Transcript
Page 1: Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)

Do You Have a Scanner or a Scanning Program?

Page 2

About Me

• Dan Cornell
• Founder and CTO of Denim Group
• Software developer by background (Java, .NET, etc)
• OWASP San Antonio
• 15 years experience in software architecture, development and security

Page 3

Who Has Purchased an Automated Scanner?

• Static or Dynamic? (Or Both?)
• Desktop, Enterprise or Cloud (Or All the Above?)

Page 4

Who Here Is Happy With Their Scanner?

• Yes
• No
• Kind Of
• Not Sure

Page 5

Why or Why Not?

Page 6

Successful Software Security Programs

• Common Goal: Reduce Risk by…
  – Reliably Creating Acceptably Secure Software
• Obligatory "People, Process, Technology" Reference
  – Anybody got a good Sun Tzu quote?
  – I'd settle for a von Clausewitz…
  – Or perhaps we need to look at Dalai Lama quotes (topic for a different day)
• Common Activities
  – Implementation must be tied to the specific organization

Page 7

What Part Does Scanning Play?

• OpenSAMM: Automated scanning is part of both the "Security Testing" and "Code Review" Security Practices within the Verification Business Function
  – Dynamic scanning and static scanning, respectively
• Common starting point for many organizations embarking on software security programs
  – There are lots of commercial and freely available products that can be used in support of this activity

RED FLAG:
Q: What are you doing for software security?
A: We bought [Vendor Scanner XYZ]

*** BEWARE FOSTERING A CHECKBOX CULTURE ***

Page 8

Scanning Program: Anti-Patterns

• "Dude With a Scanner" approach
  – Can also be implemented as the "lady with a scanner" approach
• "SaaS and Forget" approach

Page 9

Scanner Program Metrics

• Breadth
• Depth
• Frequency

Page 10

Is Your Scanner Missing Something?

• Breadth "Misses"
  – Inadequate application portfolio
  – Applications not being scanned
• Depth "Misses"
  – Ineffective crawling ignores application attack surface
  – False negatives resulting in ignorance of legitimate vulnerabilities
  – Excessive false positives causing results to be ignored
• Frequency "Misses"
  – Applications not being scanned often enough

Page 11

Security Testing: Better Patterns

• Breadth-First Scanning
  – You want a scanning program, not a scanner
• Deep Assessment of Critical Applications
  – Automated scanning, manual scan review and assessment
• Understand that scanning is a means to an end
  – Not an end in and of itself
  – Start of vulnerability management

Page 12

What Goes Into a Good Scanning Program?

• Solid Understanding of Attack Surface
• Realistic Concept of Scanner Effectiveness
• Disciplined History of Scanning
• Prioritized Testing Efforts

Page 13

What Is Your Software Attack Surface?

Software You Currently Know About

Why?
• Lots of value flows through it
• Auditors hassle you about it
• Formal SLAs with customers mention it
• Bad guys found it and caused an incident (oops)

What?
• Critical legacy systems
• Notable web applications

Page 14

What Is Your Software Attack Surface?

Add In the Rest of the Web Applications You Actually Develop and Maintain

Why Did You Miss Them?
• Forgot it was there
• Line of business procured through non-standard channels
• Picked it up through a merger / acquisition

What?
• Line of business applications
• Event-specific applications

Page 15

What Is Your Software Attack Surface?

Add In the Software You Bought from Somewhere

Why Did You Miss Them?
• Most scanners only really work on web applications, so no vendors pester you about your non-web applications
• Assume the application vendor is handling security

What?
• More line of business applications
• Support applications
• Infrastructure applications

Page 16

What Is Your Software Attack Surface?

MOBILE! THE CLOUD!

Why Did You Miss Them?
• Any jerk with a credit card and the ability to submit an expense report now runs their own private procurement office

What?
• Support for line of business functions
• Marketing and promotion

Page 17

Attack Surface: The Security Officer's Journey

• Two Dimensions:
  – Perception of Software Attack Surface
  – Insight into Exposed Assets

[Chart: Perception on one axis, Insight on the other]

Page 18 to 22

Attack Surface: The Security Officer's Journey

• As perception of the problem of attack surface widens, the scope of the problem increases

[Chart, built up across these five slides: Perception vs Insight; the attack surface grows to include Web Applications, then Client-Server Applications, Desktop Applications, Cloud Applications and Services, and Mobile Applications]

Page 23 to 25

Attack Surface: The Security Officer's Journey

• Discovery activities increase insight

[Chart, built up across these three slides: Perception vs Insight; Web Applications]

Page 26 to 30

Attack Surface: The Security Officer's Journey

• Over time you end up with a progression

[Chart, built up across these five slides: Perception vs Insight; Web Applications, then Client-Server Applications, Desktop Applications, Cloud Applications and Services, and Mobile Applications]

Page 31

Attack Surface: The Security Officer's Journey

• When you reach this point it is called "enlightenment"
• You won't reach this point

[Chart: Perception vs Insight, showing Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, and Mobile Applications]

Page 32 to 35

What Goes Into An Application Test?

[Diagram, built up across these four slides: An Application Test splits into Dynamic Analysis and Static Analysis; Dynamic Analysis into Automated Application Scanning and Manual Application Testing; Static Analysis into Automated Static Analysis and Manual Static Analysis]

Page 36 to 37

What Goes Into An Application Test?

[Diagram, continued across these two slides: each branch broken down by technique]

Dynamic Analysis
• Automated Application Scanning: Unauthenticated Automated Scan, Authenticated Automated Scan
• Manual Application Testing: Blind Penetration Testing, Informed Manual Testing

Static Analysis
• Automated Static Analysis: Automated Source Code Scanning, Automated Binary Analysis
• Manual Static Analysis: Manual Source Code Review, Manual Binary Analysis

Page 38

Value and Risk Are Not Equally Distributed

• Some Applications Matter More Than Others
  – Value and character of data being managed
  – Value of the transactions being processed
  – Cost of downtime and breaches
• Therefore All Applications Should Not Be Treated the Same
  – Allocate different levels of resources to assurance
  – Select different assurance activities
  – Also must often address compliance and regulatory requirements

Page 39

Do Not Treat All Applications the Same

• Allocate Different Levels of Resources to Assurance
• Select Different Assurance Activities
• Also Must Often Address Compliance and Regulatory Requirements
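The breadth, depth and frequency "misses" from the "Is Your Scanner Missing Something?" slide, and the idea on the last two slides that each application's criticality should set how much assurance it gets, can both be checked mechanically once the portfolio and the scan history are written down. The following is an added example written for this page; it is not code from the talk or from ThreadFix. The tier rules in `tier`, the per-tier `POLICY`, the one-half thresholds for crawl coverage and false-positive rate, and the `APPS` and `SCANS` records are all constructed assumptions.

```python
"""Audit a scanning program for breadth, depth and frequency "misses".

Added example written for this page; it is not code from the talk or from
ThreadFix. The tier rules, the per-tier POLICY, the thresholds and the
portfolio / scan records further down are all constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Assurance activities, named as on the "What Goes Into An Application Test?" slides.
UNAUTH_SCAN = "unauthenticated automated scan"
AUTH_SCAN = "authenticated automated scan"
SOURCE_SCAN = "automated source code scanning"
CODE_REVIEW = "manual source code review"
INFORMED_TEST = "informed manual testing"

# Assumed policy: criticality tier -> (required activities, max days between scans).
POLICY = {
    1: ({UNAUTH_SCAN, AUTH_SCAN, SOURCE_SCAN, CODE_REVIEW, INFORMED_TEST}, 30),
    2: ({UNAUTH_SCAN, AUTH_SCAN, SOURCE_SCAN}, 90),
    3: ({UNAUTH_SCAN}, 180),
}


@dataclass
class App:
    name: str
    data_value: int           # 0..3: value and character of the data managed
    transaction_value: int    # 0..3: value of the transactions processed
    outage_cost: int          # 0..3: cost of downtime and breaches
    regulated: bool = False   # subject to compliance / regulatory requirements
    endpoints: int = 0        # known attack surface: distinct entry points


@dataclass
class Scan:
    app: str
    activity: str
    when: date
    endpoints_hit: int = 0    # entry points the crawler or tester actually exercised
    findings: int = 0
    false_positives: int = 0  # findings triaged away as false positives


def tier(app: App) -> int:
    """Tier 1 is most critical. One high-value dimension is enough to raise the
    tier, and (assumption) a regulated application is never below tier 2."""
    worst = max(app.data_value, app.transaction_value, app.outage_cost)
    t = 1 if worst >= 3 else 2 if worst == 2 else 3
    return min(t, 2) if app.regulated else t


def audit(apps, scans, today: date) -> dict:
    """Return {application: [misses]}; an empty list means the policy is met."""
    by_app = {}
    for s in scans:
        by_app.setdefault(s.app, []).append(s)
    report = {}
    # Results exist for something not in the portfolio: the portfolio is inadequate.
    for name in sorted(set(by_app) - {a.name for a in apps}):
        report[name] = ["breadth: scanned but missing from portfolio"]
    for app in apps:
        required, max_age = POLICY[tier(app)]
        done = by_app.get(app.name, [])
        misses = []
        if not done:
            misses.append("breadth: never scanned")
        else:
            for activity in sorted(required - {s.activity for s in done}):
                misses.append(f"depth: no {activity}")
            latest = max(s.when for s in done)
            if (today - latest).days > max_age:
                misses.append(f"frequency: last scan {latest}, policy is every {max_age} days")
            for s in done:
                # Crawler reached under half the known attack surface.
                if s.activity in (UNAUTH_SCAN, AUTH_SCAN) and s.endpoints_hit * 2 < app.endpoints:
                    misses.append(f"depth: {s.activity} on {s.when} reached {s.endpoints_hit} of {app.endpoints} entry points")
                # Over half the findings were false positives: results will be ignored.
                if s.false_positives * 2 > s.findings:
                    misses.append(f"depth: {s.activity} on {s.when} was mostly false positives ({s.false_positives}/{s.findings})")
        report[app.name] = misses
    return report


# Constructed sample portfolio and scan history.
APPS = [
    App("payments", data_value=3, transaction_value=3, outage_cost=3, regulated=True, endpoints=120),
    App("hr-portal", data_value=2, transaction_value=0, outage_cost=1, regulated=True, endpoints=40),
    App("event-microsite", data_value=0, transaction_value=0, outage_cost=0, endpoints=8),
]
SCANS = [
    Scan("payments", UNAUTH_SCAN, date(2013, 5, 1), endpoints_hit=30, findings=10, false_positives=2),
    Scan("payments", AUTH_SCAN, date(2013, 5, 2), endpoints_hit=100, findings=12, false_positives=1),
    Scan("payments", SOURCE_SCAN, date(2013, 5, 2), findings=200, false_positives=150),
    Scan("hr-portal", UNAUTH_SCAN, date(2012, 11, 15), endpoints_hit=35, findings=4),
    Scan("marketing-site", UNAUTH_SCAN, date(2013, 4, 20), endpoints_hit=12, findings=1),
]


def sample_audit() -> dict:
    return audit(APPS, SCANS, date(2013, 5, 20))


if __name__ == "__main__":
    for name, misses in sample_audit().items():
        print(name, "->", misses or "OK")
```

On the constructed data the report flags every kind of miss on the slide: `marketing-site` has scan results but no portfolio entry, `event-microsite` has never been scanned, `hr-portal` is months past its 90-day cadence and has only ever had an unauthenticated scan, and `payments` is scanned often enough but its unauthenticated crawl covered a quarter of the known entry points and its source scan was three-quarters false positives. The thresholds are deliberately simple; what matters is that the scan history is recorded per application and per activity so that the questions can be asked at all.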

Page 40

The ThreadFix Approach

• Free / Open Source vulnerability management and aggregation platform:
  – Allows software security teams to reduce the time to remediate software vulnerabilities
  – Enables managers to speak intelligently about the status / trends of software security within their organization
• Features/Benefits:
  – Imports dynamic, static and manual testing results into a centralized platform
  – Removes duplicate findings across testing platforms to provide a prioritized list of security faults
  – Eases communication across development, security and QA teams
  – Exports prioritized list into defect tracker of choice to streamline software remediation efforts
  – Auto generates web application firewall rules to protect data during vulnerability remediation
  – Empowers managers with vulnerability trending reports to pinpoint team issues and illustrate application security progress
  – Benchmark security practice improvement against industry standards
• Freely available under the Mozilla Public License (MPL) 2.0
• Download available at: www.denimgroup.com/threadfix
• Code available at: https://code.google.com/p/threadfix/
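Removing duplicate findings across scanners, as the "Removes duplicate findings" bullet describes, comes down to normalizing each tool's output onto one key and merging on it. The following is an added example written for this page and is not ThreadFix's code; the scanner export shape, the `CWE_BY_NAME` vocabulary, the numeric-segment folding in `normalize_path` and the findings in `SCANNER_RESULTS` are all constructed assumptions. It also produces the per-scanner counts that a "Scanner Benchmarking" report, as on the demonstration slide that follows, would be built from.

```python
"""Normalize and de-duplicate findings from several scanners into one
prioritized list, and count what each scanner contributed.

Added example written for this page; it is not ThreadFix's code. The scanner
export format, the name vocabulary and the findings below are all constructed.
"""
import re
from urllib.parse import urlsplit

# Assumed mapping from each scanner's own vulnerability names to CWE ids; in
# practice maintaining this table is most of the integration work.
CWE_BY_NAME = {
    "cross-site scripting": 79, "reflected xss": 79, "xss (reflected)": 79,
    "sql injection": 89, "blind sql injection": 89,
    "path traversal": 22, "directory traversal": 22,
}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def normalize_path(url: str) -> str:
    """Reduce a URL to the entry point it exercises: drop scheme, host, query
    and fragment, and fold numeric path segments so /orders/7 and /orders/42
    count as the same endpoint."""
    path = urlsplit(url).path or "/"
    path = re.sub(r"/\d+(?=/|$)", "/{id}", path)
    return path.rstrip("/") or "/"


def finding_key(finding: dict) -> tuple:
    """(CWE, normalized path, parameter) identifies one vulnerability."""
    name = finding["name"].strip().lower()
    if name not in CWE_BY_NAME:
        raise ValueError(f"no CWE mapping for scanner finding name {name!r}")
    return (CWE_BY_NAME[name], normalize_path(finding["url"]), finding.get("param", "").lower())


def merge_findings(app: str, results: dict) -> list:
    """results: {scanner name: [finding dicts]} -> de-duplicated vulnerabilities,
    highest severity first, then the ones more scanners agree on."""
    merged = {}
    for scanner, findings in results.items():
        for f in findings:
            cwe, path, param = finding_key(f)
            v = merged.setdefault((cwe, path, param), {
                "app": app, "cwe": cwe, "path": path, "param": param,
                "severity": "info", "found_by": set(),
            })
            v["found_by"].add(scanner)
            sev = f["severity"].lower()
            if SEVERITY_RANK[sev] > SEVERITY_RANK[v["severity"]]:
                v["severity"] = sev  # keep the worst rating any scanner gave
    return sorted(merged.values(), key=lambda v: (
        -SEVERITY_RANK[v["severity"]], -len(v["found_by"]), v["path"], v["param"]))


def benchmark(vulns: list) -> dict:
    """Per scanner: how many de-duplicated vulnerabilities it reported, and how
    many of those nobody else found."""
    stats = {}
    for v in vulns:
        for scanner in v["found_by"]:
            st = stats.setdefault(scanner, {"found": 0, "unique": 0})
            st["found"] += 1
            if len(v["found_by"]) == 1:
                st["unique"] += 1
    return stats


def to_ticket(v: dict) -> dict:
    """Shape one merged vulnerability as a defect-tracker issue."""
    return {
        "title": f"[{v['app']}] CWE-{v['cwe']} at {v['path']} (param: {v['param'] or 'n/a'})",
        "priority": v["severity"],
        "labels": ["security"] + sorted(v["found_by"]),
    }


# Constructed exports from two dynamic scanners run against the same application.
SCANNER_RESULTS = {
    "scanner-a": [
        {"name": "Cross-Site Scripting", "url": "https://shop.example/search?q=1", "param": "q", "severity": "High"},
        {"name": "SQL Injection", "url": "https://shop.example/orders/42", "param": "id", "severity": "Critical"},
        {"name": "SQL Injection", "url": "https://shop.example/orders/7/", "param": "id", "severity": "Critical"},
        {"name": "Directory Traversal", "url": "https://shop.example/download", "param": "file", "severity": "Medium"},
    ],
    "scanner-b": [
        {"name": "Reflected XSS", "url": "http://10.0.0.5/search", "param": "Q", "severity": "Medium"},
        {"name": "Blind SQL Injection", "url": "http://10.0.0.5/orders/123", "param": "id", "severity": "High"},
        {"name": "Reflected XSS", "url": "http://10.0.0.5/account/profile", "param": "nick", "severity": "High"},
    ],
}


def sample_merge() -> list:
    return merge_findings("shop", SCANNER_RESULTS)


if __name__ == "__main__":
    vulns = sample_merge()
    for v in vulns:
        print(to_ticket(v)["title"], sorted(v["found_by"]))
    print(benchmark(vulns))
```

Seven raw findings collapse to four vulnerabilities: the three SQL injection reports (one scanner hit two order ids, the other scanned a different hostname) become a single critical issue both scanners agree on, the two XSS reports on `/search` merge despite the differing parameter case and severity ratings, and each scanner is left with one finding the other missed. The merge key is the point to get right: if the path folding is too aggressive, distinct vulnerabilities collapse into one ticket; if it is too literal, every host alias and record id becomes a duplicate.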

Page 41

ThreadFix Demonstration

• Building Your Application Portfolio
• Storing Scanning Results Over Time
• Reporting
  – Trending
  – Vulnerability Remediation Progress
  – Scanner Benchmarking
  – Portfolio Status

Page 42

Steps for Improvement

• Build Your Application Portfolio
• Characterize the Effectiveness of Efforts Made to Date
• Build a Plan for Coverage
• Monitor Progress

Page 43

Questions?

Dan Cornell
Principal and CTO
[email protected]
Twitter @danielcornell
+1 (210) 572-4400
www.denimgroup.com
blog.denimgroup.com