Transcribed

Cooking Tips To Craft A Super Powered Risk Assessment Program

COOKING TIPS FOR CRAFTING A SUPER-POWERED RISK ASSESSMENT PROGRAM

Traditional risk assessment techniques alone are often siloed and not effective enough to secure your enterprise. Network and application assessments each contribute to the overall security architecture of an organization, but by combining the two, enterprises can benefit exponentially, gaining increased visibility and responding more rapidly to vulnerabilities.

See Chris Wysopal (Veracode) and Gordon MacKay (Digital Defense Inc.) present on this topic at RSA: ASEC-W25, "SAST, DAST and Vulnerability Assessments: 1+1+1=4".

SETTING THE TABLE

What do these companies have in common? ExxonMobil, Heartland Payment Systems, BP, LinkedIn, Sony. BIG breaches, AND an application vulnerability was a critical weakness in all three: a SQL Injection vulnerability exposed to the internet was the vector used to penetrate the organizations.

• 3 different organizations
• 3 different attacker goals
• 1 vulnerability type

Why aren't traditional security measures working?

FIREWALLS - Firewalls don't block data moving to and from trusted computers. You trust your web servers. You trust your employees' desktops. They won't stop spear phishing or web app attacks.

ENCRYPTION - You encrypt data so it can't be snooped over the network or read from a stolen hard drive. Attackers access encrypted data through applications, posing as legitimate users.

ANTIVIRUS - Can only stop known malware. Attackers make brand new custom malware to attack you.

GET THE BEST INGREDIENTS

"[Good Eats is] really about making sense of ingredients." - Alton Brown, Food Network

Ingredient 1: Application Security

Application Security helps identify, fix and prevent security vulnerabilities in any kind of software application, no matter the function, language, or platform.

"Over 8 in 10 applications failed to pass against a zero tolerance policy for frequently exploited vulnerabilities such as Cross-site Scripting (XSS) and SQL Injection (root cause of countless enterprise breaches)." - State of Software Security, Volume 4

"Writing insecure code creates a system that is just as vulnerable as not using passwords, missing encryption, or neglecting to build any other security feature." - Chris Wysopal

Ingredient 2: SAST

Static analysis, also commonly called "white-box" testing, looks at applications in a non-runtime environment. This method of security testing has distinct advantages in that it can evaluate both web and non-web applications and, through advanced modeling, can detect flaws in the software's inputs and outputs that cannot be seen through dynamic web scanning alone.

Ingredient 3: DAST

Dynamic analysis security testing (DAST), or "black-box testing", empowers companies to identify and remediate security issues in their running web applications before hackers can exploit them. By dynamically testing web applications at run-time, a user inspects applications the same way a hacker would attack them, providing accurate and actionable vulnerability detection.

Ingredient 4: Vulnerability Assessment

"Vulnerabilities are the gateways by which threats are manifested." - SANS GIAC Security Essentials Training Manual

Vulnerability Assessments Assess Risk from the Outside In

• Risk is all about your perspective
• Risk = Threat x Vulnerability x Cost

"Within the context of network security, the items being assessed are computer networks, individual computers, or specific applications. The value of these items is gauged based upon their security weaknesses. In order to determine the value of these items, vulnerability assessors first identify the security vulnerabilities for these items and then secondly, classify them." - Brandon Shilling, Digital Defense Inc.

THE RIGHT MIX MAKES THE SWEETEST PIE

Application Testing: Application testing has the knowledge of vulnerabilities that network vulnerability scanners don't know about.

Network vulnerability scanner now knows:

• Where all the web applications are.
• If there are any host vulnerabilities.
• The criticality of assets the application has access to.

*Cover tightly and test repeatedly.

BY SELECTING THE BEST INGREDIENTS YOU GET THE BEST RESULTS

The right combination of network vulnerability scanning and application security testing results in more accurate risk assessments, improved vulnerability class coverage and increased environmental context. The ability to:

• see where application flaws are located in assets deployed in their computing networks, and
• determine if flaws introduced during the Software Development Life Cycle of an application have made it into a production network

will greatly improve the efficacy of organizations' security risk reduction efforts.

Pairs fantastically with SECURITY AWARENESS TRAINING.

Learn about SAST, DAST and Vulnerability Assessments in "1+1+1=4" at RSA Conference 2013 with Chris Wysopal and Gordon MacKay: Wednesday, February 27th, 1:00pm PT, Room 132. RSA Conference 2013, February 25 - March 1, San Francisco. See Veracode at RSA Booth #1342.

Veracode.com | 1-888-ZER-ODAY (937-0329)
© 2013 Veracode, Inc. All rights reserved. All other brand names, product names, or trademarks belong to their respective holders.
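As an added example (not part of the infographic and not either vendor's tooling), the Python below shows the "right mix" the infographic argues for: constructed application-testing findings are joined to a constructed network-scan inventory so each flaw inherits host location, host vulnerabilities and asset criticality, and is then scored with the page's Risk = Threat x Vulnerability x Cost. The hosts, URLs, weights and the exact scoring rule are assumptions.

```python
# Constructed network vulnerability scan results (hypothetical hosts):
# where the web apps live, host-level weaknesses, and asset criticality,
# which stands in for the "Cost" term of Risk = Threat x Vulnerability x Cost.
NETWORK_SCAN = {
    "10.0.1.10": {"web_apps": ["https://shop.example.test"],
                  "host_vulns": ["outdated-tls-library"], "criticality": 5},
    "10.0.1.20": {"web_apps": ["https://intranet.example.test"],
                  "host_vulns": [], "criticality": 2},
}

# Constructed application-testing (SAST/DAST) findings: flaw classes the
# network scanner alone cannot see. Severity is a 1-5 scale (assumed).
APP_FINDINGS = [
    {"app": "https://shop.example.test", "flaw": "SQL Injection", "severity": 5},
    {"app": "https://intranet.example.test", "flaw": "Cross-site Scripting", "severity": 3},
    {"app": "https://legacy.example.test", "flaw": "SQL Injection", "severity": 5},
]

# Assumed "Threat" weights per flaw class (how often the class is exploited).
THREAT_WEIGHT = {"SQL Injection": 5, "Cross-site Scripting": 3}


def locate_app(app):
    """Find which scanned host exposes the given web application, if any."""
    for host, info in NETWORK_SCAN.items():
        if app in info["web_apps"]:
            return host, info
    return None, None


def combined_risk(findings=APP_FINDINGS):
    """Score each app flaw with network context; rank highest risk first.

    Risk = Threat x Vulnerability x Cost, where Vulnerability combines the app
    flaw severity with the count of host vulnerabilities on the same asset
    (a weak host makes the flaw easier to pivot from), and Cost is criticality.
    """
    scored = []
    for f in findings:
        host, info = locate_app(f["app"])
        if host is None:
            # App scanner found a flaw on an asset the network scan never saw:
            # cannot be scored, but must be surfaced for inventory follow-up.
            scored.append({**f, "host": None, "risk": None, "note": "unknown asset"})
            continue
        vulnerability = f["severity"] + len(info["host_vulns"])
        risk = THREAT_WEIGHT[f["flaw"]] * vulnerability * info["criticality"]
        scored.append({**f, "host": host, "risk": risk, "note": ""})
    # Scored findings first, highest risk on top; unscored assets last.
    return sorted(scored, key=lambda r: (r["risk"] is None, -(r["risk"] or 0)))
```

Running combined_risk() ranks the SQL Injection on the critical shop host (score 150) above the XSS on the low-value intranet host (score 18), and lists the app missing from the network inventory separately.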

shared by genebernice on May 02
By combining these assessments, users get a super-powered risk assessment program; they are able to view not only the vulnerabilities present on the networked server, but the vulnerabilities introduce...

Publisher

Veracode

Tags

None.

Source

Unknown.

Category

Business