Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode



Digital Defense Inc (DDI) and Veracode present the "Crafting Super-Powered Risk Assessments" webinar and slides. The presentation covers security assessments, application security, and how to manage risk.



  1. Crafting Super-Powered Risk Assessments
     Gordon MacKay | EVP & CTO, Digital Defense, Inc.
     Chris Wysopal | CTO & Co-founder, Veracode
  2. Logistics
     • Presentation is designed for 30 to 45 minutes with time for questions.
     • Please use your control panel (shown on the right) to ask questions at any time during the presentation.
     • Presentation is being recorded.
     • Both presentation and slides will be made available.
  3. Gordon MacKay | Digital Defense, Inc.
     Gordon MacKay, Digital Defense Executive Vice President and Chief Technology Officer, is responsible for strategic design, planning, and establishment of platform road maps, new platform development initiatives, and maintenance of the Company’s security information event management platforms and proprietary assessment solutions. Gordon also oversees the Platform Development architecture as well as manages the Platform Development and Vulnerability Research organizations. Gordon started his career in 1991 as a systems engineer at Nortel Networks, where he designed Interactive Voice Response systems. Prior to joining Digital Defense, he held several research and development leadership positions at Alcatel USA in Dallas, Texas. Gordon is a frequent speaker at industry conferences and events.
  4. Chris Wysopal | Veracode
     Co-Founder and Chief Technology Officer Chris Wysopal is responsible for the security analysis capabilities of Veracode technology. Mr. Wysopal is recognized as an expert and a well-known speaker in the information security field and was recently named one of InfoWorld’s Top 25 CTOs and one of the 100 most influential people in IT by the editorial staffs of eWeek, CIO Insight and Baseline Magazine. Chris has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. He also has spoken as the keynote at West Point, to the Defense Information Systems Agency (DISA) and before the International Financial Futures and Options Exchange in London. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work.
  5. About Digital Defense, Inc.
     Founded in 1999, Digital Defense, Inc., is the premier provider of managed security risk assessment solutions protecting billions in assets for small businesses to Fortune companies in over 65 countries. Our dedicated team of experts helps organizations establish an effective culture of security and embrace the best practices of information security. Through regular assessments, awareness education and rapid reaction to potential threats, our clients become better prepared to reduce risk and keep their information, intellectual property and reputations secure.
     In response to market intelligence and industry demand, DDI is the first information security provider to launch a Vulnerability Assessment (VA) Tool “Trade-In” program. This innovative offering is designed to maximize Information Security ROI for organizations through an applied credit equal to the annual licensing maintenance fee spent on idle and inefficient VA tools. A fully managed and enterprise-wide vulnerability scanning program is now available for companies taking advantage of this unique solution, with the applied credit worth up to 100% of the first year of DDI’s unparalleled VLM-Pro service. 888.273.1412
  6. Agenda
     • Risk Management Challenges
     • Network Assessments – Assessing Risk Outside In
     • Application Assessments – Assessing Risk Inside Out
     • Combining Network and Application Assessments
     • Ongoing Research and Development
  7. The Risk Game – Play Along. Which picture represents the most risk?
  8. What is Risk?
     • Risk is Relative to an Entity
     • Risk Involves: 1. An Entity with a Goal – Something to Gain/Lose; 2. An Entity with Weaknesses/Disadvantages; 3. An Environment Capable of Taking Advantage of Weaknesses
     Risk = Threat x Vulnerability x Cost
  9. Evolution of Species – One Solution to Risk
  10. Business Organizations Analogous to Living Organisms
     • Organizations have Goals and Desires
     • Have Weaknesses and Limited Resources
     • Face Threats – Internal Flaws, Natural Disasters, Competitors, and More
     • Optimal Resource Allocation Depends on Environment
     • Organization’s Environment Continuously Changes
     Organizations Must Evolve in order to Survive and Grow
  11. Risk Management Challenges
     • What is Value and Where is it Located?
     • What are the Dangers to the Organization’s Value?
     • What are the Weaknesses of Value Containers?
     • What Risk Level is Acceptable?
  12. Risk Management Existing Solutions – Weaknesses
     • No Existing Technology/Solution Accounts for All Risk
     • Often, a given solution accounts for only part of Risk within its own Security Silo
     Security silos (diagram): Event Monitoring, Endpoint Security, Network Security, Application Security, Access Management
  13. Risk Management – Network Assessment: Assessing Outside In
     • Automatically Inventory Containers
       – Attack Surface – Fully Visible, Camouflaged, Invisible
       – Location – Externally Internet facing versus deep within the Organization’s Internal Network
       – Other Container Details
     • Allow Mapping Assets to Containers
     • Allow Value Assignments to Containers
     • Assess Weaknesses of Containers
  14. Network Assessment Seen From Threat’s Point of View
     Diagram labels: Client Asset External Containers; NIRV Vulnerability Assessment Scanner (external, via the Internet); NIRV Scanner Authenticated Vulnerability Assessment (internal); FSP Servers; Vulnerability Results; DDI Cloud-Based Vulnerability Management System; Client Network
  15. Network Assessment Strengths
     • Hosts (Computers or Containers)
     • Network Map
     • Operating System
     • Open Ports, Services, Applications
     • Vulnerabilities within OSI Layer 2-7 – Many Known Vulnerabilities – Generic (e.g. SQL Injection)
     • Misconfigurations (e.g. Passwordless Protocols, Easily Guessable Passwords, SNMP configuration issues, much more)
  16. Network Assessment Challenges
     • Most Compromises
     • Most Malware, Viruses
     • Most Backdoors
     • Most Unknown (Zero Day) Vulnerabilities
     • Hidden Weaknesses (e.g. no or poor use of Encryption)
     • Most Business Logic Issues
     • Most Security Architecture Weaknesses
     • Some Known Vulnerabilities
  17. Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode cloud-based platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. Assessment techniques include: Static binary analysis; Dynamic analysis; Manual analysis. More information available at
  18. Layers (diagram): Applications; End points/OS; Network; Data. The Application layer is the most exposed to the attacker. Even with hardened end points and networks, vulnerabilities in applications can allow attackers to access data.
  19. OWASP Top Ten
  20. Weakness categories (diagram):
     • Insecure Interaction Between Components: SQL Injection, Command Injection, XSS, Unrestricted upload, Open Redirect, CSRF
     • Risky Resource Management: Buffer Overflow, Path Traversal, Download of code with no check, Untrusted inclusion, Dangerous function, Format String, Integer Overflow
     • Porous Defenses: Missing Authentication, Missing Authorization, Hard coded credentials, Missing encryption, Untrusted inputs in security decision, Incorrect permission assignment, Unnecessary Privileges, Incorrect authorization, No restriction of authorization attempts, Use of one way hash with no salt, Broken crypto
  21. From Risk Awareness to Risk Mitigation with an Application Security Program: Identify Portfolio → Assess Vulnerabilities → Manage Risk
  22. Identify Application Portfolio – Get a handle on “application sprawl”
     • Involve business units, procurement and vendor management, and automated discovery
     • Consider regulatory impact, data leakage risk, operational risk
     • Create a policy
  23. Assess Vulnerabilities – Understand vulnerabilities in your application portfolio
     • Leverage automated analysis techniques
     • Static and dynamic scanning
     • Engage third-party vendors and service providers
  24. Multiple Analysis Techniques Improve Coverage of Vulnerability Classes
     • Universe of application security vulnerabilities is extensive
     • There is no “silver bullet” – each technique has strengths and weaknesses
     • A complete analysis includes: Static analysis (i.e. White Box); Dynamic analysis (i.e. Black Box); Penetration testing
     • Automation allows manual penetration testers to focus on vulnerabilities only humans can find
     Diagram: Automated Static, Automated Dynamic, Penetration Testing
  25. Static Analysis
     • Analysis of software performed without actually executing the program
     • Full coverage of the entire source or binary
     • In theory, having full application knowledge can reveal a wider range of bugs and vulnerabilities than the “trial and error” of dynamic analysis
     • Impossible to identify vulnerabilities based on system configuration that exist only in the deployment environment
  26. Dynamic Analysis
     • Analysis of software performed against a running instance of the program
     • Most accurately mimics how a malicious user would attack the application
     • Due to the lack of internal application knowledge, discovering vulnerabilities can take longer and coverage may be limited
     • Cannot generate and test all possible inputs in reasonable time
     • Exposes vulnerabilities in the deployment environment
  27. Managing risk is more than just a list of vulnerabilities. How can this be combined with other risk information?
     • Asset criticality
     • Network location
     • Host vulnerabilities
     Combining application scan data with network scan data is a great start.
  28. Combining App Testing and Vuln Scanning
     • Network vulnerability scanner knows where all the web applications are.
     • It knows of any host vulnerabilities.
     • It may know about the criticality of assets the application has access to.
     • Application testing has knowledge of vulnerabilities that network vulnerability scanners don’t know about.
  29. DDI-Veracode Provide Evolution Towards Enterprise Security Intelligence: Digital Defense – Vulnerability Management; Veracode – Application Assessments
  30. Network and Application Assessment – Enterprise Security Intelligence
     • Assessed Applications Mapped to Network Discovered Containers Provide Increased Environmental Context
     • Improved Vulnerability Class Coverage
     • More Accurate Risk Assessments
  31. Integration Sneak Peek
  32. Integration Sneak Peek
  33. What’s Next?
     • Correlating Application Assessment findings to Network Assessment findings (vulnerability overlaps)
     • Emergence of One Risk Rating per container that considers Assessed Applications and Network Assessment Findings
     • Advanced Analytics Sourcing data from Two Security Cloud Providers
     • Learn more at the Veracode-DDI talk at RSA USA 2013: “SAST, DAST And Vulnerability Assessments, 1+1+1 = 4”
  34. Questions? Contact: Gordon MacKay, Digital Defense Inc. (@gord_mackay); Chris Wysopal, Veracode (@weldpond). 12/19/2012
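The correlation that slides 27, 28 and 33 describe (network scan supplies container location, asset criticality and host vulnerabilities; application testing supplies weaknesses the network scanner cannot see; overlaps are matched and one rating is produced per container) can be sketched as a small merge step. This is an added example, not code from DDI or Veracode: the record layout, the `THREAT_BY_LOCATION` weights and all host, application and finding data are constructed for illustration, and the per-container score is the slide 8 formula Risk = Threat x Vulnerability x Cost with network location as the Threat term, the worst finding as the Vulnerability term and asset criticality as the Cost term.

```python
"""Correlate network-scan and application-scan findings into one risk rating per container."""

# Constructed sample data; the record layout is an assumption, not either vendor's format.
# Network assessment: one record per discovered container (host), with location,
# asset criticality (the "Cost" term), hosted applications and host-level findings.
NETWORK_HOSTS = [
    {"host": "web-01", "location": "external", "criticality": 5,
     "apps": ["shop.example.test"],
     "findings": [("CWE-89", "SQL Injection", 9.0), ("CWE-16", "SNMP misconfiguration", 5.0)]},
    {"host": "db-01", "location": "internal", "criticality": 5, "apps": [],
     "findings": [("CWE-306", "Passwordless protocol", 7.5)]},
    {"host": "kiosk-07", "location": "internal", "criticality": 1,
     "apps": ["intranet.example.test"], "findings": []},
]

# Application assessment: findings per assessed application, keyed by the hostname it runs on.
APP_FINDINGS = {
    "shop.example.test": [("CWE-89", "SQL Injection", 9.0), ("CWE-352", "CSRF", 6.5)],
    "intranet.example.test": [("CWE-798", "Hard-coded credentials", 7.0)],
}

# "Threat" term (assumed weights): an Internet-facing container is more exposed than an internal one.
THREAT_BY_LOCATION = {"external": 1.0, "internal": 0.4}


def correlate(hosts=NETWORK_HOSTS, apps=APP_FINDINGS):
    """Return {host: {"findings": {cwe: (name, score, sources)}, "risk": float}}."""
    report = {}
    for h in hosts:
        merged = {cwe: (name, score, {"network"}) for cwe, name, score in h["findings"]}
        for app in h["apps"]:
            for cwe, name, score in apps.get(app, []):
                if cwe in merged:  # overlap: the same weakness reported by both assessments
                    prev_name, prev_score, sources = merged[cwe]
                    merged[cwe] = (prev_name, max(prev_score, score), sources | {"application"})
                else:
                    merged[cwe] = (name, score, {"application"})
        # "Vulnerability" term: worst finding on a 0-10 scale, normalised to 0-1.
        vuln = max((score for _, score, _ in merged.values()), default=0.0) / 10.0
        risk = THREAT_BY_LOCATION[h["location"]] * vuln * h["criticality"]
        report[h["host"]] = {"findings": merged, "risk": round(risk, 2)}
    return report


def overlaps(report):
    """Per host, the CWE ids confirmed by both the network and the application assessment."""
    return {host: sorted(cwe for cwe, (_, _, src) in r["findings"].items() if len(src) == 2)
            for host, r in report.items()}
```

Note that `kiosk-07` has no host-level findings at all, so a network scanner alone would rate it clean; the hard-coded credential surfaces only once the application assessment is mapped onto the container.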