Security !Maturity
Transcript of the slides (spl0it.org/files/talks/rss10/Security_Immaturity.pdf, 2010-10-21)
Page 1: Security !Maturity
October 20, 2010
Page 2: About me - Joshua “Jabra” Abraham
Security Consultant/Researcher at Rapid7 LLC.
Past speaking engagements: BlackHat, DefCon, ShmooCon, Infosec World, CSI, OWASP Conferences, LinuxWorld, Comdex and BLUG
Recently became a Technical Editor for Syngress (Ninja Hacking)
Contributes to BackTrack LiveCD, BeEF, Nikto, Fierce, and PBNJ
Twitter: http://twitter.com/jabra
Blog: http://spl0it.wordpress.com
Page 3: Rapid7 Overview
Vulnerability Management
Open source projects
Professional Services: Network Pentesting, Web Application Audits, Training, Deployment
Page 4: Understanding the Environment
People
Process
Technologies
Focus on two points of reference:
Penetration testing (Ops side)
Deploying a secure development lifecycle (non-Ops side)
Page 5: Breaking through a misconception
How many times during a scoping call have you heard the customer say the goal of the assessment is to “Hack Us”?
Page 6: “Hack Us” is NOT good enough
“Hack Us” is subjective
What do you mean by “Hack”?
How do you know when you are done?
What are the success criteria for “Hacking” the customer?
How do you measure the “Hack”?
Page 7: Agenda
The need for a better approach
Goal Oriented Overview
Examples from the Field
Maturity 101
Secure Development Lifecycle (SDL)
Summary/Q&A
Page 8: Background Information
The primary objective is to demonstrate risk
Difference between the risk reported by a vulnerability scanner and a business risk (context)
Vulnerabilities are found by automated tools
A threat does not have to be demonstrated in order to constitute a risk.
Page 9: The need for a better approach
How do you know what is MOST important?
Achieve Domain Admin access on the 1st day
Access to all data
Maybe get lucky and guess right
Should not need to guess
Is data X more valuable/important than data Y?
Page 10: Which Data or Systems would you go after?
With control of the entire network, OR all Windows systems, OR all *nix systems:
Evil Attacker - Destructive
Evil Attacker - Financially motivated
Consultant - Penetration tester
Malicious System Admin
Malicious Employee
Malicious Executive
Page 11: Raising the bar on penetration testing
There are several technical methodologies that define what and how to test: OWASP, OSSTMM and vulnerabilityassessment.co.uk
The industry lacks a standard process
Outline a method to facilitate the testing process
Ensure assessment/project completion
Page 12: Agenda
The need for a better approach
Goal Oriented Overview
Examples from the Field
Benefits of maturity
Secure Development Lifecycle (SDL)
Summary/Q&A
Page 13: Real-World Penetration Testing
Evil Attackers - Blackhats
Financially motivated
Not limited by amount of time and/or resources
Penetration Testers - Whitehats
Context / Goal focused (experience, 6th sense, etc.)
Demonstrate real-world risks, but limited by the time of the engagement
A snapshot of the network/application at a point in time
Page 14: Clear Motivation
Emulate a Blackhat by using Goals as motivation
Doesn’t decrease the experience / 6th sense elements
Allows the Testing Team to focus efforts on critical weaknesses
Page 15: Goal Oriented Penetration Testing
Non-technical methodology in which the process is the central focus
Goals are focus points (drivers) for the assessment
Provides the best ROI for organizations when they conduct a penetration assessment
Page 16: Goals 101
Goals can be achieved in parallel or as a serial process
Each goal may carry a required number of unique paths to be verified
Discussed during the scoping call
Automated Testing: Reconnaissance, Port Scanning, Vulnerability Scanning, Exploitation, Central Storage Engine, Correlation, Reporting, View/Modify/Delete Data
Manual Testing: Context Based, Focus Driven, Goal Oriented
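The "Central Storage Engine / Correlation / Reporting" stage of the automated pipeline on this slide, as an added example that is not part of the original deck or of any Rapid7 tool. It parses a constructed Nmap XML scan and a constructed vulnerability-scanner CSV export, merges them into one record per host and port, flags scanner findings that the port scan cannot confirm, and maps verified services to a sample goal ("Production MSSQL database") so the testing team sees which entry points support which goal. Every host, service, finding and the goal-to-service mapping is invented for the example.

```python
import csv
import io
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed Nmap XML output (two hosts); addresses and services are invented.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1433"><state state="open"/>
        <service name="ms-sql-s" product="Microsoft SQL Server"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/>
        <service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed vulnerability-scanner export; titles and severities are invented.
SCANNER_CSV = """host,port,severity,title
10.0.0.5,1433,high,MSSQL weak sa password
10.0.0.5,445,medium,SMB signing not required
10.0.0.9,80,low,Server header discloses version
10.0.0.9,23,high,Telnet service enabled
"""

# Sample goal from the scoping call, mapped to the Nmap service names that would satisfy it.
GOALS = {"Production MSSQL database": {"ms-sql-s"}}


def parse_nmap(xml_text):
    """Return {(host, port): service_name} for every port Nmap reports as open."""
    services = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            services[(addr, int(port.get("portid")))] = svc.get("name") if svc is not None else "unknown"
    return services


def parse_scanner(csv_text):
    """Return {(host, port): [(severity, title), ...]} from the scanner export."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings[(row["host"], int(row["port"]))].append((row["severity"], row["title"]))
    return findings


def correlate(services, findings):
    """Central store: one record per host:port merging both sources.
    A finding on a port Nmap did not see open is kept but marked unverified,
    so a stale scanner result cannot become a goal path without a retest."""
    store = {}
    for key in set(services) | set(findings):
        store[key] = {
            "service": services.get(key),
            "findings": findings.get(key, []),
            "verified": key in services,
        }
    return store


def goal_report(store, goals=GOALS):
    """Map each goal to the verified host:port entries whose service matches it,
    highest-severity candidate first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    report = {}
    for goal, service_names in goals.items():
        hits = [(host, port, rec) for (host, port), rec in store.items()
                if rec["verified"] and rec["service"] in service_names]
        hits.sort(key=lambda h: min((rank[s] for s, _ in h[2]["findings"]), default=3))
        report[goal] = [f"{host}:{port}" for host, port, _ in hits]
    return report


def unverified(store):
    """Scanner findings with no matching open port in the port-scan results."""
    return sorted(f"{h}:{p}" for (h, p), rec in store.items() if not rec["verified"])


if __name__ == "__main__":
    store = correlate(parse_nmap(NMAP_XML), parse_scanner(SCANNER_CSV))
    print(goal_report(store))
    print("needs retest:", unverified(store))
```

The "unverified" bucket is the practical point: the scanner's Telnet finding on 10.0.0.9:23 contradicts the port scan, so it is reported for a retest rather than counted as a path toward a goal.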
Page 17: S.M.A.R.T.E.R. Goals
S - Specific
M - Measurable
A - Attainable
R - Relevant
T - Time-Bound
E - Evaluate
R - Reevaluate
“Hack us” is NOT sufficient!
PM technique
Saves time!
Customers should demand that consultants use a Goal Oriented Approach
Page 18: Scoping
What type of data is most sensitive?
What data would put the organization on the front page of the New York Times?
Data classifications should be provided to the Testing Team
Goals can be data-centric (but not always!)
Page 19: Leveraging Unique Paths
Success criteria: demonstrating a specific number of unique paths
Clear view that weaknesses exist in many areas of the environment
Will a penetration test find all unique paths? Not necessarily
Hit a point of diminishing returns
Page 20: Agenda
The need for a better approach
Goal Oriented Overview
Examples from the Field
Benefits of maturity
Secure Development Lifecycle (SDL)
Summary/Q&A
Page 21: External Network Penetration Assessment - Sample Goals
Identify all of the externally accessible IPs
Gain access to:
  Internal network (remotely) - via a network or application based vulnerability, or via social engineering
  Production MSSQL database
Achieve and maintain undetected access for 24 hours
Page 22: External Network Penetration Assessment - Customer X
Found an external system that contained network diagrams (test.company.com)
Diagram of all internal and external systems!
Detailed how the network was configured
Contained several root passwords for the internal network!
Publicly accessible + no authentication needed
Used Fierce v2 to find it - enjoy - http://trac.assembla.com/fierce
Page 23: Application Assessment - Sample Goals
Gain access to:
  A user’s account (bypass authentication)
  An administrator’s account (privilege escalation)
  The application’s backend database
Achieve and maintain undetected access for 24 hours to the internal network:
  Network/Application based attack
  Application based attack (social engineering)
Page 24: Application Assessment - Customer X
SQLninja and SQLmap failed me.
This is pretty sad!
How long would it take to develop a PoC to pull data from the database?
... Approximately 6 hours.
Had a working PoC.
Page 25: Application Assessment - Customer Y
Page 26: Internal Network Penetration Assessment - Sample Goals
Gain physical access to the network
Gain access to the:
  Corporate wireless
  Production MSSQL database
  Domain controller (within the PCI environment) as an administrator
Achieve and maintain undetected access for 24 hours
Page 27: How it works!
Recon
• Gather list of employee names
• Social networking (facebook, linkedin, hoovers, lead411)
Prepare Email
• Construct email addresses based on the email scheme
• Create email for the email attack
Send out email
• Setup Metasploit for connections
• Send out phishing attacks
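The "construct email addresses based on the email scheme" step above, as an added example that is not part of the original deck or the speaker's tooling. Given one or two addresses already known from public sources (a press release, a mailing-list archive), it infers which naming scheme the target uses and applies it to the harvested employee names; if the sample is ambiguous it returns every consistent scheme, and with no sample it generates candidates under all schemes. The scheme table, the names and the domain `company.example` are assumptions for the example.

```python
import re

# Candidate local-part formats; each takes (first, last), already lowercased.
SCHEMES = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}


def normalize(name):
    """'Mary-Ann O'Neil' -> ('maryann', 'oneil'): lowercase, drop punctuation,
    keep the first and last tokens (middle names are ignored)."""
    parts = re.sub(r"[^a-z\s]", "", name.lower()).split()
    if len(parts) < 2:
        raise ValueError(f"need a first and last name: {name!r}")
    return parts[0], parts[-1]


def infer_schemes(known):
    """known: iterable of (full name, address) pairs found in the open.
    Returns the scheme names consistent with ALL pairs. More than one result
    means the sample is ambiguous; an empty list means nothing in SCHEMES fits."""
    matches = set(SCHEMES)
    for name, address in known:
        f, l = normalize(name)
        local = address.split("@", 1)[0].lower()
        matches &= {s for s, fn in SCHEMES.items() if fn(f, l) == local}
    return sorted(matches)


def build_addresses(names, domain, schemes=None):
    """Candidate addresses for the harvested names. With no inferred scheme,
    every scheme is tried; duplicate addresses are dropped, order preserved."""
    schemes = schemes or list(SCHEMES)
    out = []
    for name in names:
        f, l = normalize(name)
        for s in schemes:
            addr = f"{SCHEMES[s](f, l)}@{domain}"
            if addr not in out:
                out.append(addr)
    return out


if __name__ == "__main__":
    # Constructed sample: one address seen in a press release.
    scheme = infer_schemes([("John Smith", "jsmith@company.example")])
    print(scheme)
    print(build_addresses(["Jane Doe", "Mary-Ann O'Neil"], "company.example", scheme))
```

When the inferred list has more than one entry, send to the union of candidates rather than guessing: a bounce from an invalid address is cheap, whereas picking the wrong scheme silently loses the whole target list.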
Pages 28-32: image-only slides (no text)
Page 33: Internal Network Penetration Assessment - Customer X
Pass-The-Hash + Token Impersonation
ARP Spoofing
Clear-text protocols
Weak passwords
Unpatched systems
Workstation Network was easy
PCI Network was well protected
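The "Pass-The-Hash" and "Weak passwords" findings above share one root: the NT hash (MD4 over the UTF-16LE password) is both the thing a wordlist attack recovers and, under pass-the-hash, a credential in its own right. As an added example that is not part of the original deck or of Rapid7's tooling, the block below audits a constructed hash dump for wordlist passwords and for hashes shared across accounts or hosts (a shared local Administrator hash is a lateral-movement path whether or not anyone ever cracks it). MD4 is implemented inline because Python's hashlib only exposes it when the OpenSSL build ships the legacy provider. The hosts and accounts are invented; the hashes of "password", "admin" and the empty string are their real NT hashes, and the `dbadmin` value is a placeholder that matches nothing.

```python
import struct
from collections import defaultdict

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (three rounds of 16 steps over 512-bit blocks)."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        # Each step updates one register; rotating the names (a,b,c,d) <- (d,new,b,c)
        # reproduces the A/D/C/B order of the RFC tables.
        for i in range(16):  # round 1
            a, b, c, d = d, _rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, _rotl((a + H(b, c, d) + X[R3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 of the password encoded as UTF-16LE, no salt."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed hash dump: (host, account, NT hash). Hosts/accounts are invented.
DUMP = [
    ("WS01", "Administrator", "8846f7eaee8fb117ad06bdd830b7586c"),
    ("WS02", "Administrator", "8846f7eaee8fb117ad06bdd830b7586c"),
    ("WS01", "jdoe",          "209c6174da490caeb422f3fa5a7ae634"),
    ("WS02", "svc_backup",    "31d6cfe0d16ae931b73c59d7e0c089c0"),
    ("DC01", "dbadmin",       "0123456789abcdef0123456789abcdef"),  # placeholder, not a real hash
]

WORDLIST = ["password", "admin", "Password1", "Welcome1", ""]


def audit(dump=DUMP, wordlist=WORDLIST):
    """Return {'cracked': {(host, account): password}, 'reused': {hash: [(host, account), ...]}}.
    Unsalted hashes mean one table lookup covers every account; 'reused' lists hashes
    held by more than one account, which pass-the-hash turns into lateral movement."""
    lookup = {nt_hash(p): p for p in wordlist}
    cracked = {(h, u): lookup[nt] for h, u, nt in dump if nt in lookup}
    by_hash = defaultdict(list)
    for h, u, nt in dump:
        by_hash[nt].append((h, u))
    reused = {nt: accts for nt, accts in by_hash.items() if len(accts) > 1}
    return {"cracked": cracked, "reused": reused}


if __name__ == "__main__":
    result = audit()
    for acct, pw in result["cracked"].items():
        print("weak password:", acct, repr(pw))
    for nt, accts in result["reused"].items():
        print("shared hash (pass-the-hash path):", nt, accts)
```

The empty-hash entry is worth keeping in any real wordlist: 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password and turns up on service and guest accounts more often than one would hope.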
Page 34: Internal Network Penetration Assessment - Customer X
Added Admin account onto the PCI Network Domain Controller
Inter-Domain Trust
Page 35: Agenda
The need for a better approach
Goal Oriented Overview
Examples from the Field
Maturity 101
Secure Development Lifecycle (SDL)
Summary/Q&A
Page 36: Goal Oriented Pentesting
Explain the process (Goal Oriented 101)
Result of the penetration testing
Value security testing
Value of internally understanding the environment
Page 37: Understanding the Environment
Technologies
People
Process
Page 38: Understanding the Environment
If you don't understand the environment, you probably won't be getting the most value out of your security assessment
Page 39: Security Testing
Demonstrates risk in areas of weakness:
  Known areas of focus - critical systems
  Unknown areas of focus - trust relationships, stepping stones
Which is more scary? Known areas of focus or unknown areas of focus?
Page 40: Agenda
The need for a better approach
Goal Oriented Overview
Examples from the Field
Maturity 101
Secure Development Lifecycle (SDL)
Summary/Q&A
Page 41: Implementing Secure Development Lifecycle (SDL)
Proactive approach
Reduce and limit the impact of vulns
Incorporate security into the development process
Page 42: Effect of SDL
Development process
Resource requirements
Process changes
Training
New policies/standards/guidelines
Third-party review
Page 43: Is it worth doing?
Rate of application development
Lines of code? Number of new web apps over the next 6-12 months?
What type of data (stored, processed or transmitted)?
Importance of the application(s) to the business?
Page 44: SDL Requirements
Understanding
Buy-in
Requirements and Motivations
Training
Page 45: SDL - Technologies
What types of applications are being developed? (web apps, mobile etc.)
What types of data do they store, process and transmit?
What languages/frameworks are being used?
Page 46: SDL - People
Who/where are the developers?
How many Dev/QA/Release teams are there?
Who is involved during development, testing, production?
Who is involved in the transition between dev stages?
Page 47: SDL - Process
What is the process for building new custom apps?
What development method is used? (Agile/Scrum, Waterfall, etc.)
What are the stages of development?
Page 48: SDL - Process
What are the requirements before a product is ready to move from one stage to the next?
Does a formal review occur before moving into production?
Page 49: Agenda
The need for a better approach
Goal Oriented Overview
Examples from the Field
Maturity 101
Secure Development Lifecycle (SDL)
Summary/Q&A
Page 50: Summary
Understanding the Environment is very important to creating a successful security program!
Goal Oriented Penetration Testing - a strategic and practical methodology for improving the ROI of any security assessment
Leverages project management ideals
Goals are not the only element of testing, only a place to start
Slides will be posted online! http://spl0it.org/files/talks/rss10/Security_Immaturity.pdf
Page 51: Discussion/QA
How are you handling these problems from a (client or consultant) perspective?
Questions/Comments/Rants/Feedback
Page 52: References
http://spl0it.wordpress.com/2009/11/16/goal-oriented-pentesting-the-new-process-for-penetration-testing/
http://spl0it.wordpress.com/2009/11/17/goal-oriented-pentesting-%E2%80%93-the-new-process-for-penetration-testing-part-2/
M. Howard and D. LeBlanc. Writing Secure Code. Microsoft Press, 2nd edition, 2002.
http://en.wikipedia.org/wiki/SMART_criteria
Page 53: Comments/Questions?
Joshua “Jabra” Abraham
Company: http://www.rapid7.com
Blog: http://spl0it.wordpress.com
Twitter: http://twitter.com/jabra
Jabra_aT_spl0it_d0t_org
Jabra_aT_rapid7_d0t_com