Security Certification of Third- Parties Applications

Similar documents
NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

Copyrighted , Address :- EH1-Infotech, SCF 69, Top Floor, Phase 3B-2, Sector 60, Mohali (Chandigarh),

2011 Forrester Research, Inc. Reproduction Prohibited

HTExploit: Bypassing htaccess Restrictions

SAST, DAST and Vulnerability Assessments, = 4

Application Code Development Standards

i Network, Inc Technology Solutions, Products & Services Providing the right information, to the right customer, at the right time.

SOFTWARE TESTING TRAINING COURSES CONTENTS

Network Test Labs (NTL) Software Testing Services for igaming

Integrating Web Application Security into the IT Curriculum

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Web attacks and security: SQL injection and cross-site scripting (XSS)

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

White Paper Server. SUSE Linux Enterprise Server 12 Modules

How to Grow and Transform your Security Program into the Cloud

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Course: 10174B: Configuring and Administering Microsoft SharePoint 2010

Best Practices for Web Application Load Testing

Automatic vs. Manual Code Analysis

SOFTWARE PERFORMANCE TESTING SERVICE

Automated Penetration Testing with the Metasploit Framework. NEO Information Security Forum March 19, 2008

SharePoint 2010

Azure Day Application Development

Architecture Workshop

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

International Journal of Enterprise Computing and Business Systems ISSN (Online) :

Malicious Network Traffic Analysis

Using Nessus In Web Application Vulnerability Assessments

Web Applications Testing

ITMC 2079 MCTS Configuring and Administering Microsoft SharePoint 2010

HP LoadRunner: Essentials 11

Security Assessment of Waratek AppSecurity for Java. Executive Summary

Executive Summary On IronWASP

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

Vulnerability Management

Developing ASP.NET MVC 4 Web Applications MOC 20486

Security Testing for Developers using OWASP ZAP

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Security Testing with Selenium

Meister Going Beyond Maven

<Insert Picture Here> Application Testing Suite Overview

Protecting the Cloud from Inside

Developing Microsoft SharePoint Server 2013 Core Solutions

Fundamentals of LoadRunner 9.0 (2 Days)

How To Improve Your Software

CS 558 Internet Systems and Technologies

Open Source in Mobile Test Automation. Ru Cindrea - Altom ru@altom.ro

Web Intrusion Detection with ModSecurity. Ivan Ristic

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

StriderCD Book. Release 1.4. Niall O Higgins

Using WebLOAD to Monitor Your Production Environment

SAFECode Security Development Lifecycle (SDL)

From Traditional Functional Testing to Enabling Continuous Quality in Mobile App Development

Web application security: automated scanning versus manual penetration testing.

Product Roadmap. Sushant Rao Principal Product Manager Fortify Software, a HP company

Integrigy Corporate Overview

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

10174: Configuring and Managing Microsoft SharePoint 2010

Securing PHP Based Web Application Using Vulnerability Injection

A Study on the Security aspects of Network System Using Penetration Testing

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Content. Development Tools 2(63)

"Charting the Course to Your Success!" MOC B Configuring and Administering Microsoft SharePoint Course Summary

Comparing Application Security Tools

Penetration Testing in Romania

CYBERTRON NETWORK SOLUTIONS

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

You ll need to have: It d be great if you have:

Hack Proof Your Webapps

TUNNA. A tool designed to bypass firewall restrictions on remote webservers. By: Rodrigo Marcos Nikos Vassakis

Developing ASP.NET MVC 4 Web Applications

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis. Patrick Hildenbrand, Product Management Security, SAP AG September 2014

How To Prevent Hacker Attacks With Network Behavior Analysis

Adobe Systems Incorporated

Evaluation of Penetration Testing Software. Research

JavaScript static security analysis made easy with JSPrime

OF 1.3 Testing and Challenges

When a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.

Network Security Testing using MMT: A case study in IDOLE project

Three Ways to Secure Virtual Applications

Programming IoT Gateways With macchina.io

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis

What is new for HP LoadRunner and Performance Center 11.52

Web Application Security: Exercise Development Approaches

Interactive Application Security Testing (IAST)

Mobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus

WEB TESTING APPLICATION WITH PHP AUTOMATED TOOL

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Transcription:

Security Certification of Third- Parties Applications Stanislav Dashevskyi dashevskyi@fbk.eu Advisors: Fabio Massacci, Antonino Sabetta

Agenda Introduction Third-party code in web applications Third-party JavaScript The problem What was done so far Conclusions

Third-party components in modern software Software is getting more complex, and developers tend to reuse the work of their colleagues This helps to build a strong community over a technology and save development resources It makes it possible to create complex software that is able to solve real-world problems Every software module used can have bugs of security vulnerabilities that influence the whole product Quality of the product becomes a shared value 3

