SlideShare a Scribd company logo

Feeding the Virtual Patch Pipeline

DevOps.com, profile picture
DevOps.com

The document presents a discussion led by Cody Wood about application security challenges and introduces Signal Sciences' next-gen web application firewall and runtime application self-protection technology. It emphasizes the inadequate current security measures against web app attacks and the need for more advanced solutions like virtual patching. The presentation highlights a systematic approach to automating virtual patch triage and leveraging open vulnerabilities for enhanced application security.

Technology
1 of 18
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Feeding the Virtual Patch Pipeline July 9, 2019 Cody Wood – Security Engineer, Signal Sciences
Introduction Cody Wood Security Software Engineer Signal Sciences @sprkyco • Previously earth mining operations (because apparently “miner” means data or cryptocoin) • Whitehat security, PCI Stuff, NBCUniversal, Rapid7 • AppSec, Python, GoLang • https://sprky.co
Application Security Challenges (We Know What You’re Up Against)
Web App Attacks Are the #1 Source of Data Breaches Incumbent Products Aren’t Solving the Problem Less Than 5% of data center security budgets are spent on AppSec Web App Attacks POS Intrusions Miscellaneous Errors Privilege Misuse Cyber-Espionage Everything Else Payment Card Skimmers Physical Theft / Loss Crimeware Denial Of Service 908 525 197 172 155 125 86 1 49 56 20 % 10 % 40 % 30 % Percent of Breaches Sources: Gartner, Verizon
The Security Problem You Can’t Secure New App Tech with Legacy App Sec Account Takeover Direct Object Reference Forceful Browsing Feature Abuse Evasion Techniques Subdomain Takeover Misconfiguration • Legacy WAFs focus on the same threats as 15 years ago • False positives result from generic signatures without context • Rarely used in blocking mode OWASP Injection Attacks Real-World Problems
Signal Sciences: Next-gen WAF and RASP Defensive Technology Designed to increase security and maintain site reliability without sacrificing speed or scale while unifying the efforts of engineering, security and operations.
Active Protection Everywhere Any App Cloud Containers, PaaS & Serverless Web Servers & Languages Gateways & Proxies Any Attack OWASP Injection Attacks PLUS: Application DDoS Brute Force Attacks Application Abuse & Misuse Account Takeover Bad Bots Virtual Patching Any DevOps Toolchain INCLUDING: Generic Webhooks & Any Custom Tools via Full RESTFul/JSON API
Onto Virtual Patching
Virtual Patch Pipeline “JARVIS” Behind The Scenes DIY The SigSci Approach to Automating Virtual Patch Triage, Develop, and Deploy Generalized Methodology for Developing a Virtual Patch Building Your Own Detections
• TEMPORARY • Mistakes happen • Helpful in “Constrained” Business Conditions • Reliant on public information • Bypasses are difficult to detect Duct Tape...
Virtual Patch Pipeline
“Jarvis”
Sciencing • Find => “CVE” • Copy • Paste • Replace ▪ CVEXXXXXXXX ▪ CVE-XXXX-XXXX • With ▪ CVE-0day-mageddon • Write rule • Push to master and deploy! ▪ No, but seriously we do at SigSci
Section 31 Jupyter Notebooks ❤🐍 run during post virtual patch deploy • Number of Corps/Sites Enabled • Boilerplate for further analysis • Exclude burpsuite, nessus, and other scanners • Scrape results for unique payloads, bitcoin miners for example • Proactive false positive identification • Cross customer cve exploit activity patterns, threat intel 🤷
And now...
CVE-2017-12615 Apache Tomcat - JSP Upload Bypass / Remote Code Execution 16
Q&A
Thank you!

