This document summarizes a presentation on web security given by Eoin Keary. The key points made are:
2) Traditional penetration testing is not sufficient for continuous security and the arms race with attackers. Continuous monitoring and testing are needed.
2) Many vulnerabilities come from third party code and dependencies that are not adequately tested or managed.
3) It is difficult for organizations to manage vulnerabilities at scale across many applications without enterprise vulnerability management.
4) Too many reported vulnerabilities can overwhelm developers, so prioritization and explaining issues simply is important.
5. “(Cyber crime is the) second cause of economic crime experienced by the financial services sector” – PwC
“556 million adults across the world have first-hand experience of cybercrime -- more than the entire population of the European Union.”
“Globally, every second, 18 adults become victims of cybercrime” – Symantec
“The loss of industrial information and intellectual property through cyber espionage constitutes the greatest transfer of wealth in history” – Gen. Keith Alexander
Cyber crime damage costs to hit $6 trillion annually by 2021
“Eoin, I didn’t click it” – My Grandma
“One hundred BILLION dollars” – Dr Evil
2017 – so far:
Trump – administration details leaked
Clash of Clans – 1,000,000
Cellebrite – 900 GB of Data
SWIFT – Fake Trade Documents - 3 banks – India
CoPilot – GPS – 220,000 Records
Sentara HealthCare – 5,000 Patient records
Deep Root Analytics – 198,000,000 records
Equifax – 143,000,000+ Records!
Human attack surface to reach 6 billion people by 2022.
6. It’s (not) the $$$$
[Chart: information security spend vs. security incidents (business impact)]
7. “There’s Money in them there webapps”
“Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.” - Verizon Data Breach Investigations Report
8. Accountability in the Cloud
[Diagram: stack layers Application / App Server/DB/Web / Computing / Network / Storage, shown for SaaS and for PaaS, split between Cloud Provider and Cloud Consumer; both sides marked Accountable]
54% of breaches are via the application layer*
* Few exceptions
You can outsource hosted services but you cannot outsource accountability
9. But we are approaching this problem completely wrong and have been for years…..
11. A traditional end of cycle / Annual pentest only gives minimal security…..
12. There are too many variables and too little time to ensure “real security”.
13. An inconvenient truth
[Diagram: two weeks of ethical hacking vs. ten man-years of development; flaw categories: Business Logic Flaws, Code Flaws, Security Errors]
14. Make this more difficult: Let’s change the application code once a month.
Keeping Pace with:
DevSecOps
New Vulnerabilities
Continuous patching requirements
New Deployments (Services, Systems)
Continuous Testing
15. "Risk comes from not knowing what you're doing." - Warren Buffett
16. Automated Review
“A fool with a tool is still a fool”…..?
In two weeks:
Consultant “tunes tools”
Use multiple tools – verify issues
Customize attack vectors to technology stack
Achieve 80-90% application functionality coverage
How experienced is the consultant?
Are they as good as the bad guys?
They certainly need to be, they only have 2 weeks, right!!?
Code may be pushed to live soon after the test.
Potential window of exploitation could be until the next pen test.
6 months, 9 months, 1 year?
17. Some of the problem has moved (back) to the client.
Some “Client Side” vulnerabilities can’t be tested via HTTP parameter testing.
Many tools can’t adequately assess certain technologies:
• Node/Angular
• APIs
• Flex/Flash/Air
• Native Mobile Web Apps – Data Storage, leakage, malware.
• DOM XSS – jQuery, CSS, Attribute, Element, URL fragments
• Uploaded client-side/JavaScript malware (Gzip/deflate/Hex encoded etc).
• Logical/Business Logic Vulnerabilities.
Scanning is not enough anymore. Intelligence is required. Orchestration is required.
Tools alone – they don’t work well without strong operations and orchestration
18. “We need an Onion”
SDL – Design review
Threat Modeling
Code review/SAST
Negative use/abuse cases/Fuzzing/DAST
Live/Ongoing - Continuous/Frequent monitoring / Testing
Manual Validation
Vulnerability Intelligence & Priority
Dependency Management ….
Situational Awareness / Alerting
We need more than Automated Scanning.
20. Software food chain
Sources of Application Code:
• COTS (Commercial off the shelf)
• Outsourced development sub-contractors
• Bespoke outsourced development
• Bespoke internal development
• Third Party APIs
• Third Party Components & Systems
Degrees of trust: more … less
You may not let some of the people who have developed your code into your offices!!
21. 2016 - Open Source Security Statistics.
• 23% of the Components in the Average Software Application Contain Known Vulnerabilities
• 60% of businesses do not keep a complete inventory (bill of materials) of components being used in their applications.
- edgescan statistics November 2016
22. Struts - application development framework: downloaded 2 million times in the last year.
Remote Code Execution attack CVE-2017-9805
Affected versions: Struts 2.1.2 - 2.3.33, 2.5 - 2.5.12
https://cwiki.apache.org/confluence/display/WW/S2-052
2.1.2 – 9 years old
2.3.33 – July 2017
2.5.x – May 2017
https://struts.apache.org/downloads.html
23. Do we test for “dependency” issues?
NO
Does your patch management policy cover application dependencies?
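The Struts slide above gives a concrete case of what a dependency check has to do: compare the versions in your bill of materials against the inclusive version ranges an advisory lists. The following is an added example written for this page, not code from Eoin Keary's deck or from edgescan. It encodes only the CVE-2017-9805 ranges quoted on the slide; the artifact name `struts2-core`, the component `example-util` and every version in `SAMPLE_BOM` are constructed inventory entries used for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    component: str                          # artifact name as it appears in the bill of materials
    advisory_id: str                        # e.g. a CVE number
    affected: Tuple[Tuple[str, str], ...]   # inclusive (lowest, highest) affected version pairs


def parse_version(version: str) -> Tuple[int, ...]:
    # Dotted numeric versions only; padded to three places so "2.5" compares as 2.5.0.
    # Qualifiers such as "-RC1" or "-SNAPSHOT" are not handled and raise ValueError,
    # which is preferable to silently passing an entry the check cannot interpret.
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (3 - len(parts))


def in_range(version: str, low: str, high: str) -> bool:
    # Inclusive on both ends, matching how the Struts advisory states its ranges.
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def is_affected(version: str, advisory: Advisory) -> bool:
    return any(in_range(version, low, high) for low, high in advisory.affected)


# Ranges as quoted on the slide for CVE-2017-9805 (S2-052): 2.1.2 - 2.3.33 and 2.5 - 2.5.12.
STRUTS_S2_052 = Advisory(
    component="struts2-core",          # assumed inventory key (Maven artifactId style)
    advisory_id="CVE-2017-9805",
    affected=(("2.1.2", "2.3.33"), ("2.5", "2.5.12")),
)

# Constructed bill of materials: (component, version) pairs as an inventory would list them.
SAMPLE_BOM: List[Tuple[str, str]] = [
    ("struts2-core", "2.3.30"),   # inside the first range
    ("struts2-core", "2.5.13"),   # just past the second range
    ("struts2-core", "2.5"),      # lower bound of the second range, inclusive
    ("example-util", "1.4.2"),    # hypothetical component with no advisory
]


def check_bom(bom, advisories) -> List[Tuple[str, str, str]]:
    # Returns (component, version, advisory_id) for every inventory entry in an affected range.
    findings = []
    for component, version in bom:
        for adv in advisories:
            if adv.component == component and is_affected(version, adv):
                findings.append((component, version, adv.advisory_id))
    return findings


if __name__ == "__main__":
    for component, version, advisory_id in check_bom(SAMPLE_BOM, [STRUTS_S2_052]):
        print(f"{component} {version}: affected by {advisory_id}")
```

The point of the exercise is the second slide bullet: without the inventory (`SAMPLE_BOM` here) there is nothing to compare against, so the 60% of businesses without a bill of materials cannot run even this much.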
31. Doing things right != Doing the right things.
“Not all bugs/vulnerabilities are equal”
(is HttpOnly important if there is no XSS?)
Contextualize Risk
(is XSS /SQLi always High Risk?)
Do developers need to fix everything?
- Limited time
- Finite Resources
- Task Priority
- Pass internal audit?
White Noise
32. Compliance - GDPR
There’s Compliance:
EU directive:
http://register.consilium.europa.eu/pdf/en/12/st05/st05853.en12.pdf
Article 23, 24 & 79 - Administrative sanctions
“The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0.5 % of its annual worldwide turnover, to anyone who, intentionally or negligently does not protect personal data”
35. Is Cross-Site Scripting the same as SQL injection?
Both are injection attacks -> code and data being confused by the system.
LDAP Injection, Command Injection, Log Injection, XSS, SQLI etc etc
Think old phone systems, Captain Crunch (John Draper).
Signaling data and voice data on same logical connection – Phone Phreaking
36. XSS causes the browser to execute user supplied input as code. The input breaks out of the "Data" context and becomes execution context.
SQLI causes the database or source code calling the database to confuse data [context] and ANSI SQL [execution context].
Command injection mixes up data [context] and the command [context].
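Slides 35 and 36 make one argument: every injection class is the same defect, data reaching an interpreter in a form it parses as code. The block below is an added example for this page (not from the presentation) showing that boundary for all three contexts the slide names: SQL, HTML and a command line. Each pairs the concatenation pattern that blurs the boundary with the construct that keeps the data in the data context: placeholder binding for SQL, output encoding for HTML, an argument vector (or `shlex.quote` as a fallback) for commands. The `users` table, the input strings and the `ping` command line are all constructed for the demonstration; nothing here is handed to a shell.

```python
import html
import shlex
import sqlite3
import subprocess
import sys


def make_db():
    # Constructed in-memory users table standing in for an application database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_concat(conn, name):
    # Vulnerable: the input is spliced into the SQL text. A quote in the "data" closes
    # the string literal and the remainder is parsed as SQL (execution context).
    # The same defect makes a legitimate name such as O'Brien a syntax error.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    # Hardened: placeholder binding. The statement is fixed before any input is seen
    # and the value travels strictly as data, so it can only be compared, never parsed.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_unsafe(display_name):
    # Vulnerable: raw interpolation into HTML. Markup in the input becomes part of the
    # page and the browser executes any script it carries (XSS).
    return "<p>Hello, " + display_name + "</p>"


def render_safe(display_name):
    # Hardened: escape for the HTML text context so the input stays a text node.
    # (Attribute, URL and JavaScript contexts each need their own encoding.)
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


def shell_string_unsafe(host):
    # Vulnerable: a command line built by concatenation. Given to a shell, ';' in the
    # input separates commands, so data becomes a command. Returned for inspection only.
    return "ping -c 1 " + host


def argv_safe(host):
    # Hardened: one argument vector and no shell. Each element reaches the child as a
    # single argument, so shell metacharacters in the input carry no meaning.
    return ["ping", "-c", "1", host]


def shell_string_quoted(host):
    # Fallback when a shell string is unavoidable: quote the data as one shell word.
    return "ping -c 1 " + shlex.quote(host)


def child_sees(value):
    # Runs the argv pattern for real: a Python child process echoes back its first
    # argument, showing that the ';' arrived as data rather than as a separator.
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"   # constructed input: a quote followed by SQL
    print("concat:", lookup_concat(db, payload))   # all three rows: the WHERE clause was rewritten
    print("param: ", lookup_param(db, payload))    # []: treated as a literal name, no match
    print("html:  ", render_safe("<b>bob</b>"))
    print("argv:  ", child_sees("host; echo injected"))
```

The detail worth showing developers is the `O'Brien` case: the concatenated query is not only exploitable, it is also a functional bug, which is the "bugs are bugs" framing of the closing slide.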
37. So….
We need to understand what we are protecting against.
We need to understand that a pentest alone is a losing battle.
You can only improve what you can measure
Not all bugs are created equal.
Bugs are Bugs. Explain security issues to developers in “Dev speak”