Do You Have a Scanner or a Scanning Program?
About Me
Dan Cornell
Founder and CTO of Denim Group
Software developer by background (Java, .NET, etc.)
OWASP San Antonio
15 years experience in software architecture, development and security
Static or Dynamic? (Or Both?)
Desktop, Enterprise or Cloud(Or All the Above?)
Who Has Purchased an Automated Scanner?
Who Here Is Happy With Their Scanner?
Yes
No
Kind Of
Not Sure
Why or Why Not?
Successful Software Security Programs
Common Goal
Reduce Risk by…
● Reliably Creating Acceptably Secure Software
Obligatory “People, Process, Technology” Reference
Anybody got a good Sun Tzu quote?
I’d settle for a von Clausewitz…
Or perhaps we need to look at Dalai Lama quotes (topic for a different day)
Common Activities
Implementation must be tied to the specific organization
What Part Does Scanning Play?
OpenSAMM - Automated scanning is part of both the “Security Testing” and “Code Review” Security Practices within the Verification Business Function
Dynamic scanning and static scanning, respectively
Common starting point for many organizations embarking on software security programs
There are lots of commercial and freely available products that can be used in support of this activity
RED FLAG:
Q: What are you doing for software security?
A: We bought [Vendor Scanner XYZ]
*** BEWARE FOSTERING A CHECKBOX CULTURE ***
Scanning Program: Anti-Patterns
“Dude With a Scanner” approach
Can also be implemented as the “lady with a scanner” approach
“SaaS and Forget” approach
Scanner Program Metrics
Breadth
Depth
Frequency
Is Your Scanner Missing Something?
Breadth “Misses”
Inadequate application portfolio
Applications not being scanned
Depth “Misses”
Ineffective crawling ignores application attack surface
False negatives resulting in ignorance of legitimate vulnerabilities
Excessive false positives causing results to be ignored
Frequency “Misses”
Applications not being scanned often enough
Security Testing: Better Patterns
Breadth-First Scanning
You want a scanning program, not a scanner
Deep Assessment of Critical Applications
Automated scanning, manual scan review and assessment
Understand that scanning is a means to an end
Not an end in and of itself
Start of vulnerability management
What Goes Into a Good Scanning Program?
Solid Understanding of Attack Surface
Realistic Concept of Scanner Effectiveness
Disciplined History of Scanning
Prioritized Testing Efforts
What Is Your Software Attack Surface?
Software You Currently Know About
Why?
• Lots of value flows through it
• Auditors hassle you about it
• Formal SLAs with customers mention it
• Bad guys found it and caused an incident (oops)
What?
• Critical legacy systems
• Notable web applications
What Is Your Software Attack Surface?
Add In the Rest of the Web Applications You Actually Develop and Maintain
Why Did You Miss Them?
• Forgot it was there
• Line of business procured through non-standard channels
• Picked it up through a merger / acquisition
What?
• Line of business applications
• Event-specific applications
What Is Your Software Attack Surface?
Add In the Software You Bought from Somewhere
Why Did You Miss Them?
• Most scanners only really work on web applications, so no vendors pester you about your non-web applications
• Assume the application vendor is handling security
What?
• More line of business applications
• Support applications
• Infrastructure applications
What Is Your Software Attack Surface?
MOBILE! THE CLOUD!
Why Did You Miss Them?
• Any jerk with a credit card and the ability to submit an expense report now runs their own private procurement office
What?
• Support for line of business functions
• Marketing and promotion
Attack Surface: The Security Officer’s Journey
Two Dimensions:
Perception of Software Attack Surface
Insight into Exposed Assets
(Chart: Perception on one axis, Insight on the other)
(Chart built up over several slides: Perception on one axis, Insight on the other, with application types added one at a time)
As perception of the problem of attack surface widens, the scope of the problem increases:
Web Applications
Client-Server Applications
Desktop Applications
Cloud Applications and Services
Mobile Applications
Discovery activities increase insight
Over time you end up with a progression: perception widens across each of those application types, and discovery activities raise insight into each of them.
When you reach this point it is called “enlightenment”
You won’t reach this point
What Goes Into An Application Test?
(Built up over several slides as a tree; reconstructed from the fragmented slide text)
An Application Test
  Dynamic Analysis
    Automated Application Scanning
      Unauthenticated Automated Scan
      Authenticated Automated Scan
    Manual Application Testing
      Blind Penetration Testing
      Informed Manual Testing
  Static Analysis
    Automated Static Analysis
      Automated Source Code Scanning
      Automated Binary Analysis
    Manual Static Analysis
      Manual Source Code Review
      Manual Binary Analysis
Value and Risk Are Not Equally Distributed
Some Applications Matter More Than Others
Value and character of data being managed
Value of the transactions being processed
Cost of downtime and breaches
Therefore All Applications Should Not Be Treated the Same
Allocate different levels of resources to assurance
Select different assurance activities
Also must often address compliance and regulatory requirements
Do Not Treat All Applications the Same
Allocate Different Levels of Resources to Assurance
Select Different Assurance Activities
Also Must Often Address Compliance and Regulatory Requirements
The ThreadFix Approach
Free / Open Source vulnerability management and aggregation platform:
Allows software security teams to reduce the time to remediate software vulnerabilities
Enables managers to speak intelligently about the status / trends of software security within their organization.
Features/Benefits:
Imports dynamic, static and manual testing results into a centralized platform
Removes duplicate findings across testing platforms to provide a prioritized list of security faults
Eases communication across development, security and QA teams
Exports prioritized list into defect tracker of choice to streamline software remediation efforts
Auto generates web application firewall rules to protect data during vulnerability remediation
Empowers managers with vulnerability trending reports to pinpoint team issues and illustrate application security progress
Benchmark security practice improvement against industry standards
Freely available under the Mozilla Public License (MPL) 2.0
Download available at: www.denimgroup.com/threadfix
Code available at: https://code.google.com/p/threadfix/
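The "removes duplicate findings across testing platforms to provide a prioritized list" step, as an added example written for this page (it is not ThreadFix's own code or import format): findings from two hypothetical dynamic scanners ("dast-a", "dast-b") and one static scanner ("sast-c") are normalized and merged by CWE, location and parameter, keeping the worst severity and the list of tools that agree, and then sorted into the list a defect-tracker export would start from. The scanner names, finding layout, sample results and the matching rule are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Severity labels differ between tools; rank them on one scale so the merged
# record can keep the worst one. Labels not in the table rank lowest.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Finding:
    scanner: str          # tool that reported it (constructed names below)
    cwe: int              # CWE id the tool mapped the issue to
    severity: str         # the tool's own severity label
    location: str         # dynamic: request URL; static: source file path
    parameter: str = ""   # tainted parameter / variable, if the tool reports one


@dataclass
class MergedVuln:
    cwe: int
    location: str                                      # normalized location key
    parameter: str
    severity: str                                      # worst severity any tool gave it
    sources: List[str] = field(default_factory=list)   # tools that agree on it


def normalize_location(location: str) -> str:
    """Reduce a location to a comparable key.

    Dynamic scanners report full URLs, and the same endpoint shows up with
    different hosts, ports, query strings and trailing slashes depending on how
    each scan was configured, so only the path survives. File paths get their
    slashes normalized and are lower-cased so Windows and POSIX tools agree.
    """
    loc = location.strip()
    if "://" in loc:
        loc = urlsplit(loc).path or "/"
    loc = loc.replace("\\", "/")
    while "//" in loc:
        loc = loc.replace("//", "/")
    if len(loc) > 1 and loc.endswith("/"):
        loc = loc[:-1]
    return loc.lower()


def merge_findings(findings: List[Finding]) -> List[MergedVuln]:
    """Collapse findings that describe the same weakness at the same place.

    Two findings are one vulnerability when CWE, normalized location and
    parameter all match. The merged record keeps the highest severity and the
    tools that reported it; a finding two tools agree on is less likely to be
    a false positive, so corroboration breaks ties in the prioritized list.
    """
    merged: Dict[Tuple[int, str, str], MergedVuln] = {}
    for f in findings:
        key = (f.cwe, normalize_location(f.location), f.parameter.lower())
        sev = f.severity.lower()
        if key not in merged:
            merged[key] = MergedVuln(f.cwe, key[1], f.parameter, sev, [f.scanner])
            continue
        m = merged[key]
        if f.scanner not in m.sources:
            m.sources.append(f.scanner)
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(m.severity, 0):
            m.severity = sev
    return sorted(
        merged.values(),
        key=lambda m: (-SEVERITY_RANK.get(m.severity, 0), -len(m.sources), m.location),
    )


# Constructed sample results: two hypothetical dynamic scanners ("dast-a",
# "dast-b") and one static scanner ("sast-c", run twice) against one app.
SAMPLE_FINDINGS = [
    Finding("dast-a", 89, "high", "https://app.example.test:8443/search?q=x", "q"),
    Finding("dast-b", 89, "critical", "http://app.example.test/search/", "q"),
    Finding("dast-a", 79, "medium", "https://app.example.test/profile", "name"),
    Finding("dast-b", 79, "medium", "https://app.example.test/profile", "name"),
    Finding("dast-b", 79, "low", "https://app.example.test/profile", "bio"),
    Finding("sast-c", 89, "high", "src\\Search\\SearchController.java", "q"),
    Finding("sast-c", 89, "high", "src/search/SearchController.java", "q"),
    Finding("sast-c", 327, "medium", "src/crypto/Hasher.java"),
]


def prioritized_list(findings: List[Finding] = SAMPLE_FINDINGS) -> List[MergedVuln]:
    """What a defect-tracker export would start from: eight raw findings in, five vulnerabilities out."""
    return merge_findings(findings)


if __name__ == "__main__":
    for v in prioritized_list():
        print(f"{v.severity:8} CWE-{v.cwe:<4} {v.location} [{v.parameter}] <- {', '.join(v.sources)}")
```

Two things to notice when running it: the two dynamic tools' SQL injection reports on `/search` collapse into one critical-severity item with both tools listed, and the static tool's repeat run does not inflate the count. Static and dynamic findings are deliberately not merged with each other here, because a file path and a URL are different namespaces; mapping one onto the other needs knowledge of the application's routing that a plain finding import does not have.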
ThreadFix Demonstration
Building Your Application Portfolio
Storing Scanning Results Over Time
Reporting
Trending
Vulnerability Remediation Progress
Scanner Benchmarking
Portfolio Status
Steps for Improvement
Build Your Application Portfolio
Characterize the Effectiveness of Efforts Made to Date
Build a Plan for Coverage
Monitor Progress
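The four steps above, together with the Breadth / Depth / Frequency "misses" under "Is Your Scanner Missing Something?" and the tiering under "Value and Risk Are Not Equally Distributed", as one added example written for this page (not code from the talk or from ThreadFix): a constructed application portfolio with a per-tier assurance policy is checked against constructed scan history, reporting each application's misses, the program's breadth and policy-compliance percentages, and any scanned application the portfolio does not list. The tier policy thresholds, endpoint counts, application names and dates are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class Application:
    name: str
    tier: int              # 1 = most critical; drives how much assurance it gets
    known_endpoints: int   # attack surface size from the team's route inventory (assumed)


@dataclass
class Scan:
    app: str
    when: date
    authenticated: bool
    crawled_endpoints: int  # endpoints the scanner actually exercised


# Assurance policy per tier (constructed): how stale a scan may be, whether an
# authenticated scan is required, and how much of the known surface the crawl
# must reach before the result counts as a real scan rather than a depth miss.
TIER_POLICY = {
    1: {"max_age_days": 30, "authenticated": True, "min_crawl_ratio": 0.8},
    2: {"max_age_days": 90, "authenticated": True, "min_crawl_ratio": 0.6},
    3: {"max_age_days": 365, "authenticated": False, "min_crawl_ratio": 0.4},
}


def assess(portfolio: List[Application], scans: List[Scan], today: date) -> Tuple[Dict[str, List[str]], dict]:
    """Compare scan history against the portfolio and the tier policy.

    Returns (misses per application, aggregate metrics). A breadth miss is an
    app never scanned; a frequency miss is a latest scan older than its tier
    allows; a depth miss is an unauthenticated scan where the tier needs an
    authenticated one, or a crawl that reached too little of the known attack
    surface. Scans of apps the portfolio does not list are reported separately:
    they are evidence that the portfolio itself is incomplete.
    """
    latest: Dict[str, Scan] = {}
    for s in scans:
        if s.app not in latest or s.when > latest[s.app].when:
            latest[s.app] = s

    report: Dict[str, List[str]] = {}
    for app in portfolio:
        policy = TIER_POLICY[app.tier]
        misses: List[str] = []
        scan = latest.get(app.name)
        if scan is None:
            misses.append("breadth: never scanned")
        else:
            age = (today - scan.when).days
            if age > policy["max_age_days"]:
                misses.append(f"frequency: last scan {age} days ago, tier {app.tier} limit is {policy['max_age_days']}")
            if policy["authenticated"] and not scan.authenticated:
                misses.append("depth: unauthenticated scan only, tier requires an authenticated scan")
            ratio = scan.crawled_endpoints / app.known_endpoints if app.known_endpoints else 0.0
            if ratio < policy["min_crawl_ratio"]:
                misses.append(f"depth: crawl reached {ratio:.0%} of known endpoints, tier requires {policy['min_crawl_ratio']:.0%}")
        report[app.name] = misses

    names = {a.name for a in portfolio}
    scanned = sum(1 for n in names if n in latest)
    compliant = sum(1 for n in names if not report[n])
    metrics = {
        "apps": len(portfolio),
        "breadth_pct": round(100.0 * scanned / len(portfolio), 1),
        "compliant_pct": round(100.0 * compliant / len(portfolio), 1),
        "unknown_apps": sorted({s.app for s in scans} - names),
    }
    return report, metrics


# Constructed portfolio and scan history for a hypothetical organization.
PORTFOLIO = [
    Application("billing", 1, 120),       # critical, scanned regularly
    Application("hr-portal", 2, 40),      # line-of-business app, scanned once, long ago
    Application("vendor-crm", 2, 60),     # bought software, never scanned
    Application("event-signup", 3, 10),   # event-specific app, low tier
]

SCANS = [
    Scan("billing", date(2024, 3, 1), True, 110),
    Scan("billing", date(2024, 5, 20), True, 100),
    Scan("hr-portal", date(2024, 1, 15), False, 30),
    Scan("event-signup", date(2024, 6, 1), False, 9),
    Scan("promo-site", date(2024, 5, 30), False, 5),   # nobody put this app in the portfolio
]

TODAY = date(2024, 6, 10)


def assess_sample() -> Tuple[Dict[str, List[str]], dict]:
    return assess(PORTFOLIO, SCANS, TODAY)


if __name__ == "__main__":
    report, metrics = assess_sample()
    for name, misses in report.items():
        print(f"{name:14} {'OK' if not misses else '; '.join(misses)}")
    print(metrics)
```

Run against the sample data, three of four applications have been scanned (75% breadth) but only two meet their tier's policy (50% compliant): the HR portal was last scanned 147 days ago and only unauthenticated, and the purchased CRM has never been scanned at all. The "promo-site" entry in `unknown_apps` is the portfolio-building step feeding back on itself: a scanner touched something the inventory does not know about, which is exactly the kind of gap the attack surface slides describe. Monitoring progress is then a matter of re-running this over time and watching the two percentages.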
Dan Cornell
Principal and [email protected]
@danielcornell
+1 (210) 572-4400
www.denimgroup.com
blog.denimgroup.com
Questions?