Web Application Security Vulnerability Management Framework for building an application security program
The Web Application Vulnerability Management Framework
Jason Pubal
Blog: www.intellavis.com/blog
Social: linkedin.com/in/pubal, twitter.com/pubal
I speak for myself. My employer uses press releases. These opinions are shareware - if you like them, send $10. Actual mileage may vary. Some assembly required. Keep in a cool, dark place.
Presentation: http://bit.ly/WebAppVMFramework
INTRODUCTION
FRAMEWORK
PREPARATION
VM PROCESSES
METRICS
VM ON THE CHEAP
OWASP OpenSAMM
Software Assurance Maturity Model
BSIMM
Building Security in Maturity Model
Application Security Touchpoints
Problems?! What happens after deployment?
• Security issues missed during the SDLC
• New attack techniques
• Infrastructure vulnerabilities
What about applications that don't go through the SDLC?
• Hosted applications
• Legacy applications
• Commercial off the shelf applications (COTS)
According to the Verizon 2014 Data Breach Investigations Report, “web applications remain the proverbial punching bag of the Internet” with 35% of breaches being caused by web application attacks.
BFFs 4 EVA!
> 200 Web Applications: big company with a lot of Internet-facing web applications.
Continuous: assessments are running all the time, 24x7x365.
Actual Attack Surface: live, production applications.
New Program: built in the last year.
Web Application Vulnerability Management Program
Web Application Vulnerability Management Framework
Core cycle: Inventory → Enroll → Assess → Report → Remediate → Assess again
Supporting functions: Policy, Defect Tracking, Metrics
Risk Management: process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.
Vulnerability Management: cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.
GOAL – Identify & Reduce Risk
Understand web application specific risk exposure and bring it in line with policies.
Gartner's Vulnerability Management cycle (figure)
Preparation
Processes: Decide what you're doing. Get stakeholder approval.
Policy: Gives you the mandate to run vulnerability assessments and to set remediation timelines; it should also cover secure coding practices and infrastructure configuration policies.
Scanning Tools: Choose a web application vulnerability scanner that fits your program requirements.
Inventory: Create and maintain an inventory of web applications.
Introductory Material: Create a communications plan. Build a packet of information to give application owners as you enroll sites.
Project Management Integration: Hook into project management as a web application "go live" requirement.
Dynamic Application Security Testing (DAST)
Detect conditions indicative of a security vulnerability in an application in its running state.
1. Spider the application
2. Fuzz inputs
3. Analyze responses
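The three DAST steps above, reduced to a runnable loop. This is an added example, not code from the deck or from any scanner product it mentions: the target is a constructed in-process web app (a plain function returning a status and a body) so the scanner runs offline, and the two probes and the SQL-error regex are deliberately minimal stand-ins for the payload libraries a real scanner carries.

```python
"""Toy DAST loop: spider, fuzz inputs, analyze responses.

Added example, not code from the deck. The target is a constructed
in-process web app (a plain function returning (status, body)) so the
scanner runs offline; a real scanner would send HTTP requests instead.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urljoin, urlparse


def target_app(url):
    """Constructed vulnerable target: /search reflects input unescaped
    (reflected XSS), /item leaks a SQL error on a single quote."""
    parsed = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if parsed.path == "/":
        return 200, '<a href="/search?q=test">search</a> <a href="/item?id=1">item</a>'
    if parsed.path == "/search":
        return 200, "<p>Results for: %s</p>" % q.get("q", "")
    if parsed.path == "/item":
        if "'" in q.get("id", ""):
            return 500, "You have an error in your SQL syntax near '''"
        return 200, "<p>Item %s</p>" % re.sub(r"[^0-9]", "", q.get("id", ""))
    return 404, "not found"


class LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]


def spider(fetch, start, max_pages=50):
    """Step 1: crawl from `start`, staying on the same host; return visited URLs."""
    host = urlparse(start).netloc
    seen, queue = set(), [start]
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, body = fetch(url)
        if status != 200:
            continue
        extractor = LinkExtractor()
        extractor.feed(body)
        for href in extractor.links:
            absolute = urljoin(url, href)
            if urlparse(absolute).netloc == host and absolute not in seen:
                queue.append(absolute)
    return sorted(seen)


# Probes: an unusual tag that should never survive output encoding, and a
# quote that breaks unparameterised SQL. A real scanner carries hundreds.
XSS_MARKER = "<zqx>"
SQLI_PROBE = "1'"
SQL_ERRORS = re.compile(r"error in your SQL syntax|ORA-\d{5}|unterminated quoted string", re.I)


def fuzz_and_analyze(fetch, urls):
    """Steps 2 and 3: mutate each query parameter and inspect the response."""
    findings = []
    for url in urls:
        parsed = urlparse(url)
        params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        for name in params:
            for payload, kind in ((XSS_MARKER, "reflected-xss"), (SQLI_PROBE, "sql-error")):
                mutated = dict(params, **{name: payload})
                probe = parsed._replace(query=urlencode(mutated)).geturl()
                status, body = fetch(probe)
                if kind == "reflected-xss" and XSS_MARKER in body:
                    findings.append((kind, parsed.path, name))
                elif kind == "sql-error" and (status >= 500 or SQL_ERRORS.search(body)):
                    findings.append((kind, parsed.path, name))
    return findings


def scan(fetch, start):
    """Run the full spider -> fuzz -> analyze loop; returns (kind, path, param) tuples."""
    return fuzz_and_analyze(fetch, spider(fetch, start))


if __name__ == "__main__":
    for finding in scan(target_app, "http://app.example/"):
        print(finding)
```

Two things worth noticing: the spider only finds inputs that are reachable from links, so anything behind a login or a JavaScript-built form is invisible to it (the same blind spot commercial scanners have without authenticated crawling), and the "analysis" is pattern matching on responses, which is why a DAST finding is a condition "indicative of" a vulnerability rather than a confirmed one.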
Scanner Comparison – sectoolmarket.com
Building your Inventory - Reconnaissance
Recon-ng: Web reconnaissance framework. Google dorks, IP/DNS lookups, GPS, PunkSPIDER, Shodan, PwnedList, LinkedIn, etc.
Nmap: nmap -Pn -p80,443 -sV --script=http-screenshot <ip range/subnet> (-Pn is the current spelling of the older -P0 flag; http-screenshot is a third-party NSE script that must be installed separately, it does not ship with Nmap)
DNS: Make friends with your DNS administrator.
Reverse Lookups – ewhois.com: Reverse email lookup. Google Analytics or AdSense ID.
Google: Google for your company. Go through the top 100 results. Build a list of websites.
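The recon sources above produce two kinds of data: scan output (which ports actually answer HTTP) and hostname lists (DNS, search results, reverse lookups). This added example, not from the deck, turns an nmap -oX XML file into inventory rows and merges in hostnames that never appeared in the scan, so unscanned sites are flagged rather than silently dropped. The XML and hostname list are constructed sample data; the 203.0.113.0/24 range is documentation address space.

```python
"""Build a web application inventory from nmap XML plus hostname lists.

Added example, not code from the deck. NMAP_XML and KNOWN_HOSTS are
constructed sample data standing in for `nmap -oX` output and the
hostnames collected from DNS, Google and reverse lookups.
"""
import csv
import io
import xml.etree.ElementTree as ET

NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -p80,443 -sV -oX - 203.0.113.0/29">
  <host><status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.7"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.7" tunnel="ssl"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="Microsoft IIS httpd" version="8.5"/></port>
    </ports>
  </host>
</nmaprun>
"""

KNOWN_HOSTS = ["www.example.com", "portal.example.com"]  # constructed DNS/Google findings


def web_services_from_nmap(xml_text):
    """Return one row per open HTTP(S) port found in nmap -oX output."""
    rows = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        hostname = host.find("hostnames/hostname")
        name = hostname.get("name") if hostname is not None else ip
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            if svc is None or not svc.get("name", "").startswith("http"):
                continue
            portid = int(port.get("portid"))
            # nmap reports TLS either as service "https" or as tunnel="ssl" on "http"
            https = svc.get("name") == "https" or svc.get("tunnel") == "ssl" or portid == 443
            scheme, default = ("https", 443) if https else ("http", 80)
            url = "%s://%s%s" % (scheme, name, "" if portid == default else ":%d" % portid)
            rows.append({
                "url": url, "host": name, "ip": ip, "port": portid,
                "product": " ".join(filter(None, (svc.get("product"), svc.get("version")))),
                "source": "nmap",
            })
    return rows


def build_inventory(nmap_rows, known_hosts):
    """Merge scan-discovered services with hostnames gathered elsewhere.
    Hosts that never showed up in a scan are kept and flagged for follow-up."""
    inventory = {r["url"]: dict(r) for r in nmap_rows}
    scanned_hosts = {r["host"] for r in nmap_rows}
    for host in known_hosts:
        if host not in scanned_hosts:
            url = "https://%s" % host  # scheme assumed until the host is scanned
            inventory[url] = {"url": url, "host": host, "ip": "", "port": 443,
                              "product": "", "source": "dns/google (unscanned)"}
    return [inventory[k] for k in sorted(inventory)]


def inventory_csv(rows):
    """Serialise the inventory so it can be loaded into the enrollment tracker."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["url", "host", "ip", "port", "product", "source"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(inventory_csv(build_inventory(web_services_from_nmap(NMAP_XML), KNOWN_HOSTS)))
```

Running the scan against the hostname list, not just the IP range, is the point of the merge: a virtual-hosted site that only answers to its name will show up in DNS or Google but never in an IP-range scan, and the "unscanned" source tag is what keeps it from being forgotten.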
Enrollment Process
Remediation Process
Not Infrastructure Vulnerability Management
Software Defects: Infrastructure folks have been doing patch management for years. Software developers have been fixing "bugs." Frame the vulnerability as a code defect.
Legacy Applications: What if we are no longer actively developing the application? What if we don't even employ developers who use that language?
Determine Level of Effort: Each fix is its own software development project.
Technical vs. Logical Vulnerabilities: A technical fix is usually straightforward and repetitive. Logical fixes can require significant redesign.
Not a cookie cutter patch: The development team has to take time away from building new functionality.
Common Mistakes
Not Considering Business Context in Risk Ratings: Only looking at the automated tool's risk ranking is not sufficient. Take the application's business criticality into consideration.
No Approval or Notification: Knocking over an application that no one knew you were scanning could have detrimental political effects.
Forcing Developers to Use New Tools & Processes: Communicating with development teams using their existing tools and processes helps to decrease friction between security and development organizations.
Sending a PDF Report of 100 Vulnerabilities to the Dev Team: Avoid bystander apathy. Use the development team's defect tracking tool.
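Two of the mistakes above, rating by tool severity alone and dumping a PDF on the team, have the same fix: score each finding against the application's business criticality and file it as a defect in the team's own tracker. The following is an added example, not code from the deck or from any scanner or tracker it names. The findings, criticality map, project keys, weights and SLA days are constructed; the ticket dict follows the field layout of a JIRA REST "create issue" request, assumed here as the target tracker.

```python
"""Scanner findings -> prioritized, de-duplicated defect-tracker tickets.

Added example, not code from the deck. FINDINGS, APP_CRITICALITY, PROJECTS,
the weights and SLA_DAYS are constructed; the ticket layout assumes a
JIRA-style REST "create issue" payload.
"""
import hashlib

# Constructed scanner output, including duplicates from a rescan.
FINDINGS = [
    {"app": "payments", "type": "SQL Injection", "severity": "High",
     "url": "https://pay.example.com/api/orders", "param": "id"},
    {"app": "payments", "type": "SQL Injection", "severity": "High",
     "url": "https://pay.example.com/api/orders", "param": "id"},
    {"app": "payments", "type": "Missing X-Frame-Options", "severity": "Low",
     "url": "https://pay.example.com/", "param": ""},
    {"app": "brochure", "type": "Reflected XSS", "severity": "Medium",
     "url": "https://www.example.com/search", "param": "q"},
    {"app": "brochure", "type": "Reflected XSS", "severity": "Medium",
     "url": "https://www.example.com/search", "param": "q"},
]

APP_CRITICALITY = {"payments": "critical", "brochure": "low"}  # from enrollment (constructed)
PROJECTS = {"payments": "PAY", "brochure": "WEB"}               # dev teams' tracker projects (constructed)

SEVERITY_SCORE = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.6, "low": 0.4}
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}  # remediation timelines from policy (assumed)


def rate(finding, criticality=APP_CRITICALITY):
    """Scale the tool's severity by how much the business cares about the app."""
    weight = CRITICALITY_WEIGHT[criticality.get(finding["app"], "medium")]
    score = round(SEVERITY_SCORE[finding["severity"]] * weight, 2)  # 0.0 .. 4.0
    for prio, floor in (("P1", 2.4), ("P2", 1.6), ("P3", 0.8)):
        if score >= floor:
            return prio
    return "P4"


def dedupe_key(finding):
    """Stable id for one defect so a rescan updates a ticket instead of re-filing it."""
    raw = "|".join((finding["app"], finding["type"], finding["url"], finding["param"]))
    return hashlib.sha256(raw.encode()).hexdigest()[:12]


def to_tickets(findings, projects=PROJECTS, criticality=APP_CRITICALITY):
    """One ticket per unique defect, filed in the owning team's own project."""
    tickets, seen = [], set()
    for f in findings:
        key = dedupe_key(f)
        if key in seen:
            continue
        seen.add(key)
        prio = rate(f, criticality)
        tickets.append({"fields": {
            "project": {"key": projects[f["app"]]},
            "issuetype": {"name": "Bug"},  # a vulnerability is a code defect
            "priority": {"name": prio},
            "summary": "[%s] %s in %s (param: %s)" % (prio, f["type"], f["url"], f["param"] or "n/a"),
            "labels": ["security", "appsec-scan", "vuln-" + key],
            "description": "Tool severity: %s. Application criticality: %s. "
                           "Policy remediation timeline: %d days."
                           % (f["severity"], criticality[f["app"]], SLA_DAYS[prio]),
        }})
    tickets.sort(key=lambda t: t["fields"]["priority"]["name"])
    return tickets


if __name__ == "__main__":
    for t in to_tickets(FINDINGS):
        print(t["fields"]["project"]["key"], t["fields"]["summary"])
```

With the constructed data, the Medium-severity XSS on the low-criticality brochure site lands at P3 instead of the P2 a tool-only rating would give, while the same finding on a critical app would be P2; the five raw findings become three tickets, each with a stable label so the next scan can look up the existing ticket rather than open another one.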
Metrics
Expressed as a Number or Percentage: Not with qualitative labels like high, medium, or low.
Cheap to Gather: Metrics ought to be computed at a frequency commensurate with the process's rate of change. We want to analyze security effectiveness on a day-to-day or week-by-week basis. Figuring out how to automate metric generation is key.
Expressed Using at Least One Unit of Measure: Defects, hours, or dollars. Defects per application. Defects over time.
Contextually Specific: The metric needs to be relevant enough to decision makers that they can take action. If no one cares, it is not worth gathering.
Consistently Measured: Anyone should be able to look at the data and come up with the same metric using a specific formula or method. Metrics that rely on subjective judgment are not good.
Metrics
Company Top 10 Vulnerabilities: Like the OWASP Top 10, but organization specific.
Vulnerabilities per Application: Number of vulnerabilities that a potential attacker without prior knowledge might find. You could also count by business unit or criticality.
Mean Time to Mitigate Vulnerabilities: Average time taken to mitigate vulnerabilities identified in an organization's technologies. This speaks to organization performance and the window in which the vulnerability might be exploited.
Security Testing Coverage: Percentage of applications in the organization that have been subjected to security testing.
Web App VM On the Cheap
Dynamic Application Security Testing (DAST) Tools: Burp Suite - $299, single license; OWASP Zed Attack Proxy (ZAP) - open source
Vulnerability Aggregation: ThreadFix - open source
Defect Tracking: JIRA - $10, 10 users; Bugzilla - open source
Questions?
Thank You!