ProActive Security

PROACTIVE SECURITY CAGLAR SAYIN

Transcript of ProActive Security

Page 1: ProActive Security

PROACTIVE SECURITY

CAGLAR SAYIN

Page 2: ProActive Security

WHO I AM

I AM CAGLAR

▸ I am basically a Turkish computer engineer who focuses on security

▸ I am a biker, skier, sailor etc.

▸ Netsparker Web Application Scanner

▸ Norwegian Information Security Lab

▸ Sony

Page 3: ProActive Security

THE LAYOUT

LAYOUT

▸ What is ProActive Security

▸ The Steps

▸ Discovery

▸ Scoping

▸ Assessment

▸ Reporting

▸ Remediation

▸ Training and Awareness

Page 4: ProActive Security

PROACTIVE SECURITY

IT IS BEING SECURE BEFORE BEING ACTED UPON

▸ It is the opposite of reactive security

▸ It tries to mitigate and prevent risk

▸ It gives you a chance to estimate the future

▸ Estimating the future gives you a chance to do response planning

Page 5: ProActive Security

PLANS ARE NOTHING; PLANNING IS EVERYTHING.

Dwight D. Eisenhower

OTHERS' PLANS ARE NOT YOURS

Page 6: ProActive Security

STEPS

THE STEPS OF PROACTIVE SECURITY

▸ Risk Assessment

▸ Impact Analysis

▸ Risk Prevention

▸ Risk Mitigation

▸ Threat Analysis

▸ Planning Response

Page 7: ProActive Security

WORK ON XYZ COMPANY

Page 8: ProActive Security

VULNERABILITY DISCOVERY

VULNERABILITY DISCOVERY

▸ Working on Our Own Test Env

▸ Attack Surface

▸ Automated Vulnerability and Attack Surface Discovery

▸ Manual Vulnerability Discovery

▸ Instant Vulnerability Discovery and DevOps Harmony

Page 9: ProActive Security

OWN ENVIRONMENT

WHY WE NEED TO WORK ON OUR OWN ENVIRONMENT

▸ We must work on a dead planet with living data on it

▸ It will be like UAT or integration tests

▸ Cloud services do not permit us to test on their platform

▸ Testing on the live system could result in data loss or functional defects in the application

▸ All security parameters must be turned off to test the application itself specifically.

Page 10: ProActive Security

OWN ENVIRONMENT

WORKING ON OUR OWN ENVIRONMENT

▸ Code must be a frozen copy of the production environment

▸ If not, it could result in inconsistent test results

▸ We should touch all available features, and they must be activated

▸ It will be like UAT or integration tests, to provide test accuracy

Page 11: ProActive Security

ATTACK SURFACE ANALYSIS

ATTACK SURFACE IS TO

▸ Understand the risk areas in an application

▸ Make developers and security specialists aware of what parts of the application are open to attack,

▸ Find ways of minimising this

▸ Notice when and how the Attack Surface changes and what this means from a risk perspective.

Page 12: ProActive Security

DEVELOPERS + SECURITY ENGINEERS =

BEST ATTACK SURFACE ANALYSIS

Page 13: ProActive Security

ATTACK SURFACE ANALYSIS

ATTACK SURFACE IN THEORY

▸ the sum of all paths for data/commands into and out of the application, and

▸ the code that protects these paths (including resource connection and authentication, authorisation, activity logging, data validation and encoding), and

▸ all valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and PII, and

▸ the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).

Page 14: ProActive Security

ATTACK SURFACE ANALYSIS

ATTACK SURFACE IN PRACTICE

▸ Network-facing, especially internet-facing code

▸ Web forms

▸ Files from outside of the network

▸ Backwards compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test multiple versions

▸ Custom APIs – protocols etc – likely to have mistakes in design and implementation

▸ Security code: anything to do with cryptography, authentication, authorization (access control) and session management

Page 15: ProActive Security

ATTACK SURFACE ANALYSIS

GIT DIFF MASTER MASTER~1

▸ What has changed?

▸ What are you doing different?

▸ What holes could you have opened?
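The slide's three questions can be partly answered mechanically. The following is an added example, not code from the deck: it takes the path list that `git diff --name-only master master~1` prints, sorts each path into the attack-surface areas named on the "in practice" slide, and tells the reviewer whether the change set touched the attack surface at all. The path patterns and the sample diff output are constructed assumptions, not any project's conventions.

```python
"""Attack-surface triage of a change set (added example, not from the deck).

Given the paths printed by `git diff --name-only master master~1`, sort each one
into the attack-surface areas the slides list and flag the change set for
security review if any path lands on the attack surface. Path heuristics and
the sample diff output below are constructed for illustration."""
import re
import subprocess
from collections import defaultdict

# Constructed path heuristics -> attack-surface area from the "in practice" slide.
BUCKETS = [
    ("security code",    re.compile(r"auth|login|session|crypt|token|password|acl|permission", re.I)),
    ("custom API",       re.compile(r"(^|/)(api|rpc|graphql)/", re.I)),
    ("web form",         re.compile(r"form|upload|controller|template", re.I)),
    ("external file",    re.compile(r"import|parser|ingest|upload", re.I)),
    ("legacy interface", re.compile(r"legacy|compat|v1/|soap", re.I)),
    ("network-facing",   re.compile(r"handler|endpoint|route|server|listener|socket", re.I)),
    ("dependencies",     re.compile(r"(requirements.*\.txt|package\.json|pom\.xml|Gemfile|go\.mod)$")),
]

# Constructed sample of `git diff --name-only master~1 master` output.
SAMPLE_DIFF = """\
app/api/v2/orders.py
app/auth/session.py
docs/README.md
requirements.txt
legacy/soap_gateway.py
"""


def parse_diff_output(text):
    """Split names-only diff output into clean paths."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def changed_paths(base="master", repo="."):
    """Run the slide's comparison (names only) against a real repository."""
    out = subprocess.run(
        ["git", "-C", repo, "diff", "--name-only", f"{base}~1", base],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_diff_output(out)


def classify_paths(paths):
    """Map every changed path to each attack-surface area it touches.
    A path may land in several areas; unmatched paths go to 'other'."""
    hits = defaultdict(list)
    for path in paths:
        matched = False
        for area, pattern in BUCKETS:
            if pattern.search(path):
                hits[area].append(path)
                matched = True
        if not matched:
            hits["other"].append(path)
    return dict(hits)


def needs_security_review(hits):
    """True when at least one changed path sits on the attack surface."""
    return any(area != "other" for area in hits)


def summarize(hits):
    """Answer the slide's questions: what changed, and which areas may now be open."""
    lines = []
    for area, paths in sorted(hits.items()):
        lines.append(f"{area}: {len(paths)} file(s)")
        lines.extend(f"  - {p}" for p in paths)
    lines.append("security review needed" if needs_security_review(hits)
                 else "no attack-surface change")
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline demo on the constructed sample; use changed_paths() inside a repo.
    print(summarize(classify_paths(parse_diff_output(SAMPLE_DIFF))))
```

The heuristics deliberately over-match: a false "review needed" costs a few minutes, a missed change to session or API code can cost far more. Tune the patterns to the repository's layout rather than relying on the constructed ones.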

Page 16: ProActive Security

AUTOMATED VULNERABILITY DISCOVERY

AUTOMATED VULNERABILITY DISCOVERY

▸ They try far more payloads than a person could

▸ These tools have been developed by many people over years

▸ THEY ARE FAST and REALLY FAST

▸ THEY ARE PRACTICAL

▸ They are patient and tolerant

▸ Could be improved with targeted configuration

▸ False Positive rates are really high

Page 17: ProActive Security

MANUAL VULNERABILITY DISCOVERY

MANUAL VULNERABILITY DISCOVERY

▸ I know my application better than they do

▸ There are some vulnerabilities that can only be tested manually

▸ I am more intuitive

▸ I am holistic

▸ It is slow

Page 18: ProActive Security

INSTANT APPROACH

INSTANT APPROACH

Page 19: ProActive Security

INSTANT APPROACH

INSTANT APPROACH

Page 20: ProActive Security

INSTANT APPROACH

INSTANT APPROACH

Page 21: ProActive Security

INSTANT APPROACH

INSTANT APPROACH

Page 22: ProActive Security

INSTANT APPROACH

INSTANT APPROACH KEYWORDS

▸ Static security test which is involved in CI process or even coding phase (Checkmarx)

▸ Dynamic security test (Skipfish, Arachni)

▸ The wrapper tools to combine them

▸ BDD-Security

▸ Gauntlt

▸ Mittn

▸ Strider :)
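The "wrapper tools" on this slide all do the same basic job: run the static and dynamic scanners inside the pipeline, put their findings into one shape, and fail the build according to a policy. The following is an added example of that idea, not code from Gauntlt, BDD-Security, Mittn or the deck. The two report shapes, the severity scale, the accepted-findings list (for confirmed false positives) and the sample findings are all constructed for illustration.

```python
"""CI gate merging static (SAST) and dynamic (DAST) scanner output.

Added example of the 'wrapper' idea behind Gauntlt, BDD-Security and Mittn;
not code from those projects or from the deck. Report shapes, severity scale,
accepted list and sample findings are constructed."""
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    source: str    # "sast" or "dast"
    rule: str      # scanner rule / check identifier
    location: str  # file:line for SAST, URL for DAST
    severity: str  # key of SEVERITY_RANK


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def normalize_sast(report):
    """Constructed SAST shape: {"issues": [{"checker", "file", "line", "risk"}]}."""
    return [Finding("sast", i["checker"], f'{i["file"]}:{i["line"]}', i["risk"].lower())
            for i in report["issues"]]


def normalize_dast(report):
    """Constructed DAST shape: {"vulnerabilities": [{"type", "url", "severity"}]}."""
    return [Finding("dast", v["type"], v["url"], v["severity"].lower())
            for v in report["vulnerabilities"]]


def merge(*finding_lists):
    """Combine scanner outputs into one de-duplicated list, preserving order."""
    return list(dict.fromkeys(f for lst in finding_lists for f in lst))


def gate(findings, accepted, threshold="high", today=None):
    """Return (passed, blocking).

    A finding blocks the build when its severity is at or above the threshold
    and it is not on the accepted list (confirmed false positive or accepted
    risk) with an acceptance date that has not expired. The list is keyed on
    (rule, location) so one acceptance never silences the same rule elsewhere."""
    today = _as_date(today) if today else date.today()
    blocking = []
    for f in findings:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[threshold]:
            continue
        expires = accepted.get((f.rule, f.location))
        if expires is not None and _as_date(expires) >= today:
            continue
        blocking.append(f)
    return not blocking, blocking


# Constructed sample scanner output.
SAST_REPORT = {"issues": [
    {"checker": "sql-injection", "file": "app/db.py", "line": 42, "risk": "High"},
    {"checker": "hardcoded-secret", "file": "app/config.py", "line": 7, "risk": "Medium"},
]}
DAST_REPORT = {"vulnerabilities": [
    {"type": "reflected-xss", "url": "https://staging.example.test/search", "severity": "High"},
    {"type": "missing-csp", "url": "https://staging.example.test/", "severity": "Low"},
]}
# Constructed: the XSS was triaged as a scanner false positive; acceptance reviewed yearly.
ACCEPTED = {("reflected-xss", "https://staging.example.test/search"): "2099-01-01"}


def run_gate(today=None, threshold="high", accepted=None):
    """Full pipeline step: normalize both reports, merge, apply the policy."""
    findings = merge(normalize_sast(SAST_REPORT), normalize_dast(DAST_REPORT))
    return gate(findings, ACCEPTED if accepted is None else accepted, threshold, today)


if __name__ == "__main__":
    passed, blocking = run_gate()
    for f in blocking:
        print(f"BLOCK {f.severity:8} {f.source} {f.rule} at {f.location}")
    raise SystemExit(0 if passed else 1)
```

The expiry date on each accepted finding is what keeps the false-positive list from becoming a permanent blind spot: when it lapses, the finding blocks the build again until someone re-triages it.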

Page 23: ProActive Security

SCOPING

SCOPING WITH TIERED TEST APPROACH

▸ Tier 4 test - 1 day

▸ Tier 3 test - 3 days

▸ Tier 2 test - 1 week

▸ Tier 1 Premium test - 3 weeks

Page 24: ProActive Security

SCOPING

TIER 4 TEST

▸ It will only take 1 day - quick test

▸ It will cover automated tool tests on the consumer-facing web application, API and API dashboard

▸ It will not cover the XYZ internal dashboard

▸ It will not cover the message queue, SQL DB or Hadoop because they are already restricted from the internet.

▸ It will include false positive checks on the output of the automated tool results

Page 25: ProActive Security

SCOPING

TIER 3 TEST

▸ It will only take 3 days - medium ranged test

▸ It will cover all the things in tier 4

▸ It will cover business logic assessments and some authentication and authorisation attacks.

▸ Will cover attacks on the authentication face of the internal dashboard

Page 26: ProActive Security

SCOPING

TIER 2 TEST

▸ It will only take 1 week - normal ranged test

▸ It will cover all the things in tier 3

▸ Architectural analysis is involved in this tier.

▸ API attack vectors will be prepared manually

▸ Manual web pentest will take its place

▸ The interactions and connections between nodes will be checked. They must be encrypted

▸ It will cover remote attacks like reflected XSS and CSRF attacks against the internal dashboard, to protect employees from spear phishing attacks

Page 27: ProActive Security

SCOPING

TIER 1 PREMIUM TEST

▸ It will take 3 weeks or more

▸ It will cover all the things in tier 2

▸ It will cover threat modelling (threat vectors or threat trees)

▸ It will cover configuration analysis

▸ It will cover static code analysis and will combine results with manual assessment

▸ It will cover all network tests and internal web tests.

Page 28: ProActive Security

PENTEST LOGS

PENETRATION TESTERS ARE RESPONSIBLE FOR THEIR OWN LOGS

▸ Testers must record their own logs on their own computers.

▸ Network-level logging devices must store their own logs

▸ Network logging must be accountable, which means we must authenticate people and stamp their ID onto logs
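One way to make a test activity log accountable in the sense this slide describes, as an added example that is not code from the deck or any product: every record carries the authenticated tester's ID, is MAC'd with that tester's key, and links to the MAC of the previous record, so a record cannot be altered, removed or re-attributed to another tester without the chain failing verification. The per-tester keys and the sample entries are constructed; a real deployment would derive identity from the authentication system rather than a table of keys.

```python
"""Accountable pentest activity log (added example, not from the deck).

Each entry is stamped with the authenticated tester ID, MAC'd with that
tester's key, and chained to the previous entry's MAC. Keys and entries are
constructed for illustration."""
import hashlib
import hmac
import json

# Constructed per-tester keys; in practice these come from the auth system.
TESTER_KEYS = {
    "tester-01": b"constructed-key-for-tester-01",
    "tester-02": b"constructed-key-for-tester-02",
}
GENESIS = "0" * 64  # prev_mac of the first entry


def _mac(key, record):
    """HMAC-SHA256 over a canonical JSON encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AccountableLog:
    def __init__(self):
        self.entries = []

    def append(self, tester_id, timestamp, target, action):
        """Append one record; raises KeyError for an unauthenticated tester."""
        key = TESTER_KEYS[tester_id]
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        record = {"tester_id": tester_id, "timestamp": timestamp,
                  "target": target, "action": action, "prev_mac": prev}
        record["mac"] = _mac(key, record)  # computed before 'mac' is in the record
        self.entries.append(record)
        return record

    def verify(self):
        """Return (ok, index_of_first_bad_entry_or_None).

        An entry fails if its tester is unknown, its MAC does not verify under
        that tester's key (tampering or re-attribution), or its prev_mac does
        not match the previous entry (deletion or insertion)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            key = TESTER_KEYS.get(entry.get("tester_id"))
            body = {k: v for k, v in entry.items() if k != "mac"}
            if (key is None or entry.get("prev_mac") != prev
                    or not hmac.compare_digest(_mac(key, body), entry.get("mac", ""))):
                return False, i
            prev = entry["mac"]
        return True, None


def sample_log():
    """Constructed sequence of three test actions by two testers."""
    log = AccountableLog()
    log.append("tester-01", "2024-03-01T09:00:00Z", "staging-web",
               "started automated scan (tier 4 scope)")
    log.append("tester-01", "2024-03-01T09:45:00Z", "staging-api",
               "false positive review of scan output")
    log.append("tester-02", "2024-03-01T10:00:00Z", "staging-web",
               "authentication assessment")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("chain valid:", log.verify())
    log.entries[1]["action"] = "nothing happened"
    print("after tampering:", log.verify())
```

Because the MAC key belongs to the tester, the log also answers "who did this" for the network-level logs: a record that claims tester-02 but was produced under tester-01's key fails verification at that index.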

Page 29: ProActive Security

EVIDENCE

VULNERABILITY EVIDENCE IS CONTROVERSIAL

▸ Yes, it is controversial, but it must be concrete.

▸ Present your arguments as cleanly as possible.

▸ Some vulnerabilities are theoretical and cannot be exploited; they must be shown with a trustworthy reference

Page 30: ProActive Security

REPORTING

REPORTING ESSENTIALS

▸ Testing Team details

▸ Network Details

▸ Scope of test

▸ Executive Summary

▸ Technical Summary

Page 31: ProActive Security

REPORTING

STEPS MUST BE EXPLAINED IN TECHNICAL REPORT

▸ Reconnaissance & Enumeration

▸ Scanning

▸ Obtaining Access

▸ Maintaining Access

▸ Erasing Evidence

Page 32: ProActive Security

REPORTING

MY OPINIONS

▸ Nobody reads reports

▸ They must be precise and concise

▸ They must be more interactive

▸ Check out Dradis and Faraday

Page 33: ProActive Security

APPSEC PIPELINE

APPSEC PIPELINE

Page 34: ProActive Security

APPSEC PIPELINE

APPSEC PIPELINE

Page 35: ProActive Security

REMEDIATION ESSENTIALS

ESSENTIALS

▸ The location of the vulnerability should affect the remediation timeframe

▸ The CVSS score could be used as a base to develop our own scoring system

▸ Vulnerabilities claimed as fixed must be retested

▸ Remediation methods should be shaped by security engineers
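The first three points on this slide fit together as one small policy: take the CVSS base score, adjust the fix window by where the vulnerability sits, and refuse to close a ticket until a retest has passed. The following is an added example of such a policy, not code from the deck; the day counts, the exposure multipliers and the ticket states are constructed, and only the CVSS v3 qualitative bands (None, Low, Medium, High, Critical) are the standard ones.

```python
"""Remediation policy built on the CVSS base score (added example, not from the deck).

Baseline days per CVSS band, a location multiplier, and a ticket workflow
that requires a passed retest before closure. Day counts, multipliers and
states are a constructed policy; the CVSS bands are the standard v3 scale."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from math import ceil


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def cvss_band(score):
    """CVSS v3.x qualitative severity rating for a base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


# Constructed: baseline days to fix per band, before location is considered.
BASE_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
# Constructed: location multiplier. Internet-facing shortens the window;
# components already restricted from the internet get a longer one.
EXPOSURE = {"internet": 0.5, "partner": 0.75, "internal": 1.0, "restricted": 2.0}


def remediation_days(score, exposure):
    """Days allowed to fix, or None when the score carries no severity."""
    band = cvss_band(score)
    if band == "none":
        return None
    return ceil(BASE_DAYS[band] * EXPOSURE[exposure])


def remediation_deadline(score, exposure, found_on):
    days = remediation_days(score, exposure)
    return None if days is None else _as_date(found_on) + timedelta(days=days)


@dataclass
class Ticket:
    """Finding lifecycle: open -> claimed_fixed -> verified -> closed,
    with claimed_fixed -> reopened when the retest still finds the issue."""
    title: str
    score: float
    exposure: str
    found_on: str
    status: str = "open"
    history: list = field(default_factory=list)

    def _move(self, new_status):
        self.history.append((self.status, new_status))
        self.status = new_status

    def claim_fixed(self):
        if self.status not in ("open", "reopened"):
            raise ValueError(f"cannot claim fixed from {self.status}")
        self._move("claimed_fixed")

    def retest(self, still_vulnerable):
        if self.status != "claimed_fixed":
            raise ValueError("nothing to retest")
        self._move("reopened" if still_vulnerable else "verified")

    def close(self):
        # The slide's rule: a claimed fix is not closed until a retest passed.
        if self.status != "verified":
            raise ValueError("close requires a passed retest")
        self._move("closed")

    @property
    def deadline(self):
        return remediation_deadline(self.score, self.exposure, self.found_on)

    def overdue(self, today):
        return (self.status != "closed" and self.deadline is not None
                and _as_date(today) > self.deadline)


if __name__ == "__main__":
    t = Ticket("SQL injection in order search", 8.6, "internet", "2024-03-01")
    print(cvss_band(t.score), "deadline", t.deadline)
```

Using the CVSS score only as the base, as the slide suggests, leaves the exposure multiplier as the place where the organisation's own knowledge of its architecture (which components are internet-facing, which are restricted) changes the priority.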

Page 36: ProActive Security

TRAINING AND AWARENESS

TRAININGS

▸ Basic security awareness and knowledge for EVERYONE

▸ The system must be ready to be secure before the people are

▸ The paper "A Conceptual Framework to Study Socio-Technical Security" by Ana Ferreira, Jean-Louis Huynen, Vincent Koenig and Gabriele Lenzini must be checked

▸ Holistic approach - statistics from vulnerability discovery should be taken into account

Page 37: ProActive Security

TRAINING

SECURITY AWARENESS PROGRAMS

▸ TeamMentor - guide to remediation

▸ Secure development guidelines

▸ Hackathon - CTF for developers

▸ Coursera

▸ For repeated issues, brown bag sessions

▸ "Chosen books are free, but shipping is excluded" model

Page 38: ProActive Security
Page 39: ProActive Security

THANKS

Page 40: ProActive Security

THANKS

THANKS

▸ Thank you

▸ Thanks to OWASP

▸ Thanks to the insights of Carnegie Mellon University

▸ Thanks to pentest-standard.org

▸ Thanks to vulnerabilityassessment.co.uk

Page 41: ProActive Security

MORE

FOR MORE

▸ For more about business cases and management situations