SlideShare a Scribd company logo
1 of 38
Download to read offline
Vulnerability Management in
                 an Application Security World



                         Dan Cornell
                         Global Membership Committee
                         Denim Group
                         dan@denimgroup.com
AppSec DC                (210) 572-4400
                         Twitter: @danielcornell
November 12th, 2009




                      The OWASP Foundation
                      http://www.owasp.org
Agenda
 Background
 A Little Bit of Theatre
 You Found Vulnerabilities – Now What?
 Vulnerability Management – The Security Perspective
 Defect Management – The Development Perspective
 Making it Work
 Case Studies
 Demo
 Questions

                                               OWASP    2
Background

Dan Cornell
  OWASP: Sprajax, Open Review, San Antonio Chapter,
   Global Membership Committee
  Principal at Denim Group www.denimgroup.com
  Software Developer: MCSD, Java 2 Certified
   Programmer
Denim Group
  Application Development and Remediation
      Java and .NET
  Application Security
      Assessments, penetration tests, code reviews, training,
       process consulting
                                                         OWASP   3
A Little Bit of Theatre




                          OWASP   4
A Little Bit of Theatre

This is a one-act play entitled: “We Found Some
 Vulnerabilities”

Need a volunteer




                                        OWASP      5
Audience Composition?

Software Developer
Infrastructure Security
Application Security
Project Manager
Other
All of It




                           OWASP   6
You Found Vulnerabilities – Now What?




                                   OWASP   7
You Found Vulnerabilities – Now What?

 Security Industry is too focused on finding vulnerabilities
    Especially in application security this typically isn’t hard
 Finding vulnerabilities is of some value
 Fixing vulnerabilities is of great value
 Mark Curphey: Are You a Builder or a Breaker
    http://securitybuddha.com/2008/09/10/are-you-a-builder-or-a-breaker/


 Organization’s goal is to understand their risk exposure
  and bring that in-line with their policies
 Finding vulnerabilities is only the first step on that road


                                                               OWASP        8
Vulnerability Management – The Security
Perspective




                                   OWASP   9
Vulnerability Management – The Security
Perspective
Steps:
    Policy
    Baseline
    Prioritize
    Shield
    Mitigate
    Maintain
 For more information see:
  http://www.gartner.com/DisplayDocument?doc_cd=127481




                                                         OWASP   10
So How Are We Doing?

 Policy
    Does your organization have policies for Application Security?
    Or is your policy “Use SSL and do the OWASP Top 10”?
 Baseline
    What are your organization’s testing strategies?
    Hopefully not “Run scanner XYZ the day before an application
     goes into production”
    Also – do you actually know how many applications you have in
     production?
 Prioritize
    How do you determine the business risk?
    Critical, High, Medium, Low often does not account for enough
     context
    To defend everything is to defend nothing            OWASP       11
So How Are We Doing? (continued)

 Shield
    Have you deployed technologies to help protect you in the
     interim?
    WAFs, IDS/IPF
 Mitigate
    Do your developers know what the actual problems are?
    Do your developers know how to fix them?
    When are these vulnerabilities going to be addressed and when
     do they go into production?
    Did the application development team actually fix the
     vulnerabilities when they said they did?
 Maintain
    Web applications are dynamic – what is the ongoing testing
     strategy?
                                                         OWASP       12
Process




          OWASP   13
Defect Management – The Developer
Perspective




                                    OWASP   14
Defect Management – The Developer Perspective

Every day has 8 hours
  12 if pizza and Jolt Cola are made available
A given defect is going to require X hours to fix
 (+/- 50%)
Tell me which defects you want me to fix and I
 will be done when I am done (+/- 50%)




                                                  OWASP   15
Why is Vulnerability Management Hard for
Application-Level Vulnerabilities
Actual business risk is challenging to determine
People who find the problems do not typically
 know how to fix them
  Or at the very least they are not going to be the
   people who fix them
People who have to fix the problems often do
 not understand them




