Web Application Vulnerability Management
Date posted: 19-Oct-2014
Category: Technology
Transcript of Web Application Vulnerability Management
![Page 1: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/1.jpg)
Building a Web Application Vulnerability Management Program
![Page 2: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/2.jpg)
Jason Pubal
Blog: www.intellavis.com/blog
Social: linkedin.com/in/pubal, twitter.com/pubal
![Page 3: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/3.jpg)
INTRODUCTION
PREPARATION
DAST TOOLS
VM PROCESS
METRICS
VM ON THE CHEAP
![Page 4: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/4.jpg)
Risk Management: the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.
Vulnerability Management: the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.
GOAL – Identify & Reduce Risk
Understand web application specific risk exposure and bring it in-line with policies.
![Page 5: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/5.jpg)
Gartner
Vulnerability Management
![Page 6: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/6.jpg)
OWASP OpenSAMM
Software Assurance Maturity Model
![Page 7: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/7.jpg)
BSIMM
Building Security in Maturity Model
![Page 8: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/8.jpg)
Application Security Touchpoints
![Page 9: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/9.jpg)
Bug Bounty Program: now in BSIMM v5 (Google, Facebook).
What's Missing? Recurring Vulnerability Assessments. Infrastructure vulnerability scanning is best practice. Why not applications?
![Page 10: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/10.jpg)
Software Assurance Maturity Model
Security Testing: penetration tests and other automated security tests done before deployment.
Vulnerability Management: handling security incidents and externally reported vulnerabilities.
![Page 11: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/11.jpg)
Vulnerability Management Process
Cycle: Inventory → Enroll → Assess → Report → Remediate → Assess (repeat)
Policy
Defect Tracking
Metrics
![Page 12: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/12.jpg)
Preparation
Processes: Decide what you're doing. Get stakeholder approval.
Policy: Gives YOU the ability to do vulnerability assessments and to set remediation timelines, secure coding practices, and infrastructure configuration policies.
Scanning Tools: Choose a web application vulnerability scanner that fits your program requirements.
Inventory: Create and maintain an inventory of web applications.
Introductory Material: Create a communications plan. Build a packet of information to give application owners as you enroll sites.
Project Management Integration: Hook into project management as a web application "go live" requirement.
![Page 13: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/13.jpg)
Dynamic Application Security Testing (DAST)
Detect conditions indicative of a security vulnerability in an application in its running state.
1. Spider Application
2. Fuzz Inputs
3. Analyze Response
![Page 14: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/14.jpg)
Scanner Comparison – sectoolmarket.com
![Page 15: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/15.jpg)
Building your Inventory - Reconnaissance
Recon-ng: Web reconnaissance framework. Google Dorks, IP/DNS lookups, GPS, PunkSPIDER, Shodan, PwnedList, LinkedIn, etc.
NMAP: `nmap -P0 -p80,443 -sV --script=http-screenshot <ip range/subnet>`
DNS: Make friends with your DNS administrator.
Reverse Lookups (ewhois.com): Reverse email lookup. Google Analytics or AdSense ID.
Google: Google for your company. Go through the top 100 results. Build a list of websites.
![Page 17: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/17.jpg)
Enrollment Process
![Page 19: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/19.jpg)
Remediation Process
![Page 20: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/20.jpg)
Not Infrastructure Vulnerability Management
Software Defects: Infrastructure folks have been doing patch management for years. Software developers have been fixing "bugs." Frame the vulnerability as a code defect.
Legacy Applications: What if we are no longer actively developing the application? What if we don't even employ developers who use that language?
Determine Level of Effort: Each fix is its own software development project.
Technical vs. Logical Vulnerabilities: A technical fix is usually straightforward and repetitive. Logical fixes can require significant redesign.
Not a Cookie-Cutter Patch: The development team has to take time away from building new functionality.
![Page 21: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/21.jpg)
Common Mistakes
Not Considering Business Context in Risk Ratings: Only looking at the automated tool's risk ranking is not sufficient. Take the application's business criticality into consideration.
No Approval or Notification: Knocking over an application that no one knew you were scanning could have detrimental political effects.
Forcing Developers to Use New Tools & Processes: Communicating with development teams using their existing tools and processes helps to decrease friction between security and development organizations.
Sending a PDF Report of 100 Vulnerabilities to the Dev Team! Avoid bystander apathy. Use the development team's defect tracking tool.
![Page 23: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/23.jpg)
Metrics
Expressed as a Number or Percentage: Not with qualitative labels like high, medium, or low.
Cheap to Gather: Metrics ought to be computed at a frequency commensurate with the process's rate of change. We want to analyze security effectiveness on a day-to-day or week-by-week basis. Figuring out how to automate metric generation is key.
Expressed Using at Least One Unit of Measure: Defects, hours, or dollars. Defects per application. Defects over time.
Contextually Specific: The metric needs to be relevant enough to decision makers that they can take action. If no one cares, it is not worth gathering.
Consistently Measured: Anyone should be able to look at the data and come up with the same metric using a specific formula or method. Metrics that rely on subjective judgment are not good.
![Page 24: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/24.jpg)
Metrics
Company Top 10 Vulnerabilities: Like the OWASP Top 10, but organization specific.
Vulnerabilities per Application: Number of vulnerabilities that a potential attacker without prior knowledge might find. You could also count by business unit or criticality.
Mean Time to Mitigate Vulnerabilities: Average time taken to mitigate vulnerabilities identified in an organization's technologies. This speaks to organization performance and the window in which the vulnerability might be exploited.
Security Testing Coverage: Percentage of applications in the organization that have been subjected to security testing.
![Page 26: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/26.jpg)
On the Cheap
Vulnerability Aggregation: ThreadFix - Open Source
Defect Tracking: JIRA - $10, 10 users; Bugzilla - Open Source
Web Application Vulnerability Scanner: Burp Suite - $299, single license; OWASP Zed Attack Proxy (ZAP) - Open Source
![Page 27: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/27.jpg)
Jason Pubal
Blog: www.intellavis.com/blog
Social: linkedin.com/in/pubal, twitter.com/pubal
![Page 28: Web Application Vulnerability Management](https://reader033.fdocuments.net/reader033/viewer/2022061109/54449873b1af9f700a8b497d/html5/thumbnails/28.jpg)
THANK YOU