Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode

Chris Wysopal | CTO & Co-founder, Veracode
Gordon MacKay | EVP & CTO, Digital Defense, Inc.

http://www.ddifrontline.com Digital Defense Inc (DDI) and Veracode present the "Crafting Super-Powered Risk Assessments" webinar and slides. The presentation covers security assessments, application security, and how to manage risk.

Page 1: Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode

Crafting Super-Powered Risk Assessments

Chris Wysopal | CTO & Co-founder, Veracode

Gordon MacKay | EVP & CTO, Digital Defense, Inc.

Page 2

Logistics

Presentation is designed for 30 to 45 minutes with time for questions.

Please use your control panel (shown on the right) to ask questions at any time during the presentation.

Presentation is being recorded

Both presentation and slides will be made available

Page 3

Gordon MacKay | Digital Defense, Inc.

Gordon MacKay, Digital Defense Executive Vice President and Chief Technology Officer, is responsible for strategic design, planning, and establishment of platform road maps, new platform development initiatives, and maintenance of the Company’s security information event management platforms and proprietary assessment solutions. Gordon also oversees the Platform Development architecture as well as manages the Platform Development and Vulnerability Research organizations.

Gordon started his career in 1991 as a systems engineer at Nortel Networks, where he designed Interactive Voice Response systems. Prior to joining Digital Defense, he held several research and development leadership positions at Alcatel USA in Dallas, Texas. Gordon is a frequent speaker at industry conferences and events.

Page 4

Chris Wysopal | Veracode, Co-Founder and Chief Technology Officer

Chris Wysopal is responsible for the security analysis capabilities of Veracode technology. Mr. Wysopal is recognized as an expert and a well-known speaker in the information security field and was recently named one of InfoWorld’s Top 25 CTOs and one of the 100 most influential people in IT by the editorial staffs of eWeek, CIO Insight and Baseline Magazine. Chris has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. He has also spoken as the keynote at West Point, to the Defense Information Systems Agency (DISA) and before the International Financial Futures and Options Exchange in London. His opinions on Internet security are highly sought after, and most major print and media outlets have featured stories on Mr. Wysopal and his work.

Page 5

About Digital Defense, Inc.

Founded in 1999, Digital Defense, Inc., is the premier provider of managed security risk assessment solutions, protecting billions in assets for small businesses to Fortune  companies in over 65 countries. Our dedicated team of experts helps organizations establish an effective culture of security and embrace the best practices of information security. Through regular assessments, awareness education and rapid reaction to potential threats, our clients become better prepared to reduce risk and keep their information, intellectual property and reputations secure.

In response to market intelligence and industry demand, DDI is the first information security provider to launch a Vulnerability Assessment (VA) Tool “Trade-In” program. This innovative offering is designed to maximize Information Security ROI for organizations through an applied credit equal to the annual licensing maintenance fee spent on idle and inefficient VA tools. A fully managed and enterprise-wide vulnerability scanning program is now available for companies taking advantage of this unique solution, with the applied credit worth up to 100% of the first year of DDI’s unparalleled VLM-Pro service.

www.ddifrontline.com

888.273.1412

Page 6

Agenda

• Risk Management Challenges

• Network Assessments – Assessing Risk Outside In

• Application Assessments – Assessing Risk Inside Out

• Combining Network and Application Assessments

• Ongoing Research and Development

Page 7

The Risk Game – Play Along

Which Picture Represents the Most Risk?

Page 8

What is Risk?

• Risk is Relative to an Entity

• Risk Involves

1. An Entity with a Goal – Something to Gain/Lose

2. An Entity with Weaknesses/Disadvantages

3. An Environment Capable of Taking Advantage of Weaknesses

Risk = Threat x Vulnerability x Cost

Page 9

Evolution of Species – One Solution to Risk

Page 10

Business Organizations Analogous to Living Organisms

• Organizations have Goals and Desires

• Have Weaknesses and Limited Resources

• Face Threats - Internal Flaws, Natural Disasters, Competitors, and More

• Optimal Resource Allocation Depends on Environment

• Organization’s Environment Continuously Changes

Organizations Must Evolve in order to Survive and Grow

Page 11

Risk Management Challenges

• What is Value and Where is it Located?

• What are the Dangers to the Organization’s Value?

• What are the Weaknesses of Value Containers?

• What Risk Level is Acceptable?

Page 12

Risk Management – Weaknesses of Existing Solutions

• No Existing Technology/Solution Accounts for All Risk

• Often, a given solution accounts for only the part of Risk within its own Security Silo

Security Silos: Network Security, Application Security, Access Management, Event Monitoring, Endpoint Security

Page 13

Risk Management – Network Assessment: Assessing Outside In

• Automatically Inventory Containers

– Attack Surface - Fully Visible, Camouflaged, Invisible

– Location - Externally Internet facing versus deep within the Organization’s Internal Network

– Other Container Details

• Allow Mapping Assets to Containers

• Allow Value Assignments to Containers

• Assess Weaknesses of Containers

Page 14

Network Assessment – Seen From Threat’s Point of View

[Diagram labels: Client Network, Client Asset Containers, NIRV Scanner, Vulnerability Results, Internet, FSP Servers, DDI Cloud-Based Vulnerability Management System, External Vulnerability Assessment, Internal Vulnerability Assessment, Authenticated Vulnerability Assessment]

Page 15

Network Assessment Strengths

• Hosts (Computers or Containers)

• Network Map

• Operating System

• Open Ports, Services, Applications

• Vulnerabilities within OSI Layer 2-7

– Many Known Vulnerabilities

– Generic (e.g. SQL Injection)

• Misconfigurations (e.g. Passwordless Protocols, Easily Guessable Passwords, SNMP configuration issues, much more)

Page 16

Network Assessment Challenges

• Most Compromises

• Most Malware, Viruses

• Most Backdoors

• Most Unknown (Zero Day) Vulnerabilities

• Hidden Weaknesses (e.g. no or poor use of Encryption)

• Most Business Logic Issues

• Most Security Architecture Weaknesses

• Some Known Vulnerabilities

Page 17

Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode cloud-based platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components.

Assessment techniques include:

Static binary analysis

Dynamic analysis

Manual analysis

More information available at www.veracode.com

Page 18

[Diagram labels: Network, End points/OS, Data, Applications]

The Application layer is the most exposed to the attacker.

Even with hardened end points and networks, vulnerabilities in applications can allow attackers to access data.

Page 19

OWASP Top Ten

A1: Injection

A2: Cross-Site Scripting (XSS)

A3: Broken Authentication and Session Management

A4: Insecure Direct Object References

A5: Cross Site Request Forgery (CSRF)

A6: Security Misconfiguration

A7: Failure to Restrict URL Access

A8: Insecure Cryptographic Storage

A9: Insufficient Transport Layer Protection

A10: Unvalidated Redirects and Forwards

http://www.owasp.org/index.php/Top_10

Page 20

Insecure Interaction Between Components
SQL Injection
Command Injection
XSS
Unrestricted upload
CSRF
Open Redirect

Risky Resource Management
Buffer Overflow
Path Traversal
Download of code with no check
Untrusted inclusion
Dangerous function
Format String
Integer Overflow

Porous Defenses
Missing Authentication
Missing Authorization
Hard coded credentials
Missing encryption
Untrusted inputs in security decision
Unnecessary Privileges
Incorrect authorization
Incorrect permission assignment
Broken crypto
No restriction of authorization attempts
Use of one way hash with no salt

Page 21

From Risk Awareness to Risk Mitigation with an Application Security Program

Identify Portfolio

Assess Vulnerabilities

Manage Risk

Page 22

Identify Application Portfolio

Get a handle on “application sprawl”

Involve business units, procurement and vendor management, and automated discovery

Consider regulatory impact, data leakage risk, operational risk

Create a policy

Page 23

Assess Vulnerabilities

Understand vulnerabilities in your application portfolio

Leverage automated analysis techniques

Static and dynamic scanning

Engage third-party vendors and service providers

Page 24

Multiple Analysis Techniques Improve Coverage of Vulnerability Classes

Universe of application security vulnerabilities is extensive

There is no “silver bullet” – each technique has strengths and weaknesses

A complete analysis includes: Static analysis (i.e. White Box), Dynamic analysis (i.e. Black Box), Penetration testing

Automation allows manual penetration testers to focus on vulnerabilities only humans can find

[Diagram labels: Automated Static, Automated Dynamic, Penetration Testing]

Page 25

Static Analysis

Analysis of software performed without actually executing the program

Full coverage of the entire source or binary

In theory, having full application knowledge can reveal a wider range of bugs and vulnerabilities than the “trial and error” of dynamic analysis

Impossible to identify vulnerabilities based on system configuration that exist only in the deployment environment

Page 26

Dynamic Analysis

Analysis of software performed against a running instance of the program

Most accurately mimics how a malicious user would attack the application

Due to the lack of internal application knowledge, discovering vulnerabilities can take longer and coverage may be limited

Cannot generate and test all possible inputs in reasonable time

Exposes vulnerabilities in the deployment environment

Page 27

Managing risk is more than just a list of vulnerabilities

How can this be combined with other risk information?

• Asset criticality

• Network location

• Host vulnerabilities

Combining application scan data with network scan data is a great start.

Page 28

Combining App Testing and Vuln Scanning

Network vulnerability scanner knows where all the web applications are.

It knows of any host vulnerabilities.

It may know about criticality of assets the application has access to.

Application testing has knowledge of vulnerabilities that network vulnerability scanners don’t know about.

Page 29

DDI-Veracode Provide Evolution Towards Enterprise Security Intelligence

Digital Defense – Vulnerability Management

Veracode – Application Assessments

Page 30

Network and Application Assessment – Enterprise Security Intelligence

• Assessed Applications Mapped to Network Discovered Containers Provide Increased Environmental Context

• Improved Vulnerability Class Coverage

• More Accurate Risk Assessments

Page 31

Integration Sneak Peek

Page 32

Integration Sneak Peek

Page 33

What’s Next?

• Correlating Application Assessment findings to Network Assessment findings (vulnerability overlaps)

• Emergence of One Risk Rating per container that considers Assessed Applications and Network Assessment Findings

• Advanced Analytics Sourcing data from Two Security Cloud Providers

• Learn more at the Veracode-DDI talk at RSA USA 2013: “SAST, DAST And Vulnerability Assessments, 1+1+1 = 4”
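As an added example (not from the slides, and not the DDI or Veracode integration itself), this Python sketch shows the join described on the "Combining App Testing and Vuln Scanning" slide and the "One Risk Rating per container" idea from this slide: application findings are mapped to the network-discovered container hosting their URL, and Risk = Threat x Vulnerability x Cost is applied with network location standing in for Threat, combined finding severity for Vulnerability and asset criticality for Cost. All hosts, URLs, severities and weights are constructed sample data; the exposure weights and the severity-combination rule are assumptions, not anything the deck specifies.

```python
# Added example: one risk rating per network-discovered container, built from
# network scan data joined with app assessment findings. All values are constructed.

# Assumption: network location stands in for the Threat term of
# Risk = Threat x Vulnerability x Cost; asset criticality (1-5) is the Cost term.
EXPOSURE = {"external": 1.0, "internal": 0.4}

# Constructed network scan output: hosted web app URLs and host vulnerability
# severities (CVSS-like, 0-10) per container.
NETWORK_CONTAINERS = [
    {"host": "web1.example.test", "location": "external", "criticality": 5,
     "urls": ["https://shop.example.test"], "host_vulns": [5.3, 7.5]},
    {"host": "intranet.example.test", "location": "internal", "criticality": 3,
     "urls": ["http://intranet.example.test"], "host_vulns": [9.8]},
]

# Constructed application assessment output, keyed by URL.
APP_FINDINGS = [
    {"url": "https://shop.example.test", "category": "A1: Injection", "severity": 9.0},
    {"url": "https://shop.example.test", "category": "A2: XSS", "severity": 6.1},
    {"url": "http://intranet.example.test", "category": "A7: Failure to Restrict URL Access", "severity": 7.0},
    {"url": "https://orphan.example.test", "category": "A5: CSRF", "severity": 5.0},
]

def map_apps_to_containers(containers, findings):
    """Join each app finding to the container hosting its URL; findings whose
    URL no discovered container serves are returned separately as a coverage gap."""
    host_by_url = {u: c["host"] for c in containers for u in c["urls"]}
    mapped = {c["host"]: [] for c in containers}
    unmapped = []
    for f in findings:
        host = host_by_url.get(f["url"])
        (mapped[host] if host else unmapped).append(f)
    return mapped, unmapped

def vulnerability_score(severities):
    """Assumed rule 1 - prod(1 - s/10): several medium findings add up, capped at 1.0."""
    remaining = 1.0
    for s in severities:
        remaining *= 1.0 - min(max(s, 0.0), 10.0) / 10.0
    return 1.0 - remaining

def container_risk(containers, findings):
    """Return ({host: risk}, unmapped findings) using Threat x Vulnerability x Cost."""
    mapped, unmapped = map_apps_to_containers(containers, findings)
    risk = {}
    for c in containers:
        severities = c["host_vulns"] + [f["severity"] for f in mapped[c["host"]]]
        risk[c["host"]] = round(EXPOSURE[c["location"]] * vulnerability_score(severities) * c["criticality"], 3)
    return risk, unmapped
```

With the constructed data the Internet-facing shop container scores far above the intranet host despite the latter's single critical host finding, and the CSRF finding on a URL no scanner discovered is surfaced as an unmapped application rather than silently dropped.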

Page 34

The Application Layer

Questions?

Contact

Gordon MacKay, Digital Defense, [email protected], @gord_mackay

Chris Wysopal, [email protected], @weldpond