SlideShare a Scribd company logo

Automated Security Testing with Seccubus confidence 2015

Download as PPTX, PDF
Frank Breedijk, profile picture
Frank Breedijk

The document presents an analysis of the Seccubus project, initiated to automate vulnerability scanning and improve security operations. It details the evolution of Seccubus, its integration with continuous delivery, and the benefits of scheduled scans to reduce false positives and enhance efficiency. The authors emphasize the importance of proactive security measures and collaboration among security professionals.

Technology
1 of 69
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
CONFIDENCE CONFERENCE Analyzing Security Findigns the Easy Way 6 years later… SECCUBUS This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CONFIDENCE CONFERENCE Frank Breedijk • Security Officer at Schuberg Philis • (Official) Security dude since 2000 • Author of Seccubus Coordinates: • fbreedijk@schubergphilis.com • https://www.linkedin.com/in/seccubus • @Seccubus on Twitter Glenn ten Cate • Mission Critical Engineer Security at Schuberg Philis • Security Dude • Author of Security Knowledge Framework Coordinates: • gtencate@schubergphilis • https://nl.linkedin.com/pub/glenn-ten-cate/3b/11a/117 WHO ARE WE?
CONFIDENCE CONFERENCE Frustration Being challanged To make my life easier WHY DID I START THE SECCUBUS PROJECT? Y ? A CC NC ND image by Tehmina Goskar https://www.flickr.com/photos/13114254@N00/119475590/
CONFIDENCE CONFERENCE C. Lueless Mission: • Mission: Perform a bi-weekly vulnerability scan of all our public IP addresses B. Rightlad A STORY ABOUT TWO GUYS These and all non-attributed photos of Frank Breedijk are taken by Jan Jacob Bos
CONFIDENCE CONFERENCE C. LUELESS – TAKES A CLASSIC APPROACH
CONFIDENCE CONFERENCE GETTING UP WAY TO EARLY…
CONFIDENCE CONFERENCE … STARTING THE SCANNER IN THE MAINTENANCE WINDOW…
CONFIDENCE CONFERENCE … WAITING …
CONFIDENCE CONFERENCE … ANALYSIS
CONFIDENCE CONFERENCE Scanners are written for consultants, not operations Scanners need to make a tradeoff between false positives and false negatives Most scanners produce an awfull lot of output Scanning takes time, tools are poorly automated WHAT IS C. LUELESS’ PROBLEM?
CONFIDENCE CONFERENCE B. RIGHTLAD CHOOSES SECCUBUS
CONFIDENCE CONFERENCE CONFIGURATION IN THE MORNING
CONFIDENCE CONFERENCE … GO HOME …
CONFIDENCE CONFERENCE … RELAX …
CONFIDENCE CONFERENCE … THE SCAN RUNS AT NIGHT … Image: Orion's Umbra, a CC NC image from jahdakinebrah's photostream
CONFIDENCE CONFERENCE … IN THE MORNING …
CONFIDENCE CONFERENCE … ANALYZE AND REMEDIATE
CONFIDENCE CONFERENCE WHAT HAPPENED UNDER THE HOOD? Do-scan Nessus/sc an Nessus .nessus files nessus2ivilIvil file Load ivil Database
CONFIDENCE CONFERENCE ALLABOUT STATUS New Open No issue
CONFIDENCE CONFERENCE Is the work in balance with the profit? BALANCE A fine balance a CC NC ND Image by Anish B George https://www.flickr.com/photos/22199070@N00/3311106984/
CONFIDENCE CONFERENCE TWO WEEKS LATER Image: 1/365, a CC NC ND image from cubedude27's photostream
CONFIDENCE CONFERENCE C. LUELESS – TAKES A CLASSIC APPROACH
CONFIDENCE CONFERENCE GETTING UP WAY TO EARLY…
CONFIDENCE CONFERENCE … STARTING THE SCANNER IN THE MAINTENANCE WINDOW…
CONFIDENCE CONFERENCE … WAITING …
CONFIDENCE CONFERENCE … ANALYSIS
CONFIDENCE CONFERENCE WAS IT REALLY WORTH IT?
CONFIDENCE CONFERENCE B. RIGHTLAD CHOOSES SECCUBUS
CONFIDENCE CONFERENCE … GO HOME …
CONFIDENCE CONFERENCE … RELAX …
CONFIDENCE CONFERENCE … THE SCAN RUNS AT NIGHT … Image: Half Moon, a CC NC ND image from za3tooor's photostream
CONFIDENCE CONFERENCE … IN THE MORNING …
CONFIDENCE CONFERENCE … ANALYZE AND REMEDIATE
CONFIDENCE CONFERENCE ALLABOUT STATUS New Open No issue ChangedGone Closed Masked
CONFIDENCE CONFERENCE Don’t bother users with non-actionable findings OK IS OK… Woo a CC NC SA image by Rick Harrison https://www.flickr.com/photos/81851211@N00/2682663297/
CONFIDENCE CONFERENCE ANOTHER TWO WEEKS PASS… Image: Cosas hechas, a CC ND image from srgblog's photostream
CONFIDENCE CONFERENCE C. LUELESS – TAKES A CLASSIC APPROACH
CONFIDENCE CONFERENCE GETTING UP WAY TO EARLY…
CONFIDENCE CONFERENCE … STARTING THE SCANNER IN THE MAINTENANCE WINDOW…
CONFIDENCE CONFERENCE … WAITING …
CONFIDENCE CONFERENCE … ANALYSIS
CONFIDENCE CONFERENCE B. RIGHTLAD CHOOSES SECCUBUS
