PROACTIVE SECURITY
CAGLAR SAYIN
WHO I AM
I AM CAGLAR
▸ I am basically a Turkish computer engineer who is focused on security
▸ I am a biker, skier, sailor etc.
▸ Netsparker Web Application Scanner
▸ Norwegian Information Security Lab
▸ Sony
THE LAYOUT
LAYOUT
▸ What is ProActive Security
▸ The Steps
▸ Discovery
▸ Scoping
▸ Assessment
▸ Reporting
▸ Remediation
▸ Training and Awareness
PROACTIVE SECURITY
IT IS BEING SECURE BEFORE BEING ACTED UPON
▸ It is the opposite of reactive security
▸ It tries to mitigate and prevent risk
▸ It gives you the chance to estimate the future
▸ Estimating the future gives you the chance to do response planning
PLANS ARE NOTHING;
PLANNING IS EVERYTHING.
Dwight D. Eisenhower
OTHERS’ PLANS ARE NOT YOURS
STEPS
THE STEPS OF PROACTIVE SECURITY
▸ Risk Assessment
▸ Impact Analysis
▸ Risk Prevention
▸ Risk Mitigation
▸ Threat Analysis
▸ Planning Response
WORK ON XYZ COMPANY
VULNERABILITY DISCOVERY
VULNERABILITY DISCOVERY
▸ Working on Our Own Test Env
▸ Attack Surface
▸ Automated Vulnerability and Attack Surface Discovery
▸ Manual Vulnerability Discovery
▸ Instant Vulnerability Discovery and DevOps Harmony
OWN ENVIRONMENT
WHY WE NEED TO WORK ON OUR OWN ENVIRONMENT
▸ We must work on a dead planet with living data on it
▸ It will be like UAT or integration tests
▸ Cloud services do not permit us to test on their platform
▸ Testing on production could result in data loss or functional defects in the application
▸ All security parameters must be turned off to test the application itself
OWN ENVIRONMENT
WORKING ON OUR OWN ENVIRONMENT
▸ Code must be a frozen copy of the production environment
▸ If not, it could result in inconsistent test results
▸ We should touch all available features, and they must be activated
▸ It will be like UAT or integration tests, to provide test accuracy
ATTACK SURFACE ANALYSIS
ATTACK SURFACE ANALYSIS IS TO
▸ Understand the risk areas in an application
▸ Make developers and security specialists aware of what parts of the application are open to attack
▸ Find ways of minimising this
▸ Notice when and how the attack surface changes and what this means from a risk perspective
DEVELOPERS + SECURITY ENGINEERS
=
BEST ATTACK SURFACE ANALYSIS
ATTACK SURFACE ANALYSIS
ATTACK SURFACE IN THEORY
▸ the sum of all paths for data/commands into and out of the application, and
▸ the code that protects these paths (including resource connection and authentication, authorisation, activity logging, data validation and encoding), and
▸ all valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and PII, and
▸ the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).
ATTACK SURFACE ANALYSIS
ATTACK SURFACE IN PRACTICE
▸ Network-facing, especially internet-facing code
▸ Web forms
▸ Files from outside of the network
▸ Backwards compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test multiple versions
▸ Custom APIs – protocols etc. – likely to have mistakes in design and implementation
▸ Security code: anything to do with cryptography, authentication, authorization (access control) and session management
ATTACK SURFACE ANALYSIS
GIT DIFF MASTER MASTER~1
▸ What has changed?
▸ What are you doing different?
▸ What holes could you have opened?
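The three questions on this slide can be asked of the diff mechanically before a human reads it. The script below is an added example, not code from the deck: it parses unified-diff text (as `git diff master~1 master` prints it), maps each changed file onto the attack-surface areas listed on the previous slides, and lists added lines a reviewer should look at first. The path patterns, the line patterns and the sample diff are assumptions constructed for illustration, not a standard.

```python
"""Attack-surface triage of a commit: what changed, and where could it
have opened a hole?  Added example; path and line patterns are assumed."""
import re
from collections import defaultdict

# Attack-surface areas from the deck, mapped to path patterns of a
# hypothetical code base (assumption, adjust to your layout).
SURFACE_PATTERNS = {
    "security code (auth/authz/session/crypto)": r"(auth|session|crypto|token|password|acl|permission)",
    "network-facing / API code": r"(api|handlers?|routes?|controllers?|views?|endpoint)",
    "web forms": r"(forms?|templates?)",
    "files from outside the network": r"(upload|import|parsers?|ingest)",
    "backwards-compatible interfaces": r"(legacy|compat|v1)",
}

# Added lines that deserve a reviewer's eye (assumed, illustrative heuristics).
RISKY_LINE_PATTERNS = {
    "TLS verification disabled": r"verify\s*=\s*False|CERT_NONE",
    "new HTTP route exposed": r"@\w+\.route\(|add_url_rule\(|@router\.(get|post|put|delete)\(",
    "dynamic code execution": r"\b(eval|exec)\s*\(",
    "shell command with shell=True": r"shell\s*=\s*True",
    "unsafe deserialisation": r"pickle\.loads?\(|yaml\.load\((?![^)]*Loader)",
    "authorisation check removed or bypassed": r"(skip|disable|bypass)_?(auth|authz|acl)",
}


def parse_diff(diff_text):
    """Return {path: [added line text, ...]} from unified-diff text."""
    files = defaultdict(list)
    current = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].strip()
            current = path[2:] if path.startswith("b/") else path
            files.setdefault(current, [])
        elif line.startswith("+") and not line.startswith("+++") and current:
            files[current].append(line[1:])
    return dict(files)


def classify_path(path):
    """Attack-surface areas a changed file belongs to (possibly several)."""
    return [name for name, pat in SURFACE_PATTERNS.items() if re.search(pat, path, re.I)]


def triage(diff_text):
    """Per changed file: its surface areas and flagged added lines."""
    report = {}
    for path, added in parse_diff(diff_text).items():
        flags = [(name, text.strip())
                 for text in added
                 for name, pat in RISKY_LINE_PATTERNS.items()
                 if re.search(pat, text, re.I)]
        report[path] = {"surface": classify_path(path), "flags": flags}
    return report


# Constructed sample diff (not from any real repository).
SAMPLE_DIFF = """\
diff --git a/app/auth/session.py b/app/auth/session.py
--- a/app/auth/session.py
+++ b/app/auth/session.py
@@ -10,6 +10,7 @@ def login(user, password):
     token = issue_token(user)
+    SKIP_AUTH_CHECK = True  # temporary for debugging
     return token
diff --git a/app/api/export.py b/app/api/export.py
--- a/app/api/export.py
+++ b/app/api/export.py
@@ -1,4 +1,8 @@
 import requests
+@app.route("/api/v2/export", methods=["POST"])
+def export():
+    return requests.get(url, verify=False).text
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -1,2 +1,3 @@
+- Added export endpoint
"""

if __name__ == "__main__":
    for path, info in triage(SAMPLE_DIFF).items():
        print(path, "->", info["surface"] or "outside listed attack surface")
        for name, text in info["flags"]:
            print("   ", name, ":", text)
```

In a pipeline this would run on `git diff --unified=0 master~1 master` output; a file that lands in a listed surface area, or any flagged line, is a cue to route the change to a security engineer rather than a reason to block on its own.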
AUTOMATED VULNERABILITY DISCOVERY
AUTOMATED VULNERABILITY DISCOVERY
▸ They try far more payloads than a person ever could
▸ These tools have been developed by many people over many years
▸ THEY ARE FAST, REALLY FAST
▸ THEY ARE PRACTICAL
▸ They are patient and tolerant
▸ They can be improved with targeted configuration
▸ False positive rates are really high
MANUAL VULNERABILITY DISCOVERY
MANUAL VULNERABILITY DISCOVERY
▸ I know my application better than they do
▸ Some vulnerabilities can only be tested manually
▸ I am more intuitive
▸ I am holistic
▸ It is slow
INSTANT APPROACH
INSTANT APPROACH KEYWORDS
▸ Static security testing that is part of the CI process or even the coding phase (Checkmarx)
▸ Dynamic security testing (Skipfish, Arachni)
▸ Wrapper tools that combine them
▸ BDD-Security
▸ Gauntlt
▸ Mittn
▸ Strider :)
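What the wrapper tools above have in common is a gate: run the scanners in CI, suppress the findings a human has already judged to be false positives (the deck notes those rates are high), and fail the build on what remains. The following is an added example of that gate, not code from the deck or from BDD-Security, Gauntlt or Mittn. It assumes findings have been normalised into dicts with `rule`, `location`, `parameter` and `severity` fields; those names, the severity scale, the allowlist format and the sample data are constructed for illustration.

```python
"""CI security gate with a reviewed, expiring false-positive allowlist.
Added example; field names and sample findings are assumptions."""
import hashlib
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(finding):
    """Stable id for a finding: same rule, same location, same parameter.
    Run-specific details (timestamps, payloads) are left out on purpose so
    a reviewed false positive stays suppressed across scanner runs."""
    key = "|".join([finding["rule"], finding["location"], finding.get("parameter", "")])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def evaluate_gate(findings, allowlist, threshold="medium", today=None):
    """Return (passed, blocking_findings, expired_allowlist_entries).

    Allowlist entries expire so that a suppressed finding is re-reviewed
    instead of being forgotten; expired entries no longer suppress."""
    today = today or date.today()
    active, expired = {}, []
    for entry in allowlist:
        (expired.append if entry["expires"] < today else
         lambda e: active.__setitem__(e["fingerprint"], e))(entry)
    blocking = []
    for finding in findings:
        fp = fingerprint(finding)
        if fp in active:
            continue
        if SEVERITY_RANK[finding["severity"]] >= SEVERITY_RANK[threshold]:
            blocking.append({**finding, "fingerprint": fp})
    return len(blocking) == 0, blocking, expired


# Constructed sample output of a hypothetical scanner wrapper.
SAMPLE_FINDINGS = [
    {"rule": "reflected_xss", "location": "/search", "parameter": "q",
     "severity": "high", "evidence": "payload reflected in JSON body"},
    {"rule": "sql_injection", "location": "/api/items", "parameter": "id",
     "severity": "high", "evidence": "boolean-based difference"},
    {"rule": "missing_security_header", "location": "/", "parameter": "",
     "severity": "low", "evidence": "no X-Content-Type-Options"},
]

# Constructed allowlist: the XSS was reviewed and found to be a false positive
# (response is application/json, never rendered); the second entry is stale.
SAMPLE_ALLOWLIST = [
    {"fingerprint": fingerprint(SAMPLE_FINDINGS[0]),
     "reason": "JSON response, not rendered as HTML", "reviewer": "appsec",
     "expires": date(2024, 6, 30)},
    {"fingerprint": "PLACEHOLDER_OLD_FINDING", "reason": "fixed in release 1.2",
     "reviewer": "appsec", "expires": date(2023, 12, 31)},
]

if __name__ == "__main__":
    passed, blocking, expired = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_ALLOWLIST,
                                              today=date(2024, 1, 15))
    print("build passed:", passed)
    for b in blocking:
        print("BLOCKING", b["severity"], b["rule"], b["location"], b["fingerprint"])
    for e in expired:
        print("allowlist entry expired, re-review:", e["fingerprint"])
```

The gate fails here on the SQL injection alone: the reflected XSS is suppressed by a live allowlist entry and the header finding sits below the medium threshold. Raising `threshold` to `"critical"` lets the same run pass, which is the knob a team turns while it works down an initial backlog.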
SCOPING
SCOPING WITH TIERED TEST APPROACH
▸ Tier 4 test - 1 day
▸ Tier 3 test - 3 days
▸ Tier 2 test - 1 week
▸ Tier 1 Premium test - 3 weeks
SCOPING
TIER 4 TEST
▸ It will only take 1 day, a quick test
▸ It will cover automated tool tests on the consumer-facing web application, API and API dashboard
▸ It will not cover the XYZ internal dashboard
▸ It will not cover the message queue, SQL DB or Hadoop, because they are already restricted from the internet
▸ It will include false positive checks on the outputs of the automated tools
SCOPING
TIER 3 TEST
▸ It will only take 3 days, a medium-ranged test
▸ It will cover all the things in tier 4
▸ It will cover business logic assessments and some authentication and authorisation attacks
▸ It will cover attacks on the authentication face of the internal dashboard
SCOPING
TIER 2 TEST
▸ It will take 1 week, a normal-ranged test
▸ It will cover all the things in tier 3
▸ Architectural analysis is involved in this tier
▸ API attack vectors will be prepared manually
▸ A manual web pentest will take place
▸ The interactions and connections between nodes will be checked; they must be encrypted
▸ It will cover remote attacks like reflected XSS and CSRF against the internal dashboard, to protect employees from spear phishing attacks
SCOPING
TIER 1 PREMIUM TEST
▸ It will take 3 weeks or more
▸ It will cover all the things in tier 2
▸ It will cover threat modelling (threat vectors or trees)
▸ It will cover configuration analysis
▸ It will cover static code analysis and will combine the results with manual assessment
▸ It will cover all network tests and internal web tests
PENTEST LOGS
PENETRATION TESTERS ARE RESPONSIBLE FOR THEIR OWN LOGS
▸ Testers must record their own logs on their own computers
▸ Network-level logging devices must store their own logs
▸ Network logging must be accountable, which means we must authenticate people and stamp their ID onto the logs
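One way to make a tester's own log accountable in the sense this slide asks for is to stamp every entry with the authenticated tester ID and chain the entries by hash, so that nothing can be quietly altered after the fact. The code below is an added example, not from the deck. It assumes the caller has already authenticated the tester (the deck's requirement) and passes a verified `tester_id`; the record layout and sample entries are constructed. Tamper evidence holds only if the latest chain hash is also kept somewhere the tester cannot rewrite, for instance on the network-level logging device the slide mentions.

```python
"""Hash-chained, tester-stamped pentest log.  Added example; record
layout and sample entries are constructed for illustration."""
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry


def _entry_hash(entry):
    """Hash the recorded fields in canonical JSON (stable key order, no spaces)."""
    body = {k: entry[k] for k in ("seq", "ts", "tester_id", "action", "prev")}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append_entry(log, tester_id, action, ts):
    """Append one entry linked to its predecessor; returns the new entry."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "ts": ts, "tester_id": tester_id,
             "action": action, "prev": prev}
    entry["hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(log):
    """(True, len(log)) if every link holds, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev or _entry_hash(entry) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, len(log)


def head_matches(log, recorded_head):
    """Compare the chain head with an independently stored copy.  This is
    what catches truncation (dropping the last entries), which a chain
    check on its own cannot detect."""
    return bool(log) and log[-1]["hash"] == recorded_head


def build_sample_log():
    """Constructed sample session; IDs and timestamps are illustrative."""
    log = []
    append_entry(log, "tester-01", "scope confirmed: consumer web app, API", "2016-03-01T09:00:00Z")
    append_entry(log, "tester-01", "automated scan started against staging", "2016-03-01T09:05:00Z")
    append_entry(log, "tester-02", "manual review of login flow", "2016-03-01T10:30:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log), "head:", log[-1]["hash"][:16])
    log[1]["action"] = "nothing happened"
    print("after edit:", verify_chain(log))
```

Each tester keeps a chain like this on their own machine and hands the head hash to the central logging device at the end of the day; the two together give the accountability the slide asks for without trusting the tester's laptop after the engagement.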
EVIDENCE
VULNERABILITY EVIDENCE IS CONTROVERSIAL
▸ Yes, it is controversial, but it must be concrete
▸ Present your arguments as cleanly as possible
▸ Some vulnerabilities are theoretical and cannot be exploited; they must be shown with a trusted reference
REPORTING
REPORTING ESSENTIALS
▸ Testing Team details
▸ Network Details
▸ Scope of test
▸ Executive Summary
▸ Technical Summary
REPORTING
STEPS MUST BE EXPLAINED IN TECHNICAL REPORT
▸ Reconnaissance & Enumeration
▸ Scanning
▸ Obtaining Access
▸ Maintaining Access
▸ Erasing Evidence
REPORTING
MY OPINIONS
▸ Nobody reads reports
▸ They must be precise and concise
▸ They must be more interactive
▸ Check out Dradis and Faraday
APPSEC PIPELINE
REMEDIATION ESSENTIALS
ESSENTIALS
▸ The location of the vulnerability should affect the remediation timeframe
▸ The CVSS score could be used as the base for developing our own scoring system
▸ Vulnerabilities claimed as fixed must be retested
▸ Remediation methods should be shaped by security engineers
TRAINING AND AWARENESS
TRAININGS
▸ Basic security awareness and knowledge for EVERYONE
▸ The system must be ready to be secure before the people are
▸ The paper "A Conceptual Framework to Study Socio-Technical Security" by Ana Ferreira, Jean-Louis Huynen, Vincent Koenig and Gabriele Lenzini must be checked
▸ Holistic approach: statistics from vulnerability discovery should be taken into account
TRAINING
SECURITY AWARENESS PROGRAMS
▸ Teammentor - guide to remediation
▸ Secure development guidelines
▸ Hackathon - CTF for developers
▸ Coursera
▸ Brown bag sessions for repeated issues
▸ A "chosen books are free, but shipping is excluded" model
THANKS
▸ Thank you
▸ Thanks to OWASP
▸ Thanks for the insights of Carnegie Mellon University
▸ Thanks to pentest-standard.org
▸ Thanks to vulnerabilityassessment.co.uk
MORE
FOR MORE
▸ For more about business cases and management situations

More Related Content

What's hot

Incident Response Whitepaper - AlienVault
Incident Response Whitepaper - AlienVaultIncident Response Whitepaper - AlienVault
Incident Response Whitepaper - AlienVaultJermund Ottermo
 
Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesRoger Johnston
 
Continuous Security - Thunderplains 2016
Continuous Security - Thunderplains 2016Continuous Security - Thunderplains 2016
Continuous Security - Thunderplains 2016Adam Baldwin
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scaleEoin Keary
 
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartPatricia Aas
 
Secure Code Reviews
Secure Code ReviewsSecure Code Reviews
Secure Code ReviewsMarco Morana
 
Risk assessment Presentation by Affygility Solutions
Risk assessment Presentation by Affygility SolutionsRisk assessment Presentation by Affygility Solutions
Risk assessment Presentation by Affygility SolutionsDean Calhoun
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Achim D. Brucker
 
Building a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the CloudBuilding a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the CloudProtectWise
 
ChaoSlingr: Introducing Security-Based Chaos Testing
ChaoSlingr: Introducing Security-Based Chaos TestingChaoSlingr: Introducing Security-Based Chaos Testing
ChaoSlingr: Introducing Security-Based Chaos TestingPriyanka Aash
 
More Aim, Less Blame: How to use postmortems to turn failures into something ...
More Aim, Less Blame: How to use postmortems to turn failures into something ...More Aim, Less Blame: How to use postmortems to turn failures into something ...
More Aim, Less Blame: How to use postmortems to turn failures into something ...Daniel Kanchev
 
Information Security Life Cycle
Information Security Life CycleInformation Security Life Cycle
Information Security Life Cyclevulsec123
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpConJorge Orchilles
 
Splunk live nyc_2017_sec_buildinganalyticsdrivensoc
Splunk live nyc_2017_sec_buildinganalyticsdrivensocSplunk live nyc_2017_sec_buildinganalyticsdrivensoc
Splunk live nyc_2017_sec_buildinganalyticsdrivensocRene Aguero
 
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017FRSecure
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Kymberlee Price
 

What's hot (18)

Incident Response Whitepaper - AlienVault
Incident Response Whitepaper - AlienVaultIncident Response Whitepaper - AlienVault
Incident Response Whitepaper - AlienVault
 
Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the Vulnerabilities
 
Continuous Security - Thunderplains 2016
Continuous Security - Thunderplains 2016Continuous Security - Thunderplains 2016
Continuous Security - Thunderplains 2016
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scale
 
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
 
Secure Code Reviews
Secure Code ReviewsSecure Code Reviews
Secure Code Reviews
 
Risk assessment Presentation by Affygility Solutions
Risk assessment Presentation by Affygility SolutionsRisk assessment Presentation by Affygility Solutions
Risk assessment Presentation by Affygility Solutions
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
 
Building a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the CloudBuilding a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the Cloud
 
ChaoSlingr: Introducing Security-Based Chaos Testing
ChaoSlingr: Introducing Security-Based Chaos TestingChaoSlingr: Introducing Security-Based Chaos Testing
ChaoSlingr: Introducing Security-Based Chaos Testing
 
More Aim, Less Blame: How to use postmortems to turn failures into something ...
More Aim, Less Blame: How to use postmortems to turn failures into something ...More Aim, Less Blame: How to use postmortems to turn failures into something ...
More Aim, Less Blame: How to use postmortems to turn failures into something ...
 
Information Security Life Cycle
Information Security Life CycleInformation Security Life Cycle
Information Security Life Cycle
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpCon
 
Splunk live nyc_2017_sec_buildinganalyticsdrivensoc
Splunk live nyc_2017_sec_buildinganalyticsdrivensocSplunk live nyc_2017_sec_buildinganalyticsdrivensoc
Splunk live nyc_2017_sec_buildinganalyticsdrivensoc
 
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 

Similar to ProActive Security

Security champions v1.0
Security champions v1.0Security champions v1.0
Security champions v1.0Dinis Cruz
 
Next generation security analytics
Next generation security analyticsNext generation security analytics
Next generation security analyticsChristian Have
 
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...DevOpsDays Tel Aviv
 
Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Dinis Cruz
 
Devops (start walking in the same direction) by ops
Devops (start walking in the same direction) by opsDevops (start walking in the same direction) by ops
Devops (start walking in the same direction) by opsDemis Rizzotto
 
Application security testing in the age of Agile development - by Julio Cesar...
Application security testing in the age of Agile development - by Julio Cesar...Application security testing in the age of Agile development - by Julio Cesar...
Application security testing in the age of Agile development - by Julio Cesar...Blaze Information Security
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCRahul Raghavan
 
Jim Geovedi - Machine Learning for Cybersecurity
Jim Geovedi - Machine Learning for CybersecurityJim Geovedi - Machine Learning for Cybersecurity
Jim Geovedi - Machine Learning for Cybersecurityidsecconf
 
An Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentAn Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentChristopher Frenz
 
Network Vulnerability Assessment: Key Decision Points
Network Vulnerability Assessment: Key Decision PointsNetwork Vulnerability Assessment: Key Decision Points
Network Vulnerability Assessment: Key Decision PointsPivotPointSecurity
 
Increasing Value Of Security Assessment Services
Increasing Value Of Security Assessment ServicesIncreasing Value Of Security Assessment Services
Increasing Value Of Security Assessment ServicesChris Nickerson
 
Enterprise security management II
Enterprise security management   IIEnterprise security management   II
Enterprise security management IIzapp0
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operationsPiyush Jain
 
Application Security from the Inside Out
Application Security from the Inside OutApplication Security from the Inside Out
Application Security from the Inside OutUlisses Albuquerque
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Stefan Streichsbier
 

Similar to ProActive Security (20)

Security champions v1.0
Security champions v1.0Security champions v1.0
Security champions v1.0
 
Next generation security analytics
Next generation security analyticsNext generation security analytics
Next generation security analytics
 
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
 
Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)
 
Testing 101
Testing 101Testing 101
Testing 101
 
Devops (start walking in the same direction) by ops
Devops (start walking in the same direction) by opsDevops (start walking in the same direction) by ops
Devops (start walking in the same direction) by ops
 
Application security testing in the age of Agile development - by Julio Cesar...
Application security testing in the age of Agile development - by Julio Cesar...Application security testing in the age of Agile development - by Julio Cesar...
Application security testing in the age of Agile development - by Julio Cesar...
 
Backtrack manual Part1
Backtrack manual Part1Backtrack manual Part1
Backtrack manual Part1
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLC
 
Jim Geovedi - Machine Learning for Cybersecurity
Jim Geovedi - Machine Learning for CybersecurityJim Geovedi - Machine Learning for Cybersecurity
Jim Geovedi - Machine Learning for Cybersecurity
 
An Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentAn Introduction to Secure Application Development
An Introduction to Secure Application Development
 
Web application Testing
Web application TestingWeb application Testing
Web application Testing
 
Network Vulnerability Assessment: Key Decision Points
Network Vulnerability Assessment: Key Decision PointsNetwork Vulnerability Assessment: Key Decision Points
Network Vulnerability Assessment: Key Decision Points
 
Increasing Value Of Security Assessment Services
Increasing Value Of Security Assessment ServicesIncreasing Value Of Security Assessment Services
Increasing Value Of Security Assessment Services
 
Enterprise security management II
Enterprise security management   IIEnterprise security management   II
Enterprise security management II
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
 
Penetration Testing Guide
Penetration Testing GuidePenetration Testing Guide
Penetration Testing Guide
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
 
Application Security from the Inside Out
Application Security from the Inside OutApplication Security from the Inside Out
Application Security from the Inside Out
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
 

Recently uploaded

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 

Recently uploaded (20)

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

ProActive Security

ATTACK SURFACE ANALYSIS
ATTACK SURFACE IS TO
▸ Understand the risk areas in an application
▸ Make developers and security specialists aware of what parts of the application are open to attack
▸ Find ways of minimising this
▸ Notice when and how the attack surface changes and what this means from a risk perspective
DEVELOPERS + SECURITY ENGINEERS = BEST ATTACK SURFACE ANALYSIS
ATTACK SURFACE ANALYSIS
ATTACK SURFACE IN THEORY
▸ The sum of all paths for data/commands into and out of the application, and
▸ The code that protects these paths (including resource connection and authentication, authorisation, activity logging, data validation and encoding), and
▸ All valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and PII, and
▸ The code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls)
ATTACK SURFACE ANALYSIS
ATTACK SURFACE IN PRACTICE
▸ Network-facing, especially internet-facing code
▸ Web forms
▸ Files from outside of the network
▸ Backwards-compatible interfaces with other systems: old protocols, sometimes old code and libraries; hard to maintain and test multiple versions
▸ Custom APIs, protocols etc.: likely to have mistakes in design and implementation
▸ Security code: anything to do with cryptography, authentication, authorization (access control) and session management
ATTACK SURFACE ANALYSIS
GIT DIFF MASTER MASTER~1
▸ What has changed?
▸ What are you doing differently?
▸ What holes could you have opened?
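To make the "what has changed?" question answerable per commit, the diff can be triaged against the attack-surface categories from the slides above. The following is an added example, not code from the deck; the path patterns, the "risky addition" patterns and the sample diff are constructed assumptions for a hypothetical project, and in practice the diff text would come from `git diff master~1 master`.

```python
import re
from collections import defaultdict

# Hypothetical path patterns for the categories on the "attack surface in practice" slide.
SURFACE_PATTERNS = {
    "security code (auth/crypto/session)": r"auth|login|session|crypt|token|password",
    "custom API / protocol": r"/api/|protocol|rpc",
    "web forms / request handling": r"forms?|views?|controllers?|handlers?",
    "files from outside the network": r"upload|import|parser",
    "backward-compatible interfaces": r"legacy|/v1/|compat",
}
# Added lines that typically widen the surface or weaken a control (assumed patterns).
RISKY_ADDITIONS = re.compile(r"@app\.route|@csrf_exempt|verify\s*=\s*False|eval\(|pickle\.loads")

# Constructed sample diff, standing in for the output of `git diff master~1 master`.
SAMPLE_DIFF = """\
+++ b/app/api/export.py
@@ -1,3 +1,5 @@
 import requests
+@app.route("/api/export", methods=["POST"])
+def export(): return requests.get(url, verify=False)
+++ b/docs/README.md
@@ -1 +1,2 @@
 # docs
+Updated wording.
"""

def changed_paths(diff_text):
    """Paths of the files changed in a unified diff (taken from the `+++ b/` headers)."""
    return [l[6:] for l in diff_text.splitlines() if l.startswith("+++ b/")]

def classify_paths(paths):
    """Map each attack-surface category to the changed paths that match it."""
    hits = defaultdict(list)
    for path in paths:
        for category, pattern in SURFACE_PATTERNS.items():
            if re.search(pattern, path, re.IGNORECASE):
                hits[category].append(path)
    return dict(hits)

def risky_added_lines(diff_text):
    """(path, line) for every added line matching RISKY_ADDITIONS; context and removed lines are ignored."""
    current, findings = None, []
    for line in diff_text.splitlines():
        if line.startswith("+++ b/"):
            current = line[6:]
        elif line.startswith("+") and RISKY_ADDITIONS.search(line):
            findings.append((current, line[1:].strip()))
    return findings
```

Paths that hit a category and the flagged added lines are what the developer and the security engineer walk through together; the README change falls out of the review.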
AUTOMATED VULNERABILITY DISCOVERY
AUTOMATED VULNERABILITY DISCOVERY
▸ They try far more payloads than a person ever could
▸ These tools have been developed by many people over many years
▸ THEY ARE FAST, REALLY FAST
▸ THEY ARE PRACTICAL
▸ They are patient and tolerant
▸ They can be improved with targeted configuration
▸ False positive rates are really high
MANUAL VULNERABILITY DISCOVERY
MANUAL VULNERABILITY DISCOVERY
▸ I know my application better than they do
▸ There are some vulnerabilities that can only be tested manually
▸ I am more intuitive
▸ I am holistic
▸ It is slow
INSTANT APPROACH
INSTANT APPROACH KEYWORDS
▸ Static security testing integrated into the CI process or even the coding phase (Checkmarx)
▸ Dynamic security testing (Skipfish, Arachni)
▸ Wrapper tools to combine them:
▸ BDD-Security
▸ Gauntlt
▸ Mittn
▸ Strider :)
SCOPING
SCOPING WITH TIERED TEST APPROACH
▸ Tier 4 test - 1 day
▸ Tier 3 test - 3 days
▸ Tier 2 test - 1 week
▸ Tier 1 Premium test - 3 weeks
SCOPING
TIER 4 TEST
▸ It will only take 1 day: a quick test
▸ It will cover automated tool tests on the consumer-facing web application, API and API dashboard
▸ It will not cover the XYZ internal dashboard
▸ It will not cover the message queue, SQL DB or Hadoop, because they are already restricted from the internet
▸ It will include false positive checks on the output of the automated tool results
SCOPING
TIER 3 TEST
▸ It will only take 3 days: a medium-range test
▸ It will cover all the things in Tier 4
▸ It will cover business logic assessments and some authentication and authorisation attacks
▸ It will cover attacks on the authentication phase of the internal dashboard
SCOPING
TIER 2 TEST
▸ It will only take 1 week: a normal-range test
▸ It will cover all the things in Tier 3
▸ Architectural analysis is involved in this tier
▸ API attack vectors will be prepared manually
▸ A manual web pentest will take place
▸ The interactions and connections between nodes will be checked; they must be encrypted
▸ It will cover remote attacks like reflected XSS and CSRF against the internal dashboard, to protect employees from spear phishing attacks
SCOPING
TIER 1 PREMIUM TEST
▸ It will take 3 weeks or more
▸ It will cover all the things in Tier 2
▸ It will cover threat modelling (threat vectors or threat trees)
▸ It will cover configuration analysis
▸ It will cover static code analysis and will combine the results with manual assessment
▸ It will cover all network tests and internal web tests
PENTEST LOGS
PENETRATION TESTERS ARE RESPONSIBLE FOR THEIR OWN LOGS
▸ Testers must record their own logs on their own computers
▸ Network-level logging devices must store their own logs
▸ Network logging must be accountable, which means we must authenticate people and stamp their ID onto the logs
EVIDENCE
VULNERABILITY EVIDENCE IS CONTROVERSIAL
▸ Yes, it is controversial, but it must be concrete
▸ Show your arguments as cleanly as possible
▸ Some vulnerabilities are theoretical and cannot be exploited; these must be shown with a trustworthy reference
REPORTING
REPORTING ESSENTIALS
▸ Testing team details
▸ Network details
▸ Scope of test
▸ Executive summary
▸ Technical summary
REPORTING
STEPS THAT MUST BE EXPLAINED IN THE TECHNICAL REPORT
▸ Reconnaissance & enumeration
▸ Scanning
▸ Obtaining access
▸ Maintaining access
▸ Erasing evidence
REPORTING
MY OPINIONS
▸ Nobody reads reports
▸ They must be precise and concise
▸ They must be more interactive
▸ Check out Dradis and Faraday
REMEDIATION ESSENTIALS
ESSENTIALS
▸ The location of the vulnerability should affect the remediation timeframe
▸ The CVSS score could be used as a base to develop our own scoring system
▸ Vulnerabilities claimed as fixed must be retested
▸ Remediation methods should be shaped by security engineers
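One way to turn the remediation essentials above into a scoring rule: start from the CVSS base score, scale it by where the vulnerability sits (the tiers above distinguish the internet-facing consumer app from internal, internet-restricted systems), derive a deadline, and refuse to close a finding until the retest has passed. This is an added example, not the deck's own method; the location factors and SLA days are assumed values to be replaced by your own policy.

```python
from dataclasses import dataclass

# Assumed exposure factors: the deck ties the remediation window to the vulnerability's location
# (internet-facing consumer app vs. internal, internet-restricted systems such as MQ, SQL, Hadoop).
LOCATION_FACTOR = {
    "internet-facing": 1.0,   # consumer web app, public API
    "authenticated": 0.8,     # reachable only after login, e.g. the API dashboard
    "internal": 0.5,          # internal dashboard, message queue, SQL DB, Hadoop
}
# Assumed remediation deadlines in days for each derived priority.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    title: str
    cvss_base: float          # CVSS base score (0.0-10.0) used as the starting point
    location: str             # one of the LOCATION_FACTOR keys
    claimed_fixed: bool = False
    retested_ok: bool = False

def adjusted_score(f):
    """CVSS base score scaled by exposure, clamped to the CVSS 0-10 range."""
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    return round(min(10.0, f.cvss_base * LOCATION_FACTOR[f.location]), 1)

def priority(f):
    """Bucket the adjusted score using the CVSS v3 qualitative severity cut-offs."""
    s = adjusted_score(f)
    if s >= 9.0:
        return "critical"
    if s >= 7.0:
        return "high"
    if s >= 4.0:
        return "medium"
    return "low"

def remediation_plan(f):
    """Priority, deadline in days, and the finding's status in the remediation cycle."""
    p = priority(f)
    # A fix claimed by the team does not close the finding until the retest passes.
    if f.claimed_fixed and f.retested_ok:
        status = "closed"
    elif f.claimed_fixed:
        status = "retest pending"
    else:
        status = "open"
    return {"title": f.title, "priority": p, "deadline_days": SLA_DAYS[p], "status": status}
```

The same CVSS 9.8 injection lands as "critical, 7 days" on the public search form and as "medium, 90 days" in an internal reporting tool, which is the location effect the slide asks for.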
TRAINING AND AWARENESS
TRAININGS
▸ Basic security awareness and knowledge for EVERYONE
▸ The system must be ready to be secure before the people are
▸ The paper "A Conceptual Framework to Study Socio-Technical Security" by Ana Ferreira, Jean-Louis Huynen, Vincent Koenig and Gabriele Lenzini should be read
▸ Holistic approach: statistics from vulnerability discovery should be taken into account
TRAINING
SECURITY AWARENESS PROGRAMS
▸ TeamMentor - guide to remediation
▸ Secure development guidelines
▸ Hackathon - CTF for developers
▸ Coursera
▸ Brown bag sessions for repeated issues
▸ "Chosen books are free, but shipping is excluded" model
THANKS
THANKS
▸ Thank you
▸ Thanks to OWASP
▸ Thanks for the insights of Carnegie Mellon University
▸ Thanks to pentest-standard.org
▸ Thanks to vulnerabilityassessment.co.uk
MORE
FOR MORE
▸ For more about business cases and management situations