Preventive Approach for Web Applications Security Testing OWASP 10/30/2009. The OWASP Foundation http://www.owasp.org

Similar documents
How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

05.0 Application Development

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Overview of the Penetration Test Implementation and Service. Peter Kanters

Reducing Application Vulnerabilities by Security Engineering

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Secure Code Development

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center

Adobe Systems Incorporated

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Pentests more than just using the proper tools

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

The Top Web Application Attacks: Are you vulnerable?

Network Test Labs (NTL) Software Testing Services for igaming

Where every interaction matters.

Pentests more than just using the proper tools

Learning objectives for today s session

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Levels of Software Testing. Functional Testing

ISSECO Syllabus Public Version v1.0

Software Testing. Knowledge Base. Rajat Kumar Bal. Introduction

Better Software Though Expertise, Collaboration & Automation. BDD, DevOps and Testing

ensuring security the way how we do it

An approach to Web Application Penetration Testing. By: Whiskah

Essential IT Security Testing

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Appendix to; Assessing Systemic Risk to Cloud Computing Technology as Complex Interconnected Systems of Systems

Data Breaches and Web Servers: The Giant Sucking Sound

G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

Strategic Information Security. Attacking and Defending Web Services

Columbia University Web Security Standards and Practices. Objective and Scope

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Web Application security testing: who tests the test?

Magento Security and Vulnerabilities. Roman Stepanov

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

A Brief Overview of Software Testing Techniques and Metrics

Security Testing & Load Testing for Online Document Management system

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

white SECURITY TESTING WHITE PAPER

Table of Contents. Page 2/13

Integrating Security Testing into Quality Control

How To Evaluate Watchguard And Fireware V11.5.1

Rational AppScan & Ounce Products

Application Security Testing. Generic Test Strategy

Web Engineering Web Application Security Issues

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Protecting Applications on Microsoft Azure against an Evolving Threat Landscape

Getting software security Right

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

elearning for Secure Application Development

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Web Application Penetration Testing

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

How To Perform An External Security Vulnerability Assessment Of An External Computer System

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

DISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, The OWASP Foundation

Web application security: automated scanning versus manual penetration testing.

Points of View. CxO s point of view. Developer s point of view. Attacker s point of view

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

Quality Assurance version 1

SERENA SOFTWARE Serena Service Manager Security

CHAPTER 20 TESING WEB APPLICATIONS. Overview

Penetration Testing in Romania

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

From the Bottom to the Top: The Evolution of Application Monitoring

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Mobile Application Threat Analysis

Development Processes (Lecture outline)

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

Software Development: The Next Security Frontier

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

DEVELOPING SECURE SOFTWARE

Cloud Security:Threats & Mitgations

Guidelines for Web applications protection with dedicated Web Application Firewall

SQuAD: Application Security Testing

What is Web Security? Motivation

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Enterprise Application Security Program

How To Understand And Understand The Security Of A Web Browser (For Web Users)

Now Is the Time for Security at the Application Level

Basic Testing Concepts and Terminology

SECURITY METRICS: MEASUREMENTS TO SUPPORT THE CONTINUED DEVELOPMENT OF INFORMATION SECURITY TECHNOLOGY

Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities.

Transcription:

Preventive Approach for Web Applications Security Testing 10/30/2009 Luiz Otávio Duarte Ferrucio de Franco Rosa Walcir M. Cardoso Jr. Renato Archer Information Technology Center Brazilian Ministry of Science and Technology +55-19-37466241 Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License. The Foundation http://www.owasp.org

Agenda Introduction Key Points Techniques for software testing Software Quality Web application security testing approach Practical demonstration Conclusions 2

Agenda Introduction Key Points Techniques for software testing Software Quality Web application security testing approach Practical demonstration Conclusions 3

Motivation The concern with security in developing projects for the Web is essential for the protection of information and business continuity. In recent years the Web has grown significantly and complexity of applications and services even more. New technologies, tools and architectures are adopted without properly concern for security. 4

Statistics data @Risk/SANS Statistics SysAdmin, Audit, Network, Security Institute maintains @RISK a weekly vulnerability consensus digest. NVD/NIST Statistics National Vulnerability Database - repository of vulnerability resources (USA). OSVDB Statistics Top 10 vulnerabilities by 5

