SlideShare a Scribd company logo

Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)

Denim Group, profile picture
Denim Group

The document discusses the importance of automated scanning in software security, emphasizing its role in reducing risks and improving software security programs. It outlines common practices, metrics, and patterns for effective scanning programs, highlighting the need for a tailored approach that considers the attack surface of an organization. Additionally, it introduces ThreadFix, a free platform for vulnerability management that aids in the remediation of software vulnerabilities and enhances communication among development, security, and QA teams.

Technology
1 of 43
Downloaded 20 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
Do  You  Have  a  Scanner   or  a  Scanning  Program?  
About  Me     •  Dan  Cornell   •  Founder  and  CTO  of  Denim  Group   •  So@ware  developer  by  background  (Java,  .NET,  etc)   •  OWASP  San  Antonio   •  15  years  experience  in  so@ware  architecture,  development   and  security  
•  StaQc  or  Dynamic?  (Or  Both?)   •  Desktop,  Enterprise  or  Cloud   – (Or  All  the  Above?)     3   Who  Has  Purchased  an   Automated  Scanner?  
Who  Here  Is  Happy   With  Their  Scanner?   •  Yes   •  No   •  Kind  Of   •  Not  Sure   4  
Why  or  Why  Not?       Why  or  Why  Not?   5  
Successful  So@ware  Security   Programs   •  Common  Goal   –  Reduce  Risk  by…   •  Reliably  CreaQng  Acceptably  Secure  So@ware   •  Obligatory  “People,  Process,  Technology”  Reference   –  Anybody  got  a  good  Sun  Tzu  quote?   –  I’d  se^le  for  a  von  Clausewitz…   –  Or  perhaps  we  need  to  look  at  Dalai  Lama  quotes  (topic   for  a  different  day)   •  Common  AcQviQes   –  ImplementaQon  must  be  Qed  to  the  specific  organizaQon   6  
What  Part  Does  Scanning  Play?   •  OpenSAMM  -­‐  Automated  scanning  is  part  of  both  the  “Security  TesQng”   and  “Code  Review”  Security  PracQces  within  the  VerificaQon  Business   FuncQon   –  Dynamic  scanning  and  staQc  scanning,  respecQvely   •  Common  starQng  point  for  many  organizaQons  embarking  on  so@ware   security  programs   –  There  are  lots  of  commercial  and  freely  available  products  that  can  be  used  in   support  of  this  acQvity     RED  FLAG:   Q:  What  are  you  doing  for  so:ware  security?   A:  We  bought  [Vendor  Scanner  XYZ]     ***  BEWARE  FOSTERING  A  CHECKBOX  CULTURE  ***   7  
Scanning  Program:  AnQ-­‐ Pa^erns   •  “Dude  With  a  Scanner”   approach   – Can  also  be   implemented  as  the   “lady  with  a  scanner”   approach   •  “SaaS  and  Forget”   approach   8  
Scanner  Program  Metrics   • Breadth   • Depth   • Frequency  
Is  Your  Scanner   Missing  Something?   •  Breadth  “Misses”   –  Inadequate  applicaQon   porholio   –  ApplicaQons  not  being  scanned   •  Depth  “Misses”   –  IneffecQve  crawling  ignores   applicaQon  a^ack  surface   –  False  negaQves  resulQng  in   ignorance  of  legiQmate   vulnerabiliQes   –  Excessive  false  posiQves   causing  results  to  be  ignored   •  Frequency  “Misses”   –  ApplicaQons  not  being  scanned   o@en  enough   10  
Security  TesQng:  Be^er   Pa^erns   •  Breadth-­‐First  Scanning   –  You  want  a  scanning  program,  not  a   scanner   •  Deep  Assessment  of  CriQcal   ApplicaQons   –  Automated  scanning,  manual  scan   review  and  assessment     •  Understand  that  scanning  is  a  means   to  an  end   –  Not  an  end  in  and  of  itself   –  Start  of  vulnerability  management   11  
What  Goes  Into  a  Good   Scanning  Program?   •  Solid  Understanding  of  A^ack  Surface     •  RealisQc  Concept  of  Scanner  EffecQveness     •  Disciplined  History  of  Scanning   •  PrioriQzed  TesQng  Efforts   12  
What  Is  Your  So@ware  A^ack   Surface?   13   So@ware  You   Currently  Know   About   Why?   •  Lots  of  value  flows  through  it   •  Auditors  hassle  you  about  it   •  Formal  SLAs  with  customers  menQon  it   •  Bad  guys  found  it  and  caused  an  incident   (oops)   What?   •  CriQcal  legacy  systems   •  Notable  web  applicaQons  
