Vulnerability Management by the numbers and dumb robots!
Rahim Jina
• Director, BCC Risk Advisory
• OWASP Contributor
• edgescan.com
• Ex-Head of Security of Fonality
• Ex-Big 4 Consultant

Eoin Keary
• CTO, BCC Risk Advisory
• OWASP Global Board Member
• Architect, edgescan.com
RISK
Automation +
Fraud – Technical Vulns
“(Cyber crime is the) second cause of economic crime experienced by the financial services sector” – PwC
2012 Cyber Crime
• US $20.7 billion in direct losses
• Global $110 billion in direct losses
• Global $338 billion + downtime
“556 million adults across the world have first-hand experience of cybercrime -- more than the entire population of the European Union.”
Globally, every second, 18 adults become victims of cybercrime – Symantec
“The loss of industrial information and intellectual property through cyber espionage constitutes the greatest transfer of wealth in history” - Keith Alexander
Almost 1 trillion USD was spent in 2012 protecting against cybercrime
“Jimmy, I didn’t click it” – My Grandma
“One hundred BILLION dollars” - Dr Evil
Fraud – Logic Vulns
“40% of applications tested by BCC Risk Advisory in the last 12 months had a critical business logic vulnerability”
Example 1 – Loan Calculator & Approval
$20,000
Example 2 – Coupon Abuse
• Stacking
• Trust the Machine
• DISC10
Example 2 – Coupon Stacking
90%
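The coupon-stacking case, as an added example that is not from the slides: an order-total routine that trusts the client-submitted discount list beside a hardened one that re-derives every discount server-side and applies each code once. The code DISC10 and the 90% figure come from the slide; the catalogue, prices and the 50% cap are assumptions made for this example.

```python
# Added example (not from the slides): a coupon-handling routine written two ways.
# The "trust the machine" version applies whatever discount list the client sends;
# the hardened version re-derives every discount server-side and refuses stacking.
# DISC10 and the 90% outcome are from the slides; the catalogue, price and the
# per-order cap below are constructed for this example.

COUPONS = {"DISC10": 10}  # code -> percent off; the server-side source of truth
MAX_DISCOUNT_PCT = 50     # assumed business rule: never more than 50% off one order


def total_trusting_client(price: float, submitted: list[dict]) -> float:
    """Vulnerable: trusts the client-supplied list of {code, percent} entries.

    Nothing stops the same code being sent nine times, so DISC10 x 9 = 90% off,
    and nothing checks that the percent matches the code at all.
    """
    discount = sum(entry["percent"] for entry in submitted)
    return round(price * (100 - discount) / 100, 2)


def total_validated(price: float, submitted_codes: list[str]) -> tuple[float, list[str]]:
    """Hardened: looks each code up server-side, applies each valid code once,
    and caps the combined discount.  Returns (total, rejected_codes) so the
    rejected list can be logged; repeated rejections are a useful detection signal."""
    applied: set[str] = set()
    rejected: list[str] = []
    discount = 0
    for code in submitted_codes:
        code = code.strip().upper()
        if code not in COUPONS:          # unknown code: reject, never trust a client %
            rejected.append(code)
        elif code in applied:            # stacking attempt: same coupon twice
            rejected.append(code)
        else:
            applied.add(code)
            discount += COUPONS[code]
    discount = min(discount, MAX_DISCOUNT_PCT)
    return round(price * (100 - discount) / 100, 2), rejected
```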
Example 3 – Flight Booking
Example 4 – e-Auction
Example 5 – e-Dating
What’s your point?
• Robots don’t understand true love
• SIMPLE
• COMMON
• LEGALITIES

Really, what’s your point?
• There is no big button
• Automation helps but is only part of the solution
• Continuous testing & assessment
• Pure blackbox tests are dumb
• Onion Approach
SECURE NOW
HACK NOW
“We need an Onion”
• SDL / Design review / Threat Modeling / Code review / SAST
• Negative use / abuse cases / Fuzzing / DAST
• Live / Continuous / Frequent monitoring / Testing / Ongoing Manual Validation
• Vulnerability management & Priority / Dependency Management ….
Robots are good at detecting known unknowns.
Humans are good at detecting unknown unknowns.
www.bccriskadvisory.com
© BCC Risk Advisory Ltd 2013. All rights reserved.
Thanks for Listening
Some websites were harmed during the making of this presentation