OSSAMS -Security Testing Automation and Reporting

Similar documents
CSC 5930/9010 Offensive Security: OSINT

Chapter 5: Vulnerability Analysis

Securing Your Company s Web Presence

Cross Platform Penetration Testing Suite

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Vulnerability Management. If you only budget for one project this year...

Vulnerability Validation Tutorial

RiskSense Attack Surface Validation for Web Applications

Offensive Technologies

ScienceDirect. Vulnerability Assessment & Penetration Testing as a Cyber Defence Technology

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Penetration testing using Kali Linux - Network Discovery

What you Need to Know About Security Vulnerability Assessments that no one is willing to share

A D V I S O R Y S E R V I C E S. Web Application Assessment

CSWAE Certified Secure Web Application Engineer

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

Certified Secure Web Application Engineer

A Model for Penetration Testing

Tools For Vulnerability Scanning and Penetration Testing

Security Solution. Web Application

Network Security Assessment

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

DefectDojo. The Good, the Bad and the Ugly. OWASP Stammtisch Hamburg Tilmann Haak Manuel Schneider

Certified Vulnerability Assessor

Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions

TexSaw Penetration Te st in g

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

CPTE: Certified Penetration Testing Engineer

Coding for Penetration

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET

Direct Log Archiver Configuration Guide Version 8.x

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

OWASP Broken Web Application Project. When Bad Web Apps are Good

CoreMax Consulting s Cyber Security Roadmap

Web Application Penetration Testing

VULNERABILITY ASSESSMENT: SYSTEM AND NETWORK PENETRATION TESTING. Presented by: John O. Adeika Student ID:

Testing from the Cloud: Is the sky falling?

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Presentation Overview

Testing from the Cloud: Is the sky falling?

Introduction to Network Discovery and Identity

Terms, Methodology, Preparation, Obstacles, and Pitfalls. Vulnerability Assessment Course

Security!Maturity Oc O t c o t b o er r 20 2, 0,

Introduction to Network Discovery and Identity

CAMSCANNER TURN YOUR PHONE AND TABLET INTO SCANNER FOR

Introduction to Penetration Testing: Part One. Eugene Davis UAH Information Security Club February 21, 2013

Hybrid 2.0 In search of the holy grail

Web Applications Penetration Testing

the SWIFT Customer Security

Evaluating Website Security with Penetration Testing Methodology

Navigating the River of Woe to EPIC Vulnerability Assessments

Vulnerabilities. To know your Enemy, you must become your Enemy. Information security: Vulnerabilities & attacks threats. difficult.

My name is Jesus Abelarde and I am Lead Systems Security Engineer for the MITRE Corporation. I currently work on multiple engineering domains that

Security Solutions. Overview. Business Needs

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Business Risk Management

Cyber Hygiene: Uncool but necessary. Automate Endpoint Patching to Mitigate Security Risks

INNOV-09 How to Keep Hackers Out of your Web Application

Bypassing Web Application Firewalls

Integrigy Consulting Overview

Additional Security Services on AWS

Tenable SCAP Standards Declarations. June 4, 2015 (Revision 11)

During security audits, over 15,000 vulnerability assessments are made, scanning the network IP by IP.

Trustwave Managed Security Testing

hidden vulnerabilities

WHITE PAPER. Best Practices for Web Application Firewall Management

IBM Security AppScan Enterprise v9.0.1 Importing Issues from Third Party Scanners

GFI product comparison: GFI LanGuard 12 vs Microsoft Windows Intune (February 2015 Release)

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

IBM Internet Security Systems Proventia Management SiteProtector

GOING WHERE NO WAFS HAVE GONE BEFORE

NETWORK PENETRATION TESTING

Change Management: DYNAMIC NETWORK MAPPING. LinuxWorld San Francisco Security Track. Presented by Joshua D. Abraham.

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Coding for Penetration Testers Building Better Tools

Think Like an Attacker

BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION

Information Security Keeping Up With DevOps

Host Hardening Achieve or Avoid. Nilesh Kapoor Auckland 2016

Metricon 06. Leading Indicators in Information security. John Nye August 1, 2006

IBM Proventia Network Enterprise Scanner

ECCouncil Exam v8 Certified Ethical Hacker v8 Exam Version: 7.0 [ Total Questions: 357 ]

Scan Report Executive Summary. Part 2. Component Compliance Summary IP Address :

Multi-Post XSRF Web App Exploitation, total pwnage

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

CompTIA. PT0-001 EXAM CompTIA PenTest+ Certification Exam Product: Demo. m/

How to construct a sustainable vulnerability management program

INF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi

A Samurai-WTF intro to the Zed Attack Proxy

ForeScout Extended Module for Palo Alto Networks Next Generation Firewall

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Penetration testing.

