Do you know what your attacks are?

Do you know what your attacks are so that you can validate that the defensive controls that you are building are really helping keep your applications safe?

In most of the organizations, the attacks detected by SOC (Security Operations Center) never make it to the Development teams or even their counterparts in SSG (Software Security Group) that work with development teams to fortify their application defensive controls. In my opinion this leaves a big gap between the actual attacks and the defenses that SSG and Application teams are building. This leaves organizations susceptible as they may not be fortifying defenses where they need to. Does this sound like what happens in your organization?

In the absence of real information on the attacks seen by the organizations, the SSG teams rely upon OWASP Top 10 Categories to prioritize application defenses to build out. Although this better than nothing, the OWASP Top 10 are based on the vulnerabilities found in the applications based on the penetration testing done by security firms that participate in the OWASP Top 10 projects. For the most part, the Top 10 vulns seems like they align with High Value rewards the attackers go after. But, there is no validation or data supporting this that I could put my hands on.

So, why does the SOC team hesitant to share the attack patterns they detect and respond with the SSG and Development teams. If you work in SOC, I would like to hear from you. Please drop in a note.

In the meantime, OWASP Top 10 is the best we have to prioritize defensive controls to fortify applications. So, long !

Advertisements

AppSec Blogs (Current & Future)

Please vote (by way of comments) for the topic that is of interest to you.

  1. Securing REST APIs/Micro Services
    1. Security vs Speed and Flexibility: A Conundrum
    2. Authentication
    3. Authorizations
    4. Input Validations & Output Encoding
    5. CSRF Defense
    6. Authorize Direct Object References
    7. Error handling/Information Disclosure
    8. API Gateway: Why you need it?
    9. CORS Demystified!
  2. Amazon Web Services
    1. How do you know if your AMIs are secure?
  3. Dynamic testing using a Proxy
    1. Burp
    2. Zap
  4. OWASP (Open Web Application Security Project)
    1. Newest OWASP Top 10 Release Candidate List is Out
    2. OWASP Mobile Top 10: A Critique
  5. DevSecOps: Shifting Security to the Left/Automating Security in DevOps Pipelines
    1. Static code analysis for security vulnerabilities
    2. Dynamic Application Security Testing (SAST) tools
    3. Interactive Application Security Testing (IAST) Tools
    4. Open Source Software (OSS) Vulnerability Scanning Tools
    5. Automated Security Test Cases
    6. Bamboo APIs – Love ’em
    7. Break Builds: Getting Devs to take action !
    8. Just In Time (JIT) Training
  6. Setting up Security Assurance Program
    1. Security Architecture
    2. Security Assessments
    3. Vulnerability Management
    4. Security Training
  7. Security Learning Resources
    1. Conferences
    2. Training
    3. Webinars/Webcasts
  8. Miscellaneous
    1. Do you know what your attacks are?
  9. Professional Success
    1. How to make effective presentations?  A Survival Guide for Techies