Application Security Program Management with Vulnerability Manager
Post on 19-Oct-2014
DESCRIPTION
Using free Java-based software, application security managers can gain increased visibility into and control of enterprise application security programs, as well as the data needed to support informed conversations with their managers and executives. Denim Group's Vulnerability Manager works through a centralized system that lets security teams import and consolidate application-level vulnerabilities, automatically generate virtual patches, monitor attack attempts, communicate with defect tracking systems, and evaluate team maturity. Vulnerability Manager is a Java-based web application available for free under the Mozilla Public License. This demonstration covers the major functional areas of Vulnerability Manager:
• Application portfolio management – Creating a portfolio of applications under management and tracking critical information about those applications, such as associated technologies and the sensitivity of the data they handle.
• Vulnerability import and merging – Importing results of both static and dynamic scans, de-duplicating results, and merging the output from multiple tools into a unified view of the security state of an application.
• Automated virtual patch generation – Automatically creating IDS/IPS and WAF rules to provide real-time protection for certain classes of vulnerabilities, and consuming WAF/IDS/IPS logs to identify which vulnerabilities are under active attack.
• Defect tracker integration – Bundling multiple vulnerabilities into packages, sending them to software defect tracking systems, and monitoring the defects to identify when software developers have closed them out.
• Team maturity evaluation – Tracking interviews with development teams about the security practices they have adopted, based on maturity models such as OpenSAMM.
In addition, the presentation explains the internals of the Vulnerability Manager software: the design decisions made, as well as opportunities to extend the system to support additional technologies.
TRANSCRIPT
Application Security Program Management
with Vulnerability Manager
Bryan Beverly
June 2nd, 2010
Today's Presentation
• The challenges of application security scanning and remediation
• What Vulnerability Manager can do
• Next steps for Vulnerability Manager
• Next steps for you
Denim Group Background
• Privately-held, professional services organization
– Develops secure software
– Helps organizations assess and mitigate risk of existing software
– Provides training and mentoring so clients can build trusted software
• Software-centric view of application security
– Application security experts are practicing developers
– Development pedigree translates to rapport with development managers
– Business impact: shorter time-to-fix application vulnerabilities
• Culture of application security innovation and contribution
– Released Sprajax & Vulnerability Manager to open source community
– OWASP national leaders & regular speakers at RSA, OWASP, CSI
– World class alliance partners accelerate innovation to solve client problems
My Background
• 13-year business application development background
• Lead Consultant at Denim Group
• Provides technical oversight for Denim Group development projects
• Responsible for Denim Group development lifecycle standards and processes
• Performs black box and white box security assessments
• Performs on-site security training
• Co-developer and technical lead for the Vulnerability Manager project
Challenges with Scan-Centric Application Security Programs
• Too many application security programs are scan-centric
– Run scans, generate reports, send to development teams
• Not enough attention is paid to the entire process
• Result: Vulnerabilities are not remediated and continue to expose the organization to risk
Post-Scan Remediation is the “Next” Big AppSec Issue
• Application scanning technologies are improving
– Various improvements provide better testing coverage
• Qualys 2009 Black Hat Conference paper
– Presented by Qualys CTO Wolfgang Kandek
– Network & host vulnerabilities persist for roughly 30 days from identification
– Measured across 140m Qualys SaaS client scans
– Exploitation cycle is getting shorter – down from 60 days in 2004 to 10 days
• WhiteHat Security study on application vulnerabilities
– Application vulnerabilities persist much longer than network vulnerabilities
– Typical persistence timeframe measured in months, not days
• SQL Injection – 38 days
• Insufficient Authentication – 72 days
– Vulnerability time-to-fix metrics are not changing substantively, typically requiring weeks to months to achieve resolution
Why Do Application Vulnerabilities Persist?
• Must rewrite software – can’t just turn “off” a service
– Can be straightforward – XSS or SQL Injection
– Can be more difficult – logic errors
• Dev teams detached from security managers
– Lack of organizational influence over dev efforts
– Interaction and tracking between groups is inconsistent and one-off
• The formal process of aggregating and processing application-level vulnerabilities is immature
– No automated way to import scanning results from multiple sources
• Black box (BB), white box (WB), SaaS
– Sophisticated hand-off to issue trackers is still evolving
– Interaction with other systems is “one off”
The Emergence of Accelerated Software Remediation (ASR) Technologies
• Security and risk managers are realizing the status quo is unacceptable
– Application vulnerabilities exist in live environments for months
• A new set of technologies is emerging to address the post-scan automation of application vulnerability handling
– Application security vendors are developing more post-scan functionality
• Many are creating gated communities and vendor lock-in
– Most 1st-generation interactions are “one-to-one” with scanners & WAFs
• Accelerated Software Remediation technologies reduce the lifespan of application vulnerabilities:
– Automating import from multiple scanning systems
– “De-duplication” of vulnerabilities from dynamic & static scanners
– Ability to measure incremental improvement
– Capability to generate “virtual patches” for IDS/WAF
Vulnerability Manager: “ThreadFix”
• Mission: Allow organizations to centrally manage the entire range of software assurance activities
• Finding vulnerabilities is easy – actually addressing the risk is hard
• Freely available under the Mozilla Public License 1.1
• Major Feature Areas
– Application Portfolio Management
– Vulnerability Import
– Real-Time Protection Generation
– Defect Tracking Integration
– Maturity Evaluation
Application Portfolio Management
• Many organizations do not even have a complete idea of their application attack surface
• Track applications, metadata and associated vulnerabilities
Vulnerability Import
• Import, de-duplicate and merge vulnerability data from a variety of free and commercial tools
• Static and dynamic analysis
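The slide describes the import step but not what "de-duplicate and merge" has to do when a black-box scanner reports URLs and a white-box scanner reports source lines. The following is an added example written for this page, not ThreadFix code: the two scanner output formats, the vendor-name-to-CWE mapping, the URLs and the file names are all constructed for the demonstration, and it assumes the static tool has already mapped each vulnerable line to the URL path it serves. Findings are normalised to a (CWE, path, parameter) key; anything sharing a key is the same vulnerability, whichever tool found it.

```python
"""Import, normalise, de-duplicate and merge findings from a dynamic (black-box)
and a static (white-box) scanner into one view per application.

Added example to illustrate the merge step described on the slide; it is not
ThreadFix code. Both scanner output formats below are constructed for the
demonstration, as are the URLs and file names."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed dynamic-scanner output: the same XSS is reported twice because the
# crawler reached /search with and without a query string.
DYNAMIC_FINDINGS = [
    {"type": "SQL Injection", "url": "https://app.example.test/login?user=x",
     "param": "user", "severity": "High"},
    {"type": "Cross-Site Scripting", "url": "https://app.example.test/search?q=1",
     "param": "q", "severity": "Medium"},
    {"type": "Cross-Site Scripting", "url": "https://app.example.test/search",
     "param": "q", "severity": "Medium"},
]
# Constructed static-scanner output, assuming the tool already mapped the
# vulnerable source line to the URL path it serves.
STATIC_FINDINGS = [
    {"cwe": 89, "path": "/login", "param": "user", "file": "LoginServlet.java",
     "line": 42, "severity": "Critical"},
    {"cwe": 79, "path": "/profile", "param": "name", "file": "Profile.java",
     "line": 17, "severity": "Medium"},
]

# Mapping vendor type names to CWE ids is what makes cross-tool merging possible.
TYPE_TO_CWE = {"SQL Injection": 89, "Cross-Site Scripting": 79}
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Vulnerability:
    cwe: int
    path: str
    param: str
    severity: str
    sources: set = field(default_factory=set)
    evidence: list = field(default_factory=list)

    @property
    def key(self):
        # Two findings are the same vulnerability if they share class, path and parameter.
        return (self.cwe, self.path, self.param)


def normalise_path(url_or_path):
    """Strip scheme, host, query string and trailing slash so that
    https://host/search?q=1 and /search compare equal."""
    return urlsplit(url_or_path).path.rstrip("/") or "/"


def import_dynamic(findings):
    for f in findings:
        yield Vulnerability(TYPE_TO_CWE[f["type"]], normalise_path(f["url"]),
                            f["param"], f["severity"], {"dynamic"}, [f["url"]])


def import_static(findings):
    for f in findings:
        yield Vulnerability(f["cwe"], normalise_path(f["path"]), f["param"],
                            f["severity"], {"static"}, [f"{f['file']}:{f['line']}"])


def merge(*streams):
    """De-duplicate on key; keep the highest severity and the union of evidence."""
    merged = {}
    for v in (v for stream in streams for v in stream):
        existing = merged.get(v.key)
        if existing is None:
            merged[v.key] = v
            continue
        existing.sources |= v.sources
        existing.evidence.extend(e for e in v.evidence if e not in existing.evidence)
        if SEVERITY_RANK[v.severity] > SEVERITY_RANK[existing.severity]:
            existing.severity = v.severity
    return sorted(merged.values(), key=lambda m: (-SEVERITY_RANK[m.severity], m.key))


if __name__ == "__main__":
    for v in merge(import_dynamic(DYNAMIC_FINDINGS), import_static(STATIC_FINDINGS)):
        print(f"CWE-{v.cwe} {v.path} [{v.param}] {v.severity} "
              f"sources={sorted(v.sources)} evidence={v.evidence}")
```

Five raw findings collapse to three vulnerabilities: the /login SQL injection is confirmed by both tools and takes the higher (static) severity, the two dynamic XSS reports on /search fold into one record that keeps both URLs as evidence, and the /profile XSS remains static-only, which is exactly the "found by one tool but not the other" gap the later "What you can do now" slide asks you to measure.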
Real-Time Protection Generation
• Generate vulnerability-specific rules for WAFs and IDS/IPS
• Automate the “virtual patching” process
• Import logs to identify vulnerabilities under active attack
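What a "vulnerability-specific" rule looks like, and how the log import closes the loop, is easier to see in code. This is an added example, not ThreadFix's rule generator: it emits a ModSecurity chained rule per finding that only fires when the request hits the vulnerable path and the vulnerable parameter carries a payload, then counts how often each generated rule id appears in WAF log lines. The findings, the private rule id range (900000+), the log lines and the two payload patterns are all constructed; the patterns are deliberately narrow and are not a complete signature set for either vulnerability class.

```python
"""Generate a vulnerability-specific ModSecurity rule (a 'virtual patch') for each
merged finding, and count attack attempts per finding from WAF log lines.

Added example to show the slide's two steps end to end; it is not ThreadFix's
generator. The findings, the rule id range and the log lines are constructed;
the payload patterns are deliberately narrow examples, not a complete
signature set for either vulnerability class."""
import re

# Constructed findings in the normalised form a consolidation tool would hold.
FINDINGS = [
    {"id": 1, "cwe": 89, "path": "/login", "param": "user"},
    {"id": 2, "cwe": 79, "path": "/search", "param": "q"},
]

# One regex per vulnerability class. Double quotes are avoided because the
# pattern is embedded in a double-quoted ModSecurity operator argument.
CWE_PATTERNS = {
    89: r"(?i)('\s*(or|and)\s+|union\s+select|;\s*drop\s+table|--\s*$)",
    79: r"(?i)(<script|javascript:|on\w+\s*=)",
}
RULE_ID_BASE = 900000  # assumed private id range; pick one that does not collide with your rule set


def virtual_patch(finding):
    """Return (rule text, rule id). The chained rule only fires when the request
    targets the vulnerable path AND the vulnerable parameter carries a payload,
    so the patch does not block the rest of the application."""
    rule_id = RULE_ID_BASE + finding["id"]
    rule = (
        f'SecRule REQUEST_FILENAME "@streq {finding["path"]}" '
        f'"id:{rule_id},phase:2,deny,status:403,log,chain,'
        f'msg:\'Virtual patch for finding {finding["id"]} (CWE-{finding["cwe"]})\'"\n'
        f'    SecRule ARGS:{finding["param"]} "@rx {CWE_PATTERNS[finding["cwe"]]}" '
        f'"t:urlDecodeUni"'
    )
    return rule, rule_id


def payload_matches(cwe, value):
    """Local check of the class pattern against a parameter value, before deploying."""
    return re.search(CWE_PATTERNS[cwe], value) is not None


# Constructed WAF log excerpt in the style of ModSecurity error-log entries; only
# the [id "..."] token is parsed, so the surrounding text is illustrative.
WAF_LOG = """\
[Wed Jun 02 10:00:01 2010] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [id "900001"] [msg "Virtual patch for finding 1 (CWE-89)"] [uri "/login"]
[Wed Jun 02 10:00:07 2010] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [id "900001"] [msg "Virtual patch for finding 1 (CWE-89)"] [uri "/login"]
[Wed Jun 02 10:01:00 2010] [error] [client 198.51.100.9] ModSecurity: Warning. [id "123456"] [msg "Some other rule"] [uri "/"]
"""

ID_TOKEN = re.compile(r'\[id "(\d+)"\]')


def attack_attempts(findings, log_text):
    """Map each finding id to the number of log entries its virtual patch produced.
    Ids outside the generated range belong to other rules and are ignored."""
    by_rule_id = {RULE_ID_BASE + f["id"]: f["id"] for f in findings}
    counts = {f["id"]: 0 for f in findings}
    for rule_id in ID_TOKEN.findall(log_text):
        finding_id = by_rule_id.get(int(rule_id))
        if finding_id is not None:
            counts[finding_id] += 1
    return counts


if __name__ == "__main__":
    for f in FINDINGS:
        print(virtual_patch(f)[0])
    print(attack_attempts(FINDINGS, WAF_LOG))
```

Two caveats a practitioner would want before trusting such a patch: the rule is scoped to one path and one parameter, so a second injection point found later needs its own rule, and a narrow payload regex is a stop-gap that buys time for the code fix rather than a replacement for it. The per-finding id is what makes the log import useful, since it ties every blocked request back to the specific vulnerability record the development team is working on.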
Defect Tracking Integration
• Group vulnerabilities and send them to software development teams as defects
• Track defect status over time
Maturity Evaluation
• Evaluate application team practices via maturity models such as OpenSAMM
• Track practices over time
Demonstration
Current Status
• “Technology Preview” release in January 2010
– Demonstrates underlying concepts
– Supports many major technologies
• Not yet recommended for production use
Future Plans
• Under active development heading toward 1.0alpha release
• Starting to see interest in customer-sponsored development
• Support for additional technologies – scanners, IDS/IPS/WAF, defect trackers
• Metrics, reporting and visualization
So where do you go from here?
What you can do now!
• Conduct a mini-OpenSAMM assessment to understand your current state of application vulnerability management
• Capture a post-scan workflow to better understand how application vulnerabilities cycle through the remediation process
• Measure how long your most serious app vulnerabilities persist in your production environment
• Analyze your static, dynamic, and manual results to understand where there is overlap and where there are coverage gaps
• Understand how application vulnerabilities are consumed by development teams
– Understand what issue tracker they use
– Understand how vulns are represented and dealt with by devs
Contact Information
Bryan Beverly
Denim Group
(210) 572-4400
www.denimgroup.com
blog.denimgroup.com
vulnerabilitymanager.denimgroup.com