What  Is  Your  So@ware  A^ack   Surface?   14   Add  In  the  Rest  of   the  Web   ApplicaQons  You   Actually  Develop   and  Maintain   Why  Did  You  Miss  Them?   •  Forgot  it  was  there   •  Line  of  business  procured  through  non-­‐ standard  channels   •  Picked  it  up  through  a  merger  /  acquisiQon   What?   •  Line  of  business  applicaQons   •  Event-­‐specific  applicaQons  
What  Is  Your  So@ware  A^ack   Surface?   15   Add  In  the   So@ware  You   Bought  from   Somewhere   Why  Did  You  Miss  Them?   •  Most  scanner  only  really  work  on  web   applicaQons  so  no  vendors  pester  you  about   your  non-­‐web  applicaQons   •  Assume  the  applicaQon  vendor  is  handling   security   What?   •  More  line  of  business  applicaQons   •  Support  applicaQons   •  Infrastructure  applicaQons  
What  Is  Your  So@ware  A^ack   Surface?   16   MOBILE!   THE  CLOUD!   Why  Did  You  Miss  Them?   •  Any  jerk  with  a  credit  card  and  the  ability  to   submit  an  expense  report  is  now  runs  their   own  private  procurement  office   What?   •  Support  for  line  of  business  funcQons   •  MarkeQng  and  promoQon  
A^ack  Surface:  The  Security   Officer’s  Journey   •  Two  Dimensions:   – PercepQon  of  So@ware  A^ack  Surface   – Insight  into  Exposed  Assets   17   PercepQon   Insight  
•  As  percepQon  of  the  problem  of  a^ack  surface   widens  the  scope  of  the  problem  increases   A^ack  Surface:  The  Security   Officer’s  Journey   18   PercepQon   Insight   Web Applications
•  As  percepQon  of  the  problem  of  a^ack  surface   widens  the  scope  of  the  problem  increases   A^ack  Surface:  The  Security   Officer’s  Journey   19   PercepQon   Insight   Web Applications Client-Server Applications
•  As  percepQon  of  the  problem  of  a^ack  surface   widens  the  scope  of  the  problem  increases   A^ack  Surface:  The  Security   Officer’s  Journey   20   PercepQon   Insight   Web Applications Client-Server Applications Desktop Applications
•  As  percepQon  of  the  problem  of  a^ack  surface   widens  the  scope  of  the  problem  increases   A^ack  Surface:  The  Security   Officer’s  Journey   21   PercepQon   Insight   Web Applications Client-Server Applications Desktop Applications Cloud Applications and Services
•  As  percepQon  of  the  problem  of  a^ack  surface   widens  the  scope  of  the  problem  increases   A^ack  Surface:  The  Security   Officer’s  Journey   22   PercepQon   Insight   Web Applications Client-Server Applications Desktop Applications Cloud Applications and Services Mobile Applications
•  Discovery  acQviQes  increase  insight   A^ack  Surface:  The  Security   Officer’s  Journey   23   PercepQon   Insight   Web Applications
•  Discovery  acQviQes  increase  insight   A^ack  Surface:  The  Security   Officer’s  Journey   24   PercepQon   Insight   Web Applications
•  Discovery  acQviQes  increase  insight   A^ack  Surface:  The  Security   Officer’s  Journey   25   PercepQon   Insight   Web Applications
•  Over  Qme  you  end  up  with  a  progression   A^ack  Surface:  The  Security   Officer’s  Journey   26   PercepQon   Insight   Web Applications
•  Over  Qme  you  end  up  with  a  progression   A^ack  Surface:  The  Security   Officer’s  Journey   27   PercepQon   Insight   Web Applications Client-Server Applications
Desktop Applications Client-Server Applications •  Over  Qme  you  end  up  with  a  progression   A^ack  Surface:  The  Security   Officer’s  Journey   28   PercepQon   Insight   Web Applications
Desktop Applications Client-Server Applications •  Over  Qme  you  end  up  with  a  progression   A^ack  Surface:  The  Security   Officer’s  Journey   29   PercepQon   Insight   Web Applications Cloud Applications and Services