                                                OWASP   16
Why is Vulnerability Management Hard for
Application-Level Vulnerabilities
Infrastructure fixes are typically cookie-cutter,
 Application fixes are much more varied
   Patches and configuration settings
   Versus a full custom software development effort
Software development teams are already
 overtaxed
Applications no longer under active development
 may not have development environments,
 deployment procedures, etc


                                               OWASP   17
Making It Work




                 OWASP   18
Making It Work

Application security vulnerabilities must be
 treated as software defects
Use risk and effort to prioritize




                                           OWASP   19
Application Vulnerabilities as Software
Defects
Track them in your defect management system
 (bug tracker)
Select defects to address for each development
 cycle or release
  Serious vulnerabilities may require out-of-cycle
   releases




                                                OWASP   20
Risk and Effort

Risk crossed with remediation effort
Risk: STRIDE and DREAD (there are others)

Effort: Development hours and other resources




                                        OWASP    21
Risk Calculation Exercise

Quantitative risk can be hard to calculate

Weighted Cost = Likelihood of occurrence x Cost
 of occurrence

What is the chance (%) that Amazon.com will
 have a publicly-accessible SQL injection
 vulnerability exploited within the next year?
What would the financial damage be to
 Amazon.com if a publicly-accessible SQL
 injection vulnerability was exploited?    OWASP   22
STRIDE

Spoofing Identity
Tampering with Data
Repudiation
Information Disclosure
Denial of Service
Elevation or Privilege




                          OWASP   23
DREAD

 Damage Potential
 Reproducibility
 Exploitability
 Affected Users
 Discoverability

 Assign levels: 1, 2, 3 with 3 being the most severe
 Average the level of all 5 factors
 Key: Define your DREAD levels up-front and apply
  consistently
    Organization-wide DREAD baseline
    Application-specific DREAD standards
                                                  OWASP   24
Level of Effort Calculation

 Varies widely by type of vulnerability and number of
  vulnerabilities

 Logical Vulnerabilities versus Technical Vulnerabilities
    Technical Vulnerabilities tend to be based on coding issues
        Injection flaws, XSS, configuration issues
    Logical Vulnerabilities are specific to the application
        Depend on business logic and business context
        Authentication, authorization, trust


 Don’t guess - build a Work Breakdown Structure (WBS)


                                                               OWASP   25
Estimating Technical Vulnerabilities

Go back to “coding” phase of SDLC

Time per fix x Number of issues
  Grouping similar vulnerabilities into a smaller number
   of defects can aid communication


Verification typically straightforward
  Application should behave as it always did, except
   that it now handles problem inputs correctly
  In some cases, the application depends on the
   vulnerable behavior
                                                OWASP       26
Estimating Logical Vulnerabilities

 May have to go farther back in the SDLC
    Coding
    Architecture/Design
    Even Requirements


 Fix strategies are more varied than technical
  vulnerabilities

 Change may require more broad change management
  initiatives
    Interaction between applications and systems within your
     organization
    Interaction between applications and systems in other
     organizations                                        OWASP   27
Great Remediation Resource: OWASP ESAPI

Enterprise Security API
http://www.owasp.org/index.php/ESAPI
Provide developers with an easy-to-understand
 API allowing them to code securely
Encoding functions are great for remediating
 technical flaws
Framework has components that help remediate
 logical flaws



                                       OWASP     28
Case Studies




               OWASP   29
Case Studies

Authentication FUBAR
Legacy Nightmares
When Tools Fail




                        OWASP   30
Authentication FUBAR

Situation
  Several public-facing flagship applications under
   moderate ongoing development
Vulnerabilities
  Various SQL injection and XSS
  Authorization problems
  Pervasive poor deployment practices (backup files,
   configuration issues)
  Verbose HTML comments with sensitive information
  Major, fundamental issue with Authentication
      Along the line of using SSNs to authenticate users to a
       system
                                                         OWASP
      Connected to many partner organizations
                                                                 31
Authentication FUBAR (continued)

