Aricent Highly Automated Vulnerability Assessment Orchestration Containers (HAVOC) Framework
Cyber Situational Awareness in the Product Life Cycle
Overview
Products are growing in complexity, experiencing shorter release lifecycles, and vulnerable to increasingly-sophisticated threats. The smarter they are now, the more lucrative targets they make. Consumer trust is a priority for manufacturers, developers, and vendors—who must always “get security right”—while adversaries need only succeed once. As we design for security, there is a significant focus on product hardening, and prioritizing preventive controls.

Aricent’s Highly Automated Vulnerability Assessment Orchestration Containers (HAVOC) framework automates security testing—enabling clients to harden products/ecosystems, and reduce risk of zero-day vulnerabilities. HAVOC provides extensive tool coverage, accelerates security analysts’ processes, and is highly scalable. Organizations leveraging HAVOC no longer require large, highly skilled, and expensive-to-maintain workforces to design for security, and ensure a high degree of consumer trust.

Security as a Value Creator
Product security testing relies on static/dynamic code analysis, vulnerability assessments, penetration testing, and compliance checks. These contemporary approaches face a number of challenges including the perception of security as a cost center as opposed to a value creator.

Speed and Evolution
Traditional approaches are geared toward waterfall models and monolithic environments, with infrequent pre-release tests and limited post-deployment assessments. They have not evolved to accommodate speed and rigor of Agile or DevOps processes. With the adoption of micro-service architectures—via message queueing and containerization—and distributed cloud-based functions such as AWS Lambda, current approaches will yield inaccurate threat models and assessments.

Scale and Heterogeneity
Increase in product frequency release or number of tools utilized results in linear scalability (the best case) for skilled security analysts and developers, which is infeasible from the perspective of cost and talent fulfillment. For IoT ecosystems, not only is scale a concern, but heterogeneity in the form of testing device firmware, edge connectivity protocols, gateway firmware, application software, cloud connectivity, micro-services, and web/mobile applications - is also a major concern.

Design and Integrity
Current approaches are atomic, requiring mundane tasks, such as false-positive identification, deduplication, correlation and prioritization to be performed repeatedly. There is no persistent, iterative risk-mitigation process, which leads to time-intensive assessments. Moreover, there are integrity concerns in the form of false-negatives, such as undetected threats, if too few tools are used.

Left Shift in Product Security
Aricent’s HAVOC framework enables product manufacturers, developers, and vendors to integrate security testing in their product lifecycle management, adopt a risk-based approach toward vulnerability remediation, and enhance consumer trust in the ecosystem. It is not intended as an alternative to or replacement for scanning tools, rather it enables clients to extract maximum value from existing tool investments and deployments.

[Figure 1: HAVOC adopts a scalable, risk-based approach toward vulnerability remediation. Diagram stages: (1) Static Code Analysis, (2) Dynamic Analysis & Vulnerability Assessment, (3) Automated & Adversary-Oriented Penetration Testing, (4) Prioritized Remediation, across Development and Deployment. Finding labels: Source Code Warning, Source Code Vulnerability, DAST Vulnerability, Exploitable Vulnerability.]

HAVOC automates and orchestrates code analysis, vulnerability assessment, and penetration testing tools to provide comprehensive, unified insights.

[Figure 2: HAVOC Automation & Orchestration. Diagram labels:
• Orchestrator
• UI
• Scalable Containers
• Scalable, optimized, and parallelized execution of tools via task queues
• Automated Security Code Reviews, Finding Deduplication, & FP Elimination
• Automated vulnerability scans for comprehensive attack surface assessment
• Pen Tests to determine attack vector success probability, and automate detection of relatively easily exploitable targets
• Customizable applications and networks across enterprise, mobile, and IoT for continuous scanning
• Data lake infrastructure for optimal storage (relational, graph) of results, graph analytics, and deep-link analysis
• Extensible 3rd party integrations for exploit, and context enrichment
• Reporting & Analytics
• Visualization of persistent vulnerabilities, exploitability risk, vulnerability correlation across releases or products/apps
• Continuous, Scalable Assessments
• Automated Reporting and Vulnerability Mitigation Prioritization
• Insights for vulnerability association with specific libraries, components, and/or configuration changes
• Extensible across organizations, and enablement of SCR/VAPTaaS]
During product development, continuous running of code analysis tools ensures implementation of secure coding practices and applicable controls. Automated vulnerability scans in development environments or product prototypes help uncover vulnerabilities, which are automatically exploited via numerous contemporary techniques to determine risk. Findings throughout the process are normalized, aggregated, deduplicated, enriched (with attributions, potential solutions, etc.) and prioritized. This degree of automation, coupled with higher-order analytics and insights obtained from graph-based approaches and machine learning, allows for extensive coverage via a small security team. Furthermore, it enables security testers to focus on adversary-oriented penetration testing, as opposed to mundane procedural tasks.