Desktop Applications Client-Server Applications •  Over  Qme  you  end  up  with  a  progression   A^ack  Surface:  The  Security   Officer’s  Journey   30   PercepQon   Insight   Web Applications Cloud Applications and Services Mobile Applications
•  When  you  reach  this  point  it  is  called   “enlightenment”   •  You  won’t  reach  this  point   A^ack  Surface:  The  Security   Officer’s  Journey   31   PercepQon   Insight   Web Applications Client-Server Applications Desktop Applications Cloud Applications and Services Mobile Applications
An Application Test What  Goes  Into  An  ApplicaQon   Test?   32  
Dynamic Analysis What  Goes  Into  An  ApplicaQon   Test?   33   Static Analysis
Automated Application Scanning What  Goes  Into  An  ApplicaQon   Test?   34   Static Analysis Manual Application Testing
Automated Application Scanning What  Goes  Into  An  ApplicaQon   Test?   35   Automated Static Analysis Manual Application Testing Manual Static Analysis
Unauthenticated AutomatedScan What  Goes  Into  An  ApplicaQon   Test?   36   Automated Static Analysis Blind Penetration Testing Manual Static Analysis Authenticated AutomatedScan Informed ManualTesting
Unauthenticated AutomatedScan What  Goes  Into  An  ApplicaQon   Test?   37   Automated SourceCode Scanning Blind Penetration Testing ManualSource CodeReview Authenticated AutomatedScan Informed ManualTesting Automated BinaryAnalysis ManualBinary Analysis
Value  and  Risk  Are  Not  Equally   Distributed   •  Some  ApplicaQons  Ma^er  More  Than  Others   –  Value  and  character  of  data  being  managed   –  Value  of  the  transacQons  being  processed   –  Cost  of  downQme  and  breaches   •  Therefore  All  ApplicaQons  Should  Not  Be  Treated   the  Same   –  Allocate  different  levels  of  resources  to  assurance   –  Select  different  assurance  acQviQes   –  Also  must  o@en  address  compliance  and  regulatory   requirements   38  
Do  Not  Treat  All  ApplicaQons   the  Same   •  Allocate  Different  Levels  of  Resources  to   Assurance   •  Select  Different  Assurance  AcQviQes   •  Also  Must  O@en  Address  Compliance  and   Regulatory  Requirements   39  
•  Free  /  Open  Source  vulnerability  management  and  aggregaUon  plaVorm:   –  Allows  so@ware  security  teams  to  reduce  the  Qme  to  remediate  so@ware  vulnerabiliQes   –  Enables  managers to speak intelligently about the status / trends of software security within their organization. •  Features/Benefits: –  Imports  dynamic,  staQc  and  manual  tesQng  results  into  a  centralized  plahorm   –  Removes  duplicate  findings  across  tesQng  plahorms  to  provide  a  prioriQzed  list  of  security  faults   –  Eases  communicaQon  across  development,  security  and  QA  teams   –  Exports  prioriQzed  list  into  defect  tracker  of  choice  to  streamline  so@ware  remediaQon  efforts     –  Auto  generates  web  applicaQon  firewall  rules  to  protect  data  during  vulnerability  remediaQon   –  Empowers  managers  with  vulnerability  trending  reports  to  pinpoint  team  issues  and  illustrate  applicaQon   security  progress   –  Benchmark  security  pracQce  improvement  against  industry  standards       •  Freely  available  under  the  Mozilla  Public  License  (MPL)  2.0   •  Download  available  at:  www.denimgroup.com/threadfix   •  Code  available  at:  h^ps://code.google.com/p/threadfix/   40   The  ThreadFix  Approach  
ThreadFix  DemonstraQon   •  Building  Your  ApplicaQon  Porholio   •  Storing  Scanning  Results  Over  Time   •  ReporQng   –  Trending   –  Vulnerability  RemediaQon  Progress   –  Scanner  Benchmarking   –  Porholio  Status   41  
•  Build  Your  ApplicaQon   Porholio   •  Characterize  the   EffecQveness  of  Efforts   Made  to  Date   •  Build  a  Plan  for  Coverage   •  Monitor  Progress   42   Steps  for  Improvement  
43   Dan  Cornell   Principal  and  CTO   dan@denimgroup.com   Twi^er  @danielcornell   +1  (210)  572-­‐4400     www.denimgroup.com   blog.denimgroup.com                             QuesQons?  

