© 2019 Denim Group – All Rights Reserved
Building a world where technology is trusted.
Enumerating Enterprise
Attack Surface
Dan Cornell | CTO
Dan Cornell
• Founder and CTO of Denim
Group
• Software developer by
background
• OWASP San Antonio co-leader
• 20 years experience in software
architecture, development, and
security
Advisory
Services
Assessment
Services
Remediation
Services
Vulnerability Resolution
Platform
Building a world where technology is trusted
How we can help:
Denim Group is solely focused on helping build resilient
software that will withstand attacks.
• Since 2001, helping secure software
• Development background
• Tools + services model
So You Want To Roll Out a
Software Security Program?
• Great!
• What a software security program ISN’T
• Question: “What are you doing to address software
security concerns?”
• Answer: “We bought scanner XYZ”
• What a software security program IS
• People, process, tools (naturally)
• Set of activities intended to repeatedly produce
appropriately-secure software
Challenges Rolling Out
Software Security Programs
• Resources
• Raw budget and cost issues
• Level of effort issues
• Resistance: requires organizational change
• Apparently people hate this
• Open source tools
• Can help with raw budget issues
• May exacerbate problems with level of effort
• View the rollout as a multi-stage process
• Not one magical effort
• Use short-term successes and gains to fuel further change
You can’t defend unknown
attack surface
If everything is important
then nothing is important
[Translation]
Find out what applications you
have in your organization
Decide the relative importance of
applications and treat them
differently based on this
What Is Your Software
Attack Surface?
Software You
Currently Know
About
Why?
• Lots of value flows through it
• Auditors hassle you about it
• Formal SLAs with customers mention it
• Bad guys found it and caused an
incident (oops)
What?
• Critical legacy systems
• Notable web applications
What Is Your Software
Attack Surface?
Add In the Rest
of the Web
Applications You
Actually Develop
and Maintain
Why Did You Miss Them?
• Forgot it was there
• Line of business procured through non-standard channels
• Picked it up through a merger /
acquisition
What?
• Line of business applications
• Event-specific applications
What Is Your Software
Attack Surface?
Add In the
Software You
Bought from
Somewhere
Why Did You Miss Them?
• Most scanners only really work on web
applications, so no vendors pester you
about your non-web applications
• Assume the application vendor is
handling security
What?
• More line of business applications
• Support applications
• Infrastructure applications
What Is Your Software
Attack Surface?
MOBILE!
THE CLOUD!
Why Did You Miss Them?
• Any jerk with a credit card and the ability
to submit an expense report now runs
their own private procurement office
What?
• Support for line of business functions
• Marketing and promotion
Attack Surface: The
Security Officer’s Journey
• Two Dimensions:
• Perception of Software Attack Surface
• Insight into Exposed Assets
• As perception of the problem of attack
surface widens, the scope of the problem
increases
• Discovery activities increase insight
• Over time you end up with a progression
• When you reach this point it is called
“enlightenment”
• You won’t reach this point
[Chart, slides 11 to 25: Perception on one axis, Insight on the other. Application categories appear in the order Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications; each is added as perception widens, and discovery then fills in insight for it]
First Decision
• What is considered to be in scope?
• Depends on how you want to manage
vulnerabilities and manage risk
Process
• Identify Application “Homes”
• Enumerate Applications
• Collect Metadata
• Repeat as Needed
So Where Are These Applications?
• Your Datacenters
• 3rd Party Datacenters
• Cloud Providers
Enumerating Applications
• Technical
• Network inspection
• DNS and other registry inspection
• Non-technical
• Interviews
• Other research
IP Range Detection
• IPOsint: https://github.com/j3ssie/IPOsint
• ip-osint.py -t CompanyName
• Data sources:
• Whois
• RIPE
• ARIN
• Hurricane Electric (BGP toolkit)
• Censys
• SecurityTrails
Network Inspection
• nmap: https://nmap.org/
• Look for common web server ports:
• 80, 443, 8000, 8008, 8080, 8443
• Others depending on your environment
• nmap -sS -p 80,443,8000,8008,8080,8443 x.y.z.0/24
• -sS needs raw-socket privileges (root); unprivileged, use -sT (connect scan)
• Add -oG or -oX so the results can be parsed and correlated later
• Great for dense environments you control
• Largely datacenters
https://www.denimgroup.com/resources/blog/2016/03/threadfix-in-action-discovering-your-organizations-software-attack-surface-web-app-edition/
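The scan above only becomes attack-surface data once its output is parsed and the hosts that actually answer on a web port are separated from those where a firewall dropped the probe. The following is an added example for this page, not code from the slides or from Denim Group: it parses nmap grepable output (-oG) for the port list on the slide. The sample scan output is constructed, and the command it assumes is the slide's with -oG added.

```python
"""Parse nmap grepable output (-oG) into the set of hosts that expose a
web-server port. Added example for this page, not code from the slides.

Assumed scan command (the one on the slide, plus -oG to keep the output):
    nmap -sS -p 80,443,8000,8008,8080,8443 -oG scan.gnmap x.y.z.0/24
-sS needs raw-socket privileges (root/sudo); as an unprivileged user run
-sT (TCP connect scan) instead, which gives the same open/closed answer.
"""
import re
from collections import defaultdict

# Ports from the slide; extend for your environment.
WEB_PORTS = {80, 443, 8000, 8008, 8080, 8443}

# Constructed -oG output for illustration, not a real scan.
# Each port entry is port/state/protocol/owner/service/rpc/version/
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Tue Mar  5 10:00:00 2019 as: nmap -sS -p 80,443,8000,8008,8080,8443 -oG scan.gnmap 10.20.30.0/24
Host: 10.20.30.10 (www.corp.internal)\tStatus: Up
Host: 10.20.30.10 (www.corp.internal)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (3)
Host: 10.20.30.11 ()\tStatus: Up
Host: 10.20.30.11 ()\tPorts: 8080/filtered/tcp//http-proxy///\tIgnored State: closed (5)
Host: 10.20.30.12 ()\tStatus: Up
Host: 10.20.30.12 ()\tPorts: 8443/open/tcp//https-alt///, 8080/open/tcp//http-proxy///\tIgnored State: closed (4)
# Nmap done at Tue Mar  5 10:00:09 2019 -- 256 IP addresses (3 hosts up) scanned in 9.01 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")


def parse_nmap_grepable(text):
    """Return {ip: {"name": reverse-DNS name or "", "ports": [(port, state, proto, service)]}}."""
    hosts = defaultdict(lambda: {"name": "", "ports": []})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:                      # comment lines and blank lines
            continue
        ip, name, rest = m.groups()
        entry = hosts[ip]
        if name:
            entry["name"] = name
        # The remainder is tab-separated: "Status: Up", "Ports: ...", "Ignored State: ..."
        for field in rest.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for item in field[len("Ports:"):].split(","):
                parts = item.strip().split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue
                entry["ports"].append((int(parts[0]), parts[1], parts[2], parts[4]))
    return dict(hosts)


def web_hosts(hosts, web_ports=WEB_PORTS):
    """Hosts with at least one *open* TCP port in web_ports.

    'filtered' is deliberately not counted: it means a firewall dropped the
    probe, not that a web server answered, and counting it inflates the
    inventory with listeners nobody can reach.
    """
    exposed = {}
    for ip, entry in sorted(hosts.items()):
        open_web = sorted(p for p, state, proto, _ in entry["ports"]
                          if proto == "tcp" and state == "open" and p in web_ports)
        if open_web:
            exposed[ip] = open_web
    return exposed


if __name__ == "__main__":
    for ip, ports in web_hosts(parse_nmap_grepable(SAMPLE_GNMAP)).items():
        print(f"{ip}: {ports}")
```

Run it against a real scan by replacing SAMPLE_GNMAP with the contents of scan.gnmap; the ip-to-ports map it returns is the piece of the inventory that DNS names and the business view get correlated against.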
DNS Inspection
• SubFinder: https://github.com/subfinder/subfinder
• docker run -it subfinder -d target.org
• Can get even more data with service-specific
API keys
• OWASP Amass: https://github.com/OWASP/Amass
• sudo docker run amass --passive -d target.org
• Amass 3.x and later expect a subcommand: amass enum -passive -d target.org
Mobile Application Identification
• Scumblr: https://github.com/Netflix-Skunkworks/Scumblr
• Purpose of tool evolved over time
• Not currently maintained – looking for
maintainers
Interviews
• Line-of-business representatives
• Will need to translate their definition of
“application” to your definition
• Think in terms of business processes and
these can map to multiple applications and
microservices
• Tech leads
• More familiar with the deployed infrastructure
and other assets
Other Research
• Disaster recovery plans
• Accounting
• Invoices show which cloud providers you are paying
What is an “Application”
• What assets do we have?
• IP addresses
• Host names
• Mobile apps
• Business view of “applications”
• Challenge: Create a consolidated view
• Challenge: Correlate applications and the
supporting infrastructure
Collect Metadata
• Technical: Language, Scale
• Architectural: Web, Mobile
• Exposure: Public, Partner, Internal
• Regulatory: PCI, HIPAA, GDPR
Value and Risk Are Not
Equally Distributed
• Some Applications Matter More Than Others
• Value and character of data being managed
• Value of the transactions being processed
• Cost of downtime and breaches
• Therefore All Applications Should Not Be
Treated the Same
• Allocate different levels of resources to assurance
• Select different assurance activities
• Also must often address compliance and
regulatory requirements
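The three slides above (the consolidated view, the metadata, and the decision to treat applications differently) are the Process steps in code form: take what enumeration found, attach it to the business view, flag what nobody claims, and tier by the metadata. The block below is an added example for this page, not code from the slides or from Denim Group. Every input is constructed, the hostnames and 203.0.113.x addresses are documentation placeholders, and the tier weights are an illustrative assumption, not the deck's rule.

```python
"""Consolidate discovery output into an application inventory, flag the
attack surface nobody has claimed, and tier applications by metadata.
Added example for this page, not code from the slides. All inputs are
constructed; the tiering weights are an illustrative assumption.

  DNS_ENUM_OUTPUT  names as subfinder/amass print them      (enumerate)
  RESOLVED         name -> IP, e.g. from dig or amass -ip     (enumerate)
  WEB_LISTENERS    ip -> open web ports, e.g. from nmap -oG  (enumerate)
  BUSINESS_APPS    the interview view, with its metadata     (collect metadata)
"""

DNS_ENUM_OUTPUT = """\
www.example.com
WWW.example.com
api.example.com
*.dev.example.com
promo2018.example.com
vpn.example.com
claims.example.com
"""

RESOLVED = {
    "www.example.com": "203.0.113.10",
    "api.example.com": "203.0.113.11",
    "promo2018.example.com": "203.0.113.20",
    "vpn.example.com": "203.0.113.30",
    "claims.example.com": "203.0.113.31",
}

WEB_LISTENERS = {
    "203.0.113.10": [443],
    "203.0.113.11": [443, 8443],
    "203.0.113.20": [80, 443],
    "203.0.113.31": [443],
    "203.0.113.40": [8080],   # answers on a web port but has no DNS name
}

BUSINESS_APPS = [
    {"name": "Customer Portal", "hosts": ["www.example.com", "api.example.com"],
     "exposure": "public", "regulatory": ["PCI"], "data_value": "high"},
    {"name": "Partner Claims Feed", "hosts": ["claims.example.com"],
     "exposure": "partner", "regulatory": ["HIPAA"], "data_value": "medium"},
    {"name": "Intranet Wiki", "hosts": ["wiki.example.internal"],
     "exposure": "internal", "regulatory": [], "data_value": "low"},
]


def normalize_names(raw):
    """Lower-case, strip trailing dots, drop duplicates and wildcard records."""
    names = set()
    for line in raw.splitlines():
        name = line.strip().lower().rstrip(".")
        if name and not name.startswith("*."):
            names.add(name)
    return names


def consolidate(names, resolved, listeners, apps):
    """Return (inventory, unclaimed).

    inventory: app name -> its hosts (IP, open web ports) plus metadata.
    unclaimed: names or bare IPs that answer on a web port but that no
               application in the business view claims: the unknown
               attack surface the deck says you cannot defend.
    """
    claimed = {h.lower(): app["name"] for app in apps for h in app["hosts"]}
    inventory = {}
    for app in apps:
        hosts = {}
        for h in app["hosts"]:
            ip = resolved.get(h.lower())          # None: discovery never saw it
            hosts[h.lower()] = {"ip": ip, "ports": listeners.get(ip, []) if ip else []}
        inventory[app["name"]] = {"hosts": hosts,
                                  **{k: app[k] for k in ("exposure", "regulatory", "data_value")}}
    unclaimed = {}
    for name in sorted(names - set(claimed)):
        ip = resolved.get(name)
        ports = listeners.get(ip, []) if ip else []
        if ports:
            unclaimed[name] = {"ip": ip, "ports": ports}
    named_ips = {resolved[n] for n in names if n in resolved}
    for ip, ports in listeners.items():
        if ip not in named_ips and ports:
            unclaimed[ip] = {"ip": ip, "ports": ports}
    return inventory, unclaimed


def tier(app):
    """1 = most assurance effort, 3 = least. Weights are an assumption."""
    score = {"public": 2, "partner": 1, "internal": 0}[app["exposure"]]
    score += 2 if app["regulatory"] else 0
    score += {"high": 2, "medium": 1, "low": 0}[app["data_value"]]
    return 1 if score >= 5 else 2 if score >= 3 else 3


if __name__ == "__main__":
    inventory, unclaimed = consolidate(
        normalize_names(DNS_ENUM_OUTPUT), RESOLVED, WEB_LISTENERS, BUSINESS_APPS)
    for name, app in inventory.items():
        print(f"Tier {tier(app)}: {name} -> {sorted(app['hosts'])}")
    for asset, info in unclaimed.items():
        print(f"UNCLAIMED: {asset} {info}")
```

Two things the output shows that the inputs alone do not: the forgotten event site (promo2018) and a bare IP with a listener both land in the unclaimed list, which is the queue for the next round of interviews, and a claimed host with no IP (the wiki) means discovery never covered that namespace, which is a gap in enumeration rather than a dead asset. The tier decides how much assurance work each application gets; the rule is deliberately simple so it can be argued with.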
Rinse and Repeat
• This list will change over time
• Metadata will change
• This is especially true in a world of
microservices
You can’t defend unknown
attack surface
If everything is important
then nothing is important
[Translation]
Find out what applications you
have in your organization
Decide the relative importance of
applications and treat them
differently based on this
Questions
Building a world where technology is trusted.
@denimgroup
www.denimgroup.com
dan@denimgroup.com

More Related Content

What's hot

The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
Denim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
Denim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Denim Group
 

What's hot (20)

How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program
 
Securing Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term ElectionsSecuring Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term Elections
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
 
2018 NAMIC - Practical Applications for Web Services
2018 NAMIC - Practical Applications for Web Services2018 NAMIC - Practical Applications for Web Services
2018 NAMIC - Practical Applications for Web Services
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability Remediation
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
 
2018 NAMIC Farm Forum
2018 NAMIC Farm Forum2018 NAMIC Farm Forum
2018 NAMIC Farm Forum
 
The Coming OSS Sustainability Crisis
The Coming OSS Sustainability CrisisThe Coming OSS Sustainability Crisis
The Coming OSS Sustainability Crisis
 
Real Cost of Software Remediation
Real Cost of Software RemediationReal Cost of Software Remediation
Real Cost of Software Remediation
 
5 strategies for enterprise cloud infrastructure success
5 strategies for enterprise cloud infrastructure success5 strategies for enterprise cloud infrastructure success
5 strategies for enterprise cloud infrastructure success
 

Similar to Enumerating Enterprise Attack Surface

Ibm business partner connect 2015 long fong yee v1 (read-only)
Ibm business partner connect 2015   long fong yee v1 (read-only)Ibm business partner connect 2015   long fong yee v1 (read-only)
Ibm business partner connect 2015 long fong yee v1 (read-only)
Fong Yee Long
 

Similar to Enumerating Enterprise Attack Surface (20)

Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
Reducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsReducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained Environments
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
 
How to (Permanently) Fix the Most Common DevOps Security Blunders
How to (Permanently) Fix the Most Common DevOps Security BlundersHow to (Permanently) Fix the Most Common DevOps Security Blunders
How to (Permanently) Fix the Most Common DevOps Security Blunders
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Scalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary PresentationScalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary Presentation
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
 
Scalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver PresentationScalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver Presentation
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
 
Government and Education Webinar: Successfully Migrating Applications to the ...
Government and Education Webinar: Successfully Migrating Applications to the ...Government and Education Webinar: Successfully Migrating Applications to the ...
Government and Education Webinar: Successfully Migrating Applications to the ...
 
Ibm business partner connect 2015 long fong yee v1 (read-only)
Ibm business partner connect 2015   long fong yee v1 (read-only)Ibm business partner connect 2015   long fong yee v1 (read-only)
Ibm business partner connect 2015 long fong yee v1 (read-only)
 

More from Denim Group

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 

More from Denim Group (10)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset  Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset
 
Threat Modeling for IoT Systems
Threat Modeling for IoT SystemsThreat Modeling for IoT Systems
Threat Modeling for IoT Systems
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix
 

Recently uploaded

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Enumerating Enterprise Attack Surface

  • 1. © 2019 Denim Group – All Rights Reserved
    Building a world where technology is trusted.
    Enumerating Enterprise Attack Surface
    Dan Cornell | CTO
  • 2. Dan Cornell
    • Founder and CTO of Denim Group
    • Software developer by background
    • OWASP San Antonio co-leader
    • 20 years experience in software architecture, development, and security
  • 3. How we can help: Advisory Services, Assessment Services, Remediation Services, Vulnerability Resolution Platform
    Building a world where technology is trusted. Denim Group is solely focused on helping build resilient software that will withstand attacks.
    • Since 2001, helping secure software
    • Development background
    • Tools + services model
  • 4. So You Want To Roll Out a Software Security Program?
    • Great!
    • What a software security program ISN’T
      • Question: “What are you doing to address software security concerns?”
      • Answer: “We bought scanner XYZ”
    • What a software security program IS
      • People, process, tools (naturally)
      • Set of activities intended to repeatedly produce appropriately-secure software
  • 5. Challenges Rolling Out Software Security Programs
    • Resources
      • Raw budget and cost issues
      • Level of effort issues
    • Resistance: requires organizational change
      • Apparently people hate this
    • Open source tools
      • Can help with raw budget issues
      • May exacerbate problems with level of effort
    • View the rollout as a multi-stage process
      • Not one magical effort
      • Use short-term successes and gains to fuel further change
  • 6. You can’t defend unknown attack surface. If everything is important then nothing is important.
  • 7. [Translation] Find out what applications you have in your organization. Decide the relative importance of applications and treat them differently based on this.
  • 8. What Is Your Software Attack Surface? Software You Currently Know About
    • Why?
      • Lots of value flows through it
      • Auditors hassle you about it
      • Formal SLAs with customers mention it
      • Bad guys found it and caused an incident (oops)
    • What?
      • Critical legacy systems
      • Notable web applications
  • 9. What Is Your Software Attack Surface? Add In the Rest of the Web Applications You Actually Develop and Maintain
    • Why Did You Miss Them?
      • Forgot it was there
      • Line of business procured through non-standard channels
      • Picked it up through a merger / acquisition
    • What?
      • Line of business applications
      • Event-specific applications
  • 10. What Is Your Software Attack Surface? Add In the Software You Bought from Somewhere
    • Why Did You Miss Them?
      • Most scanners only really work on web applications, so no vendors pester you about your non-web applications
      • Assume the application vendor is handling security
    • What?
      • More line of business applications
      • Support applications
      • Infrastructure applications
  • 11. What Is Your Software Attack Surface? MOBILE! THE CLOUD!
    • Why Did You Miss Them?
      • Any jerk with a credit card and the ability to submit an expense report now runs their own private procurement office
    • What?
      • Support for line of business functions
      • Marketing and promotion
  • 12. Attack Surface: The Security Officer’s Journey
    • Two Dimensions:
      • Perception of Software Attack Surface
      • Insight into Exposed Assets
    [Chart: Perception (horizontal axis) vs. Insight (vertical axis)]
  • 13-17. Attack Surface: The Security Officer’s Journey
    • As perception of the problem of attack surface widens, the scope of the problem increases
    [Chart, built up over five slides: Perception vs. Insight, adding Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications]
  • 18-20. Attack Surface: The Security Officer’s Journey
    • Discovery activities increase insight
    [Chart, built up over three slides: Perception vs. Insight, insight into Web Applications growing]
  • 21-25. Attack Surface: The Security Officer’s Journey
    • Over time you end up with a progression
    [Chart, built up over five slides: Perception vs. Insight; Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications each gaining insight in turn]
  • 26. Attack Surface: The Security Officer’s Journey
    • When you reach this point it is called “enlightenment”
    • You won’t reach this point
    [Chart: Perception vs. Insight, full insight across Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications]
  • 27. First Decision
    • What is considered to be in scope?
    • Depends on how you want to manage vulnerabilities and manage risk
  • 28. Process
    • Identify Application “Homes”
    • Enumerate Applications
    • Collect Metadata
    • Repeat as Needed
  • 29. So Where Are These Applications?
    • Your Datacenters
    • 3rd Party Datacenters
    • Cloud Providers
  • 30. Enumerating Applications
    • Technical
      • Network inspection
      • DNS and other registry inspection
    • Non-technical
      • Interviews
      • Other research
  • 31. IP Range Detection
    • IPOsint: https://github.com/j3ssie/IPOsint
    • ip-osint.py -t CompanyName
    • Data sources:
      • Whois
      • RIPE
      • ARIN
      • Hurricane Electric
      • Censys
      • SecurityTrails
  • 32. Network Inspection
    • nmap: https://nmap.org/
    • Look for common web server ports:
      • 80, 443, 8000, 8008, 8080, 8443
      • Others depending on your environment
    • nmap -sS -p 80,443,8000,8008,8080,8443 x.y.z.0/24
      • A SYN scan (-sS) needs raw-socket privileges, so run it as root; scanning by IP finds listeners, not the name-based virtual hosts behind them
    • Great for dense environments you control
      • Largely datacenters
    • https://www.denimgroup.com/resources/blog/2016/03/threadfix-in-action-discovering-your-organizations-software-attack-surface-web-app-edition/
  • 33. DNS Inspection
    • SubFinder: https://github.com/subfinder/subfinder
      • docker run -it subfinder -d target.org
      • Can get even more data with service-specific API keys
    • OWASP Amass: https://github.com/OWASP/Amass
      • sudo docker run amass --passive -d target.org
      • Newer Amass releases put this under the enum subcommand: amass enum --passive -d target.org
  • 34. Mobile Application Identification
    • Scumblr: https://github.com/Netflix-Skunkworks/Scumblr
    • Purpose of tool evolved over time
    • Not currently maintained; looking for maintainers
  • 35. Interviews
    • Line-of-business representatives
      • Will need to translate their definition of “application” to your definition
      • Think in terms of business processes; these can map to multiple applications and microservices
    • Tech leads
      • More familiar with the deployed infrastructure and other assets
  • 36. Other Research
    • Disaster recovery plans
    • Accounting
      • Find cloud providers (invoices and expense reports show who is being paid)
  • 37. What is an “Application”?
    • What assets do we have?
      • IP addresses
      • Host names
      • Mobile apps
    • Business view of “applications”
    • Challenge: Create a consolidated view
    • Challenge: Correlate applications and the supporting infrastructure
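The consolidated view slide 37 asks for, built from the network inspection and DNS inspection steps on slides 32 and 33, as an added example that is not part of the deck and is not code from nmap, SubFinder or Amass. The grepable scan text, the subdomain list and the A-record table are constructed sample data standing in for a real `nmap ... -oG -` run, tool output and a resolver lookup; 10.10.20.0/24 as the only scanned range and target.org as the apex domain are assumptions. It merges the two sources into one record per IP, flags names that resolve outside the scanned range (third-party or cloud hosting, slide 29) and names with no A record, and turns open web ports into scan targets keyed by hostname.

```python
"""Consolidate nmap -oG output and DNS-discovery output into one asset inventory.

Added example for this page, not code from the deck, nmap, SubFinder or Amass.
Assumptions: the constants below are constructed sample data, and
10.10.20.0/24 is the one datacenter range that was scanned.
"""
import ipaddress
import re
from collections import defaultdict

WEB_PORTS = {80, 443, 8000, 8008, 8080, 8443}          # ports from the nmap command on slide 32
SCANNED_RANGES = [ipaddress.ip_network("10.10.20.0/24")]  # assumption: the only range you scanned

# Constructed sample of: nmap -sS -p 80,443,8000,8008,8080,8443 -oG - 10.10.20.0/24
NMAP_GREPABLE = """\
# Nmap 7.80 scan initiated Mon Jun 10 09:00:00 2019 as: nmap -sS -p 80,443,8000,8008,8080,8443 -oG - 10.10.20.0/24
Host: 10.10.20.5 ()\tStatus: Up
Host: 10.10.20.5 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (3)
Host: 10.10.20.9 ()\tPorts: 8443/open/tcp//https-alt///\tIgnored State: filtered (5)
Host: 10.10.20.12 ()\tPorts: 80/closed/tcp//http///\tIgnored State: filtered (5)
# Nmap done at Mon Jun 10 09:02:11 2019 -- 256 IP addresses (3 hosts up) scanned in 131.20 seconds
"""

# Constructed sample of passive subdomain discovery output (case, trailing dot and noise included).
SUBDOMAIN_OUTPUT = """\
www.target.org
portal.target.org
WWW.target.org.
api.target.org
old-promo.target.org
staging.target.org
mail.target.org
target.org.cdn-mirror.example.net
"""

# Constructed A records standing in for a DNS lookup of each discovered name.
A_RECORDS = {
    "www.target.org": "10.10.20.5",
    "portal.target.org": "10.10.20.5",
    "api.target.org": "10.10.20.9",
    "staging.target.org": "10.10.20.12",
    "old-promo.target.org": "203.0.113.40",
}

# One -oG port entry is port/state/protocol/owner/service/rpcinfo/version/
_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_nmap_grepable(text):
    """Return {ip: {port: service}} for every open TCP port in grepable output."""
    open_ports = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in _PORT_RE.findall(ports_field):
            if state == "open" and proto == "tcp":
                open_ports[ip][int(port)] = service
    return dict(open_ports)


def in_scope(names, apex):
    """Normalise names and keep only those under the apex domain; passive sources return noise."""
    apex = apex.lower().rstrip(".")
    keep = set()
    for name in names:
        name = name.strip().lower().rstrip(".")
        if name == apex or name.endswith("." + apex):
            keep.add(name)
    return sorted(keep)


def classify_home(ip):
    """'datacenter' if the address sits in a range you scanned, otherwise 'external'."""
    addr = ipaddress.ip_address(ip)
    return "datacenter" if any(addr in net for net in SCANNED_RANGES) else "external"


def consolidate(scan, names, a_records):
    """Merge scan results and DNS names into one record per IP.

    Returns (assets, unresolved): assets maps ip -> {hostnames, web_ports, home};
    unresolved lists discovered names with no A record, which still need a human.
    """
    assets = {}
    for ip, ports in scan.items():
        assets[ip] = {"hostnames": [], "web_ports": sorted(p for p in ports if p in WEB_PORTS),
                      "home": classify_home(ip)}
    unresolved = []
    for name in names:
        ip = a_records.get(name)
        if ip is None:
            unresolved.append(name)
            continue
        asset = assets.setdefault(ip, {"hostnames": [], "web_ports": [], "home": classify_home(ip)})
        asset["hostnames"].append(name)
    return assets, unresolved


def candidate_urls(assets):
    """Build URLs for a web scanner, preferring hostnames over bare IPs (virtual hosts)."""
    urls = []
    for ip, asset in assets.items():
        targets = asset["hostnames"] or [ip]
        for port in asset["web_ports"]:
            scheme = "https" if port in (443, 8443) else "http"
            suffix = "" if port in (80, 443) else f":{port}"
            urls.extend(f"{scheme}://{host}{suffix}" for host in targets)
    return urls


if __name__ == "__main__":
    scan = parse_nmap_grepable(NMAP_GREPABLE)
    assets, unresolved = consolidate(scan, in_scope(SUBDOMAIN_OUTPUT.split(), "target.org"), A_RECORDS)
    for ip, asset in assets.items():
        print(ip, asset)
    print("no A record, ask the tech leads:", unresolved)
    print("scan targets:", candidate_urls(assets))
```

An IP with open web ports but no discovered name, and a name that resolves to an address outside every range you scanned, are the two gaps this view makes visible: the first goes to the tech-lead interviews on slide 35, the second is a third-party or cloud "home" that needs its own discovery pass. To use it for real, replace the constructed constants with the `-oG` file, the SubFinder or Amass output and a resolver call.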
  • 38. Collect Metadata
    • Technical: Language, Scale
    • Architectural: Web, Mobile
    • Exposure: Public, Partner, Internal
    • Regulatory: PCI, HIPAA, GDPR
  • 39. Value and Risk Are Not Equally Distributed
    • Some Applications Matter More Than Others
      • Value and character of data being managed
      • Value of the transactions being processed
      • Cost of downtime and breaches
    • Therefore All Applications Should Not Be Treated the Same
      • Allocate different levels of resources to assurance
      • Select different assurance activities
      • Also must often address compliance and regulatory requirements
  • 40. Do Not Treat All Applications the Same
    • Allocate Different Levels of Resources to Assurance
    • Select Different Assurance Activities
    • Also Must Often Address Compliance and Regulatory Requirements
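One way to act on slides 38 through 40, as an added example and not the deck's own method or any product's: score each application from the metadata you collected, map the score to a tier, and let the tier pick the assurance activities. The weights, the tier thresholds, the compliance floor and the activity menu are assumptions made for illustration, and the inventory records are constructed.

```python
"""Tier applications from collected metadata and choose assurance activities per tier.

Added example for this page, not the deck's method. The weights, thresholds,
compliance floor and activity menu below are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Assumed weights: more points means the application matters more (slide 39).
EXPOSURE = {"public": 3, "partner": 2, "internal": 1}
DATA = {"regulated": 3, "confidential": 2, "internal": 1, "public": 0}
TRANSACTIONS = {"high": 3, "medium": 2, "low": 1}

# Assumed activity menu per tier (1 = most assurance).
ACTIVITIES = {
    1: ["threat model", "SAST in CI", "DAST every release", "annual manual penetration test"],
    2: ["SAST in CI", "DAST every release"],
    3: ["periodic automated scan"],
}


@dataclass(frozen=True)
class AppRecord:
    name: str
    exposure: str = "unknown"       # public | partner | internal | unknown
    data: str = "unknown"           # regulated | confidential | internal | public | unknown
    transactions: str = "unknown"   # high | medium | low | unknown
    regulatory: frozenset = field(default_factory=frozenset)  # e.g. {"PCI", "HIPAA", "GDPR"}


def _points(table, value):
    """Unknown or unrecognised metadata scores as the worst case, so a gap in the
    inventory never makes an application look safer than a classified one."""
    return table.get(value, max(table.values()))


def score(app):
    return (_points(EXPOSURE, app.exposure)
            + _points(DATA, app.data)
            + _points(TRANSACTIONS, app.transactions))


def tier_for(app):
    """Map the score to a tier, then apply the compliance floor from slide 39."""
    s = score(app)
    tier = 1 if s >= 7 else 2 if s >= 4 else 3
    if app.regulatory:
        tier = min(tier, 2)   # assumed floor: a regulated application is never tier 3
    return tier


def plan(apps):
    """Return {name: (tier, activities)} for a list of AppRecords."""
    out = {}
    for app in apps:
        tier = tier_for(app)
        out[app.name] = (tier, ACTIVITIES[tier])
    return out


# Constructed inventory records.
INVENTORY = [
    AppRecord("customer-portal", "public", "regulated", "high", frozenset({"PCI"})),
    AppRecord("partner-api", "partner", "confidential", "medium"),
    AppRecord("lunch-menu", "internal", "public", "low"),
    AppRecord("hr-timesheet", "internal", "internal", "low", frozenset({"GDPR"})),
    AppRecord("acquired-crm"),   # picked up in an acquisition; metadata not yet collected
]

if __name__ == "__main__":
    for name, (tier, acts) in plan(INVENTORY).items():
        print(f"{name:16} tier {tier}: {', '.join(acts)}")
```

Two details worth keeping whatever weights you settle on: missing metadata scores as the worst case, so an application inherited through an acquisition sits in tier 1 until someone classifies it, and the regulatory floor stops a low-scoring GDPR or PCI application from dropping into the lightest tier.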
  • 41. Rinse and Repeat
    • This list will change over time
    • Metadata will change
    • This is especially true in a world of microservices
  • 42. You can’t defend unknown attack surface. If everything is important then nothing is important.
  • 43. [Translation] Find out what applications you have in your organization. Decide the relative importance of applications and treat them differently based on this.
  • 44. Questions
  • 45. Building a world where technology is trusted. @denimgroup www.denimgroup.com dan@denimgroup.com