SlideShare una empresa de Scribd logo

Vulnerability Management and Threat Detection trends

Descargar como PPTX, PDF
Eoin Keary
Eoin Keary

More on Vulnerability Management from Daggercon 2015 Keynote.

Internet
1 de 26
Vulnerability Management and Threat Detection by the numbers Daggercon 2015
Eoin Keary CTO/Founder edgescan.com & BCC Risk Advisory OWASP Leader/Member/Ireland Founder OWASP Global Board Member (2009-2014)
One problem, Many solutions DAST – Peoples front of Judea RASP – Judean peoples front IAST - Judean Popular People's Front SAST - Popular Front of Judea
Web Risk • Application Security • Host Security • Both / Either / Or • It’s all software right? “We gotta cover all the bases, an attacker only needs to find one…..”
Bits between the Bits • A developer Introduces bugs in code.. • A Security assessment may deliver false positives/negatives.. Potential vulnerabilities in code & Potential vulnerabilities in assessment techniques.
Market Driven Approaches to a Market Driven Problem.
Agile Risk Model Fail Early – Fail Often “Push Left”
Continuous what? CI -> Continuous Integration CD -> Continuous Deployment TDD -> Test Driven Development Continuous Maintenance Continuous Security
Continuous Security “Keeping up” with development Assisting secure deployment Catching bugs early – Push Left Help ensure “change” is secure
Host/Server/Framework Building bricks – Frameworks / Components Spring, Jquery, Jade, Angular, Hibernate 13 billion Open source downloads 2014 90% of application code is framework 63%* don’t monitor component security 43%* don’t have open source policy * http://www.sonatype.com/about/2014-open-source-software-development-survey
Components Spring (3.0-3.05) – CVE-2011-2894 – Code exe 7,000,000 downloads since vuln discovered CVSS: 6.8 Apache Xerces2 – CVE-2009-2625 – DoS 4,000,000 downloads since vuln discovered CVSS: 5 Apache Commons HttpClient 3.x - CVE-2012-5783 – MiTM 4,000,000 downloads since vuln discovered CVSS: 4.9 Struts2 (2.0-2.3.5) – CVE-2013-2251-Remote Cmd Injection 179,050 downloads since vuln discovered CVSS: 10
“65% of vulnerabilities discovered in 2015 by edgescan were outside of software developer control – Operating System CVE, Component CVE, Misconfiguration etc ..” - edgescan Vulnerability Statistics Report 2015
AppSec/Component Sec • “If you're not doing component vulnerability management you’re not doing appsec…” – 90% of application code is framework • “If you’re not doing full-stack you are not doing security…” – Hackers don’t give a S*#t
Problems?
“We Can” scale.. Automation of assessment Depth Coverage / Breadth Rigour
SCALE! Automation Event Driven Frequent/Scheduled Build Build Build
Automation!! • Jenkins, Hudson, Bamboo – Event driven – Scheduled – Incremental • CHEF, Puppet, Phoenix (immutable) Sounds great…. but
Accuracy/Information/Context The “Anti-Scale” Risk Context Business Context Accuracy Information Vs Data Human Decisions and Intel Technical constraints -> Chokepoints
The “Anti-Scale” New languages and programming methods Growth of interpreted languages with no strong typing hurts SAST (Javascript, Ruby,…) Few automated tools to test APIs / RESTful APIs Testing Window is squeezed, manual testing is doomed!?#
Fighting The “Anti-Scale” Accuracy “Rule Tuning” – DAST & SAST Build Fails! White Noise / Supression Real Security Vs “Best Practice” Updates to Rules Scale “Delta Analysis” Previous Vs Current Changes FP’s
CI Integration
Fighting The “AntiScale” - Delta Analysis Measure of change in a target environment. Focusing on change in risk posture compared to last assessment. -> Closed, New, False Positives
Fighting The “Anti-Scale”- Testing like a Developer Break testing into little pieces Smoke / Incremental Vs full regression testing “Early and Often” – Continuous, on demand – Testing duration drives testing frequency
Business & Behavioural Testing At scale: Can be Difficult ….. Technical Security is covered….Automation More Time to “Deep Dive”
“Future of Pentesting” Technical Vulnerabilities rooted out using technical methods/services ….. Move from chasing Top 10 (SQLI, XSS, etc) -To- Behavioural, Logical, Business flow assessment
FIN • We can scale but not everything is [easily] scalable • Discover Tech Vulns using Tech • No “Fire and forget” Security • Lets test to mirror development methodologies @eoinkeary eoin@bccriskadvisory.com

