SlideShare uma empresa Scribd logo

Treating Security Vulnerabilities As Software Defects

Denim Group
Denim Group

Penetration testing and code reviews are useful for identifying software security vulnerabilities, but for these vulnerabilities to actually be fixed they typically must be communicated to developers for remediation. This lunch and learn discusses real-world strategies for bundling security vulnerabilities into software defects and communicating them to development teams for maximum clarity and impact.

Tecnologia
1 de 30
Baixar para ler offline
Treating Security Vulnerabilities As Software Defects SANS What Works In AppSec 2010 Friday February 5th, 2010
Agenda • Something Most Security Vendors Won’t Tell You • The Wrong Way to Do It • A More Excellent Way • Strategies • Demo • Questions? 1
Something Most Security Vendors Won’t Tell You 2
Something Most Security Vendors Won’t Tell You Finding Vulnerabilities is Easy Fixing Vulnerabilities is Valuable 3
The Wrong Way to Do It 4
The Wrong Way to Do It Dan: What is your application security strategy A: We bought Scanner XYZ Dan: Cool! Have you started using it? A: Yes. The analyst who wanted us to buy it ran a bunch of scans when we got the license key. Dan: All right! Did you find anything? A: Oh yeah! We found all sorts of scary stuff. Dan: Well what did you do about it? A: We sent the PDF report to the development team and told them to fix the problems. Dan: Were they successful? A: I don’t know. I guess I should check in on that… 5
Why Is This Bad? • PDFs are blobs • Email is infinitely ignorable • Lumps all vulnerabilities together • No guidance for developers • Just plain rude 6
A More Excellent Way 7
A More Excellent Way • Treat (Application) Security Vulnerabilities as Software Defects • Why? – Developers have to fix the issues eventually – Developers understand defects – Even most “loosely-structured” development teams have defect tracking systems 8
What Makes a Good Security Defect? 9
What Makes a Good Security Defect? • Why do I care? • Scope • Where is it? • How do I fix it? 10
Why Do I Care? 11
Why Do I Care? • Do not rely solely on the defect to communicate this – Simply pumping defects into the defect tracking system is unlikely to be effective • Provide context • Provide steps to reproduce – Automated if possible • Transparency! 12
Scope 13
Scope • Defects that take 5 minutes to fix take far longer to administer – Especially with mature (elaborate) QA processes • Maximum time: 16 hours – http://www.joelonsoftware.com/items/2007/10/26.html • Target: 1-16 hours – Long enough to be an actual task, short enough to be predictable – Defects for technical vulnerabilities should be shorter – Defects for logical vulnerabilities can be longer 14
Where Is It? 15
Where Is It? • Providing location information removes a “barrier” to fixing • Better location information leads to quicker fix times • Dynamic analysis: attack surface location – Vulnerability type, URL, possibly parameter – (For web applications) • Static analysis: code location – Filename – Line (and hopefully column) – Include actual code if possible in case underlying codebase has changed 16
How Do I Fix It? 17
How Do I Fix It? • Prescriptive guidance is required here – Removes a reason not to fix – Leads to consistency • Does your organization have an ESAPI? Does it address this issue? 18
Why Is This Approach Better? • Defects are structured data • Defects are durable • Vulnerabilities have been portioned out into tractable chunks of “work” • We have provided prescriptive guidance • Communicates with developers via systems they already use 19
Strategies 20
Strategies • Group by location • Group by type • Group by severity 21
Grouping By Location • By file/URL or by directory • Pros: – Helpful if there is one “owner” for that area of the code – Can help to minimize requirements for QA regression testing • Cons: – Different vulnerability types require different fixes – Can be hard to keep things straight 22
Grouping By Type • By vulnerability type (XSS, SQL injection, authorization issue, etc) • Pros: – Similar vulnerabilities often have very similar fixes – Economies of assembly lines – get Henry Ford on vulnerabilities – Approach with a “punchlist” mentality • Cons: – There can be LOTS of vulnerabilities of a given type if bad coding idioms are in use 23
Grouping By Severity • High, medium, low • Pros: – Can help you game certain metric programs • Cons: – Least tied to how developers work – Different types of vulnerabilities – Cutting across functional areas 24
Strategies (continued) • Combine more than one – Group by type or severity and then by location 25
What About BIG Issues? • Serious issues can map to multiple defects • REALLY serious issues can map to enterprise change management initiatives 26
What About Non-Software Vulnerabilities? • Transition to change management systems rather than defect tracking systems 27
Demo 28
Contact Dan Cornell dan@denimgroup.com (210) 572-4400 @danielcornell Web: www.denimgroup.com Blog: blog.denimgroup.com Vuln Mgr: vulnerabilitymanager.denimgroup.com 29

Recomendados

Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldDenim Group
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
What a locked down law firm looks like updated
What a locked down law firm looks like updatedWhat a locked down law firm looks like updated
What a locked down law firm looks like updatedDenim Group
 
VSO & JIRA Project Management Tool
VSO & JIRA Project Management ToolVSO & JIRA Project Management Tool
VSO & JIRA Project Management ToolSabaragamuwa University
 
Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
 

Recomendados

Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldDenim Group
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
What a locked down law firm looks like updated
What a locked down law firm looks like updatedWhat a locked down law firm looks like updated
What a locked down law firm looks like updatedDenim Group
 
