• Home

  • Technology

  • Elevate Your Application Security Program with Burp Suite and ThreadFix
38
© 2017 Denim Group – All Rights Reserved Elevate Your Application Security Program with BurpSuite Pro and ThreadFix July 18th, 2017 Dan Cornell, CTO, Denim Group Dafydd Stuttard, Director, PortSwigger Web Security

Elevate Your Application Security Program with Burp Suite and ThreadFix

Embed Size (px)

Citation preview

Page 1: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Elevate Your Application Security Program with BurpSuite Pro and ThreadFix

July 18th, 2017

Dan Cornell, CTO, Denim Group

Dafydd Stuttard, Director, PortSwigger Web Security

Page 2: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Agenda

1

Page 3: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Agenda

• BurpSuite Pro Background and Demo• ThreadFix Background• BurpSuite Pro and ThreadFix Together

2

Page 4: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

BurpSuite Pro Background and Demo

3

Page 5: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

ThreadFix Background

4

Page 6: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

ThreadFix Overview• Create a consolidated view of your applications

and vulnerabilities

• Prioritize application risk decisions based on data

• Translate vulnerabilities to developers in the tools they are already using

5

Page 7: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

ThreadFix Overview

6

Page 8: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Create a consolidated view of your applications

and vulnerabilities

7

Page 9: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Application Portfolio Tracking

8

Page 10: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Vulnerability Consolidation

9

Page 11: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Prioritize application risk decisions based on data

10

Page 12: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Vulnerability Prioritization

11

Page 13: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Prioritization with Hotspot

12

Page 14: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Reporting and Metrics

13

Page 15: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Translate vulnerabilities to developers in the tools they are already using

14

Page 16: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Defect Tracker Integration

15

Page 17: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

BurpSuite Pro and ThreadFix Together

16

Page 18: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Hybrid Analysis Mapping• Merge BurpSuite Pro scan results with the

results of SAST

• Soon: Better imports of Burp Infiltrator for IAST/HAM-like capabilities

17

Page 19: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

ThreadFix ScanAgent

• Drive BurpSuite Pro automated scanning from ThreadFix• One-time scans• Scheduled scans• CI/CD integration

18

Page 20: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Secure DevOps with ThreadFix

• What does your pipeline look like?

http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu http://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally

https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html

19

Page 21: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

AppSec Testing for DevOps

• Configuring Testing Policies

• AppSec Testing for DevOps in Action

20

Page 22: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Policy Configuration• Testing

• Synchronous• Asynchronous

• Decision• Reporting

Blog Post: Effective Application Security Testing in DevOps Pipelineshttp://www.denimgroup.com/blog/2016/12/effective-application-security-testing-in-devops-pipelines/

https://www.denimgroup.com/resources/effective-application-security-for-devops/

21

Page 23: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Testing Configuration

22

Page 24: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Testing Configuration

23

Page 25: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Decision Configuration

24

Page 26: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Decision Configuration

25

Page 27: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Reporting Configuration

26

Page 28: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Reporting Configuration

27

Page 29: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Reporting Configuration

28

Page 30: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Reporting Configuration

29

Page 31: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Testing in Action

30

Page 32: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Testing in Action

31

Page 33: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Testing in Action

32

Page 34: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Testing in Action

33

Page 35: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Testing in Action

34

Page 36: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Testing in Action

35

Page 37: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

Testing in Action

36

Page 38: Elevate Your Application Security Program with Burp Suite and ThreadFix

© 2017 Denim Group – All Rights Reserved

@denimgroupwww.threadfix.it

www.denimgroup.com

@Burp_Suitewww.portswigger.net

37


Bath Burp Issue 6

Bath Burp Issue 6

Documents
Bath Burp Issue 10

Bath Burp Issue 10

Documents
Managing Your Application Security Program with the ThreadFix Ecosystem