More Related Content

PDF
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
PPTX
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 
PDF
BeyondCorp New York Meetup: Closing the Adherence Gap
Ivan Dwyer
 
PPTX
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Nikola Milosevic
 
PDF
Guy Podjarmy - Secure Node Code
DevSecCon
 
PPTX
Web security: concepts and tools used by attackers
tomasperezv
 
PPTX
Solnet dev secops meetup
pbink
 
PPTX
PLNOG23 - Paweł Rzepa - Attacking AWS: the full cyber kill chain
PROIDEA
 
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 
BeyondCorp New York Meetup: Closing the Adherence Gap
Ivan Dwyer
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Nikola Milosevic
 
Guy Podjarmy - Secure Node Code
DevSecCon
 
Web security: concepts and tools used by attackers
tomasperezv
 
Solnet dev secops meetup
pbink
 
PLNOG23 - Paweł Rzepa - Attacking AWS: the full cyber kill chain
PROIDEA
 

What's hot (20)

PDF
Reducing Risk of Credential Compromise at Netflix
SBWebinars
 
PPTX
Bug bounty
Ramin Farajpour Cami
 
PPTX
Owasp mobile top 10
Pawel Rzepa
 
PPTX
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
bugcrowd
 
PPTX
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Anant Shrivastava
 
PDF
[OPD 2019] Governance as a missing part of IT security architecture
OWASP
 
PPTX
Basics of getting Into Bug Bounty Hunting
Muhammad Khizer Javed
 
PDF
Owasp Mobile Top 10 - M7 & M8
5h1vang
 
PDF
Activated Charcoal - Making Sense of Endpoint Data
Greg Foss
 
PDF
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Alert Logic
 
PDF
Top Azure security fails and how to avoid them
Karl Ots
 
PPTX
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
AgileNetwork
 
PDF
BeyondCorp: Closing the Adherence Gap
Ivan Dwyer
 
PDF
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
5h1vang
 
PPTX
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
PDF
Hijacking Softwares for fun and profit
Nipun Jaswal
 
PDF
Dev secops on the offense automating amazon web services account takeover
Priyanka Aash
 
PPTX
SPI Dynamics web application security 101
Wade Malone
 
PPTX
How an Attacker "Audits" Your Software Systems
Security Innovation
 
PDF
Building Security Controls around Attack Models
SeniorStoryteller
 
Reducing Risk of Credential Compromise at Netflix
SBWebinars
 
Bug bounty
Ramin Farajpour Cami
 
Owasp mobile top 10
Pawel Rzepa
 
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
bugcrowd
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Anant Shrivastava
 
[OPD 2019] Governance as a missing part of IT security architecture
OWASP
 
Basics of getting Into Bug Bounty Hunting
Muhammad Khizer Javed
 
Owasp Mobile Top 10 - M7 & M8
5h1vang
 
Activated Charcoal - Making Sense of Endpoint Data
Greg Foss
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Alert Logic
 
Top Azure security fails and how to avoid them
Karl Ots
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
AgileNetwork
 
BeyondCorp: Closing the Adherence Gap
Ivan Dwyer
 
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
5h1vang
 
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
Hijacking Softwares for fun and profit
Nipun Jaswal
 
Dev secops on the offense automating amazon web services account takeover
Priyanka Aash
 
SPI Dynamics web application security 101
Wade Malone
 
How an Attacker "Audits" Your Software Systems
Security Innovation
 
Building Security Controls around Attack Models
SeniorStoryteller
 
Ad

Similar to Feeding the Virtual Patch Pipeline (20)

PPTX
Top Application Security Trends of 2012
DaveEdwards12
 
PDF
SQL Injection - The Unknown Story
Imperva
 
PDF
iOS Application Security.pdf
Ravi Aggarwal
 
PPTX
Continuous security: Bringing agility to the secure development lifecycle
Rogue Wave Software
 
