SlideShare ist ein Scribd-Unternehmen logo

The Self Healing Cloud: Protecting Applications and Infrastructure with Automated Virtual Patching

Denim Group
Denim Group

Organizations often have to deploy arbitrary applications on their infrastructure without thorough security testing. These applications can contain serious security vulnerabilities that can be detected and exploited remotely and in an automated manner. The applications themselves and the infrastructure they are deployed on are then at risk of exploitation. Configuration changes or vendor-provided software updates and patches are typically used to address infrastructure vulnerabilities. However, application-level vulnerabilities often require coding changes to be fully addressed. Virtual patching is a technique where targeted rules are created for web application firewalls (WAFs) or other IDS/IPS technologies to help mitigate specific known application vulnerabilities. This allows applications to be “virtually” patched prior to actual code-level patches being applied. These virtual patches are most often applicable to vulnerabilities that have a strong detection signature such as SQL injection and cross-site scripting (XSS) because the detection rules can be targeted to detect these signatures, but limited only to specific parts of the application attack surface where the application is known to be vulnerable. This presentation examines the automatic creation of virtual patches from automated web application security scanner results and explores scenarios where this approach might be successfully employed. It discusses theoretical approaches to the problem and provides specific demonstrations using Open Source tools such as the skipfish and w3af scanners and Snort and mod_security protection technologies. Finally, it looks at opportunities to apply these techniques to protect arbitrary applications deployed into arbitrary infrastructures so that short-term protection against common web application attacks can be consistently applied while minimizing false blocking of legitimate traffic.

