Appsec Basics, concepts, Risk, Sustainable Risk Management. SaaS, Continuous Vulnerability Assessment. Fullstack Assessment with edgescan.com. OWASP web security. Systems development security, Agile security assessment.

1. “Application Security Life
Cycle Management”.

2. Eoin Keary
@eoinkeary
linkedin.com/eoinkeary
• CTO BCC Risk Advisory / edgescan.com
• OWASP GLOBAL BOARD MEMBER (2009-2014)

3. OWASP
“The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-
for-profit charitable organization focused on improving the security of software. Our
mission is to make software security visible, so that individuals and
organizations worldwide can make informed decisions about true software security
risks.”
Publications:
• OWASP Top 10
• OWASP Testing Guide
• OWASP Code Review Guide
• OWASP Application Security Verification Standard (ASVS).

4. Risks to Web Applications

5. A1 - Injection
Description: Injection flaws, such as SQL, OS, and LDAP
injection occur when untrusted data is sent to an
interpreter as part of a command or query.
Impact: The attacker’s hostile data can trick the
interpreter into executing unintended commands or
accessing data without proper authorization.

6. A3 – Cross Site Scripting (XSS)
Description: XSS flaws occur whenever an application
takes untrusted data and sends it to a web browser
without proper validation or escaping.
Impact: XSS allows attackers to execute scripts in the
victim’s browser which can hijack user sessions, deface
web sites, or redirect the user to malicious sites

7. Demo

8. Why Application Security?

9. Threat Actors: Attacker Profiles
Organised Crime – Dedicated. Motivated by profit
Hacktivisim – political, social motivations
“Script kiddies” - curious
Automated scanners/worms – systems used to identify “soft
targets”
Cyber Terrorism – Political motivations
Nation States: Cyber Espionage/APT
Insiders

10. HACKED

11. “(Cyber crime is the) second cause of economic crime experienced by the
financial services sector”
2014 Cyber Crime
• $445 Billion Global
“556 million adults across the world have first-hand experience of cybercrime
-- more than the entire population of the European Union.”
Globally,
every second,
18 adults
become
victims of
cybercrime
- Symantec
“The loss of industrial information and intellectual property
through cyber espionage constitutes the greatest transfer of
wealth in history”
Almost 1 trillion USD was spent in 2014
protecting against cybercrime
Jimmy, I didn’t click it – My
mum
“One
hundred
BILLION
dollars” -
Dr Evil

12. • Banking Malware
– increased by 58 per cent last year compared to the year
before
– Smartphone botnet:
• One “botnet” generated between $1,600 to $9,000 per day, the
report said.
– booming market for exploit kits, malware packaged for
sale and made to be very easy to use
DriDex, Carbanak, Zeus, SpyEye, Citadel, RedKit Exploit Kit, Neutrino Exploit Kit, Sweet Orange
Exploit Kit, CrimePack Exploit Kit  €135 - €500 each!
Increasing Threat

13. - PWC GISS 2015

14. edgescan™ Statistics - 2015
39% of web applications have a crypto flaw
18% of web applications have an XSS flaw
3% of web applications have a SQLI flaw
5% of web applications have an Cmd Injection flaw
Most vulnerable Server: Apache™
7% of Apache servers have a critical vulnerability
0.39
0.18
0.03
0.05
Crypto
XSS
SQL Injection
Cmd Injection
0% 10% 20% 30% 40% 50%
Vulnerability Density

15. • Trend towards Services based Security & Vulnerability Management
• All vulnerabilities are not equal:
Fixing “the right” vulns not all vulns
• SDLC integration: Prevent Vs React
Do More with Less

16. The OWASP Foundation
http://www.owasp.orgTwo weeks of ethical
hacking
Ten man-years of
development
Business
Logic Flaws
Code
Flaws
Security
Errors

17. Metrics: We can measure what problems we have
Measure: We cant improve what we cant measure
Priority: If we can measure we can prioritise
Delta: If we can measure we can detect change
Apply: We can apply our (limited) budget on the right things
Improve: We can improve where it matters……
Value: Demonstrate value to our business
Answer the question: “Are we secure?” < a little better?
Vulnerability Management

18. We know they are bad for us, but who cares, right?
If we eat too many we may get a heart attack? …sound familiar
We also write [in]secure code and deploy insecure systems until we get hacked
The Cheeseburger approach: “Cheeseburger risk’ is the kind of risk you
deliberately take even knowing the consequences, until those consequences
actually come to pass.”
Cheeseburger Security
Cheeseburger Security - Awareness

