Comments on Jeremiah Grossman: Our infrastructure -- Assessing Over 2,000 websites

25 comments, shown oldest first. Times are as posted (UTC-07:00).

Anonymous, 2010-09-03 15:33:

Geeze, a webapp guy that knows his hardware. Who knew?

Jeremiah Grossman, 2010-09-03 15:42:

@Anonymous: LOL, I had some help with the draft to make sure all the big words were accurate. Usually if a subject doesn't start with "cross" or end with "jacking", I'm lost. :)

Dan, 2010-09-03 21:44:

Other than the first three paragraphs, a nice post. (Although, 2 100MB links seems a bit odd - I'd think you'd be better off if you spread them out a bit between telcos for better peering - but maybe you are using someone like InterNAP.)

Now, about those three paragraphs... :)

>Say Whaaa!?!

Are you suggesting that "Desktop" scanners _should_ scale?

That doesn't make any sense.

If you need to scan 100 websites, surely you might consider that a desktop tool is the wrong one to do so?

>He said, "Who beside you guys
>[WhiteHat] needs to scan that many
>websites at a time?" To which I
>humbly replied, "the customer."

The customer of the "Desktop" tool vendor or a WhiteHat customer?

If you meant the "Desktop" customer - they should consider an appropriate "Enterprise" tool. Strapping together 100 desktop tools seems too goofy to consider.

If you mean a WhiteHat SaaS customer - well, that's what you are there for. :)

In the real world, I don't think you will find too much demand for vast scaling to the degree that a SaaS vendor needs.

In my experience, even if the threats change daily, test schedules/windows, CM policies, approvals, backups, etc. slow things down to a more cautious pace.

Even when/if you do get authorization to do a BIG scan, a little bit of creative scheduling and risk assessment/prioritization will help with bottlenecks and keep your server and network teams happier with you anyway.

(This discussion almost ends up as an advertisement for WAF as 0-day protection.)

Anonymous, 2010-09-04 10:31:

Does the storage use any kind of encryption?

Dan, 2010-09-04 20:06:

Other than the first three paragraphs, a nice post. (Although, 2 100MB links seems a bit odd - I'd think you'd be better off if you spread them out a bit between telcos for better peering - but maybe you are using someone like InterNAP.)

Now, about those three paragraphs... :)

>Say Whaaa!?!

Are you suggesting that "Desktop" scanners _should_ scale?

That doesn't make any sense.

If you need to scan 100 websites within tight time constraints, surely you might consider that a desktop tool is the wrong one to do so?

>He said, "Who beside you guys
>[WhiteHat] needs to scan that many
>websites at a time?" To which I
>humbly replied, "the customer."

The customer of the "Desktop" tool vendor or a WhiteHat customer?

If you meant the "Desktop" customer - they should consider an appropriate "Enterprise" tool. Strapping together 100 desktop tools seems too goofy to consider.

If you mean a WhiteHat SaaS customer - well, that's what you are there for. :)

In the real world, I don't think you will find too much demand for vast scaling to the degree that a SaaS vendor needs.

In my experience, even if the threats change daily, test schedules/windows, CM policies, approvals, backups, etc. slow things down to a more cautious pace.

Even when/if you do get authorization to do a BIG scan, a little bit of creative scheduling and risk assessment/prioritization will help with bottlenecks and keep your server and network teams happier with you anyway.

(This discussion almost ends up as an advertisement for WAF as 0-day protection.)

Ory (http://blog.watchfire.com), 2010-09-05 03:33:

Jer,

For large enterprises that require scanning numerous applications, in a recurring manner, we have a different product called AppScan Enterprise, which does exactly that. It sits on dedicated hardware, uses a robust database, and can handle the load mentioned.

-Ory

Jeremiah Grossman, 2010-09-05 07:48:

@Anonymous: yes, enough file-system level crypto is applied in the case of physical hardware theft, the risk of which is already extremely low. Application level encryption is a more complicated subject because we must be able to read the data to perform our duties.

@Ory: Would you mind describing what AppScan Enterprise's hardware requirements would be when an organization needs to scan 100 sites simultaneously? And if the answer is "it depends," perhaps explaining how creating such an estimate is approached and estimated.

@Dan: I'm seeing your comments emailed to me, but for some reason they are not being posted to Blogger. Not sure if this is a bug or you are deleting the message. Either way, it's hard to respond to comments that no one else sees.

Jeremiah Grossman, 2010-09-05 08:15:

@Dan: The data center provider handles the relationships and connections through multiple telcos.

Desktop scanner vendors claim their solution scales, when it clearly does not at multiple levels. Secondly, in network VA, a single scan box is capable of scanning a huge host/IP space. The perception among many is that the same can be done in webappsec. Obviously not true.

