Application Security Testing

Transcription

1 Tstsec - Version: 1 09 July 2016 Application Security Testing

2 Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the most valuable asset is information. There is no doubt that today's applications must be secure. Security Standards are created to insure products will implement security measures to protect their data. Security is an "all-inclusive" term, which means it must be implemented "everywhere", in all levels: Users: Train your users and build awareness to help them to reduce the risk of performing irresponsible actions which will be used by the attacker. Make sure your UI helps your user to take the correct decisions. Infrastructure: Firewalls, Network Admin, Host & Server Hardening, Network traffic encryption etc. Application: Authentication, Authorization, Input validation, Encryption, Configuration management, Parameters manipulation, Auditing, Error Handling etc. The application must be designed and implemented while taking security issues into consideration. We have to remember that the attacker needs to find just one security breach while we have to protect everywhere. Leaving one of the above levels unhandled will result in a completely unsecured product. Application security is not just another feature. You can not just turn it on. Application security demands a lot of thinking. Threat modeling and a lot of design work must be done. Many concrete actions must follow in every phase of the development cycle.

3 Security Testing: Testing is a crucial part of Security Development Lifecycle. The tester must understand methodology of secure development. He has to build a security test plan using the threat modeling documentation. The tester has to understand the Hacking mechanics. He has to get out of the box and think like a hacker. The tester has to know the security testing methodology. The hacker must be diligent and work systematically to find security breaches All this and more will be taught in the course. Intended audience: This course is intended for Test engineers, Test Team Leaders, Quality Officers/Engineers. Prerequisites: Participants should be familiar with the general concept of a Web development & technologies Objectives: Write a Security Test Plan Understand common attacks Understand and practice the procedure of security testing & Hacking Be able to take an application and conduct Penetration Testing and Fuzzing. Work with common tools in the market. Topics: What is application security What does Application Security deals with Best practices

4 º WS basics º In the Lab the students will test a live demo site using the tools and methods they learned in the class. Network Hacking Labs (2 days) Network Discovery Enumeration Null Sessions and shares Sniffing Bypass identity management. Vulnerabilities Scanners Attack Frameworks Reverse shells Trojans Applications Tampering DOS º Networking Attacks simulation Tools and methods

5 º The students will conduct code scanning SDL Security Development Life Cycle and Threats and vulnerabilities The STRIDE categories Creating a threat model The SDL methodology º Security Challenges in the SOA world and testing implications º The students will conduct threat modeling Writing a security test plan How to write security test cases How to set up security testing programs (and how they are different from standard testing) OWASP testing best practices º Federation and check identity

6 º The students will design and conduct a fuzzing test Web technologies & security Technologies Http & TCP Servers & Proxies Encryption and Hashing SSL & Digital signatures Authentication Technologies Common attacks & Demos OWASP top ten Buffer Overrun SQL Injection Cross Side Scripting XSS Denial Of Service (many types) Back Doors Spoofing Forceful browsing & Flow Bypassing Parameter manipulation Information Disclosure One Click Attack Session Hijacking Cookie Poisoning Directory Traversal º XML WS standards

7 º Validation Testing execution and methodologies Requirement phase Design phase Discovery phase The security testing check lists Execution phase - Attacks simulation Tools and methods º Discovery tools º Http Proxies º Fuzzing tools º Crackers (Brute force, Hashing ) º Scanners º Code analyzers How to choose the correct tool Tools evaluation Fuzzing Penetration Testing White box vs. black box After testing Static and dynamic code analysis theory Describe how the tools work and compare them Static code analyzer review Dynamic code analyzer review º Web Services Documentation How to write a security report Mitigations

8 º App security Labs