Statistics data @Risk/SANS Statistics NVD/NIST Statistics OSVDB Statistics Open Source Vulnerability Database, that aims to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. Top 10 vulnerabilities by Open Web Application Security Project, provides the top 10 most critical web application vulnerabilities. 6

@Risk/SANS @Risk Vulnerabilites Distribution 01/01/2009 08/20/2009 1400 1200 1000 800 600 400 200 0 Web Application Related Cross Plataform Windows Related Others OS Others 7

Statistics data OSVDB 4500 4000 3500 3000 2500 2000 1500 1000 500 0 OSVDB Vulnerabilities Distribution 01/01/2009-08/23/2009 - All Categories All; 4497 Web Related; 2880 All Others; 1617 All Web Related All Others 8

NVD/NIST NVD/NIST 01/01/2009-09/01/2009 SQL Injection: Cross Site Scripting: Others: 544; 14% 740; 18% 2775; 68% 9

@Risk/SANS @Risk - Web Application Related Vulnerabilities 01/01/2009 08/20/2009 40 35 30 25 20 15 10 5 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 Web Application - Cross Site Scripting Web Application - SQL Injection Web Application - Others 10

- Top 10 Web app. vulns. for 2007 A1 - Cross Site Scripting (XSS) A2 - Injection Flaws A3 - Malicious File Execution A4 - Insecure Direct Object Reference A5 - Cross Site Request Forgery (CSRF) A6 - Information Leakage and Improper Error Handling A7 - Broken Authentication and Session Management A8 - Insecure Cryptographic Storage A9 - Insecure Communications A10 - Failure to Restrict URL Access 11

Aspects of the problem Developers/Architects are making the same kind of mistakes. Many of software development life cycles (SDLC) do not provide an effectively approach for security aspects. How to spot web vulnerabilities and the correct then are well known, but repairing could be expensive. Applications are not properly tested in terms of security. Lack of a de facto standard or approach to conduct a good software security testing for web applications. Know-how on penetration test is far from a good software security testing. 12

Goal Software Testing Software Quality Process Documentation Real Test Cases 13

Goal Software Testing Software Quality Process Documentation Real Test Cases 14

Initial Concepts Mistake Defect Error Fail Mistake A human action that can introduce some kind of defect in the software. Defect, Fault It is a deficiency (step, process or incorrect definition) resident in the software. The defect when executed can cause an error. 15

Initial Concepts Mistake Defect Error Fail Error It is caused by the execution of a defect and is characterized by an unexpected or inconsistent program state. It is the incorrect value in a given state of the program. Fail It is an observable event that the software infringed its specification. It is the noticed spread of an error. 16

Initial Concepts Vulnerability A weakness in a computing system which can be exploited and harmed by one or more threats. Making the system do what it was not designed to do. Web Application (In this presentation) Is an application coded in a browser-supported language that is acessed via a web browser over a network such as Internet. Some times we will use webapp as a synonymous of Web Application. 17

Agenda Introduction Key Points Techniques for software testing Software Quality Web application security testing approach Practical demonstration Conclusions 18

Web Application Vulnerabilities Life-Cicle Web Application Development Bad design/development Poor or not tested Software Deploy with Several Defects (In the Wild) Affects the quality Affects the security Defect detection (Reactive Fashion) By Software Security Testing Ocasional Not spoted Web Application Defect Correction 19

Web Application Vulnerabilities Life-Cicle Web Application Development Bad design/development Poor or not tested Software Deploy with Several Defects (In Wild) Affect the quality Preventive Approach, before software deploy Affect the security Defect detection (Reactive Fashion) By Software Security Testing Ocasional Not spoted Web Application Defect Correction 20

Preventive Approaches Line Fronts Secure Development Secure Design Secure Coding Education Software Security Testing Structural Functional 21

Preventive Approaches Line Fronts Secure Development Secure Design Secure Coding Education Software Security Testing Structural Functional 22

Agenda Introduction Key Points Techniques for software testing Software Quality Web application security testing approach Practical demonstration Conclusions 23