Technologie
1 von 36
Downloaden Sie, um offline zu lesen
The Self Healing Cloud Protecting Applications and Infrastructure with Automated Virtual Patching Dan Cornell CTO, Denim Group @danielcornell © Copyright 2011 Denim Group - All Rights Reserved
Bio: Dan Cornell • Founder and CTO, Denim Group • Software developer by background (Java, .NET) • OWASP – San Antonio Chapter Leader – Open Review Project Leader – Chair of the Global Membership Committee • Speaking – RSA, SOURCE Boston – OWASP AppSec, Portugal Summit, AppSecEU Dublin – ROOTS in Norway © Copyright 2011 Denim Group - All Rights Reserved 1
Denim Group Background • Secure software services and products company – Builds secure software – Helps organizations assess and mitigate risk of in-house developed and third party software – Provides classroom training and e-Learning so clients can build software securely • Software-centric view of application security – Application security experts are practicing developers – Development pedigree translates to rapport with development managers – Business impact: shorter time-to-fix application vulnerabilities • Culture of application security innovation and contribution – Develops open source tools to help clients mature their software security programs • Remediation Resource Center, ThreadFix, Sprajax – OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI – World class alliance partners accelerate innovation to solve client problems © Copyright 2011 Denim Group - All Rights Reserved 2
The Cloud! © Copyright 2011 Denim Group - All Rights Reserved 3
An Apology • Did anyone attend this talk because it had the word “cloud” in the title? • If so … I’m sorry – Marketing made me do it – But this really does apply to certain aspects of “the cloud” – I promise… • At least we didn’t mention Advanced Persistent Threats – Yet… © Copyright 2011 Denim Group - All Rights Reserved 4
Who Is Your Worst Enemy? © Copyright 2011 Denim Group - All Rights Reserved 5
The Problem • Code with automatically-identifiable security vulnerabilities gets deployed • Trolling attackers find vulnerabilities and exploit them • Profit? © Copyright 2011 Denim Group - All Rights Reserved 6
A Proposed Solution 1. Identify newly- deployed code 2. Identify vulnerabilities 3. Block traffic that would exploit those vulnerabilities © Copyright 2011 Denim Group - All Rights Reserved 7
Other Potential Solutions • Run a web application firewall (WAF) – You do not have one – Code changes too frequently for WAF training – WAF blocked legitimate transactions and is back in training mode • Find the vulnerabilities and fix the code – Prioritization of new features over security fixes – Code deployments take too long • Do not introduce the vulnerabilities in the first place – Very funny… © Copyright 2011 Denim Group - All Rights Reserved 8
Step 1: Identify Newly-Deployed Code • Wait to be notified about new application deployments by the development teams • Scan your network space for new servers and applications • Monitor files and directories © Copyright 2011 Denim Group - All Rights Reserved 9
Step 2: Identify Vulnerabilities • Manual testing • Automated scanning • Manual-assisted scanning © Copyright 2011 Denim Group - All Rights Reserved 10
Step 3: Block Traffic That Would Exploit Vulnerabilities • Generate virtual patches to block traffic to identified vulnerabilities © Copyright 2011 Denim Group - All Rights Reserved 11
ThreadFix – Consolidating vulnerability data so managers can speak intelligently about the status and trends of security within their organization © Copyright 2011 Denim Group - All Rights Reserved 12
Virtual Patching • Connect vulnerability scanners to IDS/IPS/WAF systems • Map data from sensors back to data about vulnerabilities © Copyright 2011 Denim Group - All Rights Reserved 13
Solution Specifics • Code Change Detection: Watch for filesystem changes – Could wire up to diffs of nmap scans but this was easier given test environment • Vulnerability Detection: Automated skipfish and w3af scans – Open source technologies: anyone can replicate – Ability to run unattended • Blocking Traffic: Rules for snort and mod_security – Open source technologies: anyone can replicate – Rule compatibility © Copyright 2011 Denim Group - All Rights Reserved 14
Skipfish Vulnerability Data © Copyright 2011 Denim Group - All Rights Reserved 15
w3af Vulnerability Data © Copyright 2011 Denim Group - All Rights Reserved 16
