Monday, September 19, 2016

Monday, August 22, 2016

Dynamic Auto Assessment - Simple but effective

edgescan provides our clients with #fullstack security assessments but what does #fullstack mean?

#fullstack covers many layers of the OSI interconnectivity model.

From "the top down..."

Deep Coverage

Web Applications:

  1. Technical vulnerabilities (Injection attacks, scripting, error based attacks)
  2. Logical vulnerabilities
  3. Component Security (end-of-life components/plugins, insecure config)

Host Security:

  1. Patching
  2. Enabled services (Type, version, known vulnerabilities etc)
  3. Operating System Known vulnerabilities
  4. Weak protocols
  5. Weak configuration

So unlike many application-only or host-only assessment services, edgescan discovers more possible weaknesses, whether they result from poor maintenance, configuration mistakes, deployment security, patching or developer code....#fullstack

Wide Coverage

The holistic approach also covers ranges of IPs, such as a /24 or /16 CIDR block.

Automatic Assessment:

edgescan shall assess anything that is "live" at a given point in time across the entire block. We find this helps with use cases such as rogue deployments, insecure services being deployed, APT and data exfiltration servers.

In the age of the cloud, organisations' servers are constantly being spun up and torn down depending on demand. Our approach to range-based assessments covers this scenario, as our clients know everything live within their range shall be detected and assessed.

Automatic vulnerability assessment coupled with continuous asset profiling provides our clients with a very adaptable solution when their systems are constantly in a state of flux.

No need for messy licensing or paperwork for every assessment: our licensing is range based, and however many servers are live at any point in time, they shall all be assessed and the results manually validated in our SOC...

edgescan also has alerting capability such as SMS, email and, soon, #slack alerting which shall be 2-way (think of it as a vulnerability management #slackbot).

You can ask edgescan to alert you if certain conditions arise such as:

  1. New asset discovered
  2. New vulnerability discovered
  3. Change in hosting environment
  4. Assessment cycle is completed
  5. etc etc
Risk Mitigation

Via our API you can now generate web layer mitigation rules for Web Application Firewalls (WAF) on demand (Citrix NetScaler and ModSecurity). This gives you the flexibility to virtually patch discovered issues very quickly using your underused WAF :)

Tuesday, August 2, 2016

Continuous Asset Profiling - What is your attack surface?

At edgescan we have a solution called HIDE (Host Index Discovery and Enumeration) which is in effect a continuous asset profiling function. It does the following:

HIDE queries entire IP ranges for our clients. This "blanket" covering of ranges gives our clients the ability to see what's "alive" and what's enabled in seconds.
If an endpoint is decommissioned or newly deployed, HIDE detects the change and can alert users.

  • Detection of the state of all endpoints exposed to the public Internet
  • Identification of the endpoint, attempting to resolve any DNS names associated with it
  • Enumeration of the services and open ports enabled on the endpoint
  • Automated alerts based on user-defined criteria (e.g. new host discovered, host goes down etc.)
  • Detection is via cloud APIs and/or port enumeration (TCP/UDP)

Via the HIDE console you can query, say, across 10,000 endpoints which systems are running Linux and have port 25 open.
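The change detection and console query described above, as an added example that is not edgescan's HIDE code: two constructed inventory snapshots of a small range are diffed into the alert conditions the page lists (new host, host died, port changes), and a query picks out hosts by OS and open port.

```python
"""Inventory change detection in the style of continuous asset profiling.
Added example; the snapshot format (host -> (os, open ports)) is assumed."""
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[str, Tuple[int, ...]]]

# Constructed sample data: two scans of the same /24 a day apart.
SCAN_DAY1: Snapshot = {
    "192.0.2.10": ("Linux", (22, 25, 443)),
    "192.0.2.11": ("Windows", (443, 3389)),
    "192.0.2.12": ("Linux", (80,)),
}
SCAN_DAY2: Snapshot = {
    "192.0.2.10": ("Linux", (22, 443)),       # port 25 closed
    "192.0.2.11": ("Windows", (443, 3389)),   # unchanged
    "192.0.2.20": ("Linux", (22, 25)),        # new host appeared
    # 192.0.2.12 no longer answers: decommissioned or down
}


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[str]:
    """Return alert strings for: new host discovered, host died,
    OS change and ports opened/closed."""
    alerts = []
    for host in sorted(set(before) | set(after)):
        if host not in before:
            os_name, ports = after[host]
            alerts.append(f"NEW_HOST {host} {os_name} ports={list(ports)}")
        elif host not in after:
            alerts.append(f"HOST_DIED {host}")
        else:
            (os_b, ports_b), (os_a, ports_a) = before[host], after[host]
            if os_b != os_a:
                alerts.append(f"OS_CHANGED {host} {os_b}->{os_a}")
            opened = sorted(set(ports_a) - set(ports_b))
            closed = sorted(set(ports_b) - set(ports_a))
            if opened:
                alerts.append(f"PORTS_OPENED {host} {opened}")
            if closed:
                alerts.append(f"PORTS_CLOSED {host} {closed}")
    return alerts


def query(snapshot: Snapshot, os_name: str, port: int) -> List[str]:
    """Console-style query: which hosts run os_name and have port open."""
    return sorted(h for h, (o, p) in snapshot.items() if o == os_name and port in p)


if __name__ == "__main__":
    for line in diff_snapshots(SCAN_DAY1, SCAN_DAY2):
        print(line)
    print("Linux with 25 open:", query(SCAN_DAY2, "Linux", 25))
```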

Why is HIDE "a hit" with our clients...?

Larger and growing organisations sometimes don't know what they have deployed to the public Internet.

Organisations which have migrated to the cloud may spin up and tear down instances on a frequent basis, which can result in reallocation of IPs on a dynamic basis.

Tracking a dynamic attack surface in the case of cloud is challenging using traditional techniques and results in poor coverage and reaction time.

Even using immutable secure baseline instances in the cloud requires constant validation; this is where HIDE comes in.

The ability to provide continuous vigilance and alerting in a constantly changing environment is very attractive to most CISOs.

Dynamic automated vulnerability management

As we can track the dynamic attack surface, we can also deliver on-point vulnerability management, such that once we discover a new instance we can immediately verify if it poses any security risk to the business. This, coupled with alerting and awareness, gives our clients much greater visibility of their security posture as their attack surface grows and reduces over time.

Pop over to for more information.

Wednesday, July 20, 2016

edgescan - Virtual Patching and WAF integration - Reducing "time-to-fix"

What is a Virtual Patch?

The idea of virtual patching is to apply a rule on a perimeter endpoint which mitigates/reduces the risk of the vulnerability being exploited. This can be performed without changing any application source code and is in effect applying a rule to an IDS/IPS or WAF such that it is aware and can defend against a particular attack vector and protect a system from exploitation or breach.

When you consider the numerous use cases in which organizations can't simply edit and fix the source code, the benefits of virtual patching become apparent.
  • It is a scalable solution as it is implemented in a single location (the firewall) vs. installing patches on all hosts.
  • It reduces/mitigates risk of breach or exploitation until a vendor-supplied patch is released or while a patch is being tested and applied.
  • The source code is not altered and hence it reduces the likelihood of code conflicts or introducing errors.
  • It provides timely protection for mission-critical systems that may not be taken offline but have an exposed vulnerability.
  • Legacy/3rd-party apps: the code may not be available, but the vulnerability still needs to be fixed.
"Defenders are always on the back-foot as time to fix is longer than time-to-exploit. This slow reaction time creates a permanent offensive advantage to the attacker."

edgescan provides continuous vulnerability management coupled with expert validation and support via its cloud based SaaS. It manages over 20,000 systems globally every month and provides full-stack vulnerability management to our clients.

A new feature in edgescan gives our users the ability to generate rules for a chosen firewall vendor/version which are customized to the vulnerabilities unique to the application in question.

  • Auto-generation of firewall rules gives you the ability to patch a critical issue very quickly using your Web Application Firewall.
  • No need to change the application's source code (and maybe that's not possible).
  • Multiple web application vulnerabilities can be mitigated at the same time.
  • No need to be a firewall expert.
  • The edgescan API gives access to automating rule generation and easy deployment to pre-production / production environments.

Generating virtual patch rules for an entire application is as simple as hitting the "WAF Rules" button.

Figure: rules generated for Citrix NetScaler
Figure: WAF rule generation for a single selected vulnerability
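To make the rule-generation idea concrete, here is an added example (not edgescan's generator, and the finding format and allow-list templates are assumptions) that turns a validated finding into a ModSecurity virtual-patch chain: match the vulnerable path, then deny requests whose parameter falls outside its expected format.

```python
"""Generate ModSecurity virtual-patch rules from validated findings.
Added example; Finding and ALLOWED_VALUE are assumed, not a real API."""
from dataclasses import dataclass
from typing import Iterable

# Allow-list patterns per vulnerability class (assumed). A virtual patch for a
# missing-validation bug blocks any value outside the format the app expects.
ALLOWED_VALUE = {
    "sqli_numeric": r"^[0-9]{1,10}$",            # e.g. id=42
    "xss_alnum":    r"^[A-Za-z0-9 _.-]{0,64}$",  # short text, no markup
}


@dataclass(frozen=True)
class Finding:
    vuln_class: str   # key into ALLOWED_VALUE
    path: str         # request path the vulnerability lives on
    param: str        # the vulnerable request parameter
    ref: str          # finding/ticket reference used in the rule message


def waf_rule(finding: Finding, rule_id: int) -> str:
    """Emit a two-rule chain. In ModSecurity the disruptive action (deny)
    belongs on the first rule of a chain; the second rule only adds a test."""
    if finding.vuln_class not in ALLOWED_VALUE:
        raise ValueError(f"no virtual patch template for {finding.vuln_class}")
    if not finding.path.startswith("/") or not finding.param.isidentifier():
        raise ValueError("path must be absolute and param a plain identifier")
    pattern = ALLOWED_VALUE[finding.vuln_class]
    first = (f'SecRule REQUEST_URI "@beginsWith {finding.path}" '
             f'"id:{rule_id},phase:2,deny,status:403,log,'
             f"msg:'Virtual patch {finding.ref}: {finding.vuln_class} "
             f"in {finding.param}',chain\"")
    second = f'    SecRule ARGS:{finding.param} "!@rx {pattern}"'
    return first + "\n" + second


def rules_for_app(findings: Iterable[Finding], base_id: int = 100000) -> str:
    """One rule chain per finding with unique ids: the whole-application
    'WAF Rules' case rather than a single selected vulnerability."""
    return "\n".join(waf_rule(f, base_id + i) for i, f in enumerate(findings))


# Constructed findings, as a validated assessment might report them.
FINDINGS = [
    Finding("sqli_numeric", "/account/view", "id", "VULN-1"),
    Finding("xss_alnum", "/search", "q", "VULN-2"),
]

if __name__ == "__main__":
    print(rules_for_app(FINDINGS))
```

Deploy the output only after testing it against pre-production traffic; an allow-list that is too narrow blocks legitimate users, which is why the template per class is the part to review.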

Tuesday, April 12, 2016

Web Application security for CISOs - 6 things to consider

At edgescan we assess thousands of systems globally across both the web site and application layers.

We assess both pre-production and production environments deployed to data centres and the cloud alike.

From experience, the job of a CISO involves much more than cybersecurity: the CISO is required to set strategic direction for many aspects of security and be an oracle of knowledge....

Many of my CISO friends and colleagues understand the need for security across the entire systems development and maintenance lifecycle and have a large list of areas to cover off and secure, not to mention maintaining compliance...

  • Measuring the security maturity Level, and building an integrated approach to maintain posture
  • Balancing cost/budget and risk prioritization
  • Consolidation of metrics and trends to make informed decisions
  • Maintaining clear channels of communication with the business
  • Helping to keep security promises made to users by the business.

The following is a list of items a CISO should consider in the cybersecurity space which support some of the above responsibilities....

Establish development security touchpoints and toll gates

Formalise touchpoints in the system development and maintenance lifecycle; this can include:

  • Integrating simple checks for sanity; logical and behavioural checks as part of functional testing.
  • Investment in QA staff to conduct anti-pattern testing and negative abusive testing.
  • Leverage automation or managed service provision for in-line technical security validation. If you don't have the skills in-house, leverage an MSSP (Managed Security Service Provider) to conduct frequent testing and validation.

Simple fixes can result in huge dividends

The edgescan 2014 and 2015 vulnerability stats reports both highlighted a number of stand-out issues which are not super complex, and we have seen similar for many years....

  • Patching and maintaining systems, or using secure baseline builds in the cloud. 63% of vulnerabilities discovered in 2015, and a similar percentage in 2014, related to maintenance, configuration and component security/patching.
  • A robust OS/Host/Framework/Component maintenance process will result in a high reduction of security vulnerabilities for any company.

Metrics: not all the metrics, but the right ones

  • Measure the most common vulnerabilities and root causes (developer bugs/maintenance/insecure components/poor configuration). Such information can be attributed to teams and departments (development, DevOps, admin, deployment).
  • Metrics on the technology platforms with the most issues, and the types of issues, can also shed light on where there are awareness weaknesses, technical debt or poor technology choices (unsupported systems etc.).
  • Consolidated views via GRC/SIEM/bug-tracking integration are important; the last thing you need is another dashboard!

Security solutions are investments, choose wisely

  • Given the trend towards DevOps and continuous integration/deployment we need to "push left" and catch issues earlier, be they non-compliance or security vulnerabilities or both. Your solution should support integration with development and an assessment model which maps to your development methodology in terms of frequency of change and deployment model. Root cause and prevention is always better than detection and patch.
  • Push vulnerability data directly to development, assuming validation of discovered issues has been performed. Security vulnerabilities are bugs: treat them as such, track them and fix 'em.
  • Scalability and accuracy are important in order to handle the level of assessment required, which is a function of change and deployment frequency.
  • Fullstack solutions - hackers don't give a sh1t. Let's converge as per the DevOps model and treat security vulnerabilities as "risk items". Let's not treat application security and host/network security as separate things. They are all simply paths to being compromised.

Vulnerabilities are bridges which join assets to attackers

  • Don't fix all vulnerabilities, fix the right ones. Not all vulnerabilities are equal: understand the business context of a vulnerability. Risk is a human concept and can (currently) only be understood by people.
  • Vulnerabilities come and go. It's not always the developers' fault, and they can arise even in a static system with little change, due to newly discovered issues in your supporting OS/framework/third-party components.

3rd Party Development and Commercial Off-the Shelf Solutions

  • Do your system suppliers code securely and have a secure SDLC? Ask them to prove it.
  • T&Cs should cover quality, security and attribution to a secure development methodology being used.
  • Require evidence of assessment, SAST, DAST, Training, monitoring and ongoing improvement in relation to product development.

Friday, March 18, 2016

AppSec Training

Building Secure Apps...

We did a bunch of Application Security development training over the past 6 months.
You can find it here

On the 6th April we have a Secure Ruby development class running in conjunction with the IISF, which is all but sold out.

Link to the event in April is here:

There is also a bunch of editable stuff to use in your own classes here:
Which I delivered in 2014/2015 at RSA, LASCON and RSA (EU).
Stuff delivered over the years in the EU and USA.

Thursday, February 18, 2016

Dr StrangeLove (How I Learned to Stop Worrying and Love Managed Services),

Convergence of data, economies, supply chains & critical infrastructure and it all needs to be secure...welcome to the Internet.
As a practitioner in the software development and security industries for over 15 years, I've got to say it has never felt like a job. For people to like their jobs it's a blessing, particularly as my skillset is in demand. 

Demand is based on need, and given the proliferation of internet technologies for literally anything (finance, military, energy, mobile, IoT) it does not seem to be getting any less busy.

As with anything if there is a demand for something there comes a tipping point. Be it energy, clean water, food security or even Internet security. 

As a result there are some knock-on effects and many are the result of a capacity to deliver.

Given so many different industry verticals are all converging into a single approach to delivery (the Internet) the responsibility of securing such a global machine is only getting more demanding.

Early Warning Signs 
  • A shortfall of experienced cyber security experts is expected to reach 1,000,000 by 2019.
  • PwC recently did a survey in which only 26% of companies said they have adequate staff.
  • Consultant-driven security assessments (penetration tests) do not map to contemporary software or system development methodologies.
  • Consultant-driven testing is not scalable for any agile organisation and is prohibitively expensive if full coverage is required on a regular basis.
  • Risk and vulnerability intelligence is not consolidated by default.

As with climate change, the approach to solving the Internet Security challenges of the future won't be addressed until people are told "There are no more [resources]".

Concerns and how to improve security posture:

In 2015 a questionnaire via the WEF (World Economic Forum) - Hyperconnected World - posed the following question:

"What actions that your institution could take would have the most impact in reducing the risk associated with cyberattacks?"

  • 38% said "Develop deep integration of security into the technology environment to drive scalability" is a "game changer".
  • 57% said "Prioritize information assets and related risks in a way that helps engage business leaders" would have significant impact.
  • 55% said  "Deploy active defences to be proactive in uncovering attacks early" would have significant impact. 

The responses above, amongst others, support the idea that consultant-driven vulnerability management, penetration testing / security assessment and point-in-time approaches to securing a business don't work and are not scalable.

The above can be considered a business case for engaging with managed services in order to provide the scale, frequency, visibility and accuracy required in the ever-changing landscape that is the Internet.

The adoption of managed services shall continue to increase as organisations understand:

  • the need for an "adequate level" of security to mirror development / DevOps
  • it is a necessary operating cost of any business
  • approaching security in an ad-hoc manner shall not solve anything
  • metrics are required in order to engage the business on the value of security
  • security needs to be integrated at many levels in a business and its associated systems

Thursday, January 21, 2016

5 Tips To Keeping Hackers Out Of Your Business in 2016

So, to start off 2016 on a secure footing here are 5 tips that can radically reduce your risk profile....

We recently released the edgescan 2015 Vulnerability stats report to positive feedback
You can find it here: edgescan - resources page

The tips below are based on the vulnerability stats report. So they are in effect the result of thousands of security assessments in 2015, and what we believe are simple but effective tips to help you consider some of the right things.

Sometimes a focus on "doing the right things" and not "doing things right" is what matters.

The findings for 2015 were not too surprising, covering off the volume of high-profile cyber attacks, their root causes and how we can improve our security.

Here's my Top 5 based on the most common issues discovered in the stats report and effective fixes which could dramatically improve your security posture.

Patch Or Recycle Your Servers!!

In 2015, 63% of vulnerabilities discovered could have been mitigated via patching, configuration or component management. That's a high percentage, and in many cases not a relatively difficult thing to do.

Over 7.1% of patch-related vulnerabilities were Critical or High Risk. In the cloud, if we don't patch, we should define secure baseline instances and deploy new versions (recycle) once we know they have a patching or configuration weakness. This can have a huge impact on your security posture. Patching is not exclusive to operating systems but should also include frameworks, services etc.
Consider automation such as 

Use TLS, Drop SSL

This also relates to the above point of configuration management and patching. A very large proportion of issues discovered in 2015 related to the use of SSL or weak cipher configuration. 99% of users' browsers support strong transport security, so turn up the crypto and remove the old crud!

Use HTTP Security Headers

Implementing HTTP security headers generally takes literally a couple of lines of code and can make life difficult for attackers. HTTP Strict Transport Security (HSTS) prevents man-in-the-middle attacks and related attacks associated with malware on infected devices/PCs. X-Frame-Options headers, again easily implemented, can help prevent some phishing and social engineering attacks.

In 2015 a 15% risk reduction could be achieved if all sites assessed used HTTP Security Response Headers!!
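As an added example (not edgescan code; the sample responses are constructed), the check below audits the two headers discussed above on a captured response: it parses HSTS directives, flags a short max-age or missing includeSubDomains, and checks X-Frame-Options for a value modern browsers honour.

```python
"""Audit HSTS and X-Frame-Options on a response's headers.
Added example; MIN_HSTS_MAX_AGE is an assumed policy threshold."""
from typing import Dict, List

# Six months in seconds: an assumed minimum for HSTS to give lasting protection.
MIN_HSTS_MAX_AGE = 15_552_000


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            out["max_age"] = int(val)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def audit_headers(headers: Dict[str, str], https: bool = True) -> List[str]:
    """Return findings (empty list means clean). Names are case-insensitive;
    HSTS is only meaningful on an HTTPS response, so it is skipped otherwise."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if https:
        if "strict-transport-security" not in h:
            findings.append("missing Strict-Transport-Security")
        else:
            hsts = parse_hsts(h["strict-transport-security"])
            if hsts["max_age"] is None:
                findings.append("HSTS max-age missing or invalid")
            elif hsts["max_age"] < MIN_HSTS_MAX_AGE:
                findings.append(f"HSTS max-age too short ({hsts['max_age']}s)")
            if not hsts["include_subdomains"]:
                findings.append("HSTS lacks includeSubDomains")
    xfo = h.get("x-frame-options", "").strip().upper()
    if not xfo:
        findings.append("missing X-Frame-Options (clickjacking)")
    elif xfo not in ("DENY", "SAMEORIGIN"):  # ALLOW-FROM is obsolete in browsers
        findings.append(f"X-Frame-Options has unsupported value '{xfo}'")
    return findings


# Constructed sample responses.
WEAK = {"Server": "nginx", "Content-Type": "text/html"}
PARTIAL = {"Strict-Transport-Security": "max-age=300",
           "X-Frame-Options": "ALLOW-FROM https://example.com"}
GOOD = {"strict-transport-security": "max-age=31536000; includeSubDomains; preload",
        "X-Frame-Options": "DENY"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("partial", PARTIAL), ("good", GOOD)):
        print(name, audit_headers(hdrs) or ["ok"])
```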

More on security headers to be found here

Frequent Assessments and Root Cause Analysis

The "old model" of an annual penetration test is broken and always has been. 

Systems are in a constant state of flux and change, and testing a dynamic system for security once a year does not have any positive impact on its security posture. Once we discover an issue we also need to try to determine how the bug/vulnerability got deployed undetected.

Root cause and frequent output of security assessments can feed into training requirements and also help identify any holes in the SDLC from a security standpoint.

Awareness, Auditing, Detective Controls

Underrated and ignored but detecting attempts to breach your business is rather important. To implement such controls does not need to cost the earth. Logging on servers for specific events and archiving of logs is a good start. 

Application Layer logging in the case of exceptions is also worthwhile and inexpensive if done with some thought.

Client-side logging is also worth consideration in order to track browser scripting errors, which can help detect malware on users' browsers.

Check out: