SlideShare une entreprise Scribd logo

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together

Denim Group
Denim Group

Developers want to write code and security testers want to break it and both groups have specialized tools supporting these goals. The problem is – security testers need to know more about application code to do better testing and developers need to be able to quickly address problems found by security testers. This presentation looks at both groups and their respective toolsets and explores ways they can help each other out. Two different interactions are examined: • How can knowledge of code make application scanning better? • How can application scan results be mapped back to specific lines of code? Using open source examples built on OWASP ZAP, ThreadFix and Eclipse, the presentation walks through the process of seeding web applications scans with knowledge gleaned from code analysis as well as the mapping of dynamic scan results to specific line of code. The end result is a combination of testing and remediation workflows that help both security testers and software developers be more effective. Particular attention is give to Java/JSP applications and Java/Spring applications and how teams using these frameworks can best benefit from these interactions.

Technologie
1  sur  37
Télécharger pour lire hors ligne
! Hybrid Analysis Mapping:! Making Security and Development Tools Play Nice Together! ! Dan Cornell! CTO, Denim Group! @danielcornell This presentation contains information about DHS-funded research: Topic Number: H-SB013.1-002 - Hybrid Analysis Mapping (HAM) Proposal Number: HSHQDC-13-R-00009-H-SB013.1-002-0003-I © Copyright 2014 Denim Group - All Rights Reserved
Dan Cornell •  Dan Cornell, founder and CTO of Denim Group •  Software developer by background (Java, .NET, etc) •  OWASP San Antonio •  15 years experience in software architecture, development and security •  Heads Denim Group’s application security team © Copyright 2014 Denim Group - All Rights Reserved 2
Denim Group Overview •  Headquarters in San Antonio, TX –  Remote offices: San Francisco, Seattle, New York City, Dallas and Austin –  Founded in 2001, 90 employees, profitable since inception –  Inc. Magazine 5000 Fastest Growing Company (5 consecutive years) •  Secure software services and products company –  Builds secure software –  Helps organizations assess and mitigate risk of existing software –  Provides e-Learning and classroom training so clients can build secure software •  Customer base spans Fortune 500 and DoD –  Market Focus: Financial Services, Banking, Insurance, Healthcare, and U.S. Air Force •  Software-centric view of application security –  Application security experts are practicing developers delivering a rare combination of expertise in today’s industry –  Development pedigree translates to rapport with development managers –  Business impact: shorter time-to-fix application vulnerabilities © Copyright 2014 Denim Group - All Rights Reserved 3
Development and Security •  Have different goals •  Use different tools •  MUST WORK TOGETHER © Copyright 2014 Denim Group - All Rights Reserved 4
Development •  Features, functions timelines –  Get it done! •  Manage workload: Defect tracking systems •  Write code: Integrated Development Environment (IDE) © Copyright 2014 Denim Group - All Rights Reserved 5
Security •  Policies, standards, risks –  Keep the world safe! •  Network and infrastructure tools/paradigms adapted for applications –  Network scanners -> Application scanners –  Network firewalls -> Web application firewalls © Copyright 2014 Denim Group - All Rights Reserved 6
Problems with Security Tools (if you are in Security) •  Code analysis (static) tools can be challenging –  Often require coding experience to use effectively –  Provide LOTS of results (often including false positives) •  Application scanning (dynamic) tools have their own challenges –  Have to be properly configured to get good coverage –  Have to learn about the application © Copyright 2014 Denim Group - All Rights Reserved 7
