1. © 2020 Denim Group – All Rights Reserved
Building a world where technology is trusted.
Dan Cornell | CTO
Kyle Pippin | ThreadFix Product Manager
Using Collaboration to Make Application Vulnerability Management a Team Sport
May 28, 2020
2. How we can help
Advisory Services | Assessment Services | Remediation Services | Vulnerability Resolution Platform
Building a world where technology is trusted
Denim Group is solely focused on helping build resilient software that will withstand attacks.
• Since 2001, helping secure software
• Development background
• Tools + services model
3. Agenda
• Application Vulnerability Management Challenges
• ThreadFix Overview
• Security Team Collaboration
• Security and Development Team Collaboration
• Questions
4. Application Vulnerability Management Challenges
5. An Observation
• Traditional vulnerability management seems to do this better
  • Organizations more mature
  • Server patches are typically more straightforward than custom software changes
[But lots of servers still don’t get patched…]
6. This is Hard
• Lots of players involved
  • Application Security
  • Development
  • GRC
7. This is Hard
• Everyone has different incentives and goals
  • Development: features, functions, timelines
  • Application Security: address risk
  • GRC: address risk, reach/maintain compliance, implement controls
8. This is Hard
• Access to developers’ time is a zero-sum game
  • If you’re fixing security bugs, you’re not developing features
  • If you’re developing features, you’re not fixing security bugs
• Viewing it like this creates winners. And losers…
9. Typical Outcome
• Application security “requires” that certain vulnerabilities get fixed
• Development teams try to put this off as long as possible
• The group with the best executive support gets their way
• But everyone is actually a loser
10. Stop Fighting
11. Start Playing on the Same Team
12. Critical Elements of Teamwork
• Respect
• Roles
• Communication
13. Critical Elements of Teamwork
• Respect
• Roles
• Communication (and Collaboration)
14. ThreadFix Overview
15. ThreadFix Origin Story
16. ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
• Provide access to powerful analytics
• Drive efficiency with automation and orchestration
44% reduction in time-to-fix vulnerabilities
Up to 5x increase in AppSec assessment productivity
17. ThreadFix Data Flow
18. ThreadFix Pipeline
[Diagram: Findings & Vulnerability Management Pipeline. Scanner inputs shown: i.o., SecurityCenter. Pipeline stages: De-Dupe, Merge, Correlate, History, Settings, Policy, False Positives, Risk Triage, Consolidate, Remediation Profiles, Templates, Actionable, Tracked, Insights, Verification, HotSpots, Alerting. Phase labels: Automated/Orchestrated Pre-Processing, Reduce Vulns to Manage, Manage by Policy & Settings. Single portal for ITAOs, Devs, SMEs, SecChamps; Devs & SMEs work in daily tools and existing workflows. Security program & policy management and reporting via Tableau, Business Objects, Power BI, Archer, custom reporting, external system integration, or manual.]
19. Who Benefits and How?
• Security Team
  • Run more efficient and effective application security programs (200-500% increase in testing throughput, up to 35% reduction in findings that require triage)
• Development Teams
  • Direct testing and receive results via tools and platforms already in use (Jenkins, JIRA, etc.)
• Risk-management (GRC) Team
  • Faster resolution of key vulnerabilities (up to 44% reduction in mean-time-to-fix)
20. Security Team Collaboration
21. Security Decisions
• Which vulnerabilities will you fix?
  • Hard enough for an application
  • Even harder across your portfolio
• What is your remediation “budget”?
  • How do you justify more?
22. Critical Decisions
• Is this vulnerability a true or false positive?
• How serious is this vulnerability, actually?
• Which of these do we need to fix?
23. Critical Communications
• “This is better/worse than it seems (and why)”
• “This has an impact on GRC concerns”
• “I need help making a decision about this issue”
24. ThreadFix Demo
• Vulnerability comments for triage
• Vulnerability comments for compliance
• Vulnerability statuses for workflow
25. Additional Resources
• Blog post: Effective Security Team Collaboration
https://threadfix.it/resources/applied-threadfix-effective-security-team-collaboration/
26. Security and Development Team Collaboration
27. Developers Don’t Speak PDF
28. (They Don’t Speak Excel Either)
29. Effective Dev/Sec Collaboration
• Talk to developers in the tools they’re already using: defect trackers (ALM, etc.)
• Empathy and understanding
• Take advantage of sunk-cost investments
• 44% reduction in Mean-Time-To-Fix
30. Bundling Strategies
• Turning vulnerabilities into defects
  • 1:1 approach?
    • More time spent administering defects than fixing issues
  • Bundling
    • By vulnerability type
    • By severity (more mature applications)
  • Other approaches
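As an added example (not ThreadFix code), the bundling strategies above applied to a constructed set of findings for one application: the 1:1 approach opens one ticket per finding, bundling by vulnerability type opens one ticket per type with every affected location listed, and bundling by severity opens one ticket per severity band and drops findings below a cut-off. The `Finding` fields, the severity ranking and the sample data are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Finding:
    """One scanner finding as it would sit in a consolidated view (assumed shape)."""
    app: str
    vuln_type: str  # e.g. "SQL Injection"
    severity: str   # a key of SEVERITY_RANK
    path: str
    parameter: str


# Constructed sample findings for one application (not real scan data).
SAMPLE_FINDINGS = [
    Finding("shop", "SQL Injection", "Critical", "/login", "user"),
    Finding("shop", "SQL Injection", "Critical", "/search", "q"),
    Finding("shop", "Cross-Site Scripting", "High", "/search", "q"),
    Finding("shop", "Cross-Site Scripting", "High", "/profile", "name"),
    Finding("shop", "Cross-Site Scripting", "High", "/comments", "body"),
    Finding("shop", "Missing HttpOnly Flag", "Low", "/", "session"),
]


def one_to_one(findings):
    """1:1 strategy: every finding becomes its own defect ticket."""
    return [{"title": f"{f.vuln_type} at {f.path} [{f.parameter}]", "findings": [f]}
            for f in findings]


def bundle_by_type(findings):
    """One defect per (app, vulnerability type); the ticket carries every location."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.app, f.vuln_type)].append(f)
    return [{"title": f"{t}: {len(fs)} location(s) in {app}", "findings": fs}
            for (app, t), fs in groups.items()]


def bundle_by_severity(findings, min_severity="Medium"):
    """One defect per (app, severity) at or above min_severity, worst first.
    Keeps low-severity noise out of the tracker (the 'mature application' case)."""
    groups = defaultdict(list)
    for f in findings:
        if SEVERITY_RANK[f.severity] <= SEVERITY_RANK[min_severity]:
            groups[(f.app, f.severity)].append(f)
    ordered = sorted(groups.items(), key=lambda kv: SEVERITY_RANK[kv[0][1]])
    return [{"title": f"{sev}: {len(fs)} finding(s) in {app}", "findings": fs}
            for (app, sev), fs in ordered]
```

On the sample set the three strategies open six, three and two tickets respectively; the titles and grouped findings are what would be pushed to the defect tracker.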
31. ThreadFix Demo
• Bundling vulnerabilities to create defects
• Tracking development team progress
32. Additional Resources
• Blog post: Security Teams Collaborating with Development Teams
https://threadfix.it/resources/applied-threadfix-effective-security-team-collaboration/
33. Additional Resources
• Videos: Introduction to ThreadFix Tagging
https://threadfix.it/resources/introduction-to-tagging/
https://threadfix.it/resources/introduction-to-tagging-part-2/
35. Additional Resources
36. Security Champions Webinar
• When champions spend time on security stuff they’re not doing development stuff
• Pushing security expertise out into development teams helps
https://www.denimgroup.com/resources/webinar/security-champions-pushing-security-expertise-to-the-edges-of-your-organization/
37. Building a world where technology is trusted.
@denimgroup
www.denimgroup.com