CONFIDENCE CONFERENCE

Analyzing Security Findings the Easy Way: 6 years later…

SECCUBUS

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

CONFidence 2015: Automated Security scanning - Frank Breedijk, Glenn ten Cate


WHO ARE WE?

Frank Breedijk
• Security Officer at Schuberg Philis
• (Official) Security dude since 2000
• Author of Seccubus

Coordinates:
• [email protected]
• https://www.linkedin.com/in/seccubus
• @Seccubus on Twitter

Glenn ten Cate
• Mission Critical Engineer Security at Schuberg Philis
• Security Dude
• Author of Security Knowledge Framework

Coordinates:
• gtencate@schubergphilis
• https://nl.linkedin.com/pub/glenn-ten-cate/3b/11a/

WHY DID I START THE SECCUBUS PROJECT?

Frustration

Being challenged

To make my life easier

Image: Y?, a CC NC ND image by Tehmina Goskar, https://www.flickr.com/photos/13114254@N00/119475590/

A STORY ABOUT TWO GUYS

C. Lueless

B. Rightlad

Mission: Perform a bi-weekly vulnerability scan of all our public IP addresses

These and all non-attributed photos of Frank Breedijk are taken by Jan Jacob Bos

C. LUELESS – TAKES A CLASSIC APPROACH

GETTING UP WAY TOO EARLY…

… STARTING THE SCANNER IN THE MAINTENANCE WINDOW…

… WAITING …

… ANALYSIS

WHAT IS C. LUELESS’ PROBLEM?

Scanners are written for consultants, not operations

Scanners need to make a tradeoff between false positives and false negatives

Most scanners produce an awful lot of output

Scanning takes time, tools are poorly automated

B. RIGHTLAD CHOOSES SECCUBUS

CONFIGURATION IN THE MORNING

… GO HOME …

… RELAX …

… THE SCAN RUNS AT NIGHT …

Image: Orion's Umbra, a CC NC image from jahdakinebrah's photostream

… IN THE MORNING …

… ANALYZE AND REMEDIATE

WHAT HAPPENED UNDER THE HOOD?

Do-scan → Nessus/scan → Nessus → .nessus files → nessus2ivil → IVIL file → Load ivil → Database

ALL ABOUT STATUS

New

Open

No issue

BALANCE

Is the work in balance with the profit?

Image: A fine balance, a CC NC ND image by Anish B George, https://www.flickr.com/photos/22199070@N00/3311106984/

TWO WEEKS LATER

Image: 1/365, a CC NC ND image from cubedude27's photostream

C. LUELESS – TAKES A CLASSIC APPROACH

GETTING UP WAY TOO EARLY…

… STARTING THE SCANNER IN THE MAINTENANCE WINDOW…

… WAITING …

… ANALYSIS

WAS IT REALLY WORTH IT?

B. RIGHTLAD CHOOSES SECCUBUS

… GO HOME …

… RELAX …

… THE SCAN RUNS AT NIGHT …

Image: Half Moon, a CC NC ND image from za3tooor's photostream

… IN THE MORNING …

… ANALYZE AND REMEDIATE

ALL ABOUT STATUS

New

Open

No issue

Changed

Gone

Closed

Masked
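The status list is what lets a run show only the delta against the previous scan. The Python below is an added example, not Seccubus's own code: it models a simplified version of those status rules (assumptions: a finding is keyed by host, port and plugin; the analyst verdicts "No issue" and "Masked" are kept even when the finding text changes; a finding that reappears after "Gone" or "Closed" is raised as "New" again) and runs it over constructed sample findings from two runs.

```python
# Status names from the Seccubus status slide.
NEW, CHANGED, OPEN, NO_ISSUE = "New", "Changed", "Open", "No issue"
GONE, CLOSED, MASKED = "Gone", "Closed", "Masked"
USER_VERDICT = {NO_ISSUE, MASKED}   # set by an analyst; a scan run never overrides them

def triage(previous, current):
    """Simplified model of the Seccubus delta rules (not the project's own code).

    previous: {(host, port, plugin): (status, text)} stored from the last run (assumed key);
    current:  {(host, port, plugin): text} parsed from the new scan output.
    """
    result = {}
    for key, text in current.items():
        if key not in previous:
            result[key] = (NEW, text)            # never seen before
            continue
        old_status, old_text = previous[key]
        if old_status in USER_VERDICT:
            result[key] = (old_status, text)     # analyst verdict stands even if the text moved
        elif old_status in (GONE, CLOSED):
            result[key] = (NEW, text)            # it came back, so raise it again
        elif text != old_text:
            result[key] = (CHANGED, text)        # same finding, different evidence
        else:
            result[key] = (old_status, text)     # nothing new: Open stays Open
    for key, (old_status, old_text) in previous.items():
        if key not in current:                   # no longer reported by the scanner
            result[key] = (old_status if old_status in (GONE, CLOSED) else GONE, old_text)
    return result

def needs_attention(findings):
    """Only New and Changed findings reach the analyst ("OK is OK")."""
    return {k: v for k, v in findings.items() if v[0] in (NEW, CHANGED)}

# Constructed sample data: stored findings from the previous run and the new run's output.
PREVIOUS = {
    ("10.0.0.5", "443", "ssl-weak-cipher"): (OPEN, "RC4 ciphers offered"),
    ("10.0.0.5", "80", "http-banner"): (NO_ISSUE, "Server: Apache/2.4"),
    ("10.0.0.7", "22", "ssh-version"): (OPEN, "OpenSSH 6.6"),
    ("10.0.0.7", "23", "telnet-open"): (OPEN, "Telnet service reachable"),
    ("10.0.0.9", "3306", "mysql-exposed"): (GONE, "MySQL reachable from the internet"),
}
CURRENT = {
    ("10.0.0.5", "443", "ssl-weak-cipher"): "RC4 ciphers offered",
    ("10.0.0.5", "80", "http-banner"): "Server: Apache/2.4.10",
    ("10.0.0.7", "22", "ssh-version"): "OpenSSH 6.7",
    ("10.0.0.9", "3306", "mysql-exposed"): "MySQL reachable from the internet",
    ("10.0.0.12", "21", "ftp-anon"): "Anonymous FTP login allowed",
}
```

With this data `needs_attention(triage(PREVIOUS, CURRENT))` returns three of the six tracked findings (the changed SSH banner, the returned MySQL exposure and the new FTP finding); the unchanged cipher finding, the accepted banner and the telnet finding that went away are not shown.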

OK IS OK…

Don’t bother users with non-actionable findings

Image: Woo, a CC NC SA image by Rick Harrison, https://www.flickr.com/photos/81851211@N00/2682663297/

ANOTHER TWO WEEKS PASS…

Image: Cosas hechas, a CC ND image from srgblog's photostream

C. LUELESS – TAKES A CLASSIC APPROACH

GETTING UP WAY TOO EARLY…

… STARTING THE SCANNER IN THE MAINTENANCE WINDOW…

… WAITING …

… ANALYSIS

B. RIGHTLAD CHOOSES SECCUBUS

… GO HOME …

… RELAX …

… THE SCAN RUNS AT NIGHT …

Image: Himalayan Moonrise, a CC NC ND image from swamysk's photostream

… IN THE MORNING …

… ANALYZE AND REMEDIATE

WHAT IS IN A NAME?

Succubus

In-Seccubus

Seccubus

SO…

Monthly Seccubus runs mean:

Scans are scheduled via crontab

Only the findings that need attention get it

Fewer errors due to less repetitive work

The amount of effort is proportional to the amount of changes

Risk is proportional to the amount of changes

COMPARE

Image: Apples & Oranges - They Don't Compare, a CC image from thebusybrain's photostream

REDUCE

Image: Slimmer, a CC NC ND image from mkmabus's photostream

6 YEARS AGO…

ULTIMATE GOAL

Image: StuttgargoalRobin, a CC image from dankamminga's photostream

SECCUBUS HAS EVOLVED

Name Seccubus chosen here at Confidence

Added new scanners (Medusa, SSLyze)

Wrote a new GUI

A LITTLE IVIL GOES A LONG WAY

Intermediate Vulnerability Information Language

Intermediate format that allows tools to interface and exchange findings

Image: EVIL, a CC NC SA image from krazydad's photostream

IVIL

It does not try to capture everything

It does not try to fit each case

The specification is not 63 pages

Simple to read

Simple to write

Simple to use

Simple License (MIT)

Easy to integrate new tools into Seccubus

ENTER GLENN

Joined Schuberg Philis 2 years ago

Main focus: Web Application Security

We need to integrate this into our pipeline

Image: Enter here, a CC NC ND image by Anne Petersen, https://www.flickr.com/photos/60258967@N00/4183985730/

WHY?

Breaches are moving from layer 3 to layer 7

There are only so many security dudes to drive the tools

Integrate into continuous delivery

FIRST WIN: SKIPFISH

Google’s web application security scanner

Open Source

Noisy

Not very subtle

Not production safe!

Image: Skip w/ fish, a CC NC ND image by AlBakker, https://www.flickr.com/photos/45213160@N00/206944920/

SECOND WIN: OWASP ZAP

Open source

Like Burp but free (as in speech)

Actively developed and maintained

OWASP Flagship Project

Image: IEEE Scrum, a CC NC SA image by Jim Carson, https://www.flickr.com/photos/44124442504@N01/2208956607/

SECURITY KNOWLEDGE FRAMEWORK

Help developers write better code

Enable Security by Design
• Knowledge system for risk analysis

Code Securely
• Code examples

Check code before commit
• OWASP Application Security Verification Standard

Newly adopted as OWASP Project

Image: Moving Hacks, a CC NC SA image by Brian Sawyer, https://www.flickr.com/photos/45609637@N00/229360390/

SECCUBUS CAN USE YOUR HELP

Coding
• Perl
• Angular

Requirements
• What do you want

Testers
• Challenge the quality of our crack ;)

Documentation
• Help us get new users

Users

Image: Hang On, a CC NC ND image from brraveheart's photostream

SNEAK PREVIEW

First public preview of new interface

Image: "Celebs", a CC BY NC SA licensed photo by Nick Sherman, http://flickr.com/photos/nicksherman/4145966095/

ROADMAP

New user interface (RSN)

Start/schedule scans from the GUI

Integration with Security Knowledge Framework

Add user/rights management

Track issues as well as findings

Reporting

More???

Image: Albany NY 1950, a CC image by david, https://www.flickr.com/photos/23465812@N00/6877290919/

QUESTIONS

www.seccubus.com

Image: What now?, a CC ND image from laurenclose's photostream
