Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Web Application Security Vulnerability Management Framework
Similar to Web Application Security Vulnerability Management Framework (20)
Recently uploaded
Recently uploaded (20)
Web Application Security Vulnerability Management Framework
- 1. The Web Application Vulnerability Management Framework
- 2. Web Application Vulnerability Management Jason Pubal Blog www.intellavis.com/blog Social linkedin.com/in/pubal twitter.com/pubal Presentation: http://bit.ly/WebAppVMFramework I speak for myself. My employer uses press releases. These opinions are shareware - if you like them, send $10. Actual mileage may vary. Some assembly required. Keep in a cool, dark place.
- 3. Web Application Vulnerability Management INTRODUCTION FRAMEWORK PREPARATION VM PROCESSES METRICS VM ON THE CHEAP
- 4. Web Application Vulnerability Management Software Assurance Maturity Model OWASP OpenSAMM
- 5. Web Application Vulnerability Management Building Security in Maturity Model BSIMM
- 6. Web Application Vulnerability Management Application Security Touchpoints
- 7. Web Application Vulnerability Management Problems?! What happens after deployment? • Security issues missed during SDLC • New Attack Techniques • Infrastructure Vulnerabilities What about applications that don’t go through the SDLC? • Hosted Applications • Legacy Applications • Commercial off the Shelf Applications (COTS) According to the Verizon 2014 Data Breach Investigations Report, “web applications remain the proverbial punching bag of the Internet” with 35% of breaches being caused by web application attacks.
- 8. Web Application Vulnerability Management
- 9. Web Application Vulnerability Management Web Application Vulnerability Management Program > 200 Web Applications Big company with A LOT of Internet facing web applications. Continuous Assessments are running all the time, 24-7 x 365. Actual Attack Surface Live, production applications New Program Built in the last year.
- 10. Web Application Vulnerability Management Web Application Vulnerability Management Framework Policy Inventory Enroll Assess Assess Report Remediate Defect Tracking Metrics
- 11. Web Application Vulnerability Management GOAL – Identify & Reduce Risk Vulnerability Management cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities Risk Management process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization Understand web application specific risk exposure and bring it in-line with policies. 푅푖푠푘 = 푇ℎ푟푒푎푡 ∗ 푉푢푙푛푒푟푎푏푖푙푖푡푦 퐶표푢푛푡푒푟푚푒푎푠푢푟푒푠 * Value
- 12. Web Application Vulnerability Management Vulnerability Management Gartner
- 13. Web Application Vulnerability Management Policy Inventory Enroll Assess Assess Report Remediate Defect Tracking Metrics
- 14. Web Application Vulnerability Management Preparation Policy Give YOU the ability to do Vulnerability Assessments, Set Remediation Timelines, Security Coding Practices, Infrastructure Configuration Policies. Processes Decide what you’re doing. Get stakeholder approval. Inventory Create and maintain an inventory of web applications. Project Management Integration Hook into project management as a web application “go live” requirement. Introductory Material Create a communications plan. Build a packet of information to give application owners as you enroll sites. Scanning Tools Choose a web application vulnerability scanner that fits your program requirements.
- 15. Web Application Vulnerability Management Dynamic Application Security Testing (DAST) Detect conditions indicative of a security vulnerability in an application in its running state 1. Spider Application 2. Fuzz Inputs 3. Analyze Response
- 16. Web Application Vulnerability Management Scanner Comparison – sectoolmarket.com
- 17. Web Application Vulnerability Management Building your Inventory - Reconnaissance Google Google for you company. Go through the top 100 results. Build a list of websites. NMAP nmap -P0 -p80,443 -sV --script=http-screenshot <ip range/subnet> Recon-ng Web reconnaissance framework. Google Dorks, IP/DNS Lookups, GPS, PunkSPIDER, Shodan, PwnedList, LinkedIn, etc… DNS Make friends with your DNS administrator Reverse Lookups – ewhois.com Reverse email lookup. Google Analytics or AdSense ID.
