Providence: rapid vulnerability prevention

Presented at AppSec USA 2015, Sept. 25, 2015, 3 p.m. (55 minutes)

One challenging aspect of achieving software security is keeping pace with the speed of development and deployment. We built Providence with the goal of preventing obvious bugs from ever being deployed into production.

Providence is a lightweight and scalable tool which finds bugs and anti-patterns of varying complexity in code commits, and we've used it to prevent vulnerabilities ranging from XSS to access control issues to XXE. It works by continuously monitoring and pulling commits from version control systems and scanning them for bugs with rules defined in plugins. Additional plugins are easy to create and deploy, which has allowed for quick reaction to new bugs or problems as they are discovered.
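As an added illustration of the engine-and-plugin design described above, the following Python is a minimal commit scanner of the same shape. It is not Providence's own code: the plugin interface, the rule names, the regexes and the sample diff are all this example's assumptions (the diff is constructed for the example). The engine pulls the added lines out of a unified diff, tracks the post-commit line number from the hunk headers, and runs every plugin over every added line; the three rules correspond to the three bug classes named in the abstract.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Sequence, Tuple

# Constructed sample commit (a unified diff touching three files); not taken
# from any real repository.
SAMPLE_DIFF = """\
diff --git a/web/render.js b/web/render.js
--- a/web/render.js
+++ b/web/render.js
@@ -10,3 +10,4 @@ function show(user) {
   const box = document.getElementById("greeting");
-  box.textContent = user.name;
+  box.innerHTML = "Hello " + user.name;
+  return box;
 }
diff --git a/src/Importer.java b/src/Importer.java
--- a/src/Importer.java
+++ b/src/Importer.java
@@ -3,3 +3,4 @@ public class Importer {
   Document load(InputStream in) throws Exception {
-    return parse(in);
+    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
+    return f.newDocumentBuilder().parse(in);
   }
diff --git a/classes/Ledger.cls b/classes/Ledger.cls
--- a/classes/Ledger.cls
+++ b/classes/Ledger.cls
@@ -1,3 +1,3 @@
-public without sharing class Ledger {
+public with sharing class Ledger {
   public static List<Account> all() { return [SELECT Id FROM Account]; }
 }
"""

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    plugin: str
    path: str
    line: int       # line number in the post-commit file
    text: str
    message: str


class RegexPlugin:
    """Hypothetical plugin shape: one regex applied to added lines of matching files."""

    def __init__(self, name: str, extensions: Sequence[str], pattern: str, message: str):
        self.name = name
        self.extensions = tuple(extensions)
        self.pattern = re.compile(pattern)
        self.message = message

    def check(self, path: str, line_no: int, text: str) -> Optional[Finding]:
        if path.endswith(self.extensions) and self.pattern.search(text):
            return Finding(self.name, path, line_no, text.strip(), self.message)
        return None


def added_lines(diff: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (path, new_line_number, text) for every line the commit adds.
    Removed lines are skipped on purpose: deleting a bad pattern must not alert."""
    path = None
    new_line = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):               # new-file header carries the path
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith(("--- ", "diff --git", "\\ No newline")):
            continue                             # other git headers (checked by prefix; illustrative)
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))           # first line number of the hunk in the new file
            continue
        if path is None:
            continue
        if raw.startswith("+"):
            yield path, new_line, raw[1:]
            new_line += 1
        elif not raw.startswith("-"):
            new_line += 1                        # unchanged context line


def scan_commit(diff: str, plugins: Sequence[RegexPlugin]) -> List[Finding]:
    """Run every plugin over every added line; this is the per-commit unit of work."""
    findings: List[Finding] = []
    for path, line_no, text in added_lines(diff):
        for plugin in plugins:
            f = plugin.check(path, line_no, text)
            if f is not None:
                findings.append(f)
    return findings


# Three illustrative rules, one per bug class named in the abstract. The
# patterns are this example's own guesses, not Providence's shipped plugins.
PLUGINS = [
    RegexPlugin("xss-html-sink", (".js", ".html"), r"\.innerHTML\s*=|document\.write\s*\(",
                "data reaches an HTML sink; use textContent or an escaping template"),
    RegexPlugin("xxe-xml-parser", (".java",), r"DocumentBuilderFactory\.newInstance\s*\(",
                "XML parser created; confirm DTDs and external entities are disabled"),
    RegexPlugin("access-control-without-sharing", (".cls",), r"\bwithout\s+sharing\b",
                "Apex class bypasses record-level sharing; justify in review"),
]

if __name__ == "__main__":
    for f in scan_commit(SAMPLE_DIFF, PLUGINS):
        print(f"[{f.plugin}] {f.path}:{f.line}: {f.text}\n    {f.message}")
```

Run against the sample commit, the scanner reports the `innerHTML` assignment in web/render.js and the new XML parser in src/Importer.java, and stays quiet on Ledger.cls, where `without sharing` appears only on a removed line. In a deployment, a poller would fetch each new commit's diff from the version control system, hand it to `scan_commit`, and route findings to the committing developer or a bug tracker. Regex rules are cheap to write and fast to run, which is what makes reacting to a newly discovered anti-pattern a matter of minutes, but they are hints rather than proofs, so expect to tune patterns and extensions against false positives.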

Providence is easily integrated with SDLC workflows or bug-tracking tools, and we will discuss how we have integrated it in-house in an unobtrusive manner. This model of addressing issues also shortens time to resolution: on average, potential problems found by Providence are resolved more quickly than other vulnerabilities, because developers are shown the issue right after they commit the code rather than weeks or months later.

We are currently in the process of open-sourcing Providence in order to share the tool with the DevOps/security community (or any interested parties). This talk will cover the internals of Providence, its engine and plugin architecture (including examples of plugins and their ease of creation), as well as its integration with our SDLC and the faster and more efficient responses we've achieved as a result. We're continuing to build new plugins and features, and we're excited to see what ideas others may have in mind!


Presenters:

  • Hormazd Billimoria - Security Engineer - Salesforce
    Hormazd Billimoria is a security engineer at Salesforce with an interest in web security. A long-time code and security enthusiast since his high school days, he recently earned his master's degree from Carnegie Mellon. His past research includes side-channel attacks on encrypted traffic and cross-VM side-channel attacks. In his spare time he loves breaking and finding security vulnerabilities in software that he uses every day.
  • Xiaoran Wang - Senior Product Security Engineer - Salesforce
    Xiaoran Wang is a Senior Product Security Engineer at Salesforce. He has spoken several times at conferences such as Black Hat USA, Black Hat Asia, ToorCon, HackerHalted, etc. He is passionate about security, especially web and application security. At work, he does architectural feature review for security, web penetration testing, security training, and automation. In his personal time, he hunts for vulnerabilities and writes EDM music.
  • Max Feldman - Product Security Engineer - Salesforce.com
    Max Feldman is a Product Security Engineer at Salesforce, where he focuses on penetration tests of AppExchange partners and security assessments of Salesforce features, as well as the development of security tools and automation. Max has a breadth of security interests and enjoys sharing this passion with others. Outside of work, Max enjoys learning new (human) languages, playing music, rock climbing, and dodgeball.
