Web Application Vulnerability Management

Published on

How to build a web application vulnerability management program.

Published in: Technology


  1. Building a Web Application Vulnerability Management Program
  2. Jason Pubal
     Blog: www.intellavis.com/blog
     Social: linkedin.com/in/pubal, twitter.com/pubal
  3. Agenda: Introduction, Preparation, DAST Tools, VM Process, Metrics, VM on the Cheap
  4. Goal – Identify & Reduce Risk
     • Vulnerability management: the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.
     • Risk management: the process of identifying vulnerabilities and threats to the information resources an organization uses to achieve its business objectives, and deciding what countermeasures, if any, to take to reduce risk to an acceptable level, based on the value of the information resource to the organization.
     • The program's job is to understand the organization's web-application-specific risk exposure and bring it in line with policy.
  5. Vulnerability Management (Gartner)
  6. Software Assurance Maturity Model (OWASP OpenSAMM)
  7. Building Security In Maturity Model (BSIMM)
  8. Application Security Touchpoints
  9. What's Missing?
     • Recurring vulnerability assessments: infrastructure vulnerability scanning is standard practice, so why not scan applications the same way?
     • Bug bounty program: now an activity in BSIMM v5; run by Google and Facebook.
  10. Software Assurance Maturity Model
     • Security Testing: penetration tests and other automated security tests done before deployment.
     • Vulnerability Management: handling security incidents and externally reported vulnerabilities.
  11. Vulnerability Management Process: Policy, Inventory and Metrics underpin a cycle of Enroll → Assess → Report → Remediate (tracked in the defect tracker) → Assess again.
  12. Preparation
     • Policy: give yourself the authority to run vulnerability assessments, set remediation timelines, and require secure coding practices and infrastructure configuration standards.
     • Processes: decide what you are doing and get stakeholder approval.
     • Inventory: create and maintain an inventory of web applications.
     • Project management integration: hook into project management so that enrollment in the program is a "go live" requirement for every web application.
     • Introductory material: create a communications plan, and build a packet of information to give application owners as you enroll their sites.
     • Scanning tools: choose a web application vulnerability scanner that fits the program's requirements.
  13. Dynamic Application Security Testing (DAST)
     Detects conditions indicative of a security vulnerability in an application in its running state:
     • Step 1: spider the application to discover pages and inputs.
     • Step 2: fuzz the inputs with attack payloads.
     • Step 3: analyze the responses for signs that a payload took effect.
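The three DAST steps above, as an added example (not code from the deck or from any scanner it mentions). The target application is a constructed in-memory stand-in so the loop runs offline: `/search` reflects its parameter unencoded on purpose, `/profile` HTML-encodes it, and the analyzer flags only the former. The site name `app.example` and the marker payload are assumptions.

```python
"""
Minimal DAST loop: spider -> fuzz inputs -> analyze responses.
Runs against a constructed in-memory target, so no network is needed.
Added example; not a scanner from the original presentation.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urlencode, parse_qs

# --- Constructed target application (hypothetical; one handler per path) ---
def _home(params):
    return ('<html><a href="/search?q=test">search</a> '
            '<a href="/profile?name=me">profile</a> '
            '<a href="/about">about</a> '
            '<a href="http://other.example/x">external</a></html>')

def _search(params):
    q = params.get("q", [""])[0]
    return f"<html>Results for {q}</html>"            # deliberately unencoded reflection

def _profile(params):
    name = params.get("name", [""])[0]
    return f"<html>Hello {html.escape(name)}</html>"  # encoded reflection: not exploitable

def _about(params):
    return "<html>About us</html>"

TARGET = {"/": _home, "/search": _search, "/profile": _profile, "/about": _about}

def fetch(url):
    """Stand-in for an HTTP GET: returns (status, body) from the in-memory target."""
    u = urlparse(url)
    handler = TARGET.get(u.path)
    if handler is None:
        return 404, "not found"
    return 200, handler(parse_qs(u.query))

class LinkExtractor(HTMLParser):
    """Collects href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def spider(start, max_pages=100):
    """Step 1: breadth-first crawl of same-origin links; returns URLs in crawl order."""
    origin = urlparse(start).netloc
    visited, queue = [], [start]
    while queue and len(visited) < max_pages:
        url = queue.pop(0)
        if url in visited:
            continue
        status, body = fetch(url)
        visited.append(url)
        if status != 200:
            continue
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            full = urljoin(url, href)
            if urlparse(full).netloc == origin and full not in visited:
                queue.append(full)
    return visited

# Marker payload (assumed): unlikely to occur naturally and containing the
# characters that must be encoded in an HTML context.
MARKER = "zz9<\"'>"

def fuzz_and_analyze(urls):
    """Steps 2 and 3: put the marker into each query parameter and report
    responses that echo it back unencoded, the signature of reflected XSS."""
    findings = []
    for url in urls:
        u = urlparse(url)
        params = parse_qs(u.query)
        for name in params:
            mutated = dict(params)
            mutated[name] = [MARKER]
            test_url = u._replace(query=urlencode(mutated, doseq=True)).geturl()
            status, body = fetch(test_url)
            if status == 200 and MARKER in body:
                findings.append({"url": url, "param": name,
                                 "issue": "input reflected unencoded (possible XSS)"})
    return findings

def scan(start):
    """Full loop: crawl from the start URL, then fuzz every discovered parameter."""
    return fuzz_and_analyze(spider(start))

if __name__ == "__main__":
    for finding in scan("http://app.example/"):
        print(finding)
```

A real scanner does the same three things at far greater breadth: it also submits forms, mutates POST bodies, headers and cookies, and checks for many more response signatures (SQL error strings, time delays, path disclosure). The crawl is restricted to the starting origin for the same reason the slide on approval and notification gives later: scanning a host nobody agreed to is a political problem, not just a technical one.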
  14. Scanner Comparison – sectoolmarket.com
  15. Building Your Inventory – Reconnaissance
     • Google: search for your company name, go through the top 100 results, and build a list of websites.
     • Nmap: nmap -Pn -p80,443 -sV --script=http-screenshot <ip range/subnet>. -Pn skips host discovery (the slide's -P0 is the deprecated spelling of the same option); http-screenshot is a third-party NSE script that is not bundled with Nmap and needs wkhtmltoimage installed.
     • Recon-ng: web reconnaissance framework with modules for Google dorks, IP/DNS lookups, GPS, PunkSPIDER, Shodan, PwnedList, LinkedIn, and more.
     • DNS: make friends with your DNS administrator.
     • Reverse lookups (ewhois.com): reverse email lookup, or lookup by Google Analytics or AdSense ID, to find other sites registered to the same owner.
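The Nmap step above produces hosts and ports, not applications; the program's inventory needs URLs that can be enrolled and handed to a scanner. Below is an added example (not from the deck) that turns Nmap XML output (`nmap ... -oX scan.xml`) into a list of web application URLs and merges it with URLs found by the other sources on the slide. The XML and the extra URLs are constructed samples, and `10.0.0.0/29`, `example.com` and the product names in them are assumptions.

```python
"""
Build a web application inventory from nmap XML output (-oX) plus URLs found
by other reconnaissance sources. Added example; the scan data is constructed.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed nmap XML, trimmed to the elements this parser reads.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -p80,443,8080 -sV -oX scan.xml 10.0.0.0/29" version="7.94">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
  <hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.18.0" tunnel="ssl"/></port>
  </ports></host>
<host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/>
  <hostnames/>
  <ports>
    <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy" product="Jetty"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
  </ports></host>
<host><status state="down"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed URLs from the other sources on the slide (Google results, DNS).
OTHER_SOURCES = ["https://www.example.com/", "https://careers.example.com/"]

# Service names nmap uses for web servers (from its nmap-services table).
WEB_SERVICES = {"http", "https", "http-proxy", "http-alt", "ssl/http"}

def web_inventory(xml_text):
    """Return one dict per open web service: url, ip, hostname, product."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        name = hn.get("name") if hn is not None else ip
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            svc_name = svc.get("name", "") if svc is not None else ""
            portid = int(port.get("portid"))
            if svc_name not in WEB_SERVICES and portid not in (80, 443):
                continue  # open, but not something a web scanner should enroll
            # TLS is signalled by nmap's tunnel="ssl" attribute or the service name.
            tls = (svc is not None and svc.get("tunnel") == "ssl") \
                or svc_name in ("https", "ssl/http") or portid == 443
            scheme = "https" if tls else "http"
            default_port = 443 if tls else 80
            netloc = name if portid == default_port else f"{name}:{portid}"
            product = " ".join(x for x in (svc.get("product"), svc.get("version"))
                               if x) if svc is not None else ""
            rows.append({"url": f"{scheme}://{netloc}/", "ip": ip,
                         "hostname": name, "product": product})
    return rows

def merge_urls(rows, extra_urls):
    """De-duplicated, sorted URL list across all reconnaissance sources."""
    return sorted({r["url"] for r in rows} | set(extra_urls))

def to_csv(rows):
    """CSV text in the column order an enrollment spreadsheet would use."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["url", "ip", "hostname", "product"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    inventory = web_inventory(SAMPLE_NMAP_XML)
    print(to_csv(inventory))
    print("\n".join(merge_urls(inventory, OTHER_SOURCES)))
```

The inventory is the enrollment list, so it is worth keeping the `ip` and `product` columns: they tell you which hosts a scan will hit (for the approval and notification step) and which server stack a finding lands on when it is filed as a defect.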
  16. Vulnerability Management Process (process diagram repeated; see slide 11)
  17. Enrollment Process
  18. Vulnerability Management Process (process diagram repeated; see slide 11)
  19. Remediation Process
  20. Not Infrastructure Vulnerability Management
     • Not a cookie-cutter patch: the development team has to take time away from building new functionality.
     • Legacy applications: what if the application is no longer actively developed? What if we no longer employ developers who know that language?
     • Software defects: infrastructure teams have been doing patch management for years; software developers have been fixing "bugs" just as long. Frame the vulnerability as a code defect.
     • Determine level of effort: each fix is its own software development project.
     • Technical vs. logical vulnerabilities: a technical fix (output encoding, parameterized queries) is usually straightforward and repetitive; a logical fix can require significant redesign.
  21. Common Mistakes
     • Sending a PDF report of 100 vulnerabilities to the development team. Avoid bystander apathy: file findings in the development team's own defect-tracking tool.
     • No approval or notification: knocking over an application that nobody knew you were scanning can have detrimental political effects.
     • Not considering business context in risk ratings: the automated tool's risk ranking alone is not sufficient; take the application's business criticality into account.
     • Forcing developers to use new tools and processes: communicating with development teams through their existing tools and processes decreases friction between the security and development organizations.
  22. Vulnerability Management Process (process diagram repeated; see slide 11)
  23. Metrics: what makes a good one
     • Consistently measured: anyone should be able to look at the data and compute the same metric using a specific formula or method. Metrics that rely on subjective judgment are not good.
     • Cheap to gather: metrics ought to be computed at a frequency commensurate with the process's rate of change. We want to analyze security effectiveness day-to-day or week-by-week, so automating metric generation is key.
     • Expressed as a number or percentage, not as qualitative labels like high, medium, or low.
     • Expressed using at least one unit of measure: defects, hours, or dollars; defects per application; defects over time.
     • Contextually specific: the metric must be relevant enough to decision makers that they can act on it. If no one cares, it is not worth gathering.
  24. Metrics
     • Security testing coverage: percentage of applications in the organization that have been subjected to security testing.
     • Vulnerabilities per application: number of vulnerabilities a potential attacker without prior knowledge might find. You can also count by business unit or by criticality.
     • Company top 10 vulnerabilities: like the OWASP Top 10, but organization-specific.
     • Mean time to mitigate vulnerabilities: average time taken to mitigate vulnerabilities identified in the organization's technologies. This speaks to organizational performance and to the window in which a vulnerability might be exploited.
  25. (chart slide, no text)
  26. On the Cheap
     • Web application vulnerability scanner: Burp Suite ($299, single license); OWASP Zed Attack Proxy (ZAP), open source.
     • Defect tracking: JIRA ($10, 10 users); Bugzilla, open source.
     • Vulnerability aggregation: ThreadFix, open source.
  27. Jason Pubal (contact details as on slide 2)
  28. Thank You