19. Application
Code
COTS (Commercial
off the shelf
Outsourced
development
Sub-Contractors
Bespoke
outsourced
development
Bespoke Internal
development
Third Party API’s
Third Party
Components &
Systems
Degrees of trust
You may not let some of the people who have developed your code into your offices!!
More Less
Software Food-chain

20. System Topology: Host/Server/Framework
Building bricks – Frameworks / Components
Spring, Jquery, Jade, Angular, Hibernate
13 billion Open source downloads 2014
90% of application code is Open source
63%* don’t monitor component security
43%* don’t have open source policy
* http://www.sonatype.com/about/2014-open-source-software-development-survey

21. Components
Spring (3.0-3.05) – CVE-2011-2894 – Code exe
7,000,000 downloads since vuln discovered
CVSS: 6.8
Apache Xerces2 – CVE-2009-2625 – DoS
4,000,000 downloads since vuln discovered
CVSS: 5
Apache Commons HttpClient 3.x - CVE-2012-5783 – MiTM
4,000,000 downloads since vuln discovered
CVSS: 4.9
Struts2 (2.0-2.3.5) – CVE-2013-2251-Remote Cmd Injection
179,050 downloads since vuln discovered
CVSS: 10

22. “65% of vulnerabilities discovered in 2015 by edgescan were
outside of software development control – Operating System
CVE, Component CVE, Misconfiguration etc ..” - edgescan
Vulnerability Statistics Report 2015

23. “We Can” scale security in the SDLC..
Automation of assessment:
Depth
Coverage / Breadth
Rigour

24. Automation!!
• Jenkins, Hudson, Bamboo
– Event driven
– Scheduled
– Incremental
– Sounds great…. but

25. Accuracy/Information/Context
The “AntiScale”
Risk Context
Business Context
Accuracy
Information Vs Data
Human Decisions and Intel
Technical constraints
-> Chokepoints

26. The “AntiScale”
New languages and programming methods
Growth of interpreted languages with no strong typing
hurts SAST (Javascript, Ruby,…)
Few automated tools to test APIs / RESTful APIs
Testing Window is squeezed, manual testing is doomed!?#

27. AppSec/Component Sec
• “If you're not doing component vulnerability
management you’re not doing appsec…”
– 90% of application code is Open source
• “If you’re not doing full-stack you are not
doing security…”

28. Fighting The “AntiScale”
Accuracy
“Rule Tuning” – DAST & SAST
Build Fails!
White Noise
Real Security Vs “Best Practice”
Updates to Rules
Scale
“Delta Analysis”
Previous Vs Current
Changes
FP’s

29. CI Integration

30. Fighting The “AntiScale” - Delta Analysis
Measure of change in a target environment.
Focusing on change in risk posture compared to last assessment.
-> Closed, New, False Positives

31. Fighting The “AntiScale”;Testing like a
Developer
Break testing into little pieces
– Continuous, on demand
– Testing duration drives testing
frequency
Smoke / Incremental Vs full regression testing
– “Early and Often”

32. edgescan™

34. Onboarding of Assets:
We assess the assets to undergo continuous management.
This in effect includes tuning our assessment tools, rules, approach in order to achieve high asset
assessment coverage and rigour.
We also assess the asset to help make sure the assessment techniques used are production safe.
Technical & Logical Security Assessment.
We assess the assets for both technical vulnerabilities and logical weaknesses.
Our edgescan Advanced license includes behavioural testing and tests which cannot be delivered using
automation.
Our testing covers over 90,000+ CVE’s and also goes beyond the OWAPS Top 10 etc.
Expert Manual Verification & Risk Rating
Our expert analysts verify all discovered vulnerabilities for accuracy.
False Positive Free: Manual verification by our expert security analysts ensures that all application and
network vulnerabilities found are verified as real and ranked by security risk.
This procedure allows for a false positive free vulnerability intelligence for all assets.
Trending / Metrics / Reporting
The edgescan online portal provides 24/7 visibility of security metrics, trending data, key performance
indicators (KPI's) and enables users to generate custom reports to manage and remediate cybersecurity risk.
Our fully extensible API and JIRA integration provides users with the ability to integrate edgescan
vulnerability intelligence into any GRC or bug tracking system.
Continuous Vulnerability Visibility and Intelligence
edgescan provides continuous/on-demand vulnerability management as a managed service. Helping you
identify and fix security weaknesses. - edgescan intelligence

35. Business & Behavioural Testing
At scale:
Can be Difficult to scale…..
Technical Security is covered….Automation
More Time to “Deep Dive”

36. FIN
• We can scale but not everything is [easily] scalable
• Discover Tech Vulns using Tech
• No “Fire and forget” Security
• Lets test to mirror development methodologies
@eoinkeary
eoin@bccriskadvisory.com

37. Thanks for Listening