The Case for Digital Durability
The increasingly-ubiquitous adoption of the Internet of Things (IoT), along with hyper-convergence of devices, cloud(s), and consumers have resulted in a complex product landscape. We’re witnessing exponential agile development in cloud-based marketplaces and digital products, and the rise of digital assistants, chat bots, connected vehicles, and smart home automation systems. To keep pace with this rapidly-evolving landscape, organizations are leveraging Continuous Development (CD), Continuous Integration (CI) and DevOps to reduce time to market and ensure more frequent releases. Consequently, persistent threats are on the rise, and adversarial sophistication abounds.The exploitation of Zigbee vulnerabilities in Philips’ Hue router to gain control of lighting devices, vulnerabilities in Nest to demonstrate its use as a potential spy device, and remote takeover of a Jeep or hacking Teslas are only a few well-known examples in recent times.
With the trifecta of growing complexity, shorter product release lifecycles, and increasingly-sophisticated persistent threats, we’re at a stage where the smarter products are, the more lucrative targets they make. When coupled with consumer-contextualized models, and enhanced product lifecycles (i.e. longevity of adoption/utilization), product security isn’t just a function of hardware, firmware or software, rather an approach towards minimization and mitigation of zero-day vulnerabilities. Organizations must shift from atomically testing and hardening individual, tangible products toward maintaining consumer trust, and ensuring digital durability. Security testing needs to be considered and performed as an ongoing process, rather than a sporadic, 'check-the-box' activity.
Vulnerability Assessments & Penetration Testing (VAPT): Not [evolving] so fast
Vulnerability Assessments and Penetration Testing are integral to security testing, as enterprises and product makers seek to uncover [exploitable] vulnerabilities - often at infrequent intervals such as during new deployments, major releases, or configuration changes. Reactive assessments may lead to compliance-oriented approaches, wherein selective tests are performed on production environments or existing products as opposed to adopting an adversarial approach. This involves identifying exploitable vulnerabilities, uncovering zero-day vulnerabilities, and iteratively hardening products.
While the scope of testing appears to be constrained, so is its maturity. Configuration and utilization of tools, correlation of vulnerabilities, and prioritization/application of exploits, report generation, and documentation of remediation activities comprise a cumbersome, manual process for testers. This approach doesn’t scale, and is infeasible in DevOps environments. Moreover, highly-skilled penetration testing resources do not scale exponentially, and findings don’t make it into secure coding practices or DevOps rule engines overnight. While VAPT needs to evolve to cater to these realities, what considerations should be made, and where do we start?
Automating The Pen Test
Abstracting components of a VAPT engagement yields repeatable tasks (e.g. vulnerability scans, de-duplication and prioritization of findings), and those requiring skilled resources (e.g. adversary-oriented penetration testing, crafting highly-contextualized exploits). Open-source tools have, in part, sought to automate tool orchestration (e.g. Seccubus) and streamline reporting, yet leave much to be desired.
Our approach in creating a VAPT framework, seeks to alleviate all of the cumbersome tasks attributed to pen testing engagements, and significantly right-shift the need for human expertise. Through a modular approach, the extensible framework currently supports:
- Orchestration of secure code review, vulnerability assessment (e.g. NMap, Nessus), and penetration testing (e.g. Metasploit) tools
- De-duplication, correlation, and prioritization of findings and their associated vulnerabilities, which includes the use of machine learning techniques
- Enrichment of vulnerability details, and retrieval of the latest exploits from ExploitDB and other external sources
- Visualization of exploitable vulnerabilities
- Creation of an up-to-date product-specific security posture
The framework utilizes a graph-based approach for efficient storage and exploratory analysis of targets, vulnerabilities, and exploits. Maintained over several runs, this knowledge graph enables:
- Pen Testers to engage sophisticated, manual techniques to discover additional vulnerabilities based on derived insights, and existing attack surface
- Pen Testers to utilize contextualized exploits following a review of successful/failed exploits
- Developers to visualize (and mitigate) vulnerabilities that are persistent across multiple parts of their product/application, and/or across multiple successive releases
Stay tuned for our next blog in this series, which features a deeper dive into our automated VAPT Framework, of which an initial version was demonstrated at Black Hat Europe 2016
Aricent’s Assessment & Analysis services enable clients across Communications, Industrial, and Software sectors to ensure resiliency across products, networks, and applications. Our Vulnerability Assessment & Penetration Testing (VAPT) services leverage differentiated technological solutions for greater efficiency, and skilled resources to ensure product security, and mitigate against zero-day exploits.
To learn more about our VAPT Framework, and how we can help you, contact firstname.lastname@example.org.