Approach
  Fix the serious SQL injection and publicly-accessible
   XSS immediately in an out-of-cycle release
  Address authorization problems and some other
   issues during next planned release
  Major full lifecycle, change management initiative to
   address Authentication issue
  Defer remaining issues as “nice to fix”




                                                OWASP      32
Legacy Nightmares

 Situation
    10 year old application with hundreds of pages
    Has been on end-of-life status for 5 years
    NO active development
 Vulnerabilities
    Hundreds of SQL injection, XSS
    Authorization issues
 Approach
    Sit in the corner and cry softly for a few minutes
    Identify most critical SQL injection and XSS issues for code-level
     fixes
    Fix authorization issues
    Rely on WAF to address remaining issues
                                                            OWASP         33
When Tools Fail

 Situation
    Thick-client application with a local database
    Connects to web services and ERP
 Vulnerabilities
    Code scanner identified many SQL injection vulnerabilities
     affecting the local database
    Code scanner identified some quality issues that could impact
     security
    Manual code inspection identified some frightening design issues
     affecting attack surface
 Approach
    Ignore local SQL injection issues for now
    Ignore quality issues for now
    Address design issues before the initial release     OWASP         34
Recommendations

 Policy
     Have actual policies for secure software development and risk
      acceptance
         Must go beyond OWASP Top 10 or SANS 25
         Tool classifications can be incorporated into these standards, but the
          standards must be business-focused rather than technology-focused
     Pennies spent on prevention save dollars spent on cures
 Baseline
     Know your application portfolio
     Have an ongoing program of controls in place
         Static testing
         Dynamic testing
 Prioritize
     Involve development teams
     Determine business risk
     Determine fix level of effort
                                                                         OWASP     35
Recommendations (continued)

 Shield
    Consider using adding signatures to WAFs or web-relevant
     IDS/IPS systems
    Understand that these do not address the underlying problem
 Mitigate
    Features > Performance > Security
       (unfortunate fact of life in many cases)
    Communicate the business risk and compliance implications
    Work into development schedules as resources are available
    Consider out-of-cycle releases for serious vulnerabilities
 Maintain
    Web applications are dynamic and attacks evolve – this is an
     ongoing process
                                                          OWASP     36
Demo




       OWASP   37
Questions?

Dan Cornell
dan@denimgroup.com
Twitter: @danielcornell

(210) 572-4400

Web: www.denimgroup.com
Blog: denimgroup.typepad.com




                               OWASP   38

More Related Content

What's hot

The Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldThe Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldDenim Group
 
What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?Denim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Denim Group
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouDenim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesDenim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsDenim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellDenim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesDenim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsDenim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsDenim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...Denim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramDenim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesDenim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramDenim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewDenim Group
 

What's hot (20)

The Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldThe Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy World
 
What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell You
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
 

Viewers also liked

Application Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerApplication Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerDenim Group
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesClint Edmonson
 
Security best practices
Security best practicesSecurity best practices
Security best practicesAVEVA
 
SN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoTSN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoTSukumar Nayak
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Agile & Secure SDLC
Agile & Secure SDLCAgile & Secure SDLC
Agile & Secure SDLCPaul Yang
 
IoT Security Elements
IoT Security ElementsIoT Security Elements
IoT Security ElementsEurotech
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT securityJulien Vermillard
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of ThingsForgeRock
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesPierluigi Paganini
 

Viewers also liked (15)

Application Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerApplication Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability Manager
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Tools
 
Security best practices
Security best practicesSecurity best practices
Security best practices
 
SN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoTSN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoT
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLC
 
Agile & Secure SDLC
Agile & Secure SDLCAgile & Secure SDLC
Agile & Secure SDLC
 
IoT Security Elements
IoT Security ElementsIoT Security Elements
IoT Security Elements
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT security
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of Things
 
