One of the reasons application security is so challenging to address is that it spans multiple teams within an organization. Development teams build software, security testing teams find vulnerabilities, security operations staff manage applications in production and IT audit organizations make sure that the resulting software meets compliance and governance requirements. In addition, each team has a different toolbox they use to meet their goals, ranging from scanning tools, defect trackers, Integrated Development Environments (IDEs), WAFs and GRC systems. Unfortunately, in most organizations the interactions between these teams is often strained and the flow of data between these disparate tools and systems is non-existent or tediously implemented manually. In today’s presentation, we will demonstrate how leading organizations are breaking down these barriers between teams and better integrating their disparate tools to enable the flow of application security data between silos to accelerate and simplify their remediation efforts. At the same time, we will show how to collect the proper data to measure the performance and illustrate the improvement of the software security program. The challenges that need to be overcome to enable teams and tools to work seamlessly with one another will be enumerated individually. Team and tool interaction patterns will also be outlined that reduce the friction that will arise while addressing application security risks. Using open source products such as OWASP ZAP, ThreadFix, Bugzilla and Eclipse, a significant amount of time will also be spent demonstrating the kinds of interactions that need to be enabled between tools. This will provide attendees with practical examples on how to replicate a powerful, integrated Application Security program within their own organizations. In addition, how to gather program-wide metrics and regularly calculate measurements such as mean-time-to-fix will also be demonstrated to enable attendees to monitor and ensure the continuing health and performance of their Application Security program.

1. AppSec USA 2014
Denver, Colorado
Building Your Application
Security Data Hub
The Imperative for Structured Vulnerability
Information
This
presenta,on
contains
informa,on
about
DHS-­‐funded
research:
Topic
Number:
H-­‐SB013.1-­‐002
-­‐
Hybrid
Analysis
Mapping
(HAM)
Proposal
Number:
HSHQDC-­‐13-­‐R-­‐00009-­‐H-­‐SB013.1-­‐002-­‐0003-­‐I

2. 2
Dan
Cornell
with
a
respectable
hair
cut,
a
nice
shirt,
and
a
coat
Biography
Dan
Cornell
• Founder
and
CTO
of
Denim
Group
• SoQware
developer
by
background
(Java,
.NET,
etc)
• OWASP
San
Antonio

3. 3
So You Want To Run an AppSec Program?

4. 4
• ApplicaWon
Security
Challenges
– Spans
MulWple
Disciplines
– ComparaWvely
New
– Scale
of
the
Problem
• ApplicaWon
Security
Data
Hub
– Sources,
Sinks,
Flows
• Program
Metrics
and
Tracking
Agenda

5. 5
Spans Multiple Disciplines
• InformaWon
Security
– ApplicaWon
Security
• Audit
and
Compliance
• Risk
Management
• (Oh
Almost
Forgot:
SoQware
Development)
• (And
.
.
.
SoQware
Development
Is
Where
Most
of
the
Magic
Has
to
Happen)

6. 6
Comparatively New Discipline
• Physical
Security:
Old
• InformaWon
Security:
Kinda
New
• ApplicaWon
Security:
Really
New
• New
Discipline
Means
Immature
Metrics
– Possibly
non-­‐existent,
certainly
not
generally-­‐
accepted
– Don’t
know
how
to
talk
about
the
problem
• New
Discipline
Means
New
Tools
– No
standards
for
interacWon

7. 7
• “Legacy”
Lines
of
Code
• QuanWty
of
ApplicaWons
• Dearth
of
Qualified
Professionals
Scale of the Problem

8. 8
We
Have
a
Huge
Mul,disciplinary
Problem
In
An
Area
We
Can’t
Properly
Characterize
Where
We’re
Horribly
Outnumbered
So . . .

9. 9
What to Do About It?
• Gather
Data
• Communicate
to
Stakeholders
• Automate
the
Heck
Out
of
Whatever
Possible
• Repeat

10. 10
So What Does This Look Like?
Applica,on
Security
Data
Hub
• Sources,
Sinks
and
Flows
• Vulnerability
Data
• DetecWon/PrevenWon
Sensors
• Developer
Tools
• Risk
Management

11. 11
Automation
In
the
Absence
of
Automa,on
You’re
Doomed
• Automate
everything
you
can
• Free
up
people
cycles
for
people-­‐only
tasks

12. 12
Open Source App Security Data Hub
ThreadFix
• Create
a
consolidated
view
of
your
applicaWons
and
vulnerabiliWes
• PrioriWze
applicaWon
risk
decisions
based
on
data
• Translate
vulnerabiliWes
to
developers
in
the
tools
they
are
already
using
• GitHub
Site:
github.com/denimgroup/threadfix

