Dynamic App Patching

Transcript

1. Resolving*Applica/on* Vulnerabili/es* Blending(App(Scanners,(WAF’s,( and(Code(Instrumenta:on(

2. Agenda( •  The(Problem( •  Iden:fying(Risk( –  Web(App(Scanning( –  Code(Review( • 

   Mi:ga:ng(Risks( –  Code(Patches( –  Web(Applica:on(Firewall( •  A(Blended(Solu:on(

3. The(Problem( •  Web(apps(have(security(vulnerabili:es( ( •  Feature(deadlines( •  Inexperienced( developers( • 

   Poor(system( administra:on( •  Insecure(defaults( •  Vulnerable(libraries(

4. The(Threat(Is(Increasing( AHackers(techniques(&(toolkits(have(advanced(

5. CrossKEyed(( Scrip:ng( ( Click(Jacking( ( GIFAR( ( Deblaze( ( (

6. Recent(AHacks(

7. Common(Approaches( Iden:fica:on( – Web(Applica:on(Scanning( – Code(Review( ( Remedia:on( – Web(Applica:on(Firewall( – Code(Patches( (

8. Iden:fica:on(

9. Web(App(Scanning(K(Strengths( •  Easily(finds(common( vulnerabili:es( •  Language(/(PlaTorm( independent( •  Fast(and(Repeatable( • 

   CostKeffec:ve(( •  Consistent(Repor:ng(

10. Web(App(Scanning(K(Weaknesses( •  AHack(Surface(Coverage( •  Detec:ng(complex(&( unique(flaws( ( •  Pinpoint(vulnerable(code( loca:on(

    •  Providing(specific( recommenda:ons(

11. Code(Review(K(Strengths( •  Iden:fy(logic(flaws( •  Uncover(hard(to( discover(bugs( •  Code(coverage( •  Pinpoints(vulnerable(

    code(loca:on(

12. Code(Review(K(Weaknesses( •  Resource(Intensive( •  Expensive( •  Slow( •  Requires(source(code( • 

    Requires(tuning(and( configura:on(

13. Mi:ga:on(Techniques(

14. Web(App(Firewall(K(Strengths( •  Cost(Effec:ve( •  Reduces(vulnerability( exposure(( •  Provides(breathing( room(for(fixes( • 

    Dynamic(Patching(

15. Web(App(Firewall(K(Weaknesses( •  Advanced(configura:on( requires(manual(tuning( •  May(lead(to(false(sense( of(security( •  Another(device/ Applica:on(to(manage(

16. Code(Patches(K(Strengths( •  Solves(the(root(cause(of( the(issue( •  Raises(developers( security(awareness( •  Increases(applica:on( reliability(

17. Code(Patches(K(Weaknesses( •  Resource(intensive( •  Costly( •  Slow( •  Third(Party(Developers( • 

    Legacy(Apps(

18. Blended(Approach( Web(App(Scanner( App(Server( Instrumenta:on( App(Firewall(

19. How(It(Works(–(Instrumenta:on( •  Aspect(Orientated(Programming((AOP)( – Apply(security(checks(and(controls(across(an( applica:on(without(modifying(the(source(code( Input( Output( Target(Applica:on(

20. How(It(Works(–(Instrumenta:on( •  Aspect(Orientated(Programming((AOP)( – Apply(security(checks(and(controls(across(an( applica:on(without(modifying(the(source(code( Input( Output( Target(Applica:on( AOP(Checks(and( controls(

    on(entry(and(end(points((

21. AOP(Advice( •  Input/output(valida:on( •  Logging( •  Access(control( •  Error(handling( • 

    Transac:on(management( •  Session(management( Method( AOP(Advice( Method(

22. AOP(as(a(WAF( •  Intercept(HTTP(requests(and(responses( – Input(valida:on( – Session(Management( – Output(encoding( – Filter(informa:on(leakage(

23. Blended(Approach( Web(App(Scanner( App(Server( Instrumenta:on( App(Firewall( Provides(input(variables( Coverage(&(data(flow(( Provides(dynamic(patch(info( Retest(verifies(fixes( Intercepts((

    Requests(&(Responses(

24. Applica:on(Instrumenta:on( •  Provide(aHack(surface(details(to(Applica:on( Scanner( •  Iden:fy(Scanner(code(coverage( •  Generate(dynamic(patches(based(on(scanner( results(

25. Similar(Solu:ons(

26. Next(Steps( •  Further(research(on( applying(AOP( Instrumenta:on( •  AOP(based(WAF( •  Integrate(Scanner( technology(

27. Conclusion( •  Blended(App(Scanner,(WAF,(and( Instrumenta:on(provides:( – Cost(effec:ve( – Efficient( – Comprehensive( – Scalable( – Repeatable( – Consistent(results(

28. Ques:ons((

29. None

30. Introspec:on(

31. Addi:onal(Checks( •  Regularly(checks(config( file(for(insecure(seangs( •  Monitor(files(in(the( webroot( •  Determines(all( applica:on(input(by(

    evalua:ng(applica:on( code( •  Trace(SQL( •  Intercepts(all(requests/ responses( •  Basic(WAF(capability(