OWASP Vulnerability Management Guide (OVMG) - June 1, 2020
Business email security tests, or phishing tests, are a way to engage the
critical thinking of users and prevent click fatigue. Social engineering (SE)
tests are not very common but have been found to be a very effective way to
raise self-awareness in employees. Note that retraining should be preceded by
formal information security training.
1.2.2 Determine the frequency of your security tests
The scope should provide the input based on legal, regulatory, and contractual
requirements that your organization must comply with. The most popular
compliance framework for vulnerability management is PCI DSS.
1.2.3 Ensure the latest vulnerability feed
Subscribe to “patch Tuesday” emails from all your major vendors. Subscribe to
the full disclosure database and other feeds where you can track all new
CVEs. Ask the tool vendor how long it takes to update vulnerability definitions
in their feed; it could be up to 1 or 2 weeks from the patch release.
1.2.4 Check if vulnerability exceptions exist
If you inherited the vulnerability scanner tool, make sure that no
vulnerabilities have been exempted from showing up on the report.
1.2.5 Test your tool for integrity
You can scan your computer or other devices you are well familiar with and
have access to. Cross-reference the output from your scanner with what is
actually on the device. Does your scanner properly fingerprint your operating
system or enumerate all URLs of a Web application? Were all applications
running on your device enumerated?
Alternatively, you can use the OWASP vulnerable applications to assess whether
you correctly set up your dynamic scanner for application tests. Check out
OWASP Juice Shop or OWASP Mutillidae.
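The cross-referencing in 1.2.5 and the exception check in 1.2.4 can be turned into a repeatable test. The following is an added example, not code from the OVMG; the scanner report, the ground-truth inventory, the field names and the "excepted" status value are all constructed assumptions standing in for your own scanner's export format.

```python
"""Cross-check a scanner's report for a host you know well against a
hand-built ground truth, and surface findings hidden by an exception.
All data below is constructed sample input; the report layout is assumed."""
from dataclasses import dataclass, field

# Constructed ground truth for a lab host: what really listens there.
GROUND_TRUTH = {
    "os": "Ubuntu 20.04",
    "services": {22: "OpenSSH 8.2", 80: "Apache 2.4.41", 3306: "MySQL 8.0.19"},
}

# Constructed scanner output in a simplified, assumed report shape.
SCAN_REPORT = {
    "os": "Ubuntu 18.04",  # wrong OS fingerprint
    "services": {22: "OpenSSH 8.2", 80: "Apache 2.4.41", 8080: "Tomcat 9"},
    "findings": [
        {"id": "F-1", "port": 80, "status": "open"},
        {"id": "F-2", "port": 22, "status": "excepted"},  # inherited exception (1.2.4)
    ],
}


@dataclass
class IntegrityResult:
    os_mismatch: bool
    missed_ports: list = field(default_factory=list)        # on the box, not in report
    phantom_ports: list = field(default_factory=list)       # in report, not on the box
    version_mismatches: list = field(default_factory=list)  # (port, real, reported)
    excepted_findings: list = field(default_factory=list)   # hidden from the report


def check_integrity(scan, truth):
    """Compare a scanner report with what is actually on the device."""
    result = IntegrityResult(os_mismatch=scan["os"] != truth["os"])
    seen, real = scan["services"], truth["services"]
    result.missed_ports = sorted(p for p in real if p not in seen)
    result.phantom_ports = sorted(p for p in seen if p not in real)
    result.version_mismatches = sorted(
        (p, real[p], seen[p]) for p in real if p in seen and real[p] != seen[p])
    result.excepted_findings = [f["id"] for f in scan.get("findings", [])
                                if f.get("status") == "excepted"]
    return result


def is_trustworthy(result):
    """True only when the report matches reality and nothing is suppressed."""
    return not (result.os_mismatch or result.missed_ports or result.phantom_ports
                or result.version_mismatches or result.excepted_findings)


if __name__ == "__main__":
    r = check_integrity(SCAN_REPORT, GROUND_TRUTH)
    print(r, "trustworthy:", is_trustworthy(r))
```

Any non-empty list or a mismatched OS means the tool needs tuning (1.2.6) or its exception list needs review before its reports are relied on.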
1.2.6 Adjust your tools’ settings, preferences, templates
Start safe and small, observe results, then increment and observe again. What
is different? Does it add any value? Read help and feedback provided by the
community around these security testing tools. Ensure that you are not inside
your own bubble.
End Goal: you should be able to adjust your tools to fulfill the scoped objectives.
1.3 Run Tests