Do You Have a Scanner Or Do You Have a Scanning Program?
© Copyright 2013 Denim Group - All Rights Reserved
Do You Have a Scanner? Or Do You Have a Scanning Program?
Dan Cornell, @danielcornell
Denim Group Background
• Professional services firm that builds & secures enterprise applications
– External application assessments
• Web, mobile, and cloud
– Software development lifecycle (SDLC) consulting
– Classroom and e-Learning for PCI compliance
• Secure development services:
– Secure .NET and Java application development
– Post-assessment remediation
• Deep penetration in Energy, Financial Services, Banking, Insurance, Healthcare and Defense market sectors
• Customer base spans Fortune 500
• Contributes to industry best practices through the Open Web Application Security Project (OWASP)
Dan Cornell
• Founder and CTO of Denim Group
• Software developer by background (Java, .NET, etc.)
• OWASP San Antonio
• 15 years experience in software architecture, development and security
• Heads Denim Group’s application security team
Who Here Has Purchased an Automated Scanner?
• Static or Dynamic? (Or Both?)
• Desktop, Enterprise or Cloud (Or All the Above?)
Who Here Is Happy With Their Scanner?
• Yes
• No
• Kind Of
• Not Sure
Why or Why Not?
Successful Software Security Programs
• Common Goal
– Reduce Risk by…
• Reliably Creating Acceptably Secure Software
• Obligatory “People, Process, Technology” Reference
– Anybody got a good Sun Tzu quote?
– I’d settle for a von Clausewitz…
– Or perhaps we need to look at Dalai Lama quotes (topic for a different day)
• Common Activities
– Implementation must be tied to the specific organization
Software Assurance Maturity Model (OpenSAMM)
• Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
• Useful for:
– Evaluating an organization’s existing software security practices
– Building a balanced software security program in well-defined iterations
– Demonstrating concrete improvements to a security assurance program
– Defining and measuring security-related activities within an organization
• Main website:
– http://www.opensamm.org/
SAMM Business Functions
• Start with the core activities tied to any organization performing software development
• Named generically, but should resonate with any developer or manager
This slide content © Pravir Chandra
SAMM Security Practices
• From each of the Business Functions, three Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement
This slide content © Pravir Chandra
Check Out This One...
This slide content © Pravir Chandra
What Part Does Scanning Play?
• Automated scanning is part of both the “Security Testing” and “Code Review” Security Practices within the Verification Business Function
– Dynamic scanning and static scanning, respectively
• Common starting point for many organizations embarking on software security programs
– There are lots of commercial and freely available products that can be used in support of this activity
RED FLAG:
Q: What are you doing for software security?
A: We bought [Vendor Scanner XYZ]
*** BEWARE FOSTERING A CHECKBOX CULTURE ***
Scanning Program: Anti-Patterns
• “Dude With a Scanner” approach
– Can also be implemented as the “lady with a scanner” approach
• “SaaS and Forget” approach
Is Your Scanner Missing Something?
• Breadth “Misses”
– Inadequate application portfolio
– Applications not being scanned, or not being scanned frequently enough
• Depth “Misses”
– Ineffective crawling ignores application attack surface
– False negatives resulting in ignorance of legitimate vulnerabilities
– Excessive false positives causing results to be ignored
Security Testing: Better Patterns
• Breadth-First Scanning
– You want a scanning program, not a scanner
• Deep Assessment of Critical Applications
– Automated scanning, manual scan review and assessment
• Understand that scanning is a means to an end
– Not an end in and of itself
– Start of vulnerability management
What Goes Into a Good Scanning Program?
• Solid Understanding of Attack Surface
• Realistic Concept of Scanner Effectiveness
• Disciplined History of Scanning
• Prioritized Testing Efforts
What Is Your Software Attack Surface?
Software You Currently Know About
Why?
• Lots of value flows through it
• Auditors hassle you about it
• Formal SLAs with customers mention it
• Bad guys found it and caused an incident (oops)
What?
• Critical legacy systems
• Notable web applications
What Is Your Software Attack Surface?
Add In the Rest of the Web Applications You Actually Develop and Maintain
Why Did You Miss Them?
• Forgot it was there
• Line of business procured through non-standard channels
• Picked it up through a merger / acquisition
What?
• Line of business applications
• Event-specific applications
What Is Your Software Attack Surface?
Add In the Software You Bought from Somewhere
Why Did You Miss Them?
• Most scanners only really work on web applications, so no vendors pester you about your non-web applications
• Assume the application vendor is handling security
What?
• More line of business applications
• Support applications
• Infrastructure applications
What Is Your Software Attack Surface?
MOBILE! THE CLOUD!
Why Did You Miss Them?
• Any jerk with a credit card and the ability to submit an expense report now runs their own private procurement office
What?
• Support for line of business functions
• Marketing and promotion
Attack Surface: The Security Officer’s Journey
• Two Dimensions:
– Perception of Software Attack Surface
– Insight into Exposed Assets
(Chart: horizontal axis Perception, vertical axis Insight)
• As perception of the problem of attack surface widens the scope of the problem increases
(Chart builds across slides 22–26, adding one category at a time along the Perception axis: Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications)
• Discovery activities increase insight
(Chart, slides 27–29: Insight into Web Applications grows step by step)
• Over time you end up with a progression
(Chart, slides 30–34: Insight grows in turn for Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications)
• When you reach this point it is called “enlightenment”
• You won’t reach this point
(Chart, slide 35: full Perception and Insight across all five categories)
What Goes Into An Application Test?
(Diagram built up across slides 36–41)
• Slide 36: An Application Test
• Slide 37: split into Dynamic Analysis and Static Analysis
• Slide 38: Dynamic Analysis split into Automated Application Scanning and Manual Application Testing; Static Analysis
• Slide 39: Automated Application Scanning, Manual Application Testing; Static Analysis split into Automated Static Analysis and Manual Static Analysis
• Slide 40: dynamic side split into Unauthenticated Automated Scan, Authenticated Automated Scan, Blind Penetration Testing, Informed Manual Testing; static side Automated Static Analysis, Manual Static Analysis
• Slide 41: static side further split into Automated Source Code Scanning, Manual Source Code Review, Automated Binary Analysis, Manual Binary Analysis (alongside Unauthenticated Automated Scan, Authenticated Automated Scan, Blind Penetration Testing, Informed Manual Testing)
Value and Risk Are Not Equally Distributed
• Some Applications Matter More Than Others
– Value and character of data being managed
– Value of the transactions being processed
– Cost of downtime and breaches
• Therefore All Applications Should Not Be Treated the Same
– Allocate different levels of resources to assurance
– Select different assurance activities
– Also must often address compliance and regulatory requirements
Do Not Treat All Applications the Same
• Allocate Different Levels of Resources to Assurance
• Select Different Assurance Activities
• Also Must Often Address Compliance and Regulatory Requirements
ThreadFix Demonstration
• Building Your Application Portfolio
• Storing Scanning Results Over Time
• Reporting
– Trending
– Vulnerability Remediation Progress
– Scanner Benchmarking
– Portfolio Status
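The reporting items on this slide (storing results over time, scanner benchmarking, remediation trending) all rest on one mechanical step: reducing findings from different scanners to a common key so that repeated reports of one weakness collapse and two scans can be compared. The Python below is an added illustration of that step written for this transcript; it is not ThreadFix or Denim Group code. The scanner names, the finding field layout, the alias table and the sample findings are all constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample findings from two hypothetical scanners run against the
# same application. Real scanners emit their own formats; an importer per
# scanner would map its fields onto this minimal shape.
SCANNER_A = [
    {"type": "xss", "url": "https://app.example/search?q=1", "param": "q"},
    {"type": "sqli", "url": "https://app.example/login", "param": "username"},
    # Same weakness as the first entry, reported again with a different payload.
    {"type": "xss", "url": "https://app.example/search?q=%3Cscript%3E", "param": "q"},
]
SCANNER_B = [
    {"type": "Cross-Site Scripting", "url": "https://APP.example/search/", "param": "Q"},
    {"type": "Path Traversal", "url": "https://app.example/download", "param": "file"},
]
RESULTS = {"scanner_a": SCANNER_A, "scanner_b": SCANNER_B}

# Vendor vulnerability names mapped onto a shared vocabulary (CWE ids here);
# the alias table itself is an assumption made for the example.
TYPE_ALIASES = {
    "xss": "CWE-79", "cross-site scripting": "CWE-79",
    "sqli": "CWE-89", "sql injection": "CWE-89",
    "path traversal": "CWE-22",
}


def normalize(finding):
    """Key that identifies the same weakness regardless of which scanner
    reported it: (weakness class, host + path without query, parameter)."""
    vuln_type = finding["type"].strip().lower()
    vuln = TYPE_ALIASES.get(vuln_type, vuln_type)
    parts = urlsplit(finding["url"])
    path = parts.path.rstrip("/") or "/"
    return (vuln, parts.netloc.lower() + path, finding["param"].lower())


def merge(results_by_scanner):
    """Map each normalized finding to the set of scanners that reported it;
    repeated reports of one weakness collapse into a single entry."""
    seen = defaultdict(set)
    for scanner, findings in results_by_scanner.items():
        for finding in findings:
            seen[normalize(finding)].add(scanner)
    return dict(seen)


def benchmark(results_by_scanner):
    """Per scanner, the fraction of all distinct findings (union across
    scanners) it reported. 1.0 means nothing was found only by the others."""
    merged = merge(results_by_scanner)
    if not merged:
        return {scanner: 0.0 for scanner in results_by_scanner}
    return {
        scanner: sum(1 for found_by in merged.values() if scanner in found_by) / len(merged)
        for scanner in results_by_scanner
    }


def only_found_by(results_by_scanner, scanner):
    """Findings no other scanner reported: candidates for false positives on
    this scanner, or false negatives on the others, and worth a manual look."""
    return sorted(key for key, found_by in merge(results_by_scanner).items()
                  if found_by == {scanner})


def trend(previous, current):
    """Compare two scans of one application over time: weaknesses that are
    new, that were closed, and that remain open."""
    before = {normalize(f) for f in previous}
    after = {normalize(f) for f in current}
    return {"new": after - before, "closed": before - after, "open": before & after}


if __name__ == "__main__":
    print(benchmark(RESULTS))
    print(only_found_by(RESULTS, "scanner_a"))
    print(trend(SCANNER_A, SCANNER_B))
```

The normalization key deliberately drops the query string and payload, since two reports of reflected XSS in the same parameter are one finding to fix, not two; how aggressive that key is (whether, for example, different HTTP methods on one path count as the same weakness) is a choice each program has to make and document, because it directly changes the trend and benchmark numbers.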
Steps for Improvement
• Build Your Application Portfolio
• Characterize the Effectiveness of Efforts Made to Date
• Build a Plan for Coverage
• Monitor Progress
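Taken together, these four steps are a bookkeeping loop: an inventory with criticality tiers (slide 42), a record of what was done when, a per-tier plan, and a check that reports the breadth misses from slide 14 (applications never scanned, or not scanned often enough). The Python below is an added illustration of that loop written for this transcript; it is not ThreadFix or Denim Group code. The tier names, cadences, portfolio entries and scan history are all constructed for the example.

```python
from datetime import date

# Per-tier plan: which assurance activities the tier requires and the maximum
# age in days before a result counts as stale. Tiers and cadences are an
# assumption for the example; the point is that they differ by tier.
PLAN = {
    "critical": {"dynamic_scan": 30, "static_scan": 30, "manual_assessment": 365},
    "high": {"dynamic_scan": 90, "static_scan": 90},
    "low": {"dynamic_scan": 180},
}

# Constructed portfolio. "source" records how an application entered the
# inventory, which is where the forgotten, acquired and purchased ones hide.
PORTFOLIO = [
    {"name": "online-banking", "tier": "critical", "source": "known"},
    {"name": "claims-intake", "tier": "high", "source": "acquisition"},
    {"name": "holiday-promo", "tier": "low", "source": "marketing-credit-card"},
    {"name": "vendor-hr-portal", "tier": "high", "source": "purchased"},
]

# Constructed scan history: (application, activity, date performed).
HISTORY = [
    ("online-banking", "dynamic_scan", date(2013, 9, 1)),
    ("online-banking", "static_scan", date(2013, 8, 20)),
    ("online-banking", "manual_assessment", date(2012, 6, 1)),
    ("claims-intake", "dynamic_scan", date(2013, 3, 1)),
    ("holiday-promo", "dynamic_scan", date(2013, 9, 10)),
]

# Fixed "today" so the example is reproducible.
TODAY = date(2013, 9, 15)


def last_performed(history):
    """Most recent date per (application, activity)."""
    latest = {}
    for app, activity, when in history:
        key = (app, activity)
        if key not in latest or when > latest[key]:
            latest[key] = when
    return latest


def never_scanned(portfolio=PORTFOLIO, history=HISTORY):
    """Applications in the inventory with no activity of any kind: the
    breadth miss that only becomes visible once the portfolio is filled in."""
    scanned = {app for app, _, _ in history}
    return [app["name"] for app in portfolio if app["name"] not in scanned]


def coverage_gaps(portfolio=PORTFOLIO, history=HISTORY, plan=PLAN, today=TODAY):
    """Every required (application, activity) that never happened or whose
    latest result is older than the tier allows, with the reason."""
    latest = last_performed(history)
    gaps = []
    for app in portfolio:
        for activity, max_age in plan[app["tier"]].items():
            when = latest.get((app["name"], activity))
            if when is None:
                gaps.append((app["name"], activity, "never"))
            else:
                overdue = (today - when).days - max_age
                if overdue > 0:
                    gaps.append((app["name"], activity, f"stale by {overdue} days"))
    return gaps


def coverage_ratio(portfolio=PORTFOLIO, history=HISTORY, plan=PLAN, today=TODAY):
    """Share of required activities currently satisfied: the single number
    to track over time when monitoring progress."""
    required = sum(len(plan[app["tier"]]) for app in portfolio)
    if required == 0:
        return 1.0
    return 1 - len(coverage_gaps(portfolio, history, plan, today)) / required


if __name__ == "__main__":
    for gap in coverage_gaps():
        print(*gap)
    print("never scanned:", never_scanned())
    print(f"coverage: {coverage_ratio():.0%}")
```

Run against the constructed data this reports the purchased HR portal as never scanned at all, the acquired claims application as overdue on one activity and missing another, and a stale manual assessment on the critical application that the monthly automated scans would otherwise mask; the coverage ratio is the figure to re-run after each scan cycle, since a scanner that is only ever pointed at the applications already in the history cannot move it.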
Questions / Contact Information
Dan Cornell, Principal and CTO
[email protected]
Twitter: @danielcornell
(210) 572-4400
www.denimgroup.com
blog.denimgroup.com