DevOps Indonesia "How Security with DevOps can Deliver more secure software"
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - Remediation) by Mr. Faisal Yahya
1. DevOps Indonesia
Jakarta, 20 June 2019
DevOps Community in Indonesia
Leveraging Vulnerability Management Beyond DPR (Discovery – Prioritization – Remediation)
Presented by: Faisal Yahya
2. About Faisal Yahya
CISSP, CCISO, CCSK v3&4, CSX-P, ITIL-Fv3, CySA+, CEI
CyberSecurity Nexus - Practitioner
Top ASEAN CIOs to follow on Twitter: https://www.cio.com/article/3342397/top-asean-cios-to-follow-on-twitter.html
Wrote for: Peerlyst | APACCIOOutlook | InfoKomputer | [ .. wait for this space .. ]
3. CVE-2019-0174 – RAMBleed Side Channel Attack
"The new attack methods described in this paper are not microprocessor-specific, they leverage known issues in DRAM memory. These attacks only impact DDR4 and DDR3 memory modules, and older generations DDR2 and DDR1 memory modules are not vulnerable to these attacks." (ORACLE, 11 June 2019)
• Threat found in March 2016; exploitation started in June 2019 (check http://www.thirdio.com/rowhammer.pdf)
https://www.theregister.co.uk/2019/06/11/rambleed_rowhammer_attack/
16 June 2019
PAGE3DevOpsIndonesia
4. Global CyberSecurity Landscape
The cyber attack surface has significantly increased through advances in automation and connected devices. Combine this with the commercialization of attack tools that were once limited to a nation state’s arsenal, and you have the ingredients for significant disruption.
The expected global cost of cybersecurity breaches across all sectors by 2021 is US$6 trillion. (ey.com)
5. CyberCrime: Global Statistic
Events per month, 2017 vs 2018 (source data from: https://www.hackmageddon.com)

Month   2017   2018
Jan       70     94
Feb       49    115
Mar       56     75
Apr       63     81
May       51     95
June      44     85
July      58    108
Aug       70     66
Sept      65     93
Oct       69     91
Nov       64    107
Dec       77     84
Total    736  1,094  (+49%)
AVG       61     91

potential catastrophic events?
6. The 4 Biggest Data Breaches of 2018
• 1.1 billion records breached (date disclosed: Jan 3, 2018)
• 340 million records breached (date disclosed: June 26, 2018)
• 150 million records breached (date disclosed: May 25, 2018)
• 500 million records breached (date disclosed: Nov 19, 2018)
On average, it takes 120 days to discover a data breach.
7. Target Distribution – Global – Top Ten (2018)
Hackmageddon, 2018
8. 2018 Vulnerabilities by Impact Type (Source: VulnDB, 2019)
• Integrity: 61%
• Confidentiality: 19%
• Availability: 15%
• Unknown: 5%
9. Indonesia - CyberSecurity Positioning (source: https://www.comparitech.com)
For each criterion: Indonesia's position out of 60 and value | Worst (rank 60) | Best (rank 1)

1. The percentage of mobiles infected with malware
   Indonesia: position 53/60, 25.02% of users | Worst: Bangladesh, 35.91% of users | Best: Japan, 1.34% of users
2. The percentage of computers infected with malware
   Indonesia: position 56/60, 24.7% of users | Worst: Algeria, 32.41% | Best: Denmark, 5.9% of users
3. The number of financial malware attacks
   Indonesia: position 54/60, 1.8% of users | Worst: Germany, 3% of users | Best: Ukraine, 0.3% of users
4. The percentage of telnet attacks (by originating country)
   Indonesia: position 49/60, 1.51% of users | Worst: China, 27.15% | Best: Algeria, Uzbekistan, and Sri Lanka, 0.01%
5. The percentage of attacks by cryptominers
   Indonesia: position 57/60, 8.8% of users | Worst: Uzbekistan, 14.23% of users | Best: Denmark, 0.61% of users
6. The best-prepared countries for cyber attacks
   Indonesia: position 54/60, 0.424 score | Worst: Vietnam, 0.245 score | Best: Singapore, 0.925 score
7. The countries with the most up-to-date legislation
   Indonesia: position 36/60, 4 key categories covered | Worst: Algeria, 1 key category covered | Best: France, China, Russia, and Germany, all 7 categories covered
10. Top 10 Vulnerabilities in 2018 – for …. (CVSS score 9.0 – 10.0; source: VulnDB)

Vendors (n=1,525):
1. Google Inc.: 407
2. Samsung: 250
3. SGP Tech.: 201
4. Adobe Systems: 158
5. Microsoft: 129
6. WECON Tech.: 110
7. Zoho Corp.: 92
8. LG Electronics: 72
9. Cisco Systems: 58
10. XEROX Corp.: 48

Products (n=1,495):
1. Google Pixel / Nexus: 258
2. Samsung Mobile (Android OS): 248
3. SilentOS: 201
4. Acrobat Reader DC: 130
5. Acrobat DC: 129
6. Acrobat: 127
7. LeviStudioU: 109
8. Chrome OS: 97
9. LG Mobile Devices (Android OS): 69
11. Current Prioritization Methods Don’t Help
• CVSS < 7: 1.3% resulted in a breach
• CVSS 7+: 6.9% resulted in a breach
(Kenna, 2019)
12. Areas of Interest - 2018
"… The number of software apps deployed by large firms across all industries world-wide has increased 68% over the past four years, reaching an average of 129 apps per company by the end of 2018…." (OKTA, 2019)
https://www.wsj.com/articles/employees-are-accessing-more-and-more-business-apps-study-finds-11549580017
13. 2018 Web Vulnerabilities by Specified Type
SQL injection and Cross-Site Scripting (XSS) vulnerabilities are still counted as the biggest threat for Web Applications.
15. Why Is Manually Managing Vulnerabilities Not Humanly Possible?
Vulnerabilities per year:
2014: 14,350 | 2015: 15,273 | 2016: 16,126 | 2017: 22,230 | 2018: 22,022
AVG days from Publish to Exploit: 19.68 days
AVG days from Publish to Event: 27.36 days
16. Security Challenges in DevOps
Software security is often viewed as an impediment to DevOps
• Barrier to velocity and innovation
• Causes deadlines to slip
• Time-consuming and doesn’t support hourly developments
• Needs a lot of customization
• No uniform way to provide continuous feedback
• Scaling remains a challenge
• Finally, no risk-based approach
17. The Three Biggest Challenges in Vulnerability Tracking
The number of vulnerabilities reported is continuously increasing
In 2010 < 10,000 vulnerabilities were reported. In 2018 > 22,000 vulnerabilities were disclosed. Two main reasons: more software being created and a growing focus on vulnerability research.
Vulnerability reporting is becoming decentralized
Too many sources reporting the same vulnerability cause many disputes.
The quality of vulnerability reports has generally fallen
Some reports are simply invalid or duplicates of already known vulnerabilities. The number of invalid CVEs is increasing.
18. Changes in the Threat Landscape
Carmine Rimi, 2019
22. Requirements for Vulnerability Management
Context: vulnerability scanners lack the context security teams require to prioritize what to remediate first.
Visibility: IT teams lack the visibility required to understand what to fix, how to fix it, and why.
Precision: poor reporting reduces visibility and reduces board confidence.
Measure + Prioritize + Predict
more than just: Detection – Prioritization – Remediation
27. Measure & Prioritize: UNIQUE Risk Rating

Threat categories:
• Spoofing Identity
• Tampering with Data
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege

Framework: DREAD (Damage Potential, Reproducibility, Exploitability, Affected users, Discoverability)

Calculation Formula: Rating = (D + R + E + A + D) / 5

Threats                                                      D   R   E   A   D   Rating
Repudiation (AVG from sub total)                                                 8.5
  Attacker obtains authentication credentials by Phishing   10   9   7   8  10   9
  SQL Command injection                                      8   8   8   9   7   8
  … more
Information Disclosure …
  … more
Denial of Service …
Elevation of Privilege …
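The DREAD calculation shown on this slide, worked through as an added Python example (this is not code from the presentation). It scores each threat on the five DREAD factors, rounds (D + R + E + A + D) / 5 half-up to the integer rating shown in the table (the rounding rule is an assumption inferred from the phishing row: 44 / 5 = 8.8 is shown as 9), averages the per-threat ratings within each category to produce the category's "AVG from sub total", and orders the register highest-rated first so the remediation queue follows the risk rating rather than a raw scanner score. The six categories listed on the slide are the STRIDE categories. The two Repudiation rows reuse the slide's numbers; the other threats, their scores and the tie-break rule (damage potential, then name) are constructed for illustration.

```python
"""DREAD rating and prioritization for a threat register (added example)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    category: str          # threat category (Repudiation, Denial of Service, ...)
    name: str
    damage: int            # D: Damage Potential, 0-10
    reproducibility: int   # R: Reproducibility, 0-10
    exploitability: int    # E: Exploitability, 0-10
    affected_users: int    # A: Affected users, 0-10
    discoverability: int   # D: Discoverability, 0-10


def dread_rating(d: int, r: int, e: int, a: int, dd: int) -> int:
    """Rating = (D + R + E + A + D) / 5, rounded half-up to an integer.

    The half-up rounding is an assumption inferred from the slide's table.
    """
    scores = (d, r, e, a, dd)
    for s in scores:
        if not 0 <= s <= 10:
            raise ValueError(f"DREAD factor out of range 0-10: {s}")
    return math.floor(sum(scores) / 5 + 0.5)


def threat_rating(t: Threat) -> int:
    return dread_rating(t.damage, t.reproducibility, t.exploitability,
                        t.affected_users, t.discoverability)


def category_ratings(threats) -> dict:
    """Per-category 'AVG from sub total': mean of the threat ratings, 1 decimal."""
    by_cat: dict = {}
    for t in threats:
        by_cat.setdefault(t.category, []).append(threat_rating(t))
    return {cat: round(sum(r) / len(r), 1) for cat, r in by_cat.items()}


def prioritize(threats) -> list:
    """Highest rating first; ties broken by damage potential, then by name (constructed rule)."""
    return sorted(threats, key=lambda t: (-threat_rating(t), -t.damage, t.name))


# Constructed register. The two Repudiation rows carry the slide's own scores;
# the remaining rows are illustrative values, not from the presentation.
THREATS = [
    Threat("Repudiation", "Attacker obtains authentication credentials by phishing", 10, 9, 7, 8, 10),
    Threat("Repudiation", "SQL command injection", 8, 8, 8, 9, 7),
    Threat("Information Disclosure", "Verbose stack trace exposes internal hostnames", 4, 10, 9, 6, 9),
    Threat("Denial of Service", "Unbounded file upload exhausts disk", 7, 8, 6, 10, 5),
    Threat("Elevation of Privilege", "Admin API missing role check", 10, 7, 5, 9, 3),
]


if __name__ == "__main__":
    print("Rating  Category                  Threat")
    for t in prioritize(THREATS):
        print(f"{threat_rating(t):>6}  {t.category:<24}  {t.name}")
    print()
    for cat, avg in category_ratings(THREATS).items():
        print(f"{cat}: AVG from sub total = {avg}")
```

Running the script prints the register in remediation order (the phishing threat at 9, then SQL injection at 8) and reproduces the slide's Repudiation average of 8.5. Keeping the factor scores as integers in a fixed 0-10 range is what makes ratings comparable across categories; a register that mixes scales loses exactly the "UNIQUE Risk Rating" the slide is after.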
28. Predict: Improving Current Landscape
[Threat model diagram; only the node labels survive extraction: TA01–TA04, C01–C03, A01–A04, each annotated "CVSS XX?"]
Model sample taken from: https://michenriksen.com/blog/drawio-for-threat-modeling
Take Control of your risk posture
30. Why do we need to Leverage Vulnerability Management?
1. Reporting: penetration scan reports are generated faster and with more context, reducing processing time by 57% (n=8, 2017). This is achieved by combining the countermeasure strategies for the same threat sources.
2. Remediation: this prioritization approach significantly reduces vulnerability exposure and the overall related risk.
3. Risk Metrics: reduction of the Risk Score, and also of the median time to discover and remediate high-risk issues.
4. Vulnerability Focus: contextual vulnerabilities help mitigate the exposure that carries reputational and financial risk to the company.
31. So, what do we get?
• Eventually we close the gap between the DevOps & Security teams.
• Implement predictive intelligence within the pipeline by:
  • Matching both the DevOps and Security teams’ velocity.
  • Providing contextual intelligence on changes in the threat landscape.
  • Supporting the organization’s business demands at scale.
32. Take away
• The latest technology innovations are highly likely to introduce new vulnerabilities and change the threat landscape. Exploits keep coming. Be vigilant!
• Developers can also introduce vulnerabilities outside of the code itself. Vulnerability Management involves finding flaws (or bugs).
• Vulnerability Management alone is not enough; you need to have your own risk model. Be contextual, or do more by: Measure, Prioritize, and Predict.