CONFIDENCE CONFERENCE
Analyzing Security Findings the Easy Way, 6 years later…
SECCUBUS
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Jul 28, 2015
Frank Breedijk
• Security Officer at Schuberg Philis
• (Official) Security dude since 2000
• Author of Seccubus
Coordinates:
• [email protected]
• https://www.linkedin.com/in/seccubus
• @Seccubus on Twitter
Glenn ten Cate
• Mission Critical Engineer Security at Schuberg Philis
• Security Dude
• Author of Security Knowledge Framework
Coordinates:
• gtencate@schubergphilis
• https://nl.linkedin.com/pub/glenn-ten-cate/3b/11a/117
WHO ARE WE?
Frustration
Being challenged
To make my life easier
WHY DID I START THE SECCUBUS PROJECT?
Y? a CC NC ND image by Tehmina Goskar https://www.flickr.com/photos/13114254@N00/119475590/
C. Lueless
Mission: Perform a bi-weekly vulnerability scan of all our public IP addresses
B. Rightlad
A STORY ABOUT TWO GUYS
These and all non-attributed photos of Frank Breedijk are taken by Jan Jacob Bos
Scanners are written for consultants, not operations
Scanners need to make a tradeoff between false positives and false negatives
Most scanners produce an awful lot of output
Scanning takes time, tools are poorly automated
WHAT IS C. LUELESS’ PROBLEM?
… THE SCAN RUNS AT NIGHT …
Image: Orion's Umbra, a CC NC image from jahdakinebrah's photostream
WHAT HAPPENED UNDER THE HOOD?
do-scan runs Nessus/scan, which drives Nessus
Nessus writes .nessus files
nessus2ivil converts the .nessus files into an IVIL file
load ivil imports the IVIL file into the database
Is the effort in balance with the benefit?
BALANCE
A fine balance, a CC NC ND image by Anish B George https://www.flickr.com/photos/22199070@N00/3311106984/
… THE SCAN RUNS AT NIGHT …
Image: Half Moon, a CC NC ND image from za3tooor's photostream
Don’t bother users with non-actionable findings
OK IS OK…
Woo, a CC NC SA image by Rick Harrison https://www.flickr.com/photos/81851211@N00/2682663297/
ANOTHER TWO WEEKS PASS…
Image: Cosas hechas, a CC ND image from srgblog's photostream
… THE SCAN RUNS AT NIGHT …
Image: Himalayan Moonrise, a CC NC ND image from swamysk's photostream
Monthly Seccubus runs mean:
Scans are scheduled via crontab
Only the findings that need attention get it
Fewer errors due to less repetitive work
The amount of effort is proportional to the amount of change
Risk is proportional to the amount of change
SO…
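The steps behind the "under the hood" slide and the compare step that lets only the findings that need attention get it, as an added example that is not Seccubus' own code: it parses two constructed Nessus v2 reports, keys each finding on host, port, protocol and plugin, classifies it as NEW, CHANGED, NO CHANGE or GONE by comparing the plugin output, and then hides unchanged findings the analyst already marked NO ISSUE or FALSE POSITIVE on an earlier run. The ReportHost/ReportItem/plugin_output element names are the real .nessus layout; the status vocabulary, the decision table and the sample findings are assumptions made for the illustration.

```python
"""Scan-to-scan delta analysis in the spirit of Seccubus (added example,
not Seccubus' own code). Two constructed Nessus v2 reports are parsed,
every finding is classified as NEW, CHANGED, NO CHANGE or GONE, and the
findings the analyst already closed are dropped so only actionable
findings remain. Status names and the decision table are assumptions."""
import xml.etree.ElementTree as ET

# Constructed sample reports (not real scan output). Element names follow
# the real .nessus v2 layout: ReportHost/ReportItem with plugin_output.
LAST_RUN = """<NessusClientData_v2><Report name="biweekly">
<ReportHost name="203.0.113.10">
 <ReportItem port="22" protocol="tcp" severity="0" pluginID="10267"
             pluginName="SSH Server Type and Version">
  <plugin_output>SSH version : SSH-2.0-OpenSSH_6.7</plugin_output>
 </ReportItem>
 <ReportItem port="443" protocol="tcp" severity="2" pluginID="51192"
             pluginName="SSL Certificate Cannot Be Trusted">
  <plugin_output>Chain ends in a self-signed certificate</plugin_output>
 </ReportItem>
 <ReportItem port="21" protocol="tcp" severity="3" pluginID="34324"
             pluginName="FTP Supports Cleartext Authentication">
  <plugin_output>This FTP server accepts cleartext logins</plugin_output>
 </ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

THIS_RUN = """<NessusClientData_v2><Report name="biweekly">
<ReportHost name="203.0.113.10">
 <ReportItem port="22" protocol="tcp" severity="0" pluginID="10267"
             pluginName="SSH Server Type and Version">
  <plugin_output>SSH version : SSH-2.0-OpenSSH_6.7</plugin_output>
 </ReportItem>
 <ReportItem port="443" protocol="tcp" severity="2" pluginID="51192"
             pluginName="SSL Certificate Cannot Be Trusted">
  <plugin_output>Certificate has expired</plugin_output>
 </ReportItem>
 <ReportItem port="8080" protocol="tcp" severity="3" pluginID="10386"
             pluginName="Web Server No 404 Error Code Check">
  <plugin_output>Server replies 200 for missing pages</plugin_output>
 </ReportItem>
</ReportHost></Report></NessusClientData_v2>"""


def parse_nessus(xml_text):
    """Return {(host, port, proto, plugin_id): finding} for one report."""
    findings = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            key = (host.get("name"), item.get("port"),
                   item.get("protocol"), item.get("pluginID"))
            output = item.findtext("plugin_output", default="").strip()
            findings[key] = {"name": item.get("pluginName"),
                             "severity": int(item.get("severity", "0")),
                             "output": output}
    return findings


def delta(last, this):
    """Classify every key seen in either run against the previous run."""
    result = {}
    for key in set(last) | set(this):
        if key in last and key in this:
            same = last[key]["output"] == this[key]["output"]
            result[key] = ("NO CHANGE" if same else "CHANGED", this[key])
        elif key in this:
            result[key] = ("NEW", this[key])
        else:
            result[key] = ("GONE", last[key])
    return result


def actionable(deltas, decisions):
    """'OK is OK': an unchanged finding already marked NO ISSUE or FALSE
    POSITIVE is not shown again. New, changed, gone and still-open
    findings are the ones that need attention."""
    closed = {"NO ISSUE", "FALSE POSITIVE"}
    todo = []
    for key, (status, finding) in sorted(deltas.items()):
        if status == "NO CHANGE" and decisions.get(key) in closed:
            continue
        todo.append((status, key, finding["name"]))
    return todo


# Analyst decisions recorded after the previous run (constructed).
DECISIONS = {
    ("203.0.113.10", "22", "tcp", "10267"): "NO ISSUE",
    ("203.0.113.10", "443", "tcp", "51192"): "NO ISSUE",
    ("203.0.113.10", "21", "tcp", "34324"): "OPEN",
}


def run_example():
    """Full pipeline: parse both runs, diff them, filter by decisions."""
    return actionable(delta(parse_nessus(LAST_RUN), parse_nessus(THIS_RUN)),
                      DECISIONS)


if __name__ == "__main__":
    for status, key, name in run_example():
        print(f"{status:10} {key[0]}:{key[1]}/{key[2]} {name}")
```

Of the four findings, only three reach the analyst: the SSH banner is unchanged and was already marked NO ISSUE, so it stays silent; the certificate finding was also NO ISSUE but its plugin output changed, so it comes back as CHANGED; the FTP finding is GONE and the port 8080 finding is NEW. The comparison key deliberately excludes severity and plugin name so that a rescored plugin does not masquerade as a new finding.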
COMPARE
Image: Apples & Oranges - They Don't Compare, a CC image from thebusybrain's photostream
ULTIMATE GOAL
Image: StuttgargoalRobin, a CC image from dankamminga's photostream
Name Seccubus chosen here at Confidence
Added new scanners: Medusa, SSLyze
Wrote a new GUI
SECCUBUS HAS EVOLVED
Intermediate Vulnerability Information Language
Intermediate format that allows tools to interface and exchange findings
A LITTLE IVIL GOES A LONG WAY
Image: EVIL a CC NC SA image from krazydad's photostream
It does not try to capture everything
It does not try to fit each case
The specification is not 63 pages
Simple to read
Simple to write
Simple to use
Simple License (MIT)
Easy to integrate new tools into Seccubus
IVIL
Joined Schuberg Philis 2 years ago
Main focus: Web Application Security
We need to integrate this into our pipeline
ENTER GLENN
Enter here, a CC NC ND image by Anne Petersen https://www.flickr.com/photos/60258967@N00/4183985730/
Breaches are moving from layer 3 to layer 7
There’s only so many security dudes to drive the tools
Integrate into continuous delivery
WHY?
Google’s web application security scanner
Open Source
Noisy
Not very subtle
Not production safe!
FIRST WIN: SKIPFISH
Skip w/ fish, a CC NC ND image by AlBakker https://www.flickr.com/photos/45213160@N00/206944920/
Open source
Like Burp but free (as in speech)
Actively developed and maintained
OWASP Flagship Project
SECOND WIN: OWASP ZAP
IEEE Scrum, a CC NC SA image by Jim Carson https://www.flickr.com/photos/44124442504@N01/2208956607/
Help developers write better code
Enable Security by Design
• Knowledge system for risk analysis
Code Securely
• Code examples
Check code before commit
• OWASP Application Security Verification Standard
Newly adopted as OWASP Project
SECURITY KNOWLEDGE FRAMEWORK
Moving Hacks, a CC NC SA image by Brian Sawyer https://www.flickr.com/photos/45609637@N00/229360390/
Coding
• Perl
• Angular
Requirements
• What do you want
Testers
• Challenge the quality of our crack ;)
Documentation
• Help us get new users
Users
SECCUBUS CAN USE YOUR HELP
Image: Hang On, a CC NC ND image from brraveheart's photostream
First public preview of new interface
SNEAK PREVIEW
"Celebs" a cc by nc sa licensed photo by Nick Sherman: http://flickr.com/photos/nicksherman/4145966095/
New user interface (RSN)
Start/schedule scans from the GUI
Integration with Security Knowledge Framework
Add user/rights management
Track issues as well as findings
Reporting
More???
ROADMAP
Albany NY 1950, a CC image by david https://www.flickr.com/photos/23465812@N00/6877290919/
www.seccubus.com
QUESTIONS
Image: What now?, a CC ND image from laurenclose's photostream