Risk - Medieval approaches to AppSec

By -
Vulnerability management involves a little more than finding security issues in code and/or hosting systems......I find that much of the industry does not understand that vulnerability management, penetration testing, threat detection, endpoint detection, malware prevention and even anti-virus services and tools are about managing risk.
Managing risk is about reducing it to a suitable level based on the cost of reducing it in the first place. There is no point in spending lots of time and effort on an issues which have little impact or which are very unlikely. Firstly what we want to to reduce the impact of the stuff which has a decent chance of occurring and would be a real pain in the ass if it happened, it would disrupt our business etc.
"A situation involving exposure to danger..."
So blindly throwing tools at a problem to help discover risks to your business is not going to work....but why??
  • Tools don't understand Risk: automated tools cannot give you an idea of risk. They find technical bugs wherein they manifest themselves into security vulnerabilities if they introduce the potential of risk. A tool does not understand what a risk is in the context of "a situation involving exposure to danger..." Tools find bugs. - Blessed are the tool makers whom hand craft the tools of the interweb to detect systems unworthy of the title "secure". - Nobody expects the Spanish inquisition!!
  • People will not understand Risk without understanding what is at Risk: So to understand a potential risk faced by a system the individual making the risk based decision needs to understand the system. The fact remains most security folks don't have time to understand what the system is/does and therefore cant apply a reflective relative risk assessment. - “The oldest and strongest emotion of mankind is fear, and the oldest and strongest kind of fear is fear of the unknown”
  • Tools may discover risk in a risky way!!: Many security assessment tools are not designed, out-of-the-box to be production safe. Production safe testing requires rule tuning such that detection of technical vulnerabilities does not invoke invasive or disruptive tests. We dont want our assessment methodology to damage our sick patient. - "Our chief weapon is surprise, fear and surprise; two chief weapons, fear, surprise, and ruthless efficiency! Er, among our chief weapons are: fear, surprise, ruthless efficiency, and near fanatical devotion.."
  • Risk Based approach - Really?? Wow!: All risk management is based on er, um Risk. If you hear someone talking about "A risk based approach when discussing Application security" ask them "what is the risk of of a kick in the ass?" Or "What other approaches are there?" - “A ship is always safe at the shore - but that is NOT what it is built for.”
Vulnerability is the state of being open to injury...
  • All vulnerabilities are not created equal: Bottom line is how open are you to the possibility of said injury? How bad can the injury be? We don't need to fix all the bugs just the ones that matter (and that which may injure the business or your clients). To understand "what matters" you need to understand the context of the issue. Tools alone can't do this, that's why we developed edgescan.com.....

Comments

Post a Comment

Popular posts from this blog

Edgescan, why we do what we do.....

By -
Image
  The cyber security industry is full of solutions to make you more secure. Some are unproven and other approaches work if deployed properly. Our industry is very fragmented. for example a recent "Cyber Defense" award I noticed has 195 categories!  I suppose we need to ask ourselves as companies from time to time why we do what we do?  So, the following post is, I guess, the reason we developed Edgescan and why we believe its a decent solution to help organizations improve and be more resilient in relation to cyber security and system protection.... Vulnerability scanning alone did not work. The idea of software testing software for vulnerabilities is a good one but both sides of the equation may have bugs. Bugs in one side (The target) may result in vulnerabilities, whilst bugs on the other side (Scanner) may result in false negatives and false positives.  Accuracy : To that end we built edgescan as a combination of automation to discover vulnerabilities at scale but  when c
Read more

20 years of Vulnerability Managment - Why we've failed and continue to do so.

By -
Image
Cyber Security: Keeping Pace with Change. Getting breached can really ruin your day. Actually it normally happens on a friday evening as you are about chill for the weekend. The cause of must breaches is not rocket science, its more to do with the poor approach we have accepted because we underestimate the threat actor.  - An attacker does not scan your website/network once a quarter with a commercial or open source scanner or perform an annual penetration test against your systems to see if there is any low hanging fruit, so how do we expect to defend against such an advisory using that approach? Systems change now more frequently than ever due to the ease of cloud deployments and the speed of software deployments due to iterative development techniques. The rate of change increase results in exposures quickly manifesting and the organisation not even being aware of the exposure in the first place. Many organisations dont know what they have exposed on the public Internet. We need t
Read more
By -
Image
The HSE Data Breach and the State of Irish Cyber Security Many years ago, shortly after I founded the Irish chapter of OWASP ( http://www.owasp.org ) (in 2007??) we were delivering free application and software development classes to anyone who wanted them. It was a local low key affair but every class we delivered was "sold out". We have 60-80 folks mostly developers willing to spend 4-5 hours on learning the fundamentals of secure application development and testing. I suppose we felt cyber security was an important issue because that's what we did. At the time many folks in business felt cyber security was an overhead or a "tax" and did not give it much time. A few years later (late 2010) when the the foundation of the NCSC (National Cyber Security Centre) was announced, a few of us (local OWASP Ireland leaders) wrote a number of emails to the Irish government offering free cyber security training. As we were working for a non profit (501.3c) charity (OWA
Read more