13. 13
Supported Technologies
List of Supported Tools / Technologies:
Dynamic
Scanners
Acune&x
Arachni
Burp
Suite
HP
WebInspect
IBM
Security
AppScan
Standard
IBM
Security
AppScan
Enterprise
Mavituna
Security
Netsparker
NTO
Spider
OWASP
Zed
AAack
Proxy
Tenable
Nessus
Skipfish
w3aF
Sta,c
Scanners
FindBugs
IBM
Security
AppScan
Source
HP
For&fy
SCA
MicrosoK
CAT.NET
Brakeman
SaaS
Tes,ng
PlaHorms
WhiteHat
Veracode
QualysGuard
WAS
IDS/IPS
and
WAF
DenyAll
F5
Imperva
Mod_Security
Snort
Defect
Trackers
Atlassian
JIRA
MicrosoK
Team
Founda&on
Server
Mozilla
Bugzilla
Known
Vulnerable
Component
Scanner
Dependency
Check

14. 14
Supported Technologies

15. 15
Vulnerability Management
• Vulnerability
DetecWon
• Vulnerability
MiWgaWon
• Vulnerability
RemediaWon

16. 16
Vulnerability Detection
SAST
DAST
IAST
Known
Vulnerable
Component
Automated
Threat
Modeling
Code
Review
PenetraWon
TesWng
Manual
Data
Hub

17. 17
What is a Unique Vulnerability?
• (CWE,
RelaWve
URL)
– Predictable
resource
locaWon
– Directory
lisWng
misconfiguraWon
• (CWE,
RelaWve
URL,
InjecWon
Point)
– SQL
injecWon
– Cross-­‐site
ScripWng
(XSS)
• InjecWon
points
– Parameters
–
GET/POST
– Cookies
– Other
headers

18. 18
Why Common Weakness Enumeration?
• Every
tool
has
their
own
“spin”
on
naming
vulnerabiliWes
• OWASP
Top
10
/
WASC
24
are
helpful
but
not
comprehensive
• CWE
is
exhausWve
(though
a
bit
sprawling
at
Wmes)
• Reasonably
well-­‐adopted
standard
• Many
tools
have
mappings
to
CWE
for
their
results
• Main
site:
hgp://cwe.mitre.org/

19. 19
Fill ThreadFix Up With Vulnerability Data
• Manual
file
upload
• REST
API
– hgps://github.com/denimgroup/threadfix/wiki/Threadfix-­‐
REST-­‐Interface
• Command
Line
Interface
(CLI)
– hgps://github.com/denimgroup/threadfix/wiki/Command-­‐
Line-­‐Interface
– JAR
can
also
be
used
as
a
Java
REST
client
library
• Jenkins
plugin
– Contributed
from
the
ThreadFix
community
(yeah!)
– hgps://github.com/automaWondominaWon/threadfix-­‐plugin

20. 20
ThreadFix Jenkins Configuration
20

21. 21
What Does ThreadFix Do With Scan Results
• Diff
against
previous
scans
with
same
technology
– What
vulnerabiliWes
are
new?
– What
vulnerabiliWes
went
away?
– What
vulnerabiliWes
resurfaced?
• Findings
marked
as
false
posiWve
are
remembered
across
scans
– Hopefully
saving
analyst
Wme
• Normalize
and
merge
with
other
scanners’
findings
– SAST
to
SAST
– DAST
to
DAST
– SAST
to
DAST
via
Hybrid
Analysis
Mapping
(HAM)

22. 22
Demo: Vulnerability Merge

23. 23
Know What Would Make My Life Easier?
Standard
Vulnerability
Data
Format
Couple
of
current
efforts:
• SSVL
– Based
on
lessons
learned
from
ThreadFix
– hgps://github.com/OWASP/SSVL
• OWASP
DEF
– OWASP
effort
– hgps://www.owasp.org/index.php/OWASP_Data_Exchange_Format_Project
• Working
to
unify
these

24. 24
Hybrid Analysis Mapping (HAM)
• IniWal
research
funded
by
the
US
Department
of
Homeland
Security
(DHS)
Science
and
Technology
(S&T)
Directorate
via
a
Phase
1
and
(now)
Phase
2
Small
Business
InnovaWon
Research
(SBIR)
contract
– Acronyms!
• IniWal
goal:
SAST
to
DAST
merging
• Results:
That,
plus
other
stuff