Certification Report

Application Security Approach

FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.1

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

De-risk Your Applications. SUBSCRIBE TO EVRY S SECURITY TESTING AS A SERVICE (STaaS) TODAY!

Quick Lockdown Guide. Firmware 6.4

Transcription:

OSSAMS -Security Testing Automation and Reporting Adrien de Beaupré Intru-Shun.ca Inc. SANS Internet Storm Center Handler SecTor 2011, 19 October 2011

Agenda Definitions Methodology Workflow Reporting Problems Solutions Conclusion 2

Definitions Vulnerability -flaw or weakness in a system that can be exploited. Security audit -assess the adequacy of controls and evaluate compliance. Vulnerability assessment -description and analysis of vulnerabilities in a system. Penetration testing -circumvent the security features of a system. 3

Testing Every test consists of a stimulus and response, and monitoring to verify the response, or lack thereof. Testing consists of modules. Each module has an input and an output. You must monitor closely for responses. Testing must be appropriate to the target. Testing is of limited value if nothing is fixed. 4

Methodology Logistics and Planning Open Source Information Gathering Reconnaissance Identification / Enumeration Research Vulnerability Identification Validation / Exploitation Reporting 5

Open Source Info Purpose: gathering information on the target organization, typically from the Internet. Inputs: organization name, URL, IP addresses or ranges, industry or organization type. Outputs: URLs, IP addresses or ranges, email addresses, buzz, technologies used, resumes, names, host names Data types: text, graphics, statistics 6

Reconnaissance Purpose: determine which systems are live and map the network/technology. Inputs: URLs, IP addresses or ranges. Outputs: Whois, DNS, IP addresses or host names of systems which are likely to be live Tools: Ping, Nmap, Ike-scan, Fierce Doman Scanner, traceroute, ICMP Data types: text files, XML files 7

Identification / Enumeration Purpose: enumerate the systems that are live, determine open ports, listening services, map applications, operating systems, and versions. Inputs: systems known to be live/available. Outputs: ports, services, OS, versions, patches. Tools: Nmap, Amap, Ike-scan, Nessus Data types: text files, XML files 8

Research Purpose: list all potential vulnerabilities. Inputs: technologies in use. Outputs: list of potential vulnerabilities. Tools: vulnerability databases, search engines Data types: text files, XML files, databases 9

Vulnerability Identification Purpose: identify known or unknown vulnerabilities in the identified technologies. Inputs: IP addresses, ports, services, applications. Outputs: listing of potential vulnerabilities. Tools: scanners such as Nessus, NexPose, Burp, W3AF, ZAP Data types: text files, XML files, databases 10

Validation / Exploitation Purpose: assign a confidence value and validate potential vulnerabilities. Have FUN!! Inputs: listing of all potential vulnerabilities. Outputs: listing of validated vulnerabilities and confidence rating values. Tools: penetration testing (Metasploit, Core Impact, Canvas ), manual validation, fuzzers Outputs: text files, graphics, XML files, database entries, databases... 11

Reporting Purpose: assign risk and priority ratings to confirmed vulnerabilities. Inputs: list of validated vulnerabilities. Outputs: analysis results. Tools: people brain power. Outputs: text files, database entries, documents... Wordsmithing. 12

Why Automate? Laziness. Consistent results over time. Allows for scheduling and trending. Streamlined and more efficient. Engineering a process that can be run and maintained by an operational group. Allows the test team to concentrate on the areas that are not automated. 13

Requirements Process follow consistent repeatable methodology. Scriptable typically Linux CLI tools. Tool result that can be parsed. Database for correlation and reporting. Correlated multiple sources of data. Analyzed intelligent human analysis. Mitigation how to respond, recommendations. Metrics quantitative, measurable, trends. Severity rating system. 14

Workflow Methodology is broken down into modules. Output from one is the input to the next. Unfortunately most tools do not follow the methodology flow precisely, or may not allow for data extraction between modules. Which means that either we must run each tool multiple times with different configurations, or different tools for each module. 15

Workflow Output from module > database import Database queries > inputs to next module Reporting module > ticketing Tickets > vulnerability management and mitigation Close the loop back to the test team process Re-test where necessary 16

Problem Individual tools do not always follow a methodology and do not always allow for sufficiently granular control. No one tool can perform all modules. Methodology requires use of multiple tools. Each tool may have a different output format or use a proprietary database. Correlation and analysis can be time consuming. 17