More Related Content

What's hot (20)

PDF
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Denim Group
 
PDF
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
PDF
Running a Software Security Program with Open Source Tools (Course)
Denim Group
 
PDF
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
Denim Group
 
PDF
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Denim Group
 
PDF
Blending Automated and Manual Testing
Denim Group
 
PDF
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
PDF
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
PDF
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
PDF
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
PDF
Mobile Application Assessment - Don't Cheat Yourself
Denim Group
 
PDF
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
PDF
ThreadFix 2.1 and Your Application Security Program
Denim Group
 
PDF
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
Denim Group
 
PDF
Secure DevOps with ThreadFix 2.3
Denim Group
 
PDF
Application Assessment Techniques
Denim Group
 
PPTX
Building a Mobile Security Program
Denim Group
 
PDF
Software Security for Project Managers: What Do You Need To Know?
Denim Group
 
PDF
SecDevOps: Development Tools for Security Pros
Denim Group
 
PDF
Vulnerability Management In An Application Security World: AppSecDC
Denim Group
 
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
Running a Software Security Program with Open Source Tools (Course)
Denim Group
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Denim Group
 
Blending Automated and Manual Testing
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
Mobile Application Assessment - Don't Cheat Yourself
Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
ThreadFix 2.1 and Your Application Security Program
Denim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
Denim Group
 
Secure DevOps with ThreadFix 2.3
Denim Group
 
Application Assessment Techniques
Denim Group
 
Building a Mobile Security Program
Denim Group
 
Software Security for Project Managers: What Do You Need To Know?
Denim Group
 
SecDevOps: Development Tools for Security Pros
Denim Group
 
Vulnerability Management In An Application Security World: AppSecDC
Denim Group
 

Similar to Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013) (20)

PPTX
Augmented Reality based Product Identification and Advertising System - Final...
Udara Alwis
 
PPTX
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
Abhay Bhargav
 
PDF
IPNEC - Security Services
Abdus Saboor
 
PPTX
Unveiling the World of Web App Development.pptx
PriyankShah174006
 
PPTX
20th Anniversary - OWASP Top 10 2021.pptx
Dedy Hariyadi
 
PPTX
OWASP Top 10.pptx for latest security lapses in applications
sanjeev2k
 
PPTX
Hacker Proof web app using Functional tests
Ankita Gupta
 
PPTX
HouSecCon 2019: Offensive Security - Starting from Scratch
Spencer Koch
 
PPTX
Google App engine
Indika Munaweera Kankanamge
 
PPTX
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24
 
PPSX
Scaling-up and Automating Web Application Security Tech Talk
Netsparker
 
PDF
Threat modelling & apps testing
Adrian Munteanu
 
PDF
Kimberly-Clark: Challenging the Customer Engagement Status-Quo with an iPad, ...
Xamarin
 
PDF
Application Security in an Agile World - Agile Singapore 2016
Stefan Streichsbier
 
PDF
Put yourself in the appsec pipe - Paolo Perego - Codemotion Milan 2016
Codemotion
 
PDF
Projects Walook
Walook
 
PPTX
Application security in a hurry webinar
kdinerman
 
PDF
Webinar: Why Are You Still Paying for Retired Applications
panagenda
 
PPTX
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Rana Khalil
 
PDF
Apidays Helsinki & North 2024 - Security Vulnerabilities in your APIs by Luká...
apidays
 
Augmented Reality based Product Identification and Advertising System - Final...
Udara Alwis
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
Abhay Bhargav
 
IPNEC - Security Services
Abdus Saboor
 
Unveiling the World of Web App Development.pptx
PriyankShah174006
 
20th Anniversary - OWASP Top 10 2021.pptx
Dedy Hariyadi
 
OWASP Top 10.pptx for latest security lapses in applications
sanjeev2k
 
Hacker Proof web app using Functional tests
Ankita Gupta
 
HouSecCon 2019: Offensive Security - Starting from Scratch
Spencer Koch
 
Google App engine
Indika Munaweera Kankanamge
 
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24
 
Scaling-up and Automating Web Application Security Tech Talk
Netsparker
 
Threat modelling & apps testing
Adrian Munteanu
 
Kimberly-Clark: Challenging the Customer Engagement Status-Quo with an iPad, ...
Xamarin
 
