FutureStack 2015 - Continuous security for continuous development

CONTINUOUS SECURITYFOR CONTINUOUS DEVELOPMENT

WE USED TO BUILD APPS LIKE THIS:

January - April: Write code

May: Test / Fix Bugs / Security!

June: Deploy

NOW WE BUILD APPS LIKE THIS:

9:00 AM - Noon: Write code

Noon: Test / Fix Bugs / Security!

2:00 PM: Deploy

COMPARING SECURITY TECHNIQUES

▸Code Reviews & Penetration Testing

▸Static Analysis

▸Web Application Firewalls (WAFs)

▸Run-time Application Self Protection


CODE REVIEWS & PEN TESTING

▸ Requires significant expertise

▸ Manual process which takes time

▸ Prone to human error

▸ “Permanently” fixes underlying issue (when done well)



▸Static Analysis



BRAKEMANSCANNER

HTTPS://GITHUB.COM/PRESIDENTBEEF/BRAKEMAN

https://github.com/presidentbeef/brakeman


STATIC CODE ANALYSIS

▸ “Warnings” != Vulnerabilities

▸ Requires manual review and manual correction

▸ Easy-to-implement

▸ Gives engineers code-level details to find and fix vulns



▸Static Analysis




WEB APPLICATION FIREWALL (WAF)

▸ Needs to be manually trained and updated (rule writing)

▸ Has little context available (sits outside the application)

▸ Adds latency (extra network hop, usually)

▸ Protects the app in realtime, in production

▸ A lot of vendors to choose from



▸Static Analysis



LET’S TALK ABOUTRASP(Run-time Application Self-Protection)


RUNTIME APPLICATION SELF-PROTECTION (RASP)

▸ Requires integration, or explicit framework/library support

▸ Protects the app in realtime, in production

▸ Visibility of session, user, behavior, and more

▸ Gives engineers code-level details to find and fix vulns

▸ Protects against many zero-day exploits

INSTALL

CONFIGURE

LIVE DEMO!

IMMUNIO

HTTPS://WWW.IMMUN.IO/

https://www.immun.io/

FutureStack 2015 - Continuous security for continuous development

Technology