View the slides from Sameer Dixit and Chris Harget's energetic discussion of the five most common obstacles to monitoring production applications for new vulnerabilities. This webinar will set you on a path to rise above the production security challenges of downtime, data loss and disgrace.
Webinar recording at: https://info.cenzic.com/overcome-barriers-prod-app-sec.html
How to Overcome the 5 Barriers to Production App Security Testing
1. How To Overcome the 5 Barriers To Production App Security Testing
Chris Harget - Product Marketing
Sameer Dixit - Managed Services
2. Or… 5 Reasons You’re Not Monitoring Production Apps For Vulnerabilities… …and 7 Reasons You Really Should
3. Agenda
Cenzic, Inc. - Confidential, All Rights Reserved.
• Why You’re Not Scanning
• Why You Should
• Overcoming Barriers
• How Cenzic Managed Services Can
4. 1. You Use SAST Tools In Development
• Good first step
• Efficient for some remediations
• Teaches developers best practices
• Commonly accepted method
• Insufficient = False sense of security
5. 2. Production Team Afraid of Down Time
• Production team measured by up time
• If it’s not broke, don’t fix it
• Security Analyst needs Production buy-in to actively monitor production environments
6. 3. Production Team May Not Have Skill Set
• Depends on team
• Mostly made up of guys who plan and manage patches, maintain hardware, and roll out new systems.
• If they’re not comfortable…they will resist
7. 4. Confusion Over Whose Budget Pays
• Is this Developers’ budget?
  • They built it, unless it’s outsourced
• Is it Security Analysts’ budget?
  • It’s security…and development and production…
• Is it Production budget?
  • They run it.
8. 5. You Haven’t Gotten Around To It Yet
• Even if everyone agrees it should be done…it has to become a priority
• Like brushing teeth…you can skip it, but eventually there’ll be a hole.
• Gets deferred.
9. 5 Barriers To Monitoring Production Apps
1. You use SAST tools in Development
2. Production team afraid of down time
3. Production team may not have skill set
4. Confusion over whose budget pays
5. You haven’t gotten around to it yet
11. 1. Some Vulnerabilities Can't Be Found by SAST
• Search strings might miss them
• May only appear in the run-time environment
• May be on the web server or framework
• QA & Production environments may not be identical (especially DBs)
12. 2. New Vulnerabilities Discovered Daily
• >5,200 Web app vulnerabilities discovered…so far
• ~1,090 discovered last year
• Odds are, hundreds more will be discovered while your apps are in production.
13. 3. Production Apps Are The Biggest Risk
600+ Million Web Sites:
• <10% of the applications are in development or in the QA stage
• >90% of applications are in production and deployed: At Greatest Risk!
Vulnerability Testing Must Monitor Run-Time Environments
14. 4. Some Vulnerabilities Cause Downtime
• Buffer Overflow
  • Downs app & can give shell access
• XSS
  • Can insert JavaScript into the web server 100's of times for each user and spread like a virus
• SQL injection
  • Drop tables, remove users, dump database
• About 110 other types of attacks that can lead directly to production downtime
15. 5. Effective Automated Attacks
• Blackbox testing + Cenzic experts
• Designed to emulate what attackers do on your site, but safer
• Cenzic has 10+ years helping enterprises and SMBs protect Production Apps
• Tools and services can find vulnerabilities with minimized risk to application uptime and data
16. 6. Tightly Integrate WAF to Monitoring
• Cenzic integrates with leading Web App Firewalls
• As few as two clicks to approve/enact a policy & virtually patch an app vulnerability
• Faster remediation => More Secure
(Diagram: Identify Risk + Mitigate Risk = Faster remediation = More Secure)
17. 7. Managed Services For Key Apps
• Production Team = Security Team
• Priority apps deserve specialists
• Frees Production Team to:
  • Receive results
  • Manage patches (virtual or code refresh)
  • Maximize uptime
18. Overcoming Barrier 1
1. You use SAST tools in Development
• But that’s not a complete solution
• Some vulnerabilities require real-time scanning
• New vulnerabilities discovered all the time
19. Overcoming Barrier 2
2. Production team afraid of down time
• …and vulnerable apps can increase downtime.
• You patch other bugs in Production
• Monitoring can be done fairly safely
20. Overcoming Barrier 3
3. Production team may not have skill set
• Cenzic Managed Service can cover it until your team gets the skills
• Cenzic takes care of F100 customers for Production Monitoring
21. Overcoming Barrier 4
4. Confusion Over Who Pays
• Whoever has the most budget
• Production…probably
22. Overcoming Barrier 5
5. You haven’t Got Around To It Yet
• It’s important
• It’s relatively safe
• It’s easy
• Production can probably afford it
24. What's the Best Form Factor For You?
• Under-resourced, broad-duties Security Analysts
  • Low-Risk Apps: Cloud (self-service) Production Scanning
  • High Priority Apps: Managed Service Production Scanning
• Sizeable, Focused Security Analyst Group
  • Low-Risk Apps: Cloud or Software Production Scanning
  • High Priority Apps: Software or Managed Service Production Scanning
25. What's Important To Success
• Consistent Detection Accuracy
  • Erratic technicians or ad hoc tools can mask changes in security posture
• Quality of Service
  • Production Teams benefit from vulnerability monitoring managed services that meet high standards
26. Monitoring Available 24x7
• Frequent Assessments = shorter vulnerability windows
• Reports should include trend data and ranking of vulnerabilities for easy response
• Vulnerabilities should be time-stamped so you know the report was actually run that week.
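The three report properties named above (a trustworthy timestamp, a severity ranking, and week-over-week trend data) are simple to check mechanically once scan output is in a structured form. The following is an added example, not code from the webinar or from Cenzic; the report layout, the severity scheme and the two sample reports are all constructed for illustration. It flags a report whose scan timestamp is stale or future-dated (the scan did not run when it should have), sorts findings most severe first, and classifies each finding as new, fixed or persisting relative to the previous run so a production team can see what actually changed.

```python
from datetime import datetime, timedelta

# Assumed severity order for ranking; not a vendor's scheme.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Constructed sample reports (not real scan output). A finding is tracked
# across runs by its vulnerability class plus the affected location.
PREVIOUS_REPORT = {
    "scanned_at": "2013-08-26T02:00:00+00:00",
    "findings": [
        {"type": "sql_injection", "location": "/search?q=", "severity": "high"},
        {"type": "xss_reflected", "location": "/login?next=", "severity": "medium"},
        {"type": "missing_hsts", "location": "/", "severity": "low"},
    ],
}
CURRENT_REPORT = {
    "scanned_at": "2013-09-02T02:00:00+00:00",
    "findings": [
        {"type": "xss_reflected", "location": "/login?next=", "severity": "medium"},
        {"type": "missing_hsts", "location": "/", "severity": "low"},
        {"type": "buffer_overflow", "location": "/upload", "severity": "critical"},
    ],
}


def finding_key(finding):
    """Stable identity of a finding across scans."""
    return (finding["type"], finding["location"])


def is_fresh(report, now_iso, max_age_days=7):
    """True if the scan timestamp lies within max_age_days before now_iso.

    A timestamp older than the window means the weekly scan was skipped;
    a timestamp in the future means the clock or the report is untrustworthy.
    Both cases return False so the report is not treated as current.
    """
    scanned = datetime.fromisoformat(report["scanned_at"])
    now = datetime.fromisoformat(now_iso)
    age = now - scanned
    return timedelta(0) <= age <= timedelta(days=max_age_days)


def rank_findings(report):
    """Findings ordered most severe first; ties broken by location so the
    ordering is reproducible from one report to the next."""
    return sorted(
        report["findings"],
        key=lambda f: (SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK)), f["location"]),
    )


def trend(previous, current):
    """Classify findings as new, fixed or persisting between two scans."""
    prev_keys = {finding_key(f) for f in previous["findings"]}
    curr_keys = {finding_key(f) for f in current["findings"]}
    return {
        "new": sorted(curr_keys - prev_keys),
        "fixed": sorted(prev_keys - curr_keys),
        "persisting": sorted(prev_keys & curr_keys),
    }


def weekly_summary(previous, current, now_iso):
    """The view a production team needs: did the scan run this week, what
    should be handled first, and what changed since last week."""
    return {
        "fresh": is_fresh(current, now_iso),
        "ranked": [finding_key(f) for f in rank_findings(current)],
        "trend": trend(previous, current),
    }


if __name__ == "__main__":
    # Constructed "now" one day after the current scan.
    print(weekly_summary(PREVIOUS_REPORT, CURRENT_REPORT, "2013-09-03T00:00:00+00:00"))
```

The freshness check is deliberately two-sided: a report dated in the future is as much a sign of a broken pipeline as a stale one, and either should stop the report from being accepted as that week's evidence.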
27. What's Important To Success?
• Options To Evolve
  • Managed Service might be a great way to start. Self-service SaaS, software, or a service/software hybrid might make sense in the long run.
• Scalability
  • Start with key apps, scale to all apps
28. Choosing Vendor By References
• Services harder to rate than software.
• (People) × (Software) = Results
• Talent doesn’t scale well
• Look for best-in-class software
• Look for excellent customer survey results
29. Cenzic Can Help
• Cenzic is a leading provider of Web Application Production Scanning as a Managed Service.
• 10+ Years
• Leverages patented Hailstorm™ engine for more consistently accurate and efficient results
• Large and happy customers
30. How Cenzic Can Help
• We Do It All
  • Cenzic is the only vendor who offers you excellent software, or excellent managed services leveraging our excellent solutions
• Evolve wherever you want with Cenzic
31. Customers Rate Cenzic Higher
• 2013 Gartner surveyed App Security Testing customers
• ONLY Cenzic scored high marks from customers in Accuracy, Service, Support and Overall Satisfaction
• Cenzic provides the best services!
32. Managed Services Offerings – At-a-Glance
• Bronze: Industry best-practices for brochureware sites
• Silver: Industry best-practices for forms and login protected sites
• Gold: Compliance for sites with user data
• Platinum: Comprehensive scans for mission critical applications

Feature                      Bronze  Silver  Gold  Platinum
Phishing                       X       X      X       X
Light input validation         X       X      X       X
Data Security                  X       X      X       X
Session management                     X      X       X
OWASP compliance                              X       X
PCI compliance                                X       X
Business logic testing                                X
Application logic testing                             X
Manual penetration testing                            X
33. Complete Enterprise Security by Cenzic
(Diagram: Enterprise Application Security spanning Pre-production & App Development, Production, and Partner / Supply Chain)