Hard to Port! - Event Schedule & Agenda Builder App |...
Hard to Port!
A Snapshot of the Vulnerability Landscape in 2015
Contents
• Who am I?
• Why are we here?
• How do we measure risk?
• Where did you get these numbers?
• 2015 Overview
• Some thoughts!
• Hard to what?
• End
Who am I - Rahim Jina
Present: Director at edgescan™
Past: Head of Security – Fonality, Los Angeles. Security Consultant – Evil Big 4, Dublin.
OWASP: Participator & Contributor since 2008
Application Security & Application Development: 11 Years
Why are we here?
How do we measure risk?
Continuous Testing
Full Stack – Web Apps and Servers
Human verification of all vulnerabilities
Analytics and Metrics
Delta Analysis
Track improvement or decline
Why do an annual report?
“You can't improve what you can't measure”
What is most effective at reducing Risk?
What is the major Root Cause?
Are most Risks at the Application layer?
Are most Risks at the Server Layer*?
Quick wins to be more secure?
Average time to fix a high risk?
What does improvement look like?
* “Server Layer” is also software!!
Where did you get these numbers?
• December 2014 – November 2015
• Assessing 000’s of Assets
• Assets = Web applications & hosts
[Chart: INDUSTRY SPLIT – bar values per industry; the category labels are not recoverable from the transcript]
2015 - Year in Review
2015 – Overview
Security by Numbers
Likelihood of a vulnerability being discovered – Web Applications
Security by Numbers
Likelihood of a vulnerability being discovered (root cause) – Hosting Layer
Security by Numbers
Security by Numbers
Risk Density
Security by Numbers
Time-To-Remediation for discovered Critical/High Risk issues
[Chart: BEST CASE vs WORST CASE]
Security by Numbers
2 out of every 3 servers contained a high-medium risk SSL/TLS cryptography weakness
Thoughts - Headers
HTTP Security Headers
• Strict-Transport-Security
• Content-Security-Policy
• X-Content-Type-Options
• X-XSS-Protection
• Public-Key-Pins
• X-Frame-Options
Thoughts - Component security
Who wrote your code?
Who wrote the other code used by your code?
Who wrote the other code in the code used by your code?
Who wrote the code in the other code in the code used by your code?
Thoughts - Software Food Chain
Application Code – Degrees of trust: More → LESS (diagram axis; items listed as extracted, not in axis order):
• COTS (Commercial off the shelf)
• Outsourced development Sub-Contractors
• Bespoke outsourced development
• Bespoke Internal development
• Third Party APIs
• Third Party Components & Systems
• Github Special
• Random College Project
Thoughts - Component security
Building bricks – Frameworks / Components
(Spring, JQuery, Jade, Angular, Hibernate)
90% of application code is framework
63%* don’t monitor component security
* http://www.sonatype.com/about/2014-open-source-software-development-survey
Thoughts - Components
As of October 2015:
Spring (3.0-3.05) – CVE-2011-2894 – Code execution
7,000,000 downloads since vuln discovered
CVSS: 6.8
Apache Xerces2 – CVE-2009-2625 – DoS
4,000,000 downloads since vuln discovered
CVSS: 5
Apache Commons HttpClient 3.x – CVE-2012-5783 – MiTM
4,000,000 downloads since vuln discovered
CVSS: 4.9
Struts2 (2.0-2.3.5) – CVE-2013-2251 – Remote Cmd Injection
179,050 downloads since vuln discovered
CVSS: 10
Thoughts – Patching & Component Management
“Of all the vulnerabilities discovered in 2015, 63% could have been mitigated via patch, configuration and component management combined.”
Thoughts – Patching & Component Management
Do you test for "dependency" issues?
Does your patch management policy cover application dependencies?
What about layer 7!
Check out: https://github.com/jeremylong/DependencyCheck
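As an added example (not from the talk, and not the Dependency-Check project's own code), a small Python build gate that reads a Dependency-Check JSON report and fails the build when any finding reaches a CVSS threshold, so dependency issues are caught in CI rather than found later by a scan. The report field names (dependencies, fileName, vulnerabilities, name, cvssv2.score, cvssv3.baseScore) are an assumption about the tool's report layout, and the sample report is constructed around the CVEs the deck lists.

```python
import json

# Constructed sample report (not real scan output): two components the talk
# names, with the CVSS v2 scores the deck quotes, plus one clean dependency
# and one finding that carries no score at all.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "struts2-core-2.3.1.jar",
     "vulnerabilities": [{"name": "CVE-2013-2251", "cvssv2": {"score": 10.0}}]},
    {"fileName": "commons-httpclient-3.1.jar",
     "vulnerabilities": [{"name": "CVE-2012-5783", "cvssv2": {"score": 4.9}}]},
    {"fileName": "clean-lib-1.0.jar"},
    {"fileName": "odd-lib-0.1.jar",
     "vulnerabilities": [{"name": "PLACEHOLDER-UNSCORED"}]},
]})

def score_of(vuln):
    """Highest CVSS score present on one finding, or None if unscored.
    Field names (cvssv3.baseScore, cvssv2.score) are assumed from the
    Dependency-Check report layout; verify against your tool version."""
    scores = []
    if "baseScore" in vuln.get("cvssv3", {}):
        scores.append(float(vuln["cvssv3"]["baseScore"]))
    if "score" in vuln.get("cvssv2", {}):
        scores.append(float(vuln["cvssv2"]["score"]))
    return max(scores) if scores else None

def findings(report_text):
    """(dependency file, vulnerability id, score) for every finding."""
    report = json.loads(report_text)
    return [(dep["fileName"], vuln["name"], score_of(vuln))
            for dep in report.get("dependencies", [])
            for vuln in dep.get("vulnerabilities", [])]

def build_passes(report_text, fail_on_cvss=7.0):
    """Fail-closed gate: any finding at or above the threshold fails the
    build, and so does an unscored finding, since its severity is unknown."""
    passed = True
    for dep, vid, score in findings(report_text):
        print(f"{dep}: {vid} CVSS={'n/a' if score is None else score}")
        if score is None or score >= fail_on_cvss:
            passed = False
    return passed

if __name__ == "__main__":
    raise SystemExit(0 if build_passes(SAMPLE_REPORT) else 1)
```

Point the script at the JSON report Dependency-Check writes for your project and run it as a CI step; a non-zero exit blocks the merge.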
Thoughts – Pushing Left
Customers who fared the ‘best’ were queried on their SDLC practices and utilised some or all of these throughout their SDLC and OPS:
Thoughts – Pushing Left
Fail Early – Fail Often!
Thoughts – Pushing Left
• Continuous Testing & DAST
• Continuous Integration & SAST
• Threat Modelling
• Dedicated security teams
• SecDevOps
• Continuous Asset Profiling & Monitoring → Component Management
Thoughts – Pushing Left
Continuous Security Assessment Approach: [diagram of assessment activity over time]
Wrap-Up
• Organisational trends towards SecDevOps
• DAST and SAST integration into the build process
• Security needs to be more than point-in-time
• Component Security is being overlooked
• Maintenance and component security are key - Full-Stack Patching!
• Continuous testing for continuous development
www.edgescan.com
© BCC Risk Advisory Ltd 2016.
Thanks
[email protected] / @rahimjina
edgescan™ 2015 Vulnerability Stats Report:
https://edgescan.com/2015-edgescan-stats-report.pdf