Key Features

Modular, Extensible Tool-Suite
• Numerous commercial and open-source Static/Dynamic Analysis, Vulnerability Assessment, and Penetration Testing tools supported
• Seamless integration of Mobile/IoT-specific tools, and client-specific security/compliance tools

Horizontal Scalability and Cloud Enablement
• Virtual Machine (VM) instances or Docker containers for demand-based testing, configuration-free, cloud-native runs
• Reduction of infrastructure licensing costs, as VMs or containers are only active for assessment duration

Graph and ML for Insights and Visualization
• Algorithms—such as PGM, Bayesian Modeling and Clustering—to determine exploitability, key vulnerabilities, principal attack surfaces, and tool efficacy
• Natural Language Processing (NLP) to de-duplicate findings, reduce false-positives, and apply exploits
• Developer and security analyst dashboards for insights, graph-based visualization for threat hunting, and stakeholder-report generation

Secure DevOps Enablement
• Integration of Continuous Integration (CI) tools, such as Jenkins, for agile security testing
• Attribution of exploitable vulnerabilities to source-code vulnerabilities, along with remediation guidelines, for increased developer throughput and delivery quality assurance

Use Cases
HAVOC’s versatility renders it a value-added solution across numerous use cases that include:
• Infrastructure and Private-Cloud Security: Hardening OpenStack environments—including OS images for bare-metal infrastructure or VMs, VNFs, and network components.
• Risk-Based Change Management: Fingerprinting of baseline environments, and continuous scanning, to ensure network, host, or application updates or configuration changes do not introduce new vulnerabilities.
• IoT Security Assessment: Scalable vulnerability assessment and penetration testing for IoT ecosystems that leverage micro-services (such as queueing and containers), distributed deployment (such as edge, fog and cloud models) and utilization of IoT-specific testing tools.
• Secure DevOps Enablement: Automated secure code reviews and attestation of committed code and/or development pipelines, continuous vulnerability assessments of nightly builds, and risk-based remediation insights for developers.
• Product SIEM: Utilization as a Product SIEM to continuously evaluate product-centric threats, and correlation of network activity/observables from deployed products.

Aricent Differentiators
Aricent’s offering can be leveraged via a licensable framework that is extensible by clients, customizable for client-specific needs via Aricent’s services, or deployed as a managed service for those seeking strategic, comprehensive testing capabilities. Additional capabilities include:
• Growing ecosystem of supported Static/Dynamic Analysis, Vulnerability Assessment, and Penetration Testing tools
• Continuously enhanced analytics, insights, and reporting capabilities
• Integration and offering with Aricent’s DevOps framework for provisioning and implementation of a Secure DevOps methodology and pipeline

Why Aricent?
Aricent Security Services bring bespoke and product-centric security capabilities to enterprise and consumer software, Network Equipment Providers, Communication Service Providers and Semiconductor companies. Aricent Security Services ensure an elevated product security posture and help mitigate against zero-day exploits. Aricent’s Security Software Frameworks and Solutions accelerate the deployment of differentiated security capabilities and include: HAVOC, IDROCK, Network Security Protocol Stacks, and Security Virtual Network Functions.
Contacts
Prakasha Ramachandra, AVP, Security Practice Leader. Email: [email protected]
Shaan Mulchandani, Director, Security Industry Solution Leader. Email: [email protected]
About Aricent
Aricent is a global design and engineering company innovating for the digital era. With more than 12,000 design and engineering talent and over 25 years of experience, we help the world’s leading companies solve their most important business and technology innovation challenges - from Customer to Chip.
© 2017 Aricent. All rights reserved. All Aricent brand and product names are service marks, trademarks, or registered marks of Aricent in the United States and other countries.