Recomendados

Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsJust4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsMagno Logan
 
BHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsBHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsMagno Logan
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSeniorStoryteller
 
Ops Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WayOps Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WaySeniorStoryteller
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsSeniorStoryteller
 
The R.O.A.D to DevOps
The R.O.A.D to DevOpsThe R.O.A.D to DevOps
The R.O.A.D to DevOpsSeniorStoryteller
 
The sooner the better but never too late
The sooner the better but never too lateThe sooner the better but never too late
The sooner the better but never too lateVlad Styran
 
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...QAFest
 

Recomendados

Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsJust4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsMagno Logan
 
BHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsBHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsMagno Logan
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSeniorStoryteller
 
Ops Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WayOps Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WaySeniorStoryteller
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsSeniorStoryteller
 
The R.O.A.D to DevOps
The R.O.A.D to DevOpsThe R.O.A.D to DevOps
The R.O.A.D to DevOpsSeniorStoryteller
 
The sooner the better but never too late
The sooner the better but never too lateThe sooner the better but never too late
The sooner the better but never too lateVlad Styran
 
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...QAFest
 
DevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon
 
Automation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersAutomation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersFrank Victory
 
Ensuring Security through Continuous Testing
Ensuring Security through Continuous TestingEnsuring Security through Continuous Testing
Ensuring Security through Continuous TestingTechWell
 
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...Vlad Styran
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletinAdrian Sanabria
 
Texto de Ayuda Un2_Taller de ingles
Texto de Ayuda Un2_Taller de inglesTexto de Ayuda Un2_Taller de ingles
Texto de Ayuda Un2_Taller de inglesMeztli Valeriano Orozco
 
CSA Raleigh application security and deception in the cloud
CSA Raleigh application security and deception in the cloudCSA Raleigh application security and deception in the cloud
CSA Raleigh application security and deception in the cloudPhillip Maddux
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureContinuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureDevOps Indonesia
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConShifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConTom Stiehm
 
Failure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanentFailure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanentTom Stiehm
 
Shifting Security Left - The Innovation of DevSecOps - AgileDC
Shifting Security Left - The Innovation of DevSecOps - AgileDCShifting Security Left - The Innovation of DevSecOps - AgileDC
Shifting Security Left - The Innovation of DevSecOps - AgileDCTom Stiehm
 
Evolution of The Application
Evolution of The ApplicationEvolution of The Application
Evolution of The ApplicationDaniel Miessler
 
Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Phillip Maddux
 
Security at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooSecurity at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooAlex Stamos
 
How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013bugcrowd
 
Security as a part of quality assurance
Security as a part of quality assuranceSecurity as a part of quality assurance
Security as a part of quality assuranceBoy Baukema
 
OWASP Bricks presentation from OWASP-Null combined meet at Delhi, August 2014
OWASP Bricks presentation from OWASP-Null combined meet at Delhi, August 2014OWASP Bricks presentation from OWASP-Null combined meet at Delhi, August 2014
OWASP Bricks presentation from OWASP-Null combined meet at Delhi, August 2014Abhi Balakrishnan
 
Skillful scalefull fullstack security in a state of constant flux
Skillful scalefull fullstack security in a state of constant fluxSkillful scalefull fullstack security in a state of constant flux
Skillful scalefull fullstack security in a state of constant fluxEoin Keary
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scaleEoin Keary
 

Más contenido relacionado

La actualidad más candente

DevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon
 
Automation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersAutomation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersFrank Victory
 
Ensuring Security through Continuous Testing
Ensuring Security through Continuous TestingEnsuring Security through Continuous Testing
Ensuring Security through Continuous TestingTechWell
 
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...Vlad Styran
 
CSA Raleigh application security and deception in the cloud
CSA Raleigh application security and deception in the cloudCSA Raleigh application security and deception in the cloud
CSA Raleigh application security and deception in the cloudPhillip Maddux
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureContinuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureDevOps Indonesia
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConShifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConTom Stiehm
 
