Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Transcript of Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
![Page 1: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/1.jpg)
Crafting Super-Powered Risk Assessments
Chris Wysopal | CTO & Co-founder, Veracode
Gordon MacKay | EVP & CTO, Digital Defense, Inc.
![Page 2: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/2.jpg)
Logistics
Presentation is designed for 30 to 45 minutes with time for questions.
Please use your control panel (shown on the right) to ask questions at any time during the presentation.
Presentation is being recorded
Both presentation and slides will be made available
![Page 3: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/3.jpg)
Gordon MacKay | Digital Defense, Inc.
Gordon MacKay, Digital Defense Executive Vice President and Chief Technology Officer is responsible for strategic design, planning, and establishment of platform road maps, new platform development initiatives, and maintenance of the Company’s security information event management platforms and proprietary assessment solutions. Gordon also oversees the Platform Development architecture as well as manages the Platform Development and Vulnerability Research organizations.
Gordon started his career in 1991 as a systems engineer at Nortel Networks where he designed Interactive Voice Response systems. Prior to joining Digital Defense, he held several research and development leadership positions at Alcatel USA in Dallas Texas. Gordon is a frequent speaker at industry conferences and events.
![Page 4: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/4.jpg)
Chris Wysopal | Veracode Co-Founder and Chief Technology Officer
Chris Wysopal is responsible for the security analysis capabilities of Veracode technology. Mr. Wysopal is recognized as an expert and a well known speaker in the information security field and was recently named one of InfoWorld’s Top 25 CTO’s and one of the 100 most influential people in IT by the editorial staffs of eWeek, CIO Insight and Baseline Magazine. Chris has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. He also has spoken as the keynote at West Point, to the Defense Information Systems Agency (DISA) and before the International Financial Futures and Options Exchange in London. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work.
![Page 5: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/5.jpg)
About Digital Defense, Inc.
Founded in 1999, Digital Defense, Inc., is the premier provider of managed security risk assessment solutions protecting billions in assets for small businesses to Fortune companies in over 65 countries. Our dedicated team of experts helps organizations establish an effective culture of security and embrace the best practices of information security. Through regular assessments, awareness education and rapid reaction to potential threats, our clients become better prepared to reduce risk and keep their information, intellectual property and reputations secure.
In response to market intelligence and industry demand, DDI is the first information security provider to launch a Vulnerability Assessment (VA) Tool “Trade-In” program. This innovative offering is designed to maximize Information Security ROI for organizations through an applied credit equal to the annual licensing maintenance fee spent on idle and inefficient VA tools. A fully managed and enterprise-wide vulnerability scanning program is now available for companies taking advantage of this unique solution, with the applied credit worth up to 100% of the first year of DDI’s VLM-Pro service.
www.ddifrontline.com
888.273.1412
![Page 6: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/6.jpg)
Agenda
• Risk Management Challenges
• Network Assessments – Assessing Risk Outside In
• Application Assessments – Assessing Risk Inside Out
• Combining Network and Application Assessments
• Ongoing Research and Development
![Page 7: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/7.jpg)
The Risk Game – Play Along
What Picture Represents most Risk?
![Page 8: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/8.jpg)
What is Risk?
• Risk is Relative to an Entity
• Risk Involves
1. An Entity with a Goal – Something to Gain/Lose
2. An Entity with Weaknesses/Disadvantages
3. An Environment Capable of Taking Advantage of
Weaknesses
Risk = Threat x Vulnerability x Cost
![Page 9: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/9.jpg)
Evolution of Species – One Solution to Risk
![Page 10: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/10.jpg)
Business Organizations Analogous to Living Organisms
• Organizations have Goals and Desires
• Have Weaknesses and Limited Resources
• Face Threats - Internal Flaws, Natural Disasters,
Competitors, and More
• Optimal Resource Allocation Depends on Environment
• Organization’s Environment Continuously Changes
Organizations Must Evolve in order to Survive and Grow
![Page 11: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/11.jpg)
Risk Management Challenges
• What is Value and Where is it Located?
• What are the Dangers to Organization’s Value?
• What are Weaknesses of Value Containers?
• What Risk Level is Acceptable?
![Page 12: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/12.jpg)
Risk Management Existing Solutions Weaknesses
• No Existing Technology/Solution Accounts for All Risk
• Often, a given solution accounts for only part of Risk
within their own Security Silo
Network Security
Application Security
Access Management
Event Monitoring
Endpoint Security
![Page 13: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/13.jpg)
Risk Management – Network Assessment: Assessing Outside In
• Automatically Inventory Containers
– Attack Surface - Fully Visible, Camouflaged, Invisible
– Location - Externally Internet facing versus deep within the Organization’s Internal Network
– Other Container Details
• Allow Mapping Assets to Containers
• Allow Value Assignments to Containers
• Assess Weaknesses of Containers
![Page 14: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/14.jpg)
Network Assessment Seen From Threat’s Point of View
[Diagram: NIRV Scanners on the Internet and inside the Client Network send Vulnerability Results to the DDI Cloud-Based Vulnerability Management System (FSP Servers); the Client Asset Containers are covered by External, Internal and Authenticated Vulnerability Assessments.]
![Page 15: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/15.jpg)
Network Assessment Strengths
• Hosts (Computers or Containers)
• Network Map
• Operating System
• Open Ports, Services, Applications
• Vulnerabilities within OSI Layer 2-7
– Many Known Vulnerabilities
– Generic (e.g. SQL Injection)
• Misconfigurations
– (e.g. Passwordless Protocols, Easily Guessable Passwords, SNMP configuration issues, much more)
![Page 16: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/16.jpg)
Network Assessment Challenges
• Most Compromises
• Most Malware, Viruses
• Most Backdoors
• Most Unknown (Zero Day) Vulnerabilities
• Hidden Weaknesses (e.g. no or poor use of Encryption)
• Most Business Logic Issues
• Most Security Architecture Weaknesses
• Some Known Vulnerabilities
![Page 17: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/17.jpg)
Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode cloud-based platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components.
Assessment techniques include:
Static binary analysis
Dynamic analysis
Manual analysis
More information available at www.veracode.com
![Page 18: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/18.jpg)
[Diagram: layered stack of Network, End points/OS, Data and Applications]
The Application layer is the most exposed to the attacker.
Even with hardened end points and networks, vulnerabilities in applications can allow attackers to access data.
![Page 19: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/19.jpg)
OWASP Top Ten (2010 edition)
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Insecure Cryptographic Storage
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
http://www.owasp.org/index.php/Top_10
![Page 20: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/20.jpg)
Weakness classes grouped by the three CWE/SANS Top 25 categories:
Insecure Interaction Between Components
• SQL Injection
• Command Injection
• XSS
• Unrestricted upload
• CSRF
• Open Redirect
Risky Resource Management
• Buffer Overflow
• Path Traversal
• Download of code with no check
• Untrusted inclusion
• Dangerous function
• Format String
• Integer Overflow
Porous Defenses
• Missing Authentication
• Missing Authorization
• Hard coded credentials
• Missing encryption
• Untrusted inputs in security decision
• Unnecessary Privileges
• Incorrect authorization
• Incorrect permission assignment
• Broken crypto
• No restriction of authentication attempts
• Use of one way hash with no salt
![Page 21: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/21.jpg)
From Risk Awareness to Risk Mitigation with an Application Security Program
1. Identify Portfolio
2. Assess Vulnerabilities
3. Manage Risk
![Page 22: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/22.jpg)
Identify Application Portfolio
• Get a handle on “application sprawl”
• Involve business units, procurement and vendor management, and automated discovery
• Consider regulatory impact, data leakage risk, operational risk
• Create a policy
![Page 23: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/23.jpg)
Assess Vulnerabilities
• Understand vulnerabilities in your application portfolio
• Leverage automated analysis techniques: static and dynamic scanning
• Engage third-party vendors and service providers
![Page 24: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/24.jpg)
Multiple Analysis Techniques Improve Coverage of Vulnerability Classes
• Universe of application security vulnerabilities is extensive
• There is no “silver bullet” – each technique has strengths and weaknesses
• A complete analysis includes: Static analysis (i.e. White Box), Dynamic analysis (i.e. Black Box), Penetration testing
• Automation allows manual penetration testers to focus on vulnerabilities only humans can find
[Diagram: overlapping coverage of Automated Static, Automated Dynamic and Penetration Testing]
![Page 25: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/25.jpg)
Static Analysis
• Analysis of software performed without actually executing the program
• Full coverage of the entire source or binary, including code paths a running instance may never exercise
• In theory, having full application knowledge can reveal a wider range of bugs and vulnerabilities than the “trial and error” of dynamic analysis
• Impossible to identify vulnerabilities based on system configuration that exist only in the deployment environment
![Page 26: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/26.jpg)
Dynamic Analysis
• Analysis of software performed against a running instance of the program
• Most accurately mimics how a malicious user would attack the application
• Due to the lack of internal application knowledge, discovering vulnerabilities can take longer and coverage may be limited
• Cannot generate and test all possible inputs in reasonable time
• Exposes vulnerabilities in the deployment environment
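As an added illustration of the two slides above (not from the original deck and not Veracode's tooling), the Python below is a toy static analyser: it parses a constructed program and reports every database `execute()` call whose query text is assembled at run time instead of being passed as a literal with bound parameters. It never runs the target, so it reaches `legacy_lookup()` even though that path is only taken when a hypothetical `LEGACY_MODE` deployment flag is set; a dynamic scan of a default deployment would never exercise it. The program text, the flag and the sink method names are assumptions for the example.

```python
"""Toy static analyser: finds SQL sinks fed a query built at run time,
without executing the program.  Added illustration for this transcript;
not Veracode's analysis engine.  TARGET_SOURCE is constructed."""
import ast

# Constructed program under review.  legacy_lookup() only runs when a
# (hypothetical) deployment flag is set, so a dynamic scan of a default
# deployment never reaches it; the analyser sees every execute() regardless.
TARGET_SOURCE = '''
import sqlite3
from flask import request

def lookup_user(conn):
    cur = conn.cursor()
    # Parameterised: the query text is a constant, data travels separately.
    cur.execute("SELECT * FROM users WHERE id = ?", (request.args["id"],))
    return cur.fetchone()

def legacy_lookup(conn, settings):
    if settings.LEGACY_MODE:
        cur = conn.cursor()
        cur.execute("SELECT * FROM users WHERE name = '" + request.args["name"] + "'")
        return cur.fetchone()

def report(conn):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM reports WHERE owner = {request.args['owner']}")
    return cur.fetchall()
'''

# Method names treated as SQL sinks (assumption: DB-API style cursors).
SINKS = {"execute", "executemany", "executescript"}


def describe_query_expr(node):
    """Classify how the SQL text handed to the sink was built.
    Returns None for a plain string literal, which is the safe shape."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return None
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp):
        return "concatenation or % formatting"
    return "dynamic expression"  # .format(), a variable, a function result


class SqlSinkVisitor(ast.NodeVisitor):
    """Walks every function body, reachable or not, and records sink calls."""

    def __init__(self):
        self.findings = []
        self.scope = ["<module>"]

    def visit_FunctionDef(self, node):
        self.scope.append(node.name)
        self.generic_visit(node)
        self.scope.pop()

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SINKS and node.args:
            how = describe_query_expr(node.args[0])
            if how is not None:
                self.findings.append((self.scope[-1], node.lineno, how))
        self.generic_visit(node)


def find_dynamic_sql(source):
    """Return (function, line, how-built) for each sink fed a non-literal query."""
    visitor = SqlSinkVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


if __name__ == "__main__":
    for func, line, how in find_dynamic_sql(TARGET_SOURCE):
        print(f"line {line} in {func}(): SQL built by {how}")
```

The same check flags `cur.execute(q)` even when `q` was assigned a constant one line earlier, because it inspects syntax rather than following data flow; that false positive is the price of full coverage, and it is what the manual pass on the slides is for. Conversely, nothing here can tell whether `LEGACY_MODE` is actually on in production or whether the database account is over-privileged: that is the deployment-environment gap the slide names, and the one dynamic analysis fills.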
![Page 27: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/27.jpg)
Managing risk is more than just a list of vulnerabilities
• How can this be combined with other risk information? Asset criticality, network location, host vulnerabilities
• Combining application scan data with network scan data is a great start.
![Page 28: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/28.jpg)
Combining App Testing and Vuln Scanning
• Network vulnerability scanner knows where all the web applications are.
• It knows of any host vulnerabilities.
• It may know about criticality of assets the application has access to.
• Application testing has knowledge of vulnerabilities that network vulnerability scanners don’t know about.
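As an added example (not DDI or Veracode code), the Python below performs the join those bullets describe on constructed scan data: network-scan host records carrying exposure, criticality and host findings, and application-scan results keyed by the URL each application was tested at. It maps each application onto the container whose hostname matches, flags applications whose host the network scanner never saw, and reduces each container to a single rating using the Risk = Threat x Vulnerability x Cost relation from the “What is Risk?” slide, with exposure standing in for Threat, the worst finding across both layers for Vulnerability, and owner-assigned criticality for Cost. The weights, the severity scale, the 0..100 range and the sample hosts are assumptions.

```python
"""Join network-scan and application-scan views and emit one risk rating
per container.  Added illustration for this transcript, not DDI or
Veracode code; scan records, weights and the 0..100 scale are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse

# "Threat" term: how reachable the container is, taken from where the
# network scanner found it.  Weights are assumptions for the example.
EXPOSURE_WEIGHT = {"external": 1.0, "dmz": 0.7, "internal": 0.4}
# "Vulnerability" term: worst finding on the container, on a 0..10 scale.
SEVERITY_SCORE = {"critical": 10.0, "high": 7.5, "medium": 5.0, "low": 2.0}


@dataclass
class Container:
    ip: str
    hostname: str
    exposure: str        # network scan: external / dmz / internal
    criticality: int     # 1..5, the "Cost" term, assigned by the asset owner
    host_findings: list = field(default_factory=list)  # (title, severity)


# Constructed network-scan inventory: hosts the scanner discovered.
NETWORK_SCAN = [
    Container("203.0.113.10", "www.example.test", "external", 4,
              [("Outdated OpenSSL", "high")]),
    Container("203.0.113.20", "portal.example.test", "external", 5,
              [("SNMP default community string", "medium")]),
    Container("10.0.5.7", "hr-db.example.test", "internal", 5,
              [("SMBv1 enabled", "high")]),
]

# Constructed application-scan results, keyed by the tested URL.
APP_SCAN = [
    {"app": "Customer Portal", "url": "https://portal.example.test/login",
     "findings": [("SQL injection in login", "critical"),
                  ("Reflected XSS in search", "medium")]},
    {"app": "Marketing Site", "url": "https://www.example.test/",
     "findings": [("Session cookie without HttpOnly", "low")]},
    {"app": "Legacy HR", "url": "https://hr-legacy.example.test/",
     "findings": [("Hard-coded credentials", "high")]},
]


def correlate(containers, app_results):
    """Map each application's findings onto the container whose hostname
    matches the tested URL.  Applications on hosts the network scan never
    saw are returned separately: that is unmanaged attack surface."""
    known = {c.hostname for c in containers}
    app_findings = defaultdict(list)
    orphans = []
    for app in app_results:
        host = urlparse(app["url"]).hostname
        if host not in known:
            orphans.append(app["app"])
            continue
        app_findings[host].extend(app["findings"])
    return app_findings, orphans


def worst(findings):
    """Highest severity score among findings; 0 when there are none."""
    return max((SEVERITY_SCORE[sev] for _, sev in findings), default=0.0)


def risk_rating(container, app_findings):
    """Risk = Threat x Vulnerability x Cost, scaled to 0..100.
    Vulnerability is the worst finding across both layers, so a critical
    application flaw is not hidden behind a clean host scan."""
    vulnerability = max(worst(container.host_findings), worst(app_findings))
    cost = container.criticality / 5
    return round(EXPOSURE_WEIGHT[container.exposure] * vulnerability * cost * 10, 1)


def assess(containers, app_results):
    """One rating per container, highest risk first, plus unmatched apps."""
    app_findings, orphans = correlate(containers, app_results)
    ratings = [(c.hostname, risk_rating(c, app_findings.get(c.hostname, [])))
               for c in containers]
    return sorted(ratings, key=lambda r: r[1], reverse=True), orphans


if __name__ == "__main__":
    ranked, orphans = assess(NETWORK_SCAN, APP_SCAN)
    for host, rating in ranked:
        print(f"{host:24s} {rating:6.1f}")
    print("apps on hosts the network scan never saw:", orphans)
```

Taking the maximum rather than the sum keeps one critical application flaw from being diluted by a clean host scan, and vice versa; a program that wants to reward fixing many medium findings would add a small count-based term. The unmatched `Legacy HR` application is the more interesting output: an application that was assessed on a host the network inventory does not contain is either a stale URL or an asset outside scanning scope, and either way it needs an owner.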
![Page 29: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/29.jpg)
DDI-Veracode Provide Evolution Towards Enterprise Security Intelligence
Digital Defense: Vulnerability Management | Veracode: Application Assessments
![Page 30: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/30.jpg)
Network and Application Assessment: Enterprise Security Intelligence
• Assessed Applications Mapped to Network Discovered Containers Provide Increased Environmental Context
• Improved Vulnerability Class Coverage
• More Accurate Risk Assessments
![Page 31: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/31.jpg)
Integration Sneak Peek
![Page 32: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/32.jpg)
Integration Sneak Peek
![Page 33: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/33.jpg)
What’s Next?
• Correlating Application Assessment findings to Network Assessment findings (vulnerability overlaps)
• Emergence of One Risk Rating per container that considers Assessed Applications and Network Assessment Findings
• Advanced Analytics Sourcing data from Two Security Cloud Providers
• Learn more at Veracode-DDI talk at RSA USA 2013: “SAST, DAST And Vulnerability Assessments, 1+1+1 = 4”
![Page 34: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode](https://reader033.fdocuments.in/reader033/viewer/2022061120/546c44aeb4af9f7a2c8b5009/html5/thumbnails/34.jpg)
The Application Layer
04/08/2023 34
Questions?
Contact
Gordon MacKay, Digital Defense: [email protected], @gord_mackay
Chris Wysopal, Veracode: [email protected], @weldpond