Application Security in an Agile World - Agile Singapore 2016
Stefan Streichsbier
 
Put yourself in the appsec pipe - Paolo Perego - Codemotion Milan 2016
Codemotion
 
Projects Walook
Walook
 
Application security in a hurry webinar
kdinerman
 
Webinar: Why Are You Still Paying for Retired Applications
panagenda
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Rana Khalil
 
Apidays Helsinki & North 2024 - Security Vulnerabilities in your APIs by Luká...
apidays
 
Ad

More from Denim Group (20)

PDF
Long-term Impact of Log4J
Denim Group
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
PDF
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
PDF
Application Asset Management with ThreadFix
Denim Group
 
PDF
OWASP San Antonio Meeting 10/2/20
Denim Group
 
PDF
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
PDF
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
PDF
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
PDF
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
PDF
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
PDF
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
PPTX
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
PDF
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
PDF
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
PDF
AppSec in a World of Digital Transformation
Denim Group
 
PDF
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
PDF
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
PDF
AppSec in a World of Digital Transformation
Denim Group
 
PDF
Enumerating Enterprise Attack Surface
Denim Group
 
Long-term Impact of Log4J
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
Application Asset Management with ThreadFix
Denim Group
 
OWASP San Antonio Meeting 10/2/20
Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
AppSec in a World of Digital Transformation
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
AppSec in a World of Digital Transformation
Denim Group
 
Enumerating Enterprise Attack Surface
Denim Group
 
Ad

Recently uploaded (20)

PDF
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
PDF
The Future of Artificial Intelligence (AI)
Mukul
 
PDF
How ETL Control Logic Keeps Your Pipelines Safe and Reliable.pdf
Stryv Solutions Pvt. Ltd.
 
PDF
State-Dependent Conformal Perception Bounds for Neuro-Symbolic Verification
Ivan Ruchkin
 
PPTX
Farrell_Programming Logic and Design slides_10e_ch02_PowerPoint.pptx
bashnahara11
 
PPTX
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
PDF
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
PPTX
Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...
AndreeaTom
 
PPTX
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
PPTX
The Future of AI & Machine Learning.pptx
pritsen4700
 
PDF
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
PPTX
Agile Chennai 18-19 July 2025 | Workshop - Enhancing Agile Collaboration with...
AgileNetwork
 
PPTX
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
PDF
Researching The Best Chat SDK Providers in 2025
Ray Fields
 
PDF
Build with AI and GDG Cloud Bydgoszcz- ADK .pdf
jaroslawgajewski1
 
PDF
Market Insight : ETH Dominance Returns
CIFDAQ
 
PDF
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
PDF
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
PPTX
AVL ( audio, visuals or led ), technology.
Rajeshwri Panchal
 
PDF
introduction to computer hardware and sofeware
chauhanshraddha2007
 
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
The Future of Artificial Intelligence (AI)
Mukul
 
How ETL Control Logic Keeps Your Pipelines Safe and Reliable.pdf
Stryv Solutions Pvt. Ltd.
 
State-Dependent Conformal Perception Bounds for Neuro-Symbolic Verification
Ivan Ruchkin
 
Farrell_Programming Logic and Design slides_10e_ch02_PowerPoint.pptx
bashnahara11
 
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...
AndreeaTom
 
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
The Future of AI & Machine Learning.pptx
pritsen4700
 
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
Agile Chennai 18-19 July 2025 | Workshop - Enhancing Agile Collaboration with...
AgileNetwork
 
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
Researching The Best Chat SDK Providers in 2025
Ray Fields
 
Build with AI and GDG Cloud Bydgoszcz- ADK .pdf
jaroslawgajewski1
 
Market Insight : ETH Dominance Returns
CIFDAQ
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
AVL ( audio, visuals or led ), technology.
Rajeshwri Panchal
 
introduction to computer hardware and sofeware
chauhanshraddha2007
 

Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)