25. 25
Demo: Merging Static and Dynamic Scanner Results

26. 26
Demo: Merging Static and Dynamic Scanner Results

27. 27
Merging Static and Dynamic Results Is Cool
…But
I
want
more
• Problem:
Many
DAST
scanners
handle
applicaWons
with
RESTful
URLs
poorly
• Problem:
Many
applicaWons
have
“hidden”
landing
pages
and
parameters
that
will
not
be
found
by
standard
crawling
• Problem:
DAST
scanner
results
can
be
hard
for
developers
to
act
on
• What
else
can
we
do
with
this
agack
surface
model
/
database?
– Clean
up
scanner
results
– Enumerate
applicaWon
agack
surface
– Map
dynamic
results
to
specific
lines
of
code

28. 28
Demo: De-Duplicate Dynamic RESTful Scanner Results

29. 29
Demo: De-Duplicate Dynamic RESTful Scanner Results

30. 30
Demo: Application Attack Surface (CLI)

31. 31
Demo: Seed Scanner with Attack Surface

32. 32
Vulnerability Mitigation
Data
Hub
WAF/IDS/IPS
Sensor

33. 33
Demo: Generating Virtual Patches

34. 34
Demo: Importing Sensor Logs

35. 35
Vulnerability Remediation
Security
Approaching
Development
Teams…
• PDFs
• Excel
spreadsheets
• “Log
into
this
new
system”

36. 36
Vulnerability Remediation
An
Alternate
Approach
• Help
‘em
Out
• Take
Advantage
of
the
Tools
and
Processes
They
Are
Already
Using

37. 37
Vulnerability Remediation
Data
Hub
This
is
also
called
“bug
tracking”
by
less-­‐fancy
people
ApplicaWon
Lifecycle
Management
Integrated
Development
Environment

38. 38
Mapping Vulnerabilities to Defects
• 1:1 mapping is (usually) a horrible idea
– 500
XSS
turned
into
500
defects?
– If
it
takes
longer
to
administer
the
bug
than
it
does
to
fix
the
code…
• Cluster like vulnerabilities
– Using
the
same
libraries
/
funcWons
– Cut-­‐and-­‐paste
remediaWon
code
– Be
careful
about
context-­‐specific
encoding
• Combine by severity
– Especially
if
they
are
cause
for
an
out-­‐of-­‐cycle
release
• Which developer “owns” the code?

39. 39
Defect Tracker Integration
• Bundle
mulWple
vulnerabiliWes
into
a
defect
– Using
standard
filtering
criteria
• ThreadFix
periodically
updates
defect
status
from
the
tracker

40. 40
Demo: Defect Tracker Integration

41. 41
IDE Plug Ins
• Import
vulnerability
data
to
integrated
development
environments
(IDEs)
• StaWc
(SAST)
scanners
– Easy
• Dynamic
(DAST)
scanners
– Possible
using
Hybrid
Analysis
Mapping
(HAM)

42. 42
Demo: Maping Vulnerabilities in IDE

43. 43
• Nobody
Likes
Uncertainty
• Measurement
Is
Key
Risk Management
43

44. 44
Risk Management
Data
Hub
GRC

45. 45
Vulnerability Filtering
• Filter
vulnerability
data
– Scanner,
scanner
count
– Vulnerability
type
– Path,
parameter
– Severity
– Status
– Aging
• Save
filters
for
future
use

46. 46
Demo: Vulnerability Filtering

47. 47
Reporting
• Trending
• Progress
by
Vulnerability
– For
program
benchmarking
• Porpolio
Report
– For
resource
prioriWzaWon
• Comparison
– For
scanner/technology
benchmarking

48. 48
What to Look For?
Metrics
That
Can
Help
• Vulnerability
Prevalence
• Vulnerability
ResoluWon
Rate
• Mean
Time
To
Fix
(MTTF)
48

49. 49
Demo: Reporting

50. 50
So What Have We Covered?
• ApplicaWon
Security
Is
Hard
– Lots
of
people
and
systems
involved
• Data
Trumps
FUD
• AutomaWon
Is
CriWcal
50

51. 51
ThreadFix Links
• Main
ThreadFix
website:
www.threadfix.org
– General
informaWon,
downloads
• ThreadFix
GitHub
site:
github.com/denimgroup/threadfix
– Code,
issue
tracking
• ThreadFix
GitHub
wiki:
hgps://github.com/denimgroup/threadfix/wiki
– Project
documentaWon
• ThreadFix
Google
Group:
hgps://groups.google.com/forum/?fromgroups#!forum/threadfix
– Community
support,
general
discussion

52. 52
Contact
Questions / Contact Information
Dan
Cornell
dan@denimgroup.com
Twiger
@danielcornell
(210)
572-­‐4400