IBM Rational AppScan Vulnerability Data © Copyright 2011 Denim Group - All Rights Reserved 17
Vulnerability Data • Normalize what is provided by the scanners • De-duplicate the results – Allows for use of multiple scanning technologies • (vulnerability_type, vulnerable_url, injection_point) – Typically needed for injection-type vulnerabilities: SQL injection, XSS • (vulnerability_type, vulnerable_url) – Sufficient for some vulnerabilities: Predictable resource location, directory listing © Copyright 2011 Denim Group - All Rights Reserved 18
Vulnerability Data – What Else Do We Need? • Standardized access to payload information would be nice • Current rules have potential for false blocks – SQL injection: Is the problem based on the code mis-handling „ or “ © Copyright 2011 Denim Group - All Rights Reserved 19
Virtual Patches - Snort © Copyright 2011 Denim Group - All Rights Reserved 20
Virtual Patches – mod_security © Copyright 2011 Denim Group - All Rights Reserved 21
Virtual Patches - Formats • Two approaches 1. (vulnerability_type, vulnerability_location) 2. (vulnerability_signature , vulnerability_location) (1) “There is a reflected XSS vulnerability in login.php for the username parameter” versus (2) “Watch out for HTML-ish characters in login.php for the username parameter” • The snort and mod_security rules follow approach (2) • Integration with commercial solutions may use approach (1) © Copyright 2011 Denim Group - All Rights Reserved 22
Standard for Virtual Patch Success • If the scanner shuts up the vulnerability is considered “fixed” • Tweak the detection payloads until this is the case for all scanners • Watch out for overly-aggressive signatures • But that won’t stop Advanced Persistent Threats! – True – But that wasn‟t really the goal at the current time © Copyright 2011 Denim Group - All Rights Reserved 23
Test Environment Scanner / Rule Generator IDS/IPS/WAF Sensor Target Application / Infrastructure © Copyright 2011 Denim Group - All Rights Reserved 24
Demo! © Copyright 2011 Denim Group - All Rights Reserved 25
Results • Snort • mod_security – No rules – Compared to Core Ruleset (CRS) • Why compare to the Core Ruleset? © Copyright 2011 Denim Group - All Rights Reserved 26
Snort Results Snort v. 2.9.0.5 All Vulns Skipfish w3af Total Normal 20 10 30 Threadfix 10 ? 10 © Copyright 2011 Denim Group - All Rights Reserved 27
mod_security Results – Raw Raw Total Skipfish w3af Total Normal 32 14 46 CRS 44 10 54 Threadfix 11 2 13 CRS+Threadfix 18 6 24 © Copyright 2011 Denim Group - All Rights Reserved 28
mod_security Results – All Vulnerability Types 60 50 40 Skipfish 30 w3af Total 20 10 0 Normal CRS Threadfix CRS+Threadfix © Copyright 2011 Denim Group - All Rights Reserved 29
mod_security Results – Focus on Injection 40 35 30 25 Skipfish 20 w3af Total 15 10 5 0 Normal CRS Threadfix CRS+Threadfix © Copyright 2011 Denim Group - All Rights Reserved 30
Trivia and Analysis • IDS/IPS/WAF has an impact on the scanning process – Snort breaks w3af scanning – mod_security CRS introduces some false positives into skipfish scanning • mod_security CRS is quite good – And getting better all the time: SQL Injection Challenge – http://blog.spiderlabs.com/2011/06/announcing-the-modsecurity-sql-injection-challenge.html • Virtual patching appears to win for injection flaws © Copyright 2011 Denim Group - All Rights Reserved 31
Where Is This Useful? • Environments where you have little or no control over deployed code – XaaS – PaaS, IaaS – 99% of all corporate data centers • Environments where you have a large “application security debt” – Actual code fixes: take time and can be hard to get on the schedule © Copyright 2011 Denim Group - All Rights Reserved 32
What Are The Problems? • Current vulnerability data formats only allow for coarse-grained virtual patches – Can lead to false blocks • Virtual patches likely will not stop well-informed, determined attackers – See the results of the mod_security SQL Injection Challenge © Copyright 2011 Denim Group - All Rights Reserved 33
Next Steps • MOAR DATA!!! – Target applications – Live traffic • Develop import support for more scanner technologies • Create virtual patch signatures for new vulnerability classes – “Borrow” emerging CSRF protection from mod_security CRS? – There are limitations on what can be done but we are not there yet • Create virtual patches for new IDS/IPS/WAF technologies © Copyright 2011 Denim Group - All Rights Reserved 34
Questions Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 35