  • 1. Do  You  Have  a  Scanner   or  a  Scanning  Program?  
  • 2. About  Me     •  Dan  Cornell   •  Founder  and  CTO  of  Denim  Group   •  So@ware  developer  by  background  (Java,  .NET,  etc)   •  OWASP  San  Antonio   •  15  years  experience  in  so@ware  architecture,  development   and  security  
  • 3. •  StaQc  or  Dynamic?  (Or  Both?)   •  Desktop,  Enterprise  or  Cloud   – (Or  All  the  Above?)     3   Who  Has  Purchased  an   Automated  Scanner?  
  • 4. Who  Here  Is  Happy   With  Their  Scanner?   •  Yes   •  No   •  Kind  Of   •  Not  Sure   4  
  • 5. Why  or  Why  Not?       Why  or  Why  Not?   5  
  • 6. Successful  So@ware  Security   Programs   •  Common  Goal   –  Reduce  Risk  by…   •  Reliably  CreaQng  Acceptably  Secure  So@ware   •  Obligatory  “People,  Process,  Technology”  Reference   –  Anybody  got  a  good  Sun  Tzu  quote?   –  I’d  se^le  for  a  von  Clausewitz…   –  Or  perhaps  we  need  to  look  at  Dalai  Lama  quotes  (topic   for  a  different  day)   •  Common  AcQviQes   –  ImplementaQon  must  be  Qed  to  the  specific  organizaQon   6  
  • 7. What  Part  Does  Scanning  Play?   •  OpenSAMM  -­‐  Automated  scanning  is  part  of  both  the  “Security  TesQng”   and  “Code  Review”  Security  PracQces  within  the  VerificaQon  Business   FuncQon   –  Dynamic  scanning  and  staQc  scanning,  respecQvely   •  Common  starQng  point  for  many  organizaQons  embarking  on  so@ware   security  programs   –  There  are  lots  of  commercial  and  freely  available  products  that  can  be  used  in   support  of  this  acQvity     RED  FLAG:   Q:  What  are  you  doing  for  so:ware  security?   A:  We  bought  [Vendor  Scanner  XYZ]     ***  BEWARE  FOSTERING  A  CHECKBOX  CULTURE  ***   7  
  • 8. Scanning  Program:  AnQ-­‐ Pa^erns   •  “Dude  With  a  Scanner”   approach   – Can  also  be   implemented  as  the   “lady  with  a  scanner”   approach   •  “SaaS  and  Forget”   approach   8  
  • 9. Scanner  Program  Metrics   • Breadth   • Depth   • Frequency  
  • 10. Is  Your  Scanner   Missing  Something?   •  Breadth  “Misses”   –  Inadequate  applicaQon   porholio   –  ApplicaQons  not  being  scanned   •  Depth  “Misses”   –  IneffecQve  crawling  ignores   applicaQon  a^ack  surface   –  False  negaQves  resulQng  in   ignorance  of  legiQmate   vulnerabiliQes   –  Excessive  false  posiQves   causing  results  to  be  ignored   •  Frequency  “Misses”   –  ApplicaQons  not  being  scanned   o@en  enough   10  
  • 11. Security  TesQng:  Be^er   Pa^erns   •  Breadth-­‐First  Scanning   –  You  want  a  scanning  program,  not  a   scanner   •  Deep  Assessment  of  CriQcal   ApplicaQons   –  Automated  scanning,  manual  scan   review  and  assessment     •  Understand  that  scanning  is  a  means   to  an  end   –  Not  an  end  in  and  of  itself   –  Start  of  vulnerability  management   11  
  • 12. What  Goes  Into  a  Good   Scanning  Program?   •  Solid  Understanding  of  A^ack  Surface     •  RealisQc  Concept  of  Scanner  EffecQveness     •  Disciplined  History  of  Scanning   •  PrioriQzed  TesQng  Efforts   12  
  • 13. What  Is  Your  So@ware  A^ack   Surface?   13   So@ware  You   Currently  Know   About   Why?   •  Lots  of  value  flows  through  it   •  Auditors  hassle  you  about  it   •  Formal  SLAs  with  customers  menQon  it   •  Bad  guys  found  it  and  caused  an  incident   (oops)   What?   •  CriQcal  legacy  systems   •  Notable  web  applicaQons  
  • 14. What  Is  Your  So@ware  A^ack   Surface?   14   Add  In  the  Rest  of   the  Web   ApplicaQons  You   Actually  Develop   and  Maintain   Why  Did  You  Miss  Them?   •  Forgot  it  was  there   •  Line  of  business  procured  through  non-­‐ standard  channels   •  Picked  it  up  through  a  merger  /  acquisiQon   What?   •  Line  of  business  applicaQons   •  Event-­‐specific  applicaQons  