Overview of IoT and Security issues
Overview of IoT and Security issuesOverview of IoT and Security issues
Overview of IoT and Security issues
 
IoT security (Internet of Things)
IoT security (Internet of Things)IoT security (Internet of Things)
IoT security (Internet of Things)
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issues
 

Similar to Vulnerability Management In An Application Security World: AppSecDC

Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsMarco Morana
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applicationsalexbe
 
OWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingOWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingPhil Agcaoili
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleNazar Tymoshyk, CEH, Ph.D.
 
Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...IT Arena
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsBlack Duck by Synopsys
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...Neil Matatall
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci   Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci   Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Minded Security
 
Owasp top 10 2013 - rc1
Owasp top 10   2013 - rc1Owasp top 10   2013 - rc1
Owasp top 10 2013 - rc1Ajay Ohri
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World42Crunch
 
Fendley how secure is your e learning
Fendley how secure is your e learningFendley how secure is your e learning
Fendley how secure is your e learningBryan Fendley
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10   2013 - rc1[1]529 owasp top 10   2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]geeksec80
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10   2013 - rc1[1]529 owasp top 10   2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]geeksec0306
 

Similar to Vulnerability Management In An Application Security World: AppSecDC (20)

Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applications
 
OWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingOWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter Meeting
 
Owasp o
Owasp oOwasp o
Owasp o
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development Lifecycle
 
Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
Dependency check
Dependency checkDependency check
Dependency check
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci   Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci   Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
 
Owasp top 10 2013 - rc1
Owasp top 10   2013 - rc1Owasp top 10   2013 - rc1
Owasp top 10 2013 - rc1
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
 
Fendley how secure is your e learning
Fendley how secure is your e learningFendley how secure is your e learning
Fendley how secure is your e learning
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10   2013 - rc1[1]529 owasp top 10   2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10   2013 - rc1[1]529 owasp top 10   2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]
 

More from Denim Group

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFixDenim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramDenim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportDenim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsDenim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 

More from Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Recently uploaded

Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 

Recently uploaded (20)

Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 

Vulnerability Management In An Application Security World: AppSecDC

  • 1. Vulnerability Management in an Application Security World Dan Cornell Global Membership Committee Denim Group dan@denimgroup.com AppSec DC (210) 572-4400 Twitter: @danielcornell November 12th, 2009 The OWASP Foundation http://www.owasp.org
  • 2. Agenda  Background  A Little Bit of Theatre  You Found Vulnerabilities – Now What?  Vulnerability Management – The Security Perspective  Defect Management – The Development Perspective  Making it Work  Case Studies  Demo  Questions OWASP 2
  • 3. Background Dan Cornell OWASP: Sprajax, Open Review, San Antonio Chapter, Global Membership Committee Principal at Denim Group www.denimgroup.com Software Developer: MCSD, Java 2 Certified Programmer Denim Group Application Development and Remediation  Java and .NET Application Security  Assessments, penetration tests, code reviews, training, process consulting OWASP 3
  • 4. A Little Bit of Theatre OWASP 4
  • 5. A Little Bit of Theatre This is a one-act play entitled: “We Found Some Vulnerabilities” Need a volunteer OWASP 5
  • 6. Audience Composition? Software Developer Infrastructure Security Application Security Project Manager Other All of It OWASP 6
  • 7. You Found Vulnerabilities – Now What? OWASP 7
  • 8. You Found Vulnerabilities – Now What?  Security Industry is too focused on finding vulnerabilities  Especially in application security this typically isn’t hard  Finding vulnerabilities is of some value  Fixing vulnerabilities is of great value  Mark Curphey: Are You a Builder or a Breaker  http://securitybuddha.com/2008/09/10/are-you-a-builder-or-a-breaker/  Organization’s goal is to understand their risk exposure and bring that in-line with their policies  Finding vulnerabilities is only the first step on that road OWASP 8
  • 9. Vulnerability Management – The Security Perspective OWASP 9
  • 10. Vulnerability Management – The Security Perspective Steps: Policy Baseline Prioritize Shield Mitigate Maintain  For more information see: http://www.gartner.com/DisplayDocument?doc_cd=127481 OWASP 10
  • 11. So How Are We Doing?  Policy  Does your organization have policies for Application Security?  Or is your policy “Use SSL and do the OWASP Top 10”?  Baseline  What are your organization’s testing strategies?  Hopefully not “Run scanner XYZ the day before an application goes into production”  Also – do you actually know how many applications you have in production?  Prioritize  How do you determine the business risk?  Critical, High, Medium, Low often does not account for enough context  To defend everything is to defend nothing OWASP 11
  • 12. So How Are We Doing? (continued)  Shield  Have you deployed technologies to help protect you in the interim?  WAFs, IDS/IPF  Mitigate  Do your developers know what the actual problems are?  Do your developers know how to fix them?  When are these vulnerabilities going to be addressed and when do they go into production?  Did the application development team actually fix the vulnerabilities when they said they did?  Maintain  Web applications are dynamic – what is the ongoing testing strategy? OWASP 12
  • 13. Process OWASP 13
  • 14. Defect Management – The Developer Perspective OWASP 14
  • 15. Defect Management – The Developer Perspective Every day has 8 hours 12 if pizza and Jolt Cola are made available A given defect is going to require X hours to fix (+/- 50%) Tell me which defects you want me to fix and I will be done when I am done (+/- 50%) OWASP 15
  • 16. Why is Vulnerability Management Hard for Application-Level Vulnerabilities Actual business risk is challenging to determine People who find the problems do not typically know how to fix them Or at the very least they are not going to be the people who fix them People who have to fix the problems often do not understand them OWASP 16
  • 17. Why is Vulnerability Management Hard for Application-Level Vulnerabilities Infrastructure fixes are typically cookie-cutter, Application fixes are much more varied Patches and configuration settings Versus a full custom software development effort Software development teams are already overtaxed Applications no longer under active development may not have development environments, deployment procedures, etc OWASP 17
  • 18. Making It Work OWASP 18
  • 19. Making It Work Application security vulnerabilities must be treated as software defects Use risk and effort to prioritize OWASP 19
  • 20. Application Vulnerabilities as Software Defects Track them in your defect management system (bug tracker) Select defects to address for each development cycle or release Serious vulnerabilities may require out-of-cycle releases OWASP 20
  • 21. Risk and Effort Risk crossed with remediation effort Risk: STRIDE and DREAD (there are others) Effort: Development hours and other resources OWASP 21
  • 22. Risk Calculation Exercise Quantitative risk can be hard to calculate Weighted Cost = Likelihood of occurrence x Cost of occurrence What is the chance (%) that Amazon.com will have a publicly-accessible SQL injection vulnerability exploited within the next year? What would the financial damage be to Amazon.com if a publicly-accessible SQL injection vulnerability was exploited? OWASP 22
