Bridging the Gap - Security and Software Testing. Roberto Suggi Liverani ANZTB Test Conference - March 2011

Similar documents
Application Code Development Standards

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

The Top Web Application Attacks: Are you vulnerable?

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

How to Build a Trusted Application. John Dickson, CISSP

Application Security Testing

(WAPT) Web Application Penetration Testing

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Testing the OWASP Top 10 Security Issues

Successful Strategies for QA- Based Security Testing

Web Application Report

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Data Breaches and Web Servers: The Giant Sucking Sound

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Web Application Penetration Testing

WHITEPAPER. Nessus Exploit Integration

Chapter 1 Web Application (In)security 1

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Web application testing

Passing PCI Compliance How to Address the Application Security Mandates

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Web Application Security

Secrets of Vulnerability Scanning: Nessus, Nmap and More. Ron Bowes - Researcher, Tenable Network Security

What is Web Security? Motivation

Check list for web developers

Network Security Audit. Vulnerability Assessment (VA)

Intrusion detection for web applications

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Common Security Vulnerabilities in Online Payment Systems

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Penetration Testing with Kali Linux

Criteria for web application security check. Version

Anybody who has a Web presence understands that

Essential IT Security Testing

Adobe Systems Incorporated

Magento Security and Vulnerabilities. Roman Stepanov

Using Nessus In Web Application Vulnerability Assessments

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Penetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box

Project 2: Web Security Pitfalls

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Application security testing: Protecting your application and data

Web Application security testing: who tests the test?

APPLICATION SECURITY AND ITS IMPORTANCE

Web Application Worms & Browser Insecurity

OWASP OWASP. The OWASP Foundation Selected vulnerabilities in web management consoles of network devices

Enterprise Application Security Workshop Series

Øredev Web application testing using a proxy. Lucas Nelson, Symantec Inc.

Rational AppScan & Ounce Products

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Open Web Application Security Project Open source advocacy group > web security Projects dedicated to security on the web

Testing for Security

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Secure development and the SDLC. Presented By Jerry

Pentests more than just using the proper tools

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Ethical Hacking as a Professional Penetration Testing Technique

Learn Ethical Hacking, Become a Pentester

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Bust a cap in a web app with OWASP ZAP

Web Hacking Incidents Revealed: Trends, Stats and How to Defend. Ryan Barnett Senior Security Researcher SpiderLabs Research

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Analysis of SQL injection prevention using a proxy server

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Simon Fraser University. Web Security. Dr. Abhijit Sen CMPT 470

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Reducing Application Vulnerabilities by Security Engineering

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Web application security: automated scanning versus manual penetration testing.

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Standard: Web Application Development

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

HackMiami Web Application Scanner 2013 PwnOff

Web Application Guidelines

Web attacks and security: SQL injection and cross-site scripting (XSS)

Penetration Testing Lessons Learned. Security Research

How To Understand And Understand The Security Of A Web Browser (For Web Users)

Web Application Security

WEB APPLICATION HACKING. Part 2: Tools of the Trade (and how to use them)

Improving Web Application Security by Eliminating CWEs Weijie Chen, China INFSY 6891 Software Assurance Professor Dr. Maurice Dawson 15 December 2015

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Pentests more than just using the proper tools

Hacking Database for Owning your Data

OWASP TOP 10 ILIA

Application Security and the SDLC. Dan Cornell Denim Group, Ltd.

OWASP Top Ten Tools and Tactics

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Advanced Web Security, Lab

Transcription:

Bridging the Gap - Security and Software Testing Roberto Suggi Liverani ANZTB Test Conference - March 2011 1

Agenda Roberto, what test are you doing? Is this a defect, vulnerability or both? What can we do to improve things? 2

About Me Roberto Suggi Liverani Principal Security Consultant - Security-Assessment.com roberto.suggi@security-assessment.com http://www.security-assessment.com Founded OWASP New Zealand Chapter http://owasp.org/index.php/owasp_new_zealand Research topics: Black SEO Firefox Extensions Bug discovery Blog: http://malerisch.net Twitter: https://twitter.com/malerisch 3

Part I Roberto, what test are you doing? 4

What do I do for living (and fun) Hack almost everything Web Applications, Software, Networks, etc Experience From small companies to large enterprises Findings bugs Not just my work, it s also my passion 5

Security Testing Type of assessment Black Box Grey Box White Box Type of services Web application intrusion testing Source code review Software testing Scope Discover security bugs Provide recommendations 6

Prerequisites NO QA = NO Security Testing Target software/application must be 100% functional A correct QA process ensures reliable results The environment must be stable during testing No testing while changes occur A confirmed security issue must be reproducible The real world Applications haven t had through QA testing Functionality issues (defects) often found 7

Security Testing Process Information gathering Follow hacker instinct Spot vulnerability before starting testing Follow methodologies Web Application OWASP Testing Guide Software testing The art of software security assessment Exploiting software 8

