Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
DESCRIPTION
http://www.ddifrontline.com Digital Defense Inc (DDI) and Veracode present the "Crafting Super-Powered Risk Assessments" webinar and slides. The presentation covers security assessments, application security, and how to manage risk.
TRANSCRIPT
Crafting Super-Powered Risk Assessments
Chris Wysopal | CTO & Co-founder, Veracode
Gordon MacKay | EVP & CTO, Digital Defense, Inc.
Logistics
Presentation is designed for 30 to 45 minutes with time for questions.
Please use your control panel (shown on the right) to ask questions at any time during the presentation.
Presentation is being recorded
Both presentation and slides will be made available
Gordon MacKay | Digital Defense, Inc.
Gordon MacKay, Digital Defense Executive Vice President and Chief Technology Officer, is responsible for strategic design, planning, and establishment of platform road maps, new platform development initiatives, and maintenance of the Company’s security information event management platforms and proprietary assessment solutions. Gordon also oversees the Platform Development architecture as well as manages the Platform Development and Vulnerability Research organizations.
Gordon started his career in 1991 as a systems engineer at Nortel Networks where he designed Interactive Voice Response systems. Prior to joining Digital Defense, he held several research and development leadership positions at Alcatel USA in Dallas Texas. Gordon is a frequent speaker at industry conferences and events.
Chris Wysopal | Veracode, Co-Founder and Chief Technology Officer
Chris Wysopal is responsible for the security analysis capabilities of Veracode technology. Mr. Wysopal is recognized as an expert and a well-known speaker in the information security field and was recently named one of InfoWorld’s Top 25 CTOs and one of the 100 most influential people in IT by the editorial staffs of eWeek, CIO Insight and Baseline Magazine. Chris has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. He also has spoken as the keynote at West Point, to the Defense Information Systems Agency (DISA) and before the International Financial Futures and Options Exchange in London. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work.
About Digital Defense, Inc.
Founded in 1999, Digital Defense, Inc., is the premier provider of managed security risk assessment solutions protecting billions in assets for small businesses to Fortune companies in over 65 countries. Our dedicated team of experts helps organizations establish an effective culture of security and embrace the best practices of information security. Through regular assessments, awareness education and rapid reaction to potential threats, our clients become better prepared to reduce risk and keep their information, intellectual property and reputations secure.
In response to market intelligence and industry demand, DDI is the first information security provider to launch a Vulnerability Assessment (VA) Tool “Trade-In” program. This innovative offering is designed to maximize Information Security ROI for organizations through an applied credit equal to the annual licensing maintenance fee spent on idle and inefficient VA tools. A fully managed and enterprise-wide vulnerability scanning program is now available for companies taking advantage of this unique solution, with the applied credit worth up to 100% of the first year of DDI’s unparalleled VLM-Pro service.
www.ddifrontline.com
888.273.1412
Agenda
• Risk Management Challenges
• Network Assessments – Assessing Risk Outside In
• Application Assessments – Assessing Risk Inside Out
• Combining Network and Application Assessments
• Ongoing Research and Development
The Risk Game – Play Along
What Picture Represents most Risk?
What is Risk?
• Risk is Relative to an Entity
• Risk Involves
1. An Entity with a Goal – Something to Gain/Lose
2. An Entity with Weaknesses/Disadvantages
3. An Environment Capable of Taking Advantage of Weaknesses
Risk = Threat x Vulnerability x Cost
Evolution of Species – One Solution to Risk
Business Organizations Analogous to Living Organisms
• Organizations have Goals and Desires
• Have Weaknesses and Limited Resources
• Face Threats - Internal Flaws, Natural Disasters, Competitors, and More
• Optimal Resource Allocation Depends on Environment
• Organization’s Environment Continuously Changes
Organizations Must Evolve in order to Survive and Grow
Risk Management Challenges
• What is Value and Where is it Located?
• What are the Dangers to Organization’s Value?
• What are Weaknesses of Value Containers?
• What Risk Level is Acceptable?
Risk Management – Weaknesses of Existing Solutions
• No Existing Technology/Solution Accounts for All Risk
• Often, a given solution accounts for only the part of risk visible within its own security silo:
Network Security
Application Security
Access Management
Event Monitoring
Endpoint Security
Risk Management – Network Assessment: Assessing Outside In
• Automatically Inventory Containers
– Attack Surface - Fully Visible, Camouflaged, Invisible
– Location - Externally Internet facing versus deep within the Organization’s Internal Network
– Other Container Details
• Allow Mapping Assets to Containers
• Allow Value Assignments to Containers
• Assess Weaknesses of Containers
Network Assessment Seen From Threat’s Point of View
[Diagram labels: Client Network, Client Asset Containers, NIRV Scanner, FSP Servers, Internet, DDI Cloud-Based Vulnerability Management System, Vulnerability Results; assessment types: External Vulnerability Assessment, Internal Vulnerability Assessment, Authenticated Vulnerability Assessment]
Network Assessment Strengths
• Hosts (Computers or Containers)
• Network Map
• Operating System
• Open Ports, Services, Applications
• Vulnerabilities within OSI Layers 2-7
– Many Known Vulnerabilities
– Generic (e.g. SQL Injection)
• Misconfigurations (e.g. Passwordless Protocols, Easily Guessable Passwords, SNMP configuration issues, much more)
Network Assessment Challenges
• Most Compromises
• Most Malware, Viruses
• Most Backdoors
• Most Unknown (Zero Day) Vulnerabilities
• Hidden Weaknesses (e.g. no or poor use of Encryption)
• Most Business Logic Issues
• Most Security Architecture Weaknesses
• Some Known Vulnerabilities
Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode cloud-based platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components.
Assessment techniques include:
• Static binary analysis
• Dynamic analysis
• Manual analysis
More information available at www.veracode.com
[Diagram layers: Network, End points/OS, Data, Applications]
The Application layer is the most exposed to the attacker.
Even with hardened end points and networks, vulnerabilities in applications can allow attackers to access data.
OWASP Top Ten (2010 edition)
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
http://www.owasp.org/index.php/Top_10
CWE/SANS Top 25 Most Dangerous Software Errors, by category
Insecure Interaction Between Components
• SQL Injection
• Command Injection
• XSS
• Unrestricted upload
• CSRF
• Open Redirect
Risky Resource Management
• Buffer Overflow
• Path Traversal
• Download of code with no check
• Untrusted inclusion
• Dangerous function
• Format String
• Integer Overflow
Porous Defenses
• Missing Authentication
• Missing Authorization
• Hard coded credentials
• Missing encryption
• Untrusted inputs in security decision
• Unnecessary Privileges
• Incorrect authorization
• Incorrect permission assignment
• Broken crypto
• No restriction of excessive authentication attempts
• Use of one way hash with no salt
From Risk Awareness to Risk Mitigation with an Application Security Program
1. Identify Portfolio
2. Assess Vulnerabilities
3. Manage Risk
Identify Application Portfolio
• Get a handle on “application sprawl”
• Involve business units, procurement and vendor management, and automated discovery
• Consider regulatory impact, data leakage risk, operational risk
• Create a policy
Assess Vulnerabilities
• Understand vulnerabilities in your application portfolio
• Leverage automated analysis techniques: static and dynamic scanning
• Engage third-party vendors and service providers
Multiple Analysis Techniques Improve Coverage of Vulnerability Classes
• The universe of application security vulnerabilities is extensive
• There is no “silver bullet” – each technique has strengths and weaknesses
• A complete analysis includes:
– Static analysis (i.e. White Box)
– Dynamic analysis (i.e. Black Box)
– Penetration testing
• Automation allows manual penetration testers to focus on vulnerabilities only humans can find
[Diagram labels: Automated Static, Automated Dynamic, Penetration Testing]
Static Analysis
Analysis of software performed without actually executing the program
• Full coverage of the entire source or binary
• In theory, having full application knowledge can reveal a wider range of bugs and vulnerabilities than the “trial and error” of dynamic analysis
• Impossible to identify vulnerabilities based on system configuration that exist only in the deployment environment
Dynamic Analysis
Analysis of software performed against a running instance of the program
• Most accurately mimics how a malicious user would attack the application
• Due to the lack of internal application knowledge, discovering vulnerabilities can take longer and coverage may be limited
• Cannot generate and test all possible inputs in reasonable time
• Exposes vulnerabilities in the deployment environment
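To make the static/dynamic distinction on these two slides concrete, here is an added example (not code from the webinar, nor from either vendor's product) that applies both techniques to one constructed Python function. The toy static check walks the function's AST looking for execute() calls whose SQL is assembled from a parameter, without ever running it; the dynamic check loads the same function, points it at an in-memory SQLite database and sends a classic tautology payload. The two sample sources, the taint rules and the payload are all assumptions of this example.

```python
import ast
import sqlite3
import textwrap

# Constructed sample sources for this example (assumption: nothing like them
# appears in the webinar). The first builds SQL by concatenation, the second
# binds the value as a parameter.
VULNERABLE_SOURCE = textwrap.dedent('''
    def find_user(conn, username):
        query = "SELECT id FROM users WHERE name = '" + username + "'"
        return conn.execute(query).fetchall()
''')

SAFE_SOURCE = textwrap.dedent('''
    def find_user(conn, username):
        return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()
''')


def _is_tainted(expr, tainted):
    """True if the expression is built from a name in `tainted` via the string
    operations this toy analysis understands: +, %, f-strings and .format()."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.BinOp):
        return _is_tainted(expr.left, tainted) or _is_tainted(expr.right, tainted)
    if isinstance(expr, ast.JoinedStr):
        return any(_is_tainted(v.value, tainted)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    if (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
            and expr.func.attr == "format"):
        return any(_is_tainted(a, tainted) for a in expr.args)
    return False


def static_sqli_findings(source):
    """Static analysis: parse the source, treat every function parameter as
    attacker-controlled, propagate taint through simple assignments, and flag
    any .execute(...) whose first argument is tainted. Nothing is run."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = {a.arg for a in func.args.args}
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and _is_tainted(node.value, tainted):
                tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args
                    and _is_tainted(node.args[0], tainted)):
                findings.append((func.name, node.lineno))
    return findings


def dynamic_sqli_probe(source):
    """Dynamic analysis: load the function, run it against a live in-memory
    database, and compare a benign input with a tautology payload. The code is
    observed as deployed, but only for the inputs actually sent."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)  # sample source from this example
    find_user = namespace["find_user"]
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    benign = find_user(conn, "nobody")
    injected = find_user(conn, "' OR '1'='1")
    return len(injected) > len(benign)


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("parameterized", SAFE_SOURCE)):
        print(label, "static:", static_sqli_findings(src),
              "dynamic:", dynamic_sqli_probe(src))
```

Each technique shows the blind spot the slides describe: the static check reports the concatenation in the vulnerable version and stays silent on the parameterized one, but knows nothing about how the database is actually deployed; the dynamic probe sees the real behaviour of the running code, but only for the single input it tried, and would miss an injection reachable through a parameter it never exercised.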
Managing risk is more than just a list of vulnerabilities
How can this be combined with other risk information?
• Asset criticality
• Network location
• Host vulnerabilities
Combining application scan data with network scan data is a great start.
Combining App Testing and Vuln Scanning
• The network vulnerability scanner knows where all the web applications are.
• It knows of any host vulnerabilities.
• It may know about the criticality of assets the application has access to.
• Application testing has knowledge of vulnerabilities that network vulnerability scanners don’t know about.
DDI-Veracode Provide Evolution Towards Enterprise Security Intelligence
[Diagram: Digital Defense (Vulnerability Management) and Veracode (Application Assessments) combine into Network and Application Assessment, leading to Enterprise Security Intelligence]
• Assessed Applications Mapped to Network Discovered Containers Provide Increased Environmental Context
• Improved Vulnerability Class Coverage
• More Accurate Risk Assessments
Integration Sneak Peek
What’s Next?
• Correlating Application Assessment findings to Network Assessment findings (vulnerability overlaps)
• Emergence of One Risk Rating per container that considers Assessed Applications and Network Assessment Findings
• Advanced Analytics Sourcing data from Two Security Cloud Providers
• Learn more at Veracode-DDI talk at RSA USA 2013: “SAST, DAST And Vulnerability Assessments, 1+1+1 = 4”
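As an added example that is not part of the webinar material or of either product, the following Python script works through the combination described on the "Combining App Testing and Vuln Scanning" slide and in the "What's Next" bullets above, using the earlier Risk = Threat x Vulnerability x Cost definition: it maps application assessment findings onto the containers a network assessment discovered (by URL hostname), correlates overlapping weakness classes that both assessments report, and produces one risk rating per container from exposure (threat), the merged findings (vulnerability) and asset criticality (cost). The sample findings, the hostname-based mapping, the exposure weights and the severity-to-probability aggregation are all assumptions of this example.

```python
from urllib.parse import urlparse

# Constructed sample input (not data from the slides or either vendor's
# product): one record per container from a network assessment and one per
# application from an application assessment. Severities are on a 0-10 scale.
NETWORK_ASSESSMENT = [
    {"host": "10.0.1.10", "hostname": "www.example.test", "exposure": "external",
     "criticality": 5,
     "vulns": [("Outdated TLS library", 7.5), ("Generic SQL Injection", 9.0)]},
    {"host": "10.0.2.20", "hostname": "intranet.example.test", "exposure": "internal",
     "criticality": 3,
     "vulns": [("SNMP default community string", 5.0)]},
    {"host": "10.0.2.30", "hostname": "build.example.test", "exposure": "internal",
     "criticality": 2, "vulns": []},
]

APPLICATION_ASSESSMENT = [
    {"app": "storefront", "url": "https://www.example.test/shop",
     "vulns": [("SQL Injection", 9.0), ("Missing Authorization", 8.0)]},
    {"app": "hr-portal", "url": "http://intranet.example.test/hr",
     "vulns": [("Hard-coded Credentials", 7.0)]},
    {"app": "legacy-wiki", "url": "https://wiki.example.test/",
     "vulns": [("Cross-Site Scripting", 6.0)]},
]

# Threat term of Risk = Threat x Vulnerability x Cost. Network location is the
# only threat signal in the sample, so these weights are an assumption.
THREAT_WEIGHT = {"external": 1.0, "internal": 0.5}


def normalize_class(name):
    """Fold the two scanners' naming onto one key so overlaps correlate
    ("Generic SQL Injection" and "SQL Injection" are the same weakness)."""
    key = name.strip().lower()
    if key.startswith("generic "):
        key = key[len("generic "):]
    return key


def map_apps_to_containers(network, apps):
    """Attach each assessed application to the container that hosts it, by URL
    hostname; apps no container claims are returned separately as a gap."""
    by_hostname = {c["hostname"]: c["host"] for c in network}
    mapped, unmapped = {c["host"]: [] for c in network}, []
    for app in apps:
        host = by_hostname.get(urlparse(app["url"]).hostname)
        (mapped[host] if host else unmapped).append(app)
    return mapped, unmapped


def merge_findings(container, apps):
    """Union of network and application findings per weakness class, keeping
    the highest severity where both assessments report the same class."""
    merged = {}
    for name, severity in container["vulns"] + [v for a in apps for v in a["vulns"]]:
        key = normalize_class(name)
        merged[key] = max(severity, merged.get(key, 0.0))
    return merged


def risk_score(container, merged):
    """Risk = Threat x Vulnerability x Cost. Vulnerability is the chance that at
    least one weakness is exploitable, treating severity/10 as that chance per
    finding (an assumption of this example); Cost is the asset criticality."""
    not_exploitable = 1.0
    for severity in merged.values():
        not_exploitable *= 1.0 - severity / 10.0
    vulnerability = 1.0 - not_exploitable
    return THREAT_WEIGHT[container["exposure"]] * vulnerability * container["criticality"]


def rate_containers(network, apps):
    """One risk rating per container, highest first, plus unmapped applications."""
    mapped, unmapped = map_apps_to_containers(network, apps)
    ratings = []
    for container in network:
        merged = merge_findings(container, mapped[container["host"]])
        ratings.append({"host": container["host"],
                        "risk": round(risk_score(container, merged), 3),
                        "classes": sorted(merged)})
    ratings.sort(key=lambda r: r["risk"], reverse=True)
    return ratings, [a["app"] for a in unmapped]


if __name__ == "__main__":
    ratings, unmapped = rate_containers(NETWORK_ASSESSMENT, APPLICATION_ASSESSMENT)
    for r in ratings:
        print(f'{r["host"]:<12} risk={r["risk"]:<6} {", ".join(r["classes"])}')
    print("applications with no discovered container:", unmapped)
```

The rows worth looking at are the ones only the combination can produce: the storefront's SQL injection is reported by both assessments and counted once, the intranet host's rating is halved by its position behind the perimeter, and an application whose hostname no discovered container claims is surfaced as a discovery gap instead of being silently dropped.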
The Application Layer
Questions?
Contact
Gordon MacKay, Digital Defense: [email protected], @gord_mackay
Chris Wysopal, Veracode: [email protected], @weldpond