Reducing Our Attack Surface with AppSec Platform

Michael Whiteman
Published in WW Tech Blog
Jul 7, 2020

Reducing an organization’s exposure to cyber threats (frequently referred to as its “attack surface”) has become a key objective for many cybersecurity programs. While the concept isn’t new, rapid digital transformation is forcing security teams to fundamentally rethink the way they manage risk across a changing application landscape. Engineering teams are increasingly investing in microservices architectures, cloud/SaaS platforms, and “no code” solutions, which drive digital transformation but significantly change the attack surface from the traditional monolithic application.

Therein lies the challenge: In a world in which digital assets are often growing much faster than security teams, how can you continuously discover and monitor your web assets, regardless of where they reside?

Introducing AppSec Platform

To help address this challenge, we set out to build an automated scanning platform that continuously discovers public WW web assets, performs port scanning, fingerprinting, and other useful reconnaissance, and launches light security scanning to identify potential risks — all built upon free open source tools and low-cost AWS services.

The collected reconnaissance and vulnerability data is fed to a central platform which deduplicates results, filters out known false positives, and generates automated Slack alerts for high-risk issues that require the Product Security team’s attention.

We call this project WW’s AppSec Platform, and we’re excited to share not only an overview of how we built it, but also how you can build a similar pipeline to drive attack surface reduction within your own organization.

Architecture

At a high-level, AppSec Platform consists of two key components:

  1. Scanning tools
  2. AppSec Platform API

Scanning tools are open source tools that we’ve forked and customized for our use case around discovering assets, fingerprinting running services, or identifying potential security issues. These tools are deployed as Kubernetes jobs, run on a variable cadence (every five minutes to one hour depending on the tool), and feed scan results to the AppSec Platform API running in AWS.

The AppSec Platform API is a collection of Python 3.x Lambda functions fronted by AWS API Gateway. As scanning tools run and report results to the API, the Lambdas process the data accordingly and provide logic to handle situations such as duplicate results, false positives, and already known issues. Data is sent to MongoDB for persistent storage and made actionable via a Flask-based web dashboard, along with Slack message alerts for relevant security findings.

The diagram below provides a high-level overview of the architecture:

Key Features of AppSec Platform

1) Asset Discovery and Reconnaissance

Thanks to Google’s strong push for Certificate Transparency and the proliferation of bug bounty programs, the security community has open sourced a variety of different tools to help discover web assets. Even if you only stick to the free discovery methods and avoid paid APIs and services, asset discovery techniques such as scraping Certificate Transparency logs, reverse WHOIS lookups, and Wayback archive searches will provide significant visibility into your less well-known web assets.

Thankfully, there are many reliable tools that will aggregate and rationalize discovery data for you. We tried a few different tools and found the following two particularly useful:

  • Amass — OWASP’s Attack Surface Mapping tool
  • Subfinder — Passive subdomain discovery tool

We run asset discovery scans multiple times a day and feed findings from the discovery tools into the AppSec Platform API. While keeping an up-to-date inventory of both legacy and new assets is important, we’re particularly interested in gaining visibility into new applications. When a DNS record is discovered for the first time, the AppSec Platform API generates a Slack message notifying the team to determine if additional action is required:

New asset detection notification (example subdomains)

Once an asset is discovered, AppSec Platform will run a series of intelligence gathering tools to increase our visibility and answer key questions, such as:

We use Aquatone, Wappalyzer, and nmap for the screenshot capture, tech stack fingerprinting, and port scanning, respectively. The intelligence is captured in a MongoDB collection and viewable in the dashboard described later in the blog post.

Quick tips to building this yourself

  • If you don’t have access to authoritative DNS sources, start with a single asset discovery tool to generate your initial list of assets.
  • Ensure you have a quick script to validate DNS resolution — most assets you discover through reconnaissance will be long dead (and not very useful).
  • Capture scan data in a persistent data store and ensure you collect discovery metadata such as first detected timestamp, last detected timestamp, and DNS resolution status.
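The ingestion step behind the new-asset alert and the three tips above, as an added example rather than WW's own code: it merges one discovery run into an inventory that records first_seen, last_seen and DNS resolution status, and returns the hostnames seen for the first time. The in-memory dict, the `fake_resolver` and the `FAKE_DNS` table are constructed stand-ins for MongoDB and real DNS so the example runs offline; `socket_resolver` shows the real lookup.

```python
import socket
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List, Optional

# A resolver maps a hostname to an IP string, or None when the name does not resolve.
Resolver = Callable[[str], Optional[str]]

def ingest_assets(inventory: Dict[str, dict], discovered: Iterable[str],
                  resolve: Resolver, now: Optional[datetime] = None) -> List[str]:
    """Merge one discovery run into the inventory; return hostnames seen for the first time.

    Each record keeps the metadata from the tips above (first_seen, last_seen and
    current DNS resolution status). The dict stands in for the MongoDB collection.
    """
    now = now or datetime.now(timezone.utc)
    new_assets = []
    # Normalise names so "API.example.com." and "api.example.com" deduplicate.
    for host in {h.strip().lower().rstrip(".") for h in discovered if h.strip()}:
        ip = resolve(host)
        record = inventory.get(host)
        if record is None:
            inventory[host] = {"first_seen": now, "last_seen": now,
                               "resolves": ip is not None, "ip": ip}
            new_assets.append(host)  # first sighting: this is what the Slack alert is for
        else:
            record.update(last_seen=now, resolves=ip is not None, ip=ip)
    return sorted(new_assets)

def live_assets(inventory: Dict[str, dict]) -> List[str]:
    """Only names that currently resolve are worth handing to the scanners."""
    return sorted(h for h, r in inventory.items() if r["resolves"])

def socket_resolver(host: str) -> Optional[str]:
    """Real resolver for production use; the offline demo data below does not call it."""
    try:
        return socket.gethostbyname(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None

# Constructed sample data: a fake DNS table so the example runs without network access.
FAKE_DNS = {"app.example.com": "203.0.113.10", "api.example.com": "203.0.113.11"}

def fake_resolver(host: str) -> Optional[str]:
    return FAKE_DNS.get(host)
```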

2) Continuous Security Monitoring

Once AppSec Platform has captured basic intelligence on an asset, it launches a light scan for common security misconfigurations. We tend to focus on security issues that are easy to find and fix and that can be identified very quickly at scale.

In general, our approach has been to fork popular open source Python tools, customize them to feed results into the AppSec Platform API, and add multi-threading (e.g. the Pebble concurrency library) to execute efficient parallel scans with minimal scan time. Scans of our entire public footprint often take less than five minutes.

While your environment may have different use cases, the following are examples of vulnerability classes that are relatively easy to detect using open source tools:

  • CORS misconfigurations
  • Subdomain takeovers
  • TLS misconfigurations
  • Exposed secrets (e.g. API keys)
  • Content discovery / server misconfigurations

Each of our scanning tools is Dockerized and deployed as a K8s job to run on a specified cadence. When a potential security issue is discovered during scanning, a Slack alert is dispatched to the Product Security team, who reviews the relevant information and can manage workflow directly within Slack via interactive status buttons:

Example AppSec Platform Slack vulnerability alert

Changes to the issue status (such as when a team member closes out a vulnerability as a “false positive”) are sent to a Slack callback and updated in the database and platform dashboard in real time.

When an existing security issue is no longer detected, the AppSec Platform will also send a notification to the team letting them know that the issue has been resolved and the issue status is updated accordingly:

Automated Slack notifications when issues have been resolved

Quick tips to building this yourself

  • Categorize your known vulnerabilities to determine which vulnerability classes are most relevant to your environment.
  • Focus on integrating open source tools which can provide very quick scanning and results (even non-security tools can be useful — the requests library can be used for very lightweight TLS misconfiguration scanning).
  • When ingesting scan results, build simple logic to handle situations like false positives and resolved issues. To start, it could be as simple as suppressing any alerts for issues already marked as a known false positive, and running a daily batch job which automatically closes vulnerabilities which haven’t been discovered in the last “x” days.
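The result-ingestion logic described in the last tip, together with the resolved-issue and status-callback behaviour described earlier in this section, as an added example that is not WW's code: known false positives are recorded silently, issues not seen for "x" days are closed by a batch job, and a closed issue that shows up again is reopened. The dict stands in for MongoDB, the returned strings stand in for Slack messages, and `run_demo` walks a constructed scenario with fixed timestamps.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

# A finding is (hostname, vulnerability class); the db dict stands in for MongoDB.

def ingest_findings(db: Dict[str, dict], findings: Iterable[Tuple[str, str]],
                    now: datetime) -> List[str]:
    """Merge one scan run into db and return the Slack alerts that should go out."""
    alerts = []
    for host, vuln_class in findings:
        key = f"{host}|{vuln_class}"
        rec = db.get(key)
        if rec is None:
            db[key] = {"status": "open", "first_seen": now, "last_seen": now}
            alerts.append(f"NEW {key}")
            continue
        rec["last_seen"] = now
        if rec["status"] == "false_positive":
            continue  # known false positive: record the sighting, send nothing
        if rec["status"] == "resolved":
            rec["status"] = "open"  # it came back: reopen and tell the team
            alerts.append(f"REOPENED {key}")
    return alerts

def set_status(db: Dict[str, dict], key: str, status: str) -> None:
    """What the Slack interactive-button callback would call."""
    db[key]["status"] = status

def close_stale(db: Dict[str, dict], max_age_days: int, now: datetime) -> List[str]:
    """Daily batch job: resolve open issues not seen in the last max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    alerts = []
    for key, rec in db.items():
        if rec["status"] == "open" and rec["last_seen"] < cutoff:
            rec["status"] = "resolved"
            alerts.append(f"RESOLVED {key}")
    return alerts

def run_demo() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Constructed scenario: one finding marked FP, one going stale and then returning."""
    db: Dict[str, dict] = {}
    t0 = datetime(2020, 7, 1, tzinfo=timezone.utc)
    cors, tls = ("app.example.com", "cors"), ("api.example.com", "tls")
    day1 = ingest_findings(db, [cors, tls], now=t0)
    set_status(db, "app.example.com|cors", "false_positive")
    day2 = ingest_findings(db, [cors, tls], now=t0 + timedelta(days=1))
    batch = close_stale(db, 7, now=t0 + timedelta(days=10))
    day11 = ingest_findings(db, [tls], now=t0 + timedelta(days=11))
    return day1, day2, batch, day11
```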

3) Platform Dashboard

We quickly discovered that asset reconnaissance is only useful if you have an intuitive way to view, manipulate, and search through your data. We built a simple Flask dashboard that provides CRUD operations and searching capabilities, so that team members can analyze and monitor data in real time:

Flask dashboard transforms raw data into useful insights

In addition to providing a view into potential security misconfigurations, the aggregated reconnaissance data also helps us answer common questions that can often be challenging for security teams, such as:

  • What web applications are using “x” third-party component or library?
  • Do any of our applications have potentially dangerous ports or services exposed, such as anonymous FTP, ElastiCache, Redis, etc.?
  • Which applications are written in “non-standard” programming languages (e.g. PHP)?

We frequently consult the dashboard to identify potentially higher-risk applications and drive attack surface reduction with the appropriate teams.

Quick tips to building this yourself

  • Most languages provide frameworks or libraries with basic dashboard functionality. Once you have the data in a defined schema accessible via a data store, it becomes relatively easy to implement an interactive web view.
  • Modern tech stacks are often complex and can be overwhelming to analyze. We use Wappalyzer’s built-in icon library (with hover-over descriptions) to help teams quickly visualize an application’s tech stack.
  • If using a microservices approach to scanning, you may want to capture tool scan log data (such as last scan start time, last scan end time, etc.) in your dashboard so the team can quickly troubleshoot when scans are not completing successfully.

Conclusion

We’ve found proactive attack surface management to be a key component in helping to reduce cybersecurity risk. While not designed to be a replacement for more traditional security testing techniques, such as CI/CD scanning, bug bounty programs, or penetration testing, attack surface management provides teams with much needed visibility into web applications regardless of what team manages them or where/how they are deployed.

AppSec Platform helps us automate asset discovery, reconnaissance, and lightweight scanning across our diverse ecosystem of applications. Although the current form of AppSec Platform is very customized to our environment and not yet ready to be open sourced, we hope this guide helps you build your own automated platform to reduce your attack surface using readily available open source tools and technologies.

— Michael Whiteman, Senior Manager of Product Security
