<h1>Vulnerability Scanning &amp; Safe development</h1>

<p>ValeurBit Infosec blog, published 2021-04-11 by ValeurBit. https://valeurbit.com/blog/vulnerability-scanning-safe-development/</p>

<p>As part of their professional activities, pentesters, developers, and security specialists have to deal with processes such as Vulnerability Management (VM) and the (Secure) Software Development LifeCycle (S-SDLC).<br>These phrases cover different, though intertwined, sets of practices and tools, and their consumers are different.</p>

<p>Technological progress has not yet reached the point of replacing a person with a single tool for analyzing the security of infrastructure and software.<br>It is interesting to understand why this is so and what problems one has to face.</p>

<p>For our company, this is not only a subject of research and a consulting task, but also the task that our product solves: Deteact Application Security Platform.</p>

<h2 class="wp-block-heading">Processes</h2>

<p>The Vulnerability Management process is designed to continuously monitor infrastructure security and patch management.<br>The Secure SDLC ("Secure Development Cycle") process is designed to maintain the security of an application during development and operation.</p>

<p>The part these two processes have in common is Vulnerability Assessment, i.e. vulnerability scanning.<br>The main difference between VM and SDLC scans is that in the former, the goal is to detect known vulnerabilities in third-party software or configuration, for example an outdated version of Windows or the default SNMP community string.<br>In the second case, the goal is to detect vulnerabilities not only in third-party components (dependencies), but primarily in the code of a new product.</p>

<p>This creates differences in tools and approaches. In my opinion, the task of searching for new vulnerabilities in an application is much more interesting, since it is not limited to version fingerprinting, banner collection, brute-forcing passwords, etc.<br>High-quality automated scanning for application vulnerabilities requires algorithms that take into account the semantics of the application, its purpose, and its specific threats.</p>

<p>The infrastructure scanner can often be replaced with a timer: purely statistically, you can consider your infrastructure vulnerable if you haven't updated it for, say, a month.</p>

<h2 class="wp-block-heading">Instruments</h2>

<p>Scanning, like security analysis in general, can be performed both as a black box and as a white box.</p>

<h3 class="wp-block-heading">Black Box</h3>

<p>During blackbox scanning, the tool must be able to work with the service through the same interfaces through which users work with it.</p>

<p>Infrastructure scanners (Tenable Nessus, Qualys, MaxPatrol, Rapid7 Nexpose, etc.) look for open network ports, collect banners, identify installed software versions, and search their knowledge base for information on vulnerabilities in those versions. They also try to detect configuration errors such as default passwords, publicly accessible data, weak SSL ciphers, etc.</p>

<p>Web application scanners (Acunetix WVS, Netsparker, Burp Suite, OWASP ZAP, etc.) can also detect known components and their versions (for example, CMS, frameworks, JS libraries). The main steps of a scanner are crawling and fuzzing.<br>During crawling, the scanner collects information about the application's existing interfaces and HTTP parameters. During fuzzing, mutated or generated data is substituted into all detected parameters in order to provoke an error and detect a vulnerability.</p>

<p>These application scanners are classified as DAST and IAST: Dynamic and Interactive Application Security Testing, respectively.</p>

<h3 class="wp-block-heading">White Box</h3>

<p>There are more differences in whitebox scanning.<br>As part of the VM process, scanners (Vulners, Incsecurity Couch, Vuls, Tenable Nessus, etc.) are often given access to systems and perform an authenticated scan. The scanner can then read installed package versions and configuration parameters directly from the system, without guessing them from the banners of network services.<br>The scan is more accurate and more complete.</p>

<p>Whitebox scanning of applications (CheckMarx, HP Fortify, Coverity, RIPS, FindSecBugs, etc.) usually means static code analysis using the corresponding tools of the SAST class: Static Application Security Testing.</p>

<h2 class="wp-block-heading">Problems</h2>

<p>There are many problems with scanning! I have to deal with most of them personally as part of providing a service for building scanning and secure development processes, as well as when carrying out security analysis work.</p>

<p>I will single out three main groups of problems, which are confirmed by conversations with engineers and heads of information security services in various companies.</p>

<h4 class="wp-block-heading">Web Application Scanning Problems</h4>

<ol>
<li><strong>Complexity of implementation.</strong> Scanners need to be deployed, configured, customized for each application, given a test environment for scans, and embedded in the CI/CD process for this to be effective. Otherwise it will be a useless formal procedure, producing only false positives.</li>
<li><strong>Duration of scanning.</strong> Even in 2019, scanners do a poor job of interface deduplication and can spend days scanning a thousand pages with 10 parameters each, treating them as different even though the same code handles all of them. At the same time, the decision to deploy to production within the development cycle must be made quickly.</li>
<li><strong>Meager recommendations.</strong> Scanners give rather general recommendations, and a developer cannot always quickly understand from them how to reduce the level of risk and, most importantly, whether it needs to be done right now or can wait.</li>
<li><strong>Destructive effect on the application.</strong> Scanners may well carry out a DoS attack on an application, and they can also create a large number of entities or modify existing ones (for example, create tens of thousands of comments on a blog), so you should not mindlessly launch a scan in production.</li>
<li><strong>Low quality of vulnerability detection.</strong> Scanners typically use a fixed array of "payloads" and can easily miss a vulnerability that does not fit their known scenarios of application behavior.</li>
<li><strong>The scanner does not understand the functions of the application.</strong> Scanners by themselves do not know what "internet bank", "payment", or "comment" are. For them there are only links and parameters, so a huge layer of possible business-logic vulnerabilities remains completely uncovered: they will not think to make a double write-off, peek at other people's data by ID, or inflate a balance through rounding.</li>
<li><strong>The scanner does not understand the semantics of pages.</strong> Scanners do not know how to read FAQs, cannot recognize captchas, will not guess by themselves how to register and when they then need to log in again, that they must not press "logout", or how to sign requests when changing parameter values. As a result, most of the application may not be scanned at all.</li>
</ol>