Problems with Security Tools (if you are a Developer) •  Developers Don’t Speak PDF –  Developers also don’t speak Excel •  Taking action based on dynamic scan results can be challenging –  What code needs to be changed and how? © Copyright 2014 Denim Group - All Rights Reserved 8
How Do We Make Things Better? •  Developers need to learn more about security –  To better understand what impact their actions have on their organization’s security posture •  Security teams need to learn more about development –  What tools do they use? –  How do they manage their workload •  These interactions need to become more natural © Copyright 2014 Denim Group - All Rights Reserved 9
So What? •  Genesis of this presentation was some DHS-funded research –  Looking into “Hybrid Analysis Mapping” (HAM) via their SBIR program •  Looking into better integration between dynamic and static scanners –  Found interesting applications above and beyond our original goals © Copyright 2014 Denim Group - All Rights Reserved 10
Hybrid Analysis Mapping – Phase 1 Goal •  Determine the feasibility of developing a system that can reliably and efficiently correlate and merge the results of automated static and dynamic security scans of web applications. HP Fortify SCA © Copyright 2014 Denim Group - All Rights Reserved IBM AppScan Standard 11
Dynamic Application Security Testing •  Spider to enumerate attack surface •  Fuzz to identify vulnerabilities based on analysis of request/response patterns © Copyright 2014 Denim Group - All Rights Reserved 12
Static Application Security Testing •  Use source or binary to create a model of the application –  Kind of like a compiler or VM •  Perform analysis to identify vulnerabilities and weaknesses –  Data flow, control flow, semantic, etc © Copyright 2014 Denim Group - All Rights Reserved 13
Hybrid Analysis Mapping – Phase 1 Sub-Goals •  Standardize vulnerability types •  Match dynamic and static locations •  Improve static parameter parsing © Copyright 2014 Denim Group - All Rights Reserved 14
Hybrid Analysis Mapping Phase 1 - Technical Objectives •  Technical Objective 1: Create common data structure standards for both automated static and dynamic security scanning results. –  Task 1: Create a Data Structure for Automated Dynamic Security Scanning Results –  Task 2: Create a Data Structure for Automated Static Security Scanning Results •  Technical Objective 2: Research and prototype methods of mapping the results of automated static and dynamic security scanning. –  –  –  –  Task 1: Create a Structured Model for Hybrid Analysis Mapping Task 2: Investigate Approaches for Vulnerability Type Mapping Task 3: Investigate Approaches for Mapping Source Code Files to URLs Task 4: Investigate Approaches for Determining Injection Points © Copyright 2014 Denim Group - All Rights Reserved 15
•  Open source vulnerability management and aggregation platform: –  –  •  Allows software security teams to reduce the time to remediate software vulnerabilities Enables managers to speak intelligently about the status / trends of software security within their organization. Features/Benefits: –  –  –  –  –  –  –  •  •  Imports dynamic, static and manual testing results into a centralized platform Removes duplicate findings across testing platforms to provide a prioritized list of security faults Eases communication across development, security and QA teams Exports prioritized list into defect tracker of choice to streamline software remediation efforts Auto generates web application firewall rules to protect data during vulnerability remediation Empowers managers with vulnerability trending reports to pinpoint issues and illustrate application security progress Benchmark security practice improvement against industry standards Freely available under the Mozilla Public License (MPL) 2.0 Download available at: www.denimgroup.com/threadfix © Copyright 2014 Denim Group - All Rights Reserved 16
ThreadFix Accelerate Software Remediation © Copyright 2014 Denim Group - All Rights Reserved ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems. 17
