Scaling-up and Automating Web Application Security Tech Talk

These are the slides for the Tech Talk that Netsparker's CEO Ferruh Mavituna delivered at Infosecurity Europe in London.

During the presentation, Ferruh first talks about the three stages of the vulnerability detection process:

Discovery
Identify
Automate

Then he explains the pre-scan and post-scan challenges of automating the vulnerability detection process, such as configuring authenticated scans, handling URL rewrites, manually verifying false positives, and much more. Ferruh also explains how today's technology allows us to overcome most of these challenges and, as he puts it, "Automate what can be automated".

You can watch the presentation here: https://www.netsparker.com/blog/web-security/infosecurity-europe-tech-talk-automating-web-security/


Slide 1
Ferruh Mavituna, CEO
Scaling-Up & Automating Web Application Security
Netsparker

Slide 2: Discover

Slide 3: Discover & Prioritize
• Public Websites
  • Mission Critical
  • Temporary (i.e. short-term marketing websites)
  • Managed by 3rd party
• Internal Websites
  • Mission Critical
  • Developed in house
  • Developed by a 3rd party
  • Hardware Management Interfaces
• Staging Websites
  • Actively Developed
  • 3rd party & will be deployed

Slide 4: Discover & Prioritize
• Process
  • Internal asset management
  • Introducing a process & policy
• Automated Discovery
  • Effectively smart "port scanning"

Slide 5: Identify

Slide 6: Identify Vulnerabilities
• Configuration Issues
  • TLS, Web Server, Unnecessary features…
• Known Vulnerabilities and Out-of-date Dependencies
  • Known vulnerabilities in known applications and dependencies
  • Out-of-date JS libraries, modules, dependencies, frameworks…
• Unknown Vulnerabilities (zero-days)
  • SQL Injection, CSRF, XSS, LFI, RFI and similar vulnerabilities that are not known yet
• Lack of Security Best Practice and Proactive Measures
  • CSP, HSTS, Information Disclosure, Insecure Endpoints, Leaking data to 3rd party resources etc.
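The last bullet of slide 6 (CSP, HSTS, information disclosure) is the kind of check that automation handles well because it is a deterministic inspection of response headers. The following is an added example written for this page, not Netsparker's code or the talk's own material: it audits one response's headers and returns findings with a severity. The one-year HSTS threshold and the two sample header sets are assumptions constructed for the example.

```python
"""Audit HTTP response headers for the proactive-measure items on slide 6.

Added example, not the product's code. The severity labels and the one-year
HSTS minimum are assumptions chosen for illustration.
"""
import re

ONE_YEAR = 31536000  # assumption: common baseline for HSTS max-age, in seconds


def _parse_csp(value):
    """Turn 'default-src 'self'; img-src *' into {'default-src': ["'self'"], ...}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_security_headers(headers):
    """Return a list of (severity, message) for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HSTS: present, long enough, and covering subdomains
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("medium", "Strict-Transport-Security header missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(("low", f"HSTS max-age {age} is below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("info", "HSTS does not include subdomains"))

    # CSP: present and not neutralised for scripts
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("medium", "Content-Security-Policy header missing"))
    else:
        directives = _parse_csp(csp)
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append(("medium", "CSP allows inline scripts ('unsafe-inline')"))
        if "*" in script_src:
            findings.append(("medium", "CSP script-src allows any origin (*)"))

    # MIME sniffing protection
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))

    # Information disclosure: version numbers in banner headers
    for name in ("server", "x-powered-by"):
        value = h.get(name)
        if value and re.search(r"\d+\.\d+", value):
            findings.append(("info", f"{name} header discloses a version: {value}"))

    return findings


# Constructed sample responses for a run without any network access.
WEAK_HEADERS = {
    "Server": "Apache/2.4.1",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'; img-src *",
}

HARDENED_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_security_headers(hdrs))
```

Run against real traffic, the same function would take the header dict from an HTTP client; the point of the example is that every finding here is decided from the response alone, so it needs no manual verification and scales to thousands of sites.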
Slide 7: Automate

Slide 8: Automation
• Automation excels at
  • Scaling
  • Being consistent
  • Enforcing checks
  • Finding the majority of vulnerabilities
  • Eliminating human errors on repeated checks
• Limitations of automation
  • Logical issues
  • Extremely design-specific & platform-specific issues
  • Discovering all the flows & processes in websites

Slide 9: "Automate what can be automated"

Slide 10: Automation Challenges

Slide 11: Pre-scan Challenges
• Authenticated Scans
• URL Rewrite
• Custom 404 Pages
• Form Values
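Slide 11 lists custom 404 pages as a pre-scan challenge without saying why they matter: a site that answers every unknown path with HTTP 200 and a friendly "not found" page makes a crawler believe every path exists, and every check run against those phantom pages becomes a false positive. The usual remedy is to fingerprint the site's answer to paths that cannot exist and compare later responses against it. The code below is an added example illustrating that technique, not the product's implementation; the fake site, the three-sample probe count and the 0.9 similarity threshold are constructed assumptions.

```python
"""Soft-404 detection: learn how a site answers requests for paths that cannot
exist, then use that fingerprint to separate real pages from custom "not
found" pages that still return HTTP 200.

Added example, not the product's code. The site below is constructed.
"""
import difflib
import random
import re
import string

# Constructed stand-in for a target site: unknown paths get a 200 response
# with the requested path and a changing reference number echoed back.
REAL_PAGES = {
    "/login": "<h1>Sign in</h1><form method='post'><input name='user'><input name='pass'></form>",
    "/about": "<h1>About us</h1><p>We build things.</p>",
}


def fake_fetch(path):
    """Return (status, body) the way an HTTP client would (constructed)."""
    if path in REAL_PAGES:
        return 200, REAL_PAGES[path]
    return 200, f"<h1>Oops</h1><p>{path} was not found on this server. Ref 58213</p>"


def _normalise(body, path):
    """Strip the parts of a response that vary per request."""
    body = body.replace(path, "")          # drop the echoed request path
    body = re.sub(r"\d+", "0", body)       # collapse reference ids, timestamps
    return re.sub(r"\s+", " ", body).strip()


class NotFoundDetector:
    def __init__(self, fetch, samples=3, threshold=0.9, seed=None):
        self.fetch = fetch
        self.threshold = threshold
        rng = random.Random(seed)
        self.baselines = []
        for _ in range(samples):
            probe = "/" + "".join(rng.choices(string.ascii_lowercase, k=24))
            status, body = fetch(probe)
            self.baselines.append((status, _normalise(body, probe)))
        # A site that answers with a proper 404 needs no fingerprinting.
        self.soft_404 = any(status != 404 for status, _ in self.baselines)

    def is_not_found(self, path, status, body):
        """True if this response looks like the site's 'not found' page."""
        if status == 404:
            return True
        if not self.soft_404:
            return False
        norm = _normalise(body, path)
        for base_status, base_body in self.baselines:
            if base_status != status:
                continue
            if difflib.SequenceMatcher(None, norm, base_body).ratio() >= self.threshold:
                return True
        return False


def classify_paths(paths, fetch=fake_fetch, seed=1):
    """Label each path 'real' or 'not found' using a detector trained on fetch."""
    detector = NotFoundDetector(fetch, seed=seed)
    result = {}
    for p in paths:
        status, body = fetch(p)
        result[p] = "not found" if detector.is_not_found(p, status, body) else "real"
    return result


if __name__ == "__main__":
    print(classify_paths(["/login", "/about", "/admin"]))
```

The normalisation step is what makes the fingerprint stable: without removing the echoed path and the reference number, no two "not found" pages would match each other. A scanner that skips this step is the source of the "10,000 issues" problem on the post-scan slides.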
Slide 12: Post-scan Challenges
• False Positives
• Correlating Results
• Hot-patching vulnerabilities at WAF level

Slide 13: 10,000 Issues have been identified, Now what?
• How many of the identified vulnerabilities are real?
• What's the real risk?
• How long would it take to review all vulnerabilities to see which are False Positives?
• What kind of technical expertise do you need to accomplish this?

Slide 14: "Automation without accuracy cannot scale"

Slide 15: Elimination of False Positives
• How is it done manually?
• Can it be automated?

Slide 16: "If it's exploitable it cannot be a false positive"

Slide 17: Conclusion
• Securing thousands of web applications is possible
• Automate what can be automated
• Use the right tools for the job
• Understand what automation can and cannot do
• Plan for the long term
• Challenge the norm
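Slides 12, 13 and 16 together describe a triage problem: several tools report overlapping results, the same issue appears once per URL variant, and only findings backed by a proof of exploitability (slide 16) can be trusted without a manual look. The following added example, written for this page and not taken from the product, shows one way to correlate such output into a de-duplicated list ordered for review. The scanner names, the finding schema and the site-wide issue list are constructed assumptions.

```python
"""Correlate raw findings from several scanners into one de-duplicated list and
order it for review: confirmed (proof-backed) issues first, then by severity,
then by how many tools agree.

Added example, not the product's code. The findings below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Assumption: issue types that apply to the whole host, not to one path.
SITE_WIDE = {"missing-hsts"}

# Constructed scanner output: two tools, overlapping results, one with proof.
RAW_FINDINGS = [
    {"tool": "scannerA", "type": "sqli", "url": "https://app.example/item/17?id=17",
     "parameter": "id", "severity": "high", "confirmed": True},
    {"tool": "scannerB", "type": "sqli", "url": "https://app.example/item/42/",
     "parameter": "ID", "severity": "critical", "confirmed": False},
    {"tool": "scannerA", "type": "xss", "url": "https://app.example/search",
     "parameter": "q", "severity": "medium", "confirmed": False},
    {"tool": "scannerB", "type": "xss", "url": "https://APP.example/search?q=x",
     "parameter": "q", "severity": "medium", "confirmed": False},
    {"tool": "scannerA", "type": "missing-hsts", "url": "https://app.example/",
     "parameter": "", "severity": "low", "confirmed": False},
    {"tool": "scannerA", "type": "missing-hsts", "url": "https://app.example/login",
     "parameter": "", "severity": "low", "confirmed": False},
]


def finding_key(f):
    """Normalise host, path, parameter and type so duplicates collide."""
    u = urlsplit(f["url"])
    if f["type"] in SITE_WIDE:
        path = "*"
    else:
        path = u.path.rstrip("/") or "/"
        # /item/17 and /item/42 are the same endpoint with a different record id
        path = re.sub(r"/\d+(?=/|$)", "/{id}", path)
    return (u.netloc.lower(), path, f.get("parameter", "").lower(), f["type"])


def correlate(findings):
    """Merge raw findings into one record per normalised key."""
    groups = defaultdict(list)
    for f in findings:
        groups[finding_key(f)].append(f)
    merged = []
    for key, items in groups.items():
        merged.append({
            "host": key[0],
            "path": key[1],
            "parameter": key[2],
            "type": key[3],
            "tools": sorted({i["tool"] for i in items}),
            "confirmed": any(i.get("confirmed", False) for i in items),
            "severity": max((i["severity"] for i in items), key=SEVERITY_RANK.get),
            "instances": len(items),
        })
    return merged


def triage(findings):
    """Review order: proof-backed first, then severity, then tool agreement."""
    return sorted(
        correlate(findings),
        key=lambda m: (not m["confirmed"], -SEVERITY_RANK[m["severity"]], -len(m["tools"])),
    )


if __name__ == "__main__":
    for m in triage(RAW_FINDINGS):
        print(m["confirmed"], m["severity"], m["type"], m["path"], m["tools"], m["instances"])
```

Six raw findings collapse to three review items, and the one that carries a proof sorts to the top regardless of which tool rated it highest. The remaining items still need a human or a confirmation step, which is the slide's point: correlation shrinks the queue, accuracy is what empties it.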
