Date posted: 28-Jan-2018 | Category: Technology
PROACTIVE SECURITY
CAGLAR SAYIN
WHO I AM
I AM CAGLAR
▸ I am basically a Turkish computer engineer focused on security
▸ I am a biker, skier, sailor, etc.
▸ Netsparker Web Application Scanner
▸ Norwegian Information Security Lab
▸ Sony
THE LAYOUT
LAYOUT
▸ What is ProActive Security
▸ The Steps
▸ Discovery
▸ Scoping
▸ Assessment
▸ Reporting
▸ Remediation
▸ Training and Awareness
PROACTIVE SECURITY
IT IS BEING SECURE BEFORE YOU ARE ACTED UPON
▸ It is the opposite of reactive security
▸ It tries to mitigate and prevent risk
▸ It gives you the chance to estimate the future
▸ Estimating the future gives you the chance to do response planning
PLANS ARE NOTHING; PLANNING IS EVERYTHING.
Dwight D. Eisenhower
OTHERS' PLANS ARE NOT YOURS
STEPS
THE STEPS OF PROACTIVE SECURITY
▸ Risk Assessment
▸ Impact Analysis
▸ Risk Prevention
▸ Risk Mitigation
▸ Threat Analysis
▸ Planning Response
WORKED EXAMPLE: XYZ COMPANY
VULNERABILITY DISCOVERY
VULNERABILITY DISCOVERY
▸ Working on Our Own Test Environment
▸ Attack Surface
▸ Automated Vulnerability and Attack Surface Discovery
▸ Manual Vulnerability Discovery
▸ Instant Vulnerability Discovery and DevOps Harmony
OWN ENVIRONMENT
WHY WE NEED TO WORK ON OUR OWN ENVIRONMENT
▸ We must work on a "dead planet with living data on it": an isolated copy of the system holding realistic, production-like data
▸ It will be like a UAT or integration test environment
▸ Cloud services may not permit us to test on their platform without prior authorisation
▸ Testing production could result in data loss or functional defects in the application
▸ All security controls in front of the application (WAF, rate limiting, IP filtering) must be turned off so that the application itself is what gets tested
OWN ENVIRONMENT
WORKING ON OUR OWN ENVIRONMENT
▸ The code must be a frozen copy of the production environment
▸ If it is not, the test results will be inconsistent with production
▸ All available features must be activated and exercised
▸ It will be like a UAT or integration test environment, to provide test accuracy
ATTACK SURFACE ANALYSIS
ATTACK SURFACE IS TO
▸ Understand the risk areas in an application
▸ Make developers and security specialists aware of what parts of the application are open to attack
▸ Find ways of minimising it
▸ Notice when and how the Attack Surface changes and what this means from a risk perspective.
DEVELOPERS + SECURITY ENGINEERS =
BEST ATTACK SURFACE ANALYSIS
ATTACK SURFACE ANALYSIS
ATTACK SURFACE IN THEORY
▸ The sum of all paths for data/commands into and out of the application, and
▸ The code that protects these paths (including resource connection and authentication, authorisation, activity logging, data validation and encoding), and
▸ All valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and PII, and
▸ The code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).
ATTACK SURFACE ANALYSIS
ATTACK SURFACE IN PRACTICE
▸ Network-facing, especially internet-facing code
▸ Web forms
▸ Files from outside of the network
▸ Backwards compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test multiple versions
▸ Custom APIs – protocols etc – likely to have mistakes in design and implementation
▸ Security code: anything to do with cryptography, authentication, authorization (access control) and session management
ATTACK SURFACE ANALYSIS
GIT DIFF MASTER~1 MASTER
▸ What has changed?
▸ What are you doing differently?
▸ What holes could you have opened?
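The three questions above can be asked by a script on every merge. The following is an added example (not from the talk) that walks a unified diff, tracks line numbers in the new version of each file, and flags changes to security-relevant paths and added lines that open a new entry point or disable a control. The path and code patterns, the `git_diff` helper and the embedded sample diff are all assumptions constructed for illustration; Python 3.9 or later is assumed.

```python
"""Flag attack-surface changes in a unified diff such as `git diff master~1 master`.

Added example: scans the diff for (a) changes to files that protect entry points
or data and (b) added lines that open a new path into the application or weaken
a control. The patterns and the sample diff are assumptions for illustration.
"""
import re
import subprocess
from dataclasses import dataclass

# Paths whose changes touch the code that protects paths into the app or its data.
SENSITIVE_PATHS = re.compile(
    r"(auth|login|session|crypt|token|secret|acl|permission|middleware|route|api)",
    re.IGNORECASE,
)

# Added lines that create a new entry point or disable a control (assumed patterns).
RISKY_ADDITIONS = [
    (re.compile(r"@\w+\.route\(|router\.(get|post|put|delete)\(|app\.(get|post)\("),
     "new HTTP endpoint"),
    (re.compile(r"pickle\.loads|yaml\.load\(|\beval\(|\bexec\("),
     "unsafe deserialisation / code execution"),
    (re.compile(r"subprocess\.\w+\(.*shell=True|os\.system\("),
     "shell command execution"),
    (re.compile(r"verify\s*=\s*False|CERT_NONE|csrf_exempt"),
     "security control disabled"),
    (re.compile(r"0\.0\.0\.0|\.listen\(|\.bind\("),
     "new network listener"),
]


@dataclass
class Finding:
    path: str
    line_no: int      # line in the new version of the file (0 = whole-file note)
    reason: str
    text: str


def analyse_diff(diff_text: str) -> list[Finding]:
    """Walk the diff, tracking new-file line numbers, and collect findings."""
    findings = []
    path = ""
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            if SENSITIVE_PATHS.search(path):
                findings.append(Finding(path, 0, "change in security-relevant file", ""))
            continue
        if raw.startswith("--- ") or raw.startswith("diff --git"):
            continue
        hunk = re.match(r"^@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if hunk:
            new_line = int(hunk.group(1)) - 1
            continue
        if raw.startswith("-"):
            continue                      # removed line: not in the new file
        if raw.startswith("+"):
            new_line += 1
            added = raw[1:]
            for pattern, reason in RISKY_ADDITIONS:
                if pattern.search(added):
                    findings.append(Finding(path, new_line, reason, added.strip()))
        elif raw.startswith(" ") or raw == "":
            new_line += 1                 # context line
    return findings


def git_diff(base: str = "master~1", head: str = "master") -> str:
    """Fetch the diff from a real checkout (not used by the embedded sample)."""
    return subprocess.run(["git", "diff", base, head],
                          check=True, capture_output=True, text=True).stdout


# Constructed sample diff: a release that adds a pickle-based restore endpoint.
SAMPLE_DIFF = """\
diff --git a/app/api/export.py b/app/api/export.py
--- a/app/api/export.py
+++ b/app/api/export.py
@@ -1,4 +1,9 @@
 from flask import Blueprint, request
+import pickle
 bp = Blueprint("export", __name__)
+@bp.route("/export/restore", methods=["POST"])
+def restore():
+    state = pickle.loads(request.data)
+    return {"restored": bool(state)}
 def health():
     return "ok"
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # XYZ
+Release notes for 1.2
"""

if __name__ == "__main__":
    for f in analyse_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line_no}: {f.reason}  {f.text}")
```

Run against `git_diff()` in CI and the output is a review checklist for the security engineer rather than a blocking gate: the patterns are deliberately broad, so expect noise, but a new route that feeds request bodies into `pickle.loads` is exactly the hole the slide asks about.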
AUTOMATED VULNERABILITY DISCOVERY
AUTOMATED VULNERABILITY DISCOVERY
▸ They try far more payloads than a person ever could
▸ These tools have been developed by many people over many years
▸ THEY ARE FAST, REALLY FAST
▸ THEY ARE PRACTICAL
▸ They are patient and tolerant
▸ They can be improved with targeted configuration
▸ False positive rates are really high
MANUAL VULNERABILITY DISCOVERY
MANUAL VULNERABILITY DISCOVERY
▸ I know my application better than they do
▸ Some vulnerabilities (business logic, authorisation) can only be tested manually
▸ I am more intuitive
▸ I am holistic
▸ It is slow
INSTANT APPROACH
INSTANT APPROACH KEYWORDS
▸ Static security tests (SAST) run in the CI process or even in the coding phase (Checkmarx)
▸ Dynamic security tests (DAST) (Skipfish, Arachni)
▸ Wrapper tools that combine them:
▸ BDD-Security
▸ Gauntlt
▸ Mittn
▸ Strider :)
SCOPING
SCOPING WITH TIERED TEST APPROACH
▸ Tier 4 test - 1 day
▸ Tier 3 test - 3 days
▸ Tier 2 test - 1 week
▸ Tier 1 Premium test - 3 weeks
SCOPING
TIER 4 TEST
▸ It will take only 1 day: a quick test
▸ It will cover automated tool tests on the consumer-facing web application, the API and the API dashboard
▸ It will not cover the XYZ internal dashboard
▸ It will not cover the message queue, SQL DB or Hadoop because they are already restricted from the internet (confirm that restriction rather than assume it)
▸ It will include false positive checks on the output of the automated tools
SCOPING
TIER 3 TEST
▸ It will take only 3 days: a medium-range test
▸ It will cover all the things in tier 4
▸ It will cover business logic assessment and some authentication and authorisation attacks
▸ It will cover attacks on the authentication surface of the internal dashboard
SCOPING
TIER 2 TEST
▸ It will take only 1 week: a normal-range test
▸ It will cover all the things in tier 3
▸ Architectural analysis is involved in this tier
▸ API attack vectors will be prepared manually
▸ A manual web pentest will take place
▸ The interactions and connections between nodes will be checked; they must be encrypted
▸ It will cover remote attacks like reflected XSS and CSRF against the internal dashboard, to protect employees from spear-phishing attacks
SCOPING
TIER 1 PREMIUM TEST
▸ It will take 3 weeks or more
▸ It will cover all the things in tier 2
▸ It will cover threat modelling (threat vectors or threat trees)
▸ It will cover configuration analysis
▸ It will cover static code analysis and will combine the results with manual assessment
▸ It will cover all network tests and internal web tests
PENTEST LOGS
PENETRATION TESTERS ARE RESPONSIBLE FOR THEIR OWN LOGS
▸ Testers must record their own logs on their own computers
▸ Network-level logging devices must store their own logs
▸ Network logging must be accountable, which means we must authenticate people and stamp their ID onto the logs
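One way to make a tester's activity log accountable in the sense of the last bullet, as an added example that is not part of the talk: every entry carries the authenticated tester's identity, is authenticated with a per-tester HMAC key (assumed to be issued by the logging service after login), and is chained to the previous entry's digest, so that an altered, re-attributed or deleted entry fails verification. The tester keys, the actions and the timestamps in `demo()` are constructed sample data.

```python
"""Tester-attributed, tamper-evident activity log (added example, assumptions noted)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # digest that the first entry chains to

CHAINED_FIELDS = ("ts", "tester", "action", "target", "prev")


def _canonical(entry: dict) -> bytes:
    """Stable byte encoding of the fields covered by the MAC and the chain."""
    fields = {k: entry[k] for k in CHAINED_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class AccountableLog:
    """Append-only log: each entry is MACed with the tester's key and chained to the
    previous entry's digest, so edits, re-attribution and deletions are detectable."""

    def __init__(self, tester_keys: dict[str, bytes]):
        # Assumption: keys are issued to testers by the logging service after they
        # authenticate, so a valid MAC ties the entry to an authenticated identity.
        self.tester_keys = tester_keys
        self.entries: list[dict] = []

    def append(self, tester: str, action: str, target: str, when: str = "") -> dict:
        if tester not in self.tester_keys:
            raise PermissionError(f"unknown tester {tester!r}: refusing unattributed entry")
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        entry = {
            "ts": when or datetime.now(timezone.utc).isoformat(),
            "tester": tester,
            "action": action,
            "target": target,
            "prev": prev,
        }
        canonical = _canonical(entry)
        entry["mac"] = hmac.new(self.tester_keys[tester], canonical, hashlib.sha256).hexdigest()
        entry["digest"] = hashlib.sha256(canonical + entry["mac"].encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, str]:
        """Re-walk the chain; report the first entry that does not check out."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev:
                return False, f"entry {i}: chain break (previous entry altered or removed)"
            key = self.tester_keys.get(e["tester"])
            if key is None:
                return False, f"entry {i}: unknown tester {e['tester']!r}"
            canonical = _canonical(e)
            mac = hmac.new(key, canonical, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(mac, e["mac"]):
                return False, f"entry {i}: MAC mismatch (entry altered or re-attributed)"
            digest = hashlib.sha256(canonical + mac.encode()).hexdigest()
            if digest != e["digest"]:
                return False, f"entry {i}: digest mismatch"
            prev = digest
        return True, "ok"


def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: an intact log, then re-attribution, then deletion."""
    keys = {"alice": b"key-issued-to-alice-at-login", "bob": b"key-issued-to-bob-at-login"}
    log = AccountableLog(keys)
    log.append("alice", "nmap -sV -p- 10.0.5.0/24", "staging-net", when="2018-01-20T09:00:00+00:00")
    log.append("bob", "sqlmap -u https://staging.xyz.example/api/users?id=1", "api",
               when="2018-01-20T09:30:00+00:00")
    intact = log.verify()[0]
    log.entries[0]["tester"] = "bob"          # someone rewrites who ran the scan
    reattributed = log.verify()[0]
    log.entries[0]["tester"] = "alice"        # restore, then drop the first entry
    del log.entries[0]
    deleted = log.verify()[0]
    return intact, reattributed, deleted


if __name__ == "__main__":
    print(demo())
```

The MAC answers "who" (only the holder of the tester's key could have produced it) and the chain answers "is this the whole record"; the network-level logs in the bullet above would be correlated against these entries by timestamp and source address.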
EVIDENCE
VULNERABILITY EVIDENCE IS CONTROVERSIAL
▸ Yes, it is controversial, but it must be concrete
▸ Present your arguments as cleanly as possible
▸ Some vulnerabilities are theoretical and cannot be exploited; these must be backed by a trusted reference
REPORTING
REPORTING ESSENTIALS
▸ Testing Team details
▸ Network Details
▸ Scope of test
▸ Executive Summary
▸ Technical Summary
REPORTING
STEPS THAT MUST BE EXPLAINED IN THE TECHNICAL REPORT
▸ Reconnaissance & Enumeration
▸ Scanning
▸ Obtaining Access
▸ Maintaining Access
▸ Erasing Evidence
REPORTING
MY OPINIONS
▸ Nobody reads reports
▸ They must be precise and concise
▸ They must be more interactive
▸ Check out Dradis and Faraday
APPSEC PIPELINE
REMEDIATION ESSENTIALS
ESSENTIALS
▸ The location of the vulnerability (internet-facing or internal) should affect the remediation timeframe
▸ The CVSS score can be used as the base for our own scoring system
▸ Vulnerabilities claimed as fixed must be retested
▸ Remediation methods should be shaped by security engineers
TRAINING AND AWARENESS
TRAININGS
▸ Basic security awareness and knowledge for EVERYONE
▸ The system must be ready to be secure before the people are
▸ Read the paper "A Conceptual Framework to Study Socio-Technical Security" by Ana Ferreira, Jean-Louis Huynen, Vincent Koenig and Gabriele Lenzini
▸ Holistic approach: statistics from vulnerability discovery should feed into what is taught
TRAINING
SECURITY AWARENESS PROGRAMS
▸ TeamMentor: guide to remediation
▸ Secure development guidelines
▸ Hackathon: CTF for developers
▸ Coursera
▸ For repeated issues, brown bag sessions
▸ A "chosen books are free, shipping excluded" model
THANKS
▸ Thank you
▸ Thanks to OWASP
▸ Thanks for the insights of Carnegie Mellon University
▸ Thanks to pentest-standard.org
▸ Thanks to vulnerabilityassessment.co.uk
MORE
FOR MORE
▸ For more about business cases and management situations