• No results found

Do You Have a Scanner or a Scanning Program?

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Do You Have a Scanner or a Scanning Program?"

Copied!
43
0
0

Loading.... (view fulltext now)

Download now ( 43 Page )

Full text

(1)

Do You Have a Scanner

or a Scanning Program?

(2)

About Me

Dan Cornell

Founder and CTO of Denim Group

Software developer by background (Java, .NET, etc)

OWASP San Antonio

15 years experience in software architecture,

development and security

(3)

Static or Dynamic? (Or Both?) Desktop, Enterprise or Cloud

(Or All the Above?)

Who Has Purchased an

Automated Scanner?

(4)

Who Here Is Happy

With Their Scanner?

Yes No

Kind Of Not Sure

(5)

Why or Why Not?

(6)

Successful Software

Security Programs

Common Goal

Reduce Risk by…

● Reliably Creating Acceptably Secure Software

Obligatory “People, Process, Technology” Reference Anybody got a good Sun Tzu quote?

I’d settle for a von Clausewitz…

Or perhaps we need to look at Dalai Lama quotes (topic for a different day)

Common Activities

(7)

What Part Does Scanning

Play?

OpenSAMM - Automated scanning is part of both the “Security Testing” and “Code Review” Security Practices within the Verification Business Function

Dynamic scanning and static scanning, respectively

Common starting point for many organizations embarking on software security programs

There are lots of commercial and freely available products that can be used in support of this activity

RED FLAG:

Q: What are you doing for software security? A: We bought [Vendor Scanner XYZ]

(8)

Scanning Program:

Anti-Patterns

“Dude With a Scanner” approach

Can also be implemented as the “lady with a scanner” approach “SaaS and Forget” approach

(9)

Scanner Program Metrics

Breadth

Depth

(10)

Is Your Scanner

Missing Something?

Breadth “Misses”

Inadequate application portfolio Applications not being scanned Depth “Misses”

Ineffective crawling ignores application attack surface False negatives resulting in ignorance of legitimate vulnerabilities

Excessive false positives causing results to be ignored

Frequency “Misses”

Applications not being scanned often enough

(11)

Security Testing: Better

Patterns

Breadth-First Scanning

You want a scanning program, not a scanner

Deep Assessment of Critical Applications

Automated scanning, manual scan review and assessment

Understand that scanning is a means to an end

Not an end in and of itself

(12)

What Goes Into a Good

Scanning Program?

Solid Understanding of Attack Surface

Realistic Concept of Scanner Effectiveness Disciplined History of Scanning

(13)

What Is Your Software

Attack Surface?

Software You Currently Know About Why?

• Lots of value flows through it

• Auditors hassle you about it

• Formal SLAs with customers mention it

• Bad guys found it and caused an incident (oops)

What?

• Critical legacy systems

(14)

What Is Your Software

Attack Surface?

Add In the Rest of the Web

Applications You Actually Develop and Maintain

Why Did You Miss Them?

• Forgot it was there

• Line of business procured through non-standard channels

• Picked it up through a merger / acquisition

What?

• Line of business applications

(15)

What Is Your Software

Attack Surface?

Add In the Software You Bought from Somewhere

Why Did You Miss Them?

• Most scanner only really work on web applications so no vendors pester you about your non-web applications

• Assume the application vendor is handling security

What?

• More line of business applications

• Support applications

(16)

What Is Your Software

Attack Surface?

MOBILE! THE CLOUD!

Why Did You Miss Them?

• Any jerk with a credit card and the ability to submit an expense report is now runs their own private

procurement office What?

• Support for line of business functions

(17)

Attack Surface: The

Security Officer’s Journey

Two Dimensions:

Perception of Software Attack Surface Insight into Exposed Assets

Perception

In

sig

(18)

As perception of the problem of attack surface widens the scope of the problem increases

Attack Surface: The

Security Officer’s Journey

Perception In sig ht Web Applications

(19)

As perception of the problem of attack surface widens the scope of the problem increases

Attack Surface: The

Security Officer’s Journey

Perception In sig ht Web Applications Client-Server Applications

(20)

As perception of the problem of attack surface widens the scope of the problem increases

Attack Surface: The

Security Officer’s Journey

Perception In sig ht Web Applications Client-Server Applications Desktop Applications

(21)

As perception of the problem of attack surface widens the scope of the problem increases

Attack Surface: The

Security Officer’s Journey

Perception In sig ht Web Applications Client-Server Applications Desktop Applications Cloud Applications and Services

(22)

As perception of the problem of attack surface widens the scope of the problem increases

Attack Surface: The

Security Officer’s Journey

Perception In sig ht Web Applications Client-Server Applications Desktop Applications Cloud Applications and Services Mobile Applications

(23)

Discovery activities increase insight

Attack Surface: The

Security Officer’s Journey

Perception In sig ht Web Applications

(24)

Discovery activities increase insight

Attack Surface: The

Security Officer’s Journey

Perception In sig ht Web Applications

(25)

Discovery activities increase insight

Attack Surface: The

Security Officer’s Journey

Perception In sig ht Web Applications

(26)

Over time you end up with a progression

Attack Surface: The

Security Officer’s Journey

Perception In sig ht Web Applications

(27)

Over time you end up with a progression

Attack Surface: The

Security Officer’s Journey

Perception In sig ht Web Applications Client-Server Applications

(28)

Desktop Applications

Client-Server Applications

Over time you end up with a progression

Attack Surface: The

Security Officer’s Journey

Perception In sig ht Web Applications

(29)

Desktop Applications

Client-Server Applications

Over time you end up with a progression

Attack Surface: The

Security Officer’s Journey

Perception In sig ht Web Applications Cloud Applications and Services

(30)

Desktop Applications

Client-Server Applications

Over time you end up with a progression

Attack Surface: The

Security Officer’s Journey

Perception In sig ht Web Applications Cloud Applications and Services Mobile Applications

(31)

When you reach this point it is called “enlightenment” You won’t reach this point

Attack Surface: The

Security Officer’s Journey

Perception In sig ht Web Applications Client-Server Applications Desktop Applications Cloud Applications and Services Mobile Applications

(32)

An Application

Test

What Goes Into An

Application Test?

