized logging, isn’t • What are your apps doing? • If someone is abusing an application how would you know • Network events are standardized and documented • Internal application logging is often the Wild West of IT • Developers tend to log in various formats and focus on debug related events • Less focus on security centric events • Definition of security event varies from application to application • SIEM solutions expect normalized data to work efficiently

  11. The solution

  12. The solution • What if we could: • Block advanced injection attacks • Regardless of obfuscation • Integrate seamlessly with our existing applications • Generate application event logs • Without burdening developers or making code changes • In an industry standard format

  13. What about WAF? • WAF is too far from your application: • WAF can’t block advanced injection attacks • The WAF only sees obfuscated attacks • WAF can’t integrate seamlessly with our existing applications • WAF doesn’t understand application flow • WAF can’t generate application event logs • WAF has no visibility into application functions

  14. Examples • WAF is great in theory but falls short in reality: • Block advanced injection attacks • The WAF only sees obfuscated attacks • id=1%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/1,2,password%252f%252a*/FROM%252f%252a*/Users–+ • Integrate seamlessly with our existing applications • WAF doesn’t understand application flow • No integration, just another layer of network defense • Generate application event logs • WAF has no visibility into application functions • WAF talks GET and POST, the application talks File.WriteLine(SSN.ToString())

  15. "Give a small boy a hammer, and he will find that everything he encounters needs pounding." Abraham Kaplan (1964)

  16. The solution • Fortify RTA • Integrates into the CLR (Common Language Runtime) for a deep inspection of the application • Fast deployment time • Leverages standard Fortify rule definitions with ongoing support and updates • Increases resource consumption by less than 10% • Extremely flexible response capability • Provides line of code detail for developer remediation • Extends and enables logging from the application without code changes • Removes the need for additional SSL certificate deployment and management

  17. Implementing the solution

  18. Deployment • Basic plan • Deploy SSC (Software Security Center) • Configure Federations • Deploy Agents

  19. SSC • Software Security Center • Java Web Application • Runs well inside Tomcat 7 • Deployed with MySQL • Optional

  20. Configure federations • Federations provide • Centralized configuration management • Centralized update management • Ability to separate endpoints for better visibility • Ability to swap between Protect and Log mode, on the fly • Ability to temporarily disable the solution completely

  21. Agent deployment • Basic plan • Agent installer is a single EXE package • Requires a server service restart • Agents register according to federation rules

  22. Deployment experience • Positive • Able to deploy to all servers with zero downtime inside one week • Deployed via SCCM • Integration with ArcSight and other CEF compliant devices was painless • Considerations • SSC will house all of your security event data, proper database planning advised • Deploy throughout the whole organization starting in QA and Integration • Deploy in log mode initially but commit to enabling Protect mode for the most value

  23. Getting value from the solution

  24. Getting value from the solution • Immediate value from advanced features • Closing the loop and providing developers with line of code detail • Standardized application logging without changing existing code • Versatile response capabilities

  25. Closing the loop • Developer visibility at line of code level • Beyond URLs • Covers both security and performance issues • Line of code reference for issues • Specific stack trace for exceptions • Sample request data for reproducing event

  26. Standardized application logging • DevOps visibility into security issues • OWASP AppSensor without code changes • User logon • User logout • User privilege level change • User password changed • Substituting another user’s session ID • Hidden field manipulation

  27. Standardized application logging • DevOps visibility into security issues • Industry standard events from all apps • CEF format readily consumable by COTS devices • Instant standardization of event data • Common transport mechanism over syslog

  28. Versatile response capabilities • Custom automated responses • Respond to threats based on severity • Ignore the attack • Silently block the attack • Block and display a specific error page • Integrate with SIEM and active response to eradicate malicious users

  29. Conclusions

  30. Real, tangible DevOps

  31. The future is now • RTA provides • Advanced defenses against sophisticated attacks regardless of obfuscation • The closest technology is a WAF… • And it doesn’t come close • Rapid deployment with zero downtime for clustered environments • Line of code references for your developers • Application logging based on industry best practice with zero coding required • Powerful and granular response capability from ignore to nuke from orbit

  32. The new reality of application security • Previous thinking isn’t working • It is no longer enough to provide network level defenses for application level vulnerabilities • Application security must move beyond the network and into the application • The ultimate goal of all application security is safeguarding data • The application is the closest layer to your data

  33. For more information Attend these sessions Visit our booth After the event • 1293, Getting the most out of Fortify SCA • 1239, HP Fortify on Demand • B2 • Contact your sales rep • Visit the website at: http://hp.com/go/appsec Your feedback is important to us. Please take a few minutes to complete the session survey.

  34. Thank you

More Related