2. WHO I AM
I AM CAGLAR
▸ I am basically a Turkish computer engineer who focuses on security
▸ I am a biker, skier, sailor, etc.
▸ Netsparker Web Application Scanner
▸ Norwegian Information Security Lab
▸ Sony
3. THE LAYOUT
LAYOUT
▸ What is ProActive Security
▸ The Steps
▸ Discovery
▸ Scoping
▸ Assessment
▸ Reporting
▸ Remediation
▸ Training and Awareness
4. PROACTIVE SECURITY
IT IS BEING SECURE BEFORE BEING ACTED UPON
▸ It is the opposite of reactive security
▸ It tries to mitigate and prevent risk
▸ It gives you the chance to estimate the future
▸ Estimating the future gives you the chance to do response planning
8. VULNERABILITY DISCOVERY
VULNERABILITY DISCOVERY
▸ Working on Our Own Test Env
▸ Attack Surface
▸ Automated Vulnerability and Attack Surface Discovery
▸ Manual Vulnerability Discovery
▸ Instant Vulnerability Discovery and DevOps Harmony
9. OWN ENVIRONMENT
WHY WE NEED TO WORK ON OUR OWN ENVIRONMENT
▸ We must work on a dead planet with living data on it
▸ It will be like UAT or integration tests
▸ Cloud services do not permit us to test on their platform
▸ Testing on production could result in data loss or functional defects in the application
▸ All security parameters must be turned off to test the application itself specifically
10. OWN ENVIRONMENT
WORKING ON OUR OWN ENVIRONMENT
▸ Code must be a frozen copy of the production environment
▸ If not, it could produce inconsistent test results
▸ We should exercise all available features, and all of them must be activated
▸ It will be like UAT or integration tests, to provide test accuracy
11. ATTACK SURFACE ANALYSIS
ATTACK SURFACE ANALYSIS IS TO
▸ Understand the risk areas in an application
▸ Make developers and security specialists aware of what parts of the application are open to attack
▸ Find ways of minimising this
▸ Notice when and how the attack surface changes and what this means from a risk perspective
13. ATTACK SURFACE ANALYSIS
ATTACK SURFACE IN THEORY
▸ the sum of all paths for data/commands into and out of the application, and
▸ the code that protects these paths (including resource connection and authentication, authorisation, activity logging, data validation and encoding), and
▸ all valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and PII, and
▸ the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).
14. ATTACK SURFACE ANALYSIS
ATTACK SURFACE IN PRACTICE
▸ Network-facing, especially internet-facing code
▸ Web forms
▸ Files from outside of the network
▸ Backwards compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test across multiple versions
▸ Custom APIs – protocols etc. – likely to have mistakes in design and implementation
▸ Security code: anything to do with cryptography, authentication, authorization (access control) and session management
15. ATTACK SURFACE ANALYSIS
GIT DIFF MASTER MASTER~1
▸ What has changed?
▸ What are you doing different?
▸ What holes could you have opened?
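An added example, not part of the original deck, of acting on this slide's questions: it parses a unified diff, maps each touched file to the attack-surface categories from the previous slide, and flags removed lines that look like security controls. The path patterns, the keyword list and the sample diff are assumptions made for illustration.

```python
import re
# Attack-surface categories from the previous slide, keyed by path patterns
# (assumed layout of a typical web application).
SURFACE_RULES = {
    "network-facing code": re.compile(r"(^|/)(api|routes|controllers|handlers)/"),
    "web forms": re.compile(r"(^|/)(forms|templates|views)/"),
    "security code": re.compile(r"auth|session|crypto|token|password|acl", re.I),
}
# Removed lines containing these look like a dropped security control.
CONTROL_KEYWORDS = re.compile(r"login_required|authorize|csrf|validate|escape|verify", re.I)

# Constructed sample diff, not taken from any real repository.
SAMPLE_DIFF = """\
diff --git a/api/orders.py b/api/orders.py
--- a/api/orders.py
+++ b/api/orders.py
@@ -10,7 +10,6 @@ def list_orders(request):
-    @login_required
     def export(request):
+        return render_csv(request.GET["q"])
diff --git a/docs/README.md b/docs/README.md
--- a/docs/README.md
+++ b/docs/README.md
@@ -1 +1,2 @@
+Release notes
"""

def analyse_diff(diff_text):
    """Map each file in a unified diff to {categories, removed_controls, added}."""
    report, current = {}, None
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            current = line.split(" b/", 1)[1]
            cats = [n for n, rx in SURFACE_RULES.items() if rx.search(current)]
            report[current] = {"categories": cats, "removed_controls": [], "added": 0}
        elif current is None or line.startswith(("--- ", "+++ ", "@@")):
            continue  # file headers and hunk markers carry no code
        elif line.startswith("-"):
            body = line[1:].strip()
            if CONTROL_KEYWORDS.search(body):
                report[current]["removed_controls"].append(body)
        elif line.startswith("+"):
            report[current]["added"] += 1
    return report

def files_needing_review(report):
    """Files that touch the attack surface or dropped a control, sorted."""
    return sorted(p for p, r in report.items()
                  if r["categories"] or r["removed_controls"])
```

Feed it the output of `git diff master master~1` to get the list of files a security reviewer should look at first.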
16. AUTOMATED VULNERABILITY DISCOVERY
AUTOMATED VULNERABILITY DISCOVERY
▸ They try many more payloads than a person ever could
▸ These tools have been developed by many people over many years
▸ THEY ARE FAST, REALLY FAST
▸ THEY ARE PRACTICAL
▸ They are patient and tolerant
▸ Could be improved with targeted configuration
▸ False Positive rates are really high
17. MANUAL VULNERABILITY DISCOVERY
MANUAL VULNERABILITY DISCOVERY
▸ I know my application better than they do
▸ Some vulnerabilities can only be tested manually
▸ I am more intuitive
▸ I am holistic
▸ It is slow
22. INSTANT APPROACH
INSTANT APPROACH KEYWORDS
▸ Static security test involved in the CI process or even the coding phase (Checkmarx)
▸ Dynamic security test (Skipfish, Arachni)
▸ The wrapper tools to combine them
▸ BDD-Security
▸ Gauntlt
▸ Mittn
▸ Strider :)
23. SCOPING
SCOPING WITH TIERED TEST APPROACH
▸ Tier 4 test - 1 day
▸ Tier 3 test - 3 days
▸ Tier 2 test - 1 week
▸ Tier 1 Premium test - 3 weeks
24. SCOPING
TIER 4 TEST
▸ It will only take 1 day - a quick test
▸ It will cover automated tool tests on the consumer-facing web application, API and API dashboard
▸ It will not cover the XYZ internal dashboard
▸ It will not cover the message queue, SQL DB or Hadoop because they are already restricted from the internet
▸ It will include false positive checks on the automated tool results
25. SCOPING
TIER 3 TEST
▸ It will only take 3 days - a medium-range test
▸ It will cover all the things in tier 4
▸ It will cover business logic assessments and some authentication and authorisation attacks
▸ It will cover attacks on the authentication interface of the internal dashboard
26. SCOPING
TIER 2 TEST
▸ It will only take 1 week - a normal-range test
▸ It will cover all the things in tier 3
▸ Architectural analysis is involved in this tier
▸ API attack vectors will be prepared manually
▸ A manual web pentest will take place
▸ The interactions and connections between nodes will be checked; they must be encrypted
▸ It will cover remote attacks like reflected XSS and CSRF against the internal dashboard, to protect employees from spear-phishing attacks
27. SCOPING
TIER 1 PREMIUM TEST
▸ It will take 3 weeks or more
▸ It will cover all the things in tier 2
▸ It will cover threat modelling (threat vectors or threat trees)
▸ It will cover configuration analysis
▸ It will cover static code analysis and will combine the results with manual assessment
▸ It will cover all network tests and internal web tests.
28. PENTEST LOGS
PENETRATION TESTERS ARE RESPONSIBLE FOR THEIR OWN LOGS
▸ Testers must record their own logs on their own computers
▸ Network-level logging devices must store their own logs
▸ Network logging must be accountable, which means we must authenticate people and stamp their ID onto the logs
29. EVIDENCE
VULNERABILITY EVIDENCE IS CONTROVERSIAL
▸ Yes, it is controversial, but it must be concrete
▸ Present your arguments as cleanly as possible
▸ Some vulnerabilities are theoretical and cannot be exploited; these must be backed by a trustworthy reference
35. REMEDIATION ESSENTIALS
ESSENTIALS
▸ The location of the vulnerability should affect the remediation timeframe
▸ The CVSS score could be used as the base for developing our own scoring system
▸ Vulnerabilities claimed as fixed must be retested
▸ Remediation methods should be shaped by security engineers
36. TRAINING AND AWARENESS
TRAINING
▸ Basic security awareness and knowledge for EVERYONE
▸ The system must be ready to be secure before the people are
▸ The paper "A Conceptual Framework to Study Socio-Technical Security" by Ana Ferreira, Jean-Louis Huynen, Vincent Koenig and Gabriele Lenzini should be checked
▸ Holistic approach - statistics from vulnerability discovery should be taken into account
37. TRAINING
SECURITY AWARENESS PROGRAMS
▸ TeamMentor - guide to remediation
▸ Secure development guidelines
▸ Hackathon - CTF for developers
▸ Coursera
▸ For repeated issues, brown bag sessions
▸ A "chosen books are free, but shipping is excluded" model