Application Security Program Management with Vulnerability Manager

Bryan Beverly
June 2nd, 2010
Using free Java-based software, application security managers can now have increased visibility into and control of enterprise security programs as well as the data that can be used to support sophisticated conversations with their managers and executives. Denim Group's Vulnerability Manager works through a centralized system to allow security teams to import and consolidate application-level vulnerabilities, automatically generate virtual patches, monitor attack attempts, communicate with defect tracking systems, and evaluate team maturity. Vulnerability Manager is a Java-based web application available for free under the Mozilla Public License.

This demonstration will cover the major functional areas of the Vulnerability Manager:

• Application portfolio management – creating a portfolio of applications under management and tracking critical information about those applications, such as associated technologies and the sensitivity of the data under management.
• Vulnerability import and merging – importing the results of both static and dynamic scans of code, de-duplicating results and merging the output from multiple tools into a unified view of the security state of an application.
• Automated virtual patch generation – automatically creating IDS/IPS and WAF rules to provide real-time protection for certain classes of vulnerabilities, as well as consuming log results from WAF/IDS/IPS in order to identify which vulnerabilities are under active attack.
• Defect tracker integration – bundling multiple vulnerabilities into packages, sending them to software defect tracking systems, and monitoring the defects to identify when software developers have closed them out.
• Team maturity evaluation – tracking interviews with development teams related to the security practices they have adopted, based on maturity models such as OpenSAMM.

In addition, the presentation will explain the internals of the Vulnerability Manager software – the design decisions made as well as opportunities to extend the system to support additional technologies.

Today's Presentation

• The challenges of application security scanning and remediation
• What Vulnerability Manager can do
• Next steps for Vulnerability Manager
• Next steps for you

Denim Group Background

• Privately-held, professional services organization
  – Develops secure software
  – Helps organizations assess and mitigate risk of existing software
  – Provides training and mentoring so clients can build trusted software
• Software-centric view of application security
  – Application security experts are practicing developers
  – Development pedigree translates to rapport with development managers
  – Business impact: shorter time-to-fix for application vulnerabilities
• Culture of application security innovation and contribution
  – Released Sprajax & Vulnerability Manager to the open source community
  – OWASP national leaders & regular speakers at RSA, OWASP, CSI
  – World class alliance partners accelerate innovation to solve client problems

My Background

• 13-year business application development background
• Lead Consultant at Denim Group
• Provides technical oversight for Denim Group development projects
• Responsible for Denim Group development lifecycle standards and processes
• Performs black box and white box security assessments
• Performs on-site security training
• Co-developer and technical lead for the Vulnerability Manager project

Challenges with Scan-Centric Application Security Programs

• Too many application security programs are scan-centric
  – Run scans, generate reports, send to development teams
• Not enough attention is paid to the entire process
• Result: vulnerabilities are not remediated and continue to expose the organization to risk

Post-Scan Remediation is the “Next” Big AppSec Issue

• Application scanning technologies are improving
  – Various improvements provide better testing coverage
• Qualys 2009 Black Hat Conference paper
  – Presented by Qualys CTO Wolfgang Kandek
  – Network & host vulnerabilities persist for roughly 30 days from identification
  – Measured across 140 million scans of Qualys’ SaaS clients
  – Exploitation cycle is getting shorter – down from 60 days in 2004 to 10 days
• WhiteHat Security study on application vulnerabilities
  – Application vulnerabilities persist much longer than network vulnerabilities
  – Typical persistence timeframe is measured in months, not days
    • SQL Injection – 38 days
    • Insufficient Authentication – 72 days
  – Vulnerability time-to-fix metrics are not changing substantively, typically requiring weeks to months to achieve resolution

Why Do Application Vulnerabilities Persist?

• Must rewrite software – can’t just turn the service “off”
  – Can be straightforward – XSS or SQL Injection
  – Can be more difficult – logical errors
• Dev teams detached from security managers
  – Lack of organizational influence over dev efforts
  – Interaction and tracking between groups is inconsistent and one-off
• The formal process of aggregating and processing application-level vulnerabilities is immature
  – No automated way to import scanning results from multiple sources
    • Black box (BB), white box (WB), SaaS
  – Sophisticated hand-off to issue trackers is still evolving
  – Interaction with other systems is “one-off”

The Emergence of Accelerated Software Remediation (ASR) Technologies

• Security and risk managers are realizing the status quo is unacceptable
  – Application vulnerabilities exist in live environments for months
• A new set of technologies is emerging to address post-scan automation for application vulnerabilities
  – Application security vendors are developing more post-scan functionality
    • Many are creating gated communities and vendor lock-in
  – Most 1st-generation integrations are “one-to-one” between scanners & WAFs
• Accelerated Software Remediation technologies reduce the lifespan of application vulnerabilities:
  – Automating import from multiple scanning systems
  – “De-duplication” of vulnerabilities from dynamic & static scanners
  – Ability to measure incremental improvement
  – Capability to generate “virtual patches” for IDS/WAF

Vulnerability Manager: “ThreadFix”

• Mission: allow organizations to centrally manage the entire range of software assurance activities
• Finding vulnerabilities is easy – actually addressing the risk is hard
• Freely available under the Mozilla Public License 1.1
• Major feature areas
  – Application Portfolio Management
  – Vulnerability Import
  – Real-Time Protection Generation
  – Defect Tracking Integration
  – Maturity Evaluation

Application Portfolio Management

• Many organizations do not even have a complete picture of their application attack surface
• Track applications, metadata and associated vulnerabilities

Vulnerability Import

• Import, de-duplicate and merge vulnerability data from a variety of free and commercial tools
• Static and dynamic analysis
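The import, de-duplicate and merge step on this slide, as an added example written for this page (it is not code from Vulnerability Manager or Denim Group). Two constructed scanner reports with invented field names are normalised onto one vulnerability vocabulary and merged on (type, path, parameter), so the duplicate dynamic finding collapses into one record and the overlap between static and dynamic coverage can be counted; that count is the "overlap and coverage gaps" analysis the closing slide recommends. The alias table, the sample reports and the merge key are all assumptions made for the example.

```python
import json
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample output from two hypothetical scanners. The field names are
# invented for this example; real tools each have their own report format.
DYNAMIC_SCAN = json.loads("""
[
  {"name": "Cross-Site Scripting (Reflected)", "url": "https://shop.example.com/search?q=abc",
   "param": "q", "severity": "High"},
  {"name": "SQL Injection", "url": "https://shop.example.com/product/", "param": "id",
   "severity": "Critical"},
  {"name": "SQL Injection", "url": "https://shop.example.com/product?id=1", "param": "id",
   "severity": "Critical"}
]
""")

STATIC_SCAN = json.loads("""
[
  {"category": "Cross Site Scripting", "path": "/search", "parameter": "q",
   "file": "SearchServlet.java", "line": 42},
  {"category": "Path Manipulation", "path": "/download", "parameter": "file",
   "file": "DownloadServlet.java", "line": 88}
]
""")

# Each scanner names the same weakness differently; map the names onto one vocabulary.
TYPE_ALIASES = {
    "cross-site scripting (reflected)": "XSS",
    "cross site scripting": "XSS",
    "sql injection": "SQLi",
    "path manipulation": "Path Traversal",
}


def canonical_type(name: str) -> str:
    """Map a tool-specific vulnerability name onto the shared vocabulary."""
    return TYPE_ALIASES.get(name.strip().lower(), name.strip())


def canonical_path(url_or_path: str) -> str:
    """Reduce a full URL or a bare path to a host-less, query-less, slash-normalised path."""
    path = urlsplit(url_or_path).path or "/"
    return (path.rstrip("/") or "/").lower()


@dataclass
class Vulnerability:
    """One merged vulnerability plus every raw finding that contributed to it."""
    vuln_type: str
    path: str
    parameter: str
    sources: list = field(default_factory=list)   # (tool, raw finding) pairs

    @property
    def tools(self) -> list:
        return sorted({tool for tool, _ in self.sources})


def merge_findings(dynamic: list, static: list) -> list:
    """De-duplicate and merge findings on (type, path, parameter), keeping all evidence."""
    merged: dict = {}

    def add(tool, key, raw):
        merged.setdefault(key, Vulnerability(*key)).sources.append((tool, raw))

    for f in dynamic:
        add("dynamic", (canonical_type(f["name"]), canonical_path(f["url"]), f["param"].lower()), f)
    for f in static:
        add("static", (canonical_type(f["category"]), canonical_path(f["path"]), f["parameter"].lower()), f)
    return list(merged.values())


def coverage_report(vulns: list) -> dict:
    """Count how many merged vulnerabilities each tool class found, to expose overlap and gaps."""
    counts = {"both": 0, "dynamic only": 0, "static only": 0}
    for v in vulns:
        if v.tools == ["dynamic", "static"]:
            counts["both"] += 1
        elif v.tools == ["dynamic"]:
            counts["dynamic only"] += 1
        else:
            counts["static only"] += 1
    return counts


if __name__ == "__main__":
    merged = merge_findings(DYNAMIC_SCAN, STATIC_SCAN)
    for v in merged:
        print(f"{v.vuln_type:15} {v.path:10} {v.parameter:5} found by {', '.join(v.tools)} "
              f"({len(v.sources)} raw findings)")
    print(coverage_report(merged))
```

The merge key is a heuristic: a static finding reports a file and line while a dynamic one reports a URL, so the join only works when the scanner-reported path matches the deployed route, and two different sinks behind the same parameter name would be merged into one record. Keeping every raw finding under `sources` is what makes a wrong merge reversible and lets a developer see both the code location and the request that reproduces it.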
Real-Time Protection Generation

• Generate vulnerability-specific rules for WAFs and IDS/IPS
• Automate the “virtual patching” process
• Import logs to identify vulnerabilities under active attack
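Both halves of this slide, rule generation and log-driven "under attack" detection, as an added example written for this page (not code from Vulnerability Manager). For each merged vulnerability it emits a ModSecurity v2 chained rule scoped to one path and one parameter, then reads a WAF log and maps hits on those rule ids back to the vulnerabilities they protect. The vulnerabilities, the per-type operators, the rule-id range and the log excerpt are all constructed for the example; the log lines are shaped like ModSecurity's Apache error-log entries but are not captured from a real system.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    vuln_type: str   # canonical type, e.g. "SQLi" or "XSS"
    path: str        # request path on which the vulnerable parameter is read
    parameter: str


# Constructed: two vulnerabilities as they would look after import and merging.
VULNS = [
    Vulnerability("SQLi", "/product", "id"),
    Vulnerability("XSS", "/search", "q"),
]

# Assumed per-type operators for the chained rule. The SQLi patch is positive
# validation and only works because we assume "id" is a short decimal number;
# the XSS patch is a crude negative pattern and is only a stop-gap.
PARAM_CHECKS = {
    "SQLi": "!@rx ^[0-9]{1,10}$",
    "XSS": "@rx [<>\"']",
}

RULE_BASE_ID = 100000   # assumed private rule-id range for generated rules


def modsec_rule(vuln: Vulnerability, rule_id: int) -> str:
    """Emit a ModSecurity v2 chained rule: first match the path, then test the parameter."""
    msg = "msg:'Virtual patch: %s in %s at %s'" % (vuln.vuln_type, vuln.parameter, vuln.path)
    first = 'SecRule REQUEST_URI "@beginsWith %s" "id:%d,phase:2,deny,status:403,log,%s,chain"' % (
        vuln.path, rule_id, msg)
    second = '    SecRule ARGS:%s "%s" "t:none"' % (vuln.parameter, PARAM_CHECKS[vuln.vuln_type])
    return first + "\n" + second


def generate_rules(vulns, base_id=RULE_BASE_ID) -> dict:
    """Assign each vulnerability a rule id and return {rule_id: (vuln, rule_text)}."""
    return {base_id + i: (v, modsec_rule(v, base_id + i)) for i, v in enumerate(vulns, start=1)}


# Constructed log excerpt shaped like ModSecurity's Apache error-log entries; the
# "[client ...]" and "[id "..."]" fields are what the matcher relies on.
WAF_LOG = """\
[Wed Jun 02 10:15:01 2010] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "100001"] [msg "Virtual patch: SQLi in id at /product"] [uri "/product"]
[Wed Jun 02 10:15:09 2010] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "100001"] [msg "Virtual patch: SQLi in id at /product"] [uri "/product"]
[Wed Jun 02 10:16:30 2010] [error] [client 198.51.100.22] ModSecurity: Access denied with code 403 (phase 2). [id "100001"] [msg "Virtual patch: SQLi in id at /product"] [uri "/product"]
[Wed Jun 02 10:20:00 2010] [error] [client 198.51.100.22] ModSecurity: Warning. [id "200500"] [msg "Unrelated generic rule"] [uri "/login"]
"""

LOG_ENTRY_RE = re.compile(r'\[client ([^\]]+)\].*?\[id "(\d+)"\]')


def attacks_by_vuln(log_text: str, rules: dict) -> dict:
    """Map WAF hits on generated rule ids back to the vulnerabilities they protect."""
    hits = defaultdict(lambda: {"count": 0, "clients": set()})
    for line in log_text.splitlines():
        m = LOG_ENTRY_RE.search(line)
        if not m:
            continue
        client, rule_id = m.group(1), int(m.group(2))
        if rule_id in rules:           # ignore rules we did not generate
            vuln = rules[rule_id][0]
            hits[vuln]["count"] += 1
            hits[vuln]["clients"].add(client)
    return dict(hits)


if __name__ == "__main__":
    rules = generate_rules(VULNS)
    for _, (_, text) in rules.items():
        print(text)
    for vuln, info in attacks_by_vuln(WAF_LOG, rules).items():
        print(f"{vuln.vuln_type} in {vuln.parameter} at {vuln.path}: "
              f"{info['count']} blocked requests from {sorted(info['clients'])}")
```

Scoping each rule to one path and one parameter is what keeps a virtual patch from becoming a site-wide false-positive generator, and a positive-validation operator (only digits for `id`) is far stronger than a signature when the expected input shape is known. The rule id is the join key in both directions: the generator records it against the vulnerability, and the log importer uses it to say which findings are being probed, which is the evidence a security manager needs to push a specific fix ahead of the rest of the backlog.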
Defect Tracking Integration

• Group vulnerabilities and send them to software development teams as defects
• Track defect status over time

Maturity Evaluation

• Evaluate application team practices via maturity models such as OpenSAMM
• Track practices over time

Demonstration

Current Status

• “Technology Preview” release in January 2010
  – Demonstrates underlying concepts
  – Supports many major technologies
• Not yet recommended for production use

Future Plans

• Under active development, heading toward a 1.0alpha release
• Starting to see interest in customer-sponsored development
• Support for additional technologies – scanners, IDS/IPS/WAF, defect trackers
• Metrics, reporting and visualization

So where do you go from here?

What you can do now!

• Conduct a mini-OpenSAMM assessment to understand your current state of application vulnerability management
• Capture a post-scan workflow to better understand how application vulnerabilities cycle through the remediation process
• Measure how long your most serious app vulnerabilities persist in your production environment
• Analyze your static, dynamic, and manual results to understand where there is overlap and where there are coverage gaps
• Understand how application vulnerabilities are consumed by development teams
  – Understand what issue tracker they use
  – Understand how vulns are represented and dealt with by devs

Contact Information

Bryan Beverly
bryan@denimgroup.com

Denim Group
(210) 572-4400
www.denimgroup.com
blog.denimgroup.com
vulnerabilitymanager.denimgroup.com