3. One problem, Many solutions
DAST – People's Front of Judea
RASP – Judean People's Front
IAST – Judean Popular People's Front
SAST – Popular Front of Judea
4. Web Risk
• Application Security
• Host Security
• Both / Either / Or
• It’s all software, right?
“We gotta cover all the bases; an attacker only needs to find one…”
5. Bits between the Bits
• A developer introduces bugs in code.
• A security assessment may deliver false positives/negatives.
Potential vulnerabilities in the code, and potential vulnerabilities in the assessment techniques.
8. Continuous what?
CI -> Continuous Integration
CD -> Continuous Deployment
TDD -> Test Driven Development
Continuous Maintenance
Continuous Security
9. Continuous Security
“Keeping up” with development
Assisting secure deployment
Catching bugs early – Push Left
Help ensure “change” is secure
10. Host/Server/Framework
Building bricks – Frameworks / Components
Spring, jQuery, Jade, Angular, Hibernate
13 billion open source downloads in 2014
90% of application code is framework
63%* don’t monitor component security
43%* don’t have an open source policy
* http://www.sonatype.com/about/2014-open-source-software-development-survey
11. Components
Spring (3.0.0-3.0.5) – CVE-2011-2894 – code execution
7,000,000 downloads since the vuln was discovered
CVSS: 6.8
Apache Xerces2 – CVE-2009-2625 – DoS
4,000,000 downloads since the vuln was discovered
CVSS: 5
Apache Commons HttpClient 3.x – CVE-2012-5783 – MitM
4,000,000 downloads since the vuln was discovered
CVSS: 4.9
Struts2 (2.0.0-2.3.15) – CVE-2013-2251 – remote command injection
179,050 downloads since the vuln was discovered
CVSS: 10
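What the component vulnerability management argued for on these slides looks like in practice: an inventory of declared components checked against affected version ranges. This is example code added for this page, not Sonatype's or the author's tooling. The CVE identifiers and affected ranges are the ones on the slide; the Maven coordinates, the fixed-in versions used as exclusive upper bounds (3.0.6, 4.0, 2.3.15.1) and the component inventory are assumptions and constructed sample data, and Xerces2 is left out because the slide gives no affected version range for it.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    group: str        # Maven groupId (assumed coordinates, see lead-in)
    artifact: str     # Maven artifactId
    cve: str
    first_bad: str    # first affected version, inclusive (from the slide)
    fixed_in: str     # first fixed version, exclusive (assumption)
    cvss: float       # score as quoted on the slide
    impact: str


# Ranges as stated on the slide; fixed_in values are assumptions used as
# the exclusive upper bound of the affected range.
ADVISORIES = [
    Advisory("org.springframework", "spring-core", "CVE-2011-2894",
             "3.0.0", "3.0.6", 6.8, "code execution"),
    Advisory("commons-httpclient", "commons-httpclient", "CVE-2012-5783",
             "3.0", "4.0", 4.9, "MitM"),
    Advisory("org.apache.struts", "struts2-core", "CVE-2013-2251",
             "2.0.0", "2.3.15.1", 10.0, "remote command injection"),
]


def parse_version(version):
    """'3.0.5.RELEASE' -> (3, 0, 5); '2.3.15.1' -> (2, 3, 15, 1).

    Components are compared as integers (so 2.3.15 > 2.3.9, which a string
    comparison gets wrong); a non-numeric qualifier such as .RELEASE or
    .Final ends the tuple.
    """
    parts = []
    for token in re.split(r"[.\-]", version):
        if not token.isdigit():
            break
        parts.append(int(token))
    return tuple(parts)


def in_range(version, first_bad, fixed_in):
    """True if first_bad <= version < fixed_in. Short tuples are padded
    with zeros so that 2.3 and 2.3.0 compare equal."""
    v, lo, hi = (parse_version(x) for x in (version, first_bad, fixed_in))
    width = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(lo) <= pad(v) < pad(hi)


def scan(inventory):
    """inventory: 'groupId:artifactId:version' strings, e.g. taken from
    `mvn dependency:list`. Returns (coordinate, cve, cvss, impact) tuples,
    highest CVSS first."""
    hits = []
    for coord in inventory:
        group, artifact, version = coord.split(":")
        for adv in ADVISORIES:
            if ((group, artifact) == (adv.group, adv.artifact)
                    and in_range(version, adv.first_bad, adv.fixed_in)):
                hits.append((coord, adv.cve, adv.cvss, adv.impact))
    return sorted(hits, key=lambda h: -h[2])


# Constructed sample inventory: vulnerable and patched coordinates for the
# same artifacts, plus a component with no advisory in the table above.
SAMPLE_INVENTORY = [
    "org.springframework:spring-core:3.0.5.RELEASE",
    "org.springframework:spring-core:3.1.0.RELEASE",
    "org.apache.struts:struts2-core:2.3.15",
    "org.apache.struts:struts2-core:2.3.15.1",
    "commons-httpclient:commons-httpclient:3.1",
    "org.hibernate:hibernate-core:4.3.0.Final",
]

if __name__ == "__main__":
    for coord, cve, cvss, impact in scan(SAMPLE_INVENTORY):
        print(f"{cvss:4.1f}  {cve}  {coord}  {impact}")
```

The point of the version parser is the comparison: `2.3.15` versus `2.3.15.1` and `3.0.5.RELEASE` versus `3.0.6` are exactly the cases where a string or float comparison silently reports a vulnerable build as clean.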
12. “65% of vulnerabilities discovered in 2015 by edgescan were outside of software developer control – Operating System CVE, Component CVE, Misconfiguration etc.”
– edgescan Vulnerability Statistics Report 2015
13. AppSec/Component Sec
• “If you're not doing component vulnerability
management you’re not doing appsec…”
– 90% of application code is framework
• “If you’re not doing full-stack you are not doing
security…”
– Hackers don’t give a S*#t
19. The “Anti-Scale”
New languages and programming methods
Growth of interpreted, loosely typed languages (JavaScript, Ruby, …) hurts SAST
Few automated tools to test APIs / RESTful APIs
The testing window is squeezed: is manual testing doomed!?
20. Fighting The “Anti-Scale”
Accuracy
– “Rule tuning” – DAST & SAST
– Build fails!
– White noise / suppression
– Real security vs “best practice”
– Updates to rules
Scale
– “Delta analysis”: previous vs current
– Changes
– FPs
22. Fighting The “AntiScale” - Delta Analysis
A measure of change in a target environment, focusing on the change in risk posture compared to the last assessment.
-> Closed, New, False Positives
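The delta analysis of this slide, together with the rule tuning, suppression and build-fail ideas of slide 20, as an example added for this page (not the author's code or any scanner's output format). Findings are keyed on rule plus location; the previous and current result sets and the suppression list are constructed sample data, and the severity gate that fails the build is an assumption.

```python
from dataclasses import dataclass

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule: str       # scanner rule id
    location: str   # URL or path plus parameter the rule fired on
    severity: str


def key(f):
    """Identity of a finding across runs. Severity and message text are
    deliberately excluded: a rule update may re-score or reword a finding
    that is still the same issue at the same place."""
    return (f.rule, f.location)


def delta(previous, current, suppressions, gate="high"):
    """Compare two assessments of the same target.

    previous, current: iterables of Finding from the last and this run.
    suppressions: set of keys triaged as false positive or accepted
        "best practice" noise (the output of rule tuning).
    gate: lowest severity of a NEW, unsuppressed finding that fails the build.
    """
    prev = {key(f): f for f in previous}
    cur = {key(f): f for f in current}

    closed = [prev[k] for k in prev.keys() - cur.keys()]
    new = [cur[k] for k in cur.keys() - prev.keys()]
    carried = [cur[k] for k in cur.keys() & prev.keys()]

    suppressed = [f for f in new + carried if key(f) in suppressions]
    new = [f for f in new if key(f) not in suppressions]
    carried = [f for f in carried if key(f) not in suppressions]

    # Only NEW findings block the build: carried-over ones are already
    # tracked, and failing every build on them is just white noise.
    blocking = [f for f in new if SEVERITY[f.severity] >= SEVERITY[gate]]

    return {
        "closed": sorted(closed, key=key),
        "new": sorted(new, key=key),
        "carried": sorted(carried, key=key),
        "suppressed": sorted(suppressed, key=key),
        "blocking": sorted(blocking, key=key),
        "build_fails": bool(blocking),
    }


# Constructed sample data: last run vs this run against the same app.
PREVIOUS = [
    Finding("sqli", "/search?q", "high"),
    Finding("xss", "/profile?name", "medium"),
    Finding("missing-hsts", "/", "low"),
    Finding("clickjacking", "/login", "low"),
]
CURRENT = [
    Finding("xss", "/profile?name", "medium"),           # still open
    Finding("missing-hsts", "/", "low"),                 # still open
    Finding("clickjacking", "/login", "low"),            # triaged FP last run
    Finding("sqli", "/orders?id", "high"),               # new, real
    Finding("open-redirect", "/logout?next", "medium"),  # new, already triaged FP
]
# Keys triaged as false positives. In practice store a reason and a review
# date with each one so it does not silently outlive the code it describes.
SUPPRESSIONS = {("clickjacking", "/login"), ("open-redirect", "/logout?next")}

if __name__ == "__main__":
    report = delta(PREVIOUS, CURRENT, SUPPRESSIONS)
    for bucket in ("closed", "new", "carried", "suppressed"):
        print(bucket, [key(f) for f in report[bucket]])
    print("build fails:", report["build_fails"])
```

Raising `gate` to "critical" lets the same run through; that single parameter is where the "real security vs best practice" trade-off of slide 20 is made explicit rather than buried in scanner defaults.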
23. Fighting The “Anti-Scale” – Testing like a Developer
Break testing into little pieces
Smoke / incremental vs full regression testing
“Early and Often”
– Continuous, on demand
– Testing duration drives testing frequency
24. Business & Behavioural Testing
At scale:
Can be difficult…
Technical security is covered by automation
More time to “deep dive”
25. “Future of Pentesting”
Technical vulnerabilities rooted out using technical methods/services…
Move from chasing the Top 10 (SQLi, XSS, etc.)
-To-
Behavioural, logical, business-flow assessment
26. FIN
• We can scale, but not everything is [easily] scalable
• Discover tech vulns using tech
• No “fire and forget” security
• Let’s test to mirror development methodologies
@eoinkeary
eoin@bccriskadvisory.com