Optimizing Your Application Security Program with Netsparker and ThreadFix
© 2016 Denim Group – All Rights Reserved
Optimizing Your Application Security Program with Netsparker and ThreadFix
October 19, 2016
Ferruh Mavituna, Product Architect and CEO, Netsparker Ltd.
Dan Cornell, CTO, Denim Group
Agenda
• State of Application Security
• Netsparker Overview
• ThreadFix Overview
• ThreadFix / Netsparker Integration
Automated Web Application Security
Netsparker automatically finds and reports security issues in web sites and web services.
Netsparker Desktop: Windows-only software, easy to install and use.
Netsparker Cloud: SaaS version of Netsparker. Uses the very same engine, is scalable and comes with enterprise features.
Netsparker Desktop
Windows Software
It simulates a real attacker to find vulnerabilities in web applications automatically.
Allows users to carry out advanced security tasks; especially useful for security consultants and in-house security teams.
Netsparker’s Core Features
• Ease of Use
• Supports Authentication
• Supports Modern Web
• Proof Based Scanning (unique feature)
• Integrated Exploitation
• Supports Mobile/Web Services
Netsparker Cloud
• Scalable: can scan thousands of websites within hours.
• Designed for Enterprise: designed with enterprises, big teams and big datasets in mind.
• API: for integrating with other solutions and internal products.
• On-premises or managed.
unique feature
Security Testing Process
Automated Security Testing Process
1. Configure and Start the Scan: configure Custom 404, Authentication, URL Rewrite Rules etc.
2. Check if the results are correct: if there is a Local File Inclusion, exploit it safely to see that the LFI is real and not a False Positive; if it’s SQL Injection, safely read data from the database. Repeat this for every vulnerability to eliminate false positives.
3. Take Action: prioritize important issues, communicate with the developers and make the necessary changes. Deploy the new version of the application and re-test.
Process with Netsparker & ThreadFix
1. Start your scan quickly: URL Rewrite rules will be discovered dynamically, Custom 404 will be handled automatically, and authentication only requires you to enter the URL, username and password. Supports SPA (Single Page Applications) automatically.
2. Netsparker will give you the proof (Proof Based Scanning): get the results with proof. If there is a SQL Injection, Netsparker will extract some data from the target web application’s database; if there is a LFI, Netsparker will give you a file from the target system, etc. This applies to all direct impact vulnerabilities.
3. Take Action: now you know which vulnerabilities are real, so without spending any more time on them, pass them to your development team to start addressing these issues immediately. You don’t want to leave your website exposed during this process, so import these issues into ThreadFix and generate rules for your WAF without worrying about False Positives!
Proof Based Scanning: False Positive or not?
A scanner you can
Scalability
How can you scan 1,000 applications? More importantly, how can you address 10,000 issues in these applications?
Netsparker Cloud & ThreadFix
In 24 hours you can find & hot-patch 10,000 vulnerabilities.
Netsparker Cloud can scan thousands of websites in under 24 hours.
Import the results to ThreadFix via the API.
Because results will be clearly flagged as CONFIRMED and 100% real, you can now just generate WAF rules without worrying about False Positives.
Congratulations, you have improved the state of your web application security significantly in just under 24 hours.
You still need to fix all these issues and not rely on the WAF, but the improvement will be huge.
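The flow described on the process slides above (scan, confirm each finding with proof, import the confirmed findings, generate WAF rules) ends in rule generation, and the point of the proof is that only confirmed findings are turned into blocking rules. The following is an added example, not code from Netsparker, ThreadFix or Denim Group, showing how a virtual-patch generator ought to treat scanner output: it keeps only findings flagged as confirmed, deduplicates them, and emits one narrowly scoped ModSecurity v2 rule per finding, refusing to emit a rule for any vulnerability class it has no precise operator for. The findings format, the `confirmed` flag, the URLs and the `shop.example.test` host are constructed assumptions and do not mirror either product’s API or export format.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of scanner findings; this is not real Netsparker or ThreadFix
# output. The fields mirror what the slides describe: where the issue is, which
# parameter carries it, the vulnerability class, and whether the scanner confirmed
# it with proof (extracted data, a retrieved file). The last three entries exercise
# the cases a virtual-patch generator must refuse to act on or must collapse.
SAMPLE_FINDINGS = json.dumps([
    {"url": "https://shop.example.test/product?id=1", "parameter": "id",
     "type": "SQL Injection", "confirmed": True},
    {"url": "https://shop.example.test/search", "parameter": "q",
     "type": "Cross-site Scripting", "confirmed": True},
    {"url": "https://shop.example.test/download", "parameter": "file",
     "type": "Local File Inclusion", "confirmed": True},
    {"url": "https://shop.example.test/profile", "parameter": "bio",
     "type": "Open Redirect", "confirmed": True},      # no precise operator: manual review
    {"url": "https://shop.example.test/account", "parameter": "name",
     "type": "SQL Injection", "confirmed": False},     # unconfirmed: never patched
    {"url": "https://shop.example.test/product", "parameter": "id",
     "type": "SQL Injection", "confirmed": True},      # duplicate of the first finding
])

# Vulnerability class -> ModSecurity v2 operator applied to the vulnerable parameter.
# Only classes with a targeted operator get a rule; anything else is reported for
# manual handling so that a vague, over-broad rule never blocks legitimate traffic.
OPERATORS = {
    "SQL Injection": "@detectSQLi",
    "Cross-site Scripting": "@detectXSS",
    "Local File Inclusion": r"@rx \.\./",   # conservative path-traversal check
}

# Scanner data becomes configuration text, so only plain path and parameter
# names are accepted; anything else is refused rather than interpolated.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_./-]+$")


def load_confirmed(findings_json):
    """Parse the findings and keep only confirmed, deduplicated ones.

    The dedup key is (path, parameter, type), so the same issue reported twice
    (or with different query strings) yields a single virtual patch.
    """
    seen = set()
    confirmed = []
    for finding in json.loads(findings_json):
        if not finding.get("confirmed"):
            continue  # an unconfirmed finding may be a false positive: no rule
        path = urlparse(finding["url"]).path
        key = (path, finding["parameter"], finding["type"])
        if key in seen:
            continue
        seen.add(key)
        confirmed.append({"path": path, "parameter": finding["parameter"],
                          "type": finding["type"]})
    return confirmed


def build_rules(findings_json, base_id=100000):
    """Emit one chained ModSecurity rule per confirmed finding.

    Returns (rules, manual): rules is a list of rule strings, manual the confirmed
    findings that got no rule. The first rule of each chain scopes the check to the
    vulnerable path and carries the actions; the chained rule inspects only the
    vulnerable parameter, so unrelated requests and parameters are untouched.
    """
    rules, manual = [], []
    rule_id = base_id
    for f in load_confirmed(findings_json):
        operator = OPERATORS.get(f["type"])
        if operator is None or not (SAFE_TOKEN.match(f["path"])
                                    and SAFE_TOKEN.match(f["parameter"])):
            manual.append(f)
            continue
        msg = f"Virtual patch for confirmed {f['type']} in {f['parameter']} at {f['path']}"
        rules.append(
            f'SecRule REQUEST_URI "@beginsWith {f["path"]}" '
            f'"id:{rule_id},phase:2,deny,status:403,log,msg:\'{msg}\',chain"\n'
            f'    SecRule ARGS:{f["parameter"]} "{operator}"'
        )
        rule_id += 1
    return rules, manual


if __name__ == "__main__":
    generated, needs_review = build_rules(SAMPLE_FINDINGS)
    print("\n\n".join(generated))
    for item in needs_review:
        print(f"# manual review: {item['type']} in {item['parameter']} at {item['path']}")
```

Run as a script, it prints three chained rules (for the confirmed SQL Injection, Cross-site Scripting and Local File Inclusion findings) and a manual-review line for the Open Redirect, while the unconfirmed finding and the duplicate produce nothing. Scoping each chain to one path and one parameter is what keeps a rule generated from a scanner finding from turning into a site-wide false positive of its own; the rules are a stopgap, and the slide’s closing point stands: the underlying code still has to be fixed.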
ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Reduce risk and provide protection via virtual patching
• Translate vulnerabilities to developers in the tools they are already using
Create a consolidated view of your applications and vulnerabilities
Application Portfolio Tracking
Vulnerability Import
Vulnerability Consolidation
Prioritize application risk decisions based on data
Vulnerability Prioritization
Reporting and Metrics
Reduce risk and provide protection via virtual patching
WAF Virtual Patching
Translate vulnerabilities to developers in the tools they are already using
Defect Tracker Integration
Questions and Contact
ThreadFix
www.threadfix.it
Netsparker
www.netsparker.com