- 18. Web Application Vulnerability Management Policy Inventory Enroll Assess Assess Report Remediate Defect Tracking Metrics
- 19. Web Application Vulnerability Management
- 20. Web Application Vulnerability Management Enrollment Process
- 21. Web Application Vulnerability Management Policy Inventory Enroll Assess Assess Report Remediate Defect Tracking Metrics
- 22. Web Application Vulnerability Management
- 23. Web Application Vulnerability Management Remediation Process
- 24. Web Application Vulnerability Management Not Infrastructure Vulnerability Management Not a cookie cutter patch Development team has to take time away from building new functionality. Legacy Applications What if we are no longer actively developing the application? What if we don’t even employ developers who use that language? Software Defects Infrastructure folks have been doing patch management for years. Software developers have fixing “bugs.” Frame the vulnerability as a code defect Determine Level of Effort Each fix is it’s own software development project. Technical vs. Logical Vulnerabilities A technical fix is usually straightforward and repetitive. Logical fixes can require significant redesign.
- 25. Web Application Vulnerability Management Common Mistakes Send PDF Report of 100 Vulnerabilities to Dev Team! Avoid Bystander Apathy Use Development Team’s Defect Tracking Tool No Approval or Notification Knocking over an application that no one knew you were scanning could have detrimental political effects. Not Considering Business Context in Risk Ratings Only looking at the automated tool’s risk ranking is not sufficient. Take the applications business criticality into consideration. Forcing Developers to Use New Tools & Processes Communicating with development teams using their existing tools and processes helps to decrease friction between security and development organizations.
- 26. Web Application Vulnerability Management Policy Inventory Enroll Assess Assess Report Remediate Defect Tracking Metrics
- 27. Web Application Vulnerability Management GOAL – Identify & Reduce Risk Vulnerability Management cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities Risk Management process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization Understand web application specific risk exposure and bring it in-line with policies. 푅푖푠푘 = 푇ℎ푟푒푎푡 ∗ 푉푢푙푛푒푟푎푏푖푙푖푡푦 퐶표푢푛푡푒푟푚푒푎푠푢푟푒푠 * Value
- 28. Web Application Vulnerability Management Metrics Consistently Measured Anyone should be able to look at the data and come up with the same metric using a specific formula or method. Metrics that rely on subjective judgment are not good. Cheap to Gather Metrics ought to be computed at a frequency commensurate with the process’s rate of change. We want to analyze security effectiveness on a day-to-day or week-by-week basis. Figuring out how to automate metric generation is key. Expressed as a Number or Percentage Not with qualitative labels like high, medium, or low. Expressed Using at Least One Unit of Measure Defects, hours, or dollars. Defects per Application. Defects over Time. Contextually Specific The metric needs to be relevant enough to decision makers that they can take action. If no one cares, it is not worth gathering.
- 29. Web Application Vulnerability Management Metrics Security Testing Coverage Percentage of applications in the organization that have been subjected to security testing. Vulnerabilities per Application Number of vulnerabilities that a potential attacker without prior knowledge might find. You could also count by business unit or critically. Company Top 10 Vulnerabilities Like OWASP top 10, but organization specific Mean-Time to Mitigate Vulnerabilities Average time taken to mitigate vulnerabilities identified in an organization’s technologies. This speaks to organization performance and the window in which the vulnerability might be exploited.
- 30. Web Application Vulnerability Management
- 31. Web Application Vulnerability Management Web App VM On the Cheap Dynamic Application Security Testing (DAST) Tools BurpSuite - $299, single license OWASP Zed Attack Proxy (ZAP) – Open Source Vulnerability Aggregation ThreadFix – Open Source Defect Tracking JIRA - $10, 10 users Bugzilla – Open Source
- 32. Web Application Vulnerability Management Jason Pubal Blog www.intellavis.com/blog Social linkedin.com/in/pubal twitter.com/pubal Presentation: http://bit.ly/WebAppVMFramework
- 33. Thank You! Questions? Presentation: http://bit.ly/WebAppVMFramework