Application Security Weekly (Audio)
Navigating the Complexities of Application Security: Vulnerability Management, Risk Mitigation, and Business Logic Attacks - ASW #239
Tue May 02 2023
00:01 - 05:08
- Phones are backed up on the CVE Expressway due to passing 200,000 records last week.
- Major delays at the intersection of CI and CD due to an overturned truck carrying CVSS scores.
- There's major construction down at the infrastructure as code, but once you're past the on-ramp traffic is moving quickly.
- It's stop and go along C-Street due to memory safety activity, but they're opening up new lanes soon.
- No delays on I-239.
Interviews and News
00:01 - 05:08
- This week's episode features an interview with Francesco Cipollone about modern vulnerability management frameworks and how to focus on fixing what's important.
- Two interviews from last week's RSA conference will be shared instead of a news segment this week.
- Security Weekly is a show for security professionals by security professionals that covers DevOps, application security, and cloud security news.
Shift Left Approach
04:39 - 10:23
- Shift left approach brings security back as soon as possible.
- Security team lost control of where security was happening.
- Security is still responsible for security in the organization.
- Developers are suddenly responsible for fixing everything before code gets into production.
- Infosec needs to communicate risk to developers.
- Getting buy-in from the business is important to fix identified problems.
- Incremental approach around maturity is necessary for asset management and vulnerability management framework.
- Both shift left and shift right approaches need to be reported up and centralized up.
- Communication of risk is important with the business.
Communication in Risk Management
10:11 - 15:43
- Communication is key in risk management.
- Security is expanding and there needs to be communication with business owners and the board level.
- Business owners want to know what risks they are mitigating today, not just about vulnerabilities or SLAs.
- Vulnerabilities are not risk; risk is how likely something is to manifest and it's driven by the likelihood of attack pattern of specific CVE or CVSS.
- Use risk because it's simple and we have the matrix out there. It reframes the conversation from technical terms to business terms.
- Reframing vulnerability management as risk management can help technical people talk to business people more effectively.
Fixing Vulnerabilities and Calculating Risk
15:23 - 21:09
- Fixing all vulnerabilities is a battle that you will never win and can lead to exhaustion quickly.
- Businesses need to consider the risks of not releasing a feature or fix versus fixing all vulnerabilities.
- Metrics used for measuring risk are often black and white, while businesses operate in shades of gray with varying levels of risk tolerance.
- Not every business wants to operate at the same level of risk; some are heavily regulated due to life being at stake.
- Measuring volume of vulnerabilities found and fixed is easy, but calculating risk requires a maturity model approach.
- Risk calculations require basic information such as how applications are put together, how systems are glued together, and assigning a probability of exploitation.
- There is data available to calculate likelihood and impact on an organization for specific vulnerabilities.
- Calculating risk is not hard if you have the right information.
- There is reluctance in using automatic calculation of risk versus human judgment due to psychological factors such as redundancy or fear that someone else could do their job better than them.
Risk and Perimeters
20:48 - 26:24
- Risk changes based on internal or external connection to the internet.
- Zero trust is important in establishing perimeters.
- Vulnerability management framework can help shift from one level of maturity to another.
- The framework includes discovery, prioritization, aggregation, resolution, process procedures, action and measurement.
- The same process applies to vulnerabilities in software, cloud, OS and traditional patching and infrastructure management.
- Discovery section involves scanning for code or operating system.
- Aggregation helps determine criticality levels of assets through metadata and queries.
- Risk calculation is more pragmatic than vulnerability calculation.
- Communicating risk to software engineers is more effective than communicating vulnerabilities alone.
- Developers care about what they need to hit their OKRs.
Developers and Security
26:11 - 31:39
- Developers need clear targets and priorities to focus on fixing bugs and developing features.
- Security engineers have more high-level conversations with product owners to set targets.
- Senior developers care about software quality and resilience, not just fixing individual bugs.
- OKRs and security metrics help ensure that security is not forgotten during crunch time.
- Automating vulnerability management can help with scalability and centralizing information for big data insights.
Centralizing Data and Innovation
31:20 - 37:09
- Centralizing data can help deploy big data insights and surgically upgrade libraries.
- Triage in detail is important, but it shouldn't bog down the AppSec team.
- The Phoenix Vulnerability Management Framework aims to change the status quo of AppSec teams burning out.
- Small steps towards innovation include centralizing data for vulnerability scanning, prioritization at scale, and creating an asset register.
- Asset registers can be created by aggregating security hub, GitHub, Azure Sentinel, co-pilot, and other scanning solutions.
- AWS has a good way to query for asset management but APIs are changing all the time.
- Bifurcation of AppSec into a governance angle or building guardrails is necessary.
- Developing a library requires making a business case.
Demonstrating Value and ROI
36:43 - 42:04
- Developing a library for controlled authentication can eliminate vulnerabilities.
- To make the case for security, ROI needs to be demonstrated through measurement and metrics.
- Bug bounty programs can help demonstrate the value of fixing vulnerabilities.
- The conversation between AppSec teams and developers should shift towards accepting risks instead of fixing every vulnerability.
- Data scientists may be needed in security to extract insights from data.
- Qualitative and pervasive security scanners provide a sea of data but no way to make sense of it all.
Data Science and Security
41:46 - 47:23
- Data science is a good direction to shift towards.
- A data scientist's job is to tell a story with pie charts and trending diagrams.
- Start with basic stuff and demonstrate value in five or six projects to get buy-in from the business.
- The vulnerability management framework helps aggregate and prioritize data.
- Completing all quests in each maturity level isn't necessary, but it's up to you how far you want to be on the maturity level scale.
- Excel can still be used even at higher levels of maturity.
- SLAs are quick and easy to measure, but we became too reliant on them as the Bible of every security policy.
Application Security and Vulnerability Management
46:57 - 52:28
- SLA is a data point that can be used to create us.
- Different SLAs tell different stories about vulnerabilities.
- Mean time to resolution and mean time to open are also important data points.
- Using multiple data points together creates a more controlled and powerful way of managing risk.
- Regulations are driving the need for better control of security programs.
- AppSec in three words: beautiful, chaotic, sales-love-it.
- The vulnerability management framework can be found on phoenix.security/vulnerability-management-framework.
- Join the vulnerability management SIG on OWASP's Slack channel to discuss everything related to vulnerability management.
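The reframing above (a CVSS score is not a risk; risk is probability of exploitation times impact on the asset, adjusted for internet exposure) and the measurement bullets (SLAs, mean time to resolution) are illustrated by this added example; it is not code from the podcast or from Phoenix Security, and the asset register, findings, CVE placeholders and SLA thresholds are all constructed for the demo.

```python
from datetime import date
from statistics import mean

TODAY = date(2023, 5, 2)  # constructed reporting date for SLA ageing

# Constructed asset register: criticality comes from aggregated metadata,
# exposure records whether the asset is reachable from the internet.
ASSETS = {
    "payments-api": {"criticality": 5, "internet_facing": True},
    "internal-wiki": {"criticality": 2, "internet_facing": False},
}

# Constructed findings as aggregated from several scanners (CVE ids are placeholders).
FINDINGS = [
    {"asset": "payments-api", "cve": "CVE-XXXX-0001", "cvss": 9.8, "p_exploit": 0.6,
     "opened": date(2023, 4, 1), "closed": date(2023, 4, 8)},
    {"asset": "internal-wiki", "cve": "CVE-XXXX-0002", "cvss": 9.8, "p_exploit": 0.6,
     "opened": date(2023, 4, 1), "closed": None},
    {"asset": "payments-api", "cve": "CVE-XXXX-0003", "cvss": 5.3, "p_exploit": 0.3,
     "opened": date(2023, 3, 20), "closed": date(2023, 4, 15)},
]

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity(cvss):
    """Map a CVSS base score to the SLA bucket it falls in."""
    return "critical" if cvss >= 9.0 else "high" if cvss >= 7.0 else "medium" if cvss >= 4.0 else "low"


def risk(finding):
    """Likelihood x impact: exploit probability, discounted for non-exposed assets, times criticality."""
    asset = ASSETS[finding["asset"]]
    likelihood = finding["p_exploit"] * (1.0 if asset["internet_facing"] else 0.25)
    impact = asset["criticality"] / 5
    return round(likelihood * impact, 3)


def prioritise(findings):
    """Order work by risk, so two identical CVSS 9.8 findings no longer look equally urgent."""
    return sorted(findings, key=risk, reverse=True)


def sla_breaches(findings, today):
    """CVE ids whose open (or total) age exceeds the SLA for their severity."""
    return [f["cve"] for f in findings
            if ((f["closed"] or today) - f["opened"]).days > SLA_DAYS[severity(f["cvss"])]]


def mttr_days(findings):
    """Mean time to resolution over closed findings only."""
    return mean((f["closed"] - f["opened"]).days for f in findings if f["closed"])
```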
Insights from Application Security Indicator Report
52:02 - 57:36
- The Security Weekly News is a podcast that provides insights on major stories in the industry.
- Invicti, a zero noise application security platform, helps dev, sec and ops teams work together to secure every website, web app and API.
- Patrick Vandenberg, director of product at Invicti Security, discusses the company's application security indicator report.
- The report indicates that scanning frequency has increased while severe vulnerabilities have decreased for the first time.
- Scanning more frequently leads to finding more vulnerabilities which ultimately leads to better collaboration between security and development teams.
- Developers get better at remediation with more practice and recognition of vulnerabilities.
Automating Scanning and Collaboration
57:09 - 1:02:35
- Automating scanning back into the CI/CD pipeline can reduce friction between AppSec and Dev in fast-paced development release cycles.
- Shifting DAST scanning further left in the initial cycle can help developers get a functional check on the security side of things.
- Shift right to continuous monitoring can help get a weekly or daily check on web assets, which is changing rapidly.
- Collaboration between AppSec and development organization is necessary for success.
- Manufacturing industry has about 3X scanning rates of other industries due to pandemic and going digital.
- Applying security for supply chain functionality in the digital spectrum is important.
Scanning Rates and Vulnerability Trends
57:09 - 1:02:35
- Manufacturing had 3X scanning rates of other industries.
- Pandemic led to a rush to expose supply chain functionality into the digital spectrum.
- Subset of manufacturing customers adopted scanning and CI/CD pipeline.
- 19% down tick in severe vulnerabilities seen in the report.
- Adopting automated testing can help catch up quickly.
- Seven industries had a four-year steady annual increase in their scanning activity, indicating they are on the right track.
- Prevalence of mediums and lows are high because nobody's paying attention to it.
- Remote code execution has low prevalence but has increased every year for four years, which is worth noting and paying attention to.
- 'Business logic' attacks tend to be very focused on the specific weaknesses of the logic of the application.
Business Logic Attacks and API Security
1:07:01 - 1:11:24
- Business logic attacks are very focused on the specific weaknesses of the logic of the application.
- Attackers have to surveil and understand the application, map it out, and understand how data traverses the app.
- Developers tend not to be very good at security.
- Applications have vulnerabilities that need to be defended against.
- APIs are a fertile ground for attacks because they bypass traditional web app mitigations and provide access to different types of data.
- Last year alone, 17% of attacks against APIs were business logic attacks.
API Attacks and Evasive Bots
1:11:01 - 1:15:39
- 17% of attacks against APIs were business logic attacks last year.
- Another 22% were some sort of automated attack.
- Mobile apps can be backed by APIs, and attackers can grab the secrets out of poorly designed mobile apps.
- Botnet and hacker attacks on mobile browser emulation are growing quickly due to obfuscation technology put in place to protect privacy.
- It's much harder to detect headless browsers and mobile agents than humans, making bot detection increasingly difficult.
- 60% of all application access is now over mobile devices.
- Web application firewalls provide a platform for managing protocols, with more specific aspects of the application and business logic components residing on top of that.
- Developers need to test and validate their applications before writing code. Test-driven development is a good principle to follow.
- Compliance side API security involves detecting changes in APIs, blocking invalid policies, building a test platform for developers to run against, and validating conformance.
Evasive Bots and Security Measures
1:15:20 - 1:19:54
- Build a test platform for developers to validate APIs, schemas, endpoints and data.
- Avoid blocking progress and stopping business by inserting into developer's workflow with low or no friction.
- Changes in underlying technology create opportunities for flaws due to ignorance of how it works.
- Bad bot growth is about 30% of the traffic on the internet.
- Rise of attacks against business logic and API exploits have gone up massively.
- Evasive bots are trying to emulate human behaviors with mouse moves and rotating IP addresses.
- Sophistication of evasive bots is expected to go up significantly due to generative AI systems that can learn quickly.
Generative AI Systems and Bot Detection
1:19:24 - 1:20:43
- Generative AI systems can learn quickly and piece things together, making it difficult to develop mechanisms that can proactively block them.
- CAPTCHAs are becoming useless and will likely be replaced by waiting rooms or other measures.
- There are no other mechanisms to check if someone is human or a bot.
- The interviewee has not been evasive on any questions.