-
Web Security Everything we know is (Still) wrong (2017)
IT Summit Nov 8th
-
Eoin Keary
CEO edgescan.com
OWASP GLOBAL BOARD MEMBER 2009-2015
OWASP Project Lead
-
edgescan
Fullstack vulnerability management
Continuous
False Positive Free/Expert Validation
1000s of systems every month
Leader in Gartner Peer Insights Report
PCI ASV Certified
-
4 2012 WhiteHat Security, Inc.
HACKED
-
(Cyber crime is the) second cause of economic crime experienced
by the financial services sector PwC
556 million adults across the world have first-hand experience
of cybercrime -- more than the entire population of the European
Union.
Globally, every second, 18 adults become victims of cybercrime-
Symantec The loss of industrial information and intellectual
property through
cyber espionage constitutes the greatest transfer of wealth in
history - Gen. Keith Alexander
Cyber crime damage costs to hit $6 trillion annually by 2021
Eoin, I didnt click it My Grandma
One hundred BILLION dollars -Dr Evil
2017 so farTrump administration details leakedClash of Clans
1,000,000Cellebrite 900 GB of DataSWIFT Fake Trade Documents - 3
banks IndiaCoPilot GPS 220,000 RecordsSentara HealthCare 5,000
Patient recordsDeep Root Analytics 198,000,000 recordsEquifax
143,000,000+ Records!
Human attack surface to reach 6 billion people by 2022.
-
Its (not) the $$$$Information
security spend
Security incidents
(business impact)
-
Theres Money in them there webapps
Web applications abound in many larger companies, and remain a
popular (54% of breaches) and successful (39% of
records) attack vector.
- Verizon Data Breach Investigations Report
-
Accountability in the CloudApplication
App Server/DB/Web
Computing
Network
Storage
Application
App Server/DB/Web
Computing
Network
Storage
SaaS
PaaS
Cloud Provider
Cloud Consumer
Acc
ou
nta
ble
Acco
un
table
54% of breaches are via the application Layer
*
* Few exceptions
You can outsource hosted services but you cannot outsource
accountability
-
But we are approaching this problem completely wrong and have
been for years..
-
Problem # 1
Asymmetric Arms Race
-
A traditional end of cycle / Annual pentest only gives minimal
security..
-
There are too many variables and too little time to ensure real
security.
-
An inconvenient truth
Two weeks of ethical hacking
Ten man-years of development
Business Logic Flaws
Code Flaws
Security Errors
-
Make this more difficult: Lets change the application code once
a month.
Keeping Pace with: DevSecOpsNew VulnerabilitiesContinuous
patching requirementsNew Deployments (Services, Systems)
Continuous Testing
-
"Risk comes from not knowing what you're doing." - Warren
Buffet
-
Automated Review
A fool with a tool, is still a fool..?
In two weeks:
Consultant tune toolsUse multiple tools verify issuesCustomize
Attack Vectors to technology stackAchieve 80-90 application
functionality coverage
How experienced is the consultant?
Are they as good as the bad guys?They certainly need to be, they
only have 2 weeks, right!!?
Code may be pushed to live soon after the test.Potential window
of Exploitation could be until the next pen test.
6 mths, 9 mths, 1 year?
-
Some of the problem has moved (back) to the client.
Some Client Side vulnerabilities cant be tested via HTTP
parameter testing.
Many tools cant adequately assess certain technologies
Node/Angular APIs Flex/Flash/Air Native Mobile Web Apps Data
Storage, leakage, malware. DOM XSS JQuery, CSS, Attribute, Element,
URL fragments Uploaded client-side/Javascript malware
(Gzip/deflate/Hex encoded etc). Logical/Business Logic
Vulnerabilities.
Scanning in not enough anymore. Intelligence is required.
Orchestration is required.
Tools Alone They dont work well without strong operations and
orchestration
-
We need an Onion
SDL Design review
Threat Modeling
Code review/SAST
Negative use/abuse cases/Fuzzing/DAST
Live/Ongoing - Continuous/Frequent monitoring / Testing
Manual Validation
Vulnerability Intelligence & Priority
Dependency Management .
Situational Awareness / Alerting
We need more than Automated Scanning.
-
Problem # 2
You are what you eat
-
Software food chain
20
Application Code
COTS (Commercial off
the shelf
Outsourced development Sub-
Contractors
Bespoke outsourced
development
Bespoke Internal development
Third Party APIs
Third Party Components & Systems
Degrees of trust
You may not let some of the people who have developed your code
into your offices!!
More Less
-
2016- Open Source Security Statistics.
23% of the Components in the Average Software Application
Contain Known Vulnerabilities
60% of businesses do not keep a complete inventory (bill of
materials) of components being used in their applications.
- edgescan statistics November 2016
-
Struts - application development framework : downloaded 2
million times in the last year.
Remote Code Execution attack CVE-2017-9805
Struts 2.1.2 - 2.3.33, 2.5 - 2.5.12
https://cwiki.apache.org/confluence/display/WW/S2-052
2.1.2 9 years old
2.3.33 July 2017
2.5.x May 2017
https://struts.apache.org/downloads.html
-
Do we test for "dependency issues?
NO
Does your patch management policy cover application
dependencies?
-
Problem # 3
Bite off more than we chew
-
How can we manage vulnerabilities on a large scale.
-
We cant improve what we cant measure
-
Say 300 web applications:
300 Annual Penetration tests
10s of different penetration testers?
300 reports
How do we consume this Data?
-
Enterprise Vulnerability Intelligence:
Consolidation of vulnerability data.
Continuous active monitoring & Visibility
Vulnerability Management Alerting
Situational Awareness
-
Problem # 4
Information flooding
(Melting a developers brain, White noise and compliance)
-
Doing things right != Doing the right things.
Not all bugs/vulnerabilities are equal(is HttpOnly important if
there is no XSS?)
Contextualize Risk(is XSS /SQLi always High Risk?)
Do developers need to fix everything?- Limited time
- Finite Resources- Task Priority
- Pass internal audit?
White Noise
-
Compliance - GDPR
Theres Compliance:
EU
directive:http://register.consilium.europa.eu/pdf/en/12/st05/st05853.en12.pdf
Article 23,24 & 79, - Administrative sanctionsThe
supervisory authority shall impose a fine up to 250 000 EUR, or in
case of an enterprise up to 0.5 % of its annual worldwide turnover,
to anyone who, intentionally or negligently does not protect
personal data
-
Clear and Present Danger!!
and theres Compliance
-
Problem #5
Explain issues in Developer speak (AKA English)
-
Is Cross-Site Scripting the same as SQL injection?
Both are injection attacks -> code and data being confused by
system.
LDAP Injection, Command Injection, Log Injection, XSS, SQLI etc
etc
Think old phone systems, Captain Crunch (John Draper).
Signaling data and voice data on same logical connection Phone
Phreaking
-
XSS causes the browser to execute user supplied input as code.
The input breaks out of the "Data" context and becomes execution
context.
SQLI causes the database or source code calling the database to
confuse data [context] and ANSI SQL [ execution context].
Command injection mixes up data [context] and the command
[context].
-
So.
We need to understand what we are protecting against.
We need to understand that a pentest alone is a loosing
battle.
You can only improve what you can measure
Not all bugs are created equal.
Bugs are Bugs. Explain security issues to developers in Dev
speak
-
Thanks for listening!!
[email protected]
@eoinkeary
@edgescan
www.edgescan.com