PPTX
Outpost24 webinar - Api security
Outpost24
 
PDF
Top Application Security Threats
ColumnInformationSecurity
 
PDF
Realities of Security in the Cloud
Alert Logic
 
PDF
Luis Grangeia IBWAS
Luis Grangeia
 
PDF
IBWAS 2010: Web Security From an Auditor's Standpoint
Luis Grangeia
 
PPTX
A DevOps Guide to Web Application Security
Imperva Incapsula
 
PDF
Web Application Security Testing Guide | Secure Web Apps
digitaljignect
 
PPTX
Java application security the hard way - a workshop for the serious developer
Steve Poole
 
PDF
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Alert Logic
 
PDF
CSS17: Houston - Protecting Web Apps
Alert Logic
 
PDF
How to find Zero day vulnerabilities
Mohammed A. Imran
 
PDF
Essentials of Web Application Security: what it is, why it matters and how to...
Cenzic
 
PDF
Web Security - Introduction v.1.3
Oles Seheda
 
PDF
Web Security - Introduction
SQALab
 
PPTX
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24
 
PPTX
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Ory Segal
 
Top Application Security Trends of 2012
DaveEdwards12
 
SQL Injection - The Unknown Story
Imperva
 
iOS Application Security.pdf
Ravi Aggarwal
 
Continuous security: Bringing agility to the secure development lifecycle
Rogue Wave Software
 
Outpost24 webinar - Api security
Outpost24
 
Top Application Security Threats
ColumnInformationSecurity
 
Realities of Security in the Cloud
Alert Logic
 
Luis Grangeia IBWAS
Luis Grangeia
 
IBWAS 2010: Web Security From an Auditor's Standpoint
Luis Grangeia
 
A DevOps Guide to Web Application Security
Imperva Incapsula
 
Web Application Security Testing Guide | Secure Web Apps
digitaljignect
 
Java application security the hard way - a workshop for the serious developer
Steve Poole
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Alert Logic
 
CSS17: Houston - Protecting Web Apps
Alert Logic
 
How to find Zero day vulnerabilities
Mohammed A. Imran
 
Essentials of Web Application Security: what it is, why it matters and how to...
Cenzic
 
Web Security - Introduction v.1.3
Oles Seheda
 
Web Security - Introduction
SQALab
 
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24
 
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Ory Segal
 
Ad

More from DevOps.com (20)

PDF
Modernizing on IBM Z Made Easier With Open Source Software
DevOps.com
 
PPTX
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
PPTX
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
PDF
Next Generation Vulnerability Assessment Using Datadog and Snyk
DevOps.com
 
PPTX
Vulnerability Discovery in the Cloud
DevOps.com
 
PDF
2021 Open Source Governance: Top Ten Trends and Predictions
DevOps.com
 
PDF
A New Year’s Ransomware Resolution
DevOps.com
 
PPTX
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
DevOps.com
 
PDF
Don't Panic! Effective Incident Response
DevOps.com
 
PDF
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
DevOps.com
 
PDF
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
DevOps.com
 
PDF
Monitoring Serverless Applications with Datadog
DevOps.com
 
PDF
Deliver your App Anywhere … Publicly or Privately
DevOps.com
 
PPTX
Securing medical apps in the age of covid final
DevOps.com
 
PDF
How to Build a Healthy On-Call Culture
DevOps.com
 
PPTX
The Evolving Role of the Developer in 2021
DevOps.com
 
PDF
Service Mesh: Two Big Words But Do You Need It?
DevOps.com
 
PPTX
Secure Data Sharing in OpenShift Environments
DevOps.com
 
PPTX
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
DevOps.com
 
PDF
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
DevOps.com
 
Modernizing on IBM Z Made Easier With Open Source Software
DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
Next Generation Vulnerability Assessment Using Datadog and Snyk
DevOps.com
 
Vulnerability Discovery in the Cloud
DevOps.com
 
2021 Open Source Governance: Top Ten Trends and Predictions
DevOps.com
 
A New Year’s Ransomware Resolution
DevOps.com
 
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
DevOps.com
 
Don't Panic! Effective Incident Response
DevOps.com
 
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
DevOps.com
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
DevOps.com
 
