Presentation is loading. Please wait.

Presentation is loading. Please wait.

SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain AppSec DC 11.13.2009 Ed Bellis VP, CISO Orbitz Worldwide

Published byBeryl Ray Modified over 9 years ago

Similar presentations

Presentation on theme: "SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain AppSec DC 11.13.2009 Ed Bellis VP, CISO Orbitz Worldwide"— Presentation transcript:

1 SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain AppSec DC 11.13.2009 Ed Bellis VP, CISO Orbitz Worldwide ebellis@orbitz.com

2 Orbitz.com NWA Booking engine But First... some context Orbitz For Business Cheaptickets Away.com eBookers HotelClub Traveler Care GORP Travel RBS Rewards Southwest Hotels Orbitzgames.com Trip.com msn.orbitz.com AA Booking engine

3 Context Matters......and on and on and on... 100’s of Endless Applications 1000’s of Servers 1000’s of Devices 100’s of DBs Data Centers: multiple continents Call Centers - follow the sun

4 Context Matters... VA Tools Application Network & Host Database Remediation Tracking Jira Remedy...and on and on and on...

5 A Proposed Solution: A Case Study

6 Using Standards to Automate, Correlate & Measure

7 Centralizing the Data: Overview

8 Workflow: A Simple Use Case 1. NVD feed is pulled in daily

9 A Workflow Use Case 2. Whitehat connector runs on a predefined schedule.

10 A Workflow Use Case 3. Qualys connector runs on a predefined schedule

11 A Workflow Use Case 4(a). Security Admin manages and modifies asset information discovered by VA tools - CPE Note: Unexpected Benefit!

12 A Workflow Use Case 5. Vulnerability data is normalized and correlated across VA results utilizing CVE and WASC-TC. Vulns are scored using CVSS / WASC-TC plus Asset/CPE data.

13 A Workflow Use Case 6. Single click defect creation from Conduit to Jira.

14 A Workflow Use Case 7. Security defect is remediated by developer and closed in Jira.

15 A Workflow Use Case 8. Conduit issues re-test of vulnerability via Sentinel API

16 A Workflow Use Case 9. If re-test returns clean results are fed to Conduit and vulnerability is closed

17 A Workflow Use Case 10. Metrics can be viewed and filtered via tags added through asset mgmt

18 Metrics via Tag Lenses Pre-Defined Vulnerability Metrics Filtered by Asset Tags Many-to-Many Tag/Asset Relationship

19 Wheel of Pain Revisited

20 The Standards CPE: Common Platform Enumeration CVE: Common Vulnerability Enumeration CVSS: Common Vulnerability Scoring System WASC-TC: Web Application Security Consortium Threat Class Today Roadmap CCE: Common Configuration Enumeration XCCDF: Extensible Configuration Checklist Description Format

21 Additional & Emerging SCAP Standards OVAL: Open Vulnerability Assessment Language

22 Q&A Email: ebellis@orbitz.comebellis@orbitz.com Twitter: http://www.twitter.com/ebellis.com/ebellis More Info On SCAP: http://scap.nist.gov More Info On Conduit: http://www.honeyapps.com

Download ppt "SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain AppSec DC 11.13.2009 Ed Bellis VP, CISO Orbitz Worldwide"

Similar presentations

Tony Rutkowski Yaana Technologies Georgia Tech Q.4/17 Rapporteur

Tony Rutkowski Yaana Technologies Georgia Tech Q.4/17 Rapporteur
Business Development Suit Presented by Thomas Mathews.

Business Development Suit Presented by Thomas Mathews.
SupportCenter Plus Product Overview. Overview 1.What is SupportCenter Plus (SCP) 2.Benefits of SCP 3.Licensing & Pricing 4.Questions.

SupportCenter Plus Product Overview. Overview 1.What is SupportCenter Plus (SCP) 2.Benefits of SCP 3.Licensing & Pricing 4.Questions.
1 Remediation Workflow Automated Email Scan Reports Patch Report Remediation Policies Remediation Tickets API Custom Report Templates.

1 Remediation Workflow Automated Scan Reports Patch Report Remediation Policies Remediation Tickets API Custom Report Templates.
September 2, 2013 VM Evolution via API Parag Baxi, Technical Account Manager.

September 2, 2013 VM Evolution via API Parag Baxi, Technical Account Manager.
MIDAS is a complete web based scheduling solution for managing your facility’s bookings and resources. MIDAS is a complete web based scheduling solution.

MIDAS is a complete web based scheduling solution for managing your facility’s bookings and resources. MIDAS is a complete web based scheduling solution.
Dan Stolts Chief Technology Strategist Microsoft Corporation Blog: Managing and Monitoring Critical Infrastructure.

Dan Stolts Chief Technology Strategist Microsoft Corporation Blog: Managing and Monitoring Critical Infrastructure.
Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.

Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.
HP Quality Center Overview.

HP Quality Center Overview.
© 2012 Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public Cisco SocialMiner: Developer Network Forum 2.

© 2012 Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public Cisco SocialMiner: Developer Network Forum 2.
Paul Green –President and Founder of G2, Inc –We are trusted security advisors to the Federal Government and Fortune 500. –We are recognized as having.

Paul Green –President and Founder of G2, Inc –We are trusted security advisors to the Federal Government and Fortune 500. –We are recognized as having.
Cyber Security: Past and Future John M. Gilligan CERT’s 20 th Anniversary Technical Symposium Pittsburgh, PA www.gilligangroupinc.com March 10, 2009.

Cyber Security: Past and Future John M. Gilligan CERT’s 20 th Anniversary Technical Symposium Pittsburgh, PA March 10, 2009.
S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,

S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,
Nu Project Management Office A web based tool to Manage Projects.

Nu Project Management Office A web based tool to Manage Projects.
Vulnerability and Configuration Management Best Practices for State and Local Governments Jonathan Trull, CISO, Qualys, Inc.

Vulnerability and Configuration Management Best Practices for State and Local Governments Jonathan Trull, CISO, Qualys, Inc.
Information System Continuous Monitoring (ISCM)

Information System Continuous Monitoring (ISCM)
8/9/2015 1:47 AM SurveyCentralOverview.ppt CSC ©Copyright 2012 Online Survey Application: CSC Survey Central System Overview November 26, 2012 Supported.

8/9/2015 1:47 AM SurveyCentralOverview.ppt CSC ©Copyright 2012 Online Survey Application: CSC Survey Central System Overview November 26, 2012 Supported.
Analyzing your OPC Data Introduction to OPCReport.NET Nathan Pocock Chief Architect & Developer Direct Line: +1 (704)

Analyzing your OPC Data Introduction to OPCReport.NET Nathan Pocock Chief Architect & Developer Direct Line: +1 (704)
Reducing the Cost and Complexity of Server Management with Microsoft Operations Manager.

Reducing the Cost and Complexity of Server Management with Microsoft Operations Manager.
Overview of Change Management ClearQuest Overview for CORUG January, 2008.

Overview of Change Management ClearQuest Overview for CORUG January, 2008.

Similar presentations

Ads by Google