Code & Cannoli
< Security >
13th January 2016
@DevMob
#CodeCannoli
Code & Cannoli < Security >
17:30 - 18:15  Drinks, pasta & cannoli
18:15 - 19:00  Fabrizio Cilli: "Vulnerability: Assessing and Managing - A dive into the unexpected weaknesses"
19:00 - 20:00  Jacco van Tuijl: "Penetration Testing Process" - part 1
20:00 - 20:15  Break
20:15 - 21:15  Jacco van Tuijl: "Penetration Testing Process" - part 2
21:15          Drinks
Vulnerability: Assessing & Managing
Assessing the exposures won't close the circle
Vulnerable
A vulnerability is a weakness in an asset or group of assets. An asset's weakness could allow it to be exploited and harmed by one or more threat vectors.
In the cycle of a PDCA (Plan-Do-Check-Act) wheel, Assessing is a phase we can execute at will. Managing its results is an ongoing endeavour that impacts Governance and IT Operations and adds workload.
Surface and Core
We expose our business to external (Surface) attackers and to internal (Core) malicious users. The attack vectors are myriad, from networks to hosts and to their virtual counterparts.
The concept of an Attack Vector is vital when evaluating the severity of the vulnerabilities we assess in our environment, and the best way to understand it is to break down the CVSS score of a found vulnerability.
CVSS Access Vector (CVSS v2 base score)
BaseScore = round_to_1_decimal(((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact))
Impact = 10.41 * (1 - (1 - ConfImpact) * (1 - IntegImpact) * (1 - AvailImpact))
Exploitability = 20 * AccessVector * AccessComplexity * Authentication
f(Impact) = 0 if Impact = 0, 1.176 otherwise
AccessVector = case AccessVector of
  requires local access: 0.395
  adjacent network accessible: 0.646
  network accessible: 1.0
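To make the breakdown above concrete, here is a small CVSS v2 base-score calculator, added as an example for this page (it is not code from the talk or its author). The metric weights are the published CVSS v2 values; the vector strings fed to it are constructed samples, not findings from any real assessment. The last function shows the point of the slide: the same weakness, scored once per access vector, so you can see how much "network accessible" versus "requires local access" moves the number.

```python
"""CVSS v2 base-score calculator (added example, not from the original talk).

Weights are the published CVSS v2 metric values. Vectors passed in by the
caller are constructed samples used purely for illustration."""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights (published values)
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # local / adjacent / network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # high / medium / low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # multiple / single / none
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}         # none / partial / complete


def round_to_1_decimal(x: float) -> float:
    """CVSS specifies round-half-up to one decimal; Python's round() is banker's rounding."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into a metric -> value dict, rejecting malformed input."""
    parts = dict(item.split(":", 1) for item in vector.split("/"))
    expected = {"AV", "AC", "Au", "C", "I", "A"}
    if set(parts) != expected:
        raise ValueError(f"vector must carry exactly {sorted(expected)}: {vector!r}")
    return parts


def base_score(vector: str) -> float:
    """Apply the slide's formula: Impact, Exploitability, f(Impact), then round."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA_IMPACT[m["C"]])
                        * (1 - CIA_IMPACT[m["I"]])
                        * (1 - CIA_IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round_to_1_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def access_vector_breakdown(vector_without_av: str) -> dict:
    """Score the same weakness under each access vector (L, A, N) to show its weight."""
    return {av: base_score(f"AV:{av}/{vector_without_av}") for av in ("L", "A", "N")}


if __name__ == "__main__":
    # Constructed sample: a full-compromise weakness with no authentication needed.
    for av, score in access_vector_breakdown("AC:L/Au:N/C:C/I:C/A:C").items():
        print(f"AV:{av} -> {score}")
```

Running the block prints 7.2 for local, 8.3 for adjacent and 10.0 for network access: the only thing that changed is the vector, and the score moved by almost three points.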
Attack	Surface
Cyclic checks
The best exercise for achieving a "capable" response mechanism when a 0-day happens to be announced in the wild is to keep your test cycle in line with your asset base.
The limit in security operations is completeness: nothing can be measured as absolute, given the changing environment that IT Ops manage. To react to emerging threats, identification and sanitization need to be fast and precise.
Tools or Subscriptions?
A sound vulnerability management program does not cost in itself because of its technology requirements; it costs because it is part of a GRC (Governance, Risk and Compliance) program, one step towards smart governance and maintaining regulatory compliance.
Cyclic checks, synced with an asset manager, not only require IT Operations to react fast, but also require the assessment results (or reports) to be intelligently filtered and analysed against threat intel and frequently updated feeds.
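The filtering step described here is where most of the value of a cyclic check is won or lost. The following is an added example (not code from the talk or its author) of joining scanner output to an asset manager and a threat feed so that results come out ranked rather than raw. All records are constructed: the hostnames, the asset attributes, the feed, and the CVE-style identifiers are placeholders, not real vulnerabilities. The "exposure" field uses the Surface/Core split from the earlier slide, and hosts the scanner sees but the asset manager does not know are reported separately, because that gap is itself a finding.

```python
"""Triage of assessment results against an asset inventory and a threat feed
(added example, not from the original talk). All data below is constructed."""
from dataclasses import dataclass

# Constructed asset inventory; exposure follows the slide's Surface/Core split.
ASSET_INVENTORY = {
    "web-01": {"exposure": "surface", "criticality": 3, "owner": "web-team"},
    "db-01":  {"exposure": "core",    "criticality": 5, "owner": "dba"},
    "lab-07": {"exposure": "core",    "criticality": 1, "owner": "r&d"},
}

# Constructed threat-intel feed: placeholder identifiers seen exploited in the wild.
ACTIVELY_EXPLOITED = {"CVE-0000-0002"}

# Constructed scanner output: (host, placeholder identifier, CVSS base score, access vector)
SCAN_RESULTS = [
    ("web-01",  "CVE-0000-0001", 7.5,  "N"),
    ("db-01",   "CVE-0000-0002", 6.8,  "N"),
    ("lab-07",  "CVE-0000-0003", 9.3,  "N"),
    ("ghost-9", "CVE-0000-0004", 10.0, "N"),   # host absent from the inventory
]


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    access_vector: str
    criticality: int
    exposure: str
    owner: str
    exploited: bool

    @property
    def priority(self) -> float:
        """Risk ranking: CVSS weighted by asset criticality, boosted when the
        weakness is network-reachable on the Surface and/or known exploited."""
        score = self.cvss * self.criticality
        if self.exposure == "surface" and self.access_vector == "N":
            score *= 1.5
        if self.exploited:
            score *= 2
        return score


def triage(scan_results, inventory, exploited_feed):
    """Join scanner output to the asset manager.

    Returns (findings sorted by descending priority, hosts unknown to the inventory)."""
    findings, unknown = [], []
    for host, cve, cvss, av in scan_results:
        asset = inventory.get(host)
        if asset is None:
            unknown.append(host)     # the scanner knows a host the asset manager does not
            continue
        findings.append(Finding(host, cve, cvss, av, asset["criticality"],
                                asset["exposure"], asset["owner"], cve in exploited_feed))
    findings.sort(key=lambda f: f.priority, reverse=True)
    return findings, unknown


if __name__ == "__main__":
    ranked, unknown_hosts = triage(SCAN_RESULTS, ASSET_INVENTORY, ACTIVELY_EXPLOITED)
    for f in ranked:
        print(f"{f.priority:6.1f}  {f.host:7} {f.cve}  owner={f.owner} exploited={f.exploited}")
    print("hosts missing from the asset manager:", unknown_hosts)
```

Note how the raw CVSS order (lab-07 at 9.3 first) is not the order the triage produces: the low-criticality lab box drops to the bottom, the core database with a feed hit rises to the top, and the unknown host is surfaced for IT Operations to reconcile before the next cycle.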
Integrating Testing and Assessment
Security Programme: the great unknown. Well, not 100% unknown: we know we should commit to long-term integration between periodic (application and infrastructure) tests and cyclic vulnerability assessments; what is lacking is achieving it and maintaining that commitment.
Everything in IT can most probably be identified as a SYSTEM, with an INPUT, a TRANSFORMATION and an OUTPUT. Penetration Testing is a fundamental input to the Vulnerability Management Process, and together these can boost your Threat Response (and ROI).
Static analysis and Dynamic testing
Another element of a sound Vulnerability Management Process, especially in Enterprise environments, lies in the certainty of a qualitative analysis of algorithms before moving application architectures to the production environment.
Let me say that it is most likely that unsafe or lazy coding habits end up writing 0-days instead of saving us from them. Weak code will facilitate access to back-ends and data, and impair your vulnerability management program by adding what we might call future zero-days.
Weakness Awareness / Security Program Integration
Get the most, stay safe!
By combining the following actions we DO get the most, with a measurable return on our security programme investment.
Achievement
[Chart: Security Programme Investment Wheel, scale 0% to 100%; segments: Weakness Awareness, Security Program Integration, Achievement]
Weakness to Achievement: Insecurity ROI (START)

Investment / Returns (Effects)          Exposure Factor (Effects)
 0%  Open attack surface                99%  Easily violated by any vector
 5%  Increasing awareness               85%  Understanding attack surface
15%  Plans and deployments              75%  Reducing exposure by means of special tools
25%  Enabling interchange               50%  Integrating diverse tools to achieve intelligence
30%  Achieving returns                  25%  Only 0-days and unknown threats can hurt
A	practical	case	study.
What	happens	when.
The	Battleship	Yamato	!
… oops … that's the  !
… ehm … let's get back to  !
The	Battleship	Yamato
Assessing:
While in home waters after the winter 1944-1945 refitting (more anti-aircraft weapons), she was spotted and attacked by U.S. Navy carrier planes in March 1945. She escaped with light damage, but her vulnerability against the swarming American aircraft was now clear.
[…]
The Battleship Yamato
Q1: Looking at the battleship's architecture and defences, what would you assess as making the Battleship "vulnerable", in your opinion?
The Battleship Yamato
Exploit:
[…] At 1220 on 7 Apr 1945, while still some 270 miles north of Okinawa, after being tracked by American reconnaissance aircraft and submarines almost the entire way, Yamato was attacked by waves and waves of American carrier planes. […]
The Battleship Yamato
Q2: Through which attack vector could the vulnerability have been exploited?
The Battleship Yamato
Pwnage:
[…] After an agonizing two hours, the largest battleship in the world sank as the list reached nearly 90 degrees. […]
The Battleship Yamato
Q3: To adapt to the upcoming pwnage, what do you think it was possible to do on-the-fly? …or maybe after the inevitable happened?
The Battleship Yamato
Zero-Day:
[…] She then exploded twice under water; the cause of the explosion was likely the shells from the primary and secondary magazines falling off their shelves and detonating their fuses against the overhead. […]
The Battleship Yamato
Q4: What do you think was the reason for the opponent's forces to concentrate such a huge set of resources against this single target?
The Battleship Yamato
Loss:
Only 269 men survived the sinking of the super battleship (out of an original crew list of 2750).
Resilient
Definition and substantial meaning
OPEN TALK SESSION: R SAY ON TOPIC!
A few topics for you to join the talk [before the third beer ☺]!
Assessment
R SAY ON …
…
Code Security
R SAY ON …
…
Code Security
R SAY ON … OWASP ASVS v.3.0
Disclosure
R SAY ON …
…
Going home by Train?
R SAY ON … http://trainwatch.u0d.de/
Thanks for your time!
We hope our message in a bottle left the shores!
Send your feedback with the reference #CODECANNOLI on our Social Channels! To get in touch, use @DEVMOB instead!
Code&Cannoli - 150113 - Feeling Vulnerable is Good! - v.1.1