Automating Security Testing. Mark Fallon Senior Release Manager Oracle



Similar documents
Web Application Report

SAST, DAST and Vulnerability Assessments, = 4

Application Code Development Standards

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Application Security Testing

Web App Security Audit Services

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Web Application Security

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Introduction to Automated Testing

Web application security: automated scanning versus manual penetration testing.

elearning for Secure Application Development

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Attack Vector Detail Report Atlassian

WHITEPAPER. Nessus Exploit Integration

Using Nessus In Web Application Vulnerability Assessments

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Sample Report. Security Test Plan. Prepared by Security Innovation

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Interactive Application Security Testing (IAST)

Adobe Systems Incorporated

Fuzzing in Microsoft and FuzzGuru framework

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Check list for web developers

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

Detecting SQL Injection Vulnerabilities in Web Services

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

How To Ensure That Your Computer System Is Safe

Using Web Security Scanners to Detect Vulnerabilities in Web Services

SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN. Final. Version 1.0

Learn Ethical Hacking, Become a Pentester

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

Security Testing & Load Testing for Online Document Management system

DISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, The OWASP Foundation

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

IT Security & Compliance. On Time. On Budget. On Demand.

Reducing Application Vulnerabilities by Security Engineering

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

New IBM Security Scanning Software Protects Businesses From Hackers

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington October 21, 2013

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities

Where every interaction matters.

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

Braindumps.C questions

Chapter 1 Web Application (In)security 1

Client logo placeholder XXX REPORT. Page 1 of 37

Web Application Penetration Testing

Analysis of SQL injection prevention using a proxy server

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Comprehensive Security for Internet-of-Things Devices With ARM TrustZone

Levels of Software Testing. Functional Testing

Last update: February 23, 2004

Penetration Testing with Kali Linux

Integrating Security Testing into Quality Control

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Using WebLOAD to Monitor Your Production Environment

Auditing the Security of an SAP HANA Implementation

What is Web Security? Motivation

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Java Program Vulnerabilities

Source Code Review Using Static Analysis Tools

SANS Dshield Webhoneypot Project. OWASP November 13th, The OWASP Foundation Jason Lam

How To Protect A Web Application From Attack From A Trusted Environment

Countering The Faults Of Web Scanners Through Byte-code Injection

Intrusion Detection Systems (IDS)

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

(WAPT) Web Application Penetration Testing

Web Application Security How to Minimize Prevalent Risk of Attacks

Integrating Tools Into the SDLC

Cloud Security:Threats & Mitgations

owncloud Architecture Overview

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DR V2.0

ensuring security the way how we do it

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Software Quality Testing Course Material

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM

Web Application Vulnerability Testing with Nessus

Bust a cap in a web app with OWASP ZAP

Columbia University Web Security Standards and Practices. Objective and Scope

Transcription:

Automating Security Testing Mark Fallon Senior Release Manager Oracle

Some Ground Rules There are no silver bullets You can not test security into a product Testing however, can help discover a large percentage of implementation issues Automation of that testing is essential It allows the process to scale It reduces cost for continued maintenance It helps ensure repeatability in process Security testing is an essential part of the overall development process

Development Process Ever growing number of development processes available Some organizations will use different processes for different projects Artifacts for security testing remain the same Code Generated objects e.g. binaries, class files Running systems Other areas of software assurance are potentially more significantly impacted Some areas of the process needs to be adapted to ensure assurance requirements are met

Code Scanning Code scanning is the first phase of our automated security checks Can start as soon as the first lines of code are committed to the project Helps to provide instant feedback to developers Can help enforce coding rules Avoid poor coding styles Enforce use of mandated functions Can reliably find a number of data flow & semantic issues e.g.: Format String Injection Attacks SQL, Process, XML Certain classes of buffer overflow

Rolling Out Tools Three step program: 1. Eliminate the noise: Need to present a sanitized list of issues to developers Builds trust in tool Makes best use of their time 2. Eliminate the backlog Time needs to be added to the schedule Helps to build awareness and momentum 3. Make it part of daily development Provide immediate feedback to developers Stops the build up of new issues

Automated Testing Second phase of our automated security testing This testing starts as soon as there is running code Three areas of automated tests: Targeted Generated Leverage

Targeted Tests New functional/unit tests written to exercise a specific feature Standard functional tests for security functionality Transparent Data Encryption Unit tests for feature that are used in security contexts random numbers Destructive Protocol tests Typically done with a parameterized client Different attack vectors or combinations can be easily automated Stateful protocols require more effort, problem may not be with initial connection Domain expert usually required to write these tests Some 3 rd party test suites available in this area Usually available for public protocols http, ftp, LDAP etc. Need to be evaluated for coverage How much / which versions of protocols covered Types of attacks they try. Deployment issues need to be accessed Fit into current testing infrastructure

Generated Tests Automate what others are trying against our system Similar approach to application scanners Generated to find classes of vulnerabilities across an entire attack surface Most success with PL/SQL and code loaded into database Data dictionary helps drive automation List of PL/SQL functions (attack surface) Provides type information - Helps with generating parameterized attacks Need to be careful of false negatives Certain functions will require some state to execute If that state is evaluated before vulnerable parameter is, the call maybe rejected before we hit the potential issue Test harness is updated with necessary code to create a valid state and this is passed in when testing the other parameters

Design To Test For Security Features and diagnostics that exist as part of the product that can be leveraged for security testing New features have been added to specifically enable better security testing As these are destructive they are typically enabled by relinking a new object into the server. These can be used the following ways In combination with the generated or targeted tests to help find issues To inject errors to test for robustness To turn existing functional tests into security tests

Leverage Testing Large body of functional regressions tests have already been written as product has matured. Database product has some 250,000 nightly regressions These tests can be leveraged in two ways Add extra checks to the results looking for specific issues Enable diagnostic or specific tests features to find classes of issues. This can also be done with 3 rd Party tools like memory debuggers Some examples of extra checks are: Scanning trace and log files looking for information leakage Checking for file / process permissions on install tests

In Combination With Other Tests Done with diagnostics to highlight issues. Diagnostics have been added to help in support situations, typically enabled by an event. Example: Database does it s own memory management We can enables extra checking and protected pages, to detect overruns and corruption Would be turned on when running the generated PL/SQL tests Some of this can also be achieved with 3 rd party memory tools valgrind, Purity etc.

In Combination With Other Tests Testing features added to the product to leverage existing tests Enabled through relinking of binaries Literal blow-up tests Parser maximizes size of all string literals Turns 250,000 functional tests, into 250,000 buffer overflow tests Testing features added to the product to enable destructive tests Robustness testing done with Iterative Kill Test

Application Scanners Application scanners used in final stages of automated security testing Language agnostic black box testing against running applications Like code scanners lengthy evaluation process performed Some had been used internally before Will only test exposed interfaces

Application Scanners Type of issues we see them finding Parameter manipulation SQL injection Directory Traversal, XSS Deployment issues http error code checks Apache configuration checks

Vulnerability Coverage How do you know you are done? Testers familiar with the concept of code coverage With security testing it is not that you touched a code block but how it was touched Vulnerability Coverage a metric in progress Enumerate the attack surface API s, command line, open ports etc. Enumerate the attack vectors SQL injection, buffer overflow, XSS Augment test scripts, tool results to log combinations This metric can be done to help measure completeness of the automated security tests

Acknowledgements Security Program Office Security Assurance Group Integration team QA team PL/SQL group VOS group

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information