Empfohlen

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Denim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Denim Group
 
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?Denim Group
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationDenim Group
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataDenim Group
 
Real Cost of Software Remediation
Real Cost of Software RemediationReal Cost of Software Remediation
Real Cost of Software RemediationDenim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesDenim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Denim Group
 

Empfohlen

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Denim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Denim Group
 
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?Denim Group
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationDenim Group
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataDenim Group
 
Real Cost of Software Remediation
Real Cost of Software RemediationReal Cost of Software Remediation
Real Cost of Software RemediationDenim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesDenim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsDenim Group
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual TestingDenim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewDenim Group
 
Mobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfMobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfDenim Group
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellDenim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramDenim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramDenim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsDenim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...Denim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationDenim Group
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesDenim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesDenim Group
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Denim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsDenim Group
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment TechniquesDenim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationDenim Group
 
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Alex Gorbachev
 
Machine Learning The Key Ingredient to Self-Driving Data Center
Machine Learning The Key Ingredient to Self-Driving Data CenterMachine Learning The Key Ingredient to Self-Driving Data Center
Machine Learning The Key Ingredient to Self-Driving Data CenterSergey A. Razin
 

Weitere ähnliche Inhalte

Was ist angesagt?

Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsDenim Group
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual TestingDenim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewDenim Group
 
Mobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfMobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfDenim Group
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellDenim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramDenim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramDenim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsDenim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...Denim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationDenim Group
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesDenim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesDenim Group
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Denim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsDenim Group
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment TechniquesDenim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationDenim Group
 

Was ist angesagt? (20)

Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
 
Mobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfMobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat Yourself
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment Techniques
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 

Andere mochten auch

Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Alex Gorbachev
 
Machine Learning The Key Ingredient to Self-Driving Data Center
Machine Learning The Key Ingredient to Self-Driving Data CenterMachine Learning The Key Ingredient to Self-Driving Data Center
Machine Learning The Key Ingredient to Self-Driving Data CenterSergey A. Razin
 
Self-Driving Data Center (Apply Machine Learning to the Cloud)
Self-Driving Data Center (Apply Machine Learning to the Cloud)Self-Driving Data Center (Apply Machine Learning to the Cloud)
Self-Driving Data Center (Apply Machine Learning to the Cloud)Sergey A. Razin
 
Self-Tuning Data Centers
Self-Tuning Data CentersSelf-Tuning Data Centers
Self-Tuning Data CentersReza Rahimi
 
SMS Spam Filter Design Using R: A Machine Learning Approach
SMS Spam Filter Design Using R: A Machine Learning ApproachSMS Spam Filter Design Using R: A Machine Learning Approach
SMS Spam Filter Design Using R: A Machine Learning ApproachReza Rahimi
 
Clear AppSec Visibility with AppSpider and ThreadFix
Clear AppSec Visibility with AppSpider and ThreadFix Clear AppSec Visibility with AppSpider and ThreadFix
Clear AppSec Visibility with AppSpider and ThreadFixDenim Group
 
Introduction to Machine Learning for Oracle Database Professionals
Introduction to Machine Learning for Oracle Database ProfessionalsIntroduction to Machine Learning for Oracle Database Professionals
Introduction to Machine Learning for Oracle Database ProfessionalsAlex Gorbachev
 
Dynatrace: New Approach to Digital Performance Management - Gartner Symposium...
Dynatrace: New Approach to Digital Performance Management - Gartner Symposium...Dynatrace: New Approach to Digital Performance Management - Gartner Symposium...
Dynatrace: New Approach to Digital Performance Management - Gartner Symposium...Michael Allen
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Denim Group
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at ScaleRaffael Marty
 
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013Alex Pinto
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedRaffael Marty
 
Seminar on cloud computing by Prashant Gupta
Seminar on cloud computing by Prashant GuptaSeminar on cloud computing by Prashant Gupta
Seminar on cloud computing by Prashant GuptaPrashant Gupta
 

Andere mochten auch (15)

Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
 
Machine Learning The Key Ingredient to Self-Driving Data Center
Machine Learning The Key Ingredient to Self-Driving Data CenterMachine Learning The Key Ingredient to Self-Driving Data Center
Machine Learning The Key Ingredient to Self-Driving Data Center
 
Self-Driving Data Center (Apply Machine Learning to the Cloud)
Self-Driving Data Center (Apply Machine Learning to the Cloud)Self-Driving Data Center (Apply Machine Learning to the Cloud)
Self-Driving Data Center (Apply Machine Learning to the Cloud)
 
Self-Tuning Data Centers
Self-Tuning Data CentersSelf-Tuning Data Centers
Self-Tuning Data Centers
 
SMS Spam Filter Design Using R: A Machine Learning Approach
SMS Spam Filter Design Using R: A Machine Learning ApproachSMS Spam Filter Design Using R: A Machine Learning Approach
SMS Spam Filter Design Using R: A Machine Learning Approach
 
Clear AppSec Visibility with AppSpider and ThreadFix
Clear AppSec Visibility with AppSpider and ThreadFix Clear AppSec Visibility with AppSpider and ThreadFix
Clear AppSec Visibility with AppSpider and ThreadFix
 
Introduction to Machine Learning for Oracle Database Professionals
Introduction to Machine Learning for Oracle Database ProfessionalsIntroduction to Machine Learning for Oracle Database Professionals
Introduction to Machine Learning for Oracle Database Professionals
 
