![Page 1: Code&Cannoli - 150113 - Feeling Vulnerable is Good! - v.1.1](https://reader031.vdocuments.us/reader031/viewer/2022030212/589ff5e21a28ab46598b5765/html5/thumbnails/1.jpg)
Code & Cannoli < Security >
13th January 2016 @DevMob
#CodeCannoli
Code & Cannoli < Security >
17:30 - 18:15 Drinks, pasta & cannoli
18:15 - 19:00 Fabrizio Cilli: "Vulnerability: Assessing and Managing – A dive into the unexpected weaknesses"
19:00 - 20:00 Jacco van Tuijl: "Penetration Testing Process" - part 1
20:00 - 20:15 Break
20:15 - 21:15 Jacco van Tuijl: "Penetration Testing Process" - part 2
21:15 Drinks
@DevMob #CodeCannoli
Vulnerability: Assessing & Managing
Assessing the exposures won't close the circle
Vulnerable
A vulnerability is a weakness in an asset or group of assets. An asset's weakness could allow it to be exploited and harmed by one or more threat vectors.
In the cyclic ticker of a PDCA wheel, Assessing is a phase we can execute at will. Managing its results is an endeavour that impacts Governance and IT Operations and adds workload.
Surface and Core
We expose our business to external (Surface) attackers and internal (Core) malicious users. The Attack Vectors are a myriad, from network to hosts, and to their virtual counterparts.
The concept of Attack Vector is vital when it comes to evaluating the gravity of the vulnerabilities we are assessing in our environment, and the best way to understand it is by breaking down the CVSS score of a found vulnerability!
CVSS Access Vector
BaseScore = round_to_1_decimal(((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact))
Impact = 10.41 * (1 - (1 - ConfImpact) * (1 - IntegImpact) * (1 - AvailImpact))
Exploitability = 20 * AccessVector * AccessComplexity * Authentication
f(Impact) = 0 if Impact = 0, 1.176 otherwise
AccessVector = case AccessVector of
    requires local access: 0.395
    adjacent network accessible: 0.646
    network accessible: 1.0
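The base-score formula above, worked through in Python as an added example (not code from the slides). The AccessVector weights are the ones on the slide; the AccessComplexity, Authentication and impact weights and the "AV:N/AC:L/Au:N/C:C/I:C/A:C" vector format are the standard CVSS v2 ones, which the slide does not list and are assumed here.

```python
# CVSS v2 base-score calculator (added example, not from the slides).
# ACCESS_VECTOR weights come from the slide; the other tables are the
# CVSS v2 specification values (assumption: the slide only shows AV).

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}   # local / adjacent / network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}  # multiple / single / none
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}           # none / partial / complete


def parse_vector(vector):
    """Parse a CVSS v2 vector such as 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into a dict."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    missing = {"AV", "AC", "Au", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError("missing metrics: %s" % sorted(missing))
    return metrics


def base_score(vector):
    """Compute the CVSS v2 base score exactly as the slide's formula states it."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    if impact == 0:  # f(Impact) = 0: a finding with no impact scores 0.0
        return 0.0
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176, 1)


def access_vector_comparison(rest="AC:L/Au:N/C:C/I:C/A:C"):
    """Score the same weakness under each access vector, which is the slide's
    point: reachability alone moves a full-impact finding from 7.2 to 10.0."""
    return {av: base_score("AV:%s/%s" % (av, rest)) for av in ("L", "A", "N")}


if __name__ == "__main__":
    for av, score in access_vector_comparison().items():
        print("AV:%s -> %.1f" % (av, score))
```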
Attack Surface
Cyclic checks
The best exercise to achieve a "capable" response mechanism when a 0-Day happens to be announced into the wild is to have your test cycle in line with your asset base.
The limit in security operations is completeness: nothing can be measured as absolute, given the changing environment IT OPS manage. To react to emerging threats, identification and sanitization need to be fast and precise.
Tools or Subscriptions?
A sound vulnerability management program does not cost in itself because of its technology requirements; it costs because it is part of a GRC program, one step towards smart governance and maintaining regulatory compliance.
Cyclic checks, synced with an asset manager, not only require IT Operations to be fast reacting, but also require the Assessment results (or reports) to be intelligently filtered and analysed against threat intel and frequently updated feeds.
Integrating Testing and Assessment
Security Programme: this unknown. Well, not 100% unknown: we know we should commit to long-term integration between periodic (application and infrastructure) tests and cyclic vulnerability assessments, but what is lacking is achieving it and maintaining that commitment.
Everything in IT is most probably identifiable as a SYSTEM, with an INPUT, a TRANSFORMATION and an OUTPUT. Penetration Testing is a fundamental input to the Vulnerability Management Process, and together these can boost your Threat Response (and ROI).
Static analysis and Dynamic testing
Another element of a sound Vulnerability Management Process, especially in Enterprise environments, lies in the certainty of a qualitative analysis of algorithms before moving application architectures to the production environment.
Let me say that unsafe or lazy coding habits most likely end up writing 0-Days instead of saving you from them. Weak code will facilitate access to back-ends and data, and impair your vulnerability management program by adding what we call future Zero Days.
Weakness, Awareness, Security Program Integration, Achievement
Get the most, stay safe!
Combining the following actions we DO get the most, with a measurable return on our security programme investment.
Security Programme Investment Wheel
(chart: investment from 0% to 100% across the stages Weakness, Awareness, Security Program Integration, Achievement)
Weakness to Achievement: Insecurity ROI

START - Investment Returns - Effects:
0%   Open Attack Surface
5%   Increasing Awareness
15%  Plans and deployments
25%  Enabling interchange
30%  Achieving returns

Exposure Factor - Effects:
99%  Easily violated by any vector
85%  Understanding attack surface
75%  Reducing exposure by means of special tools
50%  Integrating diverse tools to achieve intelligence
25%  Only 0-Days and unknown threats can hurt
A practical case study.
What happens when.
The Battleship Yamato!
The Battleship Yamato!
…oops… that's the !
…ehm… let's get back to !
The Battleship Yamato
The Battleship Yamato
Assessing:
While in home waters after the winter 1944-1945 refitting (more anti-aircraft weapons), she was spotted and attacked by U.S. Navy carrier planes in March 1945. She escaped with light damage, but her vulnerability against the swarming American aircraft was now clear. […]
The Battleship Yamato
Q1: By looking at the battleship's architecture and defences, what do you assess makes the Battleship "vulnerable", in your opinion?
The Battleship Yamato
Exploit:
[…] At 1220 on 7 Apr 1945, while still some 270 miles north of Okinawa, after being tracked by American reconnaissance aircraft and submarines almost the entire way, Yamato was attacked by waves and waves of American carrier planes. […]
The Battleship Yamato
Q2: By what attack vector could the vulnerability have been exploited?
The Battleship Yamato
Pwnage:
[…] After an agonizing two hours, the largest battleship in the world sank as the list reached nearly 90 degrees. […]
The Battleship Yamato
Q3: To adapt to the upcoming pwnage, what do you think it was possible to do on-the-fly? …or maybe after the inevitable happened?
The Battleship Yamato
Zero-Day:
[…] She then exploded twice underwater; the cause of the explosion was likely the shells from the primary and secondary magazines falling off their shelves and detonating their fuses against the overhead. […]
The Battleship Yamato
Q4: What do you think was the reason for all the opponent's forces to concentrate a huge set of resources against this single target?
The Battleship Yamato
Loss:
Only 269 men survived the sinking of the super battleship (out of 2750 on the original crew list).
Resilient
Definition and Substantial meaning
OPEN TALK SESSION: RSAYON TOPIC!
Few topics for you to Join the Talk [Before the third beer :)]!
Assessment
RSAYON…
…
Code Security
RSAYON…
…
Code Security
RSAYON… OWASP ASVS v.3.0
Disclosure
RSAYON…
…
Going home by Train?
RSAYON… http://trainwatch.u0d.de/
Thanks for your time!
We hope our message in a bottle left the shores!
Send your feedback with the reference #CODECANNOLI on our Social Channels! To get in touch, use @DEVMOB instead!