Prioritizing Risk Relative to Mitigating Vulnerabilities
Lucas von Stockhausen, Senior Product Manager & Application Security Strategist
Jimmy Rabon, Senior Product Manager
#MicroFocusCyberSummit
Understanding Risk Relative to Remediation
Security testing tools provide you with knowledge of potential vulnerabilities in your application.
Any successful app sec program must be able to intelligently calculate what that risk means to the business.
We will demonstrate how to calculate this risk effectively, at scale, and provide best practices for actually fixing these issues.
It's not what you found that an application security program is judged by. It's what you did with that information and how effectively it was used.
Agenda
Prioritization of Security Issues
- Risk profiling your application inventory
- Leveraging issue Impact + Likelihood at scale
- Using auditor decisions to predict future vulnerabilities with Audit Assistant
Remediation of Security Issues
- Understanding the convergence of data flow for static analysis issues
- Utilizing industry and organization best practices for fixing issues
- Implementing an internal mapping to share best practices throughout your organization
Q&A
What’s New & Wrong with Apps?
Applications Have Become the De Facto Interface for all Businesses Application development became a competitive differentiator. Mobile apps are no longer just for banking, telco or tech!
Modern Needs for Business Require Faster and More Function-Packed Releases
Average software release cycle:
  2010: 12 months
  2017: 3 weeks
  2020 (anticipated): 3 minutes
Source: https://medium.com/data-ops/how-software-teams-accelerated-average-release-frequency-from-three-weeks-to-three-minutes-d2aaa9cca918
More Applications + Faster Releases = More Vulnerabilities + Less Time to Detect
Prioritization of Security Issues
Risk Profile of Your Application Inventory
- Application accessibility: internal or external
- Sensitivity of data: PII, financial, IP, etc.
- Compliance obligation: PCI, GDPR, MAS, etc.
- Business impact of a breach: financial damage, reputation damage, non-compliance, privacy violation
Discover the Attack Surface
Understanding your application portfolio is the first step to securing it.
Our process: Discovery -> Verification -> Risk profile
For all customers: complimentary annual discovery
Why Not CVSS?
The Common Vulnerability Scoring System (CVSS) focuses on describing vulnerabilities in deployed products or services so that administrators can decide how to react.
Shortcomings:
- CVSS is extremely sensitive to, and in many cases dependent on, qualitative information provided by a human reviewer.
- It cannot provide an aggregate score for a set of vulnerabilities.
- Methods that require a human to estimate every finding are limited when the number of findings is large and the intended audience is small.
Security Issue: Impact and Likelihood
Risk is determined by Impact and Likelihood.
- Impact is the negative outcome resulting from a vulnerability.
- Likelihood is the probability that the impact will come to pass.
Impact/likelihood matrix:
                 Low Likelihood   High Likelihood
  High Impact    High             Critical
  Low Impact     Low              Medium
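The two prioritization slides above, worked as an added example (not Fortify or Fortify on Demand code): each application gets a profile score from its accessibility, data sensitivity and compliance obligations, each finding gets impact x likelihood, and the two are combined into one portfolio-wide work list plus a per-application aggregate of the kind a per-vulnerability CVSS score does not give you. The factor weights, the 2.5 cut-off that splits the 1-5 impact and likelihood scales into the four quadrants, and the sample applications and findings are all assumptions made for illustration.

```python
"""Risk-based prioritization: application risk profile x issue impact x likelihood.

Added example, not Fortify code. Weights, the 2.5 threshold and the sample
applications/findings are assumptions for illustration only.
"""
from dataclasses import dataclass

# Application risk-profile factors from the slide (numeric weights assumed).
ACCESSIBILITY = {"internal": 1.0, "external": 2.0}
DATA_SENSITIVITY = {"public": 0.5, "internal": 1.0, "pii": 2.0, "ip": 2.0, "financial": 2.5}
COMPLIANCE = {"PCI": 1.0, "GDPR": 1.0, "MAS": 0.5}


@dataclass(frozen=True)
class Application:
    name: str
    accessibility: str
    data: tuple        # data classes handled, e.g. ("pii", "financial")
    compliance: tuple  # obligations, e.g. ("PCI", "GDPR")

    def profile_score(self) -> float:
        """Business impact of a breach of this application (assumed model)."""
        exposure = ACCESSIBILITY[self.accessibility]
        sensitivity = max((DATA_SENSITIVITY[d] for d in self.data), default=0.5)
        obligations = 1.0 + sum(COMPLIANCE[c] for c in self.compliance)
        return exposure * sensitivity * obligations


@dataclass(frozen=True)
class Finding:
    app: str
    category: str
    impact: float      # 1.0 .. 5.0: negative outcome if exploited
    likelihood: float  # 1.0 .. 5.0: probability the impact comes to pass

    def risk(self) -> float:
        return self.impact * self.likelihood


THRESHOLD = 2.5  # assumed split between "low" and "high" on the 1..5 scales


def priority_folder(f: Finding) -> str:
    """The four quadrants of the impact/likelihood matrix on the slide."""
    high_impact = f.impact >= THRESHOLD
    high_likelihood = f.likelihood >= THRESHOLD
    if high_impact and high_likelihood:
        return "Critical"
    if high_impact:
        return "High"
    if high_likelihood:
        return "Medium"
    return "Low"


def business_risk(f: Finding, apps: dict) -> float:
    """Issue risk scaled by the profile of the application it lives in."""
    return f.risk() * apps[f.app].profile_score()


def prioritize(findings, apps):
    """Portfolio-wide work list, highest business risk first."""
    return sorted(findings, key=lambda f: business_risk(f, apps), reverse=True)


def aggregate_by_app(findings, apps):
    """One number per application: the aggregate a per-vulnerability score lacks."""
    totals = {}
    for f in findings:
        totals[f.app] = totals.get(f.app, 0.0) + business_risk(f, apps)
    return totals


# Constructed inventory and findings (hypothetical names).
APPS = {
    "payments": Application("payments", "external", ("financial", "pii"), ("PCI", "GDPR")),
    "intranet-wiki": Application("intranet-wiki", "internal", ("internal",), ()),
}
FINDINGS = [
    Finding("payments", "SQL Injection", impact=4.0, likelihood=4.0),
    Finding("payments", "Unreleased Resource", impact=2.0, likelihood=3.0),
    Finding("intranet-wiki", "SQL Injection", impact=4.0, likelihood=4.0),
    Finding("intranet-wiki", "Path Manipulation", impact=3.0, likelihood=2.0),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS, APPS):
        print(f"{business_risk(f, APPS):7.1f}  {priority_folder(f):8}  {f.app:14} {f.category}")
    print(aggregate_by_app(FINDINGS, APPS))
```

Note what the ordering shows: the same SQL injection finding scores 16 in both applications, but in the external PCI/GDPR payments application it outranks everything, while a Medium finding in that application still ranks above the Critical in the internal wiki. The thresholds are the thing to calibrate against your own inventory, not the arithmetic.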
Star Rating - FoD (Fortify on Demand)
Using Machine Learning to Predict Vulnerabilities
- Auto-train: Audit Assistant derives anonymous issue metrics and securely sends them to scan analytics.
- Auto-predict: unaudited results enter SSC; classifiers report verified vulnerabilities with up to 98% accuracy.
- Auto-tag: audited issues arrive in SSC.
Fortify Audit Assistant Applies Machine Learning to Identify the Vulnerabilities Most Relevant to Your Organization
Components: Fortify Audit Analytics (training and prediction), Fortify Software Security Center (SSC), Fortify Audit Assistant.
Flow:
- Issues are audited in SSC; issues and auditor corrections are anonymized before submission, e.g. {"Analysis":"Issue","Analyzer":"Dataflow","Inputs":"8","Branches":"2"}
- Results are submitted to Fortify Audit Analytics for training.
- Prediction and confidence are returned for new issues (XSS, SQLi, NAI (Not an Issue), ... vuln X).
Benefits: focus on what counts, build accuracy, focus auditing, correct what is wrong, extend workflows, accelerate DevOps, remediate faster.
Demo: Jenkins Pipeline w/ Auto Predict (Audit Assistant)
Prioritization - External Mapping & Schema
- OWASP Top 10 2017
- DISA STIG CCI (Control Correlation Identifier)
- GDPR / PCI / MISRA
Convergence of Data Flow - Smart View: Efficient Auditing and Remediation
- Sort by folder, then group by any mapping, then by source, sink, or converged data flow.
- Quickly understand how multiple issues are related from a data-flow perspective.
- Apply Smart View filters to begin triaging or fixing issues at the most efficient point.
Convergence of Data Flow - Smart View: Efficient Auditing and Remediation
- Quickly advance through three levels of grouping.
- Tiles are dynamically sized based on the number of issues.
- The design works with large numbers of issues and is very performant.
- For auditors and developers.
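The Smart View grouping and "fix at the most efficient point" idea, as an added example that is not Fortify's Smart View implementation: each finding is modelled as the trace a dataflow analyzer reports, ordered source to sink; findings are grouped by source or by sink, and a greedy set cover picks the fewest nodes through which all open findings pass. The five findings and their node names are constructed, and the sink-side tie-break (a parameterized query or output encoding at the sink does not depend on finding every caller) is an assumption.

```python
"""Convergence of data flow: choose the fewest code locations at which a set
of dataflow findings can be fixed.

Added example, not Fortify's Smart View. Findings are constructed; the greedy
set-cover plan and its sink-side tie-break are assumptions.
"""
from collections import defaultdict

# Constructed findings: id -> trace of nodes from taint source to sink.
FINDINGS = {
    "I1": ["req.param('id')",    "UserDao.find",    "db.execute"],
    "I2": ["req.param('name')",  "UserDao.search",  "db.execute"],
    "I3": ["req.header('X-Id')", "AuditLog.lookup", "db.execute"],
    "I4": ["req.param('id')",    "Response.write"],
    "I5": ["req.param('id')",    "File.open"],
}


def group_by(findings, end):
    """Smart View style grouping; end is "source" or "sink"."""
    position = 0 if end == "source" else -1
    groups = defaultdict(list)
    for fid, trace in findings.items():
        groups[trace[position]].append(fid)
    return dict(groups)


def node_coverage(findings):
    """node -> set of finding ids whose trace passes through that node."""
    coverage = defaultdict(set)
    for fid, trace in findings.items():
        for node in trace:
            coverage[node].add(fid)
    return coverage


def sink_proximity(node, findings, covered):
    """Mean relative position of node in its traces: 0.0 at the source, 1.0 at the sink."""
    positions = []
    for fid in covered:
        trace = findings[fid]
        positions.append(trace.index(node) / max(len(trace) - 1, 1))
    return sum(positions) / len(positions)


def fix_plan(findings):
    """Greedy set cover: repeatedly pick the node that closes the most open findings.
    Ties go to the node nearest the sink (assumed preference, see lead-in)."""
    remaining = dict(findings)
    plan = []
    while remaining:
        coverage = node_coverage(remaining)
        best = max(coverage, key=lambda n: (len(coverage[n]),
                                            sink_proximity(n, remaining, coverage[n]), n))
        plan.append((best, sorted(coverage[best])))
        for fid in coverage[best]:
            del remaining[fid]
    return plan


if __name__ == "__main__":
    print("by sink:  ", group_by(FINDINGS, "sink"))
    print("by source:", group_by(FINDINGS, "source"))
    for node, fixed in fix_plan(FINDINGS):
        print(f"fix at {node:20} closes {len(fixed)} findings: {', '.join(fixed)}")
```

On the constructed data the plan is two fix points for five findings: the three SQL injection traces converge on db.execute, and the remaining two share the req.param('id') source. Grouping by source alone would have suggested validating that one parameter first, which covers three findings but leaves two database paths open; coverage of the remaining set, recomputed after each fix, is what keeps the plan short.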
Demo: AWB Smart View and Mapping Prioritization
Remediation of Security Issues
Remediating Security Issues
- Convergence of data flow across security issues
- Rule remediation guidance -> organization-specific remediation guidance by technology stack
- Contextually correct security training
Demo: Details / Recommendations / Training
Question & Answer