Dynatrace: New Approach to Digital Performance Management - Gartner Symposium...
Dynatrace: New Approach to Digital Performance Management - Gartner Symposium...Dynatrace: New Approach to Digital Performance Management - Gartner Symposium...
Dynatrace: New Approach to Digital Performance Management - Gartner Symposium...
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at Scale
 
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
 
Seminar on cloud computing by Prashant Gupta
Seminar on cloud computing by Prashant GuptaSeminar on cloud computing by Prashant Gupta
Seminar on cloud computing by Prashant Gupta
 
Cloud computing ppt
Cloud computing pptCloud computing ppt
Cloud computing ppt
 
cloud computing ppt
cloud computing pptcloud computing ppt
cloud computing ppt
 

Ähnlich wie The Self Healing Cloud: Protecting Applications and Infrastructure with Automated Virtual Patching

Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalThread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalRobin Lutchansky
 
Dan Cornell - The Real Cost of Software Remediation
Dan Cornell - The Real Cost of Software RemediationDan Cornell - The Real Cost of Software Remediation
Dan Cornell - The Real Cost of Software RemediationSource Conference
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb AppsDenim Group
 
Application Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerApplication Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerDenim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Denim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Denim Group
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemRogue Wave Software
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Denim Group
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Denim Group
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFixDenim Group
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsDenim Group
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
Software Security: Is OK Good Enough?
Software Security: Is OK Good Enough?Software Security: Is OK Good Enough?
Software Security: Is OK Good Enough?Denim Group
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixOptimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixDenim Group
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsBlack Duck by Synopsys
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeDenim Group
 
Product positioning ss_v.1.03
Product positioning ss_v.1.03Product positioning ss_v.1.03
Product positioning ss_v.1.03Nimit Shishodia
 

Ähnlich wie The Self Healing Cloud: Protecting Applications and Infrastructure with Automated Virtual Patching (20)

Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalThread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final Final
 
Dan Cornell - The Real Cost of Software Remediation
Dan Cornell - The Real Cost of Software RemediationDan Cornell - The Real Cost of Software Remediation
Dan Cornell - The Real Cost of Software Remediation
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb Apps
 
Application Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerApplication Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability Manager
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Software Security: Is OK Good Enough?
Software Security: Is OK Good Enough?Software Security: Is OK Good Enough?
Software Security: Is OK Good Enough?
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixOptimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFix
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security Knowledge
 
Product positioning ss_v.1.03
Product positioning ss_v.1.03Product positioning ss_v.1.03
Product positioning ss_v.1.03
 

Mehr von Denim Group

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramDenim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportDenim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsDenim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Denim Group
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingDenim Group
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Denim Group
 

Mehr von Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless Computing
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7
 

Kürzlich hochgeladen

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 

Kürzlich hochgeladen (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

The Self Healing Cloud: Protecting Applications and Infrastructure with Automated Virtual Patching