  • 15. What  Is  Your  So@ware  A^ack   Surface?   15   Add  In  the   So@ware  You   Bought  from   Somewhere   Why  Did  You  Miss  Them?   •  Most  scanner  only  really  work  on  web   applicaQons  so  no  vendors  pester  you  about   your  non-­‐web  applicaQons   •  Assume  the  applicaQon  vendor  is  handling   security   What?   •  More  line  of  business  applicaQons   •  Support  applicaQons   •  Infrastructure  applicaQons  
  • 16. What  Is  Your  So@ware  A^ack   Surface?   16   MOBILE!   THE  CLOUD!   Why  Did  You  Miss  Them?   •  Any  jerk  with  a  credit  card  and  the  ability  to   submit  an  expense  report  is  now  runs  their   own  private  procurement  office   What?   •  Support  for  line  of  business  funcQons   •  MarkeQng  and  promoQon  
  • 17. A^ack  Surface:  The  Security   Officer’s  Journey   •  Two  Dimensions:   – PercepQon  of  So@ware  A^ack  Surface   – Insight  into  Exposed  Assets   17   PercepQon   Insight  
  • 18. •  As  percepQon  of  the  problem  of  a^ack  surface   widens  the  scope  of  the  problem  increases   A^ack  Surface:  The  Security   Officer’s  Journey   18   PercepQon   Insight   Web Applications
  • 19. •  As  percepQon  of  the  problem  of  a^ack  surface   widens  the  scope  of  the  problem  increases   A^ack  Surface:  The  Security   Officer’s  Journey   19   PercepQon   Insight   Web Applications Client-Server Applications
  • 20. •  As  percepQon  of  the  problem  of  a^ack  surface   widens  the  scope  of  the  problem  increases   A^ack  Surface:  The  Security   Officer’s  Journey   20   PercepQon   Insight   Web Applications Client-Server Applications Desktop Applications
  • 21. •  As  percepQon  of  the  problem  of  a^ack  surface   widens  the  scope  of  the  problem  increases   A^ack  Surface:  The  Security   Officer’s  Journey   21   PercepQon   Insight   Web Applications Client-Server Applications Desktop Applications Cloud Applications and Services
  • 22. •  As  percepQon  of  the  problem  of  a^ack  surface   widens  the  scope  of  the  problem  increases   A^ack  Surface:  The  Security   Officer’s  Journey   22   PercepQon   Insight   Web Applications Client-Server Applications Desktop Applications Cloud Applications and Services Mobile Applications
  • 23. •  Discovery  acQviQes  increase  insight   A^ack  Surface:  The  Security   Officer’s  Journey   23   PercepQon   Insight   Web Applications
  • 24. •  Discovery  acQviQes  increase  insight   A^ack  Surface:  The  Security   Officer’s  Journey   24   PercepQon   Insight   Web Applications
  • 25. •  Discovery  acQviQes  increase  insight   A^ack  Surface:  The  Security   Officer’s  Journey   25   PercepQon   Insight   Web Applications
  • 26. •  Over  Qme  you  end  up  with  a  progression   A^ack  Surface:  The  Security   Officer’s  Journey   26   PercepQon   Insight   Web Applications
  • 27. •  Over  Qme  you  end  up  with  a  progression   A^ack  Surface:  The  Security   Officer’s  Journey   27   PercepQon   Insight   Web Applications Client-Server Applications
  • 28. Desktop Applications Client-Server Applications •  Over  Qme  you  end  up  with  a  progression   A^ack  Surface:  The  Security   Officer’s  Journey   28   PercepQon   Insight   Web Applications
  • 29. Desktop Applications Client-Server Applications •  Over  Qme  you  end  up  with  a  progression   A^ack  Surface:  The  Security   Officer’s  Journey   29   PercepQon   Insight   Web Applications Cloud Applications and Services
  • 30. Desktop Applications Client-Server Applications •  Over  Qme  you  end  up  with  a  progression   A^ack  Surface:  The  Security   Officer’s  Journey   30   PercepQon   Insight   Web Applications Cloud Applications and Services Mobile Applications
