vulnerability management and threat detection by the numbers
TRANSCRIPT
Eoin Keary
CTO/Founder edgescan.com & BCC Risk Advisory
OWASP Leader/Member/Ireland Founder
OWASP Global Board Member (2009-2014)
One problem, Many solutions
• DAST – Peoples front of Judea
• RASP – Judean peoples front
• IAST – Judean Popular People's Front
• SAST – Popular Front of Judea
Web Risk
• Application Security
• Host Security
• Both / Either / Or
• It's all software, right?
"We gotta cover all the bases, an attacker only needs to find one…"
Bits between the Bits
• A developer introduces bugs in code.
• A security assessment may deliver false positives/negatives.
Potential vulnerabilities in code & potential vulnerabilities in assessment techniques.
Continuous what?
• CI -> Continuous Integration
• CD -> Continuous Deployment
• TDD -> Test Driven Development
• Continuous Maintenance
• Continuous Security
Continuous Security
• "Keeping up" with development
• Assisting secure deployment
• Catching bugs early – Push Left
• Help ensure "change" is secure
Host/Server/Framework
Building bricks – Frameworks / Components: Spring, jQuery, Jade, Angular, Hibernate
• 13 billion open source downloads in 2014
• 90% of application code is framework
• 63%* don't monitor component security
• 43%* don't have an open source policy
* http://www.sonatype.com/about/2014-open-source-software-development-survey
Components
• Spring (3.0-3.0.5) – CVE-2011-2894 – Code exe – 7,000,000 downloads since vuln discovered – CVSS: 6.8
• Apache Xerces2 – CVE-2009-2625 – DoS – 4,000,000 downloads since vuln discovered – CVSS: 5
• Apache Commons HttpClient 3.x – CVE-2012-5783 – MiTM – 4,000,000 downloads since vuln discovered – CVSS: 4.9
• Struts2 (2.0-2.3.5) – CVE-2013-2251 – Remote Cmd Injection – 179,050 downloads since vuln discovered – CVSS: 10
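The "Components" slide is the case for component vulnerability management: a build that pins a library version inside a known-affected range ships the CVE. The check itself is simple and worth automating in CI. The code below is an added illustration for this page, not the slides' or edgescan's tooling; the advisory rows reuse the component/CVE/CVSS values and version ranges exactly as printed on the slide (only the two components with an explicit range), while the Maven coordinates and the dependency list are constructed assumptions. A real software-composition check would pull ranges from an advisory database rather than a hand-written table.

```python
# Added example (not the slides' or edgescan's code): a minimal software-composition
# check that flags dependencies whose version falls inside a known-vulnerable range.
# Advisory rows reuse the component/CVE pairs and version ranges as printed on the
# slide; the Maven coordinates and the sample dependency list are constructed.


def parse_version(text):
    """Turn '2.3.5' into (2, 3, 5) so versions compare numerically, not as strings
    (string comparison would wrongly rank '2.3.15' below '2.3.5')."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, low, high):
    """Inclusive range check: low <= version <= high, compared component-wise.
    Caveat: a four-part patch release such as 2.3.5.1 sorts above 2.3.5 and so
    falls outside an upper bound of 2.3.5; real advisories state the fixed version."""
    v = parse_version(version)
    return parse_version(low) <= v <= parse_version(high)


# (Maven coordinate [assumed], lowest affected, highest affected, CVE, impact, CVSS)
# Ranges, CVE ids, impact labels and CVSS scores are the ones shown on the slide.
ADVISORIES = [
    ("org.springframework:spring-core", "3.0", "3.0.5",
     "CVE-2011-2894", "Code exe", 6.8),
    ("org.apache.struts:struts2-core", "2.0", "2.3.5",
     "CVE-2013-2251", "Remote Cmd Injection", 10.0),
]

# Constructed dependency list in group:artifact:version form, as a build tool lists them.
SAMPLE_DEPENDENCIES = [
    "org.springframework:spring-core:3.0.5",   # inside the Spring range
    "org.springframework:spring-core:3.2.0",   # above it
    "org.apache.struts:struts2-core:2.3.1",    # inside the Struts2 range
    "org.hibernate:hibernate-core:4.2.0",      # no advisory in the table
]


def find_vulnerable(dependencies, advisories=ADVISORIES):
    """Return one dict per (dependency, advisory) match, in dependency order."""
    hits = []
    for dep in dependencies:
        group, artifact, version = dep.rsplit(":", 2)
        coordinate = f"{group}:{artifact}"
        for adv_coord, low, high, cve, impact, cvss in advisories:
            if coordinate == adv_coord and is_affected(version, low, high):
                hits.append({"dependency": dep, "cve": cve,
                             "impact": impact, "cvss": cvss})
    return hits


def highest_cvss(hits):
    """Worst score among the matches; a CI gate can compare this to a threshold."""
    return max((h["cvss"] for h in hits), default=0.0)


if __name__ == "__main__":
    for h in find_vulnerable(SAMPLE_DEPENDENCIES):
        print(f'{h["dependency"]}: {h["cve"]} ({h["impact"]}, CVSS {h["cvss"]})')
    print("highest CVSS:", highest_cvss(find_vulnerable(SAMPLE_DEPENDENCIES)))
```

Run against the constructed list it reports the Spring 3.0.5 and Struts2 2.3.1 entries and a highest CVSS of 10; the numeric version tuple is the part most ad-hoc scripts get wrong, because a plain string compare puts 2.3.15 before 2.3.5.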
"65% of vulnerabilities discovered in 2015 by edgescan were outside of software developer control – Operating System CVE, Component CVE, Misconfiguration etc."
– edgescan Vulnerability Statistics Report 2015
AppSec/Component Sec
• "If you're not doing component vulnerability management you're not doing appsec…"
– 90% of application code is framework
• "If you're not doing full-stack you are not doing security…"
– Hackers don't give a S*#t
Automation!!
• Jenkins, Hudson, Bamboo
– Event driven
– Scheduled
– Incremental
• CHEF, Puppet, Phoenix (immutable)
Sounds great…. but
Accuracy/Information/Context – The "Anti-Scale"
• Risk context
• Business context
• Accuracy
• Information vs data
• Human decisions and intel
• Technical constraints
-> Chokepoints
The "Anti-Scale"
• New languages and programming methods
• Growth of interpreted languages with no strong typing hurts SAST (JavaScript, Ruby, …)
• Few automated tools to test APIs / RESTful APIs
• Testing window is squeezed – manual testing is doomed!?
Fighting the "Anti-Scale" – Accuracy
• "Rule tuning" – DAST & SAST
– Build fails!
– White noise / suppression
– Real security vs "best practice"
– Updates to rules
• Scale – "Delta analysis"
– Previous vs current
– Changes
– FPs
Fighting the "Anti-Scale" – Delta Analysis
A measure of change in a target environment, focusing on the change in risk posture compared to the last assessment.
-> Closed, New, False Positives
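The delta analysis and the rule-tuning points above (build fails, suppression of white noise, previous vs current, FPs) fit together as one small piece of logic: fingerprint each finding, diff the last assessment against the current one, set aside fingerprints already triaged as false positives, and let the CI gate fail only on what is new. The block below is an added illustration written for this page, not edgescan's implementation; the finding layout, the fingerprint scheme (host, path, rule id), the severity ranking and the sample findings are all constructed assumptions. Failing only on new findings above a threshold is a design choice: persistent findings are already tracked, so re-failing every build on them adds noise rather than signal.

```python
# Added example (illustrative, not edgescan's code) of the delta analysis described
# above: previous vs current assessment -> new / closed / persistent / false positive,
# plus a CI gate that fails the build only on new findings at or above a severity.
# Finding layout, fingerprint scheme, severity ranks and sample data are assumptions.

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(finding):
    """Identity of a finding across runs. Evidence strings and timestamps are left
    out on purpose so the same bug found twice maps to the same key."""
    return (finding["host"], finding["path"], finding["rule"])


def delta(previous, current, suppressed=()):
    """Bucket current findings relative to the previous run.
    suppressed: fingerprints a human has already marked as false positives."""
    prev = {fingerprint(f): f for f in previous}
    curr = {fingerprint(f): f for f in current}
    fps = set(suppressed)
    return {
        "new": [f for k, f in curr.items() if k not in prev and k not in fps],
        "closed": [f for k, f in prev.items() if k not in curr],
        "persistent": [f for k, f in curr.items() if k in prev and k not in fps],
        "false_positives": [f for k, f in curr.items() if k in fps],
    }


def summary(report):
    """Counts per bucket, the numbers a dashboard or build log would show."""
    return {bucket: len(items) for bucket, items in report.items()}


def should_fail_build(report, min_severity="high"):
    """Gate on change only: a new finding at or above min_severity fails the build;
    persistent findings are already tracked and do not re-fail every build."""
    threshold = SEVERITY_RANK[min_severity]
    return any(SEVERITY_RANK[f["severity"]] >= threshold for f in report["new"])


# Constructed sample assessments (host uses the reserved .test TLD).
HOST = "app.example.test"
PREVIOUS = [
    {"host": HOST, "path": "/login", "rule": "sqli", "severity": "high"},
    {"host": HOST, "path": "/search", "rule": "xss", "severity": "medium"},
    {"host": HOST, "path": "/", "rule": "missing-hsts", "severity": "low"},
]
CURRENT = [
    {"host": HOST, "path": "/search", "rule": "xss", "severity": "medium"},        # persistent
    {"host": HOST, "path": "/", "rule": "missing-hsts", "severity": "low"},        # persistent
    {"host": HOST, "path": "/api/orders", "rule": "idor", "severity": "high"},     # new
    {"host": HOST, "path": "/health", "rule": "server-banner", "severity": "low"}, # triaged FP
]
SUPPRESSED = [(HOST, "/health", "server-banner")]


if __name__ == "__main__":
    report = delta(PREVIOUS, CURRENT, SUPPRESSED)
    print(summary(report))
    for f in report["new"]:
        print("NEW", f["severity"], f["rule"], f["path"])
    print("fail build:", should_fail_build(report))
```

On the constructed data the SQL injection at /login is reported closed, the XSS and HSTS findings persist, the server banner on /health is filed under false positives because it was suppressed earlier, and the build fails only because the new IDOR finding is rated high; raising the gate to critical lets the same build pass while the finding is still listed as new.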
Fighting the "Anti-Scale" – Testing like a Developer
• Break testing into little pieces
– Smoke / incremental vs full regression testing
• "Early and often"
– Continuous, on demand
– Testing duration drives testing frequency
Business & Behavioural Testing
At scale: can be difficult…
• Technical security is covered…
• Automation
• More time to "deep dive"
"Future of Pentesting"
Technical vulnerabilities rooted out using technical methods/services…
Move from chasing the Top 10 (SQLi, XSS, etc.) to behavioural, logical, business flow assessment.
FIN
• We can scale, but not everything is [easily] scalable
• Discover tech vulns using tech
• No "fire and forget" security
• Let's test to mirror development methodologies