  • 1. The Self Healing Cloud Protecting Applications and Infrastructure with Automated Virtual Patching Dan Cornell CTO, Denim Group @danielcornell © Copyright 2011 Denim Group - All Rights Reserved
  • 2. Bio: Dan Cornell • Founder and CTO, Denim Group • Software developer by background (Java, .NET) • OWASP – San Antonio Chapter Leader – Open Review Project Leader – Chair of the Global Membership Committee • Speaking – RSA, SOURCE Boston – OWASP AppSec, Portugal Summit, AppSecEU Dublin – ROOTS in Norway © Copyright 2011 Denim Group - All Rights Reserved 1
  • 3. Denim Group Background • Secure software services and products company – Builds secure software – Helps organizations assess and mitigate risk of in-house developed and third party software – Provides classroom training and e-Learning so clients can build software securely • Software-centric view of application security – Application security experts are practicing developers – Development pedigree translates to rapport with development managers – Business impact: shorter time-to-fix application vulnerabilities • Culture of application security innovation and contribution – Develops open source tools to help clients mature their software security programs • Remediation Resource Center, ThreadFix, Sprajax – OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI – World class alliance partners accelerate innovation to solve client problems © Copyright 2011 Denim Group - All Rights Reserved 2
  • 4. The Cloud! © Copyright 2011 Denim Group - All Rights Reserved 3
  • 5. An Apology • Did anyone attend this talk because it had the word “cloud” in the title? • If so … I’m sorry – Marketing made me do it – But this really does apply to certain aspects of “the cloud” – I promise… • At least we didn’t mention Advanced Persistent Threats – Yet… © Copyright 2011 Denim Group - All Rights Reserved 4
  • 6. Who Is Your Worst Enemy? © Copyright 2011 Denim Group - All Rights Reserved 5
  • 7. The Problem • Code with automatically-identifiable security vulnerabilities gets deployed • Trolling attackers find vulnerabilities and exploit them • Profit? © Copyright 2011 Denim Group - All Rights Reserved 6
  • 8. A Proposed Solution 1. Identify newly- deployed code 2. Identify vulnerabilities 3. Block traffic that would exploit those vulnerabilities © Copyright 2011 Denim Group - All Rights Reserved 7
  • 9. Other Potential Solutions • Run a web application firewall (WAF) – You do not have one – Code changes too frequently for WAF training – WAF blocked legitimate transactions and is back in training mode • Find the vulnerabilities and fix the code – Prioritization of new features over security fixes – Code deployments take too long • Do not introduce the vulnerabilities in the first place – Very funny… © Copyright 2011 Denim Group - All Rights Reserved 8
  • 10. Step 1: Identify Newly-Deployed Code • Wait to be notified about new application deployments by the development teams • Scan your network space for new servers and applications • Monitor files and directories © Copyright 2011 Denim Group - All Rights Reserved 9
  • 11. Step 2: Identify Vulnerabilities • Manual testing • Automated scanning • Manual-assisted scanning © Copyright 2011 Denim Group - All Rights Reserved 10
  • 12. Step 3: Block Traffic That Would Exploit Vulnerabilities • Generate virtual patches to block traffic to identified vulnerabilities © Copyright 2011 Denim Group - All Rights Reserved 11
  • 13. ThreadFix – Consolidating vulnerability data so managers can speak intelligently about the status and trends of security within their organization © Copyright 2011 Denim Group - All Rights Reserved 12
  • 14. Virtual Patching • Connect vulnerability scanners to IDS/IPS/WAF systems • Map data from sensors back to data about vulnerabilities © Copyright 2011 Denim Group - All Rights Reserved 13
  • 15. Solution Specifics • Code Change Detection: Watch for filesystem changes – Could wire up to diffs of nmap scans but this was easier given test environment • Vulnerability Detection: Automated skipfish and w3af scans – Open source technologies: anyone can replicate – Ability to run unattended • Blocking Traffic: Rules for snort and mod_security – Open source technologies: anyone can replicate – Rule compatibility © Copyright 2011 Denim Group - All Rights Reserved 14
  • 16. Skipfish Vulnerability Data © Copyright 2011 Denim Group - All Rights Reserved 15
  • 17. w3af Vulnerability Data © Copyright 2011 Denim Group - All Rights Reserved 16
  • 18. IBM Rational AppScan Vulnerability Data © Copyright 2011 Denim Group - All Rights Reserved 17
