Application Security Program Management with Vulnerability Manager

Transcription

1 Application Security Program Management with Vulnerability Manager Bryan Beverly June 2 nd, 2010

2 Today's Presentation The challenges of application security scanning and remediation What Vulnerability Manager can do Next steps for Vulnerability Manager Next steps for you 1

3 Denim Group Background Privately-held, professional services organization Develops secure software Helps organizations assess and mitigate risk of existing software Provides training and mentoring so clients can build trusted software Software-centric view of application security Application security experts are practicing developers Development pedigree translates to rapport with development managers Business impact: shorter time-to-fix application vulnerabilities Culture of application security innovation and contribution Released Sprajax & Vulnerability Manager to open source community OWASP national leaders & regular speakers at RSA, OWASP, CSI World class alliance partners accelerate innovation to solve client problems 2

4 My Background 13-year business application development background Lead Consultant at Denim Group Provides technical oversight for Denim Group development projects Responsible for Denim Group development lifecycle standards and processes Performs black box and white box security assessments Performs on-site security training Co-developer and technical lead for Vulnerability Manager project 3

5 Challenges with Scan-Centric Application Security Programs Too many application security programs are scan-centric Run scans, generate reports, send to development teams Not enough attention is paid to the entire process Result: Vulnerabilities are not remediated and continue to expose the organization to risk 4

6 Post-Scan Remediation is the Next Big AppSec Issue Application Scanning Technologies are Improving Various improvements provide better testing coverage Qualys 2009 Black Hat Conference Paper Presented by Qualys CTO Wolfgang Kandek Network & host vulnerabilities persist for roughly 30 days from identification Measured across 140m Qualys SaaS client scans Exploitation cycle is getting shorter down from 60 days in 2004 to 10 days WhiteHat Security Study on Application Vulnerabilities Application vulnerabilities persist much longer than network vulnerabilities Typical persistence timeframe measured in months, not days SQL Injection 38 days Insufficient Authentication 72 days Vulnerability time-to-fix metrics are not changing substantively, typically requiring weeks to months to achieve resolution 5

7 Why Do Application Vulnerabilities Persist? Must rewrite software can t just turn off service Can be straightforward XSS or SQL Injection Can be more difficult logical errors Dev teams detached from security managers Lack of organizational influence over dev efforts Interaction and tracking between groups is inconsistent and one-off The formal process of aggregating and processing application-level vulnerabilities is immature No automated way to import scanning results from multiple sources BB, WB, SaaS Sophisticated hand off to issue trackers evolving Interaction with other systems one off 6

8 The Emergence of Accelerated Software Remediation (ASR) Technologies Security and risk managers are realizing the status quo is unacceptable Application vulnerabilities exist in live environments for months A new set of technologies are emerging to address the post-scan automation of application vulnerabilities Application security vendors are developing more post-scan functionality Many are creating gated communities and vendor lock-in Most 1 st generation interactions are one-to-one with scanners & WAF s Accelerated Software Remediation Technologies reduce lifespan of application vulnerabilities: Automating import from multiple scanning systems De-duplication of vulnerabilities from dynamic & static scanners Ability to measure incremental improvement Capability to generate virtual patches to IDS/WAF 7

9 Vulnerability Manager: ThreadFix Mission: Allow organizations to centrally manage the entire range of software assurance activities Finding vulnerabilities is easy actually addressing the risk is hard Freely available under Mozilla 1.1 open source license Major Feature Areas Application Portfolio Management Vulnerability Import Real-Time Protection Generation Defect Tracking Integration Maturity Evaluation 8

10 Application Portfolio Management Many organizations do not even have a complete idea of their application attack surface Track applications, metadata and associated vulnerabilities 9

11 Vulnerability Import Import, de-duplicate and merge vulnerability data from a variety of free and commercial tools Static and dynamic analysis 10

12 Real-Time Protection Generation Generate vulnerabilityspecific rules for WAFs and IDS/IPS Automate the virtual patching process Import logs to identify vulnerabilities under active attack 11

13 Defect Tracking Integration Group vulnerabilities and send them to software development teams as defects Track defect status over time 12

14 Maturity Evaluation Evaluate application team practices via maturity models such as OpenSAMM Track practices over time 13

15 Demonstration 14

16 Current Status Technology Preview release in January 2010 Demonstrates underlying concepts Supports many major technologies Not yet recommended for production use 15

17 Future Plans Under active development heading toward 1.0alpha release Starting to see interest in customer-sponsored development Support for additional technologies scanners, IDS/IPS/WAF, defect trackers Metrics, reporting and visualization 16

18 So where do you go from here? 17

19 What you can do now! Conduct a mini-opensamm assessment to understand your current state of application vulnerability management Capture a post-scan workflow to better understand how application vulnerabilities cycle through the remediation process Measure how long your most serious app vulnerabilities persist in your production environment Analyze your static, dynamic, and manual results to understand where there is overlap and coverage gaps Understand how application vulnerabilities are consumed by development teams Understand what issue tracker they use Understand how vulns are represented and dealt with by devs 18

20 Contact Information Bryan Beverly Denim Group (210) blog.denimgroup.com vulnerabilitymanager.denimgroup.com 19