Failure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanentFailure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanentTom Stiehm
 
Shifting Security Left - The Innovation of DevSecOps - AgileDC
Shifting Security Left - The Innovation of DevSecOps - AgileDCShifting Security Left - The Innovation of DevSecOps - AgileDC
Shifting Security Left - The Innovation of DevSecOps - AgileDCTom Stiehm
 
Evolution of The Application
Evolution of The ApplicationEvolution of The Application
Evolution of The ApplicationDaniel Miessler
 
Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Phillip Maddux
 
Security at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooSecurity at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooAlex Stamos
 
How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013bugcrowd
 
Security as a part of quality assurance
Security as a part of quality assuranceSecurity as a part of quality assurance
Security as a part of quality assuranceBoy Baukema
 
OWASP Bricks presentation from OWASP-Null combined meet at Delhi, August 2014
OWASP Bricks presentation from OWASP-Null combined meet at Delhi, August 2014OWASP Bricks presentation from OWASP-Null combined meet at Delhi, August 2014
OWASP Bricks presentation from OWASP-Null combined meet at Delhi, August 2014Abhi Balakrishnan
 

La actualidad más candente (20)

DevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatops
 
Automation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersAutomation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackers
 
Ensuring Security through Continuous Testing
Ensuring Security through Continuous TestingEnsuring Security through Continuous Testing
Ensuring Security through Continuous Testing
 
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletin
 
Texto de Ayuda Un2_Taller de ingles
Texto de Ayuda Un2_Taller de inglesTexto de Ayuda Un2_Taller de ingles
Texto de Ayuda Un2_Taller de ingles
 
CSA Raleigh application security and deception in the cloud
CSA Raleigh application security and deception in the cloudCSA Raleigh application security and deception in the cloud
CSA Raleigh application security and deception in the cloud
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureContinuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConShifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
 
Failure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanentFailure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanent
 
Shifting Security Left - The Innovation of DevSecOps - AgileDC
Shifting Security Left - The Innovation of DevSecOps - AgileDCShifting Security Left - The Innovation of DevSecOps - AgileDC
Shifting Security Left - The Innovation of DevSecOps - AgileDC
 
Evolution of The Application
Evolution of The ApplicationEvolution of The Application
Evolution of The Application
 
Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
 
Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)
 
Security at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooSecurity at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at Yahoo
 
How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013
 
Security as a part of quality assurance
Security as a part of quality assuranceSecurity as a part of quality assurance
Security as a part of quality assurance
 
OWASP Bricks presentation from OWASP-Null combined meet at Delhi, August 2014
OWASP Bricks presentation from OWASP-Null combined meet at Delhi, August 2014OWASP Bricks presentation from OWASP-Null combined meet at Delhi, August 2014
OWASP Bricks presentation from OWASP-Null combined meet at Delhi, August 2014
 

Similar a Vulnerability Management and Threat Detection trends

Skillful scalefull fullstack security in a state of constant flux
Skillful scalefull fullstack security in a state of constant fluxSkillful scalefull fullstack security in a state of constant flux
Skillful scalefull fullstack security in a state of constant fluxEoin Keary
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scaleEoin Keary
 
Allianz Global CISO october-2015-draft
Allianz Global CISO october-2015-draftAllianz Global CISO october-2015-draft
Allianz Global CISO october-2015-draftEoin Keary
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Achim D. Brucker
 
Who owns Software Security
Who owns Software SecurityWho owns Software Security
Who owns Software SecuritydevObjective
 
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptxSailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptxlior mazor
 
2013 michael coates-javaone
2013 michael coates-javaone2013 michael coates-javaone
2013 michael coates-javaoneMichael Coates
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...Denim Group
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Programcentralohioissa
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetuppbink
 
Continuous Deployment
Continuous DeploymentContinuous Deployment
Continuous DeploymentBrian Henerey
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gatesEoin Keary
 
Application Security Webcast
Application Security WebcastApplication Security Webcast
Application Security WebcastVlad Styran
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Eoin Keary
 
Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Eoin Keary
 
Paging, Alerting, Chaos Eng Overview
Paging, Alerting, Chaos Eng OverviewPaging, Alerting, Chaos Eng Overview
Paging, Alerting, Chaos Eng Overviewmatthewbrahms
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 