  • 31. •  When  you  reach  this  point  it  is  called   “enlightenment”   •  You  won’t  reach  this  point   A^ack  Surface:  The  Security   Officer’s  Journey   31   PercepQon   Insight   Web Applications Client-Server Applications Desktop Applications Cloud Applications and Services Mobile Applications
  • 32. An Application Test What  Goes  Into  An  ApplicaQon   Test?   32  
  • 33. Dynamic Analysis What  Goes  Into  An  ApplicaQon   Test?   33   Static Analysis
  • 34. Automated Application Scanning What  Goes  Into  An  ApplicaQon   Test?   34   Static Analysis Manual Application Testing
  • 35. Automated Application Scanning What  Goes  Into  An  ApplicaQon   Test?   35   Automated Static Analysis Manual Application Testing Manual Static Analysis
  • 36. Unauthenticated AutomatedScan What  Goes  Into  An  ApplicaQon   Test?   36   Automated Static Analysis Blind Penetration Testing Manual Static Analysis Authenticated AutomatedScan Informed ManualTesting
  • 37. Unauthenticated AutomatedScan What  Goes  Into  An  ApplicaQon   Test?   37   Automated SourceCode Scanning Blind Penetration Testing ManualSource CodeReview Authenticated AutomatedScan Informed ManualTesting Automated BinaryAnalysis ManualBinary Analysis
  • 38. Value  and  Risk  Are  Not  Equally   Distributed   •  Some  ApplicaQons  Ma^er  More  Than  Others   –  Value  and  character  of  data  being  managed   –  Value  of  the  transacQons  being  processed   –  Cost  of  downQme  and  breaches   •  Therefore  All  ApplicaQons  Should  Not  Be  Treated   the  Same   –  Allocate  different  levels  of  resources  to  assurance   –  Select  different  assurance  acQviQes   –  Also  must  o@en  address  compliance  and  regulatory   requirements   38  
  • 39. Do  Not  Treat  All  ApplicaQons   the  Same   •  Allocate  Different  Levels  of  Resources  to   Assurance   •  Select  Different  Assurance  AcQviQes   •  Also  Must  O@en  Address  Compliance  and   Regulatory  Requirements   39  
  • 40. •  Free  /  Open  Source  vulnerability  management  and  aggregaUon  plaVorm:   –  Allows  so@ware  security  teams  to  reduce  the  Qme  to  remediate  so@ware  vulnerabiliQes   –  Enables  managers to speak intelligently about the status / trends of software security within their organization. •  Features/Benefits: –  Imports  dynamic,  staQc  and  manual  tesQng  results  into  a  centralized  plahorm   –  Removes  duplicate  findings  across  tesQng  plahorms  to  provide  a  prioriQzed  list  of  security  faults   –  Eases  communicaQon  across  development,  security  and  QA  teams   –  Exports  prioriQzed  list  into  defect  tracker  of  choice  to  streamline  so@ware  remediaQon  efforts     –  Auto  generates  web  applicaQon  firewall  rules  to  protect  data  during  vulnerability  remediaQon   –  Empowers  managers  with  vulnerability  trending  reports  to  pinpoint  team  issues  and  illustrate  applicaQon   security  progress   –  Benchmark  security  pracQce  improvement  against  industry  standards       •  Freely  available  under  the  Mozilla  Public  License  (MPL)  2.0   •  Download  available  at:  www.denimgroup.com/threadfix   •  Code  available  at:  h^ps://code.google.com/p/threadfix/   40   The  ThreadFix  Approach  
  • 41. ThreadFix  DemonstraQon   •  Building  Your  ApplicaQon  Porholio   •  Storing  Scanning  Results  Over  Time   •  ReporQng   –  Trending   –  Vulnerability  RemediaQon  Progress   –  Scanner  Benchmarking   –  Porholio  Status   41  
  • 42. •  Build  Your  ApplicaQon   Porholio   •  Characterize  the   EffecQveness  of  Efforts   Made  to  Date   •  Build  a  Plan  for  Coverage   •  Monitor  Progress   42   Steps  for  Improvement  
  • 43. 43   Dan  Cornell   Principal  and  CTO   [email protected]   Twi^er  @danielcornell   +1  (210)  572-­‐4400     www.denimgroup.com   blog.denimgroup.com                             QuesQons?