CONFIDENCE CONFERENCE … GO HOME …
CONFIDENCE CONFERENCE … RELAX …
CONFIDENCE CONFERENCE … THE SCAN RUNS AT NIGHT … Image: Himalayan Moonrise, a CC NC ND image from swamysk's photostream
CONFIDENCE CONFERENCE … IN THE MORNING …
CONFIDENCE CONFERENCE … ANALYZE AND REMEDIATE
CONFIDENCE CONFERENCE Succubus In-Seccubus Seccubus WHAT IS IN A NAME?
CONFIDENCE CONFERENCE Monthly Seccubus runs means: Scans are scheduled via crontab Only the findings that need attention get it Less errors due to less repetitave work. The amount of effort is proportional to the amount of changes Risk is proportional to the amount of changes SO…
CONFIDENCE CONFERENCE COMPARE Image: Apples & Oranges - They Don't Compare, a CC image from thebusybrain's photostream
CONFIDENCE CONFERENCE REDUCE Image: Slimmer, a CC NC ND image from mkmabus's photostream
CONFIDENCE CONFERENCE 6 YEARS AGO…
CONFIDENCE CONFERENCE ULTIMATE GOAL Image: StuttgargoalRobin, a CC image from dankamminga's photostream
CONFIDENCE CONFERENCE Name Seccubus chosen here at Confidence Added new scanners Wrote a new GUI SECCUBUS HAS EVOLVED Medusa SSLyze
CONFIDENCE CONFERENCE Intermediate Vulnerability Information Language Intermediate format that allows tools to interface and exchange findings A LITTLE IVIL GOES A LONG WAY Image: EVIL a CC NC SA image from krazydad's photostream
CONFIDENCE CONFERENCE It does not try to capture everything It does not try to fit each case The specification is not 63 pages Simple to read Simple to write Simple to use Simple License (MIT) Easy to integrate new tools into Seccubus IVIL
CONFIDENCE CONFERENCE Joined Schuberg Philis 2 years ago Main focus: Web Application Security We need to integrate this into our pipeline ENTER GLENN Enter here a CC NC ND image by Anne Petersen https://www.flickr.com/photos/60258967@N00/4183985730/
CONFIDENCE CONFERENCE Breaches are moving from layer 3 to layer 7 There’s only so many security dudes to drive the tools Integrate into continuous delivery WHY?
CONFIDENCE CONFERENCE Google’s web application security scanner Open Source Noisy Not very subtile Not production safe! FIRST WIN: SKIPFISH Skip w/ fish a CC NC ND image by AlBakker https://www.flickr.com/photos/45213160@N00/206944920/
CONFIDENCE CONFERENCE Open source Like Burp but free (as in speech) Actively developed and maintained OWASP Flag Ship Project SECOND WIN: OWASP ZAP IEEE Scrum a CC NC SA image by Jim Carson https://www.flickr.com/photos/44124442504@N01/2208956607/
CONFIDENCE CONFERENCE Help developers write better code Enable Security by Design • Knowledge system for risk analysis Code Securely • Code examples Check code before commit • OWASP Application Security Verification Standard Newly adopted as OWASP Project SECURITY KNOWLEDGE FRAMEWORK Moving Hacks a CC NC SA image by Brian Sawyer https://www.flickr.com/photos/45609637@N00/229360390/
CONFIDENCE CONFERENCE Coding • Perl • Angular Requirements • What do you want Testers • Challenge the quality of our crack ;) Documentation • Help us get new users Users SECCUBUS CAN USE YOUR HELP Image: Hang On, a CC NC ND image from brraveheart's photostream
CONFIDENCE CONFERENCE First public preview of new interface SNEAK PREVIEW "Celebs" a cc by nc sa licensed photo by Nick Sherman: http://flickr.com/photos/nicksherman/4145966095/
Automated Security Testing with Seccubus confidence 2015
Automated Security Testing with Seccubus confidence 2015
Automated Security Testing with Seccubus confidence 2015
CONFIDENCE CONFERENCE New user interface (RSN) Start/schedule scans from the GUI Integration with Security Knowledge Framework Add user/rights management Track issues as well as findings Reporting More??? ROADMAP Albany NY 1950 a CC image by david https://www.flickr.com/photos/23465812@N00/6877290919/
CONFIDENCE CONFERENCE www.seccubus.com QUESTIONS Image: What now?, a CC ND image from laurenclose's photostream
CONFIDENCE CONFERENCE Frank Breedijk • Security Officer at Schuberg Philis • (Official) Security dude since 2000 • Author of Seccubus Coordinates: • fbreedijk@schubergphilis.com • https://www.linkedin.com/in/seccubus • @Seccubus on Twitter Glenn ten Cate • Mission Critical Engineer Security at Schuberg Philis • Security Dude • Author of Security Knowledge Framework Coordinates: • gtencate@schubergphilis • https://nl.linkedin.com/pub/glenn-ten-cate/3b/11a/117 WHO ARE WE?

