The Search for Intelligent Life (SecTor 2011)
Nice To Meet You

About Me
- Co-Founder, HoneyApps
- Former CISO, Orbitz
- Contributing Author, Beautiful Security
- CSO Magazine/Online Author

HoneyApps
- Vulnerability Management as a Service
- 16 Hot Startups - eWeek
- 3 Startups to Watch - Information Week
Stage 2: Where are all of my vulnerabilities?

“Back in my Yahoo days I performed hundreds of web application vulnerability assessments. To streamline the workload, I created an assessment methodology consisting of a few thousand security tests averaging 40 hours to complete per website. Yahoo had over 600 websites enterprise-wide. To assess the security of every website would have taken over 11 years to complete, and the other challenge was that these websites would change all the time, which decayed the value of my reports.”
Jeremiah Grossman, Founder, WhiteHat Security
Vulnerability Management: A Case Study
Building the Warehouse

WebApp Vulnerability
- Type: XSS
- Severity
- Threat
- Subtype (persistent, reflected, etc.)
- Asset URL/URI
- Confirmed?
- Dates Found/Opened
- Dates Closed
- Description
- Attack Parameters

Asset: URL
- Platform / Code
- Web Server Version
- Application Server Version
- Database Version

Asset: Host
- Host Operating System
- Other Applications/Versions
- IP Addresses
- MAC Address
- Open Services/Ports
Vulnerability Management: A Case Study
Meta Data
- Business Unit
- Geographic Location
- Development Team
- Ops Team
- Compliance Regulation
- Security Policy
- Internal IP Address
- External IP Address
- Network Location
- Site Name
- Asset Group
- VERIS data

Vulnerability Management: A Case Study
Apply Internal Threat Data
- IDS/IPS
- WAF
- Application Firewall
Vulnerability Management: A Case Study
Apply External Threat Data
Example Data Sources
- DataLossDB
- Verizon DBIR
- WHID
- Trustwave Global Security Report
- FS-ISAC
- SANS ISC
- Veracode State of S/W Security
- ExploitDB
Vulnerability Management: A Case Study
Remediation Statistics
- Internal Bug Tracking Reports
- Denim Group Remediation Study
- Build and Development Process
Got MSSP?
The Alex Hutton Formula:
My (vuln posture * other threat activity) / (other vuln posture * other threat activity)
OR
When Will Our Luck Run Out?
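The warehouse records from the "Building the Warehouse" and "Meta Data" slides, the internal and external threat enrichment, and the ratio on this slide, as an added Python example that is not part of the deck or of HoneyApps' product. The record fields follow the slide labels; the hosts, URLs, findings, IDS/WAF event counts, external prevalence weights and the 1..5 severity scale are all constructed for the example, and the scoring rule (severity times internal hits times external prevalence, halved while unconfirmed) is my own illustration of combining the three data layers, not a formula from the talk.

```python
# Added example: a toy vulnerability warehouse shaped like the deck's records plus the
# slide's ratio. Not the deck's own code; every record, event count and weight is constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Host:
    """Asset: Host record (OS, IPs, MAC, open services/ports)."""
    name: str
    operating_system: str
    ip_addresses: list
    mac_address: str
    open_ports: list

@dataclass
class UrlAsset:
    """Asset: URL record; `meta` carries the Meta Data slide (Business Unit, Compliance...)."""
    url: str
    platform: str
    web_server: str
    app_server: str
    database: str
    host: Host
    meta: dict = field(default_factory=dict)

@dataclass
class WebAppVuln:
    """WebApp Vulnerability record: type, subtype, severity, asset, confirmed, dates."""
    vuln_type: str
    subtype: str
    severity: int              # constructed 1..5 scale
    asset: UrlAsset
    confirmed: bool
    found: date
    closed: Optional[date] = None
    attack_parameters: list = field(default_factory=list)   # affected parameter names

    def is_open(self) -> bool:
        return self.closed is None

    def age_days(self, today: date) -> int:
        """Days open so far, or days taken to close: the raw input for remediation stats."""
        return ((self.closed or today) - self.found).days

def vuln_posture(vulns) -> int:
    """Posture: summed severity of findings that are still open."""
    return sum(v.severity for v in vulns if v.is_open())

def posture_by_meta(vulns, key: str) -> dict:
    """Roll open severity up by one Meta Data attribute, e.g. "Business Unit"."""
    totals = {}
    for v in vulns:
        if v.is_open():
            label = v.asset.meta.get(key, "unknown")
            totals[label] = totals.get(label, 0) + v.severity
    return totals

def internal_hits(events, vuln: WebAppVuln) -> int:
    """Internal threat data: IDS/IPS/WAF events against this URL in this attack class."""
    return sum(1 for url, kind in events if url == vuln.asset.url and kind == vuln.vuln_type)

def prioritize(vulns, events, external_weight: dict):
    """Score open findings as severity * (1 + internal hits) * external prevalence weight,
    halved while unconfirmed; returns (score, vuln) pairs, highest first."""
    scored = []
    for v in vulns:
        if v.is_open():
            score = v.severity * (1 + internal_hits(events, v)) * external_weight.get(v.vuln_type, 1.0)
            scored.append((score * (1.0 if v.confirmed else 0.5), v))
    return sorted(scored, key=lambda pair: pair[0], reverse=True)

def hutton_ratio(my_posture, my_threat, other_posture, other_threat):
    """The slide's ratio; None when the comparison population has no data to divide by."""
    denominator = other_posture * other_threat
    return None if denominator == 0 else (my_posture * my_threat) / denominator

# --- constructed sample data (not from the deck) ---
HOST = Host("web01", "Linux", ["10.0.0.5", "203.0.113.10"], "00:11:22:33:44:55", [80, 443])
SHOP = UrlAsset("https://shop.example.test/", "Java", "Apache 2.2", "Tomcat 6", "MySQL 5.1",
                HOST, {"Business Unit": "Retail", "Compliance Regulation": "PCI"})
INTRANET = UrlAsset("https://intranet.example.test/", "PHP", "Apache 2.2", "-", "MySQL 5.1",
                    HOST, {"Business Unit": "Corporate"})
TODAY = date(2011, 10, 18)
VULNS = [
    WebAppVuln("XSS", "reflected", 3, SHOP, True, date(2011, 9, 1), attack_parameters=["q"]),
    WebAppVuln("SQLi", "blind", 5, SHOP, True, date(2011, 8, 15)),
    WebAppVuln("XSS", "persistent", 4, INTRANET, False, date(2011, 9, 20)),
    WebAppVuln("CSRF", "", 2, INTRANET, True, date(2011, 7, 1), closed=date(2011, 8, 1)),
]
EVENTS = [(SHOP.url, "XSS")] * 12 + [(SHOP.url, "SQLi")] * 3   # constructed IDS/WAF stream
EXTERNAL = {"XSS": 1.5, "SQLi": 2.0}   # constructed stand-in for external report prevalence

if __name__ == "__main__":
    for score, v in prioritize(VULNS, EVENTS, EXTERNAL):
        print(f"{score:5.1f}  {v.vuln_type:<4} {v.subtype:<10} {v.asset.url}  {v.age_days(TODAY)}d open")
    print("open severity by business unit:", posture_by_meta(VULNS, "Business Unit"))
    print("ratio vs peers (posture 20, threat 10):", hutton_ratio(vuln_posture(VULNS), len(EVENTS), 20, 10))
```

Running it ranks the reflected XSS on the shop site above the blind SQL injection because twelve WAF hits already target that URL and parameter, which is the point of joining internal threat data to the vulnerability record rather than sorting on severity alone. The metadata roll-up answers the "where are all of my vulnerabilities?" question per business unit, and the ratio helper returns None rather than dividing by zero when there is no peer data to compare against, which is the practical caveat for the formula: without a comparison population it has no value.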
Resources Referenced
- Verizon DBIR http://www.verizonbusiness.com/dbir/
- Denim Group - Real Cost of S/W Remediation http://www.slideshare.net/denimgroup/real-cost-of-software-remediation
- VERIS Framework https://www2.icsalabs.com/veris/
- DataLoss DB http://datalossdb.org/
- TrustWave Global Security Report https://www.trustwave.com/GSR
- WASC Web App Security Stats http://projects.webappsec.org/w/page/13246989/Web-Application-Security-Statistics
- FS-ISAC http://www.fsisac.com/
- SANS Internet Storm Center http://isc.sans.org/
- XForce http://xforce.iss.net/
- WHID http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database/
- ExploitDB http://www.exploit-db.com/
- Veracode SOSS http://www.veracode.com/images/pdf/soss/veracode-state-of-software-security-report-volume2.pdf
Q & A

Follow us
- the blog: http://blog.honeyapps.com/
- http://www.honeyapps.com/signup
- @risk_io
- @ebellis

And one more thing....
We’re Hiring! https://www.risk.io/jobs