Threat Modeling / Security Testing. Tarun Banga, Adobe. Slide 1: Agenda




Threat Modeling / Security Testing
Presented by: Tarun Banga, Sr. Manager Quality Engineering, Adobe; Quality Leader (India), Adobe Systems India Pvt. Ltd.

Agenda
- Security Principles
- Why Security Testing
- Security Testing Fundamentals
- Different Stages of Security Testing
- Threat Modeling
- Security Testing
- Security Code Review
- Summary
- Q/A

Security Principles
- If you do not perform security testing for your application, someone else not working for your company will.
- The defender must defend all points; the attacker can choose the weakest point.
- The defender can defend only against known attacks; the attackers can probe for unknown vulnerabilities.
- The defender must be constantly vigilant; the attackers can strike at will.
- The defender must play by the rules; the attackers can play dirty.

Why Security Testing?
- Security, like performance, affects ALL users of a product. It's transparent until something goes wrong.
- ALL applications are security sensitive, to some degree: they are a potential attack vector against the user's computer (and data).
- Interconnected applications and interconnected computers can be attacked.
- Lots of script kiddies.
- Competitors' sales force will whisper to your potential customers.
- Security vulnerabilities are expensive to fix.

Before We Begin
Before we start, it is important that you understand the following basic terminology:
- Asset: a resource of value, such as the data in a database or on the file system; a system resource.
- Threat: a potential occurrence, malicious or otherwise, that might damage or compromise your assets.
- Vulnerability: a weakness in some aspect or feature of a system that makes a threat possible. Vulnerabilities might exist at the network, host, or application levels.
- Attack (or exploit): an action taken by someone or something that harms an asset. This could be someone following through on a threat or exploiting a vulnerability.
- Countermeasure: a safeguard that addresses a threat and mitigates risk.
- System: a group of related components.
- Process: anything that transforms or manipulates data.

Security Testing Fundamentals
- Security testing is generally negative testing.
- Standard QA testing (functional testing) ensures that the application does everything it is supposed to do.
- Security testing ensures that the application does not do anything it is not supposed to do.
- White Box vs. Black Box Testing
  - White box is usually a more efficient way of finding everything that a black box test can find.
  - Black box is usually closer to what an actual attacker would do and may be quicker.
  - Tools exist for both of these types of testing. Both of these types of testing have value.

Stages of Security Testing
Security testing can be done at the following levels:
- Network Security
- Host Security
- Application Security

This talk is about Application Security:
- Threat Modeling (design stage)
- Security Testing (testing stage)
- Security Code Review (coding stage)

Threat Modeling
Threat modeling is a process of understanding and evaluating threats in a system by analyzing its assets and how data is passed around. We will cover:
- Goals, responsibilities
- Threat modeling process: DFD, attack/threat trees
- Identify, document, rate and prioritize threats
- How to mitigate threats

Goals of Threat Modeling
- Ship a more complete and secure product.
- Help the team understand better how the system really works and how it really interacts with other systems.
- Validate designs.
- Find bugs.
- Create a record of security-related design and coding decisions.
- Help systems that build on top of your system understand their dependency better.
- Help testers drive a well-designed security test plan.

Output (diagram not reproduced in the transcription)

Identify the Assets
Identify the assets that you need to protect. This could range from confidential data, such as your customer or orders database, to your Web pages or Web site availability.

Architecture Overview (diagram not reproduced in the transcription)

Application Decomposition
Break down your application to create a security profile:
- Identify trust boundaries.
- Identify data flow.
- Identify entry points.
- Identify privileged code.
- Document the security profile.

Identify Threats
Apply the S.T.R.I.D.E. threat categorizing technique to the threat targets in your system:
- Spoofing: allowing an adversary to pose as another user, component, or other system that has an identity in the system being modeled.
- Tampering: modifying data within the system to achieve a malicious goal.
- Repudiation: denying having performed some malicious activity because the system does not have sufficient evidence to prove otherwise.
- Information Disclosure: exposing protected data to a user that is otherwise not allowed to access that data.
- Denial of Service: preventing legitimate users from using the normal functionality of the system.
- Elevation of Privilege: using illegitimate ways to access a system with higher privileges than assigned.

Rate and Prioritize Threats
Use DREAD to calculate a threat's risk (each factor is on a scale of 1 to 10):
- Damage Potential: damage if a vulnerability is exploited. 1 (no damage) to 10 (allows the attacker to circumvent all security restrictions and do virtually anything).
- Reproducibility: how easy it is to get a potential threat to work (for a threat to become an exploit). 1 (can't make it happen) to 10 (happens every time).
- Exploitability: ranks the effort and expertise required to exploit the vulnerability. 1 (requires massive resources and time) to 10 (a novice programmer can mount the attack from his home PC).
- Affected Users: percentage of users impacted by an exploit. 1 (0-10% of users) to 10 (91-100% of users).
- Discoverability: likelihood it would be found by external security researchers, hackers, etc. 1 (?) to 10 (come on, you know someone will find it!).

Risk = (D + R + E + A + D) / 5
- Low values (0-3): not very risky; should have a mitigation.
- Medium values (4-6): team judgment call.
- High values (7-10): very risky; should be totally mitigated.

Document Threats (Threat Modeling)
- Document the threats identified by entering the data into the threat model (title, target, type, risk, threat tree, bug number).
- Associate a bug with each threat.
- Threat trees help identify failure modes and give a better understanding of how a threat might become an attack.
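The DREAD arithmetic and the documentation step above, worked as a small threat register. This is an added example, not code from the slides or from Adobe; the threat titles, targets and scores are constructed sample data, and the bug numbers are placeholders. One assumption is made beyond the slide: because the average of five whole numbers can be fractional, it is rounded half-up to a whole number before it is placed in the Low/Medium/High bands.

```python
# Added example (not from the slides): a DREAD risk register following the
# scale and bands given on the slide. Threats and scores below are constructed.
from dataclasses import dataclass

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


def risk_band(risk: float) -> str:
    # Bands as given on the slide. The average can be fractional, so it is
    # rounded half-up to a whole number before banding (an assumption here).
    score = int(risk + 0.5)
    if score <= 3:
        return "Low"
    if score <= 6:
        return "Medium"
    return "High"


@dataclass
class Threat:
    title: str
    target: str           # component or data flow the threat applies to
    stride_type: str      # one of the S.T.R.I.D.E. categories
    scores: dict          # DREAD factor name -> integer 1..10
    bug_number: str = ""  # filled in once a bug is filed for the threat

    def __post_init__(self):
        missing = set(DREAD_FACTORS) - set(self.scores)
        if missing:
            raise ValueError(f"missing DREAD scores: {sorted(missing)}")
        for name, value in self.scores.items():
            if name not in DREAD_FACTORS or not 1 <= value <= 10:
                raise ValueError(f"bad score {name}={value}")

    def risk(self) -> float:
        # Risk = (D + R + E + A + D) / 5, exactly as on the slide.
        return sum(self.scores[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)

    def band(self) -> str:
        return risk_band(self.risk())


def prioritize(threats):
    """Return (title, risk, band) tuples, highest risk first."""
    ranked = sorted(threats, key=lambda t: t.risk(), reverse=True)
    return [(t.title, t.risk(), t.band()) for t in ranked]


def unfiled(threats):
    """Threats that still need a bug: the slide asks for one bug per threat."""
    return [t.title for t in threats if not t.bug_number]


def dread(d, r, e, a, disc):
    return dict(zip(DREAD_FACTORS, (d, r, e, a, disc)))


# Constructed sample register; bug ids are placeholders, not real tracker ids.
SAMPLE_THREATS = [
    Threat("Login form builds its SQL query from raw input",
           "login form -> customers DB", "Tampering",
           dread(9, 8, 8, 10, 9), bug_number="BUG-PLACEHOLDER-1"),
    Threat("Stack traces are shown on the error page",
           "error handler", "Information Disclosure", dread(2, 10, 9, 2, 7)),
    Threat("Unauthenticated report export ties up the worker pool",
           "report service", "Denial of Service", dread(5, 3, 4, 6, 2)),
    Threat("Debug log lines include internal host names",
           "logging", "Information Disclosure", dread(1, 2, 2, 1, 3)),
]

if __name__ == "__main__":
    for title, risk, band in prioritize(SAMPLE_THREATS):
        print(f"{risk:4.1f}  {band:6}  {title}")
    print("still need a bug:", unfiled(SAMPLE_THREATS))
```

The register keeps exactly the fields the slide lists (title, target, type, risk, bug number); the threat tree itself is a separate artifact and is not stored here.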

Attack/Threat Trees
- An attack/threat tree is a representation of conditions, with the root node being the threat. It is used to determine valid attack paths, which are in fact vulnerabilities.
- The root node is a high-level goal. Example: Gain access to the user profile store.
- Child nodes show paths to that goal.
- Child nodes that both need to be true for the parent to be true are ANDed, using a line connecting them.
- The tree should be broken down such that a tester can easily understand what to test to verify a leaf node.

Example Threat Tree (diagram not reproduced in the transcription)
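The AND/OR structure described above, as an added example rather than the slide's own diagram. The root goal is the one the slide names; every child node and leaf condition below it is constructed for illustration and is not a finding about any real system. The code evaluates whether the root is still reachable, enumerates the remaining attack paths (each path is a set of leaf conditions, which is what a tester turns into test cases), and shows how marking a leaf as mitigated closes paths.

```python
# Added example (not from the slides): an attack tree with AND/OR gates.
# Root goal is from the slide; the nodes under it are constructed.
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    gate: str = "OR"          # "OR": any child suffices; "AND": all children needed
    children: list = field(default_factory=list)
    mitigated: bool = False   # leaves only: True once a countermeasure is in place

    def leaf(self) -> bool:
        return not self.children


def reachable(node: Node) -> bool:
    """Is the goal at this node still achievable given current mitigations?"""
    if node.leaf():
        return not node.mitigated
    results = [reachable(c) for c in node.children]
    return all(results) if node.gate == "AND" else any(results)


def attack_paths(node: Node) -> list:
    """Every combination of unmitigated leaf conditions that makes this node true.
    Each path is a list of leaf names."""
    if node.leaf():
        return [] if node.mitigated else [[node.name]]
    child_paths = [attack_paths(c) for c in node.children]
    if node.gate == "OR":
        return [p for paths in child_paths for p in paths]
    combos = [[]]                 # AND: cross product of the children's path sets
    for paths in child_paths:
        if not paths:
            return []             # one AND branch is closed, so the parent is too
        combos = [a + b for a in combos for b in paths]
    return combos


def walk(node: Node):
    yield node
    for c in node.children:
        yield from walk(c)


def mitigate(root: Node, leaf_name: str) -> None:
    """Mark a leaf condition as countered (the mitigation itself goes into the model)."""
    for n in walk(root):
        if n.name == leaf_name and n.leaf():
            n.mitigated = True
            return
    raise KeyError(leaf_name)


def build_example_tree() -> Node:
    # Root goal taken from the slide; everything below it is constructed.
    return Node("Gain access to the user profile store", "OR", [
        Node("Profile search passes user input into SQL unparameterized"),
        Node("Reuse a stolen admin session", "AND", [
            Node("Session cookie is sent without the Secure flag"),
            Node("Attacker can observe traffic on the same network"),
        ]),
        Node("Admin password is guessable and has no lockout"),
    ])


if __name__ == "__main__":
    tree = build_example_tree()
    for path in attack_paths(tree):
        print(" AND ".join(path))
    mitigate(tree, "Session cookie is sent without the Secure flag")
    print("after mitigation, root reachable:", reachable(tree))
```

Because the AND node needs both of its leaves, fixing either one closes that whole branch; the OR root stays reachable until every branch under it is closed, which is what "all the threats have been listed, analyzed and entered as bugs" means in practice.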

Mitigate Threats
Response options:
- Do nothing (at least turn the feature off by default).
- Warn the user and let them decide whether to use the feature: warnings, documentation, log the warnings, audit events.
- Remove the feature.
- Fix it.
If the product is changed to mitigate a threat, that change should be included in the threat model: the mitigation might itself pose a security risk, and mitigations need to be tested.

When is a Threat Model done?
- All entry points are explored.
- All external dependencies are listed and the risks are understood.
- Threat models are reviewed by people not familiar with the components.
- Every part of the system is fully implemented.
- Every implementation assumption is verified and moved to one of the following sections: External Dependencies, Security Notes for Client Systems, Internal Security Notes.
- All the threats have been listed, analyzed and entered as bugs.

Security Testing
The major step of security testing is covered in threat modeling. Areas to test:
- Buffer overflow
- Bad parameters
- Leak testing
- Access control
- Spoofing identity
- Security boundaries
- Denial of service
- Named object permissions
- Injecting mutated data: SQL injection, function injection, EOF, newline characters injected into logs, etc.
- On-wire attacks
Different tools can be used for different types of testing.

Common Web Vulnerabilities
- Cross Site Scripting (XSS)
- SQL Injection
- Cookie issues
- Session issues
- Authentication and authorization issues
- Directory traversal
- Information leakage
- Cross Site Request Forgery (XSRF/CSRF)

Cross-Site Scripting (XSS)
- An attack on input and output validation on the website.
- Special characters are submitted into the web application and returned within the HTML response.
- Special characters can include: double-quote, single-quote, less-than, greater-than, ampersand, space and more (see http://ha.ckers.org/xss.html).
- If you can inject a special character without it being escaped, then you have probably found a cross-site scripting vulnerability.
- Two types of cross-site scripting: persistent and temporary.

Bypassing Filters
- One way to try and stop cross-site scripting is to remove/block certain strings used during an XSS exploit, like "script".
- Different encodings can bypass a simple filter like this: "script" is blocked, but what about "sc ri ipt"?
- Filters need to be validated: they need to stop every encoding of an attack.
- Good reference for filter evasion: http://ha.ckers.org/xss.html
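The slide's two points, the "inject a special character and see whether it comes back escaped" test and the weakness of string blocklists, worked in code. This is an added example, not from the slides: it contrasts a naive blocklist that strips "<script>" with output encoding via Python's html.escape, and runs the same validation over both with a few constructed probe inputs (including a URL-encoded one, since the check has to be applied after the same decoding the application performs). The probe strings are textbook test inputs constructed for this example.

```python
# Added example (not from the slides): validating an XSS defence the way the
# slide describes, blocklist vs. output encoding. Probe inputs are constructed.
import html
import re
from urllib.parse import unquote

# Characters that carry meaning in an HTML context (the slide's list also
# includes space, which matters inside unquoted attributes; it is left out of
# this check because it is legitimate in ordinary text).
DANGEROUS = set('<>"\'&')

# A well-formed character reference such as &lt; &quot; &#x27; &#39;
ENTITY = re.compile(r"&(#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);")


def survives_unencoded(output: str) -> list:
    """Special characters that reach the response as raw markup, i.e. not as
    part of an entity. An empty list means the output is inert as text."""
    stripped = ENTITY.sub("", output)
    return sorted(c for c in set(stripped) if c in DANGEROUS)


def blocklist_filter(user_input: str) -> str:
    """Naive defence: delete the literal tag. One left-to-right pass, so a
    split token re-forms once the inner copy is removed."""
    return re.sub(r"(?i)<script>", "", user_input)


def encode_for_html(user_input: str) -> str:
    """Output encoding: every special character becomes an entity, so the
    browser renders it as text instead of parsing it as markup."""
    return html.escape(user_input, quote=True)


def render_comment(user_input: str) -> str:
    # Where the untrusted value lands in the page; the encoding is applied at
    # the point of output, not at input time.
    return '<p class="comment">' + encode_for_html(user_input) + "</p>"


# Constructed probes: a plain tag, a split tag, a URL-encoded tag, and an
# attribute break-out that contains no "script" at all.
PROBES = [
    "<script>alert(1)</script>",
    "<scr<script>ipt>alert(1)</script>",
    "%3Cscript%3Ealert(1)%3C/script%3E",
    '" onmouseover="alert(1)',
]


def filter_passes_validation(defence, probes=PROBES) -> bool:
    """The slide's acceptance rule: the defence must stop every encoding.
    Input is URL-decoded first, as the web framework would do."""
    return all(not survives_unencoded(defence(unquote(p))) for p in probes)


if __name__ == "__main__":
    for p in PROBES:
        print(repr(blocklist_filter(unquote(p))), "->",
              survives_unencoded(blocklist_filter(unquote(p))))
    print("blocklist ok:", filter_passes_validation(blocklist_filter))
    print("encoding ok: ", filter_passes_validation(encode_for_html))
```

The encoding approach passes because it does not try to recognise attacks at all; it makes the five metacharacters inert regardless of how they were assembled, which is why "every encoding of an attack" stops being the defender's problem.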

SQL Injection
What does SQL injection consist of?
- A form accepts a username and password from the user.
- The username and password are passed into the following SQL statement:
    select * from customers where username = '$username' and password = '$password';
- A malicious attacker sends the following values to the form:
    username = admin
    password = '%20or%201=1;--
- These values are put into the SQL statement:
    select * from customers where username = 'admin' and password = '' or 1=1;--';
- This results in the SQL query being interpreted as: select all users from customers where the username is admin and (the password is NULL or true).

Cookie, Authentication and Authorization Issues
- Is the HttpOnly flag set? (where appropriate)
- Is the Secure flag set? (where appropriate)
- Does the cookie contain sensitive information encoded in plain text or in an easily reversible manner? Try Base64 decoding it, for example, and see if you can see something you shouldn't.

Authentication and Authorization Issues
- Passwords: length/strength, password reset expiration, single use, no passwords sent in plain text!
- Brute forcing: lockouts and delays.
- Bypassing authorization: do all pages do checks?
- Masquerading as another user: modifying the username or user ID in a request. Can you access another user's or admin information?
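The slide's login query, run both ways against an in-memory SQLite table so the effect of the quoted value can be observed directly. This is an added example, not code from the slides: the customers table and its two rows are constructed, the form values are the ones the slide gives, and the parameterized version is the fix a code review would ask for (placeholders bound by the driver, so the password is compared as data rather than parsed as SQL).

```python
# Added example (not from the slides): the slide's statement built by string
# concatenation vs. with bound parameters. Table contents are constructed.
import sqlite3
from urllib.parse import unquote


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table customers (username text, password text)")
    conn.executemany("insert into customers values (?, ?)",
                     [("admin", "s3cret-placeholder"), ("alice", "alice-pw")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    # Same shape as the slide's statement: the user's quote characters become
    # part of the SQL grammar, so password = '' or 1=1 matches every row.
    sql = (f"select * from customers where username = '{username}' "
           f"and password = '{password}';")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username: str, password: str):
    # The statement text is fixed; values travel separately and are never
    # parsed, so a quote in the password is just a character to compare.
    sql = "select * from customers where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# The form values from the slide, as they arrive URL-encoded.
FORM_USERNAME = "admin"
FORM_PASSWORD = "'%20or%201=1;--"


def demo():
    """Returns (rows from vulnerable query, rows from parameterized query,
    rows for a genuine login) for the slide's input."""
    conn = make_db()
    password = unquote(FORM_PASSWORD)      # "' or 1=1;--"
    vulnerable = login_vulnerable(conn, FORM_USERNAME, password)
    safe = login_parameterized(conn, FORM_USERNAME, password)
    genuine = login_parameterized(conn, "admin", "s3cret-placeholder")
    return len(vulnerable), len(safe), len(genuine)


if __name__ == "__main__":
    print("rows returned (vulnerable, parameterized, genuine):", demo())
```

A test for this class of bug is simply the slide's input fed to every form field and a check that the application never returns more rows than a correct login would; the parameterized form returns none for the injected value and one for the real credentials.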

Directory Traversal
- Try this anywhere you can supply a file name or path name!
- The canonical string to try is ../../../../ etc.
- Example from our Tech Summit talk:
    http://www.adobe.com/shockwave/download/download.cgi?p1_prod_version=../../../../../../../../..//usr/local/apache/conf/ssl.key/www.adobe.com.key%00
- Note the extra %00 NULL terminator that is used/needed!
- Don't forget to try encoding: ..\ might be blocked, but is %2e%2e%2f?

Information Leakage (Helping the Attacker)
- This is a less severe issue in general, but also one that is consistently found and reported by 3rd-party audits.
- The idea is that any information about the server or application can help the attacker in their understanding and aid their attacks.
- Common information leakages:
  - Server version
  - File paths / locations (if you can upload content, this is more serious)
  - Detailed error messages, particularly stack traces
  - Error messages
  - Hidden fields
  - Comments & privacy
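The defensive counterpart to the directory traversal slide: a resolver for a user-supplied file name that refuses every form the slide mentions (../ sequences, the percent-encoded %2e%2e%2f variant, a backslash variant, and a %00 NUL terminator) and only ever returns a path inside a fixed directory. This is an added example, not code from the slides or from Adobe; the download directory is a constructed placeholder, and the decision to decode percent-encoding repeatedly (so that a double-encoded value is also caught) is an assumption of this example rather than anything the slide states.

```python
# Added example (not from the slides): confining a user-supplied file name to
# one directory. DOWNLOAD_ROOT is a placeholder, not a real deployment path.
import posixpath
from urllib.parse import unquote

DOWNLOAD_ROOT = "/srv/www/downloads"


class UnsafePath(ValueError):
    pass


def fully_decode(value: str, limit: int = 3) -> str:
    """Undo URL-encoding until the value stops changing, so both %2e%2e%2f and
    the double-encoded %252e%252e%252f are seen as '../'. A value that keeps
    changing after `limit` rounds is rejected outright."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise UnsafePath("too many encoding layers")


def resolve_under_root(root: str, user_path: str) -> str:
    """Return the absolute path for user_path inside root, or raise UnsafePath."""
    decoded = fully_decode(user_path)
    if "\x00" in decoded:
        # The slide's %00 trick: a NUL would truncate the name in a C-level
        # open(), so anything after it (e.g. a forced .jpg suffix) is a lie.
        raise UnsafePath("NUL byte in path")
    # Treat backslash as a separator so ..\ cannot slip past the check.
    candidate = decoded.replace("\\", "/").lstrip("/")
    root_norm = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root_norm, candidate))
    # After normalisation, ../ components have been applied; the result must
    # still have root as a prefix at a path-component boundary.
    if posixpath.commonpath([root_norm, full]) != root_norm:
        raise UnsafePath("path escapes the download directory")
    return full


def is_safe(root: str, user_path: str) -> bool:
    try:
        resolve_under_root(root, user_path)
    except UnsafePath:
        return False
    return True


if __name__ == "__main__":
    # Constructed probes; the traversal ones mirror the forms on the slide.
    for p in ["readme.txt", "../../../../etc/passwd", "%2e%2e%2fetc/passwd",
              "..\\..\\etc/passwd", "readme.txt%00.jpg"]:
        print(f"{p!r:32} safe={is_safe(DOWNLOAD_ROOT, p)}")
```

The check is done on the normalised result rather than by searching the input for "..", which is exactly why the encoded and backslash variants the slide lists do not get around it; a string match on the input would have to anticipate each encoding separately.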

Tools
- The best tool for web application testing is your browser!
  - Tests for many vulnerabilities like XSS can be conducted easily and manually via the browser.
  - The view-source option can help you understand how an application works and give you insight into what values are passed in POSTs.
  - Cookies can be viewed.
- Firefox in particular has a wide array of plugins designed for web testing, including:
  - FireBug (web debugger)
  - Cookie editors (Add and Edit Cookies)
  - Header modification (LiveHTTPHeaders)
  - GET <-> POST modification
- AppScan is a commercial product that scans web applications for vulnerabilities. It can scan content automatically or process new content that is explored manually.
- Web proxy tool Charles: Charles intercepts requests made by your browser and the responses to them and logs them. It logs both the structure of the site and also the sequence of requests/responses. It lets you modify and replay requests. If your application uses AMF calls, Charles even decodes these, including parameters.
- There are other web proxy tools also, notably OWASP's WebScarab.
- Many, many open source and free web security testing tools out there. Try everything! Pick your favorites (Eatmem, Eat Hard disk, Netthrottle etc.).

Security Code Review
- Seems much the same as an ordinary code review.
- We can follow a multiple-pass approach.
- Target the low-hanging fruit first, i.e. use of dangerous APIs (strncpy instead of strcpy), use of TCHAR, integer overflow & underflow, checking return values.
- Perform an extra review of pointer code.
- Never trust data.

Overall Summary
- Do threat modeling.
- File TM-related bugs and close them once they are fixed.
- Security test plan and test cases.
- Execute security-related test cases; file & close security-related bugs.
- Use different tools.
- Security code review.

References & Resources
- Writing Secure Code, 2nd Edition: MS Press.
- OWASP: their web site is at OWASP.org. They are constantly adding new content and projects; their mission is to advance the state of web security for everyone. In particular, the OWASP Testing Guide is an exhaustive reference on different web security issues and how to test for them.

Q&A
Please email tarunbanga@rocketmail.com (preferred) or tbanga@adobe.com