Software Testing Software testing is the process of running the software in a controlled way to evaluate whether it behaves as specified. The main goal of software testing is to detect software failures so defects may be uncovered and corrected. 24

Software Testing - Aspects A fundamental software testing problem is that testing all possible test cases is not feasible. (combinatorial explosion) The solution is the definition of a good test criterion, that selects a reduced set of test cases that have high probability to find defects. There are several criteria types and objectives: Test criteria; Test case selection criteria; Adequacy criteria; 25

Software Testing We test the software only partially? Yes. We can not conclude that the software is free from defects, even after running several test cases. The cost of testing to ensure that software has no defects can overcome the project budget. We should plan what to test: The targets must be critical points, those most vulnerable, more susceptible to defects, which offer greater risk to the business. 26

Technical aspects of software testing What to test Types of testing Functionality Testing Interface Testing Stress Testing Usability Testing Security Testing... How to test Test Criteria When to test - SDLC 27

Technical aspects of software testing What to test Types of testing How to test Test Criteria Functional Testing Equivalence Partition Boundary Value Analysis... Structural Testing Branch Testing Condition Testing Function Testing... When to test - SDLC 28

Technical aspects of software testing What to test Types of testing How to test Test Criteria When to test - SDLC Unit Testing Integration/Module Testing System Testing / Validation Testing Acceptance Testing Regression Testing 29

Software Test Documentation IEEE STD 829-2008 Defines several documents to make the testing more reliable. Test Plan; Test Design Specification; Test Case Specification; Test Procedure Specification; Test Item Transmittal Report; Test Log; Test Incident Report; Test Summary Report. 30

Software Test Documentation IEEE STD 829-2008 Defines several documents to make the testing more reliable. Test Plan; Test Design Specification; Test Case Specification; overhead to testing. Test Procedure Specification; Test Item We Transmittal can use a different Report; and more effective Test Log; approach to deal with documentation. Test Incident Report; Test Summary Report. Those documents can introduce unnecessary 31

Agenda Introduction Key Points Techniques for software testing Software Quality Web application security testing approach Practical demonstration Conclusions 32

Software Quality Is the degree in which the software product meets stated and implied needs when used under specified conditions. ISO/IEC 25010 Draft Software product Quality Requirements and Evaluation (SQuaRE) Quality models for software product quality and system quality in use. ISO/IEC 14598 Information technology - Software product evaluation - Part 1: General overview. Software product evaluation - Part 5: Process for evaluators. 33

ISO/IEC 25010 Draft Software product quality model Portability Maintainability Compatibility Operability Performance Efficiency Reliability Functional Suitability Security 34

Security Authenticity Accountability Non-repudiation Integrity Confidentiality 35

ISO/IEC 14598-1 (ISO/IEC 14598-5) Provides basis for a systematic evaluation process and general software quality. Establishes evaluation process, such as: Repeatability / Reproducibility / Impartiality / Objectivity (RRIO). Estabilish evaluation requirements Specify the evaluation Design the evaluation Execute the evaluation Conclusion of the evaluation 36

Agenda Introduction Key Points Techniques for software testing Software Quality Web application security testing approach Practical demonstration Conclusions 37

Proposed Approach Software Testing Software Quality Process Documentation Real Test Cases 38

Proposed Approach Software Testing - Security Will define the web application security testing criteria; Will define the test case selection criteria; Will define the adequacy criteria. Software Quality Security The evaluation phases are extends to software security testing, defining The process: Establish security testing requirements; Especify the security testing; Design the security testing; Execute the security testing; Conclusion of the security testing. Based on ISO/IEC 14598-5: 39

Proposed Approach Process Documentation Security When not based on IEEE 829-2008, is based on the documentation of each ISO/IEC 14598-5 evaluation phase. Real Test Cases Security The easiest part for security guys. We have several test cases to identify different types of vulnerabilities. 40

Web Application Security Testing Approach Aims to be SDLC and STM independent. SDLC 2 STM 1 SDLC 1 STM N SDLC 3 SDLC N STM 2 41