Similar a Vulnerability Management and Threat Detection trends (20)

Skillful scalefull fullstack security in a state of constant flux
Skillful scalefull fullstack security in a state of constant fluxSkillful scalefull fullstack security in a state of constant flux
Skillful scalefull fullstack security in a state of constant flux
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scale
 
Allianz Global CISO october-2015-draft
Allianz Global CISO october-2015-draftAllianz Global CISO october-2015-draft
Allianz Global CISO october-2015-draft
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
 
Who owns Software Security
Who owns Software SecurityWho owns Software Security
Who owns Software Security
 
Who Owns Software Security?
Who Owns Software Security?Who Owns Software Security?
Who Owns Software Security?
 
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptxSailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
 
Build Automate and Test Strategies - BATMAN
Build Automate and Test Strategies - BATMAN Build Automate and Test Strategies - BATMAN
Build Automate and Test Strategies - BATMAN
 
2013 michael coates-javaone
2013 michael coates-javaone2013 michael coates-javaone
2013 michael coates-javaone
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
Continuous Deployment
Continuous DeploymentContinuous Deployment
Continuous Deployment
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gates
 
Application Security Webcast
Application Security WebcastApplication Security Webcast
Application Security Webcast
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.
 
Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.
 
Paging, Alerting, Chaos Eng Overview
Paging, Alerting, Chaos Eng OverviewPaging, Alerting, Chaos Eng Overview
Paging, Alerting, Chaos Eng Overview
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 

Más de Eoin Keary

IISF-March2023.pptx
IISF-March2023.pptxIISF-March2023.pptx
IISF-March2023.pptxEoin Keary
 
Validation of vulnerabilities.pdf
Validation of vulnerabilities.pdfValidation of vulnerabilities.pdf
Validation of vulnerabilities.pdfEoin Keary
 
Does a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdfDoes a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdfEoin Keary
 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEoin Keary
 
Edgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats ReportEdgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats ReportEoin Keary
 
Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Eoin Keary
 
edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) Eoin Keary
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) Eoin Keary
 
Vulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of changeVulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of changeEoin Keary
 
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019Eoin Keary
 
Online Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat ModelOnline Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat ModelEoin Keary
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbersEoin Keary
 
Web security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud versionWeb security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud versionEoin Keary
 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbersEoin Keary
 
Ebu class edgescan-2017
Ebu class edgescan-2017Ebu class edgescan-2017
Ebu class edgescan-2017Eoin Keary
 
14. html 5 security considerations
14. html 5 security considerations14. html 5 security considerations
14. html 5 security considerationsEoin Keary
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encodingEoin Keary
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17Eoin Keary
 
02. input validation module v5
02. input validation module v502. input validation module v5
02. input validation module v5Eoin Keary
 
01. http basics v27
01. http basics v2701. http basics v27
01. http basics v27Eoin Keary
 

Más de Eoin Keary (20)

IISF-March2023.pptx
IISF-March2023.pptxIISF-March2023.pptx
IISF-March2023.pptx
 
Validation of vulnerabilities.pdf
Validation of vulnerabilities.pdfValidation of vulnerabilities.pdf
Validation of vulnerabilities.pdf
 
Does a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdfDoes a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdf
 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics Report
 
Edgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats ReportEdgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats Report
 
Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020
 
edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018)
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019)
 
Vulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of changeVulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of change
 
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
 
Online Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat ModelOnline Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat Model
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
 
Web security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud versionWeb security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud version
 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbers
 
Ebu class edgescan-2017
Ebu class edgescan-2017Ebu class edgescan-2017
Ebu class edgescan-2017
 
14. html 5 security considerations
14. html 5 security considerations14. html 5 security considerations
14. html 5 security considerations
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
 
02. input validation module v5
02. input validation module v502. input validation module v5
02. input validation module v5
 
01. http basics v27
01. http basics v2701. http basics v27
01. http basics v27
 

Último

Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleanscorenetworkseo
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxBipin Adhikari
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 

Último (20)

Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleans
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptx
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 

