These are the slides for the Tech Talk that Netsparker's CEO Ferruh Mavituna delivered at Infosecurity Europe in London. During the presentation, Ferruh first talks about the three stages of the vulnerability detection process: Discovery Identify Automate Then he explained the pre-scan and post-scan challenges of automating the vulnerability detection process, such as; configuring authenticated scans, URL Rewrites, manually verifying false positives and much more. Ferruh also explains how today’s technology allows us to overcome most of these challenges and as he says Automate what can be automated. You can watch the presentation here: https://www.netsparker.com/blog/web-security/infosecurity-europe-tech-talk-automating-web-security/

1. Ferruh Mavituna, CEO
Scaling-Up &
Automating Web
Application Security
Netsparker

2. Scaling-Up and Automating Web Application Security
Discover

3. Scaling-Up and Automating Web Application Security
• Public Websites
• Mission Critical
• Temporary (i.e. short-term marketing websites)
• Managed by 3rd party
• Internal Websites
• Mission Critical
• Developed in house
• Developed by a 3rd party
• Hardware Management Interfaces
• Staging Websites
• Actively Developed
• 3rd party & will be deployed
Discover & Prioritize

4. Scaling-Up and Automating Web Application Security
• Process
• Internal asset management
• Introducing a process & policy
• Automated Discovery
• Effectively smart “port scanning”
Discover & Prioritize

5. Scaling-Up and Automating Web Application Security
Identify

6. Scaling-Up and Automating Web Application Security
• Configuration Issues
• TLS, Web Server, Unnecessary features…
• Known Vulnerabilities and Out-of-date Dependencies
• Known vulnerabilities in known applications and dependencies
• Out-of-date JS libraries, modules, dependencies, frameworks…
• Unknown Vulnerabilities (zero-days)
• SQL Injection, CSRF, XSS, LFI, RFI and similar vulnerabilities that are not known yet
• Lack of Security Best Practice and Proactive Measures
• CSP, HSTS, Information Disclosure, Insecure Endpoints, Leaking data to 3rd party resources
etc.
Identify Vulnerabilities

7. Scaling-Up and Automating Web Application Security
Automate

8. Scaling-Up and Automating Web Application Security
• Automation excels at
• Scaling
• Being consistent
• Enforcing checks
• Finding majority of vulnerabilities
• Eliminating human-errors on repeated checks
• Limitations of automation
• Logical issues
• Extremely design specific & platform specific issues
• Discovering all the flows & processes in websites
Automation

9. Scaling-Up and Automating Web Application Security
“Automate what can
be automated”

10. Scaling-Up and Automating Web Application Security
Automation
Challenges

11. Scaling-Up and Automating Web Application Security
• Authenticated Scans
• URL Rewrite
• Custom 404 Pages
• Form Values
Pre-scan Challenges

12. Scaling-Up and Automating Web Application Security
• False Positive
• Correlating Results
• Hot-patching vulnerabilities in WAF level
Post-scan Challenges

13. Scaling-Up and Automating Web Application Security
• How many of the identified vulnerabilities are real?
• What’s the real risk?
• How long would it take to review all vulnerabilities to see which are
False Positives?
• What kind of technical expertise do you need to accomplish this?
10,000 Issues have been identified, Now what?

14. Scaling-Up and Automating Web Application Security
“Automation without
accuracy cannot scale”

15. Scaling-Up and Automating Web Application Security
• How is it done manually?
• Can it be automated?
Elimination of False Positives

16. Scaling-Up and Automating Web Application Security
“If it’s exploitable it
cannot be a false
positive”

17. Scaling-Up and Automating Web Application Security
• Securing thousands of web applications is possible
• Automate what can be automated
• Use the right tools for the job
• Understand what automation can and cannot do
• Plan for the long term
• Challenge the norm
Conclusion