Monitoring Serverless Applications with Datadog
DevOps.com
 
Deliver your App Anywhere … Publicly or Privately
DevOps.com
 
Securing medical apps in the age of covid final
DevOps.com
 
How to Build a Healthy On-Call Culture
DevOps.com
 
The Evolving Role of the Developer in 2021
DevOps.com
 
Service Mesh: Two Big Words But Do You Need It?
DevOps.com
 
Secure Data Sharing in OpenShift Environments
DevOps.com
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
DevOps.com
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
DevOps.com
 

Recently uploaded (20)

PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Teaching material agriculture food technology
LiaRayya
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Encapsulation theory and applications.pdf
gurumoop
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 

Feeding the Virtual Patch Pipeline

  • 1. Feeding the Virtual Patch Pipeline July 9, 2019 Cody Wood – Security Engineer, Signal Sciences
  • 2. Introduction Cody Wood Security Software Engineer Signal Sciences @sprkyco • Previously earth mining operations (because apparently “miner” means data or cryptocoin) • Whitehat security, PCI Stuff, NBCUniversal, Rapid7 • AppSec, Python, GoLang • https://sprky.co
  • 3. Application Security Challenges (We Know What You’re Up Against)
  • 4. Web App Attacks Are the #1 Source of Data Breaches Incumbent Products Aren’t Solving the Problem Less Than 5% of data center security budgets are spent on AppSec Web App Attacks POS Intrusions Miscellaneous Errors Privilege Misuse Cyber-Espionage Everything Else Payment Card Skimmers Physical Theft / Loss Crimeware Denial Of Service 908 525 197 172 155 125 86 1 49 56 20 % 10 % 40 % 30 % Percent of Breaches Sources: Gartner, Verizon
  • 5. The Security Problem You Can’t Secure New App Tech with Legacy App Sec Account Takeover Direct Object Reference Forceful Browsing Feature Abuse Evasion Techniques Subdomain Takeover Misconfiguration • Legacy WAFs focus on the same threats as 15 years ago • False positives result from generic signatures without context • Rarely used in blocking mode OWASP Injection Attacks Real-World Problems
  • 6. Signal Sciences: Next-gen WAF and RASP Defensive Technology Designed to increase security and maintain site reliability without sacrificing speed or scale while unifying the efforts of engineering, security and operations.
  • 7. Active Protection Everywhere Any App Cloud Containers, PaaS & Serverless Web Servers & Languages Gateways & Proxies Any Attack OWASP Injection Attacks PLUS: Application DDoS Brute Force Attacks Application Abuse & Misuse Account Takeover Bad Bots Virtual Patching Any DevOps Toolchain INCLUDING: Generic Webhooks & Any Custom Tools via Full RESTFul/JSON API
  • 9. Virtual Patch Pipeline “JARVIS” Behind The Scenes DIY The SigSci Approach to Automating Virtual Patch Triage, Develop, and Deploy Generalized Methodology for Developing a Virtual Patch Building Your Own Detections
  • 10. • TEMPORARY • Mistakes happen • Helpful in “Constrained” Business Conditions • Reliant on public information • Bypasses are difficult to detect Duct Tape...
  • 13. Sciencing • Find => “CVE” • Copy • Paste • Replace ▪ CVEXXXXXXXX ▪ CVE-XXXX-XXXX • With ▪ CVE-0day-mageddon • Write rule • Push to master and deploy! ▪ No, but seriously we do at SigSci
  • 14. Section 31 Jupyter Notebooks ❤🐍 run during post virtual patch deploy • Number of Corps/Sites Enabled • Boilerplate for further analysis • Exclude burpsuite, nessus, and other scanners • Scrape results for unique payloads, bitcoin miners for example • Proactive false positive identification • Cross customer cve exploit activity patterns, threat intel 🤷
  • 16. CVE-2017-12615 Apache Tomcat - JSP Upload Bypass / Remote Code Execution 16
  • 17. Q&A