VSO & JIRA Project Management Tool
VSO & JIRA Project Management ToolVSO & JIRA Project Management Tool
VSO & JIRA Project Management ToolSabaragamuwa University
 
Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFixDenim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramDenim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportDenim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsDenim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Denim Group
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingDenim Group
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Denim Group
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Mais conteúdo relacionado

Mais de Denim Group

Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFixDenim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramDenim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportDenim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsDenim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Denim Group
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingDenim Group
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Denim Group
 

Mais de Denim Group (20)

Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless Computing
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7
 

Último

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 

Último (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

Treating Security Vulnerabilities As Software Defects

  • 1. Treating Security Vulnerabilities As Software Defects SANS What Works In AppSec 2010 Friday February 5th, 2010
  • 2. Agenda • Something Most Security Vendors Won’t Tell You • The Wrong Way to Do It • A More Excellent Way • Strategies • Demo • Questions? 1
  • 3. Something Most Security Vendors Won’t Tell You 2
  • 4. Something Most Security Vendors Won’t Tell You Finding Vulnerabilities is Easy Fixing Vulnerabilities is Valuable 3
  • 5. The Wrong Way to Do It 4
  • 6. The Wrong Way to Do It Dan: What is your application security strategy A: We bought Scanner XYZ Dan: Cool! Have you started using it? A: Yes. The analyst who wanted us to buy it ran a bunch of scans when we got the license key. Dan: All right! Did you find anything? A: Oh yeah! We found all sorts of scary stuff. Dan: Well what did you do about it? A: We sent the PDF report to the development team and told them to fix the problems. Dan: Were they successful? A: I don’t know. I guess I should check in on that… 5
  • 7. Why Is This Bad? • PDFs are blobs • Email is infinitely ignorable • Lumps all vulnerabilities together • No guidance for developers • Just plain rude 6
  • 9. A More Excellent Way • Treat (Application) Security Vulnerabilities as Software Defects • Why? – Developers have to fix the issues eventually – Developers understand defects – Even most “loosely-structured” development teams have defect tracking systems 8
  • 10. What Makes a Good Security Defect? 9
  • 11. What Makes a Good Security Defect? • Why do I care? • Scope • Where is it? • How do I fix it? 10
  • 12. Why Do I Care? 11
  • 13. Why Do I Care? • Do not rely solely on the defect to communicate this – Simply pumping defects into the defect tracking system is unlikely to be effective • Provide context • Provide steps to reproduce – Automated if possible • Transparency! 12
  • 14. Scope 13
  • 15. Scope • Defects that take 5 minutes to fix take far longer to administer – Especially with mature (elaborate) QA processes • Maximum time: 16 hours – http://www.joelonsoftware.com/items/2007/10/26.html • Target: 1-16 hours – Long enough to be an actual task, short enough to be predictable – Defects for technical vulnerabilities should be shorter – Defects for logical vulnerabilities can be longer 14
  • 17. Where Is It? • Providing location information removes a “barrier” to fixing • Better location information leads to quicker fix times • Dynamic analysis: attack surface location – Vulnerability type, URL, possibly parameter – (For web applications) • Static analysis: code location – Filename – Line (and hopefully column) – Include actual code if possible in case underlying codebase has changed 16
  • 18. How Do I Fix It? 17
  • 19. How Do I Fix It? • Prescriptive guidance is required here – Removes a reason not to fix – Leads to consistency • Does your organization have an ESAPI? Does it address this issue? 18
  • 20. Why Is This Approach Better? • Defects are structured data • Defects are durable • Vulnerabilities have been portioned out into tractable chunks of “work” • We have provided prescriptive guidance • Communicates with developers via systems they already use 19
  • 22. Strategies • Group by location • Group by type • Group by severity 21
  • 23. Grouping By Location • By file/URL or by directory • Pros: – Helpful if there is one “owner” for that area of the code – Can help to minimize requirements for QA regression testing • Cons: – Different vulnerability types require different fixes – Can be hard to keep things straight 22
  • 24. Grouping By Type • By vulnerability type (XSS, SQL injection, authorization issue, etc) • Pros: – Similar vulnerabilities often have very similar fixes – Economies of assembly lines – get Henry Ford on vulnerabilities – Approach with a “punchlist” mentality • Cons: – There can be LOTS of vulnerabilities of a given type if bad coding idioms are in use 23
  • 25. Grouping By Severity • High, medium, low • Pros: – Can help you game certain metric programs • Cons: – Least tied to how developers work – Different types of vulnerabilities – Cutting across functional areas 24
  • 26. Strategies (continued) • Combine more than one – Group by type or severity and then by location 25
  • 27. What About BIG Issues? • Serious issues can map to multiple defects • REALLY serious issues can map to enterprise change management initiatives 26
  • 28. What About Non-Software Vulnerabilities? • Transition to change management systems rather than defect tracking systems 27
  • 29. Demo 28
  • 30. Contact Dan Cornell dan@denimgroup.com (210) 572-4400 @danielcornell Web: www.denimgroup.com Blog: blog.denimgroup.com Vuln Mgr: vulnerabilitymanager.denimgroup.com 29