<h4 class="wp-block-heading">Source code scanning issues</h4>

<ol>
<li><strong>False positives.</strong> Static analysis is a complex task that involves many trade-offs. Accuracy is often sacrificed, and even expensive enterprise scanners generate a huge number of false positives.</li>
<li><strong>Complexity of implementation.</strong> To increase the accuracy and completeness of static analysis, the scanning rules must be refined, and writing these rules can be too time-consuming. Sometimes it is easier to find all the places in the code with a certain kind of bug and fix them than to write a rule to detect such cases.</li>
<li><strong>Lack of dependency support.</strong> Large projects depend on a large number of libraries and frameworks that extend the capabilities of the programming language. If the scanner's knowledge base does not contain information about the dangerous places ("sinks") in these frameworks, they become a blind spot, and the scanner simply will not even understand the code.</li>
<li><strong>Duration of scanning.</strong> Finding vulnerabilities in code is a tricky task algorithmically as well. Therefore the process may well drag on and require significant computing resources.</li>
<li><strong>Low coverage.</strong> Despite the resource consumption and scan duration, the developers of SAST tools still have to resort to trade-offs and do not analyze all the states the program may be in.</li>
<li><strong>Reproducibility of findings.</strong> Pointing to a specific line and the call stack that leads to a vulnerability is fine, but in practice the scanner often does not provide enough information to check for the vulnerability from the outside. After all, the flaw may also be in dead code, which is unreachable for an attacker.</li>
</ol>

<h4 class="wp-block-heading">Infrastructure Scan Issues</h4>

<ol>
<li><strong>Insufficient inventory.</strong> In large, especially geographically dispersed, infrastructures it is often hardest to figure out which hosts to scan. In other words, the scanning task is closely related to the asset management task.</li>
<li><strong>Bad prioritization.</strong> Network scanners often produce many results for flaws that are not exploitable in practice but whose formal risk level is high. The consumer receives a report that is difficult to interpret, and it is not clear what needs to be fixed first.</li>
<li><strong>Meager recommendations.</strong> The scanner's knowledge base often contains only very general information about the vulnerability and how to fix it, so admins will have to arm themselves with Google. The situation is a little better with whitebox scanners, which can issue a specific command to fix the problem.</li>
<li><strong>Manual work.</strong> Infrastructures can have many nodes, which means potentially many findings, and the reports for them have to be taken apart and analyzed manually at each iteration.</li>
<li><strong>Poor coverage.</strong> The quality of infrastructure scanning directly depends on the size of the knowledge base of vulnerabilities and software versions. At the same time, it turns out that even the market leaders do not have a comprehensive knowledge base, and the databases of free solutions contain a lot of information that the leaders do not have.</li>
<li><strong>Patching problems.</strong> Most often, patching an infrastructure vulnerability means updating a package or changing a configuration file. The big problem here is that the system, especially a legacy system, can behave unpredictably as a result of the upgrade. In fact, you will have to conduct integration tests on live infrastructure in production.</li>
</ol>

<h2 class="wp-block-heading">Approaches</h2>

<p>What to do?<br>I will talk in more detail about examples and about how to deal with many of the listed problems in the following parts, but for now I will indicate the main directions in which you can work:</p>

<ol>
<li><strong>Aggregation of various scanning tools.</strong> With the correct use of multiple scanners, a significant increase in the knowledge base and in detection quality can be achieved. You can find even more vulnerabilities than the sum of all scanners launched separately, while assessing the level of risk more accurately and making more recommendations.</li>
<li><strong>Integration of SAST and DAST.</strong> You can increase DAST coverage and SAST accuracy by exchanging information between them. From the source code you can get information about the existing routes, and using DAST you can check whether the vulnerability is visible from the outside.</li>
<li><strong>Machine Learning<sup>™</sup>.</strong> In 2015 I talked, and later talked more, about using statistics to give scanners a hacker's intuition and speed them up. This is definitely food for the development of automatic security analysis in the future.</li>
<li><strong>Integration of IAST with autotests and OpenAPI.</strong> Within the CI/CD pipeline, it is possible to build a scanning process based on tools that work as an HTTP proxy and on functional tests that work over HTTP. OpenAPI/Swagger tests and contracts will give the scanner the missing information about data flows and make it possible to scan the application in various states.</li>
<li><strong>Correct configuration.</strong> For each application and infrastructure, you need to create a suitable scanning profile, taking into account the number and nature of the interfaces and the technologies used.</li>
<li><strong>Scanner customization.</strong> Often an application cannot be scanned without reworking the scanner. An example is a payment gateway where every request must be signed. Without writing a connector for the gateway protocol, scanners will mindlessly pound it with requests carrying an incorrect signature. It is also necessary to write specialized scanners for specific kinds of flaws, such as Insecure Direct Object Reference.</li>
<li><strong>Risk management.</strong> Using various scanners and integrating with external systems such as Asset Management and Threat Management will allow many parameters to be used for assessing the level of risk, so that management can get an adequate picture of the current state of security of the development or the infrastructure.</li>
</ol>

<p>Stay tuned and let's disrupt vulnerability scanning!</p>