  • 19. Vulnerability Data • Normalize what is provided by the scanners • De-duplicate the results – Allows for use of multiple scanning technologies • (vulnerability_type, vulnerable_url, injection_point) – Typically needed for injection-type vulnerabilities: SQL injection, XSS • (vulnerability_type, vulnerable_url) – Sufficient for some vulnerabilities: Predictable resource location, directory listing © Copyright 2011 Denim Group - All Rights Reserved 18
  • 20. Vulnerability Data – What Else Do We Need? • Standardized access to payload information would be nice • Current rules have potential for false blocks – SQL injection: Is the problem based on the code mis-handling „ or “ © Copyright 2011 Denim Group - All Rights Reserved 19
  • 21. Virtual Patches - Snort © Copyright 2011 Denim Group - All Rights Reserved 20
  • 22. Virtual Patches – mod_security © Copyright 2011 Denim Group - All Rights Reserved 21
  • 23. Virtual Patches - Formats • Two approaches 1. (vulnerability_type, vulnerability_location) 2. (vulnerability_signature , vulnerability_location) (1) “There is a reflected XSS vulnerability in login.php for the username parameter” versus (2) “Watch out for HTML-ish characters in login.php for the username parameter” • The snort and mod_security rules follow approach (2) • Integration with commercial solutions may use approach (1) © Copyright 2011 Denim Group - All Rights Reserved 22
  • 24. Standard for Virtual Patch Success • If the scanner shuts up the vulnerability is considered “fixed” • Tweak the detection payloads until this is the case for all scanners • Watch out for overly-aggressive signatures • But that won’t stop Advanced Persistent Threats! – True – But that wasn‟t really the goal at the current time © Copyright 2011 Denim Group - All Rights Reserved 23
  • 25. Test Environment Scanner / Rule Generator IDS/IPS/WAF Sensor Target Application / Infrastructure © Copyright 2011 Denim Group - All Rights Reserved 24
  • 26. Demo! © Copyright 2011 Denim Group - All Rights Reserved 25
  • 27. Results • Snort • mod_security – No rules – Compared to Core Ruleset (CRS) • Why compare to the Core Ruleset? © Copyright 2011 Denim Group - All Rights Reserved 26
  • 28. Snort Results Snort v. 2.9.0.5 All Vulns Skipfish w3af Total Normal 20 10 30 Threadfix 10 ? 10 © Copyright 2011 Denim Group - All Rights Reserved 27
  • 29. mod_security Results – Raw Raw Total Skipfish w3af Total Normal 32 14 46 CRS 44 10 54 Threadfix 11 2 13 CRS+Threadfix 18 6 24 © Copyright 2011 Denim Group - All Rights Reserved 28
  • 30. mod_security Results – All Vulnerability Types 60 50 40 Skipfish 30 w3af Total 20 10 0 Normal CRS Threadfix CRS+Threadfix © Copyright 2011 Denim Group - All Rights Reserved 29
  • 31. mod_security Results – Focus on Injection 40 35 30 25 Skipfish 20 w3af Total 15 10 5 0 Normal CRS Threadfix CRS+Threadfix © Copyright 2011 Denim Group - All Rights Reserved 30
  • 32. Trivia and Analysis • IDS/IPS/WAF has an impact on the scanning process – Snort breaks w3af scanning – mod_security CRS introduces some false positives into skipfish scanning • mod_security CRS is quite good – And getting better all the time: SQL Injection Challenge – http://blog.spiderlabs.com/2011/06/announcing-the-modsecurity-sql-injection-challenge.html • Virtual patching appears to win for injection flaws © Copyright 2011 Denim Group - All Rights Reserved 31
  • 33. Where Is This Useful? • Environments where you have little or no control over deployed code – XaaS – PaaS, IaaS – 99% of all corporate data centers • Environments where you have a large “application security debt” – Actual code fixes: take time and can be hard to get on the schedule © Copyright 2011 Denim Group - All Rights Reserved 32
  • 34. What Are The Problems? • Current vulnerability data formats only allow for coarse-grained virtual patches – Can lead to false blocks • Virtual patches likely will not stop well-informed, determined attackers – See the results of the mod_security SQL Injection Challenge © Copyright 2011 Denim Group - All Rights Reserved 33
  • 35. Next Steps • MOAR DATA!!! – Target applications – Live traffic • Develop import support for more scanner technologies • Create virtual patch signatures for new vulnerability classes – “Borrow” emerging CSRF protection from mod_security CRS? – There are limitations on what can be done but we are not there yet • Create virtual patches for new IDS/IPS/WAF technologies © Copyright 2011 Denim Group - All Rights Reserved 34
  • 36. Questions Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 35