Web Application Vulnerability Management
Jason Pubal
Blog
www.intellavis.com/blog
Social
linkedin.com/in/pubal
twitter.com/pubal
Presentation: http://bit.ly/WebAppVMFramework
I speak for myself. My employer uses press releases. These opinions are shareware - if you like
them, send $10. Actual mileage may vary. Some assembly required. Keep in a cool, dark place.
Problems?!
What happens after deployment?
• Security issues missed during the SDLC
• New attack techniques
• Infrastructure vulnerabilities
What about applications that don’t go through the SDLC?
• Hosted applications
• Legacy applications
• Commercial off-the-shelf (COTS) applications
According to the Verizon 2014 Data Breach Investigations Report, “web applications remain the proverbial punching bag of the Internet” with 35% of breaches being caused by web application attacks.
Web Application Vulnerability Management Program
> 200 Web Applications
Big company with A LOT of Internet facing web applications.
Continuous
Assessments are running all the time, 24x7x365.
Actual Attack Surface
Live, production applications.
New Program
Built in the last year.
Web Application Vulnerability Management Framework
Policy
Inventory → Enroll → Assess → Report → Remediate → (re-)Assess
Defect Tracking
Metrics
GOAL – Identify & Reduce Risk
Vulnerability Management
cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities
Risk Management
process of identifying vulnerabilities and threats to the information resources used by
an organization in achieving business objectives, and deciding what countermeasures,
if any, to take in reducing risk to an acceptable level, based on the value of the
information resource to the organization
Understand web application specific risk exposure and bring it in line with policies.
Risk = (Threat × Vulnerability / Countermeasures) × Value
Preparation
Policy
Gives YOU the authority to run vulnerability assessments, sets remediation timelines, and
mandates secure coding practices and infrastructure configuration policies.
Processes
Decide what you’re doing. Get stakeholder approval.
Inventory
Create and maintain an inventory of web applications.
Project Management Integration
Hook into project management as a web application “go live” requirement.
Introductory Material
Create a communications plan. Build a packet of information to give application owners
as you enroll sites.
Scanning Tools
Choose a web application vulnerability scanner that fits your program requirements.
Dynamic Application Security Testing (DAST)
Detect conditions indicative of a security vulnerability in an
application in its running state
1. Spider Application
2. Fuzz Inputs
3. Analyze Response
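The three DAST steps above, as an added example that is not code from the slides or from any scanner named here. The target `fake_app` is a constructed in-memory stand-in for an HTTP server (one parameter reflected without encoding, one database error leaked on a quote), so the scan runs offline; the payloads and error signatures are a deliberately tiny illustration of what a real scanner carries.

```python
"""Minimal DAST loop: spider, fuzz inputs, analyze responses.

Added example, not code from the original slides. `fake_app` is a constructed
in-memory stand-in for an HTTP server (one unescaped reflection, one SQL error
leak) so the scan runs offline; pass a real fetch() that does HTTP to scan a
site you are authorised to test.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import (parse_qs, urlencode, urljoin, urlparse, urlsplit,
                          urlunsplit)


def fake_app(url):
    """Constructed target: returns the HTML a server would for `url`."""
    parts = urlsplit(url)
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path == "/":
        return ('<a href="/search?q=test">search</a> '
                '<a href="/item?id=1">item</a> <a href="/about">about</a>')
    if parts.path == "/search":                      # reflects q unescaped
        return "<p>Results for " + qs.get("q", "") + "</p>"
    if parts.path == "/item":
        item_id = qs.get("id", "")
        if "'" in item_id:                           # leaks a DB error
            return ("Error: You have an error in your SQL syntax near '"
                    + item_id + "'")
        return "<p>Item " + html.escape(item_id) + "</p>"
    return "<p>About</p>"


class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)


def spider(start, fetch, max_pages=50):
    """Step 1: crawl same-origin links; return the URLs that carry parameters."""
    origin = urlparse(start).netloc
    seen, queue, with_params = set(), [start], []
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        parser = LinkExtractor()
        parser.feed(fetch(url))
        for href in parser.links:
            absolute = urljoin(url, href)
            if urlparse(absolute).netloc == origin and absolute not in seen:
                queue.append(absolute)
        if urlparse(url).query:
            with_params.append(url)
    return with_params


# Step 2 payloads and step 3 response signatures (deliberately tiny).
PAYLOADS = {"xss": "<dastprobe>", "sqli": "1'"}
SQL_ERROR = re.compile(r"SQL syntax|ORA-\d{5}|syntax error at or near|SQLSTATE",
                       re.I)


def fuzz_and_analyze(url, fetch):
    """Steps 2-3: send each payload in each parameter, look for evidence."""
    findings = set()
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    for name in params:
        for kind, payload in PAYLOADS.items():
            mutated = dict(params, **{name: [payload]})
            probe = urlunsplit(parts._replace(query=urlencode(mutated, doseq=True)))
            body = fetch(probe)
            # Reflection of the raw marker means no output encoding on this
            # parameter; a real scanner would also check the HTML context.
            if kind == "xss" and payload in body:
                findings.add((kind, parts.path, name))
            if kind == "sqli" and SQL_ERROR.search(body):
                findings.add((kind, parts.path, name))
    return findings


def scan(start, fetch):
    """Run the three DAST steps; return sorted (type, path, parameter) tuples."""
    findings = set()
    for url in spider(start, fetch):
        findings |= fuzz_and_analyze(url, fetch)
    return sorted(findings)


if __name__ == "__main__":
    for finding in scan("http://target.example/", fake_app):
        print(finding)
```

Note that the scanner only sees what it can reach from the start page and only recognises what its signatures describe; that is exactly why the slides treat DAST as one input to the program and not as the program.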
Building your Inventory - Reconnaissance
Google
Google your company name. Go through the top 100 results. Build a list of websites.
NMAP
nmap -P0 -p80,443 -sV --script=http-screenshot <ip range/subnet>
(-P0 is the old spelling of -Pn: skip host discovery so hosts that drop ping still get scanned. http-screenshot is a third-party NSE script, not shipped with Nmap; it needs wkhtmltoimage installed.)
Recon-ng
Web reconnaissance framework.
Google Dorks, IP/DNS Lookups, GPS, PunkSPIDER, Shodan, PwnedList, LinkedIn, etc…
DNS
Make friends with your DNS administrator; an export of your zones is the quickest inventory you will get.
Reverse Lookups – ewhois.com
Reverse lookups by registrant email address, or by a shared Google Analytics or AdSense ID, find sibling sites nobody told you about.
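Pulling the reconnaissance sources above into one inventory, as an added example (not code from the slides). `NMAP_XML` is a constructed sample in the shape `nmap -Pn -p80,443 -sV -oX scan.xml <range>` writes, with placeholder addresses and hostnames; `MANUAL_SITES` stands in for the list gathered from Google, the DNS administrator and reverse lookups. Entries are keyed by scheme and host so the same application found by two methods lands in the inventory once.

```python
"""Build a web application inventory from nmap -oX output plus a hand-made list.

Added example, not from the slides. NMAP_XML is a constructed sample in the
shape `nmap -Pn -p80,443 -sV -oX scan.xml <range>` produces; hostnames and
addresses are placeholders, MANUAL_SITES is a constructed hand-gathered list.
"""
import csv
import io
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -p80,443 -sV -oX scan.xml 192.0.2.0/28">
 <host><status state="up"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.18.0" tunnel="ssl"/></port>
  </ports></host>
 <host><status state="up"/>
  <address addr="192.0.2.11" addrtype="ipv4"/>
  <hostnames/>
  <ports>
   <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="Apache httpd" version="2.4.41" tunnel="ssl"/></port>
  </ports></host>
 <host><status state="down"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>"""

# Sites found by Google, the DNS administrator or reverse lookups (constructed).
MANUAL_SITES = ["https://www.example.com/", "https://portal.example.com/login"]


def parse_nmap(xml_text):
    """Return one inventory entry per open http/https port on a live host."""
    entries = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        name_el = host.find("hostnames/hostname")
        name = name_el.get("name") if name_el is not None else ip
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            if svc is None or not svc.get("name", "").startswith("http"):
                continue
            https = svc.get("tunnel") == "ssl" or svc.get("name") == "https"
            scheme = "https" if https else "http"
            portid = int(port.get("portid"))
            default = 443 if https else 80
            url = f"{scheme}://{name}" + ("" if portid == default else f":{portid}") + "/"
            product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            entries.append({"url": url, "ip": ip, "product": product, "source": "nmap"})
    return entries


def normalize(url):
    """Inventory key: lowercase scheme + host (+ non-default port), path dropped."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}/"


def build_inventory(xml_text, manual):
    """Merge scanner and hand-gathered sources; first source to see a site wins."""
    inv = {}
    for entry in parse_nmap(xml_text):
        inv.setdefault(normalize(entry["url"]), entry)
    for url in manual:
        key = normalize(url)
        inv.setdefault(key, {"url": key, "ip": "", "product": "", "source": "manual"})
    return inv


def to_csv(inv):
    """Render the inventory as CSV for the enrolment packet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["url", "ip", "product", "source"])
    writer.writeheader()
    for key in sorted(inv):
        writer.writerow(inv[key])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_inventory(NMAP_XML, MANUAL_SITES)))
```

Entries with `source` set to `manual` and an empty `ip` are the ones the scan missed; those are the hosted and legacy applications the earlier slide warns about, and they need a DNS or WHOIS follow-up before enrolment.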
Not Infrastructure Vulnerability Management
Not a cookie-cutter patch: the development team has to take time away from building new functionality.
Legacy Applications
What if we are no longer actively developing the application?
What if we don’t even employ developers who use that language?
Software Defects
Infrastructure folks have been doing patch management for years. Software developers
have been fixing “bugs.” Frame the vulnerability as a code defect.
Determine Level of Effort
Each fix is its own software development project.
Technical vs. Logical Vulnerabilities
A technical fix is usually straightforward and repetitive. Logical fixes can require
significant redesign.
Common Mistakes
Send PDF Report of 100 Vulnerabilities to Dev Team!
Avoid bystander apathy: a report addressed to everyone is owned by no one. File each
vulnerability as a defect in the development team’s own defect tracking tool, assigned to an owner.
No Approval or Notification
Knocking over an application that no one knew you were scanning could have
detrimental political effects.
Not Considering Business Context in Risk Ratings
Only looking at the automated tool’s risk ranking is not sufficient. Take the application’s
business criticality into consideration.
Forcing Developers to Use New Tools & Processes
Communicating with development teams using their existing tools and processes helps
to decrease friction between security and development organizations.
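The two slides above (frame the finding as a code defect, rate it with business context, file it in the developers' own tracker, do not re-file it on every rescan) as one added example; this is not code from the slides. The criticality-to-priority table, the SLA days, the project key `WEBSEC` and the priority names are assumptions standing in for whatever the policy says; the `{"fields": {...}}` payload is the shape JIRA's REST API v2 `POST /rest/api/2/issue` accepts, but nothing is sent here because `send` is a recording stub.

```python
"""Turn scanner findings into defects in the development team's tracker.

Added example, not from the slides. The priority table, SLA days, project key
and priority names are assumed policy values; `send` is a stub that records the
request instead of calling JIRA, so this runs offline.
"""
import hashlib

# Business criticality per application, from the inventory (constructed).
CRITICALITY = {"storefront": "high", "wiki": "low"}

# Scanner severity x business criticality -> defect priority (assumed policy table).
PRIORITY = {
    ("high", "high"): "P1", ("high", "medium"): "P2", ("high", "low"): "P3",
    ("medium", "high"): "P2", ("medium", "medium"): "P3", ("medium", "low"): "P4",
    ("low", "high"): "P3", ("low", "medium"): "P4", ("low", "low"): "P4",
}
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}   # remediation timelines (assumed)

# Constructed scanner output: same severity, very different business exposure.
SAMPLE_FINDINGS = [
    {"app": "storefront", "category": "Cross-Site Scripting", "path": "/search",
     "param": "q", "severity": "high", "tool": "dast", "evidence": "q reflected unencoded"},
    {"app": "wiki", "category": "Cross-Site Scripting", "path": "/page",
     "param": "title", "severity": "high", "tool": "dast", "evidence": "title reflected unencoded"},
]


def rate(finding):
    """Combine the tool's severity with the application's business criticality."""
    crit = CRITICALITY.get(finding["app"], "medium")   # unknown app: assume medium
    return PRIORITY[(finding["severity"], crit)]


def defect_key(finding):
    """Stable key so a rescan updates the existing defect instead of filing a duplicate."""
    raw = "|".join([finding["app"], finding["category"], finding["path"], finding["param"]])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def to_jira_issue(finding, project="WEBSEC"):
    """Defect written in the developers' terms: where, what, how urgent, how to see it."""
    pri = rate(finding)
    key = defect_key(finding)
    return {"fields": {
        "project": {"key": project},
        "issuetype": {"name": "Bug"},
        "summary": f"[{finding['app']}] {finding['category']} in {finding['path']} ({finding['param']})",
        "description": (f"Scanner: {finding['tool']}\nEvidence: {finding['evidence']}\n"
                        f"Priority {pri}: fix within {SLA_DAYS[pri]} days per policy.\n"
                        f"Dedupe key: {key}"),
        "priority": {"name": pri},          # assumes these names exist in the tracker
        "labels": ["webappvm", f"dedupe-{key}"],
    }}


def file_defects(findings, existing_keys, send):
    """Create one issue per new finding; return (created keys, skipped keys)."""
    created, skipped = [], []
    for finding in findings:
        key = defect_key(finding)
        if key in existing_keys:            # already tracked from an earlier scan
            skipped.append(key)
            continue
        send("POST", "/rest/api/2/issue", to_jira_issue(finding))
        existing_keys.add(key)
        created.append(key)
    return created, skipped


if __name__ == "__main__":
    def show(method, path, body):
        print(method, path, body["fields"]["summary"], body["fields"]["priority"])
    print(file_defects(SAMPLE_FINDINGS, set(), show))
```

In practice `existing_keys` comes from querying the tracker for the `dedupe-` label before the run; the label is what lets a second scan find the defect it already filed.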
Metrics – what makes a good metric (the criteria are Andrew Jaquith’s, from Security Metrics)
Consistently Measured
Anyone should be able to look at the data and come up with the same metric using a
specific formula or method. Metrics that rely on subjective judgment are not good.
Cheap to Gather
Metrics ought to be computed at a frequency commensurate with the process’s rate of
change. We want to analyze security effectiveness on a day-to-day or week-by-week
basis. Figuring out how to automate metric generation is key.
Expressed as a Number or Percentage
Not with qualitative labels like high, medium, or low.
Expressed Using at Least One Unit of Measure
Defects, hours, or dollars. Defects per Application. Defects over Time.
Contextually Specific
The metric needs to be relevant enough to decision makers that they can take action. If
no one cares, it is not worth gathering.
Metrics
Security Testing Coverage
Percentage of applications in the organization that have been subjected to security testing.
Vulnerabilities per Application
Number of vulnerabilities that a potential attacker without prior knowledge might find.
You could also count by business unit or criticality.
Company Top 10 Vulnerabilities
Like OWASP top 10, but organization specific
Mean-Time to Mitigate Vulnerabilities
Average time taken to mitigate vulnerabilities identified in an organization’s
technologies. This speaks to organization performance and the window in which the
vulnerability might be exploited.
Web App VM On the Cheap
Dynamic Application Security Testing (DAST) Tools
BurpSuite - $299, single license
OWASP Zed Attack Proxy (ZAP) – Open Source
Vulnerability Aggregation
ThreadFix – Open Source
Defect Tracking
JIRA - $10, 10 users
Bugzilla – Open Source