"In the real world", our experience has been that there are a great many organizations who are responsible for literally hundreds if not thousands of websites. For those, yes, I think we'd be a fine match. :)

I'll not be addressing the WAF issue here, except to say that something needs to be done with the vulns found.

Ory, 2010-09-05 10:15:

Jer -

I'm sure no scanner vendor ever said that its desktop scanner scales to the point of 100 concurrent scans (at least not IBM). That's why there's an Enterprise scanner.

Do we really need to continue with the anti-scanner-vendor propaganda all the time? Or is that your way of protecting the business?

Jeremiah Grossman, 2010-09-05 10:53:

@Ory: Propaganda? I'm specifically comparing against the invalid claims perpetuated by desktop scanner vendors, which include IBM. A conversation that, yes, not only protects my business, but also protects customers against such false and misleading scalability claims.

I asked you a fair and direct question about the hardware requirements when deploying AppScan Enterprise to scan 100 sites simultaneously. You did not answer. If that's the way you protect your business, so be it.

Dan, 2010-09-05 10:59:

As far as I know, I am not doing anything weird - entering the message, doing the captcha, hitting submit... So, not sure, but it isn't me. :)

Jeremiah Grossman, 2010-09-05 11:01:

Posting for @Dan....

Other than the first three paragraphs, a nice post. (Although, 2 100MB links seems a bit odd - I'd think you'd be better off if you spread them out a bit between telcos for better peering - but maybe you are using someone like InterNAP.)

Now, about those three paragraphs... :)

>Say Whaaa!?!

Are you suggesting that "Desktop" scanners _should_ scale?

That doesn't make any sense.

If you need to scan 100 websites within tight time constraints, surely you might consider that a desktop tool is the wrong one to do so?

>He said, "Who beside you guys
>[WhiteHat] needs to scan that many
>websites at a time?" To which I
>humbly replied, "the customer."

The customer of the "Desktop" tool vendor or a WhiteHat customer?

If you meant the "Desktop" customer - they should consider an appropriate "Enterprise" tool. Strapping together 100 desktop tools seems too goofy to consider.

If you mean a WhiteHat SaaS customer - well, that's what you are there for. :)

In the real world, I don't think you will find too much demand for vast scaling to the degree that a SaaS vendor needs.

In my experience, even if the threats change daily, test schedules/windows, CM policies, approvals, backups, etc. slow things down to a more cautious pace.

Even when/if you do get authorization to do a BIG scan, a little bit of creative scheduling and risk assessment/prioritization will help with bottlenecks and keep your server and network teams happier with you anyway.

(This discussion almost ends up as an advertisement for WAF as 0-day protection.)

Ory, 2010-09-05 11:48:

Jer -

Can you give more specific examples of false claims made by IBM? Any quotes? References? Supporting documents?

With regards to the hardware required by AppScan Enterprise, this information is freely available on the IBM and IBM Support sites.

-Ory

Jeremiah Grossman, 2010-09-05 12:03:

Impossible-to-validate sales process nonsense claims aside...

The "Edition comparison" PDF (RAB14001USEN.PDF), linked from:
http://www-01.ibm.com/software/awdtools/appscan/enterprise/

says...

"The ability to scan and test thousands of applications simultaneously on a complex Web site and retest them frequently, following changes."

Let's try to define "scalable" in terms of hardware. Hardware requirements for AppScan Enterprise:

http://www-01.ibm.com/software/awdtools/appscan/enterprise/sysreq/?S_CMP=rnav

This does not give one any sense of how much will be required when scaled out to 100 simultaneous scans, let alone the "thousands" claimed. What is the formula?

Same question, 3 times now, and the last time I'll be asking.

Ory, 2010-09-05 12:25:

Hi,

I am not trying to stall or avoid giving an answer, I simply don't have the answer, since I do not deal with AppScan Enterprise. I'm mostly involved in the AppScan desktop product (Standard Edition), as you probably know.

Having said that, I guess our support team has a formula to help our (successful) customers with their scale-up questions.

What can I say - WhiteHat does it all, it's the best company, with the best scanning solution on the planet. There you go, I admit it, we suck, you rule :-)

Geez.

Ory, 2010-09-05 12:57:

I don't know why I keep coming back for more...but...it's stronger than me :-)

Back to my original point - we do not tell people that our !!desktop!! product can scan 100 applications, like your post suggests.

And now, I will go back to my quiet Sunday evening.

Dan, 2010-09-05 18:15:

@Jeremiah - Thanks for posting for me!

@Ory - Maybe it can... Thinking about the problem a bit more...

