AppSec USA 2014
Denver, Colorado
Building Your Application Security Data Hub
The Imperative for Structured Vulnerability Information
This presentation contains information about DHS-funded research:
Topic Number: H-SB013.1-002 - Hybrid Analysis Mapping (HAM)
Proposal Number: HSHQDC-13-R-00009-H-SB013.1-002-0003-I
Biography
Dan Cornell (pictured with a respectable haircut, a nice shirt, and a coat)
• Founder and CTO of Denim Group
• Software developer by background (Java, .NET, etc.)
• OWASP San Antonio
So You Want To Run an AppSec Program?
Agenda
• Application Security Challenges
– Spans Multiple Disciplines
– Comparatively New
– Scale of the Problem
• Application Security Data Hub
– Sources, Sinks, Flows
• Program Metrics and Tracking
Spans Multiple Disciplines
• Information Security
– Application Security
• Audit and Compliance
• Risk Management
• (Oh, Almost Forgot: Software Development)
• (And . . . Software Development Is Where Most of the Magic Has to Happen)
Comparatively New Discipline
• Physical Security: Old
• Information Security: Kinda New
• Application Security: Really New
• New Discipline Means Immature Metrics
– Don’t know how to talk about the problem
• New Discipline Means New Tools
– No standards for interaction
Scale of the Problem
• “Legacy” Lines of Code
• Quantity of Applications
• Dearth of Qualified Professionals
We Have a Huge Multidisciplinary Problem
In An Area We Can’t Properly Characterize
Where We’re Horribly Outnumbered
So . . .
What to Do About It?
• Gather Data
• Communicate to Stakeholders
• Automate the Heck Out of Whatever Possible
• Repeat
So What Does This Look Like?
Application Security Data Hub
• Sources, Sinks and Flows
• Vulnerability Data
• Detection/Prevention Sensors
• Developer Tools
• Risk Management
Automation
Open Source App Security Data Hub
ThreadFix
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
• GitHub Site: github.com/denimgroup/threadfix
Supported Technologies
List of Supported Tools / Technologies:
• Dynamic Scanners: Acunetix, Arachni, Burp Suite, HP WebInspect, IBM Security AppScan Standard, IBM Security AppScan Enterprise, Mavituna Security Netsparker, NTO Spider, OWASP Zed Attack Proxy, Tenable Nessus, Skipfish, w3af
• Static Scanners: FindBugs, IBM Security AppScan Source, HP Fortify SCA, Microsoft CAT.NET, Brakeman
• SaaS Testing Platforms: WhiteHat, Veracode, QualysGuard WAS
• IDS/IPS and WAF: DenyAll, F5, Imperva, Mod_Security, Snort
• Defect Trackers: Atlassian JIRA, Microsoft Team Foundation Server, Mozilla Bugzilla
• Known Vulnerable Component Scanner: Dependency Check
Supported Technologies
Vulnerability Management
• Vulnerability Detection
• Vulnerability Mitigation
• Vulnerability Remediation
Vulnerability Detection
(Diagram: detection sources feeding the Data Hub)
• Automated: SAST, DAST, IAST, Known Vulnerable Component
• Manual: Threat Modeling, Code Review, Penetration Testing
• Data Hub
What is a Unique Vulnerability?
• (CWE, Relative URL)
– Predictable resource location
– Directory listing misconfiguration
• (CWE, Relative URL, Injection Point)
– SQL injection
– Cross-site Scripting (XSS)
• Injection points
– Parameters – GET/POST
– Cookies
– Other headers
Why Common Weakness Enumeration?
• Every tool has its own “spin” on naming vulnerabilities
• OWASP Top 10 / WASC 24 are helpful but not comprehensive
• CWE is exhaustive (though a bit sprawling at times)
• Reasonably well-adopted standard
• Many tools have mappings to CWE for their results
• Main site: http://cwe.mitre.org/
Fill ThreadFix Up With Vulnerability Data
• Manual file upload
• REST API
– https://github.com/denimgroup/threadfix/wiki/Threadfix-REST-Interface
• Command Line Interface (CLI)
– https://github.com/denimgroup/threadfix/wiki/Command-Line-Interface
– JAR can also be used as a Java REST client library
• Jenkins plugin
– Contributed from the ThreadFix community (yeah!)
– https://github.com/automationdomination/threadfix-plugin
What Does ThreadFix Do With Scan Results?
• Diff against previous scans with same technology
– What vulnerabilities are new?
– What vulnerabilities went away?
– What vulnerabilities resurfaced?
• Findings marked as false positive are remembered across scans
– Hopefully saving analyst time
• Normalize and merge with other scanners’ findings
– SAST to SAST
– DAST to DAST
– SAST to DAST via Hybrid Analysis Mapping (HAM)
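The three ideas on the "unique vulnerability", CWE and scan-results slides fit together as one small pipeline: map each scanner's native finding name onto a CWE, build the identity key (CWE, relative URL, injection point) so findings from different scanners collapse onto one vulnerability, then classify the current scan against the previous one as new, resolved or resurfaced while dropping anything an analyst already marked false positive. The Python below is an added example written for this transcript; it is not code from the deck or from ThreadFix. The scanner names, their finding titles and the sample scan results are constructed; the CWE ids are real.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Per-scanner "native name" -> CWE id tables. The scanner names and their
# finding titles are constructed for this example; the CWE ids are real.
SCANNER_CWE_MAP: Dict[str, Dict[str, int]] = {
    "scannerA": {"Cross Site Scripting (Reflected)": 79,
                 "SQL Injection": 89,
                 "Directory Listing": 548},
    "scannerB": {"XSS": 79, "SQLi": 89, "Directory Browsing": 548},
}

# CWEs whose identity includes the injection point (the slide's second group).
INJECTION_SCOPED_CWES = {79, 89}

# Identity of a unique vulnerability: (CWE, relative URL, injection point).
VulnKey = Tuple[int, str, str]


@dataclass(frozen=True)
class Finding:
    scanner: str
    native_name: str
    url: str
    parameter: str = ""      # empty when the finding has no injection point
    severity: str = "Medium"


def normalize(f: Finding) -> VulnKey:
    """Map a scanner-specific finding onto the shared (CWE, path, point) key."""
    cwe = SCANNER_CWE_MAP[f.scanner][f.native_name]
    path = urlparse(f.url).path or "/"          # relative URL, query dropped
    point = f.parameter if cwe in INJECTION_SCOPED_CWES else ""
    return (cwe, path, point)


def merge(findings: List[Finding]) -> Dict[VulnKey, List[Finding]]:
    """Collapse findings from any number of scanners onto unique vulnerabilities."""
    merged: Dict[VulnKey, List[Finding]] = {}
    for f in findings:
        merged.setdefault(normalize(f), []).append(f)
    return merged


@dataclass
class ScanDiff:
    new: Set[VulnKey]
    resolved: Set[VulnKey]
    resurfaced: Set[VulnKey]
    still_open: Set[VulnKey]


def diff_scans(prev_open: Set[VulnKey], prev_closed: Set[VulnKey],
               current: Set[VulnKey], false_positives: Set[VulnKey]) -> ScanDiff:
    """Classify the current scan's vulnerabilities against the last one.

    Keys marked false positive by an analyst are dropped before comparison,
    so they are neither reported as new nor as resolved on later scans.
    """
    cur = current - false_positives
    prev = prev_open - false_positives
    return ScanDiff(
        new=cur - prev - prev_closed,
        resolved=prev - cur,
        resurfaced=cur & prev_closed,
        still_open=cur & prev,
    )


# Constructed sample: two scanners run against the same application.
SCAN_A = [
    Finding("scannerA", "Cross Site Scripting (Reflected)", "http://app.example/search?q=", "q"),
    Finding("scannerA", "SQL Injection", "http://app.example/login", "user", "High"),
    Finding("scannerA", "Directory Listing", "http://app.example/images/"),
]
SCAN_B = [
    Finding("scannerB", "XSS", "http://app.example/search?q=x", "q"),
    Finding("scannerB", "SQLi", "http://app.example/login", "pass", "High"),
    Finding("scannerB", "Directory Browsing", "http://app.example/images/?C=N"),
    Finding("scannerB", "XSS", "http://app.example/profile", "name"),
]

# Constructed state carried over from the previous scan and analyst triage.
PREV_OPEN = {(79, "/search", "q"), (89, "/login", "user"), (22, "/download", "file")}
PREV_CLOSED = {(89, "/login", "pass")}
FALSE_POSITIVES = {(548, "/images/", "")}   # directory listing judged intentional


def merged_sample() -> Dict[VulnKey, List[Finding]]:
    return merge(SCAN_A + SCAN_B)


def diff_sample() -> ScanDiff:
    return diff_scans(PREV_OPEN, PREV_CLOSED, set(merged_sample()), FALSE_POSITIVES)


if __name__ == "__main__":
    for key, hits in merged_sample().items():
        print(key, "reported by", sorted({h.scanner for h in hits}))
    print(diff_sample())
```

Seven raw findings become five unique vulnerabilities (the reflected XSS on /search and the directory listing are each reported by both scanners), and the diff reports one new, one resolved and one resurfaced vulnerability. Anything reported under a key that is in the false-positive set never reaches the diff, which is what makes the analyst's earlier decision stick across scans.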
Demo: Vulnerability Merge
Hybrid Analysis Mapping (HAM)
• Initial research funded by the US Department of Homeland Security (DHS) Science and Technology (S&T) Directorate via a Phase 1 and (now) Phase 2 Small Business Innovation Research (SBIR) contract
– Acronyms!
• Initial goal: SAST to DAST merging
• Results: That, plus other stuff
Demo: Merging Static and Dynamic Scanner Results
Merging Static and Dynamic Results Is Cool
…But I want more
• Problem: Many DAST scanners handle applications with RESTful URLs poorly
• Problem: Many applications have “hidden” landing pages and parameters that will not be found by standard crawling
• Problem: DAST scanner results can be hard for developers to act on
• What else can we do with this attack surface model / database?
– Clean up scanner results
– Enumerate application attack surface
– Map dynamic results to specific lines of code
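The first "problem" above is the one a route-aware attack surface model fixes most directly: a crawler that visits /users/17 and /users/42 reports the same flaw twice because it cannot see that both hit one handler. Given the route templates the application's code declares, each concrete path can be folded back onto its template before the identity key is built. The Python below is an added example for this transcript, not the deck's or ThreadFix's own code (how HAM actually extracts routes is not described here); the route list and the scanner output are constructed.

```python
import re
from typing import Dict, List, Tuple

# Route templates the attack-surface model would know from the application's
# own code (constructed for this example; "{...}" marks a path variable).
ROUTES = ["/users/{id}", "/users/{id}/orders/{orderId}", "/users/new", "/search"]


def route_regex(route: str) -> "re.Pattern[str]":
    """Turn "/users/{id}" into a regex that matches "/users/42" but not "/users"."""
    parts = []
    for seg in route.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append(r"[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "/?$")


def literal_segments(route: str) -> int:
    return sum(1 for seg in route.strip("/").split("/") if not seg.startswith("{"))


def match_route(path: str, routes: List[str] = ROUTES) -> str:
    """Return the most specific route template matching a concrete path.

    A path that matches no known route is returned unchanged so the finding is
    still kept, just not collapsed with anything.
    """
    candidates = [r for r in routes if route_regex(r).match(path)]
    if not candidates:
        return path
    # "/users/new" beats "/users/{id}" because it has more literal segments.
    return max(candidates, key=literal_segments)


# A scanner finding reduced to its identity: (CWE, concrete path, parameter).
RawFinding = Tuple[int, str, str]


def dedupe(findings: List[RawFinding], routes: List[str] = ROUTES) -> Dict[RawFinding, List[str]]:
    """Group findings by (CWE, route template, parameter); values are the raw paths seen."""
    groups: Dict[RawFinding, List[str]] = {}
    for cwe, path, param in findings:
        key = (cwe, match_route(path, routes), param)
        groups.setdefault(key, []).append(path)
    return groups


# Constructed scanner output against the routes above: the crawler visited
# several concrete user ids, so the same XSS is reported once per id.
SAMPLE_FINDINGS: List[RawFinding] = [
    (79, "/users/17", "name"),
    (79, "/users/42", "name"),
    (79, "/users/42/orders/9", "note"),
    (79, "/users/new", "name"),
    (89, "/search", "q"),
    (79, "/users/17/", "name"),
]


def dedupe_sample() -> Dict[RawFinding, List[str]]:
    return dedupe(SAMPLE_FINDINGS)


if __name__ == "__main__":
    for key, raw in dedupe_sample().items():
        print(key, "<-", raw)
```

Six raw findings collapse to four unique vulnerabilities, and each merged key keeps the concrete paths it absorbed so an analyst can still see what the scanner actually hit. The most-literal-segments rule matters for static routes that shadow a variable one (/users/new versus /users/{id}); without it the two would be merged and a fix in one handler would wrongly close the other.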
Demo: De-Duplicate Dynamic RESTful Scanner Results
Demo: Application Attack Surface (CLI)
Demo: Seed Scanner with Attack Surface
Vulnerability Mitigation
(Diagram: Data Hub feeding a WAF/IDS/IPS Sensor)
Demo: Generating Virtual Patches
Demo: Importing Sensor Logs
Vulnerability Remediation
Security Approaching Development Teams…
• PDFs
• Excel spreadsheets
• “Log into this new system”
Vulnerability Remediation
An Alternate Approach
• Help ‘em Out
• Take Advantage of the Tools and Processes They Are Already Using
Vulnerability Remediation
(Diagram: Data Hub feeding Application Lifecycle Management and the Integrated Development Environment)
This is also called “bug tracking” by less-fancy people
Mapping Vulnerabilities to Defects
• 1:1 mapping is (usually) a horrible idea
– 500 XSS turned into 500 defects?
– If it takes longer to administer the bug than it does to fix the code…
• Cluster like vulnerabilities
– Using the same libraries / functions
– Cut-and-paste remediation code
– Be careful about context-specific encoding
• Combine by severity
– Especially if they are cause for an out-of-cycle release
• Which developer “owns” the code?
37
Defect Tracker Integration
• Bundle multiple vulnerabilities into a defect
– Using standard filtering criteria
• ThreadFix periodically updates defect status from the tracker
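The bundling rules from the previous two slides (no 1:1 filing, cluster like vulnerabilities, split out by severity when an out-of-cycle release is likely, route by code owner) can be written down as one grouping function. The Python below is an added example for this transcript and is not the deck's or ThreadFix's defect-tracker code; the ownership map, severity scale and findings are constructed, and the exact filtering criteria ThreadFix uses are not given on the slides.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Path prefix -> owning team, the way a CODEOWNERS-style map would be kept.
# Constructed for this example.
OWNERS = {"src/web/": "team-web", "src/api/": "team-api"}


@dataclass(frozen=True)
class Vuln:
    id: int
    cwe: int
    file: str
    severity: str


def owner_for(path: str) -> str:
    """Longest matching prefix wins, so nested directories can be reassigned."""
    for prefix in sorted(OWNERS, key=len, reverse=True):
        if path.startswith(prefix):
            return OWNERS[prefix]
    return "unassigned"


DefectKey = Tuple[str, int, str, str]   # (track, cwe, scope, owner)


def bundle(vulns: List[Vuln], min_severity: str = "Medium",
           hotfix_severity: str = "Critical") -> Dict[DefectKey, List[int]]:
    """Group vulnerabilities into defects instead of filing one per finding.

    - Below min_severity: not filed at all (tracked in the hub, not the tracker).
    - At or above hotfix_severity: one defect per (CWE, file) so it can ship
      in an out-of-cycle release without dragging other fixes along.
    - Otherwise: one defect per (CWE, owning team), since like vulnerabilities
      in the same team's code usually share a fix (same helper, same encoder).
    """
    defects: Dict[DefectKey, List[int]] = {}
    for v in vulns:
        rank = SEVERITY_RANK[v.severity]
        if rank < SEVERITY_RANK[min_severity]:
            continue
        owner = owner_for(v.file)
        if rank >= SEVERITY_RANK[hotfix_severity]:
            key = ("hotfix", v.cwe, v.file, owner)
        else:
            key = ("release", v.cwe, "*", owner)
        defects.setdefault(key, []).append(v.id)
    return defects


def describe(key: DefectKey, ids: List[int], vulns: List[Vuln]) -> str:
    """Render a defect title a developer can act on."""
    track, cwe, scope, owner = key
    files = sorted({v.file for v in vulns if v.id in ids})
    return f"[{track}] CWE-{cwe} x{len(ids)} for {owner} in {', '.join(files)}"


# Constructed findings: a pile of XSS in web code, one critical SQLi, one low.
SAMPLE_VULNS = [
    Vuln(1, 79, "src/web/search.py", "Medium"),
    Vuln(2, 79, "src/web/search.py", "Medium"),
    Vuln(3, 79, "src/web/profile.py", "High"),
    Vuln(4, 79, "src/api/users.py", "Medium"),
    Vuln(5, 89, "src/api/login.py", "Critical"),
    Vuln(6, 200, "src/web/debug.py", "Low"),
]


def bundle_sample() -> Dict[DefectKey, List[int]]:
    return bundle(SAMPLE_VULNS)


if __name__ == "__main__":
    for key, ids in bundle_sample().items():
        print(describe(key, ids, SAMPLE_VULNS))
```

Six findings become three defects: one release-track XSS bundle per owning team and one hotfix for the critical SQL injection, with the low-severity finding left in the hub rather than the tracker. The "be careful about context-specific encoding" caveat is why the cluster key is the team rather than the file: the same CWE in two files of one team may still need different encoders, and the bundle's description lists every file so the developer sees that.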
Demo: Defect Tracker Integration
IDE Plug-Ins
• Import vulnerability data to integrated development environments (IDEs)
• Static (SAST) scanners
– Easy
• Dynamic (DAST) scanners
– Possible using Hybrid Analysis Mapping (HAM)
Demo: Mapping Vulnerabilities in IDE
Risk Management
• Nobody Likes Uncertainty
• Measurement Is Key
Risk Management
(Diagram: Data Hub feeding GRC)
Vulnerability Filtering
• Filter vulnerability data
– Scanner, scanner count
– Vulnerability type
– Path, parameter
– Severity
– Status
– Aging
• Save filters for future use
Demo: Vulnerability Filtering
Reporting
• Trending
• Progress by Vulnerability
– For program benchmarking
• Portfolio Report
– For resource prioritization
• Comparison
– For scanner/technology benchmarking
What to Look For?
Metrics That Can Help
• Vulnerability Prevalence
• Vulnerability Resolution Rate
• Mean Time To Fix (MTTF)
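The three metrics named above, together with the saved-filter criteria from the "Vulnerability Filtering" slide (severity, status, aging), can all be computed from one record per vulnerability carrying its application, CWE, severity and open/close dates. The Python below is an added example for this transcript, not the deck's or ThreadFix's reporting code; the definitions of prevalence (share of applications affected per CWE), resolution rate (closed over everything found) and MTTF (mean days from open to close, per severity) are the ones this example assumes, since the slide names the metrics without defining them, and the portfolio data is constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass(frozen=True)
class VulnRecord:
    app: str
    cwe: int
    severity: str
    opened: date
    closed: Optional[date] = None   # None while the vulnerability is open

    def is_open(self) -> bool:
        return self.closed is None

    def age_days(self, today: date) -> int:
        return ((self.closed or today) - self.opened).days


def apply_filter(records: List[VulnRecord], flt: Dict, today: date) -> List[VulnRecord]:
    """Apply a saved filter; keys mirror the slide's criteria and are all optional."""
    out = []
    for r in records:
        if "cwe" in flt and r.cwe not in flt["cwe"]:
            continue
        if "min_severity" in flt and SEVERITY_RANK[r.severity] < SEVERITY_RANK[flt["min_severity"]]:
            continue
        if "status" in flt and (r.is_open() != (flt["status"] == "open")):
            continue
        if "min_age_days" in flt and r.age_days(today) < flt["min_age_days"]:
            continue
        out.append(r)
    return out


def prevalence(records: List[VulnRecord]) -> Dict[int, float]:
    """Share of applications in the portfolio with at least one finding of each CWE."""
    apps = {r.app for r in records}
    hit: Dict[int, set] = {}
    for r in records:
        hit.setdefault(r.cwe, set()).add(r.app)
    return {cwe: len(a) / len(apps) for cwe, a in hit.items()}


def resolution_rate(records: List[VulnRecord]) -> float:
    """Fraction of everything ever found that has been closed."""
    return sum(1 for r in records if not r.is_open()) / len(records)


def mean_time_to_fix(records: List[VulnRecord]) -> Dict[str, float]:
    """MTTF in days, per severity plus an overall figure, over closed records only."""
    buckets: Dict[str, List[int]] = {}
    for r in records:
        if r.is_open():
            continue
        days = (r.closed - r.opened).days
        buckets.setdefault(r.severity, []).append(days)
        buckets.setdefault("all", []).append(days)
    return {sev: sum(d) / len(d) for sev, d in buckets.items()}


# Constructed portfolio: three applications, five findings, "today" pinned.
TODAY = date(2014, 6, 1)
SAMPLE = [
    VulnRecord("A", 79, "High", date(2014, 1, 10), date(2014, 1, 20)),
    VulnRecord("A", 89, "Critical", date(2014, 2, 1), date(2014, 2, 5)),
    VulnRecord("B", 79, "Medium", date(2014, 3, 1)),
    VulnRecord("B", 79, "Medium", date(2014, 3, 1), date(2014, 3, 31)),
    VulnRecord("C", 22, "High", date(2014, 4, 15)),
]
# A saved filter: open, High or worse, sitting for 30+ days.
STALE_HIGHS = {"status": "open", "min_severity": "High", "min_age_days": 30}


def report() -> Dict[str, object]:
    return {
        "prevalence": prevalence(SAMPLE),
        "resolution_rate": resolution_rate(SAMPLE),
        "mttf": mean_time_to_fix(SAMPLE),
        "stale_highs": apply_filter(SAMPLE, STALE_HIGHS, TODAY),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(name, value)
```

On the sample, XSS (CWE-79) shows up in two of three applications, three of five findings are closed, and the overall MTTF is 44/3 days while the per-severity figures show the critical finding closed fastest. MTTF is computed over closed records only, so a long-open finding does not drag it; that is exactly why the aging filter is kept alongside it, since the stale open High in application C would otherwise be invisible in the average.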
Demo: Reporting
So What Have We Covered?
• Application Security Is Hard
– Lots of people and systems involved
• Data Trumps FUD
• Automation Is Critical
ThreadFix Links
• Main ThreadFix website: www.threadfix.org
– General information, downloads
• ThreadFix GitHub site: github.com/denimgroup/threadfix
– Code, issue tracking
• ThreadFix GitHub wiki: https://github.com/denimgroup/threadfix/wiki
– Project documentation
• ThreadFix Google Group: https://groups.google.com/forum/?fromgroups#!forum/threadfix
– Community support, general discussion