(33)

Dynamic

Analysis

What Goes Into An

Application Test?

Static

Analysis

(34)

Automated

Application

Scanning

What Goes Into An

Application Test?

Static

Analysis

Manual

Application

Testing

(35)

Automated

Application

Scanning

What Goes Into An

Application Test?

Automated

Static

Analysis

Manual

Application

Testing

Manual

Static

Analysis

(36)

U n a u th en tic at ed A u to m at ed S ca n

What Goes Into An

Application Test?

Automated

Static

Analysis

B lin d P en et ra tio n Te st in g

Manual

Static

Analysis

A u th en tic at ed A u to m at ed S ca n In fo rm ed M an u al Te st in g

(37)

U n a u th en tic at ed A u to m at ed S ca n

What Goes Into An

Application Test?

A u to m at ed S o u rc e C o d e S ca n n in g B lin d P en et ra tio n Te st in g M an u al S o u rc e C o d e R ev ie w A u th en tic at ed A u to m at ed S ca n In fo rm ed M an u al Te st in g A u to m at ed B in ar y A n aly si s

M

a

n

u

al

B

in

a

ry

A

n

a

ly

s

is

(38)

Value and Risk Are Not

Equally Distributed

Some Applications Matter More Than Others

Value and character of data being managed Value of the transactions being processed Cost of downtime and breaches

Therefore All Applications Should Not Be Treated the Same Allocate different levels of resources to assurance

Select different assurance activities

(39)

Do Not Treat All Applications

the Same

Allocate Different Levels of Resources to Assurance Select Different Assurance Activities

(40)

Free / Open Source vulnerability management and aggregation platform:

Allows software security teams to reduce the time to remediate software vulnerabilities

Enables managers to speak intelligently about the status / trends of software security within their organization.

Features/Benefits:

Imports dynamic, static and manual testing results into a centralized platform

Removes duplicate findings across testing platforms to provide a prioritized list of security faults Eases communication across development, security and QA teams

Exports prioritized list into defect tracker of choice to streamline software remediation efforts Auto generates web application firewall rules to protect data during vulnerability remediation

Empowers managers with vulnerability trending reports to pinpoint team issues and illustrate application security progress Benchmark security practice improvement against industry standards  

Freely available under the Mozilla Public License (MPL) 2.0 Download available at: www.denimgroup.com/threadfix Code available at: https://code.google.com/p/threadfix/

(41)

ThreadFix Demonstration

Building Your Application Portfolio Storing Scanning Results Over Time Reporting

Trending

Vulnerability Remediation Progress Scanner Benchmarking

(42)

Build Your Application Portfolio Characterize the Effectiveness of Efforts Made to Date

Build a Plan for Coverage Monitor Progress

(43)

Dan Cornell

Principal and CTO

[email protected] Twitter @danielcornell +1 (210) 572-4400 www.denimgroup.com blog.denimgroup.com

Questions?

References

Download now ( PDF - 43 Page - 7.79 MB )

Related documents

Topside Pipeline Design for Slug Attenuation and Increased Oil Production

The results showed that the optimised design of topside pipe diameter has potential for slug flow attenuation at larger valve opening which effectively translates to

Disparities of poverty and wealth in the Philippines. An analysis of policy effect(iveness)

Hence, the outreach of policy to the peripheral, marginalised and most problematic poverty issues determines where and how spatial and social boundaries are inscribed, which regions,

Rory Gallagher Guitar Tab Compilation.pdf

†Symbols in parentheses represent chord names with respect to GCFBbDG tuning (or Capoed Gtr, TAB 0 = 3rd fret) Symbols above represent actual sounding chords.. Play Guitar 1

Press Trip in TUSCANY - BUY WINE From February 15 th to 20 th 2014

Terratico di Bibbona is a relatively new addition to Tuscany's impressive array of DOCs, introduced in 2006 to cover red, rose and white (rosso, rosato and bianco) wines

Commonalities in EEG Spectral Power Abnormalities Between Women With ADHD and Women With Bipolar Disorder During Rest and Cognitive Performance

The results support our previous work in an all-male sample, which showed no differences in cortical activation between controls and individuals with ADHD during the CPT and no

Consumo de álcool entre estudantes de enfermagem Alcohol consumption among nursing students

Possible explanation would be that second year student are more socialized and therefore attending many party where drinking more at same time second year student need further

NLP eBooks Collection

Ebook - Hypnosis - Self Help - Improve Your Confidence An.pdf (ebook - Hypnosis) Seven Success Secrets of Hypnotism.pdf (eBook) - Hypnosis - Seven Success Secrets of Hypnotism.pdf

Network/Internet Forensic and Intrusion Log Analysis

To understand behavior of current attacks to corporate network To experience a hands-on exercise of intrusion analysis. To learn how to comply new Thailand ICT