Managing Your Application Security Program with the ThreadFix Ecosystem

Technology
Clear AppSec Visibility with AppSpider and ThreadFix

Clear AppSec Visibility with AppSpider and ThreadFix

Technology
Using ThreadFix to Manage Application Vulnerabilities

Using ThreadFix to Manage Application Vulnerabilities

Technology
Zap vs burp

Zap vs burp

Software
Automation of Web Application Scanning with Burp …...Why Burp Suite? 5 Burp Suite - GUI proxy server for manual analyse of HTTP and Websocket protocols › Everyone in our team uses

Automation of Web Application Scanning with Burp …...Why Burp Suite? 5 Burp Suite - GUI proxy server for manual analyse of HTTP and Websocket protocols › Everyone in our team uses

Documents
Bath Burp Issue 5

Bath Burp Issue 5

Documents
Bath Burp 9

Bath Burp 9

Documents
ThreadFix 2.2 Preview Webinar with Dan Cornell

ThreadFix 2.2 Preview Webinar with Dan Cornell

Software
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Management for Applications

ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Management for Applications

Technology
Pentesting Using Burp Suite

Pentesting Using Burp Suite

Documents
Extending Burp with Python

Extending Burp with Python

Documents
Pen Testing With Burp Suite

Pen Testing With Burp Suite

Documents
Saluting the Salubrious Burp: The Burp that Healed, by Pieter Uys

Saluting the Salubrious Burp: The Burp that Healed, by Pieter Uys

Documents
Application Security Management with ThreadFix

Application Security Management with ThreadFix

Software
Optimizing Your Application Security Program with Netsparker and ThreadFix

Optimizing Your Application Security Program with Netsparker and ThreadFix

Technology
Burp Suite Starter

Burp Suite Starter

Technology
Burp Scanner Help

Burp Scanner Help

Documents
Running a Comprehensive Application Security Program with Checkmarx and ThreadFix 

Running a Comprehensive Application Security Program with Checkmarx and ThreadFix 

Technology
Burp Suite Pro - Hack In Paris · Burp Suite Pro Real-life tips & tricks Nicolas Grégoire. ... Magic combo: Nikto Burp FuzzDB ... Misc Custom Logger, Burp Notes,

Burp Suite Pro - Hack In Paris · Burp Suite Pro Real-life tips & tricks Nicolas Grégoire. ... Magic combo: Nikto Burp FuzzDB ... Misc Custom Logger, Burp Notes,

Documents
Burp Rag Tabs

Burp Rag Tabs

Documents
Definitive Guide to PENETRATION TESTING - Core Sentinel · Burp Suite. Burp is a web application intercepting proxy which is Burp is a web application intercepting proxy which is

Definitive Guide to PENETRATION TESTING - Core Sentinel · Burp Suite. Burp is a web application intercepting proxy which is Burp is a web application intercepting proxy which is

Documents
Introduction to burp suite

Introduction to burp suite

Software
Burp Suite Extension Writing Workshop - Devils Lab Extension Writing... · » Introduction to Burp Suite » Burp features: • scoping, proxy settings, repeater mode and other options

Burp Suite Extension Writing Workshop - Devils Lab Extension Writing... · » Introduction to Burp Suite » Burp features: • scoping, proxy settings, repeater mode and other options

Documents
Bath Burp Issue 4

Bath Burp Issue 4

Documents
Burp Suite

Burp Suite

Documents
Mocking HTTP APIs With Burp - Shea Polansky · Burp Intruder Repeater Window Help Repeater Options URL Burp Suite Community Edition v1.7.35 - Temporary Project Alerts it H u b—

Mocking HTTP APIs With Burp - Shea Polansky · Burp Intruder Repeater Window Help Repeater Options URL Burp Suite Community Edition v1.7.35 - Temporary Project Alerts it H u b—

Documents
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources

ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources

Technology
ThreadFix 2.1 and Your Application Security Program

ThreadFix 2.1 and Your Application Security Program

Software