8. 2016 – First 100 days
• 83,000 impacted by breach at Gyft Inc
• 7,000,000 Minecraft
• 55,000,000 Records - COMELEC
• Hyatt data breach – 250 hotels in 50 countries
• Neiman Marcus – 5,200 accounts
• TaxSlayer – 8,800 customers
9. Old Vulnerabilities
99.9% of the exploited vulnerabilities had been
compromised more than a year after the associated CVE
was published. – “Zero-days” are overrated.
13. Continuous Security
“Keeping up” with development.
Assisting secure deployment.
Catching bugs early – Push Left.
Help ensure “change” is secure
14. Host/Server/Framework
> 30 billion open source downloads in 2015
90% of application code is framework
63%* don’t monitor component security
43%* don’t have open source policy
* http://www.sonatype.com/about/2014-open-source-software-development-survey
15. AppSec/Component Sec
• “If you're not doing component vulnerability
management you’re not doing appsec…”
– 90% of application code is framework
• “If you’re not doing full-stack you are not doing
security…”
– Hackers don’t give a S*#t
19. Thoughts – Patching & Component Management
“Of all the vulnerabilities discovered in 2015, 63% could
have been mitigated via patch, configuration and
component management combined.”
edgescan Vulnerability Statistics Report 2015
25. Automation and Integration
• Automation can detect technical
vulnerabilities
– Misuse of code
– Coding Bugs
– Implementation Mistakes
26. Automation and Integration
• Automation can NOT detect Logical
vulnerabilities
– Business Logic
– Backdoors (e.g. Juniper, Fortinet)
– Provide Risk measurement
– Business Context
28. The “Anti-Scale”
New languages and programming methods
Growth of interpreted languages with no strong typing
(JavaScript, Ruby, …) – “hurts” SAST
Few automated tools to test APIs / RESTful APIs
Testing window is squeezed – manual testing is doomed!?
29. Fighting The “Anti-Scale”
Accuracy
“Rule Tuning” – DAST & SAST
Build Fails!
White Noise Suppression
Real Security Vs “Best Practice”
Updates to Rules
Scale
“Delta Analysis”
Previous Vs Current
Changes
FP’s / FN’s
30. SAST Integration
• Analysis without Runtime - SAST
• More than just tooling
• Management Lifecycle
– Rule Management & Tuning / False Positives
• Can’t cover the full vulnerability taxonomy – blind spots
31. SAST Blindspots
• Storage and transmission of confidential
information
• Logic: Authentication, brute force attacks,
effectiveness of password reset etc.
• Logic: Privilege escalation and insufficient
authorization. Business Logic
• Data privacy: data retention and other compliance
(e.g. ensuring credit card numbers are masked
when displayed) - context
33. Vulnerability Assessment (Host)
• Easy to perform, Harder to manage
• First assessment
– higher work effort
– establish coverage (Reduce FN’s)
– Weed out FP’s
• Delta Analysis – Previous Vs Current
34. Component Security
Don’t forget…
• Unpredictable (Like Host Security).
• Requires frequent/continuous vigilance.
• Fixes can be difficult and not backward-compatible
36. Continuous Asset Profiling
• Detect Global Estate Changes
– New / dead active IPs
– Service Changes (Ports open / enabled).
– Perimeter Change – Firewall/ACL changes
– Rogue deployments
37. Fighting The “AntiScale” - Delta Analysis
Measure of change in a target environment.
Focusing on change in risk posture compared to the last assessment
-> Closed, New, False Positives
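As an added example (not from the slides), a small Python delta analysis over two constructed assessment result sets: it suppresses findings already triaged as false positives, classifies the rest as closed, new or persistent, and derives the estate changes from slide 36 (new/dead hosts, new/gone services) from the host:port pairs each assessment observed. The IPs and rule labels such as TLS-WEAK-CIPHER are constructed placeholders, not real scanner plugin ids.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str   # asset IP (constructed sample value)
    port: int   # service the finding applies to
    vuln: str   # scanner rule label (constructed placeholder, not a real plugin id)

# Constructed results of the previous and current assessment of the same estate.
PREVIOUS = {
    Finding("10.0.0.5", 443, "TLS-WEAK-CIPHER"),
    Finding("10.0.0.5", 22, "SSH-OLD-VERSION"),
    Finding("10.0.0.9", 80, "HTTP-DIR-LISTING"),
    Finding("10.0.0.9", 80, "XSS-REFLECTED"),
}
CURRENT = {
    Finding("10.0.0.5", 443, "TLS-WEAK-CIPHER"),   # still open
    Finding("10.0.0.5", 8443, "TLS-WEAK-CIPHER"),  # same rule on a newly exposed port
    Finding("10.0.0.12", 22, "SSH-OLD-VERSION"),   # host that did not exist last time
}                                                  # 10.0.0.9 has gone away entirely
# Findings already triaged as false positives (rule tuning) are suppressed.
FALSE_POSITIVES = {Finding("10.0.0.9", 80, "HTTP-DIR-LISTING")}

def delta(previous, current, false_positives):
    """Change in risk posture since the last assessment, after FP suppression."""
    prev = previous - false_positives
    cur = current - false_positives
    return {
        "closed": prev - cur,            # fixed or no longer reachable
        "new": cur - prev,               # needs triage this cycle
        "persistent": prev & cur,        # carried over, still open
        "suppressed": (previous | current) & false_positives,
    }

def asset_changes(previous, current):
    """Estate changes derived from the host:port pairs each assessment observed."""
    prev_hosts = {f.host for f in previous}
    cur_hosts = {f.host for f in current}
    prev_services = {(f.host, f.port) for f in previous}
    cur_services = {(f.host, f.port) for f in current}
    return {
        "new_hosts": cur_hosts - prev_hosts,
        "dead_hosts": prev_hosts - cur_hosts,
        "new_services": cur_services - prev_services,
        "gone_services": prev_services - cur_services,
    }

if __name__ == "__main__":
    print({k: sorted((f.host, f.port, f.vuln) for f in v) for k, v in delta(PREVIOUS, CURRENT, FALSE_POSITIVES).items()})
    print(asset_changes(PREVIOUS, CURRENT))
```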
38. Fighting The “Anti-Scale” – Testing like a Developer
Break testing into little pieces
Smoke / incremental vs full regression testing
“Early and Often”
– Continuous, on demand
– Testing duration drives testing frequency
39. Business & Behavioural Testing
At scale:
Can be difficult…
Technical security is covered by “tuned” automation…
More time to “deep dive”
40. “Future of Pentesting”
• Push towards technical vulnerabilities rooted
out using technical methods/services…
• Push from time spent chasing the Top 10 (SQLi, XSS,
etc.) to behavioural, logical and business-flow
assessment.
• Constant flux requires constant assessment.
• Point-in-time is dead?
41. FIN
• We can scale, but not everything is [easily]
scalable
• Discover tech vulns using tech
• Consider full-stack; don’t let marketing dictate risk.
• Let’s test to mirror DevOps
• Convergence is necessary to address the issue.
@eoinkeary
eoin@bccriskadvisory.com