Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
DESCRIPTION
By this point, most organizations have acquired at least one code or application scanning technology to incorporate into their software security program. Unfortunately, for many organizations the scanner represents the entirety of that so-called “program” and often the scanners are not used correctly or on a consistent basis. This presentation looks at the components of a comprehensive software security program, the role that automation plays in these programs and tools and techniques that can be used to help increase the value an organization receives from its application scanning activities. It starts by examining common traps organizations fall into where they fail to address coverage concerns – either breadth of scanning coverage across the application portfolio or depth of coverage issues where application scans do not provide sufficient insight into the security state of target applications. After discussing approaches to address these coverage issues, the presentation walks through metrics organizations can use to keep tabs on their scanning progress to better understand what is being scanned, how frequently and at what depth. The presentation also contains a demonstration of how freely available tools such as the open source ThreadFix application vulnerability management platform and the OWASP Zed Attack Proxy (ZAP) scanner can be combined to create a baseline scanning program for an organization and how this approach can be generalized to use any scanning technology.
TRANSCRIPT
![Page 1: Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)](https://reader033.vdocuments.net/reader033/viewer/2022042613/554a186cb4c9055c598b51d1/html5/thumbnails/1.jpg)
Do You Have a Scanner or a Scanning Program?
About Me
• Dan Cornell
• Founder and CTO of Denim Group
• Software developer by background (Java, .NET, etc.)
• OWASP San Antonio
• 15 years experience in software architecture, development and security
Who Has Purchased an Automated Scanner?
• Static or Dynamic? (Or Both?)
• Desktop, Enterprise or Cloud – (Or All the Above?)
Who Here Is Happy With Their Scanner?
• Yes
• No
• Kind Of
• Not Sure
Why or Why Not?
Successful Software Security Programs
• Common Goal – Reduce Risk by…
• Reliably Creating Acceptably Secure Software
• Obligatory “People, Process, Technology” Reference – Anybody got a good Sun Tzu quote? – I’d settle for a von Clausewitz… – Or perhaps we need to look at Dalai Lama quotes (topic for a different day)
• Common Activities – Implementation must be tied to the specific organization
What Part Does Scanning Play?
• OpenSAMM - Automated scanning is part of both the “Security Testing” and “Code Review” Security Practices within the Verification Business Function – Dynamic scanning and static scanning, respectively
• Common starting point for many organizations embarking on software security programs – There are lots of commercial and freely available products that can be used in support of this activity
RED FLAG: Q: What are you doing for software security? A: We bought [Vendor Scanner XYZ]
*** BEWARE FOSTERING A CHECKBOX CULTURE ***
Scanning Program: Anti-Patterns
• “Dude With a Scanner” approach – Can also be implemented as the “lady with a scanner” approach
• “SaaS and Forget” approach
Scanner Program Metrics
• Breadth
• Depth
• Frequency
Is Your Scanner Missing Something?
• Breadth “Misses” – Inadequate application portfolio – Applications not being scanned
• Depth “Misses” – Ineffective crawling ignores application attack surface – False negatives resulting in ignorance of legitimate vulnerabilities – Excessive false positives causing results to be ignored
• Frequency “Misses” – Applications not being scanned often enough
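The three kinds of miss on this slide can be measured rather than guessed at once the portfolio and the scan history are written down. The following is an added example, not code from the talk or from ThreadFix: it checks a constructed portfolio and scan history against a scanning policy and reports breadth misses (applications never scanned), depth misses (applications whose scans lack a required scan kind or an authenticated dynamic scan) and frequency misses (applications whose newest scan is too old). The application names, scan dates, reporting date and the policy values (both scan kinds required, authenticated dynamic scan required, 90-day maximum age) are all assumptions chosen for the example.

```python
"""Breadth, depth and frequency "misses" for a scanning program.

Added example, not code from the talk or from ThreadFix. A constructed
application portfolio and scan history are checked against a scanning
policy: which scan kinds are required, whether an authenticated dynamic
scan is required, and how old the newest scan may be. All values are
assumptions chosen for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Scan:
    app: str
    kind: str            # "dynamic" or "static"
    authenticated: bool  # only meaningful for dynamic scans
    performed: date


# Constructed portfolio: every application the organisation knows about.
PORTFOLIO = ["portal", "payments", "hr-intranet", "legacy-billing", "mobile-api"]

# Constructed scan history: only three of the five applications were ever scanned.
SCANS = [
    Scan("portal", "dynamic", False, date(2013, 7, 1)),
    Scan("portal", "static", False, date(2013, 7, 3)),
    Scan("payments", "dynamic", True, date(2013, 3, 10)),
    Scan("hr-intranet", "dynamic", False, date(2012, 11, 2)),
]

# Policy (assumed for the example): full depth means both scan kinds plus at
# least one authenticated dynamic scan, and the newest scan may be 90 days old.
REQUIRED_KINDS = frozenset({"dynamic", "static"})
REQUIRE_AUTHENTICATED_DYNAMIC = True
MAX_SCAN_AGE = timedelta(days=90)
AS_OF = date(2013, 8, 20)  # constructed reporting date


def scans_by_app(scans):
    """Group scans by application name."""
    grouped = defaultdict(list)
    for scan in scans:
        grouped[scan.app].append(scan)
    return grouped


def breadth_misses(portfolio, scans):
    """Applications in the portfolio that have never been scanned at all."""
    scanned = {scan.app for scan in scans}
    return sorted(app for app in portfolio if app not in scanned)


def depth_misses(portfolio, scans):
    """For each scanned application, the parts of the required depth that are missing.

    Returns {app: [problem, ...]}; applications with full depth are absent.
    """
    misses = {}
    for app, app_scans in scans_by_app(scans).items():
        if app not in portfolio:
            continue  # a scan of something outside the portfolio is a portfolio problem, not a depth one
        problems = sorted(REQUIRED_KINDS - {scan.kind for scan in app_scans})
        has_auth_dynamic = any(scan.kind == "dynamic" and scan.authenticated for scan in app_scans)
        if REQUIRE_AUTHENTICATED_DYNAMIC and not has_auth_dynamic:
            problems.append("no authenticated dynamic scan")
        if problems:
            misses[app] = problems
    return misses


def frequency_misses(portfolio, scans, as_of):
    """Scanned applications whose newest scan is older than MAX_SCAN_AGE, with the age in days."""
    stale = {}
    for app, app_scans in scans_by_app(scans).items():
        if app not in portfolio:
            continue
        age = as_of - max(scan.performed for scan in app_scans)
        if age > MAX_SCAN_AGE:
            stale[app] = age.days
    return stale


def coverage_report(portfolio, scans, as_of):
    """Percentage of the whole portfolio that passes each check.

    Unscanned applications fail all three checks on purpose: a report computed
    only over scanned applications would hide the applications nobody scans.
    """
    total = len(portfolio)
    never_scanned = set(breadth_misses(portfolio, scans))
    shallow = set(depth_misses(portfolio, scans))
    stale = set(frequency_misses(portfolio, scans, as_of))
    return {
        "breadth_pct": 100.0 * (total - len(never_scanned)) / total,
        "depth_pct": 100.0 * (total - len(never_scanned | shallow)) / total,
        "frequency_pct": 100.0 * (total - len(never_scanned | stale)) / total,
    }


if __name__ == "__main__":
    print("never scanned:", breadth_misses(PORTFOLIO, SCANS))
    print("depth misses:", depth_misses(PORTFOLIO, SCANS))
    print("stale (days):", frequency_misses(PORTFOLIO, SCANS, AS_OF))
    print("coverage:", coverage_report(PORTFOLIO, SCANS, AS_OF))
```

With the constructed data the portal has breadth and frequency coverage but fails depth (never scanned authenticated), payments is deep enough but stale, and two applications have never been scanned, so depth coverage for the portfolio as a whole is 0%. That is the point of computing the percentages over the full portfolio rather than over the applications the scanner happens to know about.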
Security Testing: Better Patterns
• Breadth-First Scanning – You want a scanning program, not a scanner
• Deep Assessment of Critical Applications – Automated scanning, manual scan review and assessment
• Understand that scanning is a means to an end – Not an end in and of itself – Start of vulnerability management
What Goes Into a Good Scanning Program?
• Solid Understanding of Attack Surface
• Realistic Concept of Scanner Effectiveness
• Disciplined History of Scanning
• Prioritized Testing Efforts
What Is Your Software Attack Surface?
Software You Currently Know About
Why? • Lots of value flows through it • Auditors hassle you about it • Formal SLAs with customers mention it • Bad guys found it and caused an incident (oops)
What? • Critical legacy systems • Notable web applications
What Is Your Software Attack Surface?
Add In the Rest of the Web Applications You Actually Develop and Maintain
Why Did You Miss Them? • Forgot it was there • Line of business procured through non-standard channels • Picked it up through a merger / acquisition
What? • Line of business applications • Event-specific applications
What Is Your Software Attack Surface?
Add In the Software You Bought from Somewhere
Why Did You Miss Them? • Most scanners only really work on web applications, so no vendors pester you about your non-web applications • Assume the application vendor is handling security
What? • More line of business applications • Support applications • Infrastructure applications
What Is Your Software Attack Surface?
MOBILE! THE CLOUD!
Why Did You Miss Them? • Any jerk with a credit card and the ability to submit an expense report now runs their own private procurement office
What? • Support for line of business functions • Marketing and promotion
Attack Surface: The Security Officer’s Journey
• Two Dimensions: – Perception of Software Attack Surface – Insight into Exposed Assets
(Chart built up over slides 17 to 31: Perception on one axis, Insight on the other, with Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, and Mobile Applications placed on it in turn.)
• As perception of the problem of attack surface widens, the scope of the problem increases (slides 18 to 22 add each application category to the chart)
• Discovery activities increase insight (slides 23 to 25)
• Over time you end up with a progression (slides 26 to 30)
• When you reach this point it is called “enlightenment”
• You won’t reach this point
What Goes Into An Application Test?
(Diagram built up over slides 32 to 37.)
An Application Test
• Dynamic Analysis – Automated Application Scanning (Unauthenticated Automated Scan, Authenticated Automated Scan) – Manual Application Testing (Blind Penetration Testing, Informed Manual Testing)
• Static Analysis – Automated Static Analysis (Automated Source Code Scanning, Automated Binary Analysis) – Manual Static Analysis (Manual Source Code Review, Manual Binary Analysis)
Value and Risk Are Not Equally Distributed
• Some Applications Matter More Than Others – Value and character of data being managed – Value of the transactions being processed – Cost of downtime and breaches
• Therefore All Applications Should Not Be Treated the Same – Allocate different levels of resources to assurance – Select different assurance activities – Also must often address compliance and regulatory requirements
Do Not Treat All Applications the Same
• Allocate Different Levels of Resources to Assurance
• Select Different Assurance Activities
• Also Must Often Address Compliance and Regulatory Requirements
The ThreadFix Approach
• Free / Open Source vulnerability management and aggregation platform: – Allows software security teams to reduce the time to remediate software vulnerabilities – Enables managers to speak intelligently about the status / trends of software security within their organization.
• Features/Benefits: – Imports dynamic, static and manual testing results into a centralized platform – Removes duplicate findings across testing platforms to provide a prioritized list of security faults – Eases communication across development, security and QA teams – Exports prioritized list into defect tracker of choice to streamline software remediation efforts – Auto generates web application firewall rules to protect data during vulnerability remediation – Empowers managers with vulnerability trending reports to pinpoint team issues and illustrate application security progress – Benchmark security practice improvement against industry standards
• Freely available under the Mozilla Public License (MPL) 2.0
• Download available at: www.denimgroup.com/threadfix
• Code available at: https://code.google.com/p/threadfix/
ThreadFix Demonstration
• Building Your Application Portfolio
• Storing Scanning Results Over Time
• Reporting – Trending – Vulnerability Remediation Progress – Scanner Benchmarking – Portfolio Status
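The "removes duplicate findings across testing platforms" and "scanner benchmarking" points from the ThreadFix slide and the demonstration outline both rest on the same mechanism: normalize what each tool reports, merge findings that describe the same flaw, then rank and count. The following is an added example and not ThreadFix's own code. The findings are constructed; "ZAP" is the scanner the talk names, while "ScannerB" and "StaticTool" are placeholders, and the application criticality weights are assumed. Merging is by application, CWE id, normalized location and parameter, so a static finding (source file) and a dynamic finding (URL) for the same flaw stay separate here unless an endpoint-to-source mapping is added, which this example does not attempt.

```python
"""Merging findings from several scanners into one prioritized list.

Added example, not ThreadFix's own code. Findings are constructed; "ZAP" is
the scanner the talk names, "ScannerB" and "StaticTool" are placeholders,
and the criticality weights are assumptions. Merging is by application,
CWE id, normalized location and parameter, so a static (source file) and a
dynamic (URL) finding of the same flaw stay separate without an
endpoint-to-source mapping.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    scanner: str
    app: str
    cwe: int          # CWE id of the weakness type, e.g. 89 for SQL injection
    location: str     # URL for dynamic tools, source path for static tools
    parameter: str    # input the finding was reported on ("" if none)
    severity: int     # 1 (informational) to 5 (critical), on a common scale


# Constructed findings from three tools run against three applications.
FINDINGS = [
    Finding("ZAP", "payments", 89, "https://pay.example.test/transfer?acct=1", "acct", 4),
    Finding("ScannerB", "payments", 89, "https://pay.example.test/Transfer/", "acct", 5),
    Finding("ZAP", "portal", 79, "https://portal.example.test/search", "q", 3),
    Finding("ScannerB", "portal", 79, "https://portal.example.test/search?q=test", "q", 3),
    Finding("ScannerB", "portal", 352, "https://portal.example.test/profile", "", 2),
    Finding("StaticTool", "payments", 89, "src/main/java/TransferServlet.java", "acct", 4),
    Finding("ZAP", "hr-intranet", 79, "https://hr.example.test/directory", "name", 3),
]

# Constructed business criticality per application (higher matters more).
APP_CRITICALITY = {"payments": 3, "portal": 2, "hr-intranet": 1}


def normalize_location(location):
    """Reduce a location to a comparable form.

    URLs lose scheme, host and query string so the same endpoint seen by two
    scanners with different hosts or sample payloads merges; source paths are
    kept as given. Case and trailing slashes are ignored in both cases.
    """
    path = urlsplit(location).path if "://" in location else location
    return (path.rstrip("/") or "/").lower()


def merge_key(finding):
    return (finding.app, finding.cwe, normalize_location(finding.location), finding.parameter.lower())


def merge_findings(findings):
    """Collapse duplicates; keep the worst severity and every scanner that reported the flaw."""
    groups = defaultdict(list)
    for finding in findings:
        groups[merge_key(finding)].append(finding)
    merged = []
    for (app, cwe, location, parameter), group in groups.items():
        merged.append({
            "app": app, "cwe": cwe, "location": location, "parameter": parameter,
            "severity": max(f.severity for f in group),
            "scanners": sorted({f.scanner for f in group}),
        })
    return merged


def prioritize(merged, criticality):
    """Order by severity weighted with the application's criticality, worst first."""
    def score(vuln):
        return vuln["severity"] * criticality.get(vuln["app"], 1)
    return sorted(merged, key=lambda v: (-score(v), v["app"], v["cwe"], v["location"]))


def scanner_benchmark(merged):
    """Per scanner: merged vulnerabilities it reported, and how many nobody else reported."""
    found, only = Counter(), Counter()
    for vuln in merged:
        for scanner in vuln["scanners"]:
            found[scanner] += 1
        if len(vuln["scanners"]) == 1:
            only[vuln["scanners"][0]] += 1
    return {s: {"found": found[s], "only_this_scanner": only[s]} for s in found}


if __name__ == "__main__":
    merged = merge_findings(FINDINGS)
    print(f"{len(FINDINGS)} raw findings -> {len(merged)} unique vulnerabilities")
    for vuln in prioritize(merged, APP_CRITICALITY):
        print(vuln["app"], vuln["cwe"], vuln["location"], vuln["parameter"], vuln["severity"], vuln["scanners"])
    print(scanner_benchmark(merged))
```

The seven constructed findings collapse to five vulnerabilities, and the SQL injection in the payments application lands at the top of the list because both the severity and the application's criticality are high, which is the "some applications matter more than others" point from the earlier slide applied to triage. The benchmark counts make the "scanner benchmarking" report concrete: each scanner's total, and how many flaws only that scanner found, which is what tells you whether a second tool is adding coverage or only noise.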
Steps for Improvement
• Build Your Application Portfolio
• Characterize the Effectiveness of Efforts Made to Date
• Build a Plan for Coverage
• Monitor Progress
Dan Cornell Principal and CTO [email protected] Twitter @danielcornell +1 (210) 572-4400
www.denimgroup.com blog.denimgroup.com
Questions?