Web Application Security Testing Approach Adequacy Criteria Web Application Security Testing Methodologies Web Application Security Test Cases / Tools Security Test Case Selection Criteria Web Application Security Test Criteria Documentation Process 42

A web application security testing criterion The webapp security testing criterion will define what is the prioritization of security control or threat that must be exercised in the testing, based on security requirements. Furthermore will establish security metrics for testing. What security testing criterion can we use? Web Application Risk Analisys? Web Application Threat Modeling? Web Application Security Use Cases?... Adequacy Criteria Web Application Security Testing Methodologies Web Application Security Test Cases / Tools Security Test Case Selection Criteria Web Application Security Test Criteria Documentation Process 43

A web application security testing criterion Almost all security test case will cause an abnormal behavior in the structure under testing. The oracle must be able to determine if this abnormal behavior is related or not with some kind of security flaw. If the system's behavior is "normal then, either the flaw was not spotted or does not exists. Adequacy Criteria Web Application Security Testing Methodologies Web Application Security Test Cases / Tools Security Test Case Selection Criteria Web Application Security Test Criteria Documentation Process 44

A web application security testing criterion Is any of those webapp security testing criteria a valid criterion? All of those criteria, in addition to an adequate test case set, have the ability to identify security flaws presence. But we have not yet been able to prove that all flaws (defined by the criterion) can be exercised. Once established the webapp security testing criterion, we must determine the set of case tests. This is the test case select criterion. 45

A security test case selection criterion We already know what kind of security control or threat to prioritize, now we need to determine a criterion to select good test cases. How to define the test data selection criterion? How to select properly real test cases and automated test case generation tools, so those threats and security controls can be well exercised? Adequacy Criteria Web Application Security Testing Methodologies Web Application Security Test Cases / Tools Security Test Case Selection Criteria Web Application Security Test Criteria Documentation Process 46

A security test case selection criterion Adequacy Criteria We can: Derive vulnerabilities from threat; Derive attack trees from security use cases or risk analysis, defining vulnerabilities; The aim is to reduce the testing efforts to the identified vulnerabilities that could be exploited by threats or could be present on security controls. Web Application Security Testing Methodologies Web Application Security Test Cases / Tools Security Test Case Selection Criteria Web Application Security Test Criteria Documentation Process 47

The Adequacy Criterion The adequacy criterion is used to determine whether a program has been tested enough. It is based on the evaluation of the security test case set: the set is adequate if and only if it satisfies each sequence defined by the webapp security testing criterion. In other words: is the confrontation of test case set and webapp security test criterion requirements. Adequacy Criteria Web Application Security Testing Methodologies Web Application Security Test Cases / Tools Security Test Case Selection Criteria Web Application Security Test Criteria Documentation Process 48

The Adequacy Criterion It is a hard work to state the adequacy of a selected set of security test case. But we can estimate the coverage test: Were all attack surface tested? Were all defined threat tested? Were all defined security controls tested? Were all defined vulnerabilities spottable? Were all attach tree tested? Adequacy Criteria Web Application Security Testing Methodologies Web Application Security Test Cases / Tools Security Test Case Selection Criteria Web Application Security Test Criteria Documentation Process 49

Web Application Security Test Case / Tools We select the security test case and tools based on the security test case criterion, because on the security field we have many ways/techniques and tools that helps the process to spot a vulnerability. What we need to do is to generate test cases from those huge quantity of ways/techniques and tools. Remember the testing must be RRIO. We can use pentest techniques, but in a structured way. Adequacy Criteria Web Application Security Testing Methodologies Web Application Security Test Cases / Tools Security Test Case Selection Criteria Web Application Security Test Criteria Documentation Process 50

Web Application Security Test Case / Tools So now it is time to use the security skills to generate test cases. Who can save us? OSSTMM; ; Pentesting techniques; Exploitation techniques; Security testing tools. Adequacy Criteria Web Application Security Testing Methodologies Web Application Security Test Cases / Tools Security Test Case Selection Criteria Web Application Security Test Criteria Documentation Process 51

