Mitigating Vulnerabilities Lucas von Stockhausen, Senior Product - - PowerPoint PPT Presentation



SLIDE 1

#MicroFocusCyberSummit

Prioritizing Risk Relative to Mitigating Vulnerabilities

Lucas von Stockhausen, Senior Product Manager & Application Security Strategist
Jimmy Rabon, Senior Product Manager

SLIDE 2

Understanding Risk Relative to Remediation

  • Security testing tools provide you knowledge of potential vulnerabilities in your application
  • Any successful app sec program must be able to intelligently calculate what that risk means to their business
  • We will demonstrate how to calculate this risk effectively, at scale, and provide best practices with regards to actually fixing these issues
  • It’s not what you found that an application security program is judged by. It’s what you did with that information and how effectively it was used.

SLIDE 3

Agenda

Prioritization of Security Issues

  • Risk profiling your application inventory
  • Leveraging Issue Impact + Likelihood at scale
  • Using auditor decisions to predict future vulnerabilities w/ Audit Assistant

Remediation of Security Issues

  • Understanding the convergence of dataflow for static analysis issues
  • Utilizing industry and organization best practices with regards to fixing issues
  • Implementing an internal mapping to share best practices throughout your organization

Q&A

SLIDE 4

What’s New & Wrong with Apps?

SLIDE 5

Applications Have Become the De Facto Interface for all Businesses

Application development became a competitive differentiator. Mobile apps are no longer just for banking, telco or tech!

SLIDE 6

Modern Needs for Business Require Faster and More Function Packed Releases

Source: https://medium.com/data-ops/how-software-teams-accelerated-average-release-frequency-from-three-weeks-to-three-minutes-d2aaa9cca918

Average Software Release Cycle:
  • 2010: 12 months
  • 2017: 3 weeks
  • 2020 (anticipated): 3 minutes (?)

SLIDE 7

More Applications + Faster Releases = More Vulnerabilities + Less Time to Detect

SLIDE 8

Prioritization of Security Issues

SLIDE 9

Risk Profile of Your Application Inventory

  • Application Accessibility
    • Internal
    • External
  • Sensitivity of Data
    • PII / Financial / IP / etc.
  • Compliance Obligation
    • PCI / GDPR / MAS / etc.
  • Business IMPACT of breach
    • Financial damage
    • Reputation damage
    • Non-compliance
    • Privacy Violation

SLIDE 10

Discover The Attack Surface

Understanding your application portfolio is the first step to securing it

Process: Discovery -> Verification -> Risk profile

Our Process, for all customers: complimentary annual discovery

SLIDE 11

Why Not CVSS

  • The Common Vulnerability Scoring System (CVSS) focuses on describing vulnerabilities in deployed products or services so that administrators can decide how to react.
  • Shortcomings:
    • CVSS is extremely sensitive to, and in many cases dependent on, qualitative information provided by a human reviewer.
    • It cannot provide an aggregate score for a set of vulnerabilities.
    • Methods that require a human to estimate every finding are limited when the number of findings is large and the intended audience is small.

SLIDE 12

Security Issue – Impact and Likelihood

Risk matrix (axes: Impact, Likelihood):
  • Critical: High Impact / High Likelihood
  • High: High Impact / Low Likelihood
  • Medium: Low Impact / High Likelihood
  • Low: Low Impact / Low Likelihood

Risk = Impact and Likelihood

Impact is the negative outcome resulting from a vulnerability. Likelihood is the probability that the impact will come to pass.
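The following is an added worked example, not code from the presentation or from Fortify. It rates each finding on the four-cell Impact/Likelihood matrix above, weights it by the application's risk profile from the "Risk Profile of Your Application Inventory" slide (accessibility, data sensitivity, compliance obligation), and rolls the findings up into one aggregate score per application, the per-set aggregation that the "Why Not CVSS" slide points out CVSS does not provide. The 0..10 axis scale, the threshold of 5, every weight and the sample inventory are constructed assumptions for illustration.

```python
"""Worked example added for this page (not from the presentation or from
Fortify): rate findings on the Impact/Likelihood matrix, scale them by an
application's risk profile, and roll them up to one score per application.
All weights, thresholds and sample data below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppProfile:
    """Risk profile of one application in the inventory."""
    name: str
    external: bool            # Application Accessibility: External or Internal
    data_classes: frozenset   # Sensitivity of Data, e.g. {"PII", "Financial", "IP"}
    compliance: frozenset     # Compliance Obligation, e.g. {"PCI", "GDPR", "MAS"}


@dataclass(frozen=True)
class Finding:
    """One issue reported by a testing tool, scored 0..10 on each axis."""
    category: str
    impact: int       # negative outcome if the vulnerability is exploited
    likelihood: int   # probability that the impact comes to pass


RATINGS = ("Low", "Medium", "High", "Critical")
HIGH = 5  # constructed threshold: a value >= HIGH counts as "High" on either axis


def rate(impact, likelihood):
    """Map a finding onto the four cells of the Impact/Likelihood matrix."""
    for value in (impact, likelihood):
        if not 0 <= value <= 10:
            raise ValueError(f"axis value out of range: {value}")
    high_impact, high_likelihood = impact >= HIGH, likelihood >= HIGH
    if high_impact and high_likelihood:
        return "Critical"
    if high_impact:
        return "High"
    if high_likelihood:
        return "Medium"
    return "Low"


def profile_weight(app):
    """Turn the application's risk profile into a multiplier (constructed weights)."""
    weight = 1.0
    if app.external:
        weight += 0.5                       # reachable from the internet
    weight += 0.25 * len(app.data_classes)  # each sensitive data class raises the stakes
    weight += 0.25 * len(app.compliance)    # each regime adds non-compliance exposure
    return weight


def aggregate(app, findings):
    """Aggregate score for a whole set of findings on one application."""
    counts = {r: 0 for r in RATINGS}
    raw = 0
    for f in findings:
        counts[rate(f.impact, f.likelihood)] += 1
        raw += f.impact * f.likelihood      # Risk = Impact and Likelihood
    return {"app": app.name, "counts": counts, "score": raw * profile_weight(app)}


def prioritize(inventory):
    """Order (app, findings) pairs so the riskiest application is fixed first."""
    return sorted((aggregate(app, fs) for app, fs in inventory),
                  key=lambda r: r["score"], reverse=True)


# Constructed sample inventory: an internet-facing portal and an internal HR tool.
PORTAL = AppProfile("customer-portal", True,
                    frozenset({"PII", "Financial"}), frozenset({"PCI", "GDPR"}))
INTRANET = AppProfile("hr-intranet", False, frozenset({"PII"}), frozenset())
SAMPLE = [
    (PORTAL, [Finding("SQL Injection", 9, 8),
              Finding("Cross-Site Scripting", 4, 9),
              Finding("System Information Leak", 2, 3)]),
    (INTRANET, [Finding("SQL Injection", 9, 3),
                Finding("Path Manipulation", 6, 6)]),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(f'{row["app"]:16} score={row["score"]:7.2f} {row["counts"]}')
```

Note that the same SQL Injection category lands in "Critical" on the portal and only in "High" on the intranet, because likelihood, not just the vulnerability class, drives the rating; the profile weight then decides which application's backlog is worked first.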

SLIDE 13

Star Rating – FoD

SLIDE 14

Using Machine Learning to Predict Vulnerabilities

Auto-train -> Auto-predict -> Auto-tag

  • Unaudited results enter SSC
  • Audited issues arrive in SSC
  • Audit Assistant derives anonymous issue metrics and securely sends them to scan analytics
  • Classifiers report verified vulnerabilities with up to 98% accuracy

SLIDE 15

Fortify Audit Assistant Applies Machine Learning to Identify the Vulnerabilities Most Relevant to Your Organization

[Diagram: Fortify Software Security Center exchanging data with Fortify Audit Analytics]
  • Training: meta1, meta2, ... per issue, labelled Issue / NAI / vuln X
  • Prediction: {"Analysis":"Issue","Analyzer":"Dataflow","Inputs":"8","Branches":"2"} (categories such as SQLi, XSS)
  • Corrections anonymized; Predictions
  • Results submitted; Issues anonymized
  • Issues are audited; Prediction & Confidence returned; Focus on what counts; Correct what is wrong

Fortify Audit Assistant: build accuracy, focus auditing, extend workflows, accelerate DevOps, remediate faster …

SLIDE 16

Demo:

Jenkins Pipeline w/ Auto Predict (Audit Assistant)

SLIDE 17

Prioritization - External Mapping & Schema

  • OWASP TOP 10 2017
  • DISA STIG CCI (Control Correlation Identifier)
  • GDPR / PCI / MISRA

SLIDE 18

Convergence of Data Flow – Smart View

Efficient Auditing and Remediation

  • Sort by Folder -> Then by Group By any mapping -> Then by Source OR Sink OR Converged Data Flow
  • Quickly understand how multiple issues are related from a data flow perspective
  • Apply Smart View filters to begin triaging or fixing issues at the most efficient point

SLIDE 19

Convergence of Data Flow – Smart View

Efficient Auditing and Remediation

  • Quickly advance through three levels of groupings
  • Tiles are dynamically sized based upon the number of issues
  • Design works with large amounts of issues and is very performant
  • For auditors and developers

SLIDE 20

Demo:

AWB Smart View and Mapping Prioritization

SLIDE 21

Remediation of Security Issues

SLIDE 22

Remediating Security Issues

  • Convergence of data flow across security issues
  • Rule Remediation Guidance -> Organizational Specific Remediation Guidance by Technology Stack
  • Contextually Correct Security Training

SLIDE 23

Demo:

Details / Recommendations / Training

SLIDE 24

Question & Answer

SLIDE 25

#MicroFocusCyberSummit