Building Your Application Security Data Hub - OWASP AppSecUSA
6 likes2,096 views
The document discusses the need for structured vulnerability information in application security and presents the Application Security Data Hub concept. It outlines challenges in application security, emphasizing the importance of data gathering, automation, and integration of various security tools. Key projects, such as ThreadFix and hybrid analysis mapping, are highlighted as solutions to unify vulnerability data and improve risk management strategies.
Building Your Application Security Data Hub - OWASP AppSecUSA
- 1. AppSec USA 2014 Denver, Colorado Building Your Application Security Data Hub The Imperative for Structured Vulnerability Information This presenta,on contains informa,on about DHS-‐funded research: Topic Number: H-‐SB013.1-‐002 -‐ Hybrid Analysis Mapping (HAM) Proposal Number: HSHQDC-‐13-‐R-‐00009-‐H-‐SB013.1-‐002-‐0003-‐I
- 2. 2 Dan Cornell with a respectable hair cut, a nice shirt, and a coat Biography Dan Cornell • Founder and CTO of Denim Group • SoQware developer by background (Java, .NET, etc) • OWASP San Antonio
- 3. 3 So You Want To Run an AppSec Program?
- 4. 4 • ApplicaWon Security Challenges – Spans MulWple Disciplines – ComparaWvely New – Scale of the Problem • ApplicaWon Security Data Hub – Sources, Sinks, Flows • Program Metrics and Tracking Agenda
- 5. 5 Spans Multiple Disciplines • InformaWon Security – ApplicaWon Security • Audit and Compliance • Risk Management • (Oh Almost Forgot: SoQware Development) • (And . . . SoQware Development Is Where Most of the Magic Has to Happen)
- 6. 6 Comparatively New Discipline • Physical Security: Old • InformaWon Security: Kinda New • ApplicaWon Security: Really New • New Discipline Means Immature Metrics – Possibly non-‐existent, certainly not generally-‐ accepted – Don’t know how to talk about the problem • New Discipline Means New Tools – No standards for interacWon
- 7. 7 • “Legacy” Lines of Code • QuanWty of ApplicaWons • Dearth of Qualified Professionals Scale of the Problem
- 8. 8 We Have a Huge Mul,disciplinary Problem In An Area We Can’t Properly Characterize Where We’re Horribly Outnumbered So . . .
- 9. 9 What to Do About It? • Gather Data • Communicate to Stakeholders • Automate the Heck Out of Whatever Possible • Repeat
- 10. 10 So What Does This Look Like? Applica,on Security Data Hub • Sources, Sinks and Flows • Vulnerability Data • DetecWon/PrevenWon Sensors • Developer Tools • Risk Management
- 11. 11 Automation In the Absence of Automa,on You’re Doomed • Automate everything you can • Free up people cycles for people-‐only tasks
- 12. 12 Open Source App Security Data Hub ThreadFix • Create a consolidated view of your applicaWons and vulnerabiliWes • PrioriWze applicaWon risk decisions based on data • Translate vulnerabiliWes to developers in the tools they are already using • GitHub Site: github.com/denimgroup/threadfix
- 13. 13 Supported Technologies List of Supported Tools / Technologies: Dynamic Scanners Acune&x Arachni Burp Suite HP WebInspect IBM Security AppScan Standard IBM Security AppScan Enterprise Mavituna Security Netsparker NTO Spider OWASP Zed AAack Proxy Tenable Nessus Skipfish w3aF Sta,c Scanners FindBugs IBM Security AppScan Source HP For&fy SCA MicrosoK CAT.NET Brakeman SaaS Tes,ng PlaHorms WhiteHat Veracode QualysGuard WAS IDS/IPS and WAF DenyAll F5 Imperva Mod_Security Snort Defect Trackers Atlassian JIRA MicrosoK Team Founda&on Server Mozilla Bugzilla Known Vulnerable Component Scanner Dependency Check
- 15. 15 Vulnerability Management • Vulnerability DetecWon • Vulnerability MiWgaWon • Vulnerability RemediaWon
- 16. 16 Vulnerability Detection SAST DAST IAST Known Vulnerable Component Automated Threat Modeling Code Review PenetraWon TesWng Manual Data Hub
- 17. 17 What is a Unique Vulnerability? • (CWE, RelaWve URL) – Predictable resource locaWon – Directory lisWng misconfiguraWon • (CWE, RelaWve URL, InjecWon Point) – SQL injecWon – Cross-‐site ScripWng (XSS) • InjecWon points – Parameters – GET/POST – Cookies – Other headers
- 18. 18 Why Common Weakness Enumeration? • Every tool has their own “spin” on naming vulnerabiliWes • OWASP Top 10 / WASC 24 are helpful but not comprehensive • CWE is exhausWve (though a bit sprawling at Wmes) • Reasonably well-‐adopted standard • Many tools have mappings to CWE for their results • Main site: hgp://cwe.mitre.org/
- 19. 19 Fill ThreadFix Up With Vulnerability Data • Manual file upload • REST API – hgps://github.com/denimgroup/threadfix/wiki/Threadfix-‐ REST-‐Interface • Command Line Interface (CLI) – hgps://github.com/denimgroup/threadfix/wiki/Command-‐ Line-‐Interface – JAR can also be used as a Java REST client library • Jenkins plugin – Contributed from the ThreadFix community (yeah!) – hgps://github.com/automaWondominaWon/threadfix-‐plugin
