© 2016 Denim Group – All Rights Reserved
Optimizing Your Application Security Program with Netsparker and ThreadFix
October 19, 2016
Ferruh Mavituna
Product Architect and CEO, Netsparker Ltd.
Dan Cornell
CTO, Denim Group
Agenda
• State of Application Security
• Netsparker Overview
• ThreadFix Overview
• ThreadFix / Netsparker Integration
Automated Web Application Security
Netsparker automatically finds and reports security issues in web sites and web services.
Netsparker Desktop
Windows-only software, easy to install and use.
Netsparker Cloud
SaaS version of Netsparker. Uses the very same engine, is scalable, and comes with enterprise features.
Netsparker Desktop
Windows Software
It simulates a real attacker to find vulnerabilities in web applications automatically.
Allows users to carry out advanced security tasks and is especially useful for security consultants and in-house security teams.
Netsparker’s Core Features
• Ease of Use
• Supports Authentication
• Supports Modern Web
• Proof Based Scanning
• Integrated Exploitation
• Supports Mobile/Web Services
Unique feature
Netsparker Cloud
• Scalable: can scan thousands of websites within hours.
• Designed for Enterprise: built with enterprises, big teams and big datasets in mind.
• API: for integrating with other solutions and internal products.
On-premises or managed.
Unique feature
Security Testing Process
Automated Security Testing Process
1. Configure and Start the Scan
Configure Custom 404, Authentication, URL Rewrite Rules etc.
2. Check if the results are correct
If there is a Local File Inclusion, exploit it safely to see that the LFI is real and not a False Positive; if it’s SQL Injection, safely read data from the database. Repeat this for every vulnerability to eliminate false positives.
3. Take Action
Prioritize important issues, communicate with the developers and make the necessary changes. Deploy the new version of the application and re-test.
Process with Netsparker & ThreadFix
1. Start your scan quickly
URL Rewrite rules will be discovered dynamically, Custom 404 will be handled automatically, and authentication only requires you to enter the URL, username and password. Supports SPA (Single Page Applications) automatically.
2. Netsparker will give you the proof (Proof Based Scanning)
Get the results with proof. If there is a SQL Injection, Netsparker will extract some data from the target web application’s database; if there is an LFI, Netsparker will give you a file from the target system, etc. This applies to all direct impact vulnerabilities.
3. Take Action
Now you know which vulnerabilities are real; without spending any more time on them, pass them to your development team to start addressing these issues immediately.
You don’t want to leave your website exposed during this process. Now import these issues into ThreadFix and generate rules for your WAF without worrying about False Positives!
Proof Based Scanning
False Positive or not?
A scanner you can
{ }
Scalability
How can you scan 1,000 applications? More importantly, how can you address 10,000 issues in these applications?
Netsparker Cloud & ThreadFix
In 24 Hours you can find & hot-patch 10,000 vulnerabilities
Netsparker Cloud can scan thousands of websites in under 24 hours.
API: Import the results into ThreadFix.
Because results will be clearly flagged as CONFIRMED and 100% real, now you can just generate WAF rules without worrying about False Positives.
Congratulations, you have improved the state of your web application security significantly in just under 24 hours.
You still need to fix all these issues and not rely on the WAF, but the improvement will be huge.
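As an added example (not Netsparker or ThreadFix code), the Python below turns a constructed list of scan findings into WAF virtual-patch rules and emits a rule only for findings flagged as confirmed, which is the point the "Process with Netsparker & ThreadFix" and "Netsparker Cloud & ThreadFix" slides make about generating WAF rules from proof-backed results. ModSecurity as the WAF, the finding format, the app.example.com host, the 900001 rule id range and the per-class patterns are all assumptions, not anything from the slides.

```python
import re
from typing import Optional

# Constructed sample findings; this is NOT Netsparker's real export format.
FINDINGS = [
    {"url": "https://app.example.com/search", "param": "q",
     "type": "SQL Injection", "confirmed": True},
    {"url": "https://app.example.com/download", "param": "file",
     "type": "Local File Inclusion", "confirmed": True},
    {"url": "https://app.example.com/profile", "param": "bio",
     "type": "Cross-site Scripting", "confirmed": False},  # no proof: no rule
]

# Assumed per-class patterns; each patch is scoped to the affected path and
# parameter only, so the blast radius on legitimate traffic stays small.
PATTERNS = {
    "SQL Injection": r"['`;]|--|/\*|\b(union|select|sleep)\b",
    "Local File Inclusion": r"\.\./|\.\.\\|^/|\x00",
    "Cross-site Scripting": r"<|javascript:|on\w+\s*=",
}

def path_of(url: str) -> str:
    """Drop scheme, host and query so the rule keys on REQUEST_FILENAME."""
    path = re.sub(r"^https?://[^/]+", "", url).split("?", 1)[0]
    return path or "/"

def virtual_patch(finding: dict, rule_id: int) -> Optional[str]:
    """Two-rule ModSecurity chain for one CONFIRMED finding; None otherwise."""
    if not finding.get("confirmed") or finding["type"] not in PATTERNS:
        return None
    return (
        f'SecRule REQUEST_FILENAME "@streq {path_of(finding["url"])}" '
        f'"id:{rule_id},phase:2,deny,status:403,log,'
        f"msg:'Virtual patch: {finding['type']} via {finding['param']}',chain\"\n"
        f'    SecRule ARGS:{finding["param"]} "@rx {PATTERNS[finding["type"]]}" '
        '"t:none,t:urlDecodeUni,t:lowercase"'
    )

def generate_rules(findings: list, first_id: int = 900001) -> list:
    """One chained rule per confirmed finding; unconfirmed ones are skipped."""
    rules = []
    for finding in findings:
        rule = virtual_patch(finding, first_id + len(rules))
        if rule is not None:
            rules.append(rule)
    return rules

if __name__ == "__main__":
    print("\n\n".join(generate_rules(FINDINGS)))
```

The unconfirmed XSS finding produces no rule, which is the behaviour the slides rely on: a virtual patch is only worth deploying where the finding has been proven, and it remains a stopgap until the code is fixed.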
ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Reduce risk and provide protection via virtual patching
• Translate vulnerabilities to developers in the tools they are already using
ThreadFix Overview
Create a consolidated view of your applications and vulnerabilities
Application Portfolio Tracking
Vulnerability Import
Vulnerability Consolidation
Prioritize application risk decisions based on data
Vulnerability Prioritization
Reporting and Metrics
Reduce risk and provide protection via virtual patching
WAF Virtual Patching
Translate vulnerabilities to developers in the tools they are already using
Defect Tracker Integration
Questions and Contact
ThreadFix
www.threadfix.it
Netsparker
www.netsparker.com