Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
About Me
• Dan Cornell
• Founder and CTO of Denim Group
• Software developer by background (Java, .NET, etc.)
• OWASP San Antonio
• 15 years experience in software architecture, development and security
Who Has Purchased an Automated Scanner?
• Static or Dynamic? (Or Both?)
• Desktop, Enterprise or Cloud – (Or All the Above?)
Who Here Is Happy With Their Scanner?
• Yes
• No
• Kind Of
• Not Sure
Why or Why Not?
Successful Software Security Programs
• Common Goal – Reduce Risk by…
• Reliably Creating Acceptably Secure Software
• Obligatory “People, Process, Technology” Reference – Anybody got a good Sun Tzu quote? – I’d settle for a von Clausewitz… – Or perhaps we need to look at Dalai Lama quotes (topic for a different day)
• Common Activities – Implementation must be tied to the specific organization
What Part Does Scanning Play?
• OpenSAMM - Automated scanning is part of both the “Security Testing” and “Code Review” Security Practices within the Verification Business Function – Dynamic scanning and static scanning, respectively
• Common starting point for many organizations embarking on software security programs – There are lots of commercial and freely available products that can be used in support of this activity
RED FLAG: Q: What are you doing for software security? A: We bought [Vendor Scanner XYZ]
*** BEWARE FOSTERING A CHECKBOX CULTURE ***
Scanning Program: Anti-Patterns
• “Dude With a Scanner” approach – Can also be implemented as the “lady with a scanner” approach
• “SaaS and Forget” approach
Scanner Program Metrics
• Breadth
• Depth
• Frequency
Is Your Scanner Missing Something?
• Breadth “Misses” – Inadequate application portfolio – Applications not being scanned
• Depth “Misses” – Ineffective crawling ignores application attack surface – False negatives resulting in ignorance of legitimate vulnerabilities – Excessive false positives causing results to be ignored
• Frequency “Misses” – Applications not being scanned often enough
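The three program metrics (breadth, depth, frequency) and the corresponding “misses” can be computed from nothing more than an application inventory plus the metadata every scan already produces. The following is an added example, not code from the slides or from Denim Group: the portfolio, the scan records, the policy windows (30/90/180/365 days by criticality) and the 60% crawl-coverage threshold are all constructed for illustration.

```python
"""Breadth, depth and frequency checks over an application portfolio.

Added example (not from the slides or from Denim Group). The portfolio,
scan records, policy windows and crawl-coverage threshold are all
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Frequency policy: maximum age in days of the newest scan, by criticality.
# Hypothetical values; a real program sets these per organization.
MAX_SCAN_AGE_DAYS = {"critical": 30, "high": 90, "medium": 180, "low": 365}

# Depth policy: if the crawler reached less than this fraction of the
# endpoints known from code or a sitemap, the scan never saw most of the
# attack surface and a "clean" result means little.
MIN_CRAWL_COVERAGE = 0.6


@dataclass
class Scan:
    scanned_on: date
    authenticated: bool      # did the scanner have working credentials?
    crawled_endpoints: int   # distinct URLs the scanner actually exercised
    findings: int


@dataclass
class Application:
    name: str
    criticality: str
    known_endpoints: int     # routes known independently of the scanner
    scans: List[Scan] = field(default_factory=list)


def newest_scan(app: Application) -> Optional[Scan]:
    return max(app.scans, key=lambda s: s.scanned_on) if app.scans else None


def breadth_misses(portfolio):
    """Applications in the inventory that have never been scanned."""
    return [app.name for app in portfolio if not app.scans]


def frequency_misses(portfolio, today):
    """(name, age_in_days) for apps whose newest scan is older than policy."""
    late = []
    for app in portfolio:
        newest = newest_scan(app)
        if newest is None:
            continue  # never scanned: a breadth miss, reported separately
        age = (today - newest.scanned_on).days
        if age > MAX_SCAN_AGE_DAYS[app.criticality]:
            late.append((app.name, age))
    return late


def depth_misses(portfolio):
    """(name, reasons) for apps whose newest scan did not reach the attack surface.

    Two depth problems are visible from scan metadata alone: the crawler
    covered too few known endpoints, or the scan ran unauthenticated so
    nothing behind the login was exercised. False negatives and false
    positives in the findings themselves still need a manual scan review.
    """
    shallow = []
    for app in portfolio:
        newest = newest_scan(app)
        if newest is None:
            continue
        coverage = newest.crawled_endpoints / app.known_endpoints if app.known_endpoints else 0.0
        reasons = []
        if coverage < MIN_CRAWL_COVERAGE:
            reasons.append(f"crawled {coverage:.0%} of known endpoints")
        if not newest.authenticated:
            reasons.append("unauthenticated scan only")
        if reasons:
            shallow.append((app.name, reasons))
    return shallow


def coverage_report(portfolio, today):
    scanned = len(portfolio) - len(breadth_misses(portfolio))
    return {
        "breadth_ratio": scanned / len(portfolio) if portfolio else 0.0,
        "breadth_misses": breadth_misses(portfolio),
        "depth_misses": depth_misses(portfolio),
        "frequency_misses": frequency_misses(portfolio, today),
    }


# Constructed portfolio: three hypothetical applications with dates chosen
# to sit around the AppSecEU 2013 timeframe.
PORTFOLIO = [
    Application("payments-portal", "critical", known_endpoints=120, scans=[
        Scan(date(2013, 4, 2), authenticated=True, crawled_endpoints=110, findings=7),
        Scan(date(2013, 5, 6), authenticated=True, crawled_endpoints=115, findings=4),
    ]),
    Application("hr-intranet", "high", known_endpoints=80, scans=[
        Scan(date(2013, 1, 15), authenticated=False, crawled_endpoints=12, findings=1),
    ]),
    Application("event-microsite", "low", known_endpoints=15),
]
TODAY = date(2013, 5, 20)

if __name__ == "__main__":
    for key, value in coverage_report(PORTFOLIO, TODAY).items():
        print(f"{key}: {value}")
```

On the constructed data the payments portal is fine on all three axes, the HR intranet is a frequency miss (125 days since a scan against a 90-day window) and a depth miss (unauthenticated, 15% of known endpoints crawled), and the event microsite is a breadth miss because it was inventoried but never scanned. The `known_endpoints` figure is the important input: it has to come from somewhere other than the scanner (route tables, a sitemap, a code review), otherwise the crawl-coverage check only compares the scanner with itself.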
Security Testing: Better Patterns
• Breadth-First Scanning – You want a scanning program, not a scanner
• Deep Assessment of Critical Applications – Automated scanning, manual scan review and assessment
• Understand that scanning is a means to an end – Not an end in and of itself – Start of vulnerability management
What Goes Into a Good Scanning Program?
• Solid Understanding of Attack Surface
• Realistic Concept of Scanner Effectiveness
• Disciplined History of Scanning
• Prioritized Testing Efforts
What Is Your Software Attack Surface?
Software You Currently Know About
Why?
• Lots of value flows through it
• Auditors hassle you about it
• Formal SLAs with customers mention it
• Bad guys found it and caused an incident (oops)
What?
• Critical legacy systems
• Notable web applications
Add In the Rest of the Web Applications You Actually Develop and Maintain
Why Did You Miss Them?
• Forgot it was there
• Line of business procured through non-standard channels
• Picked it up through a merger / acquisition
What?
• Line of business applications
• Event-specific applications
Add In the Software You Bought from Somewhere
Why Did You Miss Them?
• Most scanners only really work on web applications, so no vendors pester you about your non-web applications
• Assume the application vendor is handling security
What?
• More line of business applications
• Support applications
• Infrastructure applications
MOBILE! THE CLOUD!
Why Did You Miss Them?
• Any jerk with a credit card and the ability to submit an expense report now runs their own private procurement office
What?
• Support for line of business functions
• Marketing and promotion
Attack Surface: The Security Officer’s Journey
• Two Dimensions: – Perception of Software Attack Surface – Insight into Exposed Assets
• As perception of the problem of attack surface widens, the scope of the problem increases: Web Applications, then Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications
• Discovery activities increase insight
• Over time you end up with a progression
• When you reach this point it is called “enlightenment”
• You won’t reach this point
[Figure: a Perception versus Insight chart built up over several slides. Each application class above is added as perception widens, and discovery activities move each one further along the Insight axis; the final slide shows all five classes at full perception and full insight.]
What Goes Into An Application Test?
[Figure: the diagram splits an application test into progressively finer activities over successive slides]
• An Application Test
– Dynamic Analysis
• Automated Application Scanning – Unauthenticated Automated Scan – Authenticated Automated Scan
• Manual Application Testing – Blind Penetration Testing – Informed Manual Testing
– Static Analysis
• Automated Static Analysis – Automated Source Code Scanning – Automated Binary Analysis
• Manual Static Analysis – Manual Source Code Review – Manual Binary Analysis
Value and Risk Are Not Equally Distributed
• Some Applications Matter More Than Others – Value and character of data being managed – Value of the transactions being processed – Cost of downtime and breaches
• Therefore All Applications Should Not Be Treated the Same – Allocate different levels of resources to assurance – Select different assurance activities – Also must often address compliance and regulatory requirements
Do Not Treat All Applications the Same
• Allocate Different Levels of Resources to Assurance
• Select Different Assurance Activities
• Also Must Often Address Compliance and Regulatory Requirements
The ThreadFix Approach
• Free / Open Source vulnerability management and aggregation platform: – Allows software security teams to reduce the time to remediate software vulnerabilities – Enables managers to speak intelligently about the status / trends of software security within their organization.
• Features/Benefits:
– Imports dynamic, static and manual testing results into a centralized platform
– Removes duplicate findings across testing platforms to provide a prioritized list of security faults
– Eases communication across development, security and QA teams
– Exports prioritized list into defect tracker of choice to streamline software remediation efforts
– Auto generates web application firewall rules to protect data during vulnerability remediation
– Empowers managers with vulnerability trending reports to pinpoint team issues and illustrate application security progress
– Benchmark security practice improvement against industry standards
• Freely available under the Mozilla Public License (MPL) 2.0
• Download available at: www.denimgroup.com/threadfix
• Code available at: https://code.google.com/p/threadfix/
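The two steps that make aggregation useful are the ones the feature list glosses over: findings from different tools only become comparable once each tool’s native label is mapped onto a common weakness id and each tool’s notion of “location” is normalized to the same form. The following is an added illustration of that de-duplication and of the scanner-benchmarking count it enables; it is not ThreadFix’s own code. The scanner names (“dynscan”, “staticscan”, “manual”), their native labels, the CWE mapping table and the findings are all constructed for the example.

```python
"""Cross-scanner de-duplication and scanner benchmarking.

Added example, not ThreadFix's own code. Scanner names ("dynscan",
"staticscan", "manual"), their native vulnerability labels, the CWE mapping
and the findings are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Each tool names the same weakness differently. Mapping native labels onto
# CWE ids is what makes findings comparable across tools. Hypothetical table.
CWE_BY_SCANNER_LABEL = {
    ("dynscan", "SQL Injection"): 89,
    ("dynscan", "Cross-Site Scripting (Reflected)"): 79,
    ("staticscan", "SQLi: Tainted query"): 89,
    ("staticscan", "XSS: Reflected"): 79,
    ("staticscan", "Hardcoded Password"): 259,
    ("manual", "SQL injection"): 89,
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize_path(location):
    """Reduce a URL or handler path to the request path the application routes.

    Dynamic scanners report full URLs (host, mixed case, query string,
    trailing slash); static tools report the handler path. Both collapse to a
    lower-cased path with no query string and no trailing slash.
    """
    path = urlsplit(location).path or location
    path = path.lower().rstrip("/")
    return path or "/"


def finding_key(finding):
    """Identity of a finding independent of which tool reported it."""
    cwe = CWE_BY_SCANNER_LABEL.get((finding["scanner"], finding["label"]))
    if cwe is None:
        # An unmapped label must fail loudly: silently keeping the native
        # label would create a duplicate instead of merging one.
        raise ValueError(f"unmapped label {finding['label']!r} from {finding['scanner']}")
    parameter = (finding.get("parameter") or "").lower()
    return (cwe, normalize_path(finding["location"]), parameter)


def merge_findings(findings):
    """Collapse findings that describe the same weakness at the same place.

    Returns {(cwe, path, parameter): record}; each record carries the set of
    scanners that reported it and the highest severity any of them assigned.
    """
    merged = {}
    for finding in findings:
        key = finding_key(finding)
        record = merged.setdefault(key, {
            "cwe": key[0], "path": key[1], "parameter": key[2],
            "sources": set(), "severity": "low",
        })
        record["sources"].add(finding["scanner"])
        if SEVERITY_RANK[finding["severity"]] > SEVERITY_RANK[record["severity"]]:
            record["severity"] = finding["severity"]
    return merged


def scanner_benchmark(merged):
    """Per scanner: merged vulnerabilities it reported, and how many only it found."""
    found = defaultdict(int)
    only = defaultdict(int)
    for record in merged.values():
        for scanner in record["sources"]:
            found[scanner] += 1
            if len(record["sources"]) == 1:
                only[scanner] += 1
    return {s: {"found": found[s], "only_this_scanner": only[s]} for s in found}


def prioritized(merged):
    """Highest severity first, then findings confirmed by more tools, then path."""
    return sorted(merged.values(),
                  key=lambda r: (-SEVERITY_RANK[r["severity"]], -len(r["sources"]), r["path"]))


# Constructed input: three tools report one SQL injection in three different
# ways, plus one finding unique to each automated tool.
FINDINGS = [
    {"scanner": "dynscan", "label": "SQL Injection", "severity": "high",
     "location": "https://shop.example.test/Account/Login?ReturnUrl=/", "parameter": "username"},
    {"scanner": "staticscan", "label": "SQLi: Tainted query", "severity": "critical",
     "location": "/account/login", "parameter": "Username"},
    {"scanner": "manual", "label": "SQL injection", "severity": "high",
     "location": "https://shop.example.test/account/login/", "parameter": "username"},
    {"scanner": "dynscan", "label": "Cross-Site Scripting (Reflected)", "severity": "medium",
     "location": "https://shop.example.test/search?q=x", "parameter": "q"},
    {"scanner": "staticscan", "label": "Hardcoded Password", "severity": "medium",
     "location": "/config/db", "parameter": None},
]

if __name__ == "__main__":
    merged = merge_findings(FINDINGS)
    for record in prioritized(merged):
        print(record["severity"], "CWE-%d" % record["cwe"], record["path"], sorted(record["sources"]))
    print(scanner_benchmark(merged))
```

Five raw findings collapse to three vulnerabilities: the SQL injection is reported by all three sources and inherits the highest severity any of them gave it, while the reflected XSS and the hard-coded password each have a single source. The per-scanner counts are the raw material for the “Scanner Benchmarking” report: a tool that only ever reports what the others also found adds cost but no coverage. The caveat is the choice of key: (CWE, path, parameter) merges two genuinely distinct sinks behind the same parameter into one record, and splitting those back apart is part of the manual scan review, not something the aggregation can decide on its own.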
ThreadFix Demonstration
• Building Your Application Portfolio
• Storing Scanning Results Over Time
• Reporting – Trending – Vulnerability Remediation Progress – Scanner Benchmarking – Portfolio Status
Steps for Improvement
• Build Your Application Portfolio
• Characterize the Effectiveness of Efforts Made to Date
• Build a Plan for Coverage
• Monitor Progress
Dan Cornell
Principal and CTO
[email protected]
Twitter @danielcornell
+1 (210) 572-4400
www.denimgroup.com
blog.denimgroup.com
Questions?