Skillful scalefull fullstack security in a state of constant flux


Transcript of Skillful scalefull fullstack security in a state of constant flux

Page 1: Skillful scalefull fullstack security in a state of constant flux

Skillful, Scaleful Fullstack Security in a state of constant flux

with……

Page 2: Skillful scalefull fullstack security in a state of constant flux

Eoin Keary

CTO/Founder edgescan.com

OWASP Leader/Member/Ireland Founder

OWASP Global Board Member (2009-2014)

Page 3: Skillful scalefull fullstack security in a state of constant flux

One problem, Many solutions

DAST – People's Front of Judea

RASP – Judean peoples front

IAST - Judean Popular People's Front

SAST - Popular Front of Judea

VA - Vulnerability Assessment / Known

Vulnerability Scanning

Page 4: Skillful scalefull fullstack security in a state of constant flux

Web Risk

• Application Security

• Host Security

• Both / Either / Or

• It’s all software right.

Page 5: Skillful scalefull fullstack security in a state of constant flux

Full-Stack!

Page 6: Skillful scalefull fullstack security in a state of constant flux

Appsec

VA

Threat Intel

Endpoint

Page 7: Skillful scalefull fullstack security in a state of constant flux

Market Driven Approaches to a Market Driven Problem.

Page 8: Skillful scalefull fullstack security in a state of constant flux

Segregated Industry

• Developers Vs Security

• Admin Vs Developers

• Security Vs Admin

Page 9: Skillful scalefull fullstack security in a state of constant flux

Convergence

Developer ←→ Security ←→ Admin

DevSecOps

AppSec + HostSec -> Fullstack

Page 10: Skillful scalefull fullstack security in a state of constant flux

Divergence

Application Security Industry

Vs

Vulnerability Analysis Industry

Market Driven Separation Vs Risk

Page 11: Skillful scalefull fullstack security in a state of constant flux

Do it earlier

Yadda, Yadda Yadda

Cheaper, efficient, coverage etc etc etc

10x, 20x better – 1998 IBM

20 years later – same sh1t

Page 12: Skillful scalefull fullstack security in a state of constant flux

Agile Risk Model

Fail Early – Fail Often

“Push Left”

Page 13: Skillful scalefull fullstack security in a state of constant flux

Continuous what?

CI -> Continuous Integration

CD -> Continuous Deployment

TDD -> Test Driven Development

Continuous Maintenance

Continuous Security

Page 14: Skillful scalefull fullstack security in a state of constant flux

Continuous Security

“Keeping up” with development

Assisting secure deployment

Catching bugs early – Push Left

Help ensure “change” is secure

Page 15: Skillful scalefull fullstack security in a state of constant flux

Host/Server/Framework

Building bricks – Frameworks / Components

Spring, JQuery, Jade, Angular, Hibernate

> 30 billion Open source downloads 2015

90% of application code is framework

63%* don’t monitor component security

43%* don’t have open source policy

* http://www.sonatype.com/about/2014-open-source-software-development-survey

Page 16: Skillful scalefull fullstack security in a state of constant flux

Components

As of October 2015:

Component                       CVE            Impact                 Downloads since vuln discovered   CVSS
Spring (3.0-3.05)               CVE-2011-2894  Code exec              7,000,000                         6.8
Apache Xerces2                  CVE-2009-2625  DoS                    4,000,000                         5
Apache Commons HttpClient 3.x   CVE-2012-5783  MiTM                   4,000,000                         4.9
Struts2 (2.0-2.3.5)             CVE-2013-2251  Remote Cmd Injection   179,050                           10
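Added here as a worked example (not code from the slides or from edgescan): a minimal component-vulnerability gate of the kind the component-security slides call for, using the affected ranges and CVSS scores from the table above. The artifact names, the dependency manifest and the CVSS 7.0 build-fail threshold are assumptions; Xerces2 is left out because the slide gives no version range.

```python
# Added example: a minimal component-vulnerability gate for a CI build.
# Affected ranges and CVSS scores are transcribed from the slide above
# (Xerces2 is omitted because the slide gives no version range); the artifact
# names and the dependency manifest are constructed for illustration.
def parse_version(v):
    """'3.0.5' -> (3, 0, 5); a suffix such as '-rc1' is ignored."""
    parts = []
    for p in v.split("."):
        num = ""
        for ch in p:
            if not ch.isdigit():
                break
            num += ch
        if not num:
            break
        parts.append(int(num))
    return tuple(parts)

# (artifact, first affected, first fixed, CVE, impact, CVSS). Upper bounds are
# exclusive, so the slide's "3.0-3.05" becomes [3.0, 3.0.6) and "3.x" is [3, 4).
ADVISORIES = [
    ("spring",             "3.0", "3.0.6", "CVE-2011-2894", "Code exec",            6.8),
    ("commons-httpclient", "3",   "4",     "CVE-2012-5783", "MiTM",                 4.9),
    ("struts2",            "2.0", "2.3.6", "CVE-2013-2251", "Remote Cmd Injection", 10.0),
]

def is_affected(version, low, high):
    return parse_version(low) <= parse_version(version) < parse_version(high)

def find_vulnerable(manifest):
    """manifest: {artifact: version} -> [(artifact, version, cve, impact, cvss)]."""
    hits = []
    for artifact, version in manifest.items():
        for adv_artifact, low, high, cve, impact, cvss in ADVISORIES:
            if artifact == adv_artifact and is_affected(version, low, high):
                hits.append((artifact, version, cve, impact, cvss))
    return hits

def build_should_fail(hits, fail_at=7.0):
    """'All vulns are not equal': break the build only on high-severity hits."""
    return any(cvss >= fail_at for *_, cvss in hits)

MANIFEST = {"spring": "3.0.2", "commons-httpclient": "3.1",   # constructed
            "struts2": "2.3.5", "jquery": "1.11.3"}

if __name__ == "__main__":
    hits = find_vulnerable(MANIFEST)
    for hit in hits:
        print("%s %s -> %s (%s, CVSS %.1f)" % hit)
    print("build fails:", build_should_fail(hits))
```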

Page 17: Skillful scalefull fullstack security in a state of constant flux

“63% of vulnerabilities discovered in 2015 by edgescan were outside of software developer control – Operating System CVE, Component CVE, Misconfiguration etc.”

- edgescan Vulnerability Statistics Report 2015

Page 18: Skillful scalefull fullstack security in a state of constant flux

AppSec/Component Sec

• “If you're not doing component vulnerability management you’re not doing appsec…”

– 90% of application code is framework

• “If you’re not doing full-stack you are not doing security…”

– Hackers don’t give a S*#t

Page 19: Skillful scalefull fullstack security in a state of constant flux

Problems?

Security in a constant state of flux.

Page 20: Skillful scalefull fullstack security in a state of constant flux

“We Can” scale..

Automation of assessment

Depth

Coverage / Breadth

Rigour

Page 21: Skillful scalefull fullstack security in a state of constant flux

SCALE!

Automation

Event Driven

Frequent/Scheduled

Build Build Build

Page 22: Skillful scalefull fullstack security in a state of constant flux

Automation!!

• Jenkins, Hudson, Bamboo

– Event driven

– Scheduled

– Incremental

• CHEF, Puppet, Cloud(immutable)

Sounds great…. but

Page 23: Skillful scalefull fullstack security in a state of constant flux

Automation and Integration

• Automation can detect technical vulnerabilities

– Misuse of code

– Coding Bugs

– Implementation Mistakes

Page 24: Skillful scalefull fullstack security in a state of constant flux

Automation and Integration

• Automation can NOT detect logical vulnerabilities

– Business Logic

– Backdoors (E.g. Juniper, Fortinet)

– Provide Risk measurement

– Business Context

Page 25: Skillful scalefull fullstack security in a state of constant flux

Accuracy/Information/Context

The “Anti-Scale”

Risk/ Business Context

Information Vs Data

Human Decisions and Intel

Technical constraints

-> Chokepoints

Page 26: Skillful scalefull fullstack security in a state of constant flux

The “Anti-Scale”

New languages and programming methods

Growth of interpreted languages with no strong typing (JavaScript, Ruby,…) – “hurts” SAST

Few automated tools to test APIs / RESTful APIs

Testing Window is squeezed, manual testing is doomed!?

Page 27: Skillful scalefull fullstack security in a state of constant flux

Fighting The “Anti-Scale”

Accuracy

“Rule Tuning” – DAST & SAST

Build Fails!

White Noise Suppression

Real Security Vs “Best Practice”

Updates to Rules

Scale

“Delta Analysis”

Previous Vs Current

Changes

FP’s / FN’s

Page 28: Skillful scalefull fullstack security in a state of constant flux

SAST Integration

• Analysis without Runtime - SAST

• More than just tooling

• Management Lifecycle

– Rule Management & Tuning / False Positives

• Can't cover the whole vuln taxonomy – blindspots

Page 29: Skillful scalefull fullstack security in a state of constant flux

SAST Blindspots

• Storage and transmission of confidential information

• Logic: Authentication, brute force attacks, effectiveness of password reset etc.

• Logic: Privilege escalation and insufficient authorization. Business Logic

• Data privacy: data retention and other compliance (e.g. ensuring credit card numbers are masked when displayed) - context

Page 30: Skillful scalefull fullstack security in a state of constant flux

CI Integration

• Rule Tuning!!

• Technical Vulnerabilities

• Logical Vulnerabilities

• Feedback Loop

• Build Fails

• Root Cause Metrics

• All Vulns are not equal!

Page 31: Skillful scalefull fullstack security in a state of constant flux

DAST Tool/Runtime Vulnerability Management - Pitfalls

• Coverage Depth – can be shallow

• App Complexity - enemy

• Logical vulns – poor

• “Trial and error” testing

Page 32: Skillful scalefull fullstack security in a state of constant flux

Vulnerability Assessment (Host)

• Easy to perform, Harder to manage

• First assessment

– higher work effort

– establish coverage (Reduce FN’s)

– Weed out FP’s

• Delta Analysis – Previous Vs Current

• Vulns beyond your control

Page 33: Skillful scalefull fullstack security in a state of constant flux

Component Security

Don’t forget….

• Unpredictable (Like Host Security).

• Requires frequent/continuous vigilance.

• Fix can be difficult and not backward friendly

Page 34: Skillful scalefull fullstack security in a state of constant flux

Delta-Metrics

• Vuln type - (CVE, OWASP, WASC, SANS..)

• Tech Stack - (Code, F-work, Host etc)

• Layer - (App/Host)

• Root Cause - (Code, Patch, Config / Deploy)

– Technical, Logical/Behavioural Vuln

Page 35: Skillful scalefull fullstack security in a state of constant flux

Continuous Asset Profiling

• Detect Global Estate Changes

– New / Dead active IP’s

– Service Changes (Ports open / enabled).

– Perimeter Change – Firewall/ACL changes

– Rogue deployments

Page 36: Skillful scalefull fullstack security in a state of constant flux

Fighting The “Anti-Scale” - Delta Analysis

Measure of change in a target environment.

Focusing on change in risk posture compared to last assessment.

-> Closed, New, False Positives
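Added here as a worked example (not code from the slides or from edgescan) covering the Delta Analysis slide above and the Delta-Metrics slide earlier: two assessment runs are compared finding by finding, previously reviewed false positives are suppressed rather than re-reported, and the new findings are counted by root cause or layer. The finding fields, the identity key (host, vuln id, location) and all sample data are assumptions; the same comparison applies unchanged to asset-profile snapshots (live IPs, open ports).

```python
# Added example (not from the slides): delta analysis between two assessment
# runs, keyed so that a finding is the same finding if host, vuln id and
# location match. Findings reviewed as false positives earlier are carried
# forward and suppressed instead of being re-reported. Data is constructed.
from collections import Counter

def key(f):
    return (f["host"], f["vuln"], f["location"])

def delta(previous, current, false_positives):
    """Classify the current run against the previous one."""
    prev = {key(f): f for f in previous}
    cur = {key(f): f for f in current}
    fps = set(false_positives)
    return {
        "new":        [f for k, f in cur.items() if k not in prev and k not in fps],
        "closed":     [f for k, f in prev.items() if k not in cur and k not in fps],
        "persisting": [f for k, f in cur.items() if k in prev and k not in fps],
        "suppressed": [f for k, f in cur.items() if k in fps],
    }

def delta_metrics(d, dimension="root_cause"):
    """Counts of new findings by root cause, layer, etc. (the "Delta-Metrics" slide)."""
    return dict(Counter(f[dimension] for f in d["new"]))

def finding(host, layer, root_cause, vuln, location):
    return {"host": host, "layer": layer, "root_cause": root_cause,
            "vuln": vuln, "location": location}

PREVIOUS = [  # constructed results of the last assessment
    finding("web-01", "app",  "code",   "XSS",           "/search?q"),
    finding("web-01", "host", "patch",  "CVE-2013-2251", "struts2 2.3.5"),
    finding("web-02", "host", "config", "SSLv3 enabled", "tcp/443"),
]
CURRENT = [  # constructed results of this assessment
    finding("web-01", "app",  "code",   "XSS",           "/search?q"),     # still open
    finding("web-02", "host", "config", "SSLv3 enabled", "tcp/443"),       # reviewed as FP
    finding("web-03", "host", "deploy", "Open port",     "tcp/8080"),      # rogue deployment
    finding("web-01", "app",  "code",   "SQLi",          "/login"),        # new code bug
]
FALSE_POSITIVES = [("web-02", "SSLv3 enabled", "tcp/443")]

if __name__ == "__main__":
    d = delta(PREVIOUS, CURRENT, FALSE_POSITIVES)
    for bucket, items in d.items():
        print(bucket, [f["vuln"] for f in items])
    print("new by root cause:", delta_metrics(d))
```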

Page 37: Skillful scalefull fullstack security in a state of constant flux

Fighting The “Anti-Scale” - Testing like a Developer

Break testing into little pieces

Smoke / Incremental Vs full regression testing

“Early and Often”

– Continuous, on demand

– Testing duration drives testing frequency

Page 38: Skillful scalefull fullstack security in a state of constant flux

Business & Behavioural Testing

At scale:

Can be Difficult …..

Technical Security is covered by “tuned” Automation…..

More Time to “Deep Dive”

Page 39: Skillful scalefull fullstack security in a state of constant flux

“Future of Pentesting”

• Push towards Technical Vulnerabilities rooted out using technical methods/services …..

• Push from time chasing Top 10 (SQLI, XSS, etc) -To- Behavioural, Logical, Business flow assessment.

• Constant flux requires constant assessment.

• Point-in-time is dead?

Page 40: Skillful scalefull fullstack security in a state of constant flux

FIN

• We can scale but not everything is [easily] scalable

• Discover Tech Vulns using Tech

• Consider full-stack, don’t let marketing dictate risk.

• Let's test to mirror DevOps

• Convergence is necessary to address issue.

@eoinkeary
