Software Security. Group project: application security verification using OWASP ASVS

Similar documents
Software Security. Group project: application security verification using OWASP ASVS

Automatic vs. Manual Code Analysis

Passing PCI Compliance How to Address the Application Security Mandates

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Validation Procedure. ANNEX 4. Security Testing Basis

Web Application Security. Sajjad Pourali CERT of Ferdowsi University of Mashhad

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Adobe Systems Incorporated

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Getting software security Right

SAST, DAST and Vulnerability Assessments, = 4

Web Application Security

Learning objectives for today s session

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Check list for web developers

Secure Development Lifecycle. Eoin Keary & Jim Manico

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Using Free Tools To Test Web Application Security

Integrating Security Testing into Quality Control

What is Web Security? Motivation

Where every interaction matters.

! Resident of Kauai, Hawaii

JVA-122. Secure Java Web Development

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

PCI Self-Assessment: PCI DSS 3.0

Magento Security and Vulnerabilities. Roman Stepanov

State of Web Application Security. Ralph Durkee Durkee Consulting, Inc. Rochester ISSA & OWASP Chapters rd@rd1.net

Spyware. Michael Glenn Technology Management 2004 Qwest Communications International Inc.

(WAPT) Web Application Penetration Testing

PCI DSS Overview and Solutions. Anwar McEntee

Web application security

Columbia University Web Security Standards and Practices. Objective and Scope

CONTENTS. PCI DSS Compliance Guide

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

elearning for Secure Application Development

Secure development and the SDLC. Presented By Jerry

Threat Modeling for Secure Embedded Software

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM

Reducing Application Vulnerabilities by Security Engineering

Leveraging OWASP to Reduce Web App Data Breach Risk

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

encription IT Security and Forensic Services

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

2015 Vulnerability Statistics Report

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Web Application Security

Penetration Testing in Romania

Integrating Web Application Security into the IT Curriculum

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

RESILIENT. SECURE and SOFTWARE. Requirements, Test Cases, and Testing Methods. Mark S. Merkow and Lakshmikanth Raghavan. CRC Press

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Application Code Development Standards

Web Application security testing: who tests the test?

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

HP Application Security Center

The Top Web Application Attacks: Are you vulnerable?

Building & Measuring Security in Web Applications. Fabio Cerullo Cycubix Limited 30 May Belfast

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview

Designing and Coding Secure Systems

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

Implementing a secure high visited web site by using of Open Source softwares. S.Dawood Sajjadi Maryam Tanha. University Putra Malaysia (UPM)

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

WEB APPLICATION SECURITY

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Keeping your data yours

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Pass-the-Hash. Solution Brief

RIPS - A static source code analyser for vulnerabilities in PHP scripts

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Network Security Audit. Vulnerability Assessment (VA)

PCI DSS v3.0 Vulnerability & Penetration Testing

Comparing the Effectiveness of Penetration Testing and Static Code Analysis

Threat Modeling. A workshop on how to create threat models by creating a hands-on example

IoT Potential Risks and Challenges

Application security testing: Protecting your application and data

Towards More Security in Data Exchange

Pentests more than just using the proper tools

Web Application Report

The Next Generation of Security Leaders

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

Transcription:

Software Security Group project: application security verification using OWASP ASVS

Brainstorm What would you do if you if someone asked you to check if some application they use (and possibly bought) is secure?

Assurance Big challenge: how can we provide assurance that an application is secure? NB: it is much easier to demonstrate that an application is not secure than it is to guarantee that it is secure

Assurance Why is the question below silly? how can we provide assurance that an application is secure? We only want to know if the level of security is acceptable given the associated risks

Group Project We do a security code review of a web-application following the OWASP standard Application Security Verification Standard (ASVS) 2014 edition trying out some source code analysis tools Time for this +/- 50 hours, ie afternoon/morning per week for next months

Goals experiencing a software security review process how useful are existing standards and approaches? esp OWASP Application Security Verification Standard how good are tools we can use? eg Fortify, RATS, CheckMarx how should security design and implementation decisions wrt security have been made and documented?

Non-goals For some, this is throwing you in at the deep end. I I realise your experience varies a lot! Don t be tempted in copying results from other groups whether or not find any security problems is not important, it s about forming an well-argued opinion about code reviews, the ASVS as guide for this, static analysis tools, etc. My hidden agenda: getting some empirical data on doing code reviews

OWASP AVSV Application Verification Security Standard (2014) aims to normalise the range in coverage & level of rigour in performing web application security verifcation NB not verification in the mathematical or even testing sense

sadas OWASP ASVS Process

OWASP ASVS Levels

Categories of Verification Requirements V1 Security Architecture V2. Authentication V3. Session Management V4. Access Control V5. Input Validation V6. Output Encoding/Escaping V7. Cryptography V8. Error Handling & Logging V9. Data Protection V10. Communication Security V11. HTTP Security V12. Security Configuration V13. Malicious Code Search V15. Business Logic V16 Files and Recourses V17 Mobile V1 removed in 2014 edition V13 & 17 out of scope

ASVS Security Requirements ASVS provides checklists of security requirements to check clustered in categories where security requirements are stated in a positive way, eg negative positive there are no XSS attacks all HTML output that includes user-supplied input is properly escaped Note: checking positive rather than negative statements is very different

Verification Techniques Dynamic using running application aka (penetration) testing This can be manual application penetration testing automated application penetration testing Static using source code aka code review This can be manual automated using code analysis tools Focus of the group project

Caveat: tools cover at best 45%? [study by MITRE] All application security tool vendors claims put together cover only 45% of the 695 known vulnerability types Very little overlap between tools, so to get 45% you need them all (assuming their claims are true) 14

static source code analyzers RATS basic old tool glorified GREP/CTRL-F Fortify SCA & CheckMarx modern state-of-the-art commercial tools RIPS open source tool, but RIP? Any other tools you know or have experience with? Yasca, PHPLint, FindSecurityBugs... 15

To start Fix a weekly morning/afternoon/night to work on this? Keep a log what you are doing, and who does what Read the AVSV Look at the code Panic? Install the code to get a feel for functionality? Try some of the code analysis tools? Think about you divide the work & organise this April 24 : progress discussion in class with SIG 14

NB We skip the most important steps NB by jumping straight to look at the code using the ASVS we skip the most important first steps of any security analysis: 1. identifying security requirements and their importance ie. threats and impacts, for a good risk assessment 2. defining attacker model eg `standard online attacker, insiders, vandals, hacktivists, mafia, NSA, should also consider capabilities & motivation even if your site has little value, an attacker might still be interested: to break into the machine hosting it, to use it as an attack vector to attack your visitors, to steal re-used passwords,

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information