Supported Tools: Dynamic Scanners SaaS Testing Platforms Acunetix Arachni Burp Suite HP WebInspect IBM Security AppScan Standard IBM Security AppScan Enterprise Mavituna Security Netsparker NTO Spider OWASP Zed Attack Proxy Tenable Nessus Skipfish w3aF WhiteHat Veracode QualysGuard WAS Static Scanners Atlassian JIRA Microsoft Team Foundation Server Mozilla Bugzilla *Plugin Architecture for Additional Defect Trackers FindBugs IBM Security AppScan Source HP Fortify SCA Microsoft CAT.NET Brakeman © Copyright 2014 Denim Group - All Rights Reserved IDS/IPS and WAF DenyAll F5 Imperva Mod_Security Snort Defect Trackers 18
Large Range of Tool Compatibility © Copyright 2014 Denim Group - All Rights Reserved 19
Information Used •  Source Code (Git URL) •  Framework Type (JSP, Spring) •  Extra information from Fortify (if available) © Copyright 2014 Denim Group - All Rights Reserved 20
Vulnerability Types •  Successful CWE standardization •  Investigation into trees and Software Fault Patterns –  Meant to correct for human errors –  Hard to do in an automated fashion © Copyright 2014 Denim Group - All Rights Reserved 21
Unified Static and Dynamic Locations •  PathUrlTranslator interface –  getUrlPath(Finding) –  getFileName(Finding) •  JSP only needs the root source folder •  Spring @Controller parsing © Copyright 2014 Denim Group - All Rights Reserved 22
Static Parameter Parsing •  Look for request.getParameter() in JSPs •  Parse Spring @RequestParam, @PathVariable, @Entity annotations © Copyright 2014 Denim Group - All Rights Reserved 23
HAM Bridge Static Dynamic •  PathUrlTranslator enables more than merging •  IDE plugin shows all vulnerabilities inline •  Scanner integration allows smarter scanning © Copyright 2014 Denim Group - All Rights Reserved 24
System Architecture ZAP Scanner ThreadFix Server Target Application Application Source Code © Copyright 2014 Denim Group - All Rights Reserved Eclipse IDE 25
Demonstrations •  Show me my application’s attack surface •  Merge static and dynamic scanner results •  De-duplicate dynamic RESTful scanner results •  Pre-load my scanner with attack surface data •  Map my dynamically-identified vulnerabilities to their source code location © Copyright 2014 Denim Group - All Rights Reserved 26
Application Attack Surface (CLI) © Copyright 2014 Denim Group - All Rights Reserved 27
Merging Static and Dynamic Scanner Results © Copyright 2014 Denim Group - All Rights Reserved 28
Merging Static and Dynamic Scanner Results © Copyright 2014 Denim Group - All Rights Reserved 29
De-Duplicate Dynamic RESTful Scanner Results © Copyright 2014 Denim Group - All Rights Reserved 30
De-Duplicate Dynamic RESTful Scanner Results © Copyright 2014 Denim Group - All Rights Reserved 31
Seed Scanner with Attack Surface © Copyright 2014 Denim Group - All Rights Reserved 32
Map Dynamic Scan Results to LoC in IDE © Copyright 2014 Denim Group - All Rights Reserved 33
What’s next? •  More frameworks: –  –  –  –  –  –  –  Django (in progress) ASP.NET ASP.NET MVC JSF Struts Ruby on Rails And so on… •  More IDEs: –  IntelliJ –  Visual Studio –  And so on… © Copyright 2014 Denim Group - All Rights Reserved 34
Call To Action •  Download the endpoint calculator and run on your code –  What works? What doesn’t work? –  Currently support: Java/JSP and Java/Spring –  Others in the works •  Download the ThreadFix ZAP plugin –  Pre-seed some scans –  Store scan data in ThreadFix •  Download the ThreadFix Eclipse plugin –  Pull dynamic scan results into your IDE •  What tools and frameworks do YOU want to see supported? © Copyright 2014 Denim Group - All Rights Reserved 35
Resources •  ThreadFix downloads (NOT on GitHub, moving soon) –  https://code.google.com/p/threadfix/downloads/list •  Endpoint generator –  https://github.com/denimgroup/threadfix/wiki/Endpoint-CLI •  ZAP plugin –  https://github.com/denimgroup/threadfix/wiki/Zap-Plugin •  Eclipse plugin –  https://github.com/denimgroup/threadfix/wiki/Eclipse-IDE-Plugin © Copyright 2014 Denim Group - All Rights Reserved 36
Questions? Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com blog.denimgroup.com (210) 572-4400 www.denimgroup.com/threadfix github.com/denimgroup/threadfix © Copyright 2014 Denim Group - All Rights Reserved 37

