Building a Web Application Vulnerability Management Program

Posted on 19-Oct-2014


DESCRIPTION

How to build a web application vulnerability management program.

TRANSCRIPT

Page 1: Building a Web Application Vulnerability Management Program

Page 2: Web Application Vulnerability Management

Jason Pubal

Blog: www.intellavis.com/blog

Social: linkedin.com/in/pubal, twitter.com/pubal

Page 3: Web Application Vulnerability Management


INTRODUCTION

PREPARATION

DAST TOOLS

VM PROCESS

METRICS

VM ON THE CHEAP

Page 4: Web Application Vulnerability Management

Risk Management: the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take to reduce risk to an acceptable level, based on the value of the information resource to the organization.

Vulnerability Management: the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.

GOAL – Identify & Reduce Risk

Understand web application specific risk exposure and bring it in-line with policies.

Page 5: Web Application Vulnerability Management


Gartner

Vulnerability Management

Page 6: Web Application Vulnerability Management


OWASP OpenSAMM

Software Assurance Maturity Model

Page 7: Web Application Vulnerability Management


BSIMM

Building Security in Maturity Model

Page 8: Web Application Vulnerability Management


Application Security Touchpoints

Page 9: Web Application Vulnerability Management

Bug Bounty Program: now in BSIMM v5 (Google, Facebook).

What’s Missing? Recurring Vulnerability Assessments. Infrastructure vulnerability scanning is a best practice. Why not applications?

Page 10: Web Application Vulnerability Management

Software Assurance Maturity Model

Security Testing: Penetration tests and other automated security tests done before deployment.

Vulnerability Management: Handling security incidents and externally reported vulnerabilities.

Page 11: Web Application Vulnerability Management

Process cycle: Inventory → Enroll → Assess → Report → Remediate → Assess (repeat)

Policy

Defect Tracking

Metrics

Vulnerability Management Process

Page 12: Web Application Vulnerability Management

Processes: Decide what you’re doing. Get stakeholder approval.

Policy: Gives YOU the ability to do vulnerability assessments and to set remediation timelines, secure coding practices, and infrastructure configuration policies.

Preparation

Scanning Tools: Choose a web application vulnerability scanner that fits your program requirements.

Inventory: Create and maintain an inventory of web applications.

Introductory Material: Create a communications plan. Build a packet of information to give application owners as you enroll sites.

Project Management Integration: Hook into project management as a web application “go live” requirement.

Page 13: Web Application Vulnerability Management

Dynamic Application Security Testing (DAST)

Detect conditions indicative of a security vulnerability in an application in its running state.

1. Spider Application
2. Fuzz Inputs
3. Analyze Response

Page 14: Web Application Vulnerability Management


Scanner Comparison – sectoolmarket.com

Page 15: Web Application Vulnerability Management

Recon-ng: Web reconnaissance framework. Google dorks, IP/DNS lookups, GPS, PunkSPIDER, Shodan, PwnedList, LinkedIn, etc.

Nmap: nmap -P0 -p80,443 -sV --script=http-screenshot <ip range/subnet>
(-P0 is the legacy spelling of -Pn, i.e. skip host discovery; http-screenshot is a third-party NSE script that must be installed separately, it does not ship with Nmap.)

Building your Inventory - Reconnaissance

DNS: Make friends with your DNS administrator.

Reverse Lookups (ewhois.com): Reverse email lookup, or lookup by Google Analytics or AdSense ID.

Google: Google for your company. Go through the top 100 results. Build a list of websites.

Page 16: Web Application Vulnerability Management

Process cycle: Inventory → Enroll → Assess → Report → Remediate → Assess (repeat)

Policy

Defect Tracking

Metrics

Vulnerability Management Process

Page 17: Web Application Vulnerability Management


Enrollment Process

Page 18: Web Application Vulnerability Management

Process cycle: Inventory → Enroll → Assess → Report → Remediate → Assess (repeat)

Policy

Defect Tracking

Metrics

Page 19: Web Application Vulnerability Management


Remediation Process

Page 20: Web Application Vulnerability Management

Software Defects: Infrastructure folks have been doing patch management for years. Software developers have been fixing “bugs.” Frame the vulnerability as a code defect.

Legacy Applications: What if we are no longer actively developing the application? What if we don’t even employ developers who use that language?

Not Infrastructure Vulnerability Management

Determine Level of Effort: Each fix is its own software development project.

Technical vs. Logical Vulnerabilities: A technical fix is usually straightforward and repetitive. Logical fixes can require significant redesign.

Not a cookie-cutter patch: The development team has to take time away from building new functionality.

Page 21: Web Application Vulnerability Management

Not Considering Business Context in Risk Ratings: Looking only at the automated tool’s risk ranking is not sufficient. Take the application’s business criticality into consideration.

No Approval or Notification: Knocking over an application that no one knew you were scanning could have detrimental political effects.

Common Mistakes

Forcing Developers to Use New Tools & Processes: Communicating with development teams using their existing tools and processes helps to decrease friction between security and development organizations.

Send a PDF Report of 100 Vulnerabilities to the Dev Team! Avoid bystander apathy: use the development team’s defect tracking tool.

Page 22: Web Application Vulnerability Management

Process cycle: Inventory → Enroll → Assess → Report → Remediate → Assess (repeat)

Policy

Defect Tracking

Metrics

Page 23: Web Application Vulnerability Management

Expressed as a Number or Percentage: Not with qualitative labels like high, medium, or low.

Cheap to Gather: Metrics ought to be computed at a frequency commensurate with the process’s rate of change. We want to analyze security effectiveness on a day-to-day or week-by-week basis. Figuring out how to automate metric generation is key.

Metrics

Expressed Using at Least One Unit of Measure: Defects, hours, or dollars. Defects per application. Defects over time.

Contextually Specific: The metric needs to be relevant enough to decision makers that they can take action. If no one cares, it is not worth gathering.

Consistently Measured: Anyone should be able to look at the data and come up with the same metric using a specific formula or method. Metrics that rely on subjective judgment are not good.

Page 24: Web Application Vulnerability Management

Company Top 10 Vulnerabilities: Like the OWASP Top 10, but organization specific.

Vulnerabilities per Application: Number of vulnerabilities that a potential attacker without prior knowledge might find. You could also count by business unit or criticality.

Metrics

Mean Time to Mitigate Vulnerabilities: Average time taken to mitigate vulnerabilities identified in an organization’s technologies. This speaks to organization performance and the window in which the vulnerability might be exploited.

Security Testing Coverage: Percentage of applications in the organization that have been subjected to security testing.
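The four metrics on this slide, computed the way the previous slide asks for (numeric, unit-bearing, reproducible by formula) over a constructed set of scan findings and an application inventory. This is an added illustration, not code from the deck or from any tool it names; the record layout, application names and dates are assumptions.

```python
from collections import Counter
from datetime import date
from statistics import mean

# Constructed sample data: one record per finding from a DAST scan, with the date
# it was discovered and the date it was closed (None means still open).
FINDINGS = [
    {"app": "portal",   "unit": "retail",  "type": "XSS",           "found": date(2014, 9, 1),  "fixed": date(2014, 9, 15)},
    {"app": "portal",   "unit": "retail",  "type": "SQL Injection", "found": date(2014, 9, 1),  "fixed": date(2014, 9, 8)},
    {"app": "portal",   "unit": "retail",  "type": "XSS",           "found": date(2014, 9, 20), "fixed": None},
    {"app": "payments", "unit": "finance", "type": "SQL Injection", "found": date(2014, 9, 5),  "fixed": date(2014, 9, 10)},
    {"app": "payments", "unit": "finance", "type": "CSRF",          "found": date(2014, 9, 5),  "fixed": date(2014, 10, 5)},
    {"app": "intranet", "unit": "hr",      "type": "XSS",           "found": date(2014, 10, 1), "fixed": None},
]

# Constructed inventory: every web application the organization owns, scanned or not.
# Coverage is only meaningful against the full inventory, not against the scanned set.
INVENTORY = ["portal", "payments", "intranet", "legacy-crm", "careers"]


def company_top_n(findings, n=10):
    """Most common vulnerability types across all findings: the organization's own Top 10."""
    return Counter(f["type"] for f in findings).most_common(n)


def vulns_per_application(findings, key="app", open_only=True):
    """Findings per application (or per business unit with key='unit').

    open_only=True counts what an attacker could still find today, which is the
    exposure the slide describes; open_only=False gives the historical total.
    """
    return dict(Counter(f[key] for f in findings if not open_only or f["fixed"] is None))


def mean_time_to_mitigate_days(findings):
    """Average days from discovery to fix, over closed findings only (None if nothing closed)."""
    durations = [(f["fixed"] - f["found"]).days for f in findings if f["fixed"] is not None]
    return mean(durations) if durations else None


def security_testing_coverage(findings, inventory):
    """Percentage of inventoried applications that have been scanned at least once."""
    tested = {f["app"] for f in findings}
    return 100.0 * len(tested & set(inventory)) / len(inventory)


if __name__ == "__main__":
    print("Company top 10:", company_top_n(FINDINGS))
    print("Open vulns per app:", vulns_per_application(FINDINGS))
    print("Mean time to mitigate (days):", mean_time_to_mitigate_days(FINDINGS))
    print("Security testing coverage (%):", security_testing_coverage(FINDINGS, INVENTORY))
```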

Page 25: Web Application Vulnerability Management


Page 26: Web Application Vulnerability Management

On the Cheap

Vulnerability Aggregation: ThreadFix (open source)

Defect Tracking: JIRA ($10, 10 users); Bugzilla (open source)

Web Application Vulnerability Scanner: Burp Suite ($299, single license); OWASP Zed Attack Proxy (ZAP) (open source)

Page 27: Web Application Vulnerability Management

Jason Pubal

Blog: www.intellavis.com/blog

Social: linkedin.com/in/pubal, twitter.com/pubal

Page 28: Web Application Vulnerability Management

THANK YOU