
Blending Automated and Manual Testing: Making Application Vulnerability Management Pay Dividends

Presentation transcript:

Slide 1: Blending Automated and Manual Testing: Making Application Vulnerability Management Pay Dividends

Slide 2: My Background
- Dan Cornell, founder and CTO of Denim Group
- Software developer by background (Java, .NET, etc.)
- OWASP San Antonio
- @danielcornell

Slide 3: My Background
- Steve Springett, Application Security Architect for Axway
- Software developer by background
- Leader of OWASP Dependency-Track
- Contributor to OWASP Dependency-Check
- @stevespringett

Slide 4: Goal: Continuous Security
- Prerequisites
  – Standardization
  – Continuous Integration
  – Continuous Delivery
- Complements
  – Continuous Acceptance

Slide 5: Standardization
- All projects use the same build system
- All projects built the same way
- Automated onboarding for new projects
- Per-project build expertise not required

Slide 6: Continuous Integration (diagram; labels: Source Code (SCM), Continuous Integration Factory, Artifacts, Metrics)

Slide 7: Continuous Delivery (diagram; labels: Artifacts, Continuous Delivery Factory, Deliverables)

Slide 8: Continuous Security (diagram; labels: Source Code (SCM), Deliverables, Continuous Security Factory, Security Metrics)

Slide 9: Automated Security Metrics
- Static Analysis Findings
- Dynamic Analysis Findings
- Component Analysis Findings
- Attack Surface Analysis Findings

Slide 10: Continuous Security Pipe (diagram; labels: Jenkins CI, ThreadFix, Defect Tracker, SCM, False Positive)

Slide 11: Target Application (diagram)

Slide 12: ThreadFix: Accelerate Software Remediation
ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.

Slide 13: ThreadFix
- Open Source (MPL) application vulnerability management platform
- Create a consolidated view of your applications and vulnerabilities
- Prioritize application risk decisions based on data
- Translate vulnerabilities to developers in the tools they are already using

Slide 14: ThreadFix Community Edition
- Main ThreadFix website: www.threadfix.org
  – General information, downloads
- ThreadFix GitHub site: www.github.com/denimgroup/threadfix
  – Code, issue tracking
- ThreadFix GitHub wiki: https://github.com/denimgroup/threadfix/wiki
  – Project documentation
- ThreadFix Google Group: https://groups.google.com/forum/?fromgroups#!forum/threadfix
  – Community support, general discussion

Slide 15: Vulnerability Aggregation (diagram; labels: Automated, Manual)

Slide 16: Access to Vulnerability Data
- Tradeoffs
  – The more places the vulnerability data lives, the more likely a compromise
  – Withholding information from people who need it makes remediation more challenging

Slide 17: Managing All Vulnerability Data
- Manual activities
  – Penetration Testing
  – Code Reviews
- 3rd Party Data Sources
  – Customer-performed Testing
  – External auditor-performed Results

Slide 18: SSVL and Manual Results
- SSVL Data Format: https://github.com/owasp/ssvl
- SSVL Conversion Tool: https://github.com/denimgroup/threadfix/wiki/SSVL-Converter

Slide 19: RESTful API to Vulnerability Data
- Custom R&D Monitoring Dashboard
- Custom Dashboards

Slide 20: Key Performance Indicators
- Don't go overboard
  – Use only what is needed
- Progress and velocity
- Per-team comparison
- Min/max/avg time to close per severity
- By CWE

Slide 21: Lessons Learned
- Always automate static analysis
- Always automate attack surface analysis
- Always automate component analysis
- Always automate dynamic analysis
- Always perform manual dynamic analysis
- Use native tools & workflow for static analysis

Slide 22: Lessons Learned
- Provide as much visibility as possible
  – Varying degrees of detail
  – Multiple delivery vehicles
- Set clear pass/fail criteria for Security Bars
  – Provide a custom dashboard that gives status and advance warning
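An added example (not from the talk, and not ThreadFix code) showing how the KPIs from slide 20 (min/max/avg time to close per severity, open findings by CWE, per-team comparison) and a pass/fail security bar from slide 22 can be computed from aggregated finding records. The record layout, field names and the sample data are assumptions constructed for illustration.

```python
from datetime import date
from statistics import mean

# Constructed sample of aggregated findings (not real scan data). The record
# shape is assumed: one row per finding with owning team, CWE, severity and
# open/close dates; closed=None means the finding is still open.
FINDINGS = [
    {"team": "payments", "cwe": 89, "severity": "Critical", "opened": date(2014, 3, 1),  "closed": date(2014, 3, 4)},
    {"team": "payments", "cwe": 79, "severity": "High",     "opened": date(2014, 3, 1),  "closed": date(2014, 3, 11)},
    {"team": "portal",   "cwe": 79, "severity": "High",     "opened": date(2014, 3, 5),  "closed": date(2014, 3, 9)},
    {"team": "portal",   "cwe": 79, "severity": "Medium",   "opened": date(2014, 3, 6),  "closed": None},
    {"team": "portal",   "cwe": 22, "severity": "Critical", "opened": date(2014, 3, 10), "closed": None},
    {"team": "payments", "cwe": 89, "severity": "Critical", "opened": date(2014, 3, 12), "closed": date(2014, 3, 13)},
]

def time_to_close_by_severity(findings):
    """Min/max/avg days-to-close per severity, over closed findings only."""
    buckets = {}
    for f in findings:
        if f["closed"] is not None:
            buckets.setdefault(f["severity"], []).append((f["closed"] - f["opened"]).days)
    return {sev: {"min": min(ds), "max": max(ds), "avg": mean(ds)}
            for sev, ds in buckets.items()}

def open_by_cwe(findings):
    """Open findings grouped by CWE, most common weakness class first."""
    counts = {}
    for f in findings:
        if f["closed"] is None:
            counts[f["cwe"]] = counts.get(f["cwe"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))

def open_per_team(findings):
    """Open-finding count per team (teams with nothing open still appear)."""
    counts = {f["team"]: 0 for f in findings}
    for f in findings:
        if f["closed"] is None:
            counts[f["team"]] += 1
    return counts

def security_bar_passes(findings, blocking=("Critical",)):
    """Pass/fail release gate: no open finding at a blocking severity."""
    return not any(f["closed"] is None and f["severity"] in blocking for f in findings)

if __name__ == "__main__":
    print(time_to_close_by_severity(FINDINGS))
    print(open_by_cwe(FINDINGS), open_per_team(FINDINGS))
    print("security bar passes:", security_bar_passes(FINDINGS))
```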

Slide 23: Additional Advice
- Automation is not better than manual
  – It's faster and more efficient
  – Both are necessary
- Don't forget manual assessments
  – Threat Modeling
  – Secure Design/Architecture and Code Review
  – Penetration Testing

Slide 24: Finally
- Vulnerabilities in CI / CD / CS Infrastructure
  – Threat Model
  – Secure Architecture Review
  – Patch Management
  – Configuration Management
  – Key Management
  – Always use TLS

Slide 25: Q & A

