The document discusses application security program management and Vulnerability Manager. It describes the challenges of application security scanning and remediation, including that vulnerabilities often persist for months. Vulnerability Manager aims to address this by automating the import of scan data, generating virtual patches, and integrating with defect tracking systems. The presentation demonstrates Vulnerability Manager's core features and future plans to further develop the tool and metrics for measuring security maturity.

1. Application Security Program Management
with Vulnerability Manager
Bryan Beverly
June 2nd, 2010

2. Today's Presentation
• The challenges of application security scanning and remediation
• What Vulnerability Manager can do
• Next steps for Vulnerability Manager
• Next steps for you
1

3. Denim Group Background
• Privately-held, professional services organization
– Develops secure software
– Helps organizations assess and mitigate risk of existing software
– Provides training and mentoring so clients can build trusted software
• Software-centric view of application security
– Application security experts are practicing developers
– Development pedigree translates to rapport with development managers
– Business impact: shorter time-to-fix application vulnerabilities
• Culture of application security innovation and contribution
– Released Sprajax & Vulnerability Manager to open source community
– OWASP national leaders & regular speakers at RSA, OWASP, CSI
– World class alliance partners accelerate innovation to solve client problems
2

4. My Background
• 13-year business application development background
• Lead Consultant at Denim Group
• Provides technical oversight for Denim Group
development projects
• Responsible for Denim Group development lifecycle
standards and processes
• Performs black box and white box security assessments
• Performs on-site security training
• Co-developer and technical lead for Vulnerability
Manager project
3

5. Challenges with Scan-Centric Application Security Programs
• Too many application security programs
are scan-centric
– Run scans, generate reports, send to
development teams
• Not enough attention is paid to the entire
process
• Result: Vulnerabilities are not remediated
and continue to expose the organization
to risk
4

6. Post-Scan Remediation is the “Next” Big AppSec Issue
• Application Scanning Technologies are Improving
– Various improvements provide better testing coverage
• Qualys 2009 Black Hat Conference Paper
– Presented by Qualys CTO Wolfgang Kandek
– Network & host vulnerabilities persist for roughly 30 days from identification
– Measured across 140m Qualys’ SaaS client scans
– Exploitation cycle is getting shorter – down from 60 days in 2004 to 10 days
• WhiteHat Security Study on Application Vulnerabilities
– Application vulnerabilities persist much longer than network vulnerabilities
– Typical persistence timeframe measured in months, not days
• SQL Injection – 38 days
• Insufficient Authentication – 72 days
– Vulnerability time-to-fix metrics are not changing substantively, typically requiring
weeks to months to achieve resolution
5

7. Why Do Application Vulnerabilities Persist?
• Must rewrite software – can’t just turn “off” service
– Can be straightforward – XSS or SQL Injection
– Can be more difficult – logical errors
• Dev teams detached from security managers
– Lack of organizational influence over dev efforts
– Interaction and tracking between groups is inconsistent and one-off
• The formal process of aggregating and processing application-level
vulnerabilities is immature
– No automated way to import scanning results from multiple sources
• BB, WB, SaaS
– Sophisticated hand off to issue trackers evolving
– Interaction with other systems “one off”
6

8. The Emergence of Accelerated Software Remediation (ASR)
Technologies
• Security and risk managers are realizing the status quo is
unacceptable
– Application vulnerabilities exist in live environments for months
• A new set of technologies are emerging to address the post-scan
automation of application vulnerabilities
– Application security vendors are developing more post-scan functionality
• Many are creating gated communities and vendor lock-in
– Most 1st generation interactions are “one-to-one” with scanners & WAF’s
• Accelerated Software Remediation Technologies reduce lifespan of
application vulnerabilities:
– Automating import from multiple scanning systems
– “De-duplication” of vulnerabilities from dynamic & static scanners
– Ability to measure incremental improvement
– Capability to generate “virtual patches” to IDS/WAF
7

9. Vulnerability Manager: “ThreadFix”
• Mission: Allow organizations to centrally manage the entire range of
software assurance activities
• Finding vulnerabilities is easy – actually addressing the risk is hard
• Freely available under Mozilla 1.1 open source license
• Major Feature Areas
– Application Portfolio Management
– Vulnerability Import
– Real-Time Protection Generation
– Defect Tracking Integration
– Maturity Evaluation
8

10. Application Portfolio Management
• Many organizations do
not even have a
complete idea of their
application attack
surface
• Track applications,
metadata and
associated
vulnerabilities
9

11. Vulnerability Import
• Import, de-duplicate
and merge
vulnerability data from
a variety of free and
commercial tools
• Static and dynamic
analysis
10

12. Real-Time Protection Generation
• Generate vulnerability-
specific rules for
WAFs and IDS/IPS
• Automate the “virtual
patching” process
• Import logs to identify
vulnerabilities under
active attack
11

13. Defect Tracking Integration
• Group vulnerabilities
and send them to
software development
teams as defects
• Track defect status
over time
12

14. Maturity Evaluation
• Evaluate application
team practices via
maturity models such
as OpenSAMM
• Track practices over
time
13

15. Demonstration
14

16. Current Status
• “Technology Preview” release in January 2010
– Demonstrates underlying concepts
– Supports many major technologies
• Not yet recommended for production use
15

17. Future Plans
• Under active development heading toward 1.0alpha release
• Starting to see interest in customer-sponsored development
• Support for additional technologies – scanners, IDS/IPS/WAF, defect
trackers
• Metrics, reporting and visualization
16

18. So where do you go from here?
17

19. What you can do now!
• Conduct a mini-OpenSAMM assessment to understand your current
state of application vulnerability management
• Capture a post-scan workflow to better understand how application
vulnerabilities cycle through the remediation process
• Measure how long your most serious app vulnerabilities persist in your
production environment
• Analyze your static, dynamic, and manual results to understand where
there is overlap and coverage gaps
• Understand how application vulnerabilities are consumed by
development teams
– Understand what issue tracker they use
– Understand how vulns are represented and dealt with by devs
18

20. Contact Information
Bryan Beverly
bryan@denimgroup.com
Denim Group
(210) 572-4400
www.denimgroup.com
blog.denimgroup.com
vulnerabilitymanager.denimgroup.com
19