Title: AWS re:Inforce 2024 - I don’t always do AppSec testing, but when I do, it’s in production (APS324-S)

Insights:

  • The speaker advocates for conducting Application Security (AppSec) testing directly in production rather than in pre-production environments.
  • Conducting AppSec testing in production is presented as safer, cheaper, and faster compared to traditional pre-production testing.
  • The speaker has significant experience in security and development, having been the founding director of CyLab at Carnegie Mellon and having launched the Build Security Initiative.
  • The speaker emphasizes the inefficiencies and inaccuracies of pre-production load and performance testing, drawing parallels to AppSec testing.
  • Key benefits of production testing include cost reduction, increased accuracy due to real environment conditions, and leveraging real user interactions.
  • Technological advancements such as efficient agents, canary deploys, and dynamic sampling are crucial for enabling effective production testing.
  • The speaker introduces a new product optimized for real-time, low-cost AppSec testing in production, which is already available for Java and being developed for other languages.
  • The product uses dynamic sampling to keep resource consumption low: the instrumentation switches itself off for a code path once it has gathered the information it needs.
  • The speaker describes runtime protection against SQL injection: the agent rewrites application code as it is loaded so that sensitive calls (such as query execution) are wrapped in a trust-boundary check on the data reaching them.
  • The product can detect both known and unknown vulnerabilities in libraries and report unsanitized data inputs to developers, providing a comprehensive security solution.
  • The solution also offers runtime application self-protection, potentially replacing traditional Web Application Firewalls (WAFs) and Static Application Security Testing (SAST) tools.
  • The product enhances observability by mapping external resources and connections, aiding in threat modeling and attack blocking.
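The talk describes rewriting Java classes in the class loader so that a sensitive call is checked at runtime against the trust boundary its input crossed, and a sampling mechanism that stops collecting detail once it has enough. The following is an added example written for this page, not code from the talk or from the product it describes. It reproduces the idea in Python: since Python has no class loader to hook, the check is installed through sqlite3's `factory` hook by subclassing Connection and Cursor; the names RuntimeGuard, Tainted-style marking (`mark_untrusted`), BlockedQuery and the `report_limit` knob are invented for the demo. One simplification is labelled in the code: a real agent propagates taint through string operations, whereas this demo remembers the untrusted values registered at the boundary and looks for them in the final SQL text at the sink, blocking when an untrusted value is not contained within a single SQL token.

```python
"""Added example (not from the talk or its product): a runtime trust boundary
around a SQL sink. Simplification: taint is not propagated through string
operations; untrusted values are remembered and matched at the sink."""
import sqlite3


class BlockedQuery(Exception):
    """Raised when untrusted data changes the token structure of a query."""


def sql_tokens(sql):
    """Minimal tokenizer: yields (start, end, kind) spans for single-quoted
    string literals (with '' escapes), words/numbers and single punctuation."""
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c == "'":
            j = i + 1
            while j < n:
                if sql[j] == "'":
                    if j + 1 < n and sql[j + 1] == "'":
                        j += 2          # doubled quote is an escaped quote
                        continue
                    break
                j += 1
            yield (i, min(j + 1, n), "string")
            i = j + 1
        elif c.isalnum() or c == "_":
            j = i
            while j < n and (sql[j].isalnum() or sql[j] == "_"):
                j += 1
            yield (i, j, "word")
            i = j
        else:
            yield (i, i + 1, "punct")
            i += 1


def crosses_token_boundary(sql, value):
    """True if some occurrence of `value` in `sql` is not contained in one
    token, i.e. the untrusted data altered the structure of the query."""
    if not value:
        return False
    tokens = list(sql_tokens(sql))
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        if not any(s <= start and end <= e for s, e, _ in tokens):
            return True
        start = sql.find(value, start + 1)
    return False


class RuntimeGuard:
    """Remembers values that crossed the trust boundary and checks each sink.
    `report_limit` mimics dynamic sampling: detailed findings are recorded
    only for the first few sightings per sink; blocking continues regardless."""

    def __init__(self, report_limit=2):
        self.untrusted = []     # values registered at the boundary (hypothetical API)
        self.report_limit = report_limit
        self.seen = {}          # sink name -> number of blocked calls observed
        self.findings = []      # sampled detail handed to developers

    def mark_untrusted(self, value, source="http.request"):
        self.untrusted.append(value)
        return value

    def check_sink(self, sql, sink):
        for value in self.untrusted:
            if crosses_token_boundary(sql, value):
                n = self.seen.get(sink, 0) + 1
                self.seen[sink] = n
                if n <= self.report_limit:   # stop collecting detail once enough is known
                    self.findings.append({"sink": sink, "sql": sql, "input": value})
                raise BlockedQuery(f"untrusted input crossed a token boundary at {sink}")


GUARD = RuntimeGuard()


class GuardedCursor(sqlite3.Cursor):
    def execute(self, sql, params=()):
        GUARD.check_sink(sql, "sqlite3.Cursor.execute")   # the wrapped sensitive call
        return super().execute(sql, params)


class GuardedConnection(sqlite3.Connection):
    def cursor(self, factory=GuardedCursor):
        return super().cursor(factory=factory)

    def execute(self, sql, params=()):
        return self.cursor().execute(sql, params)   # route through the guarded cursor


def run_demo():
    """Three sink calls on constructed data: benign concatenation, hostile
    concatenation (blocked) and a parameterized query with the hostile input."""
    conn = sqlite3.connect(":memory:", factory=GuardedConnection)
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'owner'), ('bob', 'user')")
    benign = GUARD.mark_untrusted("bob")                   # constructed request input
    hostile = GUARD.mark_untrusted("admin' OR '1'='1")     # constructed request input
    outcomes = {}
    rows = conn.execute(f"SELECT name FROM users WHERE name = '{benign}'").fetchall()
    outcomes["benign_concat"] = [r[0] for r in rows]       # data stayed inside one literal
    try:
        conn.execute(f"SELECT name FROM users WHERE name = '{hostile}'")
        outcomes["hostile_concat"] = "allowed"
    except BlockedQuery:
        outcomes["hostile_concat"] = "blocked"             # token boundary crossed
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (hostile,)).fetchall()
    outcomes["hostile_param"] = [r[0] for r in rows]       # hostile text never reaches the SQL
    return outcomes


if __name__ == "__main__":
    print(run_demo(), GUARD.findings)
```

The rule enforced at the sink is the one the talk's approach implies rather than a signature match: untrusted data may sit inside a single literal or a single word, but may not span tokens. An input that the application escaped correctly (doubled quotes) therefore passes, because the raw value no longer appears in the query; that is also why substring matching is only a stand-in here, since a real agent has to follow the value through escaping and concatenation to know what the boundary-crossing data looks like by the time it reaches the sink.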

Quotes:

  • "I don't always do AppSec testing, but when I do, it's in production."
  • "You can skip pre-prod AppSec testing and wait until you're in production before you start doing it."
  • "It's safer, it's cheaper, it's faster. You'll be much better off."
  • "All that money and energy you're spending on SAST tools and DAST tools and SCA tools pre-prod, you can do all that better and cheaper and more reliably in production."
  • "Your customers become your testers in that situation. It's much more accurate because it's real."
  • "We needed low resource consumption agents, highly efficient agents. We have those."
  • "We modify the code at runtime. We insert ourselves in the Java class loader and we see as the code is loaded and we literally modify the code."
  • "We can replace your SCA tool with this."
  • "We can replace your SAST tool with this."
  • "You get runtime application self-protection. Basically, you can replace that functionality of your WAF."
  • "We actually can draw a threat modeling diagram of your application. We call it the flow map."