- 20. 20 ThreadFix Jenkins Configuration 20
- 21. 21 What Does ThreadFix Do With Scan Results • Diff against previous scans with same technology – What vulnerabiliWes are new? – What vulnerabiliWes went away? – What vulnerabiliWes resurfaced? • Findings marked as false posiWve are remembered across scans – Hopefully saving analyst Wme • Normalize and merge with other scanners’ findings – SAST to SAST – DAST to DAST – SAST to DAST via Hybrid Analysis Mapping (HAM)
- 22. 22 Demo: Vulnerability Merge
- 23. 23 Know What Would Make My Life Easier? Standard Vulnerability Data Format Couple of current efforts: • SSVL – Based on lessons learned from ThreadFix – hgps://github.com/OWASP/SSVL • OWASP DEF – OWASP effort – hgps://www.owasp.org/index.php/OWASP_Data_Exchange_Format_Project • Working to unify these
- 24. 24 Hybrid Analysis Mapping (HAM) • IniWal research funded by the US Department of Homeland Security (DHS) Science and Technology (S&T) Directorate via a Phase 1 and (now) Phase 2 Small Business InnovaWon Research (SBIR) contract – Acronyms! • IniWal goal: SAST to DAST merging • Results: That, plus other stuff
- 25. 25 Demo: Merging Static and Dynamic Scanner Results
- 26. 26 Demo: Merging Static and Dynamic Scanner Results
- 27. 27 Merging Static and Dynamic Results Is Cool …But I want more • Problem: Many DAST scanners handle applicaWons with RESTful URLs poorly • Problem: Many applicaWons have “hidden” landing pages and parameters that will not be found by standard crawling • Problem: DAST scanner results can be hard for developers to act on • What else can we do with this agack surface model / database? – Clean up scanner results – Enumerate applicaWon agack surface – Map dynamic results to specific lines of code
- 28. 28 Demo: De-Duplicate Dynamic RESTful Scanner Results
- 29. 29 Demo: De-Duplicate Dynamic RESTful Scanner Results
- 30. 30 Demo: Application Attack Surface (CLI)
- 31. 31 Demo: Seed Scanner with Attack Surface
- 32. 32 Vulnerability Mitigation Data Hub WAF/IDS/IPS Sensor
- 33. 33 Demo: Generating Virtual Patches
- 34. 34 Demo: Importing Sensor Logs
- 35. 35 Vulnerability Remediation Security Approaching Development Teams… • PDFs • Excel spreadsheets • “Log into this new system”
- 36. 36 Vulnerability Remediation An Alternate Approach • Help ‘em Out • Take Advantage of the Tools and Processes They Are Already Using
- 37. 37 Vulnerability Remediation Data Hub This is also called “bug tracking” by less-‐fancy people ApplicaWon Lifecycle Management Integrated Development Environment
- 38. 38 Mapping Vulnerabilities to Defects • 1:1 mapping is (usually) a horrible idea – 500 XSS turned into 500 defects? – If it takes longer to administer the bug than it does to fix the code… • Cluster like vulnerabilities – Using the same libraries / funcWons – Cut-‐and-‐paste remediaWon code – Be careful about context-‐specific encoding • Combine by severity – Especially if they are cause for an out-‐of-‐cycle release • Which developer “owns” the code?
- 39. 39 Defect Tracker Integration • Bundle mulWple vulnerabiliWes into a defect – Using standard filtering criteria • ThreadFix periodically updates defect status from the tracker
- 40. 40 Demo: Defect Tracker Integration
- 41. 41 IDE Plug Ins • Import vulnerability data to integrated development environments (IDEs) • StaWc (SAST) scanners – Easy • Dynamic (DAST) scanners – Possible using Hybrid Analysis Mapping (HAM)
- 42. 42 Demo: Maping Vulnerabilities in IDE
- 43. 43 • Nobody Likes Uncertainty • Measurement Is Key Risk Management 43
- 44. 44 Risk Management Data Hub GRC
- 45. 45 Vulnerability Filtering • Filter vulnerability data – Scanner, scanner count – Vulnerability type – Path, parameter – Severity – Status – Aging • Save filters for future use
- 46. 46 Demo: Vulnerability Filtering
- 47. 47 Reporting • Trending • Progress by Vulnerability – For program benchmarking • Porpolio Report – For resource prioriWzaWon • Comparison – For scanner/technology benchmarking
- 48. 48 What to Look For? Metrics That Can Help • Vulnerability Prevalence • Vulnerability ResoluWon Rate • Mean Time To Fix (MTTF) 48
- 50. 50 So What Have We Covered? • ApplicaWon Security Is Hard – Lots of people and systems involved • Data Trumps FUD • AutomaWon Is CriWcal 50
- 51. 51 ThreadFix Links • Main ThreadFix website: www.threadfix.org – General informaWon, downloads • ThreadFix GitHub site: github.com/denimgroup/threadfix – Code, issue tracking • ThreadFix GitHub wiki: hgps://github.com/denimgroup/threadfix/wiki – Project documentaWon • ThreadFix Google Group: hgps://groups.google.com/forum/?fromgroups#!forum/threadfix – Community support, general discussion
- 52. 52 Contact Questions / Contact Information Dan Cornell [email protected] Twiger @danielcornell (210) 572-‐4400