Application Security Program Management with Vulnerability Manager
Posted 19-Oct-2014 (Category: Technology). Transcript of the slide deck.
Application Security Program Management
with Vulnerability Manager
Bryan Beverly
June 2nd, 2010
Today's Presentation
• The challenges of application security scanning and remediation
• What Vulnerability Manager can do
• Next steps for Vulnerability Manager
• Next steps for you
Denim Group Background
• Privately-held, professional services organization
– Develops secure software
– Helps organizations assess and mitigate risk of existing software
– Provides training and mentoring so clients can build trusted software
• Software-centric view of application security
– Application security experts are practicing developers
– Development pedigree translates to rapport with development managers
– Business impact: shorter time-to-fix application vulnerabilities
• Culture of application security innovation and contribution
– Released Sprajax & Vulnerability Manager to open source community
– OWASP national leaders & regular speakers at RSA, OWASP, CSI
– World class alliance partners accelerate innovation to solve client problems
My Background
• 13-year business application development background
• Lead Consultant at Denim Group
• Provides technical oversight for Denim Group development projects
• Responsible for Denim Group development lifecycle standards and processes
• Performs black box and white box security assessments
• Performs on-site security training
• Co-developer and technical lead for the Vulnerability Manager project
Challenges with Scan-Centric Application Security Programs
• Too many application security programs are scan-centric
– Run scans, generate reports, send to development teams
• Not enough attention is paid to the entire process
• Result: vulnerabilities are not remediated and continue to expose the organization to risk
Post-Scan Remediation is the “Next” Big AppSec Issue
• Application scanning technologies are improving
– Various improvements provide better testing coverage
• Qualys 2009 Black Hat conference paper
– Presented by Qualys CTO Wolfgang Kandek
– Network and host vulnerabilities persist for roughly 30 days from identification
– Measured across 140 million scans of Qualys’ SaaS clients
– The exploitation cycle is getting shorter: down from 60 days in 2004 to 10 days
• WhiteHat Security study on application vulnerabilities
– Application vulnerabilities persist much longer than network vulnerabilities
– Typical persistence is measured in weeks to months, not days
• SQL Injection: 38 days
• Insufficient Authentication: 72 days
– Vulnerability time-to-fix metrics are not changing substantively; resolution typically takes weeks to months
Why Do Application Vulnerabilities Persist?
• The software must be rewritten; you can’t just turn the service “off”
– Can be straightforward: XSS or SQL Injection
– Can be more difficult: logic errors
• Dev teams are detached from security managers
– Security lacks organizational influence over development efforts
– Interaction and tracking between the groups is inconsistent and one-off
• The formal process of aggregating and processing application-level vulnerabilities is immature
– No automated way to import scanning results from multiple sources (black box, white box, SaaS)
– Sophisticated hand-off to issue trackers is still evolving
– Interaction with other systems is “one-off”
The Emergence of Accelerated Software Remediation (ASR) Technologies
• Security and risk managers are realizing the status quo is unacceptable
– Application vulnerabilities exist in live environments for months
• A new set of technologies is emerging to automate the post-scan handling of application vulnerabilities
– Application security vendors are developing more post-scan functionality
• Many are creating gated communities and vendor lock-in
– Most first-generation integrations are “one-to-one” between a scanner and a WAF
• Accelerated Software Remediation technologies reduce the lifespan of application vulnerabilities by:
– Automating import from multiple scanning systems
– “De-duplicating” vulnerabilities reported by dynamic and static scanners
– Measuring incremental improvement
– Generating “virtual patches” for IDS/WAF
Vulnerability Manager: “ThreadFix”
• Mission: allow organizations to centrally manage the entire range of software assurance activities
• Finding vulnerabilities is easy; actually addressing the risk is hard
• Freely available under the Mozilla Public License 1.1
• Major feature areas
– Application Portfolio Management
– Vulnerability Import
– Real-Time Protection Generation
– Defect Tracking Integration
– Maturity Evaluation
Application Portfolio Management
• Many organizations do not even have a complete idea of their application attack surface
• Track applications, metadata and associated vulnerabilities
Vulnerability Import
• Import, de-duplicate and merge vulnerability data from a variety of free and commercial tools
• Static and dynamic analysis
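The import-and-merge step is where a tool like this earns its keep, so here is an added example of the core logic (not ThreadFix or Denim Group code): findings from three constructed scanner reports are normalised to one key, duplicates are merged, and the result shows which tools agree, which is also the overlap and coverage-gap analysis the closing slide asks for. The scanner names, their vulnerability-name dictionaries, the findings and the file-to-route table are all assumptions made for the example.

```python
"""Import findings from several scanners, normalise them to one key and
de-duplicate.  Added example for this page; not ThreadFix or Denim Group
code.  Every input below is constructed for the example."""
from collections import defaultdict
from urllib.parse import urlsplit

# Each scanner names weaknesses its own way; map names to CWE ids so that
# "SQL Injection" and "sqli" become the same thing.  (Assumed dictionaries.)
NAME_TO_CWE = {
    "scanner_a": {"SQL Injection": 89, "Cross Site Scripting": 79},
    "scanner_b": {"sqli": 89, "xss-reflected": 79, "xss-stored": 79},
    "sast_tool": {"CWE-89": 89, "CWE-79": 79},
}

# Static findings point at source files, dynamic findings at URLs.  Merging the
# two needs a file-to-route map; this one is a hypothetical application layout.
FILE_TO_ROUTE = {
    "src/LoginServlet.java": "/login",
    "src/SearchServlet.java": "/search",
}

# Constructed scanner output: three tools, six raw findings.
SCANNER_A = [
    {"name": "SQL Injection", "url": "https://app.example/login?user=x", "param": "user"},
    {"name": "Cross Site Scripting", "url": "https://app.example/search/", "param": "q"},
]
SCANNER_B = [
    {"name": "sqli", "url": "http://app.example:8080/login", "param": "User"},
    {"name": "xss-reflected", "url": "http://app.example/search", "param": "q"},
    {"name": "xss-reflected", "url": "http://app.example/help", "param": "topic"},
]
SAST_TOOL = [
    {"name": "CWE-89", "file": "src/LoginServlet.java", "line": 42, "param": "user"},
]


def norm_path(url):
    """Strip scheme, host, port, query and trailing slash: /login and
    http://host:8080/login?x=1 must de-duplicate to the same location."""
    path = urlsplit(url).path or "/"
    return path.rstrip("/") or "/"


def normalise(tool, finding):
    """Map one tool-specific finding to the key (cwe, path, parameter)."""
    cwe = NAME_TO_CWE[tool][finding["name"]]
    if "url" in finding:
        path = norm_path(finding["url"])
    else:
        # An unmapped file keeps its file name as location rather than guessing
        # a route: a false merge hides a vulnerability, a missed merge only
        # costs a duplicate ticket.
        path = FILE_TO_ROUTE.get(finding["file"], finding["file"])
    return (cwe, path, finding.get("param", "").lower())


def merge(reports):
    """reports: {tool_name: [findings]} -> {key: {"found_by": set, "evidence": list}}"""
    merged = defaultdict(lambda: {"found_by": set(), "evidence": []})
    for tool, findings in reports.items():
        for finding in findings:
            key = normalise(tool, finding)
            merged[key]["found_by"].add(tool)
            merged[key]["evidence"].append((tool, finding))  # keep raw output for the developer
    return dict(merged)


def coverage(merged):
    """Split keys into those confirmed by more than one tool and those only one tool saw."""
    multi = sorted(k for k, v in merged.items() if len(v["found_by"]) > 1)
    single = sorted(k for k, v in merged.items() if len(v["found_by"]) == 1)
    return multi, single


def run_example():
    return merge({"scanner_a": SCANNER_A, "scanner_b": SCANNER_B, "sast_tool": SAST_TOOL})


if __name__ == "__main__":
    merged = run_example()
    print(f"{sum(len(v['evidence']) for v in merged.values())} raw findings -> {len(merged)} unique")
    for key, info in sorted(merged.items()):
        print(key, "found by", sorted(info["found_by"]))
```

The six raw findings collapse to three unique vulnerabilities; the SQL injection on /login is confirmed by all three tools, while the XSS on /help is known only to one dynamic scanner, which is exactly the kind of coverage gap worth investigating before trusting any single tool.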
Real-Time Protection Generation
• Generate vulnerability-specific rules for WAFs and IDS/IPS
• Automate the “virtual patching” process
• Import logs to identify vulnerabilities under active attack
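As an added example of the virtual-patching idea (not ThreadFix’s own rule generator), the following builds a ModSecurity 2.x rule chain for one de-duplicated finding and then maps the WAF’s block log back to the finding each rule protects, so findings under active attack can be sorted to the top of the remediation queue. The rule-id range, the per-parameter allow-list patterns, the findings and the log lines are assumptions constructed for the example.

```python
"""Generate vulnerability-specific WAF rules (virtual patches) and map the
WAF's block log back to the vulnerability each rule protects.  Added example
for this page, not ThreadFix code.  Rule syntax targets ModSecurity 2.x;
the rule-id range, allow-lists, findings and log lines are assumptions."""
import re
from collections import Counter

RULE_ID_BASE = 900000  # assumed private id range; must not collide with your rule set

# A virtual patch for one known finding can be an allow-list on that one
# parameter, far tighter than a generic attack signature.  Hypothetical patterns.
SAFE_VALUE = {
    89: r"^[A-Za-z0-9_.@-]{1,64}$",   # no quotes, comment markers or operators
    79: r"^[A-Za-z0-9 _.-]{0,128}$",  # no angle brackets, quotes or parentheses
}

# Constructed de-duplicated findings: (cwe, path, parameter).
FINDINGS = [
    (89, "/login", "user"),
    (79, "/search", "q"),
]


def rule_id(index):
    return RULE_ID_BASE + index


def virtual_patch(index, cwe, path, param):
    """ModSecurity chain: match the vulnerable path, then deny if the named
    parameter does not match its allow-list (t:urlDecodeUni so %27 is a quote)."""
    rid = rule_id(index)
    msg = f"Virtual patch for CWE-{cwe} on {path} param {param}"
    return (
        f'SecRule REQUEST_FILENAME "@streq {path}" '
        f'"id:{rid},phase:2,deny,status:403,log,'
        f"msg:'{msg}',tag:'virtual-patch/cwe-{cwe}',chain\"\n"
        f'    SecRule ARGS:{param} "!@rx {SAFE_VALUE[cwe]}" "t:none,t:urlDecodeUni"'
    )


def ruleset(findings):
    return "\n".join(virtual_patch(i, *f) for i, f in enumerate(findings))


# Constructed ModSecurity 2.x error-log lines; the "..." elides fields the
# example does not use.  Rule 981176 stands for a rule from some other rule set.
WAF_LOG = [
    '[Tue Jun 01 10:15:02 2010] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). ... [id "900000"] [uri "/login"]',
    '[Tue Jun 01 10:15:09 2010] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). ... [id "900000"] [uri "/login"]',
    '[Tue Jun 01 10:20:41 2010] [error] [client 198.51.100.3] ModSecurity: Access denied with code 403 (phase 2). ... [id "981176"] [uri "/"]',
    '[Tue Jun 01 11:02:13 2010] [error] [client 198.51.100.3] ModSecurity: Access denied with code 403 (phase 2). ... [id "900001"] [uri "/search"]',
]

LOG_ID = re.compile(r'\[id "(\d+)"\]')


def attacks_by_finding(log_lines, findings):
    """Count blocked requests per finding: a vulnerability that is being
    probed right now goes to the top of the remediation queue."""
    id_to_finding = {rule_id(i): f for i, f in enumerate(findings)}
    hits = Counter()
    for line in log_lines:
        m = LOG_ID.search(line)
        if not m:
            continue
        finding = id_to_finding.get(int(m.group(1)))
        if finding is not None:  # ignore blocks from rules we did not generate
            hits[finding] += 1
    return hits


if __name__ == "__main__":
    print(ruleset(FINDINGS))
    for finding, n in attacks_by_finding(WAF_LOG, FINDINGS).most_common():
        print(f"{n} blocked request(s) against CWE-{finding[0]} {finding[1]} param {finding[2]}")
```

The rule id is the join key between the rule you generated and the log line the WAF writes back, which is why the generator must own a rule-id range no other rule set uses. A virtual patch buys time; it does not close the defect, and the allow-list must be checked against legitimate traffic before it is deployed in blocking mode.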
Defect Tracking Integration
• Group vulnerabilities and send them to software development teams as defects
• Track defect status over time
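An added example (not ThreadFix code) of the grouping and status tracking described above: de-duplicated findings are grouped into one defect per application and weakness type, and each later scan reconciles the status of every defect. The in-memory defect dict stands in for a real issue-tracker API; the grouping policy, application name and findings are assumptions.

```python
"""Group de-duplicated findings into defects and reconcile defect status
against later scans.  Added example for this page, not ThreadFix code.  The
in-memory defect dict stands in for an issue-tracker API; the grouping
policy and the findings are assumptions."""
from collections import defaultdict

CWE_NAME = {89: "SQL Injection", 79: "Cross-Site Scripting"}


def group_into_defects(app, findings):
    """One defect per (application, CWE).  A developer fixing one injection
    usually fixes the siblings in the same code path, and one ticket per
    finding floods the tracker.  findings: iterable of (cwe, path, param)."""
    groups = defaultdict(set)
    for cwe, path, param in findings:
        groups[(app, cwe)].add((path, param))
    defects = {}
    for (app_name, cwe), locs in groups.items():
        name = CWE_NAME.get(cwe, f"CWE-{cwe}")
        defects[(app_name, cwe)] = {
            "title": f"[{app_name}] {name} in {len(locs)} location(s)",
            "locations": sorted(locs),
            "fixed": [],
            "status": "open",
        }
    return defects


def reconcile(defects, app, rescan):
    """Update defect status from a new scan of `app`.  A location the scan no
    longer reports counts as fixed; a defect with no open locations is closed;
    a closed defect whose location comes back is reopened rather than re-filed,
    so the regression stays visible.  Returns findings no defect covers yet."""
    seen = defaultdict(set)
    for cwe, path, param in rescan:
        seen[(app, cwe)].add((path, param))

    new = []
    for key, locs in seen.items():
        known = set(defects[key]["locations"]) if key in defects else set()
        new.extend((key[1], p, q) for p, q in sorted(locs - known))

    for key, defect in defects.items():
        if key[0] != app:
            continue
        still_open = [loc for loc in defect["locations"] if loc in seen.get(key, set())]
        defect["fixed"] = [loc for loc in defect["locations"] if loc not in seen.get(key, set())]
        if not still_open:
            defect["status"] = "closed"
        elif defect["status"] == "closed":
            defect["status"] = "reopened"
    return new


if __name__ == "__main__":
    defects = group_into_defects(
        "webshop", [(89, "/login", "user"), (89, "/search", "q"), (79, "/search", "q")]
    )
    print("new:", reconcile(defects, "webshop", [(89, "/search", "q"), (79, "/help", "topic")]))
    for key, d in defects.items():
        print(key, d["status"], "fixed:", d["fixed"])
```

Closing a defect only because a scanner stopped reporting it is the weak point of this scheme: a scanner that could not log in or that timed out will silently “fix” everything, so a real integration should also record which scan produced the closure and re-check it against a manual or second-tool result.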
Maturity Evaluation
• Evaluate application team practices via maturity models such as OpenSAMM
• Track practices over time
Demonstration
Current Status
• “Technology Preview” release in January 2010
– Demonstrates underlying concepts
– Supports many major technologies
• Not yet recommended for production use
Future Plans
• Under active development, heading toward a 1.0 alpha release
• Starting to see interest in customer-sponsored development
• Support for additional technologies: scanners, IDS/IPS/WAF, defect trackers
• Metrics, reporting and visualization
So where do you go from here?
What you can do now!
• Conduct a mini-OpenSAMM assessment to understand your current state of application vulnerability management
• Capture a post-scan workflow to better understand how application vulnerabilities cycle through the remediation process
• Measure how long your most serious application vulnerabilities persist in your production environment
• Analyze your static, dynamic, and manual results to understand where there is overlap and where there are coverage gaps
• Understand how application vulnerabilities are consumed by development teams
– Understand what issue tracker they use
– Understand how vulnerabilities are represented and dealt with by developers
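The persistence measurement asked for above is the number this whole deck argues about, so here is an added example (not ThreadFix code) that computes it from a scan history: per-severity median time-to-fix, the age of the oldest still-open finding, and which open findings have blown their SLA. The history, the as-of date and the SLA table are assumptions constructed for the example.

```python
"""Measure how long application vulnerabilities persist in production, by
severity, from a scan history.  Added example for this page, not ThreadFix
code.  The history, the as-of date and the SLA table are assumptions."""
from datetime import date
from statistics import median

AS_OF = date(2010, 6, 2)  # date the report is run (assumed)

# Assumed remediation SLA in days per severity.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90}

# Constructed history: one record per (de-duplicated) vulnerability, the date a
# scan first saw it in production and the date a scan stopped seeing it
# (None = still open).
HISTORY = [
    {"id": "V1", "severity": "critical", "first_seen": date(2010, 1, 4), "closed": date(2010, 2, 11)},
    {"id": "V2", "severity": "critical", "first_seen": date(2010, 1, 18), "closed": None},
    {"id": "V3", "severity": "high", "first_seen": date(2010, 2, 1), "closed": date(2010, 4, 14)},
    {"id": "V4", "severity": "high", "first_seen": date(2010, 3, 5), "closed": date(2010, 3, 19)},
    {"id": "V5", "severity": "medium", "first_seen": date(2010, 3, 8), "closed": None},
]


def age_days(rec, as_of):
    """Days the vulnerability was exposed; an open one keeps counting up to as_of."""
    return ((rec["closed"] or as_of) - rec["first_seen"]).days


def persistence_by_severity(history, as_of):
    """Per severity: counts, median time-to-fix of closed findings and the age
    of the oldest still-open one.  Median rather than mean so one ancient
    finding does not hide that most fixes are quick (or vice versa)."""
    buckets = {}
    for rec in history:
        b = buckets.setdefault(rec["severity"], {"fixed": [], "open": []})
        b["open" if rec["closed"] is None else "fixed"].append(age_days(rec, as_of))
    return {
        sev: {
            "fixed": len(b["fixed"]),
            "open": len(b["open"]),
            "median_ttf_days": median(b["fixed"]) if b["fixed"] else None,
            "oldest_open_days": max(b["open"]) if b["open"] else 0,
        }
        for sev, b in buckets.items()
    }


def sla_breaches(history, as_of, sla_days):
    """Ids of open vulnerabilities older than the SLA for their severity."""
    return sorted(
        rec["id"] for rec in history
        if rec["closed"] is None and age_days(rec, as_of) > sla_days[rec["severity"]]
    )


if __name__ == "__main__":
    for sev, stats in persistence_by_severity(HISTORY, AS_OF).items():
        print(sev, stats)
    print("SLA breaches:", sla_breaches(HISTORY, AS_OF, SLA_DAYS))
```

Reporting only the median time-to-fix of closed findings flatters the program, because the findings nobody fixes never enter that number; the oldest-open age and the SLA-breach list are what keep the still-exposed ones visible.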
Contact Information
Bryan Beverly
Denim Group
(210) 572-4400
www.denimgroup.com
blog.denimgroup.com
vulnerabilitymanager.denimgroup.com