© 2019 Denim Group – All Rights Reserved
Building a world where technology is trusted.
Enumerating Enterprise Attack Surface
Dan Cornell | CTO
Dan Cornell
• Founder and CTO of Denim Group
• Software developer by background
• OWASP San Antonio co-leader
• 20 years experience in software architecture, development, and security
How we can help:
Denim Group is solely focused on helping build resilient software that will withstand attacks.
• Since 2001, helping secure software
• Development background
• Tools + services model
Advisory Services | Assessment Services | Remediation Services | Vulnerability Resolution Platform
Attack Surface
Attack Surface?
• For the purposes of this presentation… talking about application attack surface
• Web applications
• Web services
• Mobile applications
• And so on…
Other Materials
Application Attack Surface: https://www.slideshare.net/denimgroup/monitoring-application-attack-surface-to-integrate-security-into-devops-pipelines
Reducing Attack Surface: https://www.slideshare.net/denimgroup/reducing-attack-surface-in-budget-constrained-environments
So You Want To Roll Out a Software Security Program?
• Great!
• What a software security program ISN’T
• Question: “What are you doing to address software security concerns?”
• Answer: “We bought scanner XYZ”
• What a software security program IS
• People, process, tools (naturally)
• Set of activities intended to repeatedly produce appropriately-secure software
Challenges Rolling Out Software Security Programs
• Resources
• Raw budget and cost issues
• Level of effort issues
• Resistance: requires organizational change
• Apparently people hate this
• Open source tools
• Can help with raw budget issues
• May exacerbate problems with level of effort
• View the rollout as a multi-stage process
• Not one magical effort
• Use short-term successes and gains to fuel further change
But for many organizations, the first challenge they need to overcome is the reality that…
You can’t defend unknown attack surface
If everything is important then nothing is important
[Translation]
Find out what applications you have in your organization
Decide the relative importance of applications and treat them differently based on this
What Is Your Software Attack Surface?
Software You Currently Know About
Why?
• Lots of value flows through it
• Auditors hassle you about it
• Formal SLAs with customers mention it
• Bad guys found it and caused an incident (oops)
What?
• Critical legacy systems
• Notable web applications
What Is Your Software Attack Surface?
Add In the Rest of the Web Applications You Actually Develop and Maintain
Why Did You Miss Them?
• Forgot it was there
• Line of business procured through non-standard channels
• Picked it up through a merger / acquisition
What?
• Line of business applications
• Event-specific applications
What Is Your Software Attack Surface?
Add In the Software You Bought from Somewhere
Why Did You Miss Them?
• Most scanners only really work on web applications, so no vendors pester you about your non-web applications
• Assume the application vendor is handling security
What?
• More line of business applications
• Support applications
• Infrastructure applications
What Is Your Software Attack Surface?
MOBILE! THE CLOUD!
Why Did You Miss Them?
• Any jerk with a credit card and the ability to submit an expense report now runs their own private procurement office
What?
• Support for line of business functions
• Marketing and promotion
Attack Surface: The Security Officer’s Journey
• Two Dimensions:
• Perception of Software Attack Surface
• Insight into Exposed Assets
[Chart: two axes, Perception and Insight]
Attack Surface: The Security Officer’s Journey
• As perception of the problem of attack surface widens, the scope of the problem increases
[Chart: Perception vs. Insight; across five slides the perception axis grows to take in Web Applications, then Client-Server Applications, Desktop Applications, Cloud Applications and Services, and Mobile Applications]
Attack Surface: The Security Officer’s Journey
• Discovery activities increase insight
[Chart: Perception vs. Insight; across three slides the insight axis grows for Web Applications]
Attack Surface: The Security Officer’s Journey
• Over time you end up with a progression
[Chart: Perception vs. Insight; across five slides perception and insight both grow, adding Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, and Mobile Applications in turn]
Attack Surface: The Security Officer’s Journey
• When you reach this point it is called “enlightenment”
• You won’t reach this point
[Chart: Perception vs. Insight with Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, and Mobile Applications all covered]
First Decision
• What is considered to be in scope?
• Depends on how you want to manage vulnerabilities and manage risk
Process
• Identify Application “Homes”
• Enumerate Applications
• Collect Metadata
• Repeat as Needed
So Where Are These Applications?
• Your Datacenters
• 3rd Party Datacenters
• Cloud Providers
Enumerating Applications
• Technical
• Network inspection
• DNS and other registry inspection
• Non-technical
• Interviews
• Other research
IP Range Detection
• IPOsint: https://github.com/j3ssie/IPOsint
• ip-osint.py -t CompanyName
• Data sources:
• Whois
• RIPE
• ARIN
• Hurricane
• Censys
• SecurityTrails
Network Inspection
• nmap: https://nmap.org/
• Look for common web server ports:
• 80, 443, 8000, 8008, 8080, 8443
• Others depending on your environment
• nmap -sS -p 80,443,8000,8008,8080,8443 x.y.z.0/24
• Great for dense environments you control
• Largely datacenters
https://www.denimgroup.com/resources/blog/2016/03/threadfix-in-action-discovering-your-organizations-software-attack-surface-web-app-edition/
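The deck's nmap command prints its findings to the terminal, but the inventory steps that follow need them in a form other tooling can consume. The following is an added example, not code from the original deck: it parses nmap's XML output (the format written with -oX) into a list of open web ports on hosts that are up. The scan result it reads is a constructed sample, and WEB_PORTS is the deck's own port list.

```python
"""Extract open web ports from nmap XML output for an attack-surface inventory.

Added example for the deck's Network Inspection step, not code from the
original presentation. SAMPLE_NMAP_XML is a constructed sample in the
structure of "nmap -oX"; in practice pass in the file written by running the
deck's nmap command with "-oX scan.xml" against a range you own.
"""
import xml.etree.ElementTree as ET
from typing import List, NamedTuple

# The common web server ports the deck suggests scanning for.
WEB_PORTS = {80, 443, 8000, 8008, 8080, 8443}


class Endpoint(NamedTuple):
    ip: str
    hostname: str   # reverse-DNS name nmap recorded, "" if none
    port: int
    service: str    # nmap's service name for the port


def web_endpoints(nmap_xml: str, web_ports=WEB_PORTS) -> List[Endpoint]:
    """One Endpoint per (up host, open TCP port in web_ports).

    Down hosts and closed/filtered ports are skipped: only things that
    actually answered belong on the list of exposed assets.
    """
    root = ET.fromstring(nmap_xml)
    found: List[Endpoint] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # sample is IPv4 only; extend for addrtype="ipv6" if needed
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name", "") if name_el is not None else ""
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue
            portid = int(port.get("portid"))
            if portid in web_ports:
                svc = port.find("service")
                service = svc.get("name", "") if svc is not None else ""
                found.append(Endpoint(addr.get("addr"), hostname, portid, service))
    return found


# Constructed sample: two hosts up, one down, in nmap's -oX structure.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -p 80,443,8000,8008,8080,8443 -oX - 10.0.0.0/24">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="intranet.example.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.17" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.40" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

if __name__ == "__main__":
    for ep in web_endpoints(SAMPLE_NMAP_XML):
        print(f"{ep.ip:<12} {ep.port:<5} {ep.service:<10} {ep.hostname}")
```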
DNS Inspection
• SubFinder: https://github.com/subfinder/subfinder
• docker run -it subfinder -d target.org
• Can get even more data with service-specific API keys
• OWASP Amass: https://github.com/OWASP/Amass
• sudo docker run amass --passive -d target.org
Mobile Application Identification
• Scumblr: https://github.com/Netflix-Skunkworks/Scumblr
• Purpose of tool evolved over time
• Not currently maintained – looking for maintainers
Interviews
• Line-of-business representatives
• Will need to translate their definition of “application” to your definition
• Think in terms of business processes; these can map to multiple applications and microservices
• Tech leads
• More familiar with the deployed infrastructure and other assets
Other Research
• Disaster recovery plans
• If someone wants to make sure it is up, you probably want to make sure it is secure
• Accounting
• Find cloud providers via billing records
What is an “Application”?
• What assets do we have?
• IP addresses
• Host names
• Mobile apps
• Business view of “applications”
• Challenge: Create a consolidated view
• Challenge: Correlate applications and the supporting infrastructure
Collect Metadata
• Technical: Language, Scale
• Architectural: Web, Mobile
• Exposure: Public, Partner, Internal
• Regulatory: PCI, HIPAA, GDPR
Value and Risk Are Not Equally Distributed
• Some Applications Matter More Than Others
• Value and character of data being managed
• Value of the transactions being processed
• Cost of downtime and breaches
• Therefore All Applications Should Not Be Treated the Same
• Allocate different levels of resources to assurance
• Select different assurance activities
• Also must often address compliance and regulatory requirements
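An added example, not code from the deck, that ties the Process steps together: it correlates hostnames from DNS enumeration and endpoints from a network scan with the business view of applications gathered in interviews, attaches the Collect Metadata categories, ranks applications with an illustrative tier rule so they are not all treated the same, and reports every discovered asset that no application claims. All inputs (DNS_HOSTS, SCAN_ENDPOINTS, APPLICATIONS) are constructed samples, and the tier rule is an assumption for illustration, not a standard.

```python
"""Correlate discovered assets with the business view of "applications",
attach the deck's metadata categories, and rank applications by tier.

Added example (not code from the original deck). All inputs are constructed
samples: DNS_HOSTS stands in for DNS-enumeration output, SCAN_ENDPOINTS for a
scan of a range we own, APPLICATIONS for interview results. The tier rule is
an illustrative policy, not a standard.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hostnames as a DNS enumeration tool prints them, one per line (constructed).
DNS_HOSTS = """www.example.com
shop.example.com
api.shop.example.com
careers-2018.example.com
"""

# (ip, port) pairs with open web ports from a network scan (constructed).
SCAN_ENDPOINTS = [("203.0.113.10", 443), ("203.0.113.11", 443), ("203.0.113.12", 8443)]

# Business view from interviews: which hosts/addresses each application is
# believed to use, plus technical, architectural, exposure and regulatory
# metadata (constructed).
APPLICATIONS = {
    "Online Store": {"hosts": ["shop.example.com", "api.shop.example.com"],
                     "ips": ["203.0.113.11"], "language": "Java", "arch": "web",
                     "exposure": "public", "regulatory": ["PCI"]},
    "Corporate Site": {"hosts": ["www.example.com"], "ips": ["203.0.113.10"],
                       "language": "PHP", "arch": "web",
                       "exposure": "public", "regulatory": []},
    "Benefits Portal": {"hosts": ["benefits.example.internal"], "ips": [],
                        "language": "C#", "arch": "web",
                        "exposure": "internal", "regulatory": ["HIPAA"]},
}


@dataclass
class Application:
    name: str
    language: str
    arch: str
    exposure: str            # public, partner or internal
    regulatory: List[str]    # e.g. PCI, HIPAA, GDPR
    tier: int
    hosts: List[str] = field(default_factory=list)   # confirmed by discovery
    ips: List[str] = field(default_factory=list)     # confirmed by discovery


def tier_for(exposure: str, regulatory: List[str]) -> int:
    """Illustrative rule: externally reachable and regulated is tier 1,
    either one alone is tier 2, everything else tier 3."""
    exposed = exposure in ("public", "partner")
    if exposed and regulatory:
        return 1
    return 2 if (exposed or regulatory) else 3


def build_inventory(dns_output: str, scan_endpoints: List[Tuple[str, int]],
                    applications: Dict[str, dict]) -> Tuple[Dict[str, Application], List[str]]:
    """Attach each discovered asset to the application that claims it.

    Returns the inventory and the assets nobody claimed: the unknown attack
    surface the deck says you cannot defend.
    """
    inventory: Dict[str, Application] = {}
    host_owner: Dict[str, str] = {}
    ip_owner: Dict[str, str] = {}
    for name, m in applications.items():
        inventory[name] = Application(name, m["language"], m["arch"], m["exposure"],
                                      list(m["regulatory"]),
                                      tier_for(m["exposure"], m["regulatory"]))
        host_owner.update({h: name for h in m["hosts"]})
        ip_owner.update({ip: name for ip in m["ips"]})

    orphans: List[str] = []
    for host in dns_output.split():
        if host in host_owner:
            inventory[host_owner[host]].hosts.append(host)
        else:
            orphans.append(host)
    for ip, port in scan_endpoints:
        if ip in ip_owner:
            app = inventory[ip_owner[ip]]
            if ip not in app.ips:
                app.ips.append(ip)
        else:
            orphans.append(f"{ip}:{port}")
    return inventory, orphans


def prioritised(inventory: Dict[str, Application]) -> List[str]:
    """Application names, most important tier first."""
    return [a.name for a in sorted(inventory.values(), key=lambda a: (a.tier, a.name))]


if __name__ == "__main__":
    inv, unknown = build_inventory(DNS_HOSTS, SCAN_ENDPOINTS, APPLICATIONS)
    for name in prioritised(inv):
        a = inv[name]
        print(f"tier {a.tier}  {name:<16} {a.exposure:<8} {a.regulatory} {a.hosts} {a.ips}")
    print("unclaimed assets (unknown attack surface):", unknown)
```

Run it again after each discovery cycle, as the Rinse and Repeat slide suggests; the orphan list is the set of assets that still need a home before they can be ranked.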
Do Not Treat All Applications the Same
• Allocate Different Levels of Resources to Assurance
• Select Different Assurance Activities
• Also Must Often Address Compliance and Regulatory Requirements
Rinse and Repeat
• This list will change over time
• Metadata will change
• This is especially true in a world of microservices
You can’t defend unknown attack surface
If everything is important then nothing is important
[Translation]
Find out what applications you have in your organization
Decide the relative importance of applications and treat them differently based on this
Questions
@denimgroup
www.denimgroup.com
dan@denimgroup.com
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Enumerating Enterprise Attack Surface

© 2019 Denim Group – All Rights Reserved
Building a world where technology is trusted.
Enumerating Enterprise Attack Surface
Dan Cornell | CTO

Dan Cornell
• Founder and CTO of Denim Group
• Software developer by background
• OWASP San Antonio co-leader
• 20 years experience in software architecture, development, and security

How we can help: Building a world where technology is trusted
Denim Group is solely focused on helping build resilient software that will withstand attacks.
• Advisory Services, Assessment Services, Remediation Services, Vulnerability Resolution Platform
• Since 2001, helping secure software
• Development background
• Tools + services model

Attack Surface

Attack Surface?

Attack Surface
• For the purposes of this presentation…talking about application attack surface
• Web applications
• Web services
• Mobile applications
• And so on…

Other Materials
• Application Attack Surface: https://www.slideshare.net/denimgroup/monitoring-application-attack-surface-to-integrate-security-into-devops-pipelines
• Reducing Attack Surface: https://www.slideshare.net/denimgroup/reducing-attack-surface-in-budget-constrained-environments

So You Want To Roll Out a Software Security Program?
• Great!
• What a software security program ISN’T
  • Question: “What are you doing to address software security concerns?”
  • Answer: “We bought scanner XYZ”
• What a software security program IS
  • People, process, tools (naturally)
  • Set of activities intended to repeatedly produce appropriately-secure software

Challenges Rolling Out Software Security Programs
• Resources
  • Raw budget and cost issues
  • Level of effort issues
• Resistance: requires organizational change
  • Apparently people hate this
• Open source tools
  • Can help with raw budget issues
  • May exacerbate problems with level of effort
• View the rollout as a multi-stage process
  • Not one magical effort
  • Use short-term successes and gains to fuel further change
But for many organizations, the first challenge they need to overcome is the reality that…

You can’t defend unknown attack surface
If everything is important then nothing is important

[Translation]
Find out what applications you have in your organization
Decide the relative importance of applications and treat them differently based on this
What Is Your Software Attack Surface?
Software You Currently Know About
Why?
• Lots of value flows through it
• Auditors hassle you about it
• Formal SLAs with customers mention it
• Bad guys found it and caused an incident (oops)
What?
• Critical legacy systems
• Notable web applications

What Is Your Software Attack Surface?
Add In the Rest of the Web Applications You Actually Develop and Maintain
Why Did You Miss Them?
• Forgot it was there
• Line of business procured it through non-standard channels
• Picked it up through a merger / acquisition
What?
• Line of business applications
• Event-specific applications

What Is Your Software Attack Surface?
Add In the Software You Bought from Somewhere
Why Did You Miss Them?
• Most scanners only really work on web applications, so no vendors pester you about your non-web applications
• Assume the application vendor is handling security
What?
• More line of business applications
• Support applications
• Infrastructure applications

What Is Your Software Attack Surface?
MOBILE! THE CLOUD!
Why Did You Miss Them?
• Any jerk with a credit card and the ability to submit an expense report now runs their own private procurement office
What?
• Support for line of business functions
• Marketing and promotion
Attack Surface: The Security Officer’s Journey
• Two dimensions:
  • Perception of software attack surface
  • Insight into exposed assets
(Chart with two axes: Perception and Insight)

Attack Surface: The Security Officer’s Journey
• As perception of the problem of attack surface widens, the scope of the problem increases
(Chart builds along the Perception axis: Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications)

Attack Surface: The Security Officer’s Journey
• Discovery activities increase insight
(Chart builds along the Insight axis for Web Applications)

Attack Surface: The Security Officer’s Journey
• Over time you end up with a progression
(Chart builds along both axes: Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications)

Attack Surface: The Security Officer’s Journey
• When you reach this point it is called “enlightenment”
• You won’t reach this point
(Chart: full Perception and Insight for Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications)
First Decision
• What is considered to be in scope?
• Depends on how you want to manage vulnerabilities and manage risk

Process
• Identify Application “Homes”
• Enumerate Applications
• Collect Metadata
• Repeat as Needed

So Where Are These Applications?
• Your Datacenters
• 3rd Party Datacenters
• Cloud Providers

Enumerating Applications
• Technical
  • Network inspection
  • DNS and other registry inspection
• Non-technical
  • Interviews
  • Other research
IP Range Detection
• IPOsint: https://github.com/j3ssie/IPOsint
• ip-osint.py -t CompanyName
• Data sources:
  • Whois
  • RIPE
  • ARIN
  • Hurricane Electric
  • Censys
  • SecurityTrails
Network Inspection
• nmap: https://nmap.org/
• Look for common web server ports:
  • 80, 443, 8000, 8008, 8080, 8443
  • Others depending on your environment
• nmap -sS -p 80,443,8000,8008,8080,8443 x.y.z.0/24
  • -sS (SYN scan) needs raw-socket privileges (root on Linux); without them use -sT, the TCP connect scan
  • Add -oX to write XML you can parse instead of reading the text output by hand
• Great for dense environments you control
  • Largely datacenters
• https://www.denimgroup.com/resources/blog/2016/03/threadfix-in-action-discovering-your-organizations-software-attack-surface-web-app-edition/
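Once a sweep like the one above has been written out with -oX, the useful next step is pulling the hosts that actually answer on a web port out of the XML and turning them into targets for the inventory. The following Python is an added example, not code from the deck or from the linked ThreadFix post; it parses a constructed nmap XML fragment (the 10.1.2.0/24 addresses and the intranet hostname are made up for the example) and only counts ports nmap reports as open, so filtered and closed ports do not inflate the list. The http/https guess by port number is a heuristic a practitioner should confirm, not something nmap asserts.

```python
"""List hosts with open web-server ports from nmap XML (-oX) output."""
import ipaddress
import xml.etree.ElementTree as ET

# Starting set from the slide; extend it for your own environment.
WEB_PORTS = {80, 443, 8000, 8008, 8080, 8443}

# Constructed sample of nmap XML output (hypothetical addresses, not a real scan).
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sS -p 80,443,8000,8008,8080,8443 -oX - 10.1.2.0/24">
  <host>
    <status state="up"/>
    <address addr="10.1.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="intranet.example.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.1.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.1.2.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def web_hosts_from_nmap_xml(xml_text, web_ports=WEB_PORTS):
    """Return {ip: {"hostname": str or None, "ports": [int, ...]}} for hosts
    that are up and have at least one web port in state 'open'."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else None
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            # Only 'open' counts; 'filtered' and 'closed' are not attack surface here.
            if port.get("protocol") == "tcp" and state is not None \
                    and state.get("state") == "open":
                portid = int(port.get("portid"))
                if portid in web_ports:
                    open_ports.append(portid)
        if open_ports:
            results[addr] = {"hostname": hostname, "ports": sorted(open_ports)}
    return results


def candidate_urls(results):
    """Turn open ports into URLs to feed the application inventory or a DAST scanner.
    Scheme is guessed from the port number and must be confirmed against the service."""
    urls = []
    def sort_key(item):
        ip = ipaddress.ip_address(item[0])
        return (ip.version, ip)
    for ip, info in sorted(results.items(), key=sort_key):
        target = info["hostname"] or ip
        for p in info["ports"]:
            scheme = "https" if p in (443, 8443) else "http"
            default_port = (scheme == "https" and p == 443) or (scheme == "http" and p == 80)
            urls.append(f"{scheme}://{target}" + ("" if default_port else f":{p}"))
    return urls


if __name__ == "__main__":
    found = web_hosts_from_nmap_xml(SAMPLE_NMAP_XML)
    for url in candidate_urls(found):
        print(url)
```

Run it against real output with `nmap ... -oX scan.xml` and `web_hosts_from_nmap_xml(open("scan.xml").read())`; hosts that are down or only show filtered ports drop out, which is the behaviour you want before handing the list to someone who will treat every entry as an application.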
DNS Inspection
• SubFinder: https://github.com/subfinder/subfinder
  • docker run -it subfinder -d target.org
  • Can get even more data with service-specific API keys
• OWASP Amass: https://github.com/OWASP/Amass
  • sudo docker run amass --passive -d target.org
  • --passive collects names from third-party sources without resolving them, so expect stale entries that no longer point at a live host
Mobile Application Identification
• Scumblr: https://github.com/Netflix-Skunkworks/Scumblr
• Purpose of tool evolved over time
• Not currently maintained – looking for maintainers
Interviews
• Line-of-business representatives
  • Will need to translate their definition of “application” to your definition
  • Think in terms of business processes; these can map to multiple applications and microservices
• Tech leads
  • More familiar with the deployed infrastructure and other assets

Other Research
• Disaster recovery plans
  • If someone wants to make sure it is up, you probably want to make sure it is secure
• Accounting
  • Find cloud providers via billing records
What Is an “Application”?
• What assets do we have?
  • IP addresses
  • Host names
  • Mobile apps
• Business view of “applications”
• Challenge: Create a consolidated view
• Challenge: Correlate applications and the supporting infrastructure

Collect Metadata
• Technical: Language, Scale
• Architectural: Web, Mobile
• Exposure: Public, Partner, Internal
• Regulatory: PCI, HIPAA, GDPR

Value and Risk Are Not Equally Distributed
• Some applications matter more than others
  • Value and character of data being managed
  • Value of the transactions being processed
  • Cost of downtime and breaches
• Therefore all applications should not be treated the same
  • Allocate different levels of resources to assurance
  • Select different assurance activities
  • Also must often address compliance and regulatory requirements

Do Not Treat All Applications the Same
• Allocate different levels of resources to assurance
• Select different assurance activities
• Also must often address compliance and regulatory requirements
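The enumeration steps (IP ranges, nmap, DNS tools) produce three disconnected lists, and the slides on “What Is an Application”, “Collect Metadata” and “Do Not Treat All Applications the Same” describe the join that has to happen next: tie hosts and IPs to the business view of an application, record exposure and regulatory metadata, and use that to decide how much assurance each one gets. The following Python is an added example of that join and tiering, not code from the deck or from Denim Group; every input (the netblocks, hostnames, addresses, application names and the scoring weights) is constructed for the example, and an organization would set its own weights and activity lists. It also surfaces the case the deck warns about: a scanned host that no application claims, which is exactly the unknown attack surface you cannot defend.

```python
"""Consolidate discovered assets into an application inventory and tier it.

All inputs are constructed. In practice OWNED_NETBLOCKS comes from whois/RIR
lookups (IPOsint), DNS_RESULTS from subfinder/amass plus resolution,
NMAP_RESULTS from the nmap sweep, and APPLICATIONS from interviews, DR plans
and billing records.
"""
import ipaddress

OWNED_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24"),
                   ipaddress.ip_network("10.1.2.0/24")]

# hostname -> resolved IP (constructed; 203.0.113.5 is outside our netblocks)
DNS_RESULTS = {
    "www.example.com": "198.51.100.10",
    "api.example.com": "198.51.100.11",
    "promo2018.example.com": "203.0.113.5",
    "intranet.example.internal": "10.1.2.10",
}

# IP -> open web ports from the nmap sweep (constructed)
NMAP_RESULTS = {
    "198.51.100.10": [80, 443],
    "198.51.100.11": [443],
    "10.1.2.10": [80, 443],
    "10.1.2.20": [8443],   # nothing in DNS or the interviews points here
}

# Business view of "applications" with the metadata categories from the deck
APPLICATIONS = {
    "Customer Portal": {"hosts": ["www.example.com", "api.example.com"],
                        "exposure": "public", "data": "cardholder", "regulatory": ["PCI"]},
    "Spring Promo":    {"hosts": ["promo2018.example.com"],
                        "exposure": "public", "data": "marketing", "regulatory": []},
    "HR Intranet":     {"hosts": ["intranet.example.internal"],
                        "exposure": "internal", "data": "employee-pii", "regulatory": ["GDPR"]},
}


def classify_ip(ip):
    """Which 'home' an address lives in: our own ranges, or somewhere we do not own."""
    addr = ipaddress.ip_address(ip)
    return "own-datacenter" if any(addr in net for net in OWNED_NETBLOCKS) else "third-party/cloud"


def build_inventory(apps, dns, nmap):
    """Correlate applications with hosts, IPs, open ports and hosting location.

    Returns (inventory, orphans). Orphans are scanned IPs no application claims:
    the unknown attack surface."""
    inventory, claimed = {}, set()
    for name, meta in apps.items():
        assets = []
        for host in meta["hosts"]:
            ip = dns.get(host)
            if ip is None:
                assets.append({"host": host, "ip": None, "ports": [], "where": "unresolved"})
                continue
            claimed.add(ip)
            assets.append({"host": host, "ip": ip, "ports": nmap.get(ip, []),
                           "where": classify_ip(ip)})
        inventory[name] = {**meta, "assets": assets}
    orphans = sorted(ip for ip in nmap if ip not in claimed)
    return inventory, orphans


# Illustrative weights; these are assumptions, not values from the deck.
EXPOSURE_WEIGHT = {"public": 3, "partner": 2, "internal": 1}
DATA_WEIGHT = {"cardholder": 3, "phi": 3, "employee-pii": 2, "marketing": 0}


def assurance_tier(app):
    """1 = most scrutiny, 3 = least. Exposure, data, regulation and hosting all count."""
    score = EXPOSURE_WEIGHT.get(app["exposure"], 3)     # unknown exposure: assume the worst
    score += DATA_WEIGHT.get(app["data"], 1)
    score += len(app["regulatory"])
    if any(a["where"] != "own-datacenter" for a in app.get("assets", [])):
        score += 1                                       # hosted where you cannot inspect it, or unresolved
    if score >= 6:
        return 1
    if score >= 4:
        return 2
    return 3


ACTIVITIES = {
    1: ["threat model", "manual penetration test", "SAST and DAST in the pipeline", "quarterly rescan"],
    2: ["DAST in the pipeline", "software composition analysis", "annual rescan"],
    3: ["DAST on each release"],
}


def assurance_plan(inventory):
    """Application -> (tier, activities)."""
    return {name: (assurance_tier(app), ACTIVITIES[assurance_tier(app)])
            for name, app in inventory.items()}


if __name__ == "__main__":
    inv, orphans = build_inventory(APPLICATIONS, DNS_RESULTS, NMAP_RESULTS)
    for name, (tier, acts) in assurance_plan(inv).items():
        print(f"{name}: tier {tier}: {', '.join(acts)}")
    print("orphan assets (nobody claims these):", orphans)
```

With the constructed data the PCI-scoped portal lands in tier 1, the promo site on a host outside the owned ranges and the GDPR-scoped intranet both land in tier 2, and 10.1.2.20 comes back as an orphan. That last line is the one to chase first, and re-running the join after each discovery pass is the “Rinse and Repeat” step.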
Rinse and Repeat
• This list will change over time
• Metadata will change
• This is especially true in a world of microservices

You can’t defend unknown attack surface
If everything is important then nothing is important

[Translation]
Find out what applications you have in your organization
Decide the relative importance of applications and treat them differently based on this

Questions

Building a world where technology is trusted.
@denimgroup
www.denimgroup.com
dan@denimgroup.com