SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain AppSec DC 11.13.2009 Ed Bellis VP,...
![Page 1: SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain AppSec DC 11.13.2009 Ed Bellis VP, CISO Orbitz Worldwide ebellis@orbitz.com.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649d185503460f949ee048/html5/thumbnails/1.jpg)
SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain
AppSec DC 11.13.2009
Ed Bellis VP, CISO
Orbitz Worldwide
But First... some context
Orbitz.com
NWA Booking engine
Orbitz For Business
Cheaptickets
Away.com
eBookers
HotelClub
Traveler Care
GORP Travel
RBS Rewards
Southwest Hotels
Orbitzgames.com
Trip.com
msn.orbitz.com
AA Booking engine
Context Matters...
100’s of Endless Applications
1000’s of Servers
1000’s of Devices
100’s of DBs
Data Centers: multiple continents
Call Centers - follow the sun
...and on and on and on...
Context Matters... VA Tools
Application
Network & Host
Database
Remediation Tracking
Jira
Remedy
...and on and on and on...
A Proposed Solution: A Case Study
Using Standards to Automate, Correlate & Measure
Centralizing the Data: Overview
Workflow: A Simple Use Case
1. NVD feed is pulled in daily.
2. Whitehat connector runs on a predefined schedule.
3. Qualys connector runs on a predefined schedule.
4(a). Security Admin manages and modifies asset information discovered by VA tools (CPE). Note: Unexpected Benefit!
5. Vulnerability data is normalized and correlated across VA results utilizing CVE and WASC-TC. Vulns are scored using CVSS / WASC-TC plus Asset/CPE data.
6. Single click defect creation from Conduit to Jira.
7. Security defect is remediated by developer and closed in Jira.
8. Conduit issues re-test of vulnerability via Sentinel API.
9. If re-test returns clean, results are fed to Conduit and vulnerability is closed.
10. Metrics can be viewed and filtered via tags added through asset mgmt.
Metrics via Tag Lenses
Pre-Defined Vulnerability Metrics
Filtered by Asset Tags
Many-to-Many Tag/Asset Relationship
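As an added example, not Conduit's code and not anything shown in the talk, a small Python model of the workflow steps above (NVD pull, scanner ingestion, asset curation, normalization and scoring, tag-filtered metrics) and of the tag lenses slide. Two constructed scanner outputs are normalized to CVE and WASC-TC ids, correlated per asset so that repeated reports of the same issue collapse into one record, scored with the NVD CVSS base score plus asset context (tags and whether the asset's CPE actually matches the CPE the NVD entry names), and summarized through a tag filter. The asset names, CVE ids, tag weights and the severity-to-score mapping are all constructed placeholders.

```python
"""Added model of the slides' workflow (not Conduit's code): normalize
findings from a web-app scanner and a host scanner to CVE / WASC-TC ids,
correlate them per asset, score with CVSS plus asset context (tags, CPE),
and report metrics through asset-tag lenses. All records are constructed."""
from dataclasses import dataclass, field

# Step 1: stand-in for the daily NVD pull; CVE ids are placeholders.
NVD = {
    "CVE-0000-0001": {"cvss_base": 7.5, "cpe": "cpe:/a:apache:http_server:2.2.11"},
    "CVE-0000-0002": {"cvss_base": 4.3, "cpe": "cpe:/a:apache:http_server:2.2.11"},
}

# Step 4(a): admin-curated asset inventory, CPE plus free-form tags.
ASSETS = {
    "web01": {"cpe": "cpe:/a:apache:http_server:2.2.11", "tags": {"pci", "booking"}},
    "web02": {"cpe": "cpe:/a:apache:http_server:2.2.14", "tags": {"booking"}},
    "intranet": {"cpe": "cpe:/a:example:intranet:1.0", "tags": {"internal"}},
}

# Steps 2 and 3: raw findings in each scanner's own shape. The web-app scanner
# labels findings with a WASC Threat Class, the host scanner with a CVE.
# web01 is reported twice by each scanner, which correlation must collapse.
WEBAPP_RAW = [
    {"site": "web01", "wasc": "WASC-08", "name": "Cross-Site Scripting", "sev": 3},
    {"site": "web01", "wasc": "WASC-08", "name": "Cross-Site Scripting", "sev": 3},
    {"site": "intranet", "wasc": "WASC-19", "name": "SQL Injection", "sev": 4},
]
HOST_RAW = [
    {"host": "web01", "cve": "CVE-0000-0001"},
    {"host": "web01", "cve": "CVE-0000-0001"},
    {"host": "web02", "cve": "CVE-0000-0002"},
]

# Constructed mapping of the web-app scanner's 1..5 severity onto a 0..10
# scale: WASC-TC classifies a finding but, unlike CVSS, does not score it.
SEV_TO_SCORE = {1: 2.0, 2: 4.0, 3: 6.0, 4: 8.0, 5: 10.0}
# Constructed asset-context weights: tags that raise a finding's priority.
TAG_BONUS = {"pci": 2.0, "booking": 1.0}


@dataclass
class Vuln:
    asset: str
    std_id: str                  # CVE or WASC-TC id: the correlation key
    base_score: float            # CVSS base score or mapped scanner severity
    sources: set = field(default_factory=set)
    cpe_confirmed: bool = False  # NVD's affected CPE equals the asset's CPE

    @property
    def risk_score(self):
        """Step 5: base score plus asset context, capped at 10."""
        bonus = sum(TAG_BONUS.get(t, 0.0) for t in ASSETS[self.asset]["tags"])
        return min(10.0, round(self.base_score + bonus, 1))


def normalize_webapp(raw):
    return [Vuln(r["site"], r["wasc"], SEV_TO_SCORE[r["sev"]], {"webapp"})
            for r in raw]


def normalize_host(raw):
    out = []
    for r in raw:
        nvd = NVD[r["cve"]]
        confirmed = ASSETS[r["host"]]["cpe"] == nvd["cpe"]
        out.append(Vuln(r["host"], r["cve"], nvd["cvss_base"], {"host"}, confirmed))
    return out


def correlate(findings):
    """Merge findings that share (asset, standard id) and union their sources."""
    merged = {}
    for f in findings:
        key = (f.asset, f.std_id)
        if key in merged:
            merged[key].sources |= f.sources
        else:
            merged[key] = Vuln(f.asset, f.std_id, f.base_score,
                               set(f.sources), f.cpe_confirmed)
    return merged


def metrics(correlated, tag=None):
    """Step 10 / tag lenses: open count, worst risk score, and CVEs whose NVD
    CPE did not match the asset record, optionally restricted to one tag."""
    vulns = [v for v in correlated.values()
             if tag is None or tag in ASSETS[v.asset]["tags"]]
    return {
        "open": len(vulns),
        "max_risk": max((v.risk_score for v in vulns), default=0.0),
        "unconfirmed_cpe": sorted(v.std_id for v in vulns
                                  if v.std_id.startswith("CVE-") and not v.cpe_confirmed),
    }


if __name__ == "__main__":
    table = correlate(normalize_webapp(WEBAPP_RAW) + normalize_host(HOST_RAW))
    for (asset, std_id), v in sorted(table.items()):
        print(asset, std_id, v.risk_score, sorted(v.sources), v.cpe_confirmed)
    for lens in (None, "pci", "booking", "internal"):
        print(lens or "all", metrics(table, lens))
```

The `unconfirmed_cpe` list is the point of step 4(a) in miniature: a CVE reported against web02 whose NVD record names a different version than the curated asset record is either a scanner false positive or a stale inventory entry, and either way it is the security admin's queue, not the developer's.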
Wheel of Pain Revisited
The Standards
Today:
CPE: Common Platform Enumeration
CVE: Common Vulnerability Enumeration
CVSS: Common Vulnerability Scoring System
WASC-TC: Web Application Security Consortium Threat Class
Roadmap:
CCE: Common Configuration Enumeration
XCCDF: Extensible Configuration Checklist Description Format
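Added example, not from the talk: the two "Today" standards that carry machine-readable structure, CPE 2.2 URIs and CVSS v2 base vectors, worked in Python. CPE names are matched component by component as CPE 2.2 defines it (an unspecified component matches anything), and base scores use the CVSS v2 base equations, v2 being what NVD published in 2009. The inventory and NVD-style records are constructed and the CVE ids are placeholders.

```python
"""Added example (not from the talk): CPE 2.2 name matching and CVSS v2 base
scoring, then the join between an asset inventory and NVD-style records that
the workflow's step 5 relies on. Records and inventory are constructed."""

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(uri):
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version:update:edition:language)
    into its components; absent or empty components mean 'any' (None)."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(CPE_FIELDS):
        raise ValueError("too many components: %r" % uri)
    parts += [""] * (len(CPE_FIELDS) - len(parts))
    return {name: (value or None) for name, value in zip(CPE_FIELDS, parts)}


def cpe_matches(pattern, target):
    """True when every component that `pattern` specifies equals the same
    component of `target`; unspecified pattern components match anything."""
    p, t = parse_cpe(pattern), parse_cpe(target)
    return all(p[k] is None or p[k] == t[k] for k in CPE_FIELDS)


# CVSS v2 base metric weights, from the v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}    # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}     # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}    # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}   # C / I / A impact


def cvss2_base(vector):
    """CVSS v2 base score from a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P';
    NVD wraps the vector in parentheses, which are stripped."""
    m = dict(item.split(":") for item in vector.strip("()").split("/"))
    try:
        impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
        exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    except KeyError as e:
        raise ValueError("bad or missing metric %s in %r" % (e, vector))
    if impact == 0:
        return 0.0  # f(Impact) = 0: no impact means a zero base score
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


# Constructed NVD-style records: placeholder CVE ids, affected CPE, v2 vector.
NVD_RECORDS = [
    {"cve": "CVE-0000-0001", "cpe": "cpe:/a:apache:http_server:2.2.11",
     "vector": "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"},
    {"cve": "CVE-0000-0002", "cpe": "cpe:/a:apache:http_server",
     "vector": "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"},
    {"cve": "CVE-0000-0003", "cpe": "cpe:/o:example:server_os:2003",
     "vector": "(AV:N/AC:L/Au:N/C:C/I:C/A:C)"},
]
# Constructed asset inventory as a security admin would curate it in step 4(a).
INVENTORY = {
    "web01": "cpe:/a:apache:http_server:2.2.11",
    "web02": "cpe:/a:apache:http_server:2.2.14",
    "app01": "cpe:/a:example:booking_engine:1.0",
}


def applicable_cves(inventory, records):
    """For each asset, the (CVE, base score) pairs whose affected CPE matches
    the asset's CPE, highest score first: the CPE join behind step 5."""
    result = {}
    for asset, cpe in inventory.items():
        hits = [(r["cve"], cvss2_base(r["vector"]))
                for r in records if cpe_matches(r["cpe"], cpe)]
        result[asset] = sorted(hits, key=lambda hit: -hit[1])
    return result


if __name__ == "__main__":
    for asset, hits in applicable_cves(INVENTORY, NVD_RECORDS).items():
        print(asset, hits)
```

The version-less record (CVE-0000-0002) matches every Apache httpd asset, which is how NVD entries that name only a product behave; that is exactly the kind of over-broad match an admin-curated CPE inventory lets you spot and trim.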
Additional & Emerging SCAP Standards
OVAL: Open Vulnerability Assessment Language
Q&A
Email: ebellis@orbitz.com
Twitter: http://www.twitter.com/ebellis
More Info On SCAP: http://scap.nist.gov
More Info On Conduit: http://www.honeyapps.com