Infosecurity Europe Talk covering off all that is good bad and ugly about Vulnerability Management.

1. Full-stack Vulnerability Management at Scale &
The Future of Security Assessment
Eoin Keary
CTO edgescan™

2. Eoin Keary
CTO/Founder edgescan.com
OWASP Leader/Member/Ireland Founder
OWASP Global Board Member (2009-2015)

3. Web Risk
• Application Security
• Host Security
• Both / Either / Or
• It’s all software right.

4. Full-Stack!

5. Web Applications
App Server
SSL/TLS
Databases
Services
Operating Systems
Networks
Full Stack Security

6. Appsec VA
Threat
Intel
ENdPoint
One Problem – “silos of solutions”

7. 2015 - Year in Review

8. 2016 – First 100 days
• 83,000 impacted by breach at Gyft Inc
• 7,000,000 Minecraft
• 55,000,000 Records - COMELEC
• Hyatt data beach 250 hotels in 50 countries
• Neiman Marcus – 5,200 accounts
• TaxSlayer – 8,800 customers

9. Old Vulnerabilities
99.9% of the exploited vulnerabilities in had been
compromised more than a year after the associated CVE
was published. - “Zero day’s” are overrated.

10. Segregated Industry
• Developers Vs Security
• Admin Vs Developers
• Security Vs Admin

11. Divergence
Application Security Vs Vulnerability Analysis
Market Driven Separation Vs Risk
Convergence
Developer ←→ Security ←→ Admin
DevSecOps
AppSec + HostSec -> Fullstack

12. Agile Risk Model
Fail Early – Fail Often
“Push Left”

13. Continuous Security
“Keeping up” with development.
Assisting secure deployment.
Catching bugs early – Push Left.
Help ensure “change” is secure

14. Host/Server/Framework
> 30 billion Open source downloads 2015
90% of application code is framework
63%* don’t monitor component security
43%* don’t have open source policy
* http://www.sonatype.com/about/2014-open-source-software-development-survey

15. AppSec/Component Sec
• “If you're not doing component vulnerability
management you’re not doing appsec…”
– 90% of application code is framework
• “If you’re not doing full-stack you are not doing
security…”
– Hackers don’t give a S*#t

16. Security by Numbers
Likelihood of a vulnerability being discovered – Web Applications

17. Security by Numbers
Likelihood of a vulnerability being discovered (root cause) – Hosting Layer

18. Security by Numbers
edgescan Vulnerability Statistics Report 2015

19. Thoughts – Patching & Component
Management
“Of all the vulnerabilities discovered in 2015, 63% could
have been mitigated via patch, configuration and
component management combined.”
edgescan Vulnerability Statistics Report 2015

20. Problems?
Security in a constant state of flux.

21. “We Can” scale..
Automation of assessment
Depth
Coverage / Breadth
Rigour

22. SCALE!
Automation
Event Driven
Frequent/Scheduled
Build Build Build

23. Levelling the Playing Field

24. Automation!!
• Jenkins, Hudson, Bamboo
– Event driven
– Scheduled
– Incremental
• CHEF, Puppet, Cloud(immutable)
Sounds great…. but

25. Automation and Integration
• Automation can detect technical
vulnerabilities
– Misuse of code
– Coding Bugs
– Implementation Mistakes

26. Automation and Integration
• Automation can NOT detect Logical
vulnerabilities
– Business Logic
– Backdoors (E.g. Juniper, Fortinet)
– Provide Risk measurement
– Business Context

27. Accuracy/Information/Context
The “Anti-Scale”
Risk/ Business Context
Information Vs Data
Human Decisions and Intel
Technical constraints
-> Chokepoints

28. The “Anti-Scale”
New languages and programming methods
Growth of interpreted languages with no strong typing
(Javascript, Ruby,…) – “hurts” SAST
Few automated tools to test APIs / RESTful APIs
Testing Window is squeezed, manual testing is
doomed!?

29. Fighting The “Anti-Scale”
Accuracy
“Rule Tuning” – DAST & SAST
Build Fails!
White Noise Suppression
Real Security Vs “Best Practice”
Updates to Rules
Scale
“Delta Analysis”
Previous Vs Current
Changes
FP’s / FN’s

30. SAST Integration
• Analysis without Runtime - SAST
• More than just tooling
• Management Lifecycle
– Rule Management & Tuning / False Positives
• Cant cover Vuln Taxonomy –Blindspots

31. SAST Blindspots
• Storage and transmission of confidential
information
• Logic: Authentication, brute force attacks,
effectiveness of password reset etc.
• Logic: Privilege escalation and insufficient
authorization. Business Logic
• Data privacy: data retention and other compliance
(e.g. ensuring credit card numbers are masked
when displayed) - context

32. DAST Tool/Runtime Vulnerability
Management - Pitfalls
• Coverage Depth – can be shallow
• App Complexity - enemy
• Logical vulns – poor
• “Trial and error” testing

33. Vulnerability Assessment (Host)
• Easy to perform, Harder to manage
• First assessment
– higher work effort
– establish coverage (Reduce FN’s)
– Weed out FP’s
• Delta Analysis – Previous Vs Current

34. Component Security
Don’t forget….
• Unpredictable (Like Host Security).
• Requires frequent/continuous vigilance.
• Fix can be difficult and not backward
friendly

35. Delta-Metrics
• Vuln type - (CVE, OWASP, WASC,
SANS..)
• Tech Stack - (Code, F-work, Host etc)
• Layer - (App/Host)
• Root Cause - (Code, Patch, Config /
Deploy)
– Technical, Logical/Behavioural Vuln

36. Continuous Asset Profiling
• Detect Global Estate Changes
– New / Dead active IP’s
– Service Changes (Ports open / enabled).
– Perimeter Change – Firewall/ACL changes
– Rogue deployments

37. Fighting The “AntiScale” - Delta Analysis
Measure of change in a target environment.
Focusing on change in risk posture compared to last assess
-> Closed, New, False Positives

38. Fighting The “Anti-Scale”-
Testing like a Developer
Break testing into little pieces
Smoke / Incremental Vs full regression
testing
“Early and Often”
– Continuous, on demand
– Testing duration drives testing frequency

39. Business & Behavioural Testing
At scale:
Can be Difficult …..
Technical Security is covered by “tuned”
Automation…..
More Time to “Deep Dive”

40. “Future of Pentesting”
• Push towards Technical Vulnerabilities rooted
out using technical methods/services …..
• Push from time chasing Top 10 (SQLI, XSS,
etc) -To- Behavioural, Logical, Business flow
assessment.
• Constant flux requires constant assessment.
• Point-in-time is dead?

41. FIN
• We can scale but not everything is [easily]
scalable
• Discover Tech Vulns using Tech
• Consider full-stack, don’t let marketing dictate risk.
• Lets test to mirror DevOps
• Convergence is necessary to address issue.
@eoinkeary
eoin@bccriskadvisory.com