4. Web Application Vulnerability Management
GOAL – Identify & Reduce Risk
Vulnerability Management
cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities
Risk Management
process of identifying vulnerabilities and threats to the information resources used by
an organization in achieving business objectives, and deciding what
countermeasures, if any, to take in reducing risk to an acceptable level, based on the
value of the information resource to the organization
Understand web application specific risk
exposure and bring it in-line with
policies.
9. What’s Missing?
Recurring Vulnerability Assessments
Infrastructure vulnerability scanning is a best practice. Why not applications?
Bug Bounty Program: now in BSIMM v5
Google
Facebook
10. Software Assurance Maturity Model
Security Testing
Penetration tests and other automated security tests done before deployment.
Vulnerability Management
Handling security incidents and externally reported vulnerabilities.
12. Policy
Preparation
Give YOU the ability to do vulnerability assessments, set remediation
timelines, and require secure coding practices and infrastructure configuration policies.
Processes
Decide what you’re doing. Get stakeholder approval.
Inventory
Create and maintain an inventory of web applications.
Project Management Integration
Hook into project management as a web application “go live” requirement.
Introductory Material
Create a communications plan. Build a packet of information to give application owners
as you enroll sites.
Scanning Tools
Choose a web application vulnerability scanner that fits your program requirements.
13. Dynamic Application Security Testing (DAST)
Detect conditions indicative of a security vulnerability in an application in its running state.
1. Spider Application
2. Fuzz Inputs
3. Analyze Response
15. Building your Inventory - Reconnaissance
Google
Google for your company. Go through the top 100 results. Build a list of websites.
NMAP
nmap -Pn -p80,443 -sV --script=http-screenshot <ip range/subnet>
(-Pn skips host discovery; -P0 on the original slide is the older spelling of the same option. http-screenshot is a third-party NSE script, not part of Nmap’s bundled script set, so install it before running this.)
Recon-ng
Web reconnaissance framework.
Google Dorks, IP/DNS Lookups, GPS, PunkSPIDER, Shodan, PwnedList, LinkedIn, etc…
DNS
Make friends with your DNS administrator
Reverse Lookups – ewhois.com
Reverse lookup by registrant email, Google Analytics ID, or AdSense ID to find other sites run by the same owner.
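Turning the Nmap scan above into inventory rows, as an added example that is not part of the original deck: this parses the greppable (-oG) output format and emits one record per open HTTP/HTTPS port; the scan output embedded below is constructed sample data.

```python
"""Build a web-application inventory from Nmap greppable (-oG) output.

Parses what `nmap -Pn -p80,443 -sV -oG - <range>` writes and turns every
open http/https port into a row that can be enrolled in the program.
The SAMPLE_GNMAP text is constructed sample data, not a real scan.
"""
import re

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -Pn -p80,443 -sV -oG - 192.0.2.0/28
Host: 192.0.2.10 (www.example.com)\tStatus: Up
Host: 192.0.2.10 (www.example.com)\tPorts: 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 80/closed/tcp//http///, 443/open/tcp//ssl|https//Apache httpd 2.4.57/
Host: 192.0.2.12 (intranet.example.com)\tStatus: Up
Host: 192.0.2.12 (intranet.example.com)\tPorts: 80/filtered/tcp//http///, 443/filtered/tcp//https///
# Nmap done at Mon Jan  1 00:00:00 2024 -- 16 IP addresses (3 hosts up)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return inventory rows (url, ip, server) for every open HTTP/HTTPS port."""
    rows = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment lines
        ip, hostname, rest = m.groups()
        # Tab-separated "Key: value" fields after the host name.
        fields = dict(f.split(": ", 1) for f in rest.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue                      # the "Status: Up" line carries no ports
        for entry in fields["Ports"].split(", "):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/
            port, state, _proto, _owner, service, _rpc, version = entry.split("/")[:7]
            if state != "open" or not service.startswith(("http", "ssl|http")):
                continue                  # closed/filtered ports and non-web services
            scheme = "https" if ("ssl" in service or service == "https") else "http"
            rows.append({
                "url": f"{scheme}://{hostname or ip}:{port}/",
                "ip": ip,
                "server": version or "unknown",   # -sV banner, if any
            })
    return rows
```

Each row is what you hand to the application owner when enrolling the site; hosts with only filtered ports drop out of the inventory rather than appearing as phantom applications.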
20. Not Infrastructure Vulnerability Management
Not a cookie-cutter patch
Development team has to take time away from building new functionality.
Legacy Applications
What if we are no longer actively developing the application?
What if we don’t even employ developers who use that language?
Software Defects
Infrastructure folks have been doing patch management for years. Software developers
have been fixing “bugs.” Frame the vulnerability as a code defect.
Determine Level of Effort
Each fix is its own software development project.
Technical vs. Logical Vulnerabilities
A technical fix is usually straightforward and repetitive. Logical fixes can require
significant redesign.
21. Common Mistakes
Send PDF Report of 100 Vulnerabilities to Dev Team!
Avoid Bystander Apathy
Use Development Team’s Defect Tracking Tool
No Approval or Notification
Knocking over an application that no one knew you were scanning could have
detrimental political effects.
Not Considering Business Context in Risk Ratings
Only looking at the automated tool’s risk ranking is not sufficient. Take the application’s
business criticality into consideration.
Forcing Developers to Use New Tools & Processes
Communicating with development teams using their existing tools and processes helps
to decrease friction between security and development organizations.
23. Metrics
Consistently Measured
Anyone should be able to look at the data and come up with the same metric using a
specific formula or method. Metrics that rely on subjective judgment are not good.
Cheap to Gather
Metrics ought to be computed at a frequency commensurate with the process’s rate of
change. We want to analyze security effectiveness on a day-to-day or week-by-week
basis. Figuring out how to automate metric generation is key.
Expressed as a Number or Percentage
Not with qualitative labels like high, medium, or low.
Expressed Using at Least One Unit of Measure
Defects, hours, or dollars. Defects per Application. Defects over Time.
Contextually Specific
The metric needs to be relevant enough to decision makers that they can take action. If
no one cares, it is not worth gathering.
24. Metrics
Security Testing Coverage
Percentage of applications in the organization that have been subjected to security testing.
Vulnerabilities per Application
Number of vulnerabilities that a potential attacker without prior knowledge might find.
You could also count by business unit or criticality.
Company Top 10 Vulnerabilities
Like the OWASP Top 10, but organization-specific.
Mean-Time to Mitigate Vulnerabilities
Average time taken to mitigate vulnerabilities identified in an organization’s
technologies. This speaks to organization performance and the window in which the
vulnerability might be exploited.