What is Missing Security Assessments collect a lot of data, but don t always correlate the data. To properly identify risk and threats, correlation of collected data is necessary. Correlation between different tools is essential! Marking false positives, adding manual findings, and annotating is also required. Current systems Extremely Expensive. 18

Solutions Single unified and normalized database schema for all security assessment tools. Obviously requires that such a schema exist! Requires a parser for each tool we use. This allows us to create an abstract layer between the tools and the common database, while still allowing us to enforce the methodology regardless of the tools used. 19

OSSAMS Open Source Security Assessment Management System www.ossams.com A framework for security assessors to correlate and analyze risk to information systems. Streamlines the assessment reporting process. A modular process that builds on past assessments. 20

Database Design One of the key aspects of OSSAMS is the database design. It is capable of having any number of tool outputs as an input. Currently using MySQL on Linux with Python, PowerShell, or Perl scripts to parse outputs. A front-end will be designed in addition to CLI. It is flexible, extensible, and Open Source. 21

19/07/2011 Intru-Shun.ca Inc. 22

Parsing Scripts Main function Read configuration function Database access function Read a list of files Read a directory of files Parsing XML, HML, or text file function Insert function Return 23

Tooloutput For every tool there are outputs. An output file, typically an XML file, will describe what the tool has discovered from the target domain, subnet, system, host, or application). Tooloutputnumber- Primary Key, autoincrement. Projectname, Projectid, Toolname, Filename, Filedate, Tooldate, Version, OSSAMSversion, Scanner, Inputtimestamp. 24

Configuration For every TOOLOUTPUT it may contain configuration information about the tool. Its primary key is configurationnumber, which is an auto-increment. Configurationtype, Configurationoptionname, Configurationoptionvalue 25

Hosts A toolout may describe none, one, or more hosts (computers or network devices). Its primary key is hostnumber, which is an autoincrement. Hostproperty, Hostvalue, ipv4, ipv6, Hostname, Hostptr, Whois, Recon, Reconreason, Hostcriticality, Macaddress, Macvendor, Hostnotes, Hostos, Osgen, Osfamily. 26

Ports A host may have none, one, or more ports open. This table contains information about ports (open, filtered, or closed). Its primary key is portsnumber, which is an autoincrement. Protocol, Portnumber, Portstate, Reason, Portbanner, Portversion, Portname, Service, Method, Confidence, Portvalue. 19/07/2011 27

Vulnerabilities A host, port, or application may have none, one, or more vulnerabilities associated with it. Its primary key is vulnerabilitynumber, which is an auto-increment. Vulnerabilityid, Vulnerabilityseverity, Vulnerabilityrisk, Vulnerabilityconf, Falsepositive, Vulnerabilityname, Vulnerabilitydescription, Vulnerabilitysolution, Vulnerabilitydetails, Vulnerabilityextra, Vulnerabilityvalidation, Vulnerabilitynotes, Vulnerabilityattribute, Vulnerabilityvalue, Vulnerabilityuri, Httprequest, Httpresponse, Httpparam. 19/07/2011 28

Refs A vulnerability may have none, one, or more references associated with it. A reference can be a link to a web site, a database entry (such as SecurityFous bid, OSVDB, Secunia, CVE, CCE, CWE, ). Referencetype -Type reference (URI, OSVDB, CVE ) Referencevalue Value of the reference. 19/07/2011 29

Other Objects Particularly for internal and/or authenticated scanning. Subnets: a host may be part of a subnet. Domains: a host may be part of a domain. Groups: a host or domain may group objects. Users: a host or domain may contain users. 19/07/2011 30

Supported tools Completed: acunetix, burp, grendel, nessus, netsparker, nexpose community, nikto, nmap, ratproxy, retina community, skipfish, sslscan, w3af, wapiti, watcher, websecurify, zap. Roadmap: arachni, core impact, fierce, httprint, iss, languard, metasploit, ncircle, nexpose, n-stalker, ntospider, openvas, proxystrike, retina, saint, sandcat, webcruiser, webinspect, wsfuzzer 31

Demo A brief demo of the parsing script and database use. Also briefly discuss the roadmap for OSSAMS: Finalize the database design and parser scripts. Reporting templates. Query database for module tool input. OSSTMM RAVs. OWASP. Other methodologies/frameworks. Work on tool data interchange format. Get more people involved!! 32

Conclusions The key is not running the scanners, but analysis, methodology, correlation, documentation, and problem solving. Organizations can automate security testing and reporting processes, particularly consultants and enterprises. The key is analysis and database utilization. These can be built using Free / Open Source Software tools and/or commercial offerings. Should be done with proper planning, tools, methodology, processes, and expertise. 33

QUESTIONS? ADRIEN@INTRU-SHUN.CA THANK YOU! 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback