WebGoat for testing your Application Security tools

Transcription

1 WebGoat for testing your Application Security tools NAISG-DFW February 28 th, 2012 Michael A Ortega, CISSP CEH CISM GCFA Sr Application Security Professional IBM Security Systems maortega@us.ibm.com 1

2 Agenda Application Security testing technologies What is WebGoat and should you use it App Sec testing examples using AppScan Dynamic Static Best tips/practices for your deployment for your tools Q&A 2

3 Application Security Testing Technologies Static Analysis (White Box testing) Dynamic Analysis (Black Box testing) Runtime Analysis (Glass Box testing) Scan input Scans source code and bytecode for security and quality issues. Requires access to source or bytecode Scans running web applications. Requires starting point URL, and login credentials where relevant Similar to black box to scan running web applications with an agent installed on the application Assessment techniques Uses taint analysis and pattern matching techniques to locate issues Tampering of HTTP messages to locate application and infrastructure layer issues Agent monitors application performance during a black box scan for expanding threat coverage and greater detail Role in application development lifecycle Development: Scan code and work remediation from IDE Build: Scan nightly or weekly build to highlight defects for developers to correct Security: Define & customize security best practices for developers; Execute preproduction scans and audits Build: Scan as part of build acceptance tests before releasing build to testing team Test: Execute security test scripts as part of quality plan Security: Define test scripts for quality plan; Execute preproduction scans and audits Build: Provides added layer of vulnerability detail that assists developers with security debugging Security: Expands threat coverage for hard-to-identify vulnerabilities (including all OWASP Top 10) Results & Output Results are presented by line of code, source to sink functions flow Results are presented as HTTP messages (exploit requests) Results are presented as a combination of HTTP messages (exploit requests) and the line of code 3

4 What is WebGoat? WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. * Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment * * Taken directly from the WebGoat project page 4

5 When should you use WebGoat you are new to Application Security testing you are evaluating Application Security tools your existing Application Security tools have had a major update or introduced a new feature you would like to test a global change with your existing Application Security solution You should not use WebGoat as your only criteria for selection a Application Security Testing solution 5

6 App Sec testing examples using AppScan Dynamic Static 6

7 Best Practices Determine best phased approach for your organization Security, QA and Development Collaborate on Policies and Approach Roles & Responsibility of each team Workflow between teams Official security strategy (i.e. all apps scanned and no high prior vulnerabilities) Agree on metrics to measure results and progress Formal Training/Enablement Plan Types of Security Vulnerabilities Analysis and triage skills Formal Solution training Identification of Security SME/Evangelist for Dev and QA Formation of security community Share best practices Share/create FAQs Ongoing informal enablement (i.e. lunch and learns) 7 Secure Your SDLC 7

8 Questions & Answers 8

9 References WebGoat Project Home Page: Install Guide: e_of_contents Web Application Security Consortium (WASC) Dynamic Scanner Selection Criteria: ecurity%20scanner%20evaluation%20criteria WASC Static Analysis Tool Evaluation Criteria (active): ol%20evaluation%20criteria 9