SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain

Post on 09-Jan-2016

DESCRIPTION

SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain. AppSec DC 11.13.2009 Ed Bellis VP, CISO Orbitz Worldwide ebellis@orbitz.com. But First... some context. Trip.com. eBookers. HotelClub. Orbitz.com. Orbitz For Business. NWA Booking engine. Away.com. Cheaptickets.

TRANSCRIPT

SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain

AppSec DC 11.13.2009

Ed Bellis VP, CISO

Orbitz Worldwide

ebellis@orbitz.com

But First... some context

Orbitz.com

NWA Booking engine

Orbitz For Business

Cheaptickets

Away.com

eBookers

HotelClub

Traveler Care

GORP Travel

RBS Rewards

Southwest Hotels

Orbitzgames.com

Trip.com

msn.orbitz.com

AA Booking engine

Context Matters...

...and on and on and on...

100’s of Endless Applications

1000’s of Servers

1000’s of Devices

100’s of DBs

Data Centers: multiple continents

Call Centers - follow the sun

Context Matters... VA Tools

Application

Network & Host

Database

Remediation Tracking

Jira

Remedy

...and on and on and on...

A Proposed Solution: A Case Study

Using Standards to Automate, Correlate & Measure

Centralizing the Data: Overview

Workflow: A Simple Use Case

1. NVD feed is pulled in daily.

2. Whitehat connector runs on a predefined schedule.

3. Qualys connector runs on a predefined schedule.

4(a). Security Admin manages and modifies asset information discovered by VA tools - CPE

Note: Unexpected Benefit!

5. Vulnerability data is normalized and correlated across VA results utilizing CVE and WASC-TC. Vulns are scored using CVSS / WASC-TC plus Asset/CPE data.

6. Single click defect creation from Conduit to Jira.

7. Security defect is remediated by developer and closed in Jira.

8. Conduit issues re-test of vulnerability via Sentinel API.

9. If re-test returns clean, results are fed to Conduit and vulnerability is closed.

10. Metrics can be viewed and filtered via tags added through asset mgmt.
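The normalization and correlation in step 5 and the tag filter in step 10, sketched as an added example (not code from the presentation or from Conduit). The record fields, the asset weights, the base-score-times-weight formula and every sample finding are constructed assumptions; the slides do not say how CVSS and asset data are combined.

```python
from collections import defaultdict

# Constructed sample findings; field names, hosts and CVE placeholder ids are invented.
NETWORK_SCAN = [
    {"host": "web01", "cve": "CVE-0000-0001", "cvss": 7.5},
    {"host": "web01", "cve": "CVE-0000-0002", "cvss": 5.0},
    {"host": "db01", "cve": "CVE-0000-0001", "cvss": 7.5},
]
APP_SCAN = [  # assumption: severity is already expressed on a 0-10 scale
    {"site": "web01", "class": "WASC-19", "cve": None, "severity": 9.0},
    {"site": "web01", "class": None, "cve": "cve-0000-0001", "severity": 7.5},
]
# Asset inventory as maintained in step 4(a): CPE name, criticality weight, tags.
ASSETS = {
    "web01": {"cpe": "cpe:/a:example:booking_app:1.0", "weight": 1.0, "tags": {"pci", "external"}},
    "db01": {"cpe": "cpe:/a:example:database:2.0", "weight": 0.8, "tags": {"internal"}},
}

def normalize(network, app):
    """Map both tool formats onto one record keyed by CVE id or WASC-TC class."""
    for f in network:
        yield {"asset": f["host"], "key": f["cve"].upper(), "base": f["cvss"], "source": "network"}
    for f in app:
        key = f["cve"].upper() if f["cve"] else f["class"]
        yield {"asset": f["site"], "key": key, "base": f["severity"], "source": "app"}

def correlate(records, assets):
    """Collapse duplicates on (asset, key) and attach an asset-weighted priority."""
    merged = defaultdict(lambda: {"base": 0.0, "sources": set()})
    for r in records:
        m = merged[(r["asset"], r["key"])]
        m["base"] = max(m["base"], r["base"])  # keep the highest reported score
        m["sources"].add(r["source"])
    out = []
    for (asset, key), m in merged.items():
        a = assets[asset]
        out.append({"asset": asset, "cpe": a["cpe"], "key": key, "tags": a["tags"],
                    "sources": sorted(m["sources"]),
                    "priority": round(m["base"] * a["weight"], 1)})
    return sorted(out, key=lambda v: (-v["priority"], v["asset"], v["key"]))

def by_tag(vulns, tag):
    """Tag lens: keep only vulnerabilities on assets carrying the given tag."""
    return [v for v in vulns if tag in v["tags"]]

VULNS = correlate(normalize(NETWORK_SCAN, APP_SCAN), ASSETS)
```

Five raw findings collapse to four vulnerabilities because both tools reported the same CVE on web01; that record keeps both sources, which is what lets a single re-test close it in every feed.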

Metrics via Tag Lenses

Pre-Defined Vulnerability Metrics

Filtered by Asset Tags

Many-to-Many Tag/Asset Relationship

Wheel of Pain Revisited

The Standards

CPE: Common Platform Enumeration

CVE: Common Vulnerability Enumeration

CVSS: Common Vulnerability Scoring System

WASC-TC: Web Application Security Consortium Threat Class

Today

Roadmap

CCE: Common Configuration Enumeration

XCCDF: Extensible Configuration Checklist Description Format

Additional & Emerging SCAP Standards

OVAL: Open Vulnerability Assessment Language

Q&A

Email: ebellis@orbitz.com

Twitter: http://www.twitter.com/ebellis

More Info On SCAP: http://scap.nist.gov

More Info On Conduit: http://www.honeyapps.com
