Daily Archives: April 2, 2019

ST03: Cloud Technology Trends with Wayne Anderson and Dan Flaherty

In this episode, we’ll hear from Wayne Anderson, Enterprise Security Architect at McAfee and Dan Flaherty from the cloud security product team speak on a wide range of topics from upcoming technology trends in the market, to adversarial machine learning, cloud models for security, and a look back at the RSA conference.

The post ST03: Cloud Technology Trends with Wayne Anderson and Dan Flaherty appeared first on McAfee Blogs.

Veracode Dynamic Analysis: Reduce the Risk of a Breach

This blog post has been updated as of April 2, 2019

Veracode Dynamic Analysis is a dynamic scanning solution that features automation, depth of coverage, and unmatched scalability. Built on microservices and cloud technologies, the Veracode Dynamic Analysis solution is available on the Veracode SaaS platform. Veracode Dynamic Analysis helps both vulnerability managers tasked with safeguarding the entire web application portfolio, and AppSec managers tasked with safeguarding critical applications in pre-production. With the frameworks developers use to build web applications changing often, and the push toward single page applications, Veracode Dynamic Analysis gives you the automated dynamic scanning you need to find vulnerabilities quickly and accurately.

Benefits of Scheduling Automation

Consistent dynamic scanning is key to keeping your web applications safe, and consistent scanning is achievable with an automated dynamic scanning solution. Imagine your CISO tells you to scan your web apps as often as feasible. Depending on remediation frequency, you come up with a quarterly, monthly, or weekly scanning schedule. To add additional complexity, IT gives you a maintenance window when dynamic scanning cannot occur. If you’re part of a global company, you also have time zones to contend with, making it virtually impossible to depend on a manual pause and resume, not to mention the inconvenience of waking up at 3:00 AM to pause a running scan. With all these variables to handle, you need a dynamic scanning solution that provides true automation to handle scheduling and IT maintenance windows, so you can “set it and forget it.” 

Recurring Scan Scheduling provides the ability to set up a schedule such that the application can be automatically scanned on a weekly, monthly, or quarterly cadence (or anything in between). Once the schedule has been set up, the dynamic scan will kick off automatically at the defined cadence. If the scan has been set up to start on a Tuesday, it will maintain that start day for the weekly scans to avoid running into weekends and holidays.

Automated Pause & Resume provides the ability to designate a maintenance window when the applications won’t be scanned. Dynamic scanning will be automatically paused when the IT maintenance window begins and automatically resume when the applications can be scanned. The pause and resume functionality has been built to ensure scanning resumes where it left off, with the goal of full coverage.

The screenshot below shows how to set up a weekly recurring scan that runs year round, pauses at midnight, and resumes at 4:00 AM each day.

  • Each week the application is dynamically scanned with the automated schedule and scan kick-off.
  • The system automatically pauses at the start of the maintenance window at 12:00 AM and resumes scanning at 4:00 AM.
  • You can adjust the duration based on the size of the application and the number of applications scanned in the batch to get the best coverage.

Authenticated Batch Scanning provides the ability to increase coverage by scanning behind the login screen, using a multitude of login mechanisms such as auto login, basic authentication, or uploading a login script. You can depend on the pre-scan feature to provide accurate feedback on the connection and authentication for the application under test, so you can fix any access issues ahead of the scheduled start time. In addition, a batch of scans can be kicked off at the same time to allow concurrent scanning with authentication. You save a lot of time when all applications can be concurrently scanned, with coverage for single page applications, modern frameworks such as Angular and ReactJS, and the ability to cover large web applications quickly.

Dynamic Analysis makes it easy to onboard applications and provides multiple input mechanisms. Uploading a CSV file is a quick way for large and small companies to take advantage of scanning applications concurrently.

Internal Scanning Management with Veracode Dynamic Analysis

There are many reasons for an application to live behind a firewall, beyond that it still in the development process waiting for test and quality assurance checks. Some applications are used for more sensitive financial operations and HR purposes, while others are used in highly regulated industries like healthcare and financial services. Even more simply, organizations use many applications internally and there is no reason for them to expose them externally. Historically, the enduser has had to install a Virtual Scan Appliance within their environment and send scan data through an insecure midpoint so the vendor can actually receive the data and return results.

Our Internal Scanning Management Feature takes a fresh approach to this challenge by offering a completely new, IT-compliant way to access these behind-the-firewall applications. Rather than using a Virtual Scan Appliance, or an on premise scanner that is difficult to maintain and does not scale, the Veracode Dynamic Analysis scanner continues to run in the cloud and uses the Secure Scanning Gateway. This gateway connection is completely controlled by the enduser. You can open the connection to scan your applications behind the firewall – and close the gateway whenever you’d like. This empowers you to not only scan applications that live behind the firewall, but to apply dynamic testing to applications in the Staging environment before they are pushed into production. Below is a screenshot with a gateway and endpoint from the Veracode Platform.

 

Show Me the Results: Consolidated View

Veracode Dynamic Analysis provides visibility into the scanning process to give you peace of mind and comprehensive results once the scanning is complete. The Veracode Platform’s Triage Flaw Viewer provides CWE details, vulnerability severity, along with request/response. In addition, the Platform provides reports to show scan coverage, summary reports for executives, and detailed reports for AppSec teams.

