Speakers: Frank Breedijk, Glenn ten Cate
Language: English
Seccubus automates vulnerability scanning with: Nessus, OpenVAS, Nmap, SSLyze, Burp, Medusa, SkipFish and SSL Labs.
Anyone who has ever used a vulnerability scanner like Nessus or OpenVAS will be familiar with one of their biggest drawbacks. They are very valuable tools, but unfortunately they are also very noisy. The time needed to report on the findings of a scan is often two or three times the time needed to do the actual scan. Seccubus was created to analyze the results of regular vulnerability scans more effectively. It was designed with defenders in mind who have to scan the same infrastructure regularly.
CONFidence: http://confidence.org.pl/pl/
4. CONFIDENCE
CONFERENCE
C. Lueless
Mission:
• Perform a bi-weekly vulnerability scan of all our public IP addresses
B. Rightlad
A STORY ABOUT TWO GUYS
These and all non-attributed photos of Frank Breedijk
are taken by Jan Jacob Bos
10.
Scanners are written for consultants, not operations
Scanners need to make a tradeoff between false positives and false negatives
Most scanners produce an awful lot of output
Scanning takes time, tools are poorly automated
WHAT IS C. LUELESS’ PROBLEM?
20.
Is the work in balance with the profit?
BALANCE
A fine balance a CC NC ND Image by Anish B George
https://www.flickr.com/photos/22199070@N00/3311106984/
35.
Don’t bother users with non-actionable findings
OK IS OK…
Woo a CC NC SA image by Rick Harrison
https://www.flickr.com/photos/81851211@N00/2682663297/
49.
Monthly Seccubus runs mean:
Scans are scheduled via crontab
Only the findings that need attention get it
Fewer errors due to less repetitive work
The amount of effort is proportional to the amount of changes
Risk is proportional to the amount of changes
SO…
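The delta idea behind these slides (compare each scheduled run with the previous one, report only what is new or changed, and keep findings the operator has marked as non-actionable quiet), written as an added example and not Seccubus's own code. The finding key, the state names and all sample findings are assumptions of this sketch and are constructed.

```python
"""Delta analysis of recurring vulnerability scans (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin: str   # identifier of the scanner check (assumed key component)
    output: str   # the scanner's raw text for this check

    @property
    def key(self):
        return (self.host, self.port, self.plugin)


def classify(previous, current, no_issue=frozenset()):
    """Return {finding key: state} by diffing two runs of the same scan.

    NEW      seen for the first time in this run
    CHANGED  seen before, but the scanner output differs (also for NO ISSUE
             findings, because changed evidence must be re-evaluated)
    NO ISSUE unchanged and marked non-actionable by the operator
    OPEN     unchanged and still waiting for a fix
    GONE     present last run, absent now
    """
    prev = {f.key: f for f in previous}
    cur = {f.key: f for f in current}
    states = {}
    for key, finding in cur.items():
        if key not in prev:
            states[key] = "NEW"
        elif finding.output != prev[key].output:
            states[key] = "CHANGED"
        elif key in no_issue:
            states[key] = "NO ISSUE"
        else:
            states[key] = "OPEN"
    for key in prev.keys() - cur.keys():
        states[key] = "GONE"
    return states


def actionable(states):
    """Only NEW and CHANGED findings are worth an operator's time."""
    return sorted(k for k, s in states.items() if s in ("NEW", "CHANGED"))


# Constructed sample runs: previous month and this month (hosts are RFC 1918 placeholders).
PREVIOUS = [
    Finding("10.0.0.5", 443, "ssl-weak-cipher", "TLS 1.0 enabled"),
    Finding("10.0.0.5", 22, "ssh-banner", "OpenSSH 6.6"),
    Finding("10.0.0.5", 8080, "http-debug", "TRACE method allowed"),
    Finding("10.0.0.7", 80, "http-server-header", "Server: Apache"),
]
CURRENT = [
    Finding("10.0.0.5", 443, "ssl-weak-cipher", "TLS 1.0 enabled"),   # still open
    Finding("10.0.0.5", 22, "ssh-banner", "OpenSSH 7.4"),             # output changed
    Finding("10.0.0.7", 80, "http-server-header", "Server: Apache"),  # accepted, unchanged
    Finding("10.0.0.9", 3306, "mysql-open", "MySQL 5.7 reachable"),   # new finding
]
NO_ISSUE = frozenset({("10.0.0.7", 80, "http-server-header")})

if __name__ == "__main__":
    states = classify(PREVIOUS, CURRENT, NO_ISSUE)
    for key, state in sorted(states.items(), key=lambda kv: kv[1]):
        print(f"{state:9s} {key[0]}:{key[1]} {key[2]}")
    print("to report:", actionable(states))
```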
56.
It does not try to capture everything
It does not try to fit each case
The specification is not 63 pages
Simple to read
Simple to write
Simple to use
Simple License (MIT)
Easy to integrate new tools into Seccubus
IVIL
57.
Joined Schuberg Philis 2 years ago
Main focus: Web Application Security
We need to integrate this into our pipeline
ENTER GLENN
Enter here a CC NC ND image by Anne Petersen
https://www.flickr.com/photos/60258967@N00/4183985730/
59.
Google’s web application security scanner
Open Source
Noisy
Not very subtle
Not production safe!
FIRST WIN: SKIPFISH
Skip w/ fish a CC NC ND image by AlBakker
https://www.flickr.com/photos/45213160@N00/206944920/
60.
Open source
Like Burp but free (as in speech)
Actively developed and maintained
OWASP Flagship Project
SECOND WIN: OWASP ZAP
IEEE Scrum a CC NC SA image by Jim Carson
https://www.flickr.com/photos/44124442504@N01/2208956607/
61.
Help developers write better code
Enable Security by Design
• Knowledge system for risk analysis
Code Securely
• Code examples
Check code before commit
• OWASP Application Security Verification Standard
Newly adopted as OWASP Project
SECURITY KNOWLEDGE FRAMEWORK
Moving Hacks a CC NC SA image by Brian Sawyer
https://www.flickr.com/photos/45609637@N00/229360390/
62.
Coding
• Perl
• Angular
Requirements
• What do you want?
Testers
• Challenge the quality of our crack ;)
Documentation
• Help us get new users
Users
SECCUBUS CAN USE YOUR HELP
Image: Hang On, a CC NC ND image from brraveheart's photostream
63.
First public preview of the new interface
SNEAK PREVIEW
"Celebs" a cc by nc sa licensed photo by Nick Sherman:
http://flickr.com/photos/nicksherman/4145966095/
67.
New user interface (RSN)
Start/schedule scans from the GUI
Integration with Security Knowledge Framework
Add user/rights management
Track issues as well as findings
Reporting
More???
ROADMAP
Albany NY 1950 a CC image by david
https://www.flickr.com/photos/23465812@N00/6877290919/