1 / 22

SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain

SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain. AppSec DC 11.13.2009 Ed Bellis VP, CISO Orbitz Worldwide ebellis@orbitz.com. But First... some context. Trip.com. eBookers. HotelClub. Orbitz.com. Orbitz For Business. NWA Booking engine. Away.com. Cheaptickets.

temira
Download Presentation

SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SCAP:Automating Our Way Out Of The Vulnerability Wheel Of Pain • AppSec DC 11.13.2009 • Ed Bellis VP, CISO • Orbitz Worldwide • ebellis@orbitz.com

  2. But First... some context • Trip.com • eBookers • HotelClub • Orbitz.com • Orbitz For Business • NWA Booking engine • Away.com • Cheaptickets • Traveler Care • GORP Travel • Southwest Hotels • AA Booking engine • RBS Rewards • Orbitzgames.com • msn.orbitz.com

  3. Context Matters... • 100’s of Endless Applications • 1000’s of Servers • 1000’s of Devices • 100’s of DBs • Data Centers: multiple continents • Call Centers - follow the sun ...and on and on and on...

  4. Context Matters... • VA Tools • Application • Network & Host • Database • Remediation Tracking • Jira • Remedy ...and on and on and on...

  5. A Proposed Solution: A Case Study

  6. Using Standards to Automate, Correlate & Measure

  7. Centralizing the Data: Overview

  8. Workflow: A Simple Use Case 1. NVD feed is pulled in daily

  9. A Workflow Use Case 2. Whitehat connector runs on a predefined schedule.

  10. A Workflow Use Case 3. Qualys connector runs on a predefined schedule

  11. A Workflow Use Case 4(a). Security Admin manages and modifies asset information discovered by VA tools - CPE Note: Unexpected Benefit!

  12. A Workflow Use Case 5. Vulnerability data is normalized and correlated across VA results utilizing CVE and WASC-TC. Vulns are scored using CVSS / WASC-TC plus Asset/CPE data.

  13. A Workflow Use Case 6. Single click defect creation from Conduit to Jira.

  14. A Workflow Use Case 7. Security defect is remediated by developer and closed in Jira.

  15. A Workflow Use Case 8. Conduit issues re-test of vulnerability via Sentinel API

  16. A Workflow Use Case 9. If re-test returns clean results are fed to Conduit and vulnerability is closed

  17. A Workflow Use Case 10. Metrics can be viewed and filtered via tags added through asset mgmt

  18. Metrics via Tag Lenses • Pre-Defined Vulnerability Metrics • Filtered by Asset Tags • Many-to-Many Tag/Asset Relationship

  19. Wheel of Pain Revisited

  20. The Standards Today CPE: Common Platform Enumeration CVE: Common Vulnerability Enumeration CVSS: Common Vulnerability Scoring System WASC-TC: Web Application Security Consortium Threat Class Roadmap CCE: Common Configuration Enumeration XCCDF: Extensible Configuration Checklist Description Format

  21. Additional & Emerging SCAP Standards OVAL: Open Vulnerability Assessment Language

  22. Q&A Email:ebellis@orbitz.com Twitter:http://www.twitter.com/ebellis More Info On SCAP: http://scap.nist.gov More Info On Conduit: http://www.honeyapps.com

More Related