Web Application Security Vulnerability Management Framework

Uploaded by: jpubal

Posted on 22-Nov-2014


DESCRIPTION

Web Application Security Vulnerability Management Framework for building an application security program

TRANSCRIPT

Page 1

The Web Application Vulnerability Management Framework

Page 2

Jason Pubal

Blog: www.intellavis.com/blog

Social: linkedin.com/in/pubal, twitter.com/pubal

I speak for myself. My employer uses press releases. These opinions are shareware - if you like them, send $10. Actual mileage may vary. Some assembly required. Keep in a cool, dark place.

Presentation: http://bit.ly/WebAppVMFramework

Page 3

INTRODUCTION

FRAMEWORK

PREPARATION

VM PROCESSES

METRICS

VM ON THE CHEAP

Page 4

OWASP OpenSAMM (Software Assurance Maturity Model)

Page 5

BSIMM (Building Security In Maturity Model)

Page 6

Application Security Touchpoints

Page 7

Problems?!

What happens after deployment?
• Security issues missed during the SDLC
• New attack techniques
• Infrastructure vulnerabilities

What about applications that don't go through the SDLC?
• Hosted applications
• Legacy applications
• Commercial off-the-shelf (COTS) applications

According to the Verizon 2014 Data Breach Investigations Report, "web applications remain the proverbial punching bag of the Internet", with 35% of breaches being caused by web application attacks.

Page 8

BFFs 4 EVA!

Page 9

Web Application Vulnerability Management Program

> 200 Web Applications: a big company with A LOT of Internet-facing web applications.

Continuous: assessments are running all the time, 24x7x365.

Actual Attack Surface: live, production applications.

New Program: built in the last year.

Page 10

Web Application Vulnerability Management Framework

Core cycle: Inventory, Enroll, Assess, Report, Remediate, then Assess again to verify the fix.

Supporting functions: Policy, Defect Tracking, Metrics.

Page 11

Risk Management: the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.

Vulnerability Management: the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.

GOAL – Identify & Reduce Risk

Understand web application specific risk exposure and bring it in line with policies.

Page 12

Gartner: Vulnerability Management (figure)


Page 14

Preparation

Processes: Decide what you're doing. Get stakeholder approval.

Policy: Gives YOU the authority to run vulnerability assessments, set remediation timelines, and require secure coding practices and infrastructure configuration standards.

Scanning Tools: Choose a web application vulnerability scanner that fits your program requirements.

Inventory: Create and maintain an inventory of web applications.

Introductory Material: Create a communications plan. Build a packet of information to give application owners as you enroll sites.

Project Management Integration: Hook into project management as a web application "go live" requirement.

Page 15

Dynamic Application Security Testing (DAST)

Detects conditions indicative of a security vulnerability in an application in its running state.

1. Spider the application
2. Fuzz inputs
3. Analyze responses
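The three-step loop above as an added example, not code from the deck or from any scanner it names: a minimal spider-fuzz-analyze scanner in Python run against a constructed in-memory toy application. The toy routes, the canary payload, and the two detection heuristics (raw reflection of angle brackets, database error text in the body) are assumptions for illustration; a real scanner would replace fetch() with an HTTP client and carry many more checks.

```python
"""Minimal DAST loop (spider -> fuzz -> analyze) against a toy in-memory app.
Added illustration, not the talk's code. The toy app, its routes and the
detection heuristics are constructed for this example."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


# --- constructed target: three routes, two of them deliberately weak ---
def toy_app(path, params):
    """Return (status, body) the way a tiny web server would."""
    if path == "/":
        return 200, ('<a href="/search?q=shoes">search</a>'
                     '<a href="/product?id=7">product</a>'
                     '<a href="/hello?name=bob">hello</a>'
                     '<a href="http://other.example/x">offsite</a>')
    if path == "/search":            # reflects q without escaping -> XSS
        return 200, f"<h1>Results for {params.get('q', '')}</h1>"
    if path == "/product":           # leaks a DB error on odd input -> SQLi hint
        if not params.get("id", "").isdigit():
            return 500, "You have an error in your SQL syntax near ''"
        return 200, f"<p>Product {html.escape(params['id'])}</p>"
    if path == "/hello":             # escapes properly -> no finding
        return 200, f"<p>Hi {html.escape(params.get('name', ''))}</p>"
    return 404, "not found"


def fetch(url):
    """Adapter: in a real scanner this is an HTTP GET (e.g. requests.get)."""
    parts = urlsplit(url)
    return toy_app(parts.path, dict(parse_qsl(parts.query)))


class LinkParser(HTMLParser):
    """Collect <a href> and <form action> targets from a page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.links.append(a["action"])


CANARY = "dast'\"<zz>"   # quote chars for SQL, angle brackets for XSS
SQL_ERR = re.compile(r"SQL syntax|ORA-\d{5}|pg_query|SQLSTATE", re.I)


def spider(start, max_pages=50):
    """Step 1: follow same-origin links, collect URLs that carry parameters."""
    origin = urlsplit(start)
    seen, queue, targets = set(), [start], []
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        _status, body = fetch(url)
        parser = LinkParser()
        parser.feed(body)
        for href in parser.links:
            u = urlsplit(href)
            if u.netloc and u.netloc != origin.netloc:
                continue                       # stay in scope
            full = urlunsplit((origin.scheme, origin.netloc, u.path, u.query, ""))
            if full not in seen:
                queue.append(full)
            if u.query:
                targets.append(full)
    return targets


def fuzz_and_analyze(url):
    """Steps 2+3: inject the canary into each parameter, inspect the response."""
    findings = []
    parts = urlsplit(url)
    base = dict(parse_qsl(parts.query))
    for name in base:
        mutated = dict(base, **{name: CANARY})
        test_url = urlunsplit((parts.scheme, parts.netloc, parts.path,
                               urlencode(mutated), ""))
        _status, body = fetch(test_url)
        if "<zz>" in body:          # raw, unescaped reflection of our markup
            findings.append(("reflected-xss", parts.path, name))
        if SQL_ERR.search(body):    # database error bubbled up to the client
            findings.append(("sql-error-disclosure", parts.path, name))
    return findings


def scan(start):
    results = []
    for target in spider(start):
        results.extend(fuzz_and_analyze(target))
    return sorted(set(results))


if __name__ == "__main__":
    for finding in scan("http://app.example/"):
        print(finding)
```

The scope check in spider() is the part that matters politically (see the "No Approval or Notification" mistake later in the deck): only links on the enrolled origin are followed, so the scanner never wanders onto an application nobody agreed to test.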

Page 16

Scanner Comparison – sectoolmarket.com

Page 17

Building your Inventory - Reconnaissance

Recon-ng: Web reconnaissance framework. Google dorks, IP/DNS lookups, GPS, PunkSPIDER, Shodan, PwnedList, LinkedIn, etc.

Nmap: nmap -Pn -p80,443 -sV --script=http-screenshot <ip range/subnet>
(-Pn skips host discovery so hosts that drop ICMP are still scanned; -P0 on the original slide is the older spelling of the same option. -sV identifies the service so HTTP on odd ports and TLS on 443 are recognised. http-screenshot is a third-party NSE script, not bundled with Nmap; it has to be dropped into the scripts directory and depends on wkhtmltoimage to render the pages.)

DNS: Make friends with your DNS administrator.

Reverse Lookups – ewhois.com: Reverse email lookup, or search by Google Analytics or AdSense ID.

Google: Google for your company. Go through the top 100 results. Build a list of websites.
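One way to turn two of the sources above into an inventory, as an added example that is not from the talk: parse an Nmap -sV XML export and a DNS zone dump, join them on IP address, and report DNS names that never showed an open web port (the unscanned, or not yet discovered, part of the attack surface). The XML, the zone records, the hostnames, and the 198.51.100.0/24 addresses are constructed sample data.

```python
"""Merge Nmap service-scan output with a DNS zone export into a web
application inventory. Added example, not from the talk; the XML, the zone
lines and the hostnames are constructed sample data (RFC 5737 addresses)."""
import csv
import io
import xml.etree.ElementTree as ET

# constructed: what `nmap -Pn -p80,443 -sV -oX scan.xml` writes, trimmed
NMAP_XML = """<nmaprun scanner="nmap" args="nmap -Pn -p80,443 -sV 198.51.100.0/28">
<host><status state="up"/><address addr="198.51.100.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.7"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="Apache httpd" version="2.4.7" tunnel="ssl"/></port>
</ports></host>
<host><status state="up"/><address addr="198.51.100.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
</ports></host>
</nmaprun>"""

# constructed: a zone dump from the DNS administrator
ZONE = """www.example.com.     300 IN A     198.51.100.10
shop.example.com.    300 IN CNAME www.example.com.
portal.example.com.  300 IN A     198.51.100.11
mail.example.com.    300 IN A     198.51.100.20
"""


def parse_zone(text):
    """Return ip -> set(names), folding CNAME aliases onto their target's A record."""
    a_records, cnames = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        name, rtype, rdata = fields[0].rstrip("."), fields[3], fields[4].rstrip(".")
        if rtype == "A":
            a_records.setdefault(rdata, set()).add(name)
        elif rtype == "CNAME":
            cnames[name] = rdata
    for alias, target in cnames.items():
        seen = set()
        while target in cnames and target not in seen:   # follow CNAME chains
            seen.add(target)
            target = cnames[target]
        for names in a_records.values():
            if target in names:
                names.add(alias)
    return a_records


def parse_nmap(xml_text):
    """Yield (ip, port, scheme, banner) for every open HTTP(S) port."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            svc = port.find("service")
            if port.find("state").get("state") != "open" or svc is None:
                continue
            name = svc.get("name", "")
            if not name.startswith("http"):
                continue
            scheme = "https" if name == "https" or svc.get("tunnel") == "ssl" else "http"
            banner = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
            yield addr.get("addr"), int(port.get("portid")), scheme, banner


def build_inventory(nmap_xml, zone_text):
    """Return (inventory rows, DNS names with no observed web port)."""
    names_by_ip = parse_zone(zone_text)
    rows, scanned = [], set()
    for ip, port, scheme, banner in parse_nmap(nmap_xml):
        for name in sorted(names_by_ip.get(ip, set())) or [ip]:
            default = (scheme, port) in (("http", 80), ("https", 443))
            url = f"{scheme}://{name}" + ("" if default else f":{port}")
            rows.append({"url": url, "ip": ip, "server": banner, "source": "nmap+dns"})
            scanned.add(name)
    gaps = sorted(n for names in names_by_ip.values() for n in names if n not in scanned)
    return rows, gaps


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["url", "ip", "server", "source"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    inventory, gaps = build_inventory(NMAP_XML, ZONE)
    print(to_csv(inventory))
    print("no web port seen (check scope or scan again):", gaps)
```

The gaps list is the point of joining the sources: a name in DNS with no matching open port is either out of scope, behind a host that dropped the scan, or a service on a port the scan did not cover, and each of those deserves a look before the inventory is declared complete.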



Page 20

Enrollment Process


Page 23

Remediation Process

Page 24

Not Infrastructure Vulnerability Management

Software Defects: Infrastructure folks have been doing patch management for years. Software developers have been fixing "bugs." Frame the vulnerability as a code defect.

Legacy Applications: What if we are no longer actively developing the application? What if we don't even employ developers who use that language?

Determine Level of Effort: Each fix is its own software development project.

Technical vs. Logical Vulnerabilities: A technical fix is usually straightforward and repetitive. Logical fixes can require significant redesign.

Not a Cookie-Cutter Patch: The development team has to take time away from building new functionality.

Page 25

Common Mistakes

Not Considering Business Context in Risk Ratings: Only looking at the automated tool's risk ranking is not sufficient. Take the application's business criticality into consideration.

No Approval or Notification: Knocking over an application that no one knew you were scanning could have detrimental political effects.

Forcing Developers to Use New Tools & Processes: Communicating with development teams using their existing tools and processes helps decrease friction between security and development organizations.

Sending a PDF Report of 100 Vulnerabilities to the Dev Team: Avoid bystander apathy. Use the development team's defect tracking tool.
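An added example, not the presenter's code, addressing two of the mistakes above: the scanner's severity is re-rated with the application's business criticality, and findings are grouped per application and weakness class into one ticket each, shaped for the development team's own tracker. The inventory, the findings, the priority thresholds, and the SLA days are constructed assumptions; the payload shape follows the body JIRA's REST issue-create endpoint accepts, and any field beyond project, issuetype, summary, description, and labels would be an assumption too.

```python
"""Scanner findings -> business-context priority -> one ticket per
(application, weakness) in the dev team's tracker. Added example, not the
presenter's code; inventory, findings, thresholds and SLAs are constructed."""
import json
from collections import defaultdict

# constructed inventory: criticality (1 low .. 3 high) is set by the app owner
# at enrollment; tracker_project is the dev team's own project key
INVENTORY = {
    "payments.example.com": {"criticality": 3, "tracker_project": "PAY"},
    "blog.example.com":     {"criticality": 1, "tracker_project": "WEB"},
}

# constructed DAST export, already parsed into records
FINDINGS = [
    {"app": "payments.example.com", "cwe": 79,  "severity": "medium", "url": "/search", "param": "q"},
    {"app": "payments.example.com", "cwe": 79,  "severity": "medium", "url": "/help",   "param": "topic"},
    {"app": "payments.example.com", "cwe": 89,  "severity": "high",   "url": "/orders", "param": "id"},
    {"app": "blog.example.com",     "cwe": 89,  "severity": "high",   "url": "/post",   "param": "id"},
    {"app": "blog.example.com",     "cwe": 200, "severity": "low",    "url": "/server-status", "param": None},
]

SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}   # assumed remediation policy


def contextual_priority(severity, criticality):
    """Scanner severity (1-4) x business criticality (1-3) -> P1..P4.
    A 'high' on a brochure site ranks below a 'medium' on the payment app."""
    score = SEVERITY_SCORE[severity] * criticality
    if score >= 9:
        return "P1"
    if score >= 6:
        return "P2"
    if score >= 3:
        return "P3"
    return "P4"


def build_tickets(findings, inventory):
    """Group by (app, CWE) so the team fixes a root cause, not 100 rows."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["app"], f["cwe"])].append(f)
    tickets = []
    for (app, cwe), items in groups.items():
        meta = inventory[app]
        worst = max(items, key=lambda f: SEVERITY_SCORE[f["severity"]])
        prio = contextual_priority(worst["severity"], meta["criticality"])
        tickets.append({
            "project": meta["tracker_project"],
            "priority": prio,
            "sla_days": SLA_DAYS[prio],
            "summary": f"[{prio}] CWE-{cwe} in {app} ({len(items)} location(s))",
            "locations": [(f["url"], f["param"]) for f in items],
        })
    return sorted(tickets, key=lambda t: (t["priority"], t["project"]))


def to_jira_payload(ticket):
    """Body shape for JIRA's REST issue-create endpoint (POST /rest/api/2/issue)."""
    where = "\n".join(f"- {url} (param: {param})" for url, param in ticket["locations"])
    return {"fields": {
        "project": {"key": ticket["project"]},
        "issuetype": {"name": "Bug"},
        "summary": ticket["summary"],
        "description": f"Fix within {ticket['sla_days']} days.\nAffected locations:\n{where}",
        "labels": ["security", ticket["priority"]],
    }}


if __name__ == "__main__":
    for ticket in build_tickets(FINDINGS, INVENTORY):
        print(json.dumps(to_jira_payload(ticket), indent=2))
```

With these constructed inputs the two medium XSS findings on the payment application become a single P2 ticket with two locations, while the high SQL injection on the blog drops to P3: same scanner rating, different business exposure, different remediation deadline.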


Page 28

Metrics

Expressed as a Number or Percentage: Not with qualitative labels like high, medium, or low.

Expressed Using at Least One Unit of Measure: Defects, hours, or dollars. Defects per application. Defects over time.

Cheap to Gather: Metrics ought to be computed at a frequency commensurate with the process's rate of change. We want to analyze security effectiveness on a day-to-day or week-by-week basis. Figuring out how to automate metric generation is key.

Contextually Specific: The metric needs to be relevant enough to decision makers that they can take action. If no one cares, it is not worth gathering.

Consistently Measured: Anyone should be able to look at the data and come up with the same metric using a specific formula or method. Metrics that rely on subjective judgment are not good.

Page 29

Metrics

Company Top 10 Vulnerabilities: Like the OWASP Top 10, but organization specific.

Vulnerabilities per Application: Number of vulnerabilities that a potential attacker without prior knowledge might find. You could also count by business unit or criticality.

Mean Time to Mitigate Vulnerabilities: Average time taken to mitigate vulnerabilities identified in an organization's technologies. This speaks to organizational performance and to the window in which the vulnerability might be exploited.

Security Testing Coverage: Percentage of applications in the organization that have been subjected to security testing.


Page 31

Web App VM on the Cheap

Dynamic Application Security Testing (DAST) Tools: Burp Suite – $299, single license; OWASP Zed Attack Proxy (ZAP) – open source

Vulnerability Aggregation: ThreadFix – open source

Defect Tracking: JIRA – $10, 10 users; Bugzilla – open source


Page 33

Questions?

Thank You!

Presentation: http://bit.ly/WebAppVMFramework