Web Application Security Test Case / Tools As the used approach is broad, there might have methodologies that allow the use of the suggested approach. As our goal is a preventive approach, the methodology must be defined during the development of the software product. That is, during the SDLC. Let's take the Vee model as an example. Adequacy Criteria Web Application Security Testing Methodologies Web Application Security Test Cases / Tools Security Test Case Selection Criteria Web Application Security Test Criteria Documentation Process 52

Software Testing Vee model (Generic) 53

Software Testing Vee model (Generic) Requeriment Analysis System Design Architecture Specification Module Specification Coding 54

Software Testing Vee model (Generic) Requeriment Analysis System Design Architecture Specification Acceptance Test Design System Test Design Integration Test Design Unit Test Design Module Specification Coding 55

Software Testing Vee model (Generic) Requeriment Analysis System Design Architecture Specification Acceptance Test Design System Test Design Integration Test Design Unit Test Design Module Specification Coding 56

Software Testing Vee model (Generic) Requeriment Analysis System Design Architecture Specification Acceptance Test Design System Test Design Integration Test Design Unit Test Design Integration Testing Acceptance Testing System Testing Module Specification Unit Testing Coding 57

Software Testing Vee model (Generic) Requeriment Analysis System Design Architecture Specification Acceptance Test Design System Test Design Integration Test Design Unit Test Design Integration Testing Acceptance Testing System Testing Module Specification Unit Testing Coding 58

Software Testing Vee model (Generic) Requeriment Analysis System Design Architecture Specification Acceptance Test Design System Test Design Integration Test Design Unit Test Design Integration Testing Acceptance Testing System Testing Module Specification Unit Testing Coding 59

Software Testing Vee model (Generic) Requeriment Analysis System Design Architecture Specification Acceptance Test Design System Test Design Integration Test Design Unit Test Design Integration Testing Acceptance Testing System Testing Module Specification Unit Testing Coding 60

Documentation Process The documentation process is the base of RRIO. It is important to use a well-established process of testing so the documentation process is naturally achieved. Remember ISO/IEC 14598-5? We extended it to security testing. So the process of testing follows this ISO and so does documentation. Adequacy Criteria Web Application Security Testing Methodologies Web Application Security Test Cases / Tools Security Test Case Selection Criteria Web Application Security Test Criteria Documentation Process 61

Testing phases, based on ISO/IEC 14598-5 Estabilish testing requirements Establish the purpose of the test - SECURITY Identify types of product(s) to be evaluated - WEBAPPS Specify quality model WebApp secure testing criterion Specify the testing Select Metrics Establish rating levels for metrics Establish criteria for assessment Design the testing Produce evaluation plan Execute the testing Conclusion of the evaluation Take measures Compare with criteria did the adequacy criterion Worked? Assess results Generate a reviewed security testing report 62

Testing phases, based on ISO/IEC 14598-5 Depending on what is being tested (acceptance, system, integration, unit) we must use the test phases in different ways. For example, the test criteria may be different for each phase; The test case selection criterion for unit testing uses knowledge of the webapps source-code, code review and inspection tools might be used as well as patterns of input validation. The criterion for selection of test cases for integration testing can involve manipulation of input and communication between modules. That is, for each type of test this set of phases should be re-drawn, re-structured, re-thought. 63

Testing phases, based on ISO/IEC 14598-5 The steps should be repeated until the program reaches the desired level of security. (Maturity models?) Remember: New risk analysis should be made; New types of threats; New security use cases; New attacks trees; New tests case. Adequacy Criteria Web Application Security Testing Methodologies Web Application Security Test Cases / Tools Security Test Case Selection Criteria Web Application Security Test Criteria Documentation Documentation rocess Process 64

Agenda Introduction Key Points Techniques for software testing Software Quality Web application security testing approach Practical demonstration Conclusions 65

Agenda Introduction Key Points Techniques for software testing Software Quality Web application security testing approach Practical demonstration Conclusions 66

Conclusions It is a preventive approach (and practice), using risk analysis (threat modeling) and other technologies, in order to establish guidelines for test criteria for sensitive applications. The key point is how to use technology properly in a determinated flow of phases in order to achieve a given result. It is fully applicable to any type (adherent) of software testing model and any SDLC. 67

Thanks 68

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information