The world has been doing AppSec for years now. In fact, lots of years. The Open Web Application Security Project (OWASP) is 15 years old (just barely younger than the Agile manifesto!). Yet, even though application security is well into it’s teenage years, vulnerabilities like XSS, SQL injection, and command execution fill the top ranks of the OWASP Top Ten. This is concerning. What is more concerning is that while the attack vectors and techniques are still largely the same, software development models have completely shifted over the last 15 years.
One major change in software development is the delivery cadence of an application. Instead of a largely static application that changes only a handful of times a year, deploys now happen multiple times per day. Another change is that the NOC (Network Operations Center) has mostly disappeared and operational telemetry is no longer centralized. Now, operational metrics are distributed. Most software development teams have adopted DevOps and have operational insight (via dashboards and metrics) and operational control (via chatops) without root access. The practices of DevOps, Continuous Delivery and Agile have become a part of the development, operations, and security teams. (n.b. I wrote a short book on DevOps and Security available for free.)
APIs are everywhere and microservice architecture patterns are proliferating across organizations. But application security problems still persist because the lingua franca of all these services is http. In the modern era of DevOps and computing, there are 5 Application Security Defense needs.
5. OWASP Top Ten coverage is Expected
The OWASP Top Ten is a regularly released report that indicates the top ten application security problems in the market right now. It is “a broad consensus about what the most critical web application security flaws are.” (source)
In the early application security days many vendors led with the message of defending against the OWASP Top Ten. That was fine then, however OWASP is 15 years old now and the problems still largely remain. The industry realizes that covering the OWASP Top Ten is table stakes today—that is to say, it’s expected. Application security defense products aren’t differentiating on OWASP Top Ten any longer. The industry is shifting to meet the needs of modern architectures, cloud scaling, docker containers and rapid development cycles.
4. Defense against Bots and Scrapers
Some products specialize in keeping out bots and scrapers. Other products like honeypots specialize on enticing them. Not all bots are http-based, however most application security defense has some method to deal with bots coming in over http.
AppSec does defense against bots and scrapers through:
- Usage of CAPTCHAs
- Analyzing traffic sources
- Fingerprinting traffic and headers
- Anomalous traffic patterns
Since not all bots are http, a pure application security defense approach won’t cut it. However, most appsec programs implement a safety valve at the http layer.
3. Business Logic
Now we get into more interesting territory. Though you may debate that as this section is boringly called “business logic.” What we mean here is that there are certain parts of our application that are more important to our business.
Do we care if someone attempts XSS on our site? Maybe.
Do we care if the number of failed logins has spiked in the last hour? Probably.
Do we care if those are two events are correlated? Definitely.
Do we care if we are seeing SQL injections and HTTP 500’s spike at the same time? You bet!
When dealing with business logic and attacks specific to the application being defended, its critical to be able to correlate disparate data sets. This includes:
- XSS, SQLi, CMDEXE, and other application security attacks
- HTTP errors, Tor exit node traffic, and other anomaly flows
- Account Creations, Successful Logins, and other business flows
2. Operational Insight through Visualizations and Dashboards
Web Application Firewalls (WAFs) have largely gone unvisualized for the whole of their existence. Even with the rise of the OWASP and the prominence of application security over the last 15 years there has been little telemetry back the developers who wrote the application. Some of the major WAF vendors provide high level metrics, however, the whole of their offerings mostly look like log management software. Traditionally, WAFs give you a list of 1000’s of “events”, where each request that potentially contains SQLi is an event, this is done in lieu of a graph of SQLi over time.
Since most of this data was being fed back into a SEIM system, this process was acceptable. However, in the modern era of DevOps, sharing is key. One piece of advice that Zane Lackey often offers is, be able to answer these two basic questions:
- Am I being attacked right now?
- Where are the attacks being successful?
Answering these two questions require visual representations in order to detect outliers and statistically relevant data.
In the intro to this article, we mentioned that in a modern web context the NOC has moved from a physical place where a select few gather to chat rooms where everyone gathers. With the rise of IRC replacement systems like Slack or HipChat there has been an outcropping in the DevOps movement known as ChatOps. ChatOps encourages alerting, system actions, and events to not live in logs, but to live where the development team already is: in chat.
Your application security program should distribute events back to the developer teams. When under attack, messages should appear in Slack showing that defensive measures were taken. Something like this:
The goal is to bring the team together and keep security data in front of the people who create and deliver the application or service without getting in the way.
The Top 5 Application Security Defense in the Modern Era:
- OWASP Top Ten coverage is Expected
- Defense against Bots and Scrapers
- Business Logic
- Operational Insight through Visualizations and Dashboards
In our modern era of DevOps, microservices, and containers, it’s critical to use security tooling that adds value to developers and operations staff in addition to InfoSec.
Thanks for reading
I wrote a short book on The Roadmap for DevOps and Security that outlines the 4 key areas Security can provide value in a DevOps organization. At Signal Sciences we provide a modern approach to application security and web application firewalls that DevOps shops love. I hope you find it useful.