Aside from the initial scan for a new effort, wouldn't "normal" operations be to scan as part of the ongoing lifecycle, periodically, and as the threat changes?

So, once you get past that first "Scan Everything for Everything" scan (which I can't imagine would really be done all at once on 100 servers anyway - given the constraints I mentioned earlier), then you have:

1. Full "as needed" scans on some subset of hosts as their code & environment changes,
2. full "periodic" scans,
3. and delta scans for specific newly discovered vulnerabilities & techniques.

So, maybe you could reasonably cover 100 sites with a desktop tool, since the problem doesn't necessarily require a full crawl and scan over and over daily.

Running several new tests on 100 pre-crawled sites doesn't seem too far beyond the capabilities of desktop scanners - although, they would probably be serially executed (?) and not parallel.

But I'm not sure the average company will get too excited about serial versus parallel execution. If you're that time sensitive (and not a SaaS vendor) you probably need another control anyway - since fixes are going to take a while in an "Enterprise" environment.

Aside from SaaS vendors (little control of the schedule) and universities or hosting companies (little control of the content/configuration), what sort of users are you finding that require a high degree of parallel testing?

kingthorin, 2010-09-08 08:42:

@Dan
I totally agree with this question.

"Aside from SaaS vendors (little control of the schedule) and universities or hosting companies (little control of the content/configuration), what sort of users are you finding that require a high degree of parallel testing?"

If a single customer has 100 (or more) apps to look at then I think they have bigger business issues to consider.

Anonymous, 2010-09-12 19:27:

Hence why WhiteHat is an excellent choice for service providers like www.proactiverisk.com to leverage in helping clients meet the needs for enterprise -- no silver bullet, just a machine gun to be leveraged.

Home Depot has lots of HAMMERS; you have to pick the right one for the type of nail you want to hit ;)

Aaron Bryson, 2010-09-14 12:46:

Hi Jeremiah,

The desktop web application scanning products definitely do not scale, and as mentioned, they are not supposed to because that is not their intent.

As far as commercial scanning products (and I have used and have licenses to all the top commercial scanners), the vendors almost always offer two products: the desktop version, and the "enterprise" version. The difference between the two tends to average about $20,000 for a desktop license, and $1,000,000 for the enterprise product.

The enterprise product has to scale, so it will definitely require more hardware. That being said, there are a couple of things I have seen.

Company A will offer up the service in a SaaS manner, much like WhiteHat. This is great, because it removes a lot of the hardware burden (managing & building labs, etc.) from the customer; they are already struggling as it is.

Company B: the $1,000,000 price tag includes a company-wide license for unlimited scanning using the enterprise product. BUT they DO NOT provide the hardware/infrastructure/resources. The customer has to provide their own servers, virtual machines, etc. Company B sucks. : )

Then there are open-source web application vulnerability scanners. They don't scale either in an enterprise fashion, and because they are free there is little customer support. But for a single penetration tester with a single web application target, they are great!

Aaron Bryson, 2010-09-14 13:04:

There is something else that is worth noting.

When talking about desktop and enterprise scanning products, it is VERY important that both products use the same scanning engine, so that there is consistency. There are certain commercial scanning products out there that use a different code base in their desktop and enterprise product. So what happens is...you scan a web application with the enterprise and desktop product, and end up with a different list of vulnerabilities. False positives and, even worse, false negatives.

In addition, certain vendor enterprise scanners do not have the same "nerd knobs" as the desktop product. What that means is there is very little ability to fine-tune the enterprise scanner to a particular web application with the same granularity.

So you get quantity, and lose quality. Why can't I have both?!

Jeremiah Grossman, 2010-09-14 14:54:

@Aaron: Great insights, thank you for sharing. "nerd knobs", I like that. LOL! Who would have thought that scanning websites would require so much raw computing horsepower.

Anyway, the next challenge our customers are grappling with is how to tackle the mountain of vulnerability data.

Aaron Bryson, 2010-09-14 17:33:

What vulnerabilities? ; ) Haha.

Well, I am curious as to what experience you and others have on the subject of handling the mountain of scan data and remediations.

Also, Brook Schoenfield says, "hello".

Jeremiah Grossman, 2010-09-15 10:33:

@Aaron: Speaking from experience, when customers engage with us they quickly mature from the phase of just finding vulnerabilities to actually implementing a process to fix them.

"Fixes" are typically an application code change, a configuration change, or a web application firewall rule. Whatever the case may be, the vulnerability details and recommended action (policy?) must filter down from the security team to the appropriate people in the organization.

The way many of our customers have done this is by using the open XML API in Sentinel. The results are automatically pulled into a bug tracking system or into a higher-level dashboard like Archer. Of course the XML can also be automatically converted into WAF virtual patch rules.