Recommandé

Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Denim Group
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
Denim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
Denim Group
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Denim Group
 

Recommandé

Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Denim Group
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
Denim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
Denim Group
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Denim Group
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
Denim Group
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
Denim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability Remediation
Denim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
Denim Group
 
Mobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfMobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat Yourself
Denim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
Denim Group
 
Real Cost of Software Remediation
Real Cost of Software RemediationReal Cost of Software Remediation
Real Cost of Software Remediation
Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment Techniques
Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Denim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Denim Group
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
Denim Group
 
Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalThread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final Final
Robin Lutchansky
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Denim Group
 

Contenu connexe

Tendances

Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
Denim Group
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
Denim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability Remediation
Denim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
Denim Group
 
Mobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfMobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat Yourself
Denim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
Denim Group
 

Tendances (20)

Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability Remediation
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
 
Mobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfMobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat Yourself
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
 
Real Cost of Software Remediation
Real Cost of Software RemediationReal Cost of Software Remediation
Real Cost of Software Remediation
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment Techniques
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
 

Similaire à Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together

Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Denim Group
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
Denim Group
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and NumbersApplication Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Denim Group
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Denim Group
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
Rogue Wave Software
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
pvanwoud
 
How is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to OthersHow is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to Others
Denim Group
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
Denim Group
 
Application Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerApplication Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability Manager
Denim Group
 

Similaire à Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together (20)

Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalThread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final Final
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
 
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and NumbersApplication Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
How is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to OthersHow is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to Others
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
 
Application Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerApplication Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability Manager
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 

Plus de Denim Group

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
 

Plus de Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Dernier

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Dernier (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together

