© 2019 Denim Group – All Rights Reserved
Building a world where technology is trusted.
Enumerating Enterprise
Attack Surface
Dan Cornell | CTO
Dan Cornell
• Founder and CTO of Denim
Group
• Software developer by
background
• OWASP San Antonio co-leader
• 20 years experience in software
architecture, development, and
security
Advisory
Services
Assessment
Services
Remediation
Services
Vulnerability Resolution
Platform
Building a world where technology is trusted
How we can help:
Denim Group is solely focused on helping build resilient
software that will withstand attacks.
• Since 2001, helping secure software
• Development background
• Tools + services model
So You Want To Roll Out a
Software Security Program?
• Great!
• What a software security program ISN’T
• Question: “What are you doing to address software
security concerns?”
• Answer: “We bought scanner XYZ”
• What a software security program IS
• People, process, tools (naturally)
• Set of activities intended to repeatedly produce
appropriately-secure software
Challenges Rolling Out
Software Security Programs
• Resources
• Raw budget and cost issues
• Level of effort issues
• Resistance: requires organizational change
• Apparently people hate this
• Open source tools
• Can help with raw budget issues
• May exacerbate problems with level of effort
• View the rollout as a multi-stage process
• Not one magical effort
• Use short-term successes and gains to fuel further change
You can’t defend unknown
attack surface
If everything is important
then nothing is important
[Translation]
Find out what applications you
have in your organization
Decide the relative importance of
applications and treat them
differently based on this
What Is Your Software
Attack Surface?
Software You
Currently Know
About
Why?
• Lots of value flows through it
• Auditors hassle you about it
• Formal SLAs with customers mention it
• Bad guys found it and caused an
incident (oops)
What?
• Critical legacy systems
• Notable web applications
What Is Your Software
Attack Surface?
Add In the Rest
of the Web
Applications You
Actually Develop
and Maintain
Why Did You Miss Them?
• Forgot it was there
• Line of business procured through non-standard channels
• Picked it up through a merger /
acquisition
What?
• Line of business applications
• Event-specific applications
What Is Your Software
Attack Surface?
Add In the
Software You
Bought from
Somewhere
Why Did You Miss Them?
• Most scanners only really work on web applications, so no vendor
pesters you about your non-web applications
• Assume the application vendor is
handling security
What?
• More line of business applications
• Support applications
• Infrastructure applications
What Is Your Software
Attack Surface?
MOBILE!
THE CLOUD!
Why Did You Miss Them?
• Any jerk with a credit card and the ability to submit an expense
report now runs their own private procurement office
What?
• Support for line of business functions
• Marketing and promotion
Attack Surface: The
Security Officer’s Journey
• Two Dimensions:
• Perception of Software Attack Surface
• Insight into Exposed Assets
[Chart: Perception on the horizontal axis, Insight on the vertical axis. Application types are added to the chart one at a time: Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications]
• As perception of the problem of attack surface widens, the scope of
the problem increases
• Discovery activities increase insight
• Over time you end up with a progression
• When you reach this point it is called “enlightenment”
• You won’t reach this point
First Decision
• What is considered to be in scope?
• Depends on how you want to manage
vulnerabilities and manage risk
Process
• Identify Application “Homes”
• Enumerate Applications
• Collect Metadata
• Repeat as Needed
So Where Are These Applications?
• Your Datacenters
• 3rd Party Datacenters
• Cloud Providers
Enumerating Applications
• Technical
• Network inspection
• DNS and other registry inspection
• Non-technical
• Interviews
• Other research
IP Range Detection
• IPOsint: https://github.com/j3ssie/IPOsint
• ip-osint.py -t CompanyName
• Data sources:
• Whois
• RIPE
• ARIN
• Hurricane Electric
• Censys
• SecurityTrails
• Verify the ranges before you scan them: organization names collide
in whois, and cloud-hosted assets sit in the provider’s ranges, not yours
Network Inspection
• nmap: https://nmap.org/
• Look for common web server ports:
• 80, 443, 8000, 8008, 8080, 8443
• Others depending on your environment
• nmap -sS -p 80,443,8000,8008,8080,8443 x.y.z.0/24
• -sS needs raw-socket privileges (run as root); add -Pn so hosts
that drop ping probes are still scanned, and -oG or -oX to save
output you can parse into an inventory
• Great for dense environments you control
• Largely datacenters
https://www.denimgroup.com/resources/blog/2016/03/threadfix-in-action-discovering-your-organizations-software-attack-surface-web-app-edition/
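A parser for the grepable output of the scan above, written for this page as an added example and not part of the original slides. It assumes the scan was saved with -oG and that the sample lines (constructed here, not captured from a real network; the 10.0.0.0/24 range, hostnames and service names are invented) follow nmap's documented Host:/Ports: line layout:

```python
"""Parse nmap grepable (-oG) output into a host -> open web ports map.

Added example, not from the original deck. Only the -oG layout is assumed:
one "Host:" line per responding host, tab-separated fields, and comma-separated
port records of the form port/state/protocol/owner/service/rpc/version/.
"""
import re
from collections import defaultdict

WEB_PORTS = {80, 443, 8000, 8008, 8080, 8443}

# Constructed sample output (invented range, names and services).
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Tue Sep 10 09:12:01 2019 as: nmap -sS -Pn -p 80,443,8000,8008,8080,8443 -oG web.gnmap 10.0.0.0/24
Host: 10.0.0.5 (web01.corp.example)\tStatus: Up
Host: 10.0.0.5 (web01.corp.example)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (3)
Host: 10.0.0.17 ()\tStatus: Up
Host: 10.0.0.17 ()\tPorts: 8443/open/tcp//https-alt///, 80/filtered/tcp//http///\tIgnored State: closed (4)
Host: 10.0.0.23 (jenkins.corp.example)\tStatus: Up
Host: 10.0.0.23 (jenkins.corp.example)\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (5)
Host: 10.0.0.40 ()\tStatus: Up
Host: 10.0.0.40 ()\tPorts: 443/closed/tcp//https///\tIgnored State: filtered (5)
# Nmap done at Tue Sep 10 09:13:44 2019 -- 256 IP addresses (4 hosts up) scanned in 103.21 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# port / state / protocol / owner / service / ...
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "open": {port: service}}} for every host
    with at least one open TCP port in WEB_PORTS."""
    hosts = defaultdict(lambda: {"hostname": "", "open": {}})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines
        ip, hostname = m.group(1), m.group(2)
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # "Status: Up" lines carry no port data
        for rec in fields["Ports"].split(","):
            pm = PORT_RE.match(rec.strip())
            if pm is None:
                continue
            port, state, proto, service = int(pm.group(1)), pm.group(2), pm.group(3), pm.group(4)
            if proto == "tcp" and state == "open" and port in WEB_PORTS:
                hosts[ip]["hostname"] = hostname
                hosts[ip]["open"][port] = service
    return {ip: h for ip, h in hosts.items() if h["open"]}


def unnamed_hosts(inventory):
    """IPs serving web ports with no reverse-DNS name: the assets nobody has
    labelled yet, which is where the interview work starts."""
    return sorted(ip for ip, h in inventory.items() if not h["hostname"])


def nonstandard_ports(inventory):
    """(ip, port) pairs on something other than 80/443: forgotten admin
    consoles, build servers and test instances tend to show up here."""
    return sorted((ip, p) for ip, h in inventory.items()
                  for p in h["open"] if p not in (80, 443))


if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    for ip, h in sorted(inv.items()):
        print(ip, h["hostname"] or "<no PTR>", sorted(h["open"]))
    print("unnamed:", unnamed_hosts(inv))
    print("non-standard ports:", nonstandard_ports(inv))
```

Point it at a real file with parse_gnmap(open("web.gnmap").read()). The two report functions pull out what usually needs follow-up: hosts with no reverse-DNS name, and hosts answering on something other than 80/443.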
DNS Inspection
• SubFinder: https://github.com/subfinder/subfinder
• docker run -it subfinder -d target.org
• Can get even more data with service-specific
API keys
• OWASP Amass: https://github.com/OWASP/Amass
• sudo docker run amass --passive -d target.org
• Newer releases moved enumeration under a subcommand:
amass enum --passive -d target.org
Mobile Application Identification
• Scumblr: https://github.com/Netflix-Skunkworks/Scumblr
• Purpose of tool evolved over time: originally searched app stores
and other sites for results matching your organization, later reworked
into a more general security automation framework
• Not currently maintained – looking for
maintainers
Interviews
• Line-of-business representatives
• Will need to translate their definition of
“application” to your definition
• Think in terms of business processes and
these can map to multiple applications and
microservices
• Tech leads
• More familiar with the deployed infrastructure
and other assets
Other Research
• Disaster recovery plans
• Accounting: invoices and expense reports reveal cloud providers
What is an “Application”
• What assets do we have?
• IP addresses
• Host names
• Mobile apps
• Business view of “applications”
• Challenge: Create a consolidated view
• Challenge: Correlate applications and the
supporting infrastructure
Collect Metadata
• Technical: Language, Scale
• Architectural: Web, Mobile
• Exposure: Public, Partner, Internal
• Regulatory: PCI, HIPAA, GDPR
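One way to build the consolidated view the last two slides ask for, as an added example rather than the deck's own tooling: it merges DNS enumeration output, IP range detection results, nmap findings and interview notes into one record per hostname, then tags exposure and hosting from the address. Everything in it is constructed: the hostnames, the netblocks (RFC 5737 documentation ranges), the RESOLVE map that stands in for a DNS lookup so the script runs offline, the open ports and the interview data.

```python
"""Consolidate discovery feeds into one inventory record per hostname.

Added example, not from the original slides. All inputs below are constructed.
"""
import ipaddress

SCOPE_APEXES = ["example.com"]

# Constructed: what subfinder and amass --passive might print for the apex.
# Note the overlap, the mixed case and the wildcard entry.
SUBFINDER_OUT = """\
www.example.com
api.example.com
Staging.Example.com
*.cdn.example.com
portal.example.com
www.example.net
"""
AMASS_OUT = """\
www.example.com
api.example.com
vpn.example.com
old-crm.example.com
"""

# Constructed: ranges an IPOsint-style whois/RIR lookup attributed to the organisation.
ORG_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for DNS resolution; replace with a resolver call in practice.
RESOLVE = {
    "www.example.com": "203.0.113.10",
    "api.example.com": "203.0.113.11",
    "staging.example.com": "198.51.100.7",   # not an org netblock: someone's cloud account
    "portal.example.com": "203.0.113.12",
    "vpn.example.com": "203.0.113.1",
    "old-crm.example.com": "10.20.30.40",    # internal only, but still published in DNS
    # cdn.example.com deliberately has no record
}

# Constructed: open web ports reported by nmap (see the Network Inspection slide).
OPEN_PORTS = {("203.0.113.10", 443), ("203.0.113.11", 443), ("198.51.100.7", 8080),
              ("203.0.113.12", 443), ("203.0.113.1", 443), ("10.20.30.40", 80)}

# Constructed: what the line-of-business interviews produced.
INTERVIEWS = {
    "Customer Portal": {"hosts": ["www.example.com", "portal.example.com", "api.example.com"],
                        "regulatory": ["PCI"]},
    "Legacy CRM": {"hosts": ["old-crm.example.com"], "regulatory": ["GDPR"]},
}


def normalize_names(*outputs, apexes=SCOPE_APEXES):
    """Merge tool outputs into one lower-cased, de-duplicated, in-scope name set."""
    names = set()
    for out in outputs:
        for line in out.splitlines():
            n = line.strip().lower().rstrip(".")
            if n.startswith("*."):
                n = n[2:]  # wildcard entries: keep the base name for follow-up
            if n and any(n == a or n.endswith("." + a) for a in apexes):
                names.add(n)
    return names


def classify(ip, org_blocks=ORG_NETBLOCKS):
    """(exposure, hosting) from the address alone; interviews refine it later.
    RFC 1918 is checked explicitly because ipaddress.is_private would also
    flag the RFC 5737 documentation ranges used in this sample."""
    addr = ipaddress.ip_address(ip)
    if any(addr in blk for blk in RFC1918):
        return "Internal", "on-premises"
    if any(addr in blk for blk in org_blocks):
        return "Public", "org netblock"
    return "Public", "third-party/cloud"


def build_inventory(names, resolve=RESOLVE, open_ports=OPEN_PORTS, interviews=INTERVIEWS):
    """One record per hostname, joining DNS, address, port and interview data."""
    owner = {h: app for app, d in interviews.items() for h in d["hosts"]}
    rows = []
    for n in sorted(names):
        ip = resolve.get(n)
        app = owner.get(n)
        if ip is None:  # stale or wildcard-only name: keep it, but flag it
            rows.append({"host": n, "ip": None, "exposure": "unresolved", "hosting": None,
                         "ports": [], "application": app, "regulatory": []})
            continue
        exposure, hosting = classify(ip)
        rows.append({"host": n, "ip": ip, "exposure": exposure, "hosting": hosting,
                     "ports": sorted(p for a, p in open_ports if a == ip),
                     "application": app,
                     "regulatory": interviews[app]["regulatory"] if app else []})
    return rows


def unassigned(rows):
    """Live web hosts no business owner claimed: the correlation gap to close next."""
    return [r["host"] for r in rows if r["ports"] and r["application"] is None]
```

Whatever unassigned returns is a live host nobody claimed in the interviews; that short list, not the raw DNS dump, is what to take back to the line-of-business representatives and tech leads.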
Value and Risk Are Not
Equally Distributed
• Some Applications Matter More Than Others
• Value and character of data being managed
• Value of the transactions being processed
• Cost of downtime and breaches
• Therefore All Applications Should Not Be
Treated the Same
• Allocate different levels of resources to assurance
• Select different assurance activities
• Also must often address compliance and
regulatory requirements
Do Not Treat All Applications
the Same
• Allocate Different Levels of Resources to
Assurance
• Select Different Assurance Activities
• Also Must Often Address Compliance and
Regulatory Requirements
Rinse and Repeat
• This list will change over time
• Metadata will change
• This is especially true in a world of
microservices
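A snapshot comparison for the repeat step, added here as an example rather than taken from the slides. The record shape (host, ip, ports, exposure, regulatory) is assumed from the Collect Metadata slide, and both quarterly snapshots are constructed:

```python
"""Diff two attack-surface inventory snapshots. Added example; records constructed."""

LAST_QUARTER = [
    {"host": "www.example.com", "ip": "203.0.113.10", "ports": [443], "exposure": "Public", "regulatory": ["PCI"]},
    {"host": "api.example.com", "ip": "203.0.113.11", "ports": [443], "exposure": "Public", "regulatory": ["PCI"]},
    {"host": "old-crm.example.com", "ip": "10.20.30.40", "ports": [80], "exposure": "Internal", "regulatory": ["GDPR"]},
    {"host": "events2018.example.com", "ip": "203.0.113.50", "ports": [80, 443], "exposure": "Public", "regulatory": []},
]
THIS_QUARTER = [
    {"host": "www.example.com", "ip": "203.0.113.10", "ports": [443], "exposure": "Public", "regulatory": ["PCI"]},
    {"host": "api.example.com", "ip": "203.0.113.11", "ports": [443, 8443], "exposure": "Public", "regulatory": ["PCI"]},
    {"host": "old-crm.example.com", "ip": "203.0.113.60", "ports": [443], "exposure": "Public", "regulatory": ["GDPR"]},
    {"host": "orders-svc.example.com", "ip": "203.0.113.61", "ports": [8080], "exposure": "Public", "regulatory": []},
]

# Metadata fields whose change should be reported.
WATCHED = ("ip", "exposure", "regulatory")


def diff_inventory(old, new):
    """Report hosts added/removed, ports opened/closed, and watched metadata changes."""
    o = {r["host"]: r for r in old}
    n = {r["host"]: r for r in new}
    report = {"added": sorted(n.keys() - o.keys()),
              "removed": sorted(o.keys() - n.keys()),
              "ports_opened": [], "ports_closed": [], "metadata": []}
    for host in sorted(o.keys() & n.keys()):
        before, after = set(o[host]["ports"]), set(n[host]["ports"])
        report["ports_opened"] += [(host, p) for p in sorted(after - before)]
        report["ports_closed"] += [(host, p) for p in sorted(before - after)]
        for field in WATCHED:
            if o[host][field] != n[host][field]:
                report["metadata"].append((host, field, o[host][field], n[host][field]))
    return report


def needs_review(report):
    """Hosts whose risk profile moved: new hosts, newly opened ports, or an
    exposure change. These go to the front of the assessment queue."""
    hosts = set(report["added"]) | {h for h, _ in report["ports_opened"]}
    hosts |= {h for h, field, _, _ in report["metadata"] if field == "exposure"}
    return sorted(hosts)


if __name__ == "__main__":
    r = diff_inventory(LAST_QUARTER, THIS_QUARTER)
    for key, val in r.items():
        print(key, val)
    print("review:", needs_review(r))
```

needs_review is the short list to hand to the assessment team: a new public host (the orders microservice), a newly opened port, or a host whose exposure flipped from Internal to Public (the CRM that moved to a public address) each change the tier the application belongs in.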
You can’t defend unknown
attack surface
If everything is important
then nothing is important
[Translation]
Find out what applications you
have in your organization
Decide the relative importance of
applications and treat them
differently based on this
Questions
Building a world where technology is trusted.
@denimgroup
www.denimgroup.com
dan@denimgroup.com
