PENETRATION TESTING IN THE DEVELOPMENTAL ENVIRONMENT Benefiting the Developer Bill Argenbright and Al Pruitt 2 December 2015

Transcription

1 PENETRATION TESTING IN THE DEVELOPMENTAL ENVIRONMENT Benefiting the Developer Bill Argenbright and Al Pruitt 2 December 2015

2 SLIDE 2 Incorporating Security into the Software Development Life Cycle (SDLC) Introduction Engineering V-Model Security Initiation Vulnerability Scan vice Penetration Test When to Test Web Testing

3 SLIDE 3 Biggest Revolution in Warfare The increasingly wired nature of the world means cyberspace will likely be the world's next large battlefield (if it isn't already). Israel, always at the forefront of military technology, is paying close attention to the way the wind is blowing. Major General Aviv Kochavi, speaking at the annual conference of the Institute for National Security Studies in Tel Aviv, went on record as saying "cyber, in my modest opinion, will soon be revealed to be the biggest revolution in warfare, more than gunpowder and the utilization of air power in the last century."

4 SLIDE 4 Introduction Engineering V- Model System Development Software Development (Applications/Widgets) Two Streams Specification Testing Stream

5 SLIDE 5 Cyber Threat Tiers Tier I II III Description Practitioners who rely on others to develop the malicious code, delivery mechanisms, and execution strategy (use known exploits). Practitioners with a greater depth of experience, with the ability to develop their own tools (from publically known vulnerabilities). Practitioners who focus on the discovery and use of unknown malicious code, are adept at installing user and kernel mode root kits, frequently use data mining tools, target corporate executives and key users (government and industry) for the purpose of stealing personal and corporate data with the expressed purpose of selling the information to other criminal elements. IV V VI Criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits. State actors who create vulnerabilities through an active program to influence commercial products and services during design, development or manufacturing, or with the ability to impact products while in the supply chain to enable exploitation of networks and systems of interest. States with the ability to successfully execute full spectrum (cyber capabilities in combination with all of their military and intelligence capabilities) operations to achieve a specific outcome in political, military, economic, etc. domains and apply at scale.

6 SLIDE 6 Security Initiation Phase

7 SLIDE 7 Vulnerability Scan vice Penetration Test Assured Compliance Assessment Solution (ACAS) 5 Pieces or Options Continuous visibility across the enterprise by coupling active and passive scanning. eeye Retina Network Security Scanner As software or as a hardware appliance Provides cross-platform vulnerability management. Identify not only known vulnerabilities, but zero-day vulnerabilities as well. Rapid 7 Vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation.

8 SLIDE 8 Vulnerability Scan vice Penetration Test Pen Testing is Tool Based with Manual Input Metasploit Pro (Cost) / Backtrack 5 r3 (freeware) Core Impact (Cost) Social-Engineer Toolkit (SET) (Freeware) Wireshark (Freeware) Burp Suite (Cost) Cain & Able (Freeware) Nmap (Freeware) Nexpose (Cost) Nessus (Cost) W3af Web Application (Freeware) Netsparker Web Application (Cost)

9 SLIDE 9 When penetration testing should be performed Pen tests should be scheduled and performed on a regular basis. The number of times a pen test is performed per year will depend on factors such as environment and industry. In addition to scheduled pen tests, additional testing should be performed when: New network infrastructure or applications are added. Significant upgrades or modifications are applied to infrastructure or applications. New office locations are established. Security patches are applied. End user policies are modified. Well known vulnerability is revealed to the public.

10 SLIDE 10 New Battlefield President Obama stated, America's economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet. Lt. Gen. George Flynn, then-deputy commandant commanding the Marine Corps Combat Development Command, was dual-hatted as the first head of MARFORCYBER. He summed up the Marine role as ensuring defense of the Corps and DoD cyber turf. The cyberspace domain is the newest and possibly the most complicated we must now dominate. If we are to be dominant on land, at sea, and in the air, we must be dominant in cyber, he said.

11 SLIDE 11 What Type of Pen Testing Should be Performed What exactly is a Web Application A Web application is an application, generally comprised of a collection of scripts that reside on a Web server and interact with databases or other sources of dynamic content. Web Application Penetration Testing Application Pen Testing Software Pen Testing, better known as Code Review

12 SLIDE 12 Greatest Threat The Army has over 200 years experience dealing with the physical threats of the battlefield, and leaders are pretty confident in their ability to overcome them. These days, it is the other kind of threat that has them concerned. "The greatest threat I face as a brigade commander on the battlefield is not tanks, snipers or IEDs," Col. Chuck Masaracchia said as the Army got started hosting the largest-ever joint forces network exercise. "It's defending the network."

13 SLIDE 13 QUESTIONS?