© 2016 Denim Group – All Rights Reserved
Optimizing Your Application
Security Program with
Netsparker and ThreadFix
October 19, 2016
Ferruh Mavituna, Product Architect and CEO, Netsparker Ltd.
Dan Cornell, CTO, Denim Group
Agenda
• State of Application Security
• Netsparker Overview
• ThreadFix Overview
• ThreadFix / Netsparker Integration
Automated Web Application Security
Netsparker automatically finds and reports security issues in web sites and web services.
• Netsparker Desktop: Windows-only software, easy to install and use.
• Netsparker Cloud: SaaS version of Netsparker. Uses the very same engine, is scalable and comes with enterprise features.
Netsparker Desktop
Windows Software
It simulates a real attacker to find vulnerabilities in web applications automatically.
It allows users to carry out advanced security tasks and is especially useful for security consultants and in-house security teams.
Netsparker’s Core Features
• Ease of Use
• Supports Authentication
• Supports Modern Web
• Proof Based Scanning (unique feature)
• Integrated Exploitation
• Supports Mobile/Web Services
Netsparker Cloud
• Scalable: can scan thousands of websites within hours.
• Designed for Enterprise: built with big teams and big datasets in mind.
• API: for integrating with other solutions and internal products.
• On-premises or managed.
Security Testing Process
Automated Security Testing Process
1. Configure and start the scan: configure custom 404 pages, authentication, URL rewrite rules, etc.
2. Check that the results are correct: if there is a Local File Inclusion, exploit it safely to see that the LFI is real and not a false positive; if it is SQL Injection, safely read data from the database. Repeat this for every vulnerability to eliminate false positives.
3. Take action: prioritize the important issues, communicate with the developers and make the necessary changes. Deploy the new version of the application and re-test.
Process with Netsparker & ThreadFix
1. Start your scan quickly: URL rewrite rules are discovered dynamically, custom 404 pages are handled automatically, and authentication only requires you to enter the URL, username and password. Single Page Applications (SPAs) are supported automatically.
2. Netsparker gives you the proof (Proof Based Scanning): get the results with proof. If there is a SQL Injection, Netsparker extracts some data from the target web application’s database; if there is an LFI, Netsparker retrieves a file from the target system, etc. This applies to all direct-impact vulnerabilities.
3. Take action: now that you know which vulnerabilities are real, without spending any more time on them, pass them to your development team to start addressing these issues immediately. You don’t want to leave your website exposed during this process, so import these issues into ThreadFix and generate rules for your WAF without worrying about false positives.
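The "check that the results are correct" step of the manual process and the proof-based step above, in runnable form. This is an added example, not Netsparker's code: it confirms an LFI by retrieving a harmless world-readable file and a SQL injection by first checking a boolean predicate and then reading a value computed by the database. The target (`demo_fetch`), the findings list and the use of sqlite's `sqlite_version()` as the proof value are all constructed for the example so it runs offline; a real run would replace `demo_fetch` with an HTTP GET.

```python
"""Proof-based confirmation of scanner findings (added example, not Netsparker code).

A finding counts as real only when an exploit attempt yields evidence the
scanner could not have guessed: a file body for LFI, a value computed by the
database for SQL injection.  The target is a constructed in-memory app so the
script runs offline; swap demo_fetch for a real HTTP GET to use it live.
"""
import posixpath
import re
import sqlite3
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, quote, urlsplit

Fetcher = Callable[[str], str]  # url -> response body

# ---- constructed vulnerable target ------------------------------------------
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nwww:x:33:33::/var/www:/usr/sbin/nologin\n",
    "/var/www/index.html": "<html>hello</html>",
}
DB = sqlite3.connect(":memory:")
DB.execute("create table product(id integer, name text)")
DB.executemany("insert into product values (?, ?)", [(1, "widget"), (2, "gadget")])

def demo_fetch(url: str) -> str:
    """/view?file= has a traversal bug, /product?id= concatenates SQL,
    /safe?id= is parameterised (the false-positive candidate)."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path == "/view":
        path = posixpath.normpath("/var/www/" + q.get("file", "index.html"))
        return FAKE_FS.get(path, "not found")
    if parts.path == "/product":
        try:
            rows = DB.execute(f"select name from product where id = {q.get('id', '1')}").fetchall()
        except sqlite3.Error:
            return "error"
        return "".join(f"<li>{r[0]}</li>" for r in rows)
    if parts.path == "/safe":
        try:
            rows = DB.execute("select name from product where id = ?", (int(q.get("id", "1")),)).fetchall()
        except ValueError:
            return "error"
        return "".join(f"<li>{r[0]}</li>" for r in rows)
    return "not found"

# ---- confirmation checks ----------------------------------------------------
def confirm_lfi(fetch: Fetcher, url: str, param: str) -> Optional[str]:
    """Walk up the tree until /etc/passwd is served back.  The proof is the
    root line itself: a harmless, world-readable file on every Unix host."""
    for depth in range(1, 8):
        body = fetch(f"{url}?{param}={quote('../' * depth + 'etc/passwd', safe='')}")
        m = re.search(r"^root:[^:]*:0:0:.*$", body, re.M)
        if m:
            return m.group(0)
    return None

def confirm_sqli(fetch: Fetcher, url: str, param: str, base: str = "1") -> Optional[str]:
    """Boolean-based check first (cheap, no data touched); only a target whose
    response flips on a true/false predicate is asked for proof, here the
    database version via a UNION.  sqlite_version() is assumed for the demo
    target; a real scanner picks the function per DBMS."""
    if fetch(f"{url}?{param}={quote(base + ' and 1=1', safe='')}") == \
       fetch(f"{url}?{param}={quote(base + ' and 1=2', safe='')}"):
        return None
    body = fetch(f"{url}?{param}={quote(base + ' and 1=2 union select sqlite_version()', safe='')}")
    m = re.search(r"\d+\.\d+\.\d+", body)
    return m.group(0) if m else None

FINDINGS: List[Dict[str, str]] = [  # constructed scanner output
    {"type": "LFI", "url": "http://target.test/view", "param": "file"},
    {"type": "SQLi", "url": "http://target.test/product", "param": "id"},
    {"type": "SQLi", "url": "http://target.test/safe", "param": "id"},
]

def verify_findings(fetch: Fetcher, findings: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Attach confirmed/proof to every finding; the unconfirmed ones are what a
    proof-based scanner would have suppressed as false positives."""
    out = []
    for f in findings:
        check = confirm_lfi if f["type"] == "LFI" else confirm_sqli
        proof = check(fetch, f["url"], f["param"])
        out.append({**f, "confirmed": proof is not None, "proof": proof})
    return out

if __name__ == "__main__":
    for r in verify_findings(demo_fetch, FINDINGS):
        print(r["type"], r["url"], "CONFIRMED" if r["confirmed"] else "unconfirmed", r["proof"])
```

The order inside `confirm_sqli` is the point: the boolean pair costs two requests and touches no data, so the data-reading probe only runs against a target that has already shown injectable behaviour. The `/safe` endpoint returns the same error for both predicates and is reported as unconfirmed, which is exactly the false positive the proof step exists to drop.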
Proof Based Scanning: False Positive or not?
A scanner you can
{ }
Scalability
How can you scan 1,000 applications? More importantly, how can you address 10,000 issues in these applications?
Netsparker Cloud & ThreadFix
In 24 hours you can find & hot-patch 10,000 vulnerabilities:
1. Netsparker Cloud can scan thousands of websites in under 24 hours.
2. Import the results into ThreadFix through the API.
3. Because the results are clearly flagged as CONFIRMED and 100% real, you can generate WAF rules without worrying about false positives.
Congratulations, you have improved the state of your web application security significantly in just under 24 hours. You still need to fix all of these issues rather than rely on the WAF, but the improvement will be huge.
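What "generate WAF rules from confirmed findings" looks like in practice, as an added example that is not ThreadFix's rule generator or its output format. The findings export is a constructed, simplified stand-in for a Netsparker/ThreadFix export rather than either product's real schema, the detection patterns are assumed starting points, and the rule-id range is assumed. The security-relevant behaviour is the filter: only findings marked confirmed become block rules, duplicates on the same path and parameter collapse to one rule, and the rule is scoped to the path where the bug was confirmed.

```python
"""Virtual patches from confirmed findings (added example, not ThreadFix's
rule generator or its output format).

The input is a constructed findings export, a simplified stand-in for a
Netsparker/ThreadFix export rather than either product's real schema.  Only
findings marked confirmed become rules: an unconfirmed finding turned into a
block rule would deny legitimate traffic for a bug that may not exist.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

SAMPLE_EXPORT = """<findings>
  <finding type="SQL Injection" url="http://shop.example/product.aspx?id=1" parameter="id" confirmed="true"/>
  <finding type="SQL Injection" url="http://shop.example/product.aspx?id=2" parameter="id" confirmed="true"/>
  <finding type="Local File Inclusion" url="http://shop.example/view.aspx?file=a.txt" parameter="file" confirmed="true"/>
  <finding type="Cross-site Scripting" url="http://shop.example/search.aspx?q=shoes" parameter="q" confirmed="true"/>
  <finding type="SQL Injection" url="http://shop.example/legacy.aspx?x=1" parameter="x" confirmed="false"/>
</findings>"""

@dataclass(frozen=True)
class Patch:
    vuln: str
    path: str
    parameter: str
    sample: str  # the value the scanner used on the confirmed request

def parse_findings(xml_text: str) -> List[Patch]:
    """Keep confirmed findings only and collapse duplicates to one patch per
    (path, parameter, vulnerability class): two SQLi hits on product.aspx?id
    need one rule, not two."""
    seen: Dict[Tuple[str, str, str], Patch] = {}
    for el in ET.fromstring(xml_text).iter("finding"):
        if el.get("confirmed", "false").lower() != "true":
            continue
        url = urlsplit(el.get("url", ""))
        param = el.get("parameter", "")
        sample = parse_qs(url.query).get(param, [""])[0]
        key = (url.path, param, el.get("type", ""))
        seen.setdefault(key, Patch(el.get("type", ""), url.path, param, sample))
    return list(seen.values())

def detection_operator(p: Patch) -> str:
    """Choose the ModSecurity operator for a patch.  Patterns are assumed
    starting points, not ThreadFix's: an allow-list when the confirmed sample
    value is a plain integer (tightest, no bypass by encoding tricks),
    otherwise a class-specific deny signature."""
    if p.vuln == "SQL Injection":
        if p.sample.isdigit():
            return "!@rx ^[0-9]{1,10}$"
        return r"@rx (?i)(['\"]|--|/\*|\b(union|select|insert|update|delete|drop|sleep|benchmark)\b)"
    if p.vuln == "Local File Inclusion":
        return r"@rx (\.\.[/\\]|^[/\\]|^[a-zA-Z]:|^[a-z]+://)"
    if p.vuln == "Cross-site Scripting":
        return r"@rx (?i)(<|>|javascript:|on[a-z]+\s*=)"
    raise ValueError(f"no virtual-patch template for {p.vuln!r}")

def render_rule(p: Patch, rule_id: int) -> str:
    """One chained rule: match the path first so the parameter check applies
    only where the bug was confirmed.  Decoding transforms run on the chained
    rule so an encoded payload is inspected as the application will see it."""
    transforms = "t:none,t:urlDecodeUni" + (",t:htmlEntityDecode" if p.vuln == "Cross-site Scripting" else "")
    msg = f"Virtual patch: {p.vuln} in {p.path} ({p.parameter})"
    return (
        f'SecRule REQUEST_FILENAME "@streq {p.path}" '
        f'"id:{rule_id},phase:2,deny,status:403,log,msg:\'{msg}\',chain"\n'
        f'    SecRule ARGS:{p.parameter} "{detection_operator(p)}" "{transforms}"\n'
    )

def generate_rules(xml_text: str, base_id: int = 10000) -> str:
    """Render rules for every confirmed, deduplicated finding.  base_id is an
    assumed local rule-id range; use one your WAF configuration has free."""
    return "\n".join(render_rule(p, base_id + i) for i, p in enumerate(parse_findings(xml_text)))

if __name__ == "__main__":
    print(generate_rules(SAMPLE_EXPORT))
```

The unconfirmed `legacy.aspx` finding produces no rule, and the two `product.aspx?id` findings produce a single allow-list rule because the confirmed sample value was numeric. A deny-signature rule is the fallback for free-text parameters and is easier to bypass, which is why the slide's own caveat stands: the virtual patch narrows the exposure window, it does not replace the code fix.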
ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Reduce risk and provide protection via virtual patching
• Translate vulnerabilities to developers in the tools they are already using
Create a consolidated view of your applications and vulnerabilities
Application Portfolio Tracking
Vulnerability Import
Vulnerability Consolidation
Prioritize application risk decisions based on data
Vulnerability Prioritization
Reporting and Metrics
Reduce risk and provide protection via virtual patching
WAF Virtual Patching
Translate vulnerabilities to developers in the tools they are already using
Defect Tracker Integration
Questions and Contact
ThreadFix
www.threadfix.it
Netsparker
www.netsparker.com