  • 23. STRIDE Spoofing Identity Tampering with Data Repudiation Information Disclosure Denial of Service Elevation or Privilege OWASP 23
  • 24. DREAD  Damage Potential  Reproducibility  Exploitability  Affected Users  Discoverability  Assign levels: 1, 2, 3 with 3 being the most severe  Average the level of all 5 factors  Key: Define your DREAD levels up-front and apply consistently  Organization-wide DREAD baseline  Application-specific DREAD standards OWASP 24
  • 25. Level of Effort Calculation  Varies widely by type of vulnerability and number of vulnerabilities  Logical Vulnerabilities versus Technical Vulnerabilities  Technical Vulnerabilities tend to be based on coding issues  Injection flaws, XSS, configuration issues  Logical Vulnerabilities are specific to the application  Depend on business logic and business context  Authentication, authorization, trust  Don’t guess - build a Work Breakdown Structure (WBS) OWASP 25
  • 26. Estimating Technical Vulnerabilities Go back to “coding” phase of SDLC Time per fix x Number of issues Grouping similar vulnerabilities into a smaller number of defects can aid communication Verification typically straightforward Application should behave as it always did, except that it now handles problem inputs correctly In some cases, the application depends on the vulnerable behavior OWASP 26
  • 27. Estimating Logical Vulnerabilities  May have to go farther back in the SDLC  Coding  Architecture/Design  Even Requirements  Fix strategies are more varied than technical vulnerabilities  Change may require more broad change management initiatives  Interaction between applications and systems within your organization  Interaction between applications and systems in other organizations OWASP 27
  • 28. Great Remediation Resource: OWASP ESAPI Enterprise Security API http://www.owasp.org/index.php/ESAPI Provide developers with an easy-to-understand API allowing them to code securely Encoding functions are great for remediating technical flaws Framework has components that help remediate logical flaws OWASP 28
  • 29. Case Studies OWASP 29
  • 30. Case Studies Authentication FUBAR Legacy Nightmares When Tools Fail OWASP 30
  • 31. Authentication FUBAR Situation Several public-facing flagship applications under moderate ongoing development Vulnerabilities Various SQL injection and XSS Authorization problems Pervasive poor deployment practices (backup files, configuration issues) Verbose HTML comments with sensitive information Major, fundamental issue with Authentication  Along the line of using SSNs to authenticate users to a system OWASP  Connected to many partner organizations 31
  • 32. Authentication FUBAR (continued) Approach Fix the serious SQL injection and publicly-accessible XSS immediately in an out-of-cycle release Address authorization problems and some other issues during next planned release Major full lifecycle, change management initiative to address Authentication issue Defer remaining issues as “nice to fix” OWASP 32
  • 33. Legacy Nightmares  Situation  10 year old application with hundreds of pages  Has been on end-of-life status for 5 years  NO active development  Vulnerabilities  Hundreds of SQL injection, XSS  Authorization issues  Approach  Sit in the corner and cry softly for a few minutes  Identify most critical SQL injection and XSS issues for code-level fixes  Fix authorization issues  Rely on WAF to address remaining issues OWASP 33
  • 34. When Tools Fail  Situation  Thick-client application with a local database  Connects to web services and ERP  Vulnerabilities  Code scanner identified many SQL injection vulnerabilities affecting the local database  Code scanner identified some quality issues that could impact security  Manual code inspection identified some frightening design issues affecting attack surface  Approach  Ignore local SQL injection issues for now  Ignore quality issues for now  Address design issues before the initial release OWASP 34
  • 35. Recommendations  Policy  Have actual policies for secure software development and risk acceptance  Must go beyond OWASP Top 10 or SANS 25  Tool classifications can be incorporated into these standards, but the standards must be business-focused rather than technology-focused  Pennies spent on prevention save dollars spent on cures  Baseline  Know your application portfolio  Have an ongoing program of controls in place  Static testing  Dynamic testing  Prioritize  Involve development teams  Determine business risk  Determine fix level of effort OWASP 35
  • 36. Recommendations (continued)  Shield  Consider using adding signatures to WAFs or web-relevant IDS/IPS systems  Understand that these do not address the underlying problem  Mitigate  Features > Performance > Security  (unfortunate fact of life in many cases)  Communicate the business risk and compliance implications  Work into development schedules as resources are available  Consider out-of-cycle releases for serious vulnerabilities  Maintain  Web applications are dynamic and attacks evolve – this is an ongoing process OWASP 36
  • 37. Demo OWASP 37
  • 38. Questions? Dan Cornell dan@denimgroup.com Twitter: @danielcornell (210) 572-4400 Web: www.denimgroup.com Blog: denimgroup.typepad.com OWASP 38