Vulnerability Management and Threat Detection trends

  • 1. Vulnerability Management and Threat Detection by the numbers Daggercon 2015
  • 2. Eoin Keary CTO/Founder edgescan.com & BCC Risk Advisory OWASP Leader/Member/Ireland Founder OWASP Global Board Member (2009-2014)
  • 3. One problem, Many solutions DAST – Peoples front of Judea RASP – Judean peoples front IAST - Judean Popular People's Front SAST - Popular Front of Judea
  • 4. Web Risk • Application Security • Host Security • Both / Either / Or • It’s all software right? “We gotta cover all the bases, an attacker only needs to find one…..”
  • 5. Bits between the Bits • A developer Introduces bugs in code.. • A Security assessment may deliver false positives/negatives.. Potential vulnerabilities in code & Potential vulnerabilities in assessment techniques.
  • 6. Market Driven Approaches to a Market Driven Problem.
  • 7. Agile Risk Model Fail Early – Fail Often “Push Left”
  • 8. Continuous what? CI -> Continuous Integration CD -> Continuous Deployment TDD -> Test Driven Development Continuous Maintenance Continuous Security
  • 9. Continuous Security “Keeping up” with development Assisting secure deployment Catching bugs early – Push Left Help ensure “change” is secure
  • 10. Host/Server/Framework Building bricks – Frameworks / Components Spring, Jquery, Jade, Angular, Hibernate 13 billion Open source downloads 2014 90% of application code is framework 63%* don’t monitor component security 43%* don’t have open source policy * http://www.sonatype.com/about/2014-open-source-software-development-survey
  • 11. Components Spring (3.0-3.05) – CVE-2011-2894 – Code exe 7,000,000 downloads since vuln discovered CVSS: 6.8 Apache Xerces2 – CVE-2009-2625 – DoS 4,000,000 downloads since vuln discovered CVSS: 5 Apache Commons HttpClient 3.x - CVE-2012-5783 – MiTM 4,000,000 downloads since vuln discovered CVSS: 4.9 Struts2 (2.0-2.3.5) – CVE-2013-2251-Remote Cmd Injection 179,050 downloads since vuln discovered CVSS: 10
  • 12. “65% of vulnerabilities discovered in 2015 by edgescan were outside of software developer control – Operating System CVE, Component CVE, Misconfiguration etc ..” - edgescan Vulnerability Statistics Report 2015
  • 13. AppSec/Component Sec • “If you're not doing component vulnerability management you’re not doing appsec…” – 90% of application code is framework • “If you’re not doing full-stack you are not doing security…” – Hackers don’t give a S*#t
  • 15. “We Can” scale.. Automation of assessment Depth Coverage / Breadth Rigour
  • 17. Automation!! • Jenkins, Hudson, Bamboo – Event driven – Scheduled – Incremental • CHEF, Puppet, Phoenix (immutable) Sounds great…. but
  • 18. Accuracy/Information/Context The “Anti-Scale” Risk Context Business Context Accuracy Information Vs Data Human Decisions and Intel Technical constraints -> Chokepoints
  • 19. The “Anti-Scale” New languages and programming methods Growth of interpreted languages with no strong typing hurts SAST (Javascript, Ruby,…) Few automated tools to test APIs / RESTful APIs Testing Window is squeezed, manual testing is doomed!?#
  • 20. Fighting The “Anti-Scale” Accuracy “Rule Tuning” – DAST & SAST Build Fails! White Noise / Supression Real Security Vs “Best Practice” Updates to Rules Scale “Delta Analysis” Previous Vs Current Changes FP’s
  • 22. Fighting The “AntiScale” - Delta Analysis Measure of change in a target environment. Focusing on change in risk posture compared to last assessment. -> Closed, New, False Positives
  • 23. Fighting The “Anti-Scale”- Testing like a Developer Break testing into little pieces Smoke / Incremental Vs full regression testing “Early and Often” – Continuous, on demand – Testing duration drives testing frequency
  • 24. Business & Behavioural Testing At scale: Can be Difficult ….. Technical Security is covered….Automation More Time to “Deep Dive”
  • 25. “Future of Pentesting” Technical Vulnerabilities rooted out using technical methods/services ….. Move from chasing Top 10 (SQLI, XSS, etc) -To- Behavioural, Logical, Business flow assessment
  • 26. FIN • We can scale but not everything is [easily] scalable • Discover Tech Vulns using Tech • No “Fire and forget” Security • Lets test to mirror development methodologies @eoinkeary eoin@bccriskadvisory.com