SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain
AppSec DC 11.13.2009
Ed Bellis VP, CISO
Orbitz Worldwide
But First... some context
Orbitz.com
NWA Booking engine
Orbitz For Business
Cheaptickets
Away.com
eBookers
HotelClub
Traveler Care
GORP Travel
RBS Rewards
Southwest Hotels
Orbitzgames.com
Trip.com
msn.orbitz.com
AA Booking engine
Context Matters...
...and on and on and on...
100’s of Applications (endless)
1000’s of Servers
1000’s of Devices
100’s of DBs
Data Centers: multiple continents
Call Centers: follow the sun
Context Matters... VA Tools
Application
Network & Host
Database
Remediation Tracking
Jira
Remedy
...and on and on and on...
A Proposed Solution: A Case Study
Using Standards to Automate, Correlate & Measure
Centralizing the Data: Overview
Workflow: A Simple Use Case
1. NVD feed is pulled in daily.
A Workflow Use Case
2. WhiteHat connector runs on a predefined schedule.
3. Qualys connector runs on a predefined schedule.
4(a). Security Admin manages and modifies asset information discovered by VA tools (CPE).
Note: Unexpected Benefit!
5. Vulnerability data is normalized and correlated across VA results utilizing CVE and WASC-TC. Vulns are scored using CVSS / WASC-TC plus Asset/CPE data.
6. Single-click defect creation from Conduit to Jira.
7. Security defect is remediated by developer and closed in Jira.
8. Conduit issues re-test of vulnerability via Sentinel API.
9. If re-test returns clean, results are fed to Conduit and vulnerability is closed.
10. Metrics can be viewed and filtered via tags added through asset mgmt.
Metrics via Tag Lenses
Pre-Defined Vulnerability Metrics
Filtered by Asset Tags
Many-to-Many Tag/Asset Relationship
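The correlation, scoring, defect-creation, re-test and tag-lens steps of the workflow above (steps 5 through 10, plus the many-to-many tag/asset metrics), as an added Python example. This is not Conduit's code and does not use the real NVD, Qualys, WhiteHat Sentinel or Jira formats: the feed slice, asset records and scanner findings are constructed stand-ins, the CVE IDs are placeholders in CVE format only, and the WASC-TC severity numbers, the "pci" tag weighting and the Jira priority bands are assumed policy.

```python
"""Added example, not Conduit's code: correlation (step 5), defect creation (6),
re-test handling (8-9) and tag-lens metrics (10) on constructed data."""
from collections import defaultdict

# Step 1, constructed: a slice of an NVD-style feed. The CVE IDs are placeholders in
# CVE format, not real entries; CPE names use the CPE 2.2 URI form.
NVD_FEED = {
    "CVE-2009-99901": {"cvss_base": 7.5, "cpe": ["cpe:/a:example:webapp:1.0"]},
    "CVE-2009-99902": {"cvss_base": 4.3, "cpe": ["cpe:/a:example:webapp:1.0",
                                                 "cpe:/a:example:webapp:1.1"]},
}
# Step 4, constructed: asset records as curated by the security admin (CPE plus tags).
ASSETS = {
    "web01": {"cpe": "cpe:/a:example:webapp:1.0", "tags": {"pci", "booking-engine"}},
    "web02": {"cpe": "cpe:/a:example:webapp:1.1", "tags": {"booking-engine"}},
}
# Steps 2-3, constructed connector output: host findings carry a CVE, app findings a
# WASC-TC class name. The last entry of each list exercises an edge case: a CVE whose
# affected CPEs do not include the host's platform, and a CVE reported by both tools.
QUALYS_FINDINGS = [
    {"asset": "web01", "cve": "CVE-2009-99901"},
    {"asset": "web01", "cve": "CVE-2009-99902"},
    {"asset": "web02", "cve": "CVE-2009-99902"},
    {"asset": "web02", "cve": "CVE-2009-99901"},   # not applicable to webapp:1.1
]
WHITEHAT_FINDINGS = [
    {"asset": "web01", "wasc": "SQL Injection", "url": "/search"},
    {"asset": "web01", "cve": "CVE-2009-99901"},   # same CVE the host scanner reported
]
WASC_SEVERITY = {"SQL Injection": 9.0, "Cross-Site Scripting": 6.5}  # assumed 0..10 mapping
TAG_BUMP = {"pci": 1.0}                                              # assumed tag weighting


def score(base, tags):
    """CVSS base (or WASC-mapped) score plus asset-tag adjustments, capped at 10."""
    return min(10.0, base + sum(TAG_BUMP.get(t, 0.0) for t in tags))


def correlate(host_findings, app_findings):
    """Step 5: one record per (asset, CVE or WASC class), whichever tools reported it."""
    merged = {}
    for source, findings in (("qualys", host_findings), ("whitehat", app_findings)):
        for f in findings:
            asset = ASSETS[f["asset"]]
            if "cve" in f:
                entry = NVD_FEED[f["cve"]]
                if asset["cpe"] not in entry["cpe"]:
                    continue   # feed says this CVE does not affect the asset's platform
                ident, base = f["cve"], entry["cvss_base"]
            else:
                ident, base = f["wasc"], WASC_SEVERITY[f["wasc"]]
            rec = merged.setdefault((f["asset"], ident), {
                "asset": f["asset"], "id": ident, "sources": set(),
                "score": score(base, asset["tags"]), "status": "open"})
            rec["sources"].add(source)   # second tool adds a source, not a duplicate
    return sorted(merged.values(), key=lambda r: -r["score"])


def jira_issue(vuln):
    """Step 6: the defect payload handed to the tracker. Priority bands are assumed."""
    s = vuln["score"]
    priority = "Critical" if s >= 9.0 else "High" if s >= 7.0 else "Medium"
    return {"summary": f"{vuln['id']} on {vuln['asset']}", "priority": priority,
            "description": f"score={s:.1f} sources={sorted(vuln['sources'])}"}


def apply_retest(vuln, retest_clean):
    """Steps 8-9: close only on a clean re-test; otherwise the record stays open."""
    vuln["status"] = "closed" if retest_clean else "open"
    return vuln["status"]


def metrics_by_tag(vulns):
    """Step 10: open count and max score per tag; an asset with N tags feeds N lenses."""
    out = defaultdict(lambda: {"open": 0, "max_score": 0.0})
    for v in vulns:
        if v["status"] != "open":
            continue
        for tag in ASSETS[v["asset"]]["tags"]:
            out[tag]["open"] += 1
            out[tag]["max_score"] = max(out[tag]["max_score"], v["score"])
    return dict(out)


if __name__ == "__main__":
    vulns = correlate(QUALYS_FINDINGS, WHITEHAT_FINDINGS)
    for v in vulns:
        print(jira_issue(v))
    apply_retest(vulns[0], retest_clean=True)   # developer fixed the top item (step 7)
    print(metrics_by_tag(vulns))
```

Two details carry the weight here: the CPE check in `correlate` is what lets the curated asset data (step 4) suppress a scanner hit the feed says cannot apply, and the `(asset, identifier)` key is what turns the same CVE from two tools into one record with two sources instead of two tickets.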
Wheel of Pain Revisited
The Standards
Today:
CPE: Common Platform Enumeration
CVE: Common Vulnerabilities and Exposures
CVSS: Common Vulnerability Scoring System
WASC-TC: Web Application Security Consortium Threat Classification (not an SCAP component; used here alongside CVE for web application findings)
Roadmap:
CCE: Common Configuration Enumeration
XCCDF: Extensible Configuration Checklist Description Format
Additional & Emerging SCAP Standards:
OVAL: Open Vulnerability and Assessment Language
Q&A
Email: [email protected]
Twitter: http://www.twitter.com/ebellis
More Info On SCAP: http://scap.nist.gov
More Info On Conduit: http://www.honeyapps.com