Vulnerability management and threat detection by the numbers
Download as PPTX, PDF1 like367 views
The document discusses vulnerability management and threat detection, emphasizing the necessity of adopting various security practices such as continuous integration and deployment. It highlights that a significant percentage of vulnerabilities are outside developers' control and stresses the importance of comprehensive component security in application security. The text also addresses the challenges of scaling automated assessment tools while maintaining accuracy and context in vulnerability identification.
![FIN
• We can scale but not everything is [easily] scalable
• Discover Tech Vulns using Tech
• No “Fire and forget” Security
• Lets test to mirror development methodologies
@eoinkeary
eoin@bccriskadvisory.com](https://image.slidesharecdn.com/vulnerabilitymanagementandthreatdetectionbythenumbers-160105161302/85/Vulnerability-management-and-threat-detection-by-the-numbers-26-320.jpg)
Vulnerability management and threat detection by the numbers
- 1. Vulnerability Management and Threat Detection by the numbers Daggercon 2015
- 2. Eoin Keary CTO/Founder edgescan.com & BCC Risk Advisory OWASP Leader/Member/Ireland Founder OWASP Global Board Member (2009-2014)
- 3. One problem, Many solutions DAST – Peoples front of Judea RASP – Judean peoples front IAST - Judean Popular People's Front SAST - Popular Front of Judea
- 4. Web Risk • Application Security • Host Security • Both / Either / Or • It’s all software right? “We gotta cover all the bases, an attacker only needs to find one…..”
- 5. Bits between the Bits • A developer Introduces bugs in code.. • A Security assessment may deliver false positives/negatives.. Potential vulnerabilities in code & Potential vulnerabilities in assessment techniques.
- 6. Market Driven Approaches to a Market Driven Problem.
- 7. Agile Risk Model Fail Early – Fail Often “Push Left”
- 8. Continuous what? CI -> Continuous Integration CD -> Continuous Deployment TDD -> Test Driven Development Continuous Maintenance Continuous Security
- 9. Continuous Security “Keeping up” with development Assisting secure deployment Catching bugs early – Push Left Help ensure “change” is secure
- 10. Host/Server/Framework Building bricks – Frameworks / Components Spring, Jquery, Jade, Angular, Hibernate 13 billion Open source downloads 2014 90% of application code is framework 63%* don’t monitor component security 43%* don’t have open source policy * http://www.sonatype.com/about/2014-open-source-software-development-survey
- 11. Components Spring (3.0-3.05) – CVE-2011-2894 – Code exe 7,000,000 downloads since vuln discovered CVSS: 6.8 Apache Xerces2 – CVE-2009-2625 – DoS 4,000,000 downloads since vuln discovered CVSS: 5 Apache Commons HttpClient 3.x - CVE-2012-5783 – MiTM 4,000,000 downloads since vuln discovered CVSS: 4.9 Struts2 (2.0-2.3.5) – CVE-2013-2251-Remote Cmd Injection 179,050 downloads since vuln discovered CVSS: 10
- 12. “65% of vulnerabilities discovered in 2015 by edgescan were outside of software developer control – Operating System CVE, Component CVE, Misconfiguration etc ..” - edgescan Vulnerability Statistics Report 2015
- 13. AppSec/Component Sec • “If you're not doing component vulnerability management you’re not doing appsec…” – 90% of application code is framework • “If you’re not doing full-stack you are not doing security…” – Hackers don’t give a S*#t
- 14. Problems?
- 15. “We Can” scale.. Automation of assessment Depth Coverage / Breadth Rigour
- 17. Automation!! • Jenkins, Hudson, Bamboo – Event driven – Scheduled – Incremental • CHEF, Puppet, Phoenix (immutable) Sounds great…. but
- 18. Accuracy/Information/Context The “Anti-Scale” Risk Context Business Context Accuracy Information Vs Data Human Decisions and Intel Technical constraints -> Chokepoints
- 19. The “Anti-Scale” New languages and programming methods Growth of interpreted languages with no strong typing hurts SAST (Javascript, Ruby,…) Few automated tools to test APIs / RESTful APIs Testing Window is squeezed, manual testing is doomed!?#
- 20. Fighting The “Anti-Scale” Accuracy “Rule Tuning” – DAST & SAST Build Fails! White Noise / Supression Real Security Vs “Best Practice” Updates to Rules Scale “Delta Analysis” Previous Vs Current Changes FP’s
- 21. CI Integration
- 22. Fighting The “AntiScale” - Delta Analysis Measure of change in a target environment. Focusing on change in risk posture compared to last assessment. -> Closed, New, False Positives
- 23. Fighting The “Anti-Scale”- Testing like a Developer Break testing into little pieces Smoke / Incremental Vs full regression testing “Early and Often” – Continuous, on demand – Testing duration drives testing frequency
- 24. Business & Behavioural Testing At scale: Can be Difficult ….. Technical Security is covered….Automation More Time to “Deep Dive”
- 25. “Future of Pentesting” Technical Vulnerabilities rooted out using technical methods/services ….. Move from chasing Top 10 (SQLI, XSS, etc) -To- Behavioural, Logical, Business flow assessment
- 26. FIN • We can scale but not everything is [easily] scalable • Discover Tech Vulns using Tech • No “Fire and forget” Security • Lets test to mirror development methodologies @eoinkeary eoin@bccriskadvisory.com