Tools Web hacking Web Proxies Web Scanner Frameworks Browser + Extensions/Add-ons Manual testing Software testing Disassembler and debugger Extensions + Plugins Fuzzing tools Source code review Static analysis tools 9

What do we find? Common vulnerabilities in web applications A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References [ ] Frameworks PHP Java.NET 10

Bugs In Software Memory corruption bugs Stack/Heap buffer overflows Other bugs Filter controls bypass Where? Some examples from our research: Browser and browser plugins Internet Kiosks File Formats (e.g. chm) MS Office Products 11

After Testing Reporting Exec/tech overviews Details section Recommendations Classification and severity Type of vulnerability Level of exploitability Discussion with clients 12

Ideal Approach Ideal approach Security should be a priority in early phases Security must be a component of every project From the initial stage to production Changes in the industry Some of our clients are moving in this direction New project: Ask us - What do you think? Recommendations can help avoid serious design flaws 13

Part II Is this a defect, vulnerability or both? 14

A defect or a vulnerability? Definition defect = potential vulnerability Defects can: Hide an underlying vulnerability Have security implications (and so it is also a vulnerability) Lead in the discovery of a vulnerable associated component Strategy prior testing Ask for more info from QA testers 15

Sharing is caring! QA feedback User A edits profile page; has details of user B Could not reproduce the issue Assumption This is a proxy/load balancing issue Analysis Security issues in the session management Conclusions Each team might have their own ideas about the issue Further investigation is required if opinion differs on the same matter 16

Login Fails Open QA Feedback When I login using these steps, the Welcome page is blank Analysis Login bypass via internal pages Conclusion A defect affecting a critical security component (e.g. authentication) is a vulnerability 17

Lethal Injections QA Feedback Last name with single quote (e.g. N Doba) accepted Database error when changing last name from user profile page Analysis The single quote broke the SQL query statement SQL injection allowed remote code execution Conclusion Simple observations can make the difference 18

I like refunds QA Feedback Refund action is possible For each refund, 50 cents is given to merchant System accepted 2 split refund transactions for the same payment Analysis A 10 dollar payment refunded with mini transactions of 1 cent For each mini transaction, 50 cents were given to the merchant Fraud was possible Conclusion A defect can lead to discovery of security issues in other components associated to the defect 19

I would like all the seats, please. QA Feedback System is fine but we did not test the release mechanism for booked seats Analysis System failed to free booked seats if not purchased Conclusion Untested/out-of-scope area can lead to discovery of issues with security implications 20

Part III What can we do to improve things? 21

Some ideas Security testing is not part of QA. Is it someone s fault? Would like access to: Bug tracking software Access to identified defects (database) Spot weaknesses by area (e.g. authentication) Gives an indication where to look first or with more focus Pre-testing meeting with QA team See what they think about the application 22

Security and QA Provide security test cases Preliminary security testing No exploitation flag potential issues Manual testing and white box approach Identify defects with security impacts earlier Worst case: QA needs to be re-performed after a major re-design Costs vs ROI Costs increase for additional testing during QA ROI achieved if no delays or unexpected costs arise 23

Example of preliminary checks Case-sensitive login Username: Test test Authorisation controls Profile.aspx?memberId=10000 Try: memberid=10001 If user 10000 can access user 10001 s page without authorisation 24

Further examples Strong password format User can choose password as password User can choose qwerty as password Credentials enumeration Error message returns wrong username Error message returns wrong password Malformed request Debug exception output is publicly viewable 25

Quick checks Cookie settings No Secure flag in HTTPS No HTTPOnly flag Sensitive info in cookie Cookie domain and path incorrectly set Data Transport Sensitive information transmitted over HTTP Data Storage Credentials stored in database with no hash 26

Collaboration Online collaboration OWASP Project to bridge gap between security and QA QA communities should do the same Local collaboration Increase collaboration between chapters OWASP NZ chapter ANZTB SIGIST Security talks at QA chapter meetings and vice versa 27

Conclusion Wrap up QA is prerequisite for any security testing QA defect database should be accessed by security staff Preliminary security test-cases can identify low-hanging fruit 28

Questions? Thanks! E-mail: roberto.suggi@security-assessment.com Blog: http://malerisch.net Twitter: https://twitter.com/malerisch 29

References/Useful Links Software Security Testing in Quality Assurance and Development http://www.qasec.com/ Fuzzing for Software Security Testing and Quality Assurance ISBN-10: 1596932147, Artech House; 1 edition (June 30, 2008) OWASP Software Quality Assurance https://www.owasp.org/index.php/software_quality_assurance Vulnerability as a Function of Software Quality https://www.giac.org/paper/gsec/647/vulnerability-function-softwarequality/101493 Why QA Doesn't Do Security Testing https://www.infosecisland.com/blogview/10736-why-qa-doesnt-do- Security-Testing.html 30

References/Useful links Security is the sexy part of QA http://www.madirish.net/justin/security-sexy-part-qa Are Security and Quality Assurance Part of Your Software Development Life Cycle? http://www.educause.edu/ir/library/powerpoint/wrc0667.pps 31

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information