  • 1. ! Hybrid Analysis Mapping:! Making Security and Development Tools Play Nice Together! ! Dan Cornell! CTO, Denim Group! @danielcornell This presentation contains information about DHS-funded research: Topic Number: H-SB013.1-002 - Hybrid Analysis Mapping (HAM) Proposal Number: HSHQDC-13-R-00009-H-SB013.1-002-0003-I © Copyright 2014 Denim Group - All Rights Reserved
  • 2. Dan Cornell •  Dan Cornell, founder and CTO of Denim Group •  Software developer by background (Java, .NET, etc) •  OWASP San Antonio •  15 years experience in software architecture, development and security •  Heads Denim Group’s application security team © Copyright 2014 Denim Group - All Rights Reserved 2
  • 3. Denim Group Overview •  Headquarters in San Antonio, TX –  Remote offices: San Francisco, Seattle, New York City, Dallas and Austin –  Founded in 2001, 90 employees, profitable since inception –  Inc. Magazine 5000 Fastest Growing Company (5 consecutive years) •  Secure software services and products company –  Builds secure software –  Helps organizations assess and mitigate risk of existing software –  Provides e-Learning and classroom training so clients can build secure software •  Customer base spans Fortune 500 and DoD –  Market Focus: Financial Services, Banking, Insurance, Healthcare, and U.S. Air Force •  Software-centric view of application security –  Application security experts are practicing developers delivering a rare combination of expertise in today’s industry –  Development pedigree translates to rapport with development managers –  Business impact: shorter time-to-fix application vulnerabilities © Copyright 2014 Denim Group - All Rights Reserved 3
  • 4. Development and Security •  Have different goals •  Use different tools •  MUST WORK TOGETHER © Copyright 2014 Denim Group - All Rights Reserved 4
  • 5. Development •  Features, functions timelines –  Get it done! •  Manage workload: Defect tracking systems •  Write code: Integrated Development Environment (IDE) © Copyright 2014 Denim Group - All Rights Reserved 5
  • 6. Security •  Policies, standards, risks –  Keep the world safe! •  Network and infrastructure tools/paradigms adapted for applications –  Network scanners -> Application scanners –  Network firewalls -> Web application firewalls © Copyright 2014 Denim Group - All Rights Reserved 6
  • 7. Problems with Security Tools (if you are in Security) •  Code analysis (static) tools can be challenging –  Often require coding experience to use effectively –  Provide LOTS of results (often including false positives) •  Application scanning (dynamic) tools have their own challenges –  Have to be properly configured to get good coverage –  Have to learn about the application © Copyright 2014 Denim Group - All Rights Reserved 7
  • 8. Problems with Security Tools (if you are a Developer) •  Developers Don’t Speak PDF –  Developers also don’t speak Excel •  Taking action based on dynamic scan results can be challenging –  What code needs to be changed and how? © Copyright 2014 Denim Group - All Rights Reserved 8
  • 9. How Do We Make Things Better? •  Developers need to learn more about security –  To better understand what impact their actions have on their organization’s security posture •  Security teams need to learn more about development –  What tools do they use? –  How do they manage their workload •  These interactions need to become more natural © Copyright 2014 Denim Group - All Rights Reserved 9
  • 10. So What? •  Genesis of this presentation was some DHS-funded research –  Looking into “Hybrid Analysis Mapping” (HAM) via their SBIR program •  Looking into better integration between dynamic and static scanners –  Found interesting applications above and beyond our original goals © Copyright 2014 Denim Group - All Rights Reserved 10
  • 11. Hybrid Analysis Mapping – Phase 1 Goal •  Determine the feasibility of developing a system that can reliably and efficiently correlate and merge the results of automated static and dynamic security scans of web applications. HP Fortify SCA © Copyright 2014 Denim Group - All Rights Reserved IBM AppScan Standard 11
  • 12. Dynamic Application Security Testing •  Spider to enumerate attack surface •  Fuzz to identify vulnerabilities based on analysis of request/response patterns © Copyright 2014 Denim Group - All Rights Reserved 12
  • 13. Static Application Security Testing •  Use source or binary to create a model of the application –  Kind of like a compiler or VM •  Perform analysis to identify vulnerabilities and weaknesses –  Data flow, control flow, semantic, etc © Copyright 2014 Denim Group - All Rights Reserved 13
  • 14. Hybrid Analysis Mapping – Phase 1 Sub-Goals •  Standardize vulnerability types •  Match dynamic and static locations •  Improve static parameter parsing © Copyright 2014 Denim Group - All Rights Reserved 14
  • 15. Hybrid Analysis Mapping Phase 1 - Technical Objectives •  Technical Objective 1: Create common data structure standards for both automated static and dynamic security scanning results. –  Task 1: Create a Data Structure for Automated Dynamic Security Scanning Results –  Task 2: Create a Data Structure for Automated Static Security Scanning Results •  Technical Objective 2: Research and prototype methods of mapping the results of automated static and dynamic security scanning. –  –  –  –  Task 1: Create a Structured Model for Hybrid Analysis Mapping Task 2: Investigate Approaches for Vulnerability Type Mapping Task 3: Investigate Approaches for Mapping Source Code Files to URLs Task 4: Investigate Approaches for Determining Injection Points © Copyright 2014 Denim Group - All Rights Reserved 15