Third-party components in web applications We consider web applications that are powered by JavaScript Dynamic and interpreted language Allows performance benefits and homogeneous programming experience Enables reflection and metaprogramming at ease JavaScript web applications use numerous third-party libraries both on client and server Third-party client script used on the owner s website, but served from a remote source A third-party library for server-side JavaScript, such as those used from Node.js official package registry 4

Third-party modules: Node.js example The following images are taken from http://exploringdata.github.io/info/npm-packages-dependencies/ 5

Agenda Introduction Third-party code in web applications Third-party JavaScript The problem What was done so far Conclusions

The problem: third-party JavaScript Developers often do not know neither the full set of the libraries they use, nor their exact versions Their products can be vulnerable for years! If one module is vulnerable the product becomes vulnerable JavaScript is hard to get right and to analyze automatically Dynamic code generation and execution Variable/Function Aliasing, Scoping Dynamic type systems and various Inheritance mechanisms Obfuscation mechanisms evasion techniques 7

The problem: third-party JavaScript (EXAMPLE II) 8

The problem: third-party JavaScript (CONTINUED) Classical static analysis approaches are insufficient to for finding all possible classes of vulnerabilities in large codebases Static analysis must be guided by code annotations, runtime information, or other mechanisms Mostly static approaches are able to detect a limited set of vulnerability classes Soundness is often sacrificed for the sake of not overwhelming an analyst with false alarms However, dynamic analysis is too expensive for large codebases 9

Agenda Introduction Third-party code in web applications Third-party JavaScript The problem What was done so far Conclusions

What was done so far Software developers need a tool support for scanning full codebase of their applications All of the problematic JavaScript features must be considered It must be able to analyze large codebases All classes of vulnerabilities must be handled (write rules for finding instances of a certain class) We have created TestREx*** To understand the behaviour of vulnerable JavaScript code To have a reliable environment for collecting benchmarks and assessing JavaScript analysis approaches 11

What is TestREx? Management system for software environments Provides an isolated playground for every application and its corresponding software environment Testbed for performing web application vulnerability experiments Run scripted exploits automatically Give testers the access to a sandboxed application and let them play Test suite for managing and running scripted exploits against the corresponding applications 12

Motivation for TestREx Systematic collection of exploits into a knowledge base Exploit DB, WebGoat, etc. Advantages for developers of exploited software Provide evidence on actual risks of vulnerabilities Study explicit/implicit causes of vulnerabilities, their connections Insight for software analysis tools and verification approaches What about developers using that software? 13

Third-party developers perspective A vulnerability was reported How do I actually repeat an exploit in my operational environment? Applications run on different platforms SQL injection for MySQL will not work on MongoDB Software changes exploit works only if run in a certain software environment Essentially, it is a non constructive existence proof 14

Exploits (TestREx view) A sequence of [automated] actions required to subvert a vulnerability in and application and verify that subversion was successful Self-contained unit test + metadata Python scripts that use Selenium to automate browser and simulate attacker s actions Scripts are controlled by Execution Engine of TestREx 15

TestREx usage model Executable documentation for software companies Document an exploit == write a TestREx script Automated security + configuration + version testing Automated regression testing suite Penetration testing support Aid for security-unaware developers Part of a training toolkit for studying web application security Benchmark/supporting tool for code analysis approaches evaluation 16

TestREx: workflow 17

How sandboxes are implemented? Docker container with Ubuntu OS Docker container with Ubuntu OS, SQL and Apache server Docker container with all of the above + Wordpress app 18

Running an experiment Modular ways to run exploits and applications All exploits are independent and can be supplied by anyone An application can be started either in clean or infected state Sample scenarios regression testing and configuration testing Deploy multiple versions of an application and understand what was fixed through the version history Deploy an application in different platforms and see the correlation between thirdparty software and vulnerabilities Report generation A.csv file with exploit run results and exploit metadata 19

Agenda Introduction Third-party code in web applications Third-party JavaScript The problem What was done so far Conclusions

Current work on TestREx We have engaged students in the Offensive Technologies course at UNITN Extension of the exploits/vulnerabilities corpus Implementation of a number of attack scenarios and countermeasures for server-side JavaScript Usage of TestREx as a part of a toolchain for scanning Node.js Semi-automatic exploit generation with MITM proxy

Getting TestREx GitHub: https://github.com/standash/testrex DISI Security Lab: https://securitylab.disi.unitn.it/doku.php?id=malware_analysis Corresponding publication: ***Dashevskyi, S., Dos Santos, D. R., Massacci, F., & Sabetta, A. (2014, August). TESTREX: a testbed for repeatable exploits. In Proceedings of the 7th USENIX conference on Cyber Security Experimentation and Test (pp. 1-1). USENIX Association. Note: it s free for experiments, however it is under the pending patent from SAP Labs 22

Thank you!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information