The goal of dynamic scanning is to find exploitable vulnerabilities at runtime, and remediate the issues found. The Dynamic Flaw Inventory provides a dashboard that provides historical vulnerability information, allowing AppSec managers to track team progress toward fixing vulnerabilities. 

Veracode Dynamic Analysis gives you a solution to scan your entire portfolio of web applications with ease, provides accurate results, and puts you on the path to remediate the findings. Even if you are running static scans early in the SDLC, dynamically scanning your web application at runtime uncovers exploitable vulnerabilities that static scans won’t find. Use our dynamic scanning solution to find and remediate flaws before a hacker exploits the vulnerability, resulting in a breach.

I’d love to hear your feedback

Would Veracode Dynamic Analysis benefit your AppSec program and reduce the risk of a breach? I’d like to hear your thoughts. To learn more please download our whitepaper, "Reducing Your Risk of a Breach with Dynamic Analysis," or to schedule a demo now, click here.

How Many Web Applications Does Your Organization Have? It’s More Than You Think

“Automation has saved a tremendous amount of time. We went from a day per app to review and now we are essentially reviewing through automation 18,000 scans a day with only 20 AppSec engineers. You do the math — 18,000 deploys a day with 20 engineers — you can’t scale that manually.”

Senior manager application and cloud security, insurance, The Total Economic ImpactTM of the Veracode Application Security Platform Study

One of the things we pride ourselves on here at Veracode is offering solutions and services that help add a little bit more ease to the application security process. We talk a lot about shifting left, and we do our best to put our money where our mouths are by creating a variety of integrations and automations that empower development teams to adopt a security-first mindset without sacrificing speed or agility. Yet there is more to a complete and holistic application security program than scanning in the CI/CD or making sure you’re securing open source components.

What about all of the web applications that you don’t know or simply forgot about? What about the exploitable vulnerabilities that can only be found at runtime? Or the applications that contain sensitive data and live behind the firewall? In order to ensure the security of these applications – and to make sure you have a proper inventory – you need to conduct discovery and dynamic scans.

What Do You Mean Web Applications I Don’t Know About or Forgot?

It’s more common that you would imagine that organizations and brands have more web apps than they realize – at Veracode, we help our clients create comprehensive application inventories, and find that they are, on average, comprised of roughly 30 percent more applications than clients knew about. For example, in M&A activity, more than just a company or brand is acquired – you also acquire their web assets. Further, the digital landscape is decorated with marketing promotional sites meant to attract attention.

Paul Farrington, Veracode CTO in EMEA, is familiar with how common it is to underestimate the extent and reach of an organization’s IT assets. In a project that Veracode conducted for a high street bank, we discovered 1,800 websites that had yet to be logged.

“Their perimeter can be 50% larger than they originally thought it was,” Farrington told the BBC.

It's impossible to secure an entire web application attack surface if you don’t know about all of your applications, and the very thing meant to draw attention to your brand and boost your bottom line is the same target attackers go after to infiltrate your organization. According to the 2018 Verizon Data Breach Investigations Report, web applications continue to be the number one vector for reported breaches. In nearly 90 percent of breaches, it took only minutes for attackers to gain access – and it took months for nearly 70 percent of organizations to detect the systems that had been compromised.

Securing ALL of Your Web Applications With Veracode Discovery + Veracode Dynamic Analysis

Without a solution to help you discover these web applications, you can never be completely certain that you have scanned all of your web applications. This is where Veracode Discovery can help.

Veracode Discovery is a threat intelligence solution that leverages IP ranges, host names, keywords, and other inputs to scan the web for every web application that may be associated with your organization. The results are uploaded to the Veracode Application Security Platform where users can sort through the findings and input them into Veracode Dynamic Analysis through an easy-to-follow workflow. This ensures that you have full visibility into what your organization owns and that you are able to either scan and remediate those applications or sunset them, which improves the organization’s overall security posture.

Veracode Dynamic Analysis is fast, but it’s not just about the speed at which a scan returns results. It’s about the complete workflow – scan start, scan complete, and through to remediation. Veracode Dynamic Analysis is fast because of scheduling automation and a single upload that allows you to batch upload multiple applications into the same analysis. As a SaaS solution, Veracode Dynamic Analysis is able to kick off a scan for hundreds of applications at the same time. Unlike other solutions on the market, Veracode Dynamic Analysis can concurrently scan both authenticated and unauthenticated applications both in front of and behind a firewall. What’s more, the results that you receive are immediately actionable: they contain less than 1 percent false positives thanks to the accuracy of our scanner and limited manual scrubbing.

Veracode Dynamic Analysis covers a wide variety of application frameworks, including Single Page Applications, JavaScript apps, HTML5, Angular, and ReactJS. This gives you the reassurance that Veracode Dynamic Analysis will be able to return results on your applications and provide you with actionable results.

To learn more about Veracode Dynamic Analysis, download our whitepaper, Reducing Your Risk of a Breach with Dynamic Analysis.