More Related Content

PDF
Data Days 2014 - Matt Weiden
datadays
 
PPTX
Content Delivery in an On-Demand Age
Hostway|HOSTING
 
PDF
The Blameless Cloud: Bringing Actionable Retrospectives to Salesforce
J. Paul Reed
 
PDF
Operational Software Design
Theo Schlossnagle
 
PDF
Enterprise Vulnerability Management - ZeroNights16
Alexander Leonov
 
PPTX
We Heart It Powerpoint FIT 1050
fionaahuang
 
PDF
Nessus and Reporting Karma
n|u - The Open Security Community
 
PPTX
Design Practices for a Secure Azure Solution
Michele Leroux Bustamante
 
Data Days 2014 - Matt Weiden
datadays
 
Content Delivery in an On-Demand Age
Hostway|HOSTING
 
The Blameless Cloud: Bringing Actionable Retrospectives to Salesforce
J. Paul Reed
 
Operational Software Design
Theo Schlossnagle
 
Enterprise Vulnerability Management - ZeroNights16
Alexander Leonov
 
We Heart It Powerpoint FIT 1050
fionaahuang
 
Nessus and Reporting Karma
n|u - The Open Security Community
 
Design Practices for a Secure Azure Solution
Michele Leroux Bustamante
 

Viewers also liked (20)

PPT
Portfolio
Geek Zwetsloot Fotograaf
 
PPTX
2015 Halifax Index Presentation
Halifax Partnership
 
PDF
#ForoEGovAR | Plataforma UNKSOC.ORG y Desarrollo de la Comunidad
CESSI Argentina
 
PDF
Baseline & impact assessments & lessons learnt: UTZ Certified Ghana and Ivory...
Verina Ingram
 
PPTX
RESTful Web Services @AnkaraPHP meetup
Fatih Karatana
 
PDF
Beyond xUnit example-based testing: property-based testing with ScalaCheck
Franklin Chen
 
PDF
Hellomynameis,lindsayhoward
Lindsay Howard
 
PPTX
#myHFXpledge
Halifax Partnership
 
PPTX
Flat plans
Becca McPartland
 
PPTX
Rene descartes
Jackie Magaña
 
PPT
Blue wrap recycling
Capital G
 
KEY
Boris Chan - FITC SCREENS - Becoming Social By Default on Mobile
Boris Chan
 
PPTX
Pres
Andrey L
 
PDF
How to use ustream producer
Amiel Pangilinan
 
PDF
Strategic research agenda for cocoa coffee Wageningen UR 09062014
Verina Ingram
 
PDF
The Image Of Den helder
Wouter Valkenier
 
PPT
Samsung Monitor
Paul T
 
PDF
Entity Linking via Graph-Distance Minimization
Roi Blanco
 
PDF
User-centred innovation at Digital World Research Centre
Peter Lancaster
 
PPTX
Q4 evaluation
Becca McPartland
 
Portfolio
Geek Zwetsloot Fotograaf
 
2015 Halifax Index Presentation
Halifax Partnership
 
#ForoEGovAR | Plataforma UNKSOC.ORG y Desarrollo de la Comunidad
CESSI Argentina
 
Baseline & impact assessments & lessons learnt: UTZ Certified Ghana and Ivory...
Verina Ingram
 
RESTful Web Services @AnkaraPHP meetup
Fatih Karatana
 
Beyond xUnit example-based testing: property-based testing with ScalaCheck
Franklin Chen
 
Hellomynameis,lindsayhoward
Lindsay Howard
 
#myHFXpledge
Halifax Partnership
 
Flat plans
Becca McPartland
 
Rene descartes
Jackie Magaña
 
Blue wrap recycling
Capital G
 
Boris Chan - FITC SCREENS - Becoming Social By Default on Mobile
Boris Chan
 
Pres
Andrey L
 
How to use ustream producer
Amiel Pangilinan
 
Strategic research agenda for cocoa coffee Wageningen UR 09062014
Verina Ingram
 
The Image Of Den helder
Wouter Valkenier
 
Samsung Monitor
Paul T
 
Entity Linking via Graph-Distance Minimization
Roi Blanco
 
User-centred innovation at Digital World Research Centre
Peter Lancaster
 
Q4 evaluation
Becca McPartland
 
Ad

Similar to Automated Security Testing with Seccubus confidence 2015 (20)

PDF
API Training 10 Nov 2014
Digital Bond
 
PDF
Tech w23
SelectedPresentations
 
PPTX
Penetration testing dont just leave it to chance
Dr. Anish Cheriyan (PhD)
 
PDF
Strategies for Web Application Security
OpSource
 
PDF
Strategies for Web Application Security
OpSource
 
PDF
Acunetix Training and ScanAssist
Bryan Ferrario
 
PDF
Defcon 23 - damon small - beyond the scan
Felipe Prado
 
PPTX
Hacker Halted Miami , USA 2010
Aditya K Sood
 
PPTX
Using Assessment Tools on ICS (English)
Digital Bond
 
PDF
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Damon Small
 
PDF
Cloud penetrator-hakin9-review-march-2012
Amiga Utomo
 
PPTX
Bringing CD to the DoD
Gene Gotimer
 
PPTX
Aksit profile final
Saurabh Kumar
 
PPTX
AKS IT Corporate Presentation
aksit_services
 
PPTX
Security Testing.pptx
osandadeshan
 
PPT
Security Testing
ISsoft
 
PPTX
Domain 6 - Security Assessment and Testing
Maganathin Veeraragaloo
 
PPTX
Security testing fundamentals
Cygnet Infotech
 
PPTX
Security assessment with a hint of CISSP Prep
EnterpriseGRC Solutions, Inc.
 
PPT
Practical Security Architecture Analysis
Phil Huggins FBCS CITP
 
API Training 10 Nov 2014
Digital Bond
 
Tech w23
SelectedPresentations
 
Penetration testing dont just leave it to chance
Dr. Anish Cheriyan (PhD)
 
Strategies for Web Application Security
OpSource
 
Strategies for Web Application Security
OpSource
 
Acunetix Training and ScanAssist
Bryan Ferrario
 
Defcon 23 - damon small - beyond the scan
Felipe Prado
 
Hacker Halted Miami , USA 2010
Aditya K Sood
 
Using Assessment Tools on ICS (English)
Digital Bond
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Damon Small
 
Cloud penetrator-hakin9-review-march-2012
Amiga Utomo
 
Bringing CD to the DoD
Gene Gotimer
 
Aksit profile final
Saurabh Kumar
 
AKS IT Corporate Presentation
aksit_services
 
Security Testing.pptx
osandadeshan
 
Security Testing
ISsoft
 
Domain 6 - Security Assessment and Testing
Maganathin Veeraragaloo
 
Security testing fundamentals
Cygnet Infotech
 
Security assessment with a hint of CISSP Prep
EnterpriseGRC Solutions, Inc.
 
Practical Security Architecture Analysis
Phil Huggins FBCS CITP
 
Ad

Recently uploaded (20)

PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
PPTX
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
Modernising the Digital Integration Hub
Daniel Toomey
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
Five Habits of High-Impact Board Members
OnBoard
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 

Automated Security Testing with Seccubus confidence 2015