2016-05 Secure360: Continuous Application Security at Scale with IAST and RASP (slide transcript)

Contrast Security, 291 Lambert Avenue, Palo Alto, CA 94306, www.contrastsecurity.com. Presented by Jeff Williams, CTO (@planetlevel).

Page 1

CONTRAST SECURITY, 291 Lambert Avenue, Palo Alto, CA 94306, www.contrastsecurity.com

Jeff Williams, CTO, @planetlevel

CONTINUOUS APPLICATION SECURITY AT SCALE WITH IAST AND RASP

Page 2

ENTERPRISE APPLICATIONS ARE 37% OF IT SPEND… AND GROWING 24.8% ANNUALLY

Application (37% of IT spend): Develop, Purchase/Rent, Support

Other IT spend categories shown on the chart: Data Center, Compute, Storage, Network, Delivery, Output, Communication, End User, IT Management, Compliance

Breakdown of application spend:
• Internal Labor (36% of app spend)
• External Labor (11% of app spend)
• Software (28% of app spend)
• Outside Services (15% of app spend)
• Other (10% of app spend)

Every dollar spent on enterprise applications increases vulnerability

Page 3

APPLICATION SECURITY IS YOUR BIGGEST RISK

Organizations shown on the slide: World Trade Org, U.S. Army, LinkedIn, SAP, United Nations, Royal Navy, Wall Street Journal, Heartland, JP Morgan, LivingSocial, Target, Diners Club, Tesla, JC Penney, PBS, Microsoft UK, Yahoo, NASDAQ, Sony Music, FBI, 7-Eleven, Sony Playstation, HBGary Federal, Guess, Sony Pictures, NASA, Yahoo, U.S. IRS, Adobe, eHarmony, U.S. Dept of Census

Application security has been the leading cause of breaches for the past nine years.

Source: 2016 Verizon Data Breach Investigation Report (DBIR)

Page 4

TRADITIONAL APPSEC PROGRAMS ARE FAILING

Diagram labels: Experts, Expert Tools, Application Portfolio, Assurance, Coverage, Process Fit, Awful Results, Traditional AppSec Program, Containers

Page 5

A HISTORY OF APPLICATION SECURITY AUTOMATION

Development (find vulnerabilities): DAST (Dynamic AppSec Testing), SAST (Static AppSec Testing), IAST (Interactive AppSec Testing)

Operations (block attacks): WAF (Web Application Firewall), IDS/IPS (Intrusion Detection/Prevention System), RASP (Runtime Application Self-Protection)

Unified Agent: IAST and RASP

Page 6

SOFTWARE TRENDS CHALLENGING SAST/DAST/WAF

• Libraries: explosive growth in libraries and frameworks
• Services: microservices, APIs, REST/XML services
• Cloud: rapidly growing use of cloud and containers
• Agile: high speed software development

• SAST can’t handle the scale and complexity of the supply chain
• SAST and DAST can’t handle API and web service complexity
• WAF can’t handle infrastructure deployment pace and complexity
• SAST, DAST, and WAF all require experts in the critical path

Page 7

CONTRAST IAST & RASP DELIVER SECURITY WHERE IT’S NEEDED

The Contrast IAST/RASP Agent instruments your application with sensors that protect against both vulnerabilities and attacks.

Diagram: your application stack (Runtime, Frameworks, Libraries, Custom Code) with the Contrast Agent inside it

All agents report to Contrast TeamServer to protect the entire application portfolio in parallel.

Page 8

DETECTING AND BLOCKING BOTH ATTACKS AND VULNERABILITIES

Actors: Developer, Tester, User, Attacker

Application layers an HTTP request passes through: Controller, Validation, Session, Business Logic, Data Layer, SQL API, Database

Information collected by the sensors along the way: HTTP Request, Validation Tags, Data Tracking, Data Parsing, Escaping Tags, Query

Decisions made at the sink: Vulnerability? Attack?

Sensors woven into the running application; security context assembled within the Contrast Agent
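The tag-based data tracking this slide sketches, as an added example that is not part of the deck or of Contrast's product: request data is tagged untrusted, validation and escaping sensors add tags, and the sensor at the SQL API answers the two questions from the slide (vulnerability from the tags, attack from the content). The sensor names, tag names, sample values and the toy attack signature are all constructed for illustration.

```python
# Added example, not Contrast's code: a toy model of the tag-based data
# tracking on the slide. Request data is tagged untrusted; validation and
# escaping sensors add tags; the SQL-API sensor at the sink answers the
# slide's two questions separately: Vulnerability? and Attack?
import re
from dataclasses import dataclass, field

@dataclass
class Tracked:
    """A string plus the security tags the sensors have attached to it."""
    value: str
    tags: frozenset = field(default_factory=frozenset)

def http_param(raw: str) -> Tracked:
    """HTTP-request sensor: anything taken from the request is untrusted."""
    return Tracked(raw, frozenset({"untrusted"}))

def validate_numeric(t: Tracked) -> Tracked:
    """Validation sensor: a passing allow-list check adds a validation tag."""
    if re.fullmatch(r"\d{1,9}", t.value):
        return Tracked(t.value, t.tags | {"validated:numeric"})
    return t  # failed validation: value stays untrusted with no new tag

def sql_escape(t: Tracked) -> Tracked:
    """Escaping sensor: toy quote-doubling adds an escaping tag."""
    return Tracked(t.value.replace("'", "''"), t.tags | {"escaped:sql"})

# Constructed toy signature for the attack question; real rules are richer.
ATTACK_PATTERN = re.compile(r"'|--|;|\bor\b|\bunion\b", re.IGNORECASE)

def sql_api_sensor(template: str, arg: Tracked) -> dict:
    """Sink sensor: vulnerability is decided from the tags, attack from the
    content. Toy policy: block only an attack that reaches an unprotected
    sink; a probe against validated or escaped code is reported, not blocked."""
    neutralised = bool(arg.tags & {"validated:numeric", "escaped:sql"})
    vulnerability = "untrusted" in arg.tags and not neutralised
    attack = "untrusted" in arg.tags and bool(ATTACK_PATTERN.search(arg.value))
    return {"query": template.format(arg.value), "vulnerability": vulnerability,
            "attack": attack, "blocked": attack and vulnerability}

def handle_request(user_id: str, path: str) -> dict:
    """Three code paths a request parameter can take to the same SQL sink."""
    data = http_param(user_id)
    if path == "validated":
        data = validate_numeric(data)
    elif path == "escaped":
        data = sql_escape(data)
    return sql_api_sensor("SELECT * FROM users WHERE id = '{}'", data)
```

A tester sending an ordinary id down the raw path surfaces the vulnerability without any attack traffic, which is the IAST point of the slide; the same code path under attack traffic is what the RASP side blocks.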

Page 9

ACCURACY: IAST/RASP HAS AN UNFAIR ADVANTAGE

Software is a black box.

Chart of information sources compared across SAST, DAST, WAF and IAST/RASP: HTTP Traffic, Code, Frameworks, Libraries, Runtime Data Flow, Runtime Control Flow, Backend Connections, Configuration Data, Server Configuration, Platform Runtime, Software Architecture, etc.

IAST/RASP provide full visibility into the running application

Page 10

CONTRAST IAST – PROTECT DEVELOPMENT

Contrast accurately identifies vulnerabilities in real time without scanning or hacking

Page 11

CONTRAST RASP – PROTECT OPERATIONS

Contrast blocks attacks efficiently and accurately with full application context

Page 12

CONTRAST INVENTORY – PROTECT YOUR SUPPLY CHAIN

Contrast instantly profiles all of your applications, open-source libraries, and servers

Page 13

IAST accuracy dominates SAST and DAST

OWASP Benchmark: 21,000 test cases across a range of vulnerabilities (sponsored by DHS)

Chart values shown: 33%, 100%

Page 14

PERFORMANCE: IAST AND RASP ARE BLAZINGLY FAST

WebGoat RASP processing time (in microseconds, millionths of a second):
• Typical traffic: 50 microseconds
• Mixed traffic: 170 microseconds
• Heavy attack traffic: 230 microseconds

• Number of applications doesn’t matter
• As fast as or faster than if it was coded by hand
• No bottleneck on either bandwidth or CPU (next slide)

Page 15

ELIMINATE THE SAST/DAST/WAF BOTTLENECK

Diagram: a single perimeter decision point (SCAN/WAF) contrasted with application decision points (a RASP agent in each application, IAST/RASP)

Three problems with the perimeter decision point:
1) Bottleneck
2) Impedance mismatch
3) False alarms – no context

Page 16

IAST AND RASP ARE A DISTRIBUTED APPROACH

Enable the application portfolio with IAST/RASP agents (diagram labels: Assurance, Coverage, Process Fit, Containers)

Continuous assessment and protection in parallel

Page 17

IMAGINE MANAGING APPLICATION SECURITY POLICY AT SCALE

Environments: Development Environment, Unit Testing, Continuous Integration, QA Testing, Performance and Usability Testing, Staging and Acceptance, Production

Application types: Web Apps, Web Services/APIs, New Development, Legacy Apps, Third Party Apps, Internal Apps, External Apps, Frameworks, Cloud/Mobile/IoT

Stakeholders: operations, information security, application security, development, compliance

Page 18

CONTRAST ENTERPRISE

• Contrast offers a unified IAST and RASP product (SaaS and on-premise)
• Proven with high-profile customers in:
  – Global Financial Services
  – eCommerce/Retail
  – Healthcare
  – Software
  – Government/Defense
  – Many more…
• Continuously assessing and securing thousands of applications (10 billion SLOC)
• Discovering over 6,000 zero-day vulnerabilities monthly, ~72,000 annually

Page 19

CONTRAST SECURITY, 291 Lambert Avenue, Palo Alto, CA 94306, www.contrastsecurity.com

Analyst quotes shown: “Leader”, “Visionary”, “Innovator”

Are you ready for real application security?