Full stack vulnerability management at scale
Download as PPTX, PDF2 likes193 views
- Full-stack vulnerability management is needed to address security risks across applications, servers, databases, services, and operating systems. Automation is key to assessing security at scale across the full technology stack. - While automation can detect many technical vulnerabilities, it cannot assess logical vulnerabilities involving business logic, authorization, or compliance issues that require human judgment and context. - Continuous vulnerability management is needed to keep pace with today's agile development cycles and constantly changing environments, focusing on changes since the last assessment to prioritize remediation.
![FIN
• We can scale but not everything is [easily]
scalable
• Discover Tech Vulns using Tech
• Consider full-stack, don’t let marketing dictate risk.
• Lets test to mirror DevOps
• Convergence is necessary to address issue.
@eoinkeary
eoin@bccriskadvisory.com](https://image.slidesharecdn.com/full-stackvulnerabilitymanagementatscalethefutureofsecurityassessment-190415134303/85/Full-stack-vulnerability-management-at-scale-41-320.jpg)
Full stack vulnerability management at scale
- 1. Full-stack Vulnerability Management at Scale & The Future of Security Assessment Eoin Keary CTO edgescan™
- 2. Eoin Keary CTO/Founder edgescan.com OWASP Leader/Member/Ireland Founder OWASP Global Board Member (2009-2015)
- 3. Web Risk • Application Security • Host Security • Both / Either / Or • It’s all software right.
- 4. Full-Stack!
- 5. Web Applications App Server SSL/TLS Databases Services Operating Systems Networks Full Stack Security
- 6. Appsec VA Threat Intel ENdPoint One Problem – “silos of solutions”
- 7. 2015 - Year in Review
- 8. 2016 – First 100 days • 83,000 impacted by breach at Gyft Inc • 7,000,000 Minecraft • 55,000,000 Records - COMELEC • Hyatt data beach 250 hotels in 50 countries • Neiman Marcus – 5,200 accounts • TaxSlayer – 8,800 customers
- 9. Old Vulnerabilities 99.9% of the exploited vulnerabilities in had been compromised more than a year after the associated CVE was published. - “Zero day’s” are overrated.
- 10. Segregated Industry • Developers Vs Security • Admin Vs Developers • Security Vs Admin
- 11. Divergence Application Security Vs Vulnerability Analysis Market Driven Separation Vs Risk Convergence Developer ←→ Security ←→ Admin DevSecOps AppSec + HostSec -> Fullstack
- 12. Agile Risk Model Fail Early – Fail Often “Push Left”
- 13. Continuous Security “Keeping up” with development. Assisting secure deployment. Catching bugs early – Push Left. Help ensure “change” is secure
- 14. Host/Server/Framework > 30 billion Open source downloads 2015 90% of application code is framework 63%* don’t monitor component security 43%* don’t have open source policy * http://www.sonatype.com/about/2014-open-source-software-development-survey
- 15. AppSec/Component Sec • “If you're not doing component vulnerability management you’re not doing appsec…” – 90% of application code is framework • “If you’re not doing full-stack you are not doing security…” – Hackers don’t give a S*#t
- 16. Security by Numbers Likelihood of a vulnerability being discovered – Web Applications
- 17. Security by Numbers Likelihood of a vulnerability being discovered (root cause) – Hosting Layer
- 18. Security by Numbers edgescan Vulnerability Statistics Report 2015
- 19. Thoughts – Patching & Component Management “Of all the vulnerabilities discovered in 2015, 63% could have been mitigated via patch, configuration and component management combined.” edgescan Vulnerability Statistics Report 2015
- 20. Problems? Security in a constant state of flux.
- 21. “We Can” scale.. Automation of assessment Depth Coverage / Breadth Rigour
- 23. Levelling the Playing Field
- 24. Automation!! • Jenkins, Hudson, Bamboo – Event driven – Scheduled – Incremental • CHEF, Puppet, Cloud(immutable) Sounds great…. but
- 25. Automation and Integration • Automation can detect technical vulnerabilities – Misuse of code – Coding Bugs – Implementation Mistakes
- 26. Automation and Integration • Automation can NOT detect Logical vulnerabilities – Business Logic – Backdoors (E.g. Juniper, Fortinet) – Provide Risk measurement – Business Context
- 27. Accuracy/Information/Context The “Anti-Scale” Risk/ Business Context Information Vs Data Human Decisions and Intel Technical constraints -> Chokepoints
- 28. The “Anti-Scale” New languages and programming methods Growth of interpreted languages with no strong typing (Javascript, Ruby,…) – “hurts” SAST Few automated tools to test APIs / RESTful APIs Testing Window is squeezed, manual testing is doomed!?
- 29. Fighting The “Anti-Scale” Accuracy “Rule Tuning” – DAST & SAST Build Fails! White Noise Suppression Real Security Vs “Best Practice” Updates to Rules Scale “Delta Analysis” Previous Vs Current Changes FP’s / FN’s
- 30. SAST Integration • Analysis without Runtime - SAST • More than just tooling • Management Lifecycle – Rule Management & Tuning / False Positives • Cant cover Vuln Taxonomy –Blindspots
- 31. SAST Blindspots • Storage and transmission of confidential information • Logic: Authentication, brute force attacks, effectiveness of password reset etc. • Logic: Privilege escalation and insufficient authorization. Business Logic • Data privacy: data retention and other compliance (e.g. ensuring credit card numbers are masked when displayed) - context
- 32. DAST Tool/Runtime Vulnerability Management - Pitfalls • Coverage Depth – can be shallow • App Complexity - enemy • Logical vulns – poor • “Trial and error” testing
- 33. Vulnerability Assessment (Host) • Easy to perform, Harder to manage • First assessment – higher work effort – establish coverage (Reduce FN’s) – Weed out FP’s • Delta Analysis – Previous Vs Current
- 34. Component Security Don’t forget…. • Unpredictable (Like Host Security). • Requires frequent/continuous vigilance. • Fix can be difficult and not backward friendly
- 35. Delta-Metrics • Vuln type - (CVE, OWASP, WASC, SANS..) • Tech Stack - (Code, F-work, Host etc) • Layer - (App/Host) • Root Cause - (Code, Patch, Config / Deploy) – Technical, Logical/Behavioural Vuln
- 36. Continuous Asset Profiling • Detect Global Estate Changes – New / Dead active IP’s – Service Changes (Ports open / enabled). – Perimeter Change – Firewall/ACL changes – Rogue deployments
- 37. Fighting The “AntiScale” - Delta Analysis Measure of change in a target environment. Focusing on change in risk posture compared to last assess -> Closed, New, False Positives
- 38. Fighting The “Anti-Scale”- Testing like a Developer Break testing into little pieces Smoke / Incremental Vs full regression testing “Early and Often” – Continuous, on demand – Testing duration drives testing frequency
- 39. Business & Behavioural Testing At scale: Can be Difficult ….. Technical Security is covered by “tuned” Automation….. More Time to “Deep Dive”
- 40. “Future of Pentesting” • Push towards Technical Vulnerabilities rooted out using technical methods/services ….. • Push from time chasing Top 10 (SQLI, XSS, etc) -To- Behavioural, Logical, Business flow assessment. • Constant flux requires constant assessment. • Point-in-time is dead?
- 41. FIN • We can scale but not everything is [easily] scalable • Discover Tech Vulns using Tech • Consider full-stack, don’t let marketing dictate risk. • Lets test to mirror DevOps • Convergence is necessary to address issue. @eoinkeary [email protected]