SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain. AppSec DC, 11.13.2009. Ed Bellis, VP, CISO, Orbitz Worldwide, ebellis@orbitz.com


Page 1: SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain AppSec DC 11.13.2009 Ed Bellis VP, CISO Orbitz Worldwide ebellis@orbitz.com

SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain

AppSec DC 11.13.2009

Ed Bellis, VP, CISO

Orbitz Worldwide

ebellis@orbitz.com

Page 2

But First... some context

Orbitz.com

NWA Booking engine

Orbitz For Business

Cheaptickets

Away.com

eBookers

HotelClub

Traveler Care

GORP Travel

RBS Rewards

Southwest Hotels

Orbitzgames.com

Trip.com

msn.orbitz.com

AA Booking engine

Page 3

Context Matters...

100's of Endless Applications

1000's of Servers

1000's of Devices

100's of DBs

Data Centers: multiple continents

Call Centers: follow the sun

...and on and on and on...

Page 4

Context Matters... VA Tools

VA Tools:

Application

Network & Host

Database

Remediation Tracking:

Jira

Remedy

...and on and on and on...

Page 5

A Proposed Solution: A Case Study

Page 6

Using Standards to Automate, Correlate & Measure

Page 7

Centralizing the Data: Overview

Page 8

Workflow: A Simple Use Case

1. NVD feed is pulled in daily.

Page 9

A Workflow Use Case

2. WhiteHat connector runs on a predefined schedule.

Page 10

A Workflow Use Case

3. Qualys connector runs on a predefined schedule.

Page 11

A Workflow Use Case

4(a). Security Admin manages and modifies asset information discovered by VA tools (CPE).

Note: Unexpected Benefit!

Page 12

A Workflow Use Case

5. Vulnerability data is normalized and correlated across VA results utilizing CVE and WASC-TC. Vulns are scored using CVSS / WASC-TC plus Asset/CPE data.

Page 13

A Workflow Use Case

6. Single-click defect creation from Conduit to Jira.

Page 14

A Workflow Use Case

7. Security defect is remediated by developer and closed in Jira.

Page 15

A Workflow Use Case

8. Conduit issues re-test of vulnerability via Sentinel API.

Page 16

A Workflow Use Case

9. If re-test returns clean, results are fed to Conduit and vulnerability is closed.

Page 17

A Workflow Use Case

10. Metrics can be viewed and filtered via tags added through asset mgmt.

Page 18

Metrics via Tag Lenses

Pre-Defined Vulnerability Metrics

Filtered by Asset Tags

Many-to-Many Tag/Asset Relationship
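The ten-step workflow above (normalize across VA sources, correlate on CVE / WASC-TC, score with CVSS plus asset data, close on a clean re-test, report through tag lenses) as an added worked example. This is not Conduit's code and the scanner exports are simplified constructed stand-ins, not the WhiteHat or Qualys formats; the asset inventory, tag weights and placeholder CVE ids are assumptions made for the example.

```python
"""Constructed example of the slide-deck workflow: findings from two
vulnerability-assessment (VA) sources are normalized onto one record type,
correlated by their standard identifier (CVE for host findings, WASC-TC for
web-app findings), scored from CVSS plus asset data, and reported through
asset-tag "lenses". Not Conduit's code; exports are constructed stand-ins."""
from dataclasses import dataclass, field

# Constructed asset inventory: a CPE name plus a set of tags per asset.
# Tags are many-to-many (an asset carries several; a tag spans several assets).
ASSETS = {
    "web01": {"cpe": "cpe:/a:apache:http_server:2.2.11", "tags": {"pci", "internet-facing"}},
    "web02": {"cpe": "cpe:/a:apache:http_server:2.2.11", "tags": {"internet-facing"}},
    "db01":  {"cpe": "cpe:/a:oracle:database_server:10.2.0.4", "tags": {"pci", "internal"}},
}

# Assumed weighting: the asset's most sensitive tag scales the CVSS base score.
TAG_WEIGHT = {"pci": 2.0, "internet-facing": 1.2}

# Constructed host/network scanner export (finding keyed by CVE id).
# The CVE ids are placeholders, not real entries.
NETWORK_SCAN = [
    {"host": "web01", "cve": "CVE-0000-0001", "cvss": 7.5},
    {"host": "web02", "cve": "CVE-0000-0001", "cvss": 7.5},
    {"host": "db01",  "cve": "CVE-0000-0002", "cvss": 4.0},
]
# Constructed web-app scanner export (finding keyed by WASC Threat Class id).
# The second record duplicates the first, as repeated scans tend to do.
APP_SCAN = [
    {"host": "web01", "wasc": "WASC-08", "name": "Cross-Site Scripting", "cvss": 4.0},
    {"host": "web01", "wasc": "WASC-08", "name": "Cross-Site Scripting", "cvss": 4.0},
]


@dataclass
class Vuln:
    asset: str
    key: str                  # CVE id or WASC-TC id: the correlation key
    cvss: float               # CVSS base score as reported by the scanner
    sources: set = field(default_factory=set)
    status: str = "open"

    def risk(self, assets=ASSETS):
        """CVSS base score scaled by the asset's highest tag weight, capped at 10.0."""
        weights = [TAG_WEIGHT.get(t, 1.0) for t in assets[self.asset]["tags"]]
        return round(min(10.0, self.cvss * max(weights, default=1.0)), 1)


def normalize(network, app):
    """Step 5: map both exports onto Vuln records keyed by (asset, standard id).
    Two findings with the same key on the same asset collapse into one record
    that remembers every source that reported it."""
    merged = {}
    for rec in network:
        key = (rec["host"], rec["cve"])
        merged.setdefault(key, Vuln(rec["host"], rec["cve"], rec["cvss"])).sources.add("network")
    for rec in app:
        key = (rec["host"], rec["wasc"])
        merged.setdefault(key, Vuln(rec["host"], rec["wasc"], rec["cvss"])).sources.add("app")
    return list(merged.values())


def close_if_clean(vuln, retest_clean):
    """Steps 8-9: a clean re-test closes the vulnerability; otherwise it stays open."""
    if retest_clean:
        vuln.status = "closed"
    return vuln.status


def metrics_by_tag(vulns, tag, assets=ASSETS):
    """Step 10 / tag lens: open-finding count and highest risk across assets carrying `tag`."""
    subset = [v for v in vulns if v.status == "open" and tag in assets[v.asset]["tags"]]
    return {"open": len(subset), "max_risk": max((v.risk(assets) for v in subset), default=0.0)}


if __name__ == "__main__":
    findings = normalize(NETWORK_SCAN, APP_SCAN)
    for v in findings:
        print(f"{v.asset:6} {v.key:14} cvss={v.cvss} risk={v.risk()} via={sorted(v.sources)}")
    for lens in ("pci", "internet-facing", "internal"):
        print(lens, metrics_by_tag(findings, lens))
```

The correlation key is deliberately the standard identifier rather than the scanner's own finding id, which is what lets two tools' results for the same asset collapse into one record; a finding with no CVE or WASC-TC id would fall through this merge and needs separate handling.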

Page 19

Wheel of Pain Revisited

Page 20

The Standards

Today:

CPE: Common Platform Enumeration

CVE: Common Vulnerability Enumeration

CVSS: Common Vulnerability Scoring System

WASC-TC: Web Application Security Consortium Threat Class

Roadmap:

CCE: Common Configuration Enumeration

XCCDF: Extensible Configuration Checklist Description Format
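An added example of how the CPE and CVE standards on this slide work together in practice, tying step 1 (daily NVD feed) to step 4 (security admin curating asset CPE data): it parses CPE 2.2 URIs, matches the vulnerable-platform list of NVD-style entries against an asset inventory, and flags assets that cannot be correlated because they have no CPE. This is not Conduit's code or the NVD's own matching logic; the feed entries, CVE ids and asset names are constructed placeholders.

```python
"""Constructed example: CPE 2.2 parsing and matching of NVD-style feed entries
against an asset inventory. Feed records and asset names are stand-ins, the
CVE ids are placeholders, and none of this is Conduit's code."""

# CPE 2.2 URI components, in order: cpe:/part:vendor:product:version:update:edition:language
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(uri):
    """Split a CPE 2.2 URI into its seven components.
    Trailing components may be omitted; they parse as "" and act as wildcards."""
    prefix = "cpe:/"
    if not uri.startswith(prefix):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    comps = uri[len(prefix):].split(":")
    if len(comps) > len(CPE_FIELDS) or comps[0] not in ("a", "h", "o"):
        raise ValueError(f"malformed CPE 2.2 URI: {uri!r}")
    comps += [""] * (len(CPE_FIELDS) - len(comps))
    return dict(zip(CPE_FIELDS, comps))


def cpe_matches(pattern, target):
    """True when every non-empty component of `pattern` equals that of `target`.
    A versionless pattern (the feed's way of saying 'all versions') matches any version."""
    p, t = parse_cpe(pattern), parse_cpe(target)
    return all(p[f] in ("", t[f]) for f in CPE_FIELDS)


# Constructed NVD-style entries; the ids are placeholders, not real CVEs.
NVD_FEED = [
    {"id": "CVE-0000-0001", "cvss": 7.5,
     "vulnerable_cpes": ["cpe:/a:apache:http_server:2.2.11",
                         "cpe:/a:apache:http_server:2.2.12"]},
    {"id": "CVE-0000-0002", "cvss": 4.3,
     "vulnerable_cpes": ["cpe:/a:oracle:database_server"]},   # no version: every version
    {"id": "CVE-0000-0003", "cvss": 9.3,
     "vulnerable_cpes": ["cpe:/o:microsoft:windows_2003_server"]},
]

# Constructed inventory (step 4 of the workflow): one asset has no CPE yet.
ASSET_CPES = {
    "web01": "cpe:/a:apache:http_server:2.2.11",
    "web02": "cpe:/a:apache:http_server:2.2.14",
    "db01": "cpe:/a:oracle:database_server:10.2.0.4",
    "legacy01": None,
}


def correlate(feed, asset_cpes):
    """Return ({asset: [cve ids]} for assets with a CPE, [assets lacking a CPE]).
    An asset without a CPE cannot be correlated with the feed at all, which is
    the reason a security admin curates CPE data in the inventory."""
    exposures, missing = {}, []
    for asset, cpe in asset_cpes.items():
        if not cpe:
            missing.append(asset)
            continue
        exposures[asset] = [
            entry["id"] for entry in feed
            if any(cpe_matches(pat, cpe) for pat in entry["vulnerable_cpes"])
        ]
    return exposures, missing


if __name__ == "__main__":
    hits, unmapped = correlate(NVD_FEED, ASSET_CPES)
    for asset, cves in hits.items():
        print(asset, cves or "no matching entries")
    print("assets without CPE (not correlatable):", unmapped)
```

The wildcard rule is the point to watch: a feed entry that names only vendor and product will match every version of that product in the inventory, so an inventory whose CPEs omit the version will over-report, and one whose CPEs are missing altogether will silently under-report, which is why the uncorrelatable list is returned alongside the matches.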

Page 21

Additional & Emerging SCAP Standards

OVAL: Open Vulnerability Assessment Language

Page 22

Q&A

Email: ebellis@orbitz.com

Twitter: http://www.twitter.com/ebellis

More Info On SCAP: http://scap.nist.gov

More Info On Conduit: http://www.honeyapps.com