  • 16. •  Open source vulnerability management and aggregation platform: –  –  •  Allows software security teams to reduce the time to remediate software vulnerabilities Enables managers to speak intelligently about the status / trends of software security within their organization. Features/Benefits: –  –  –  –  –  –  –  •  •  Imports dynamic, static and manual testing results into a centralized platform Removes duplicate findings across testing platforms to provide a prioritized list of security faults Eases communication across development, security and QA teams Exports prioritized list into defect tracker of choice to streamline software remediation efforts Auto generates web application firewall rules to protect data during vulnerability remediation Empowers managers with vulnerability trending reports to pinpoint issues and illustrate application security progress Benchmark security practice improvement against industry standards Freely available under the Mozilla Public License (MPL) 2.0 Download available at: www.denimgroup.com/threadfix © Copyright 2014 Denim Group - All Rights Reserved 16
  • 17. ThreadFix Accelerate Software Remediation © Copyright 2014 Denim Group - All Rights Reserved ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems. 17
  • 18. Supported Tools: Dynamic Scanners SaaS Testing Platforms Acunetix Arachni Burp Suite HP WebInspect IBM Security AppScan Standard IBM Security AppScan Enterprise Mavituna Security Netsparker NTO Spider OWASP Zed Attack Proxy Tenable Nessus Skipfish w3aF WhiteHat Veracode QualysGuard WAS Static Scanners Atlassian JIRA Microsoft Team Foundation Server Mozilla Bugzilla *Plugin Architecture for Additional Defect Trackers FindBugs IBM Security AppScan Source HP Fortify SCA Microsoft CAT.NET Brakeman © Copyright 2014 Denim Group - All Rights Reserved IDS/IPS and WAF DenyAll F5 Imperva Mod_Security Snort Defect Trackers 18
  • 19. Large Range of Tool Compatibility © Copyright 2014 Denim Group - All Rights Reserved 19
  • 20. Information Used •  Source Code (Git URL) •  Framework Type (JSP, Spring) •  Extra information from Fortify (if available) © Copyright 2014 Denim Group - All Rights Reserved 20
  • 21. Vulnerability Types •  Successful CWE standardization •  Investigation into trees and Software Fault Patterns –  Meant to correct for human errors –  Hard to do in an automated fashion © Copyright 2014 Denim Group - All Rights Reserved 21
  • 22. Unified Static and Dynamic Locations •  PathUrlTranslator interface –  getUrlPath(Finding) –  getFileName(Finding) •  JSP only needs the root source folder •  Spring @Controller parsing © Copyright 2014 Denim Group - All Rights Reserved 22
  • 23. Static Parameter Parsing •  Look for request.getParameter() in JSPs •  Parse Spring @RequestParam, @PathVariable, @Entity annotations © Copyright 2014 Denim Group - All Rights Reserved 23
  • 24. HAM Bridge Static Dynamic •  PathUrlTranslator enables more than merging •  IDE plugin shows all vulnerabilities inline •  Scanner integration allows smarter scanning © Copyright 2014 Denim Group - All Rights Reserved 24
  • 25. System Architecture ZAP Scanner ThreadFix Server Target Application Application Source Code © Copyright 2014 Denim Group - All Rights Reserved Eclipse IDE 25
  • 26. Demonstrations •  Show me my application’s attack surface •  Merge static and dynamic scanner results •  De-duplicate dynamic RESTful scanner results •  Pre-load my scanner with attack surface data •  Map my dynamically-identified vulnerabilities to their source code location © Copyright 2014 Denim Group - All Rights Reserved 26
  • 27. Application Attack Surface (CLI) © Copyright 2014 Denim Group - All Rights Reserved 27
  • 28. Merging Static and Dynamic Scanner Results © Copyright 2014 Denim Group - All Rights Reserved 28
  • 29. Merging Static and Dynamic Scanner Results © Copyright 2014 Denim Group - All Rights Reserved 29
  • 30. De-Duplicate Dynamic RESTful Scanner Results © Copyright 2014 Denim Group - All Rights Reserved 30
  • 31. De-Duplicate Dynamic RESTful Scanner Results © Copyright 2014 Denim Group - All Rights Reserved 31
  • 32. Seed Scanner with Attack Surface © Copyright 2014 Denim Group - All Rights Reserved 32
  • 33. Map Dynamic Scan Results to LoC in IDE © Copyright 2014 Denim Group - All Rights Reserved 33
  • 34. What’s next? •  More frameworks: –  –  –  –  –  –  –  Django (in progress) ASP.NET ASP.NET MVC JSF Struts Ruby on Rails And so on… •  More IDEs: –  IntelliJ –  Visual Studio –  And so on… © Copyright 2014 Denim Group - All Rights Reserved 34
  • 35. Call To Action •  Download the endpoint calculator and run on your code –  What works? What doesn’t work? –  Currently support: Java/JSP and Java/Spring –  Others in the works •  Download the ThreadFix ZAP plugin –  Pre-seed some scans –  Store scan data in ThreadFix •  Download the ThreadFix Eclipse plugin –  Pull dynamic scan results into your IDE •  What tools and frameworks do YOU want to see supported? © Copyright 2014 Denim Group - All Rights Reserved 35
  • 36. Resources •  ThreadFix downloads (NOT on GitHub, moving soon) –  https://code.google.com/p/threadfix/downloads/list •  Endpoint generator –  https://github.com/denimgroup/threadfix/wiki/Endpoint-CLI •  ZAP plugin –  https://github.com/denimgroup/threadfix/wiki/Zap-Plugin •  Eclipse plugin –  https://github.com/denimgroup/threadfix/wiki/Eclipse-IDE-Plugin © Copyright 2014 Denim Group - All Rights Reserved 36
  • 37. Questions? Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com blog.denimgroup.com (210) 572-4400 www.denimgroup.com/threadfix github.com/denimgroup/threadfix © Copyright 2014 Denim Group - All Rights Reserved 37