These are the slides for the Tech Talk that Netsparker's CEO Ferruh Mavituna delivered at Infosecurity Europe in London.
During the presentation, Ferruh first talks about the three stages of the vulnerability detection process:
Discovery
Identify
Automate
Then he explains the pre-scan and post-scan challenges of automating the vulnerability detection process, such as configuring authenticated scans, URL rewrites, manually verifying false positives and much more. Ferruh also explains how today's technology allows us to overcome most of these challenges and, as he puts it, "Automate what can be automated".
You can watch the presentation here: https://www.netsparker.com/blog/web-security/infosecurity-europe-tech-talk-automating-web-security/
3. Scaling-Up and Automating Web Application Security: Discover & Prioritize
• Public Websites
  • Mission Critical
  • Temporary (i.e. short-term marketing websites)
  • Managed by a 3rd party
• Internal Websites
  • Mission Critical
  • Developed in house
  • Developed by a 3rd party
• Hardware Management Interfaces
• Staging Websites
  • Actively Developed
  • 3rd party & will be deployed
4. Discover & Prioritize
• Process
  • Internal asset management
  • Introducing a process & policy
• Automated Discovery
  • Effectively smart "port scanning"
6. Identify Vulnerabilities
• Configuration Issues
  • TLS, Web Server, Unnecessary features…
• Known Vulnerabilities and Out-of-date Dependencies
  • Known vulnerabilities in known applications and dependencies
  • Out-of-date JS libraries, modules, dependencies, frameworks…
• Unknown Vulnerabilities (zero-days)
  • SQL Injection, CSRF, XSS, LFI, RFI and similar vulnerabilities that are not known yet
• Lack of Security Best Practice and Proactive Measures
  • CSP, HSTS, Information Disclosure, Insecure Endpoints, Leaking data to 3rd party resources etc.
8. Automation
• Automation excels at
  • Scaling
  • Being consistent
  • Enforcing checks
  • Finding the majority of vulnerabilities
  • Eliminating human errors on repeated checks
• Limitations of automation
  • Logical issues
  • Extremely design-specific & platform-specific issues
  • Discovering all the flows & processes in websites
11. Pre-scan Challenges
• Authenticated Scans
• URL Rewrite
• Custom 404 Pages
• Form Values
12. Post-scan Challenges
• False Positives
• Correlating Results
• Hot-patching vulnerabilities at the WAF level
13. 10,000 Issues have been identified, Now what?
• How many of the identified vulnerabilities are real?
• What's the real risk?
• How long would it take to review all vulnerabilities to see which are False Positives?
• What kind of technical expertise do you need to accomplish this?
15. Elimination of False Positives
• How is it done manually?
• Can it be automated?
16. "If it's exploitable it cannot be a false positive"
17. Conclusion
• Securing thousands of web applications is possible
• Automate what can be automated
• Use the right tools for the job
• Understand what automation can and cannot do
• Plan for the long term
• Challenge the norm
Editor's notes
Use automation for what
Automation can deliver a lot but might need to be configured correctly to get the best out of it.