Learning objectives for today s session

Similar documents
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Using Free Tools To Test Web Application Security

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Rational AppScan & Ounce Products

How to Build a Trusted Application. John Dickson, CISSP

Web Application Penetration Testing

The Top Web Application Attacks: Are you vulnerable?

Reducing Application Vulnerabilities by Security Engineering

Application Code Development Standards

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Adobe Systems Incorporated

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

05.0 Application Development

HP Application Security Center

WebGoat for testing your Application Security tools

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

From the Bottom to the Top: The Evolution of Application Monitoring

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

Where every interaction matters.

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

Passing PCI Compliance How to Address the Application Security Mandates

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Security Testing and Vulnerability Management Process. e-governance

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Automatic vs. Manual Code Analysis

IBM Rational AppScan: Application security and risk management

Web application security: automated scanning versus manual penetration testing.

Enterprise Application Security Program

Moderator: Benjamin McGee, CISSP Cyber Security Lead SAIC

Penetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box

Cenzic Product Guide. Cloud, Mobile and Web Application Security

Strategic Information Security. Attacking and Defending Web Services

elearning for Secure Application Development

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Metrics, methods and tools to measure trustworthiness

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Table of Contents. Page 2/13

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

External Supplier Control Requirements

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM

Magento Security and Vulnerabilities. Roman Stepanov

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Building a Robust Web Application Security Plan

HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA Enterprise Security

Secure Coding in Node.js

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

Web Application Report

A Network Administrator s Guide to Web App Security

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Development Processes (Lecture outline)

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

HackMiami Web Application Scanner 2013 PwnOff

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications

Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities.

Five Steps to Achieve Risk-Based Application Security Management Make application security a strategically managed discipline

Integrating Security Testing into Quality Control

SAST, DAST and Vulnerability Assessments, = 4

Streamlining Application Vulnerability Management: Communication Between Development and Security Teams

Web Application Security Roadmap

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

Web Application Security

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together. Dan Cornell. CTO, Denim

Protecting Database Centric Web Services against SQL/XPath Injection Attacks

Integrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

WEB APPLICATION VULNERABILITY STATISTICS (2013)

ISSECO Syllabus Public Version v1.0

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Comparing the Effectiveness of Penetration Testing and Static Code Analysis

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

Transcription:

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify tools that support black and white box testing Understand testing coverage and limitation of automated black and white box tools

Denim Group Background Professional services firm that builds & secures enterprise applications Application security services include: Black-box and white-box assessments Secure application development and remediation Application security training for developers, security professionals, and auditors Software development lifecycle development (SDLC) consulting Application identity management enablement Competencies in the following areas: PCI pre-assessment readiness Secure agile development Threat modeling Personal Background 15-year information security consultant background Principal at Denim Group Ex-Air Force security analyst at AFCERT Trident Data Systems, KPMG, SecureLogix, and Denim Group information security consultant Works with CISOs to help them develop and deploy more secure systems and applications CISSP since 1998

Key Challenges Why is it that serious web application vulnerabilities still exist in organizations what have been conducting network and hostbased assessments for years? How do information security professionals reduce the risk that Internet-facing applications represent to the enterprise when they have little control over development efforts? How can they quantify the risk when application security scanners identify only ~30% of the most serious flaws that exist in large-scale web software systems? Software Implementation Perfect World Actual Functionality Actual Intended Functionality Intended Functionality 5

Software Implementation Real World Intended Functionality Actual Functionality Bugs Intended Actual Functionality Functionality Unintended and Undocumented Functionality Built Features 6 Nature of Application Security Problem Most security professionals do not have a development background Security managers do not control application development Security requirements rarely are central to development priorities Attackers are focusing more on web applications as network perimeters are more secure Fielded applications developed over the years are largely insecure Who gets fired first when penetration occurs via web application?

1998 Network Security Question? Firewall? 2008 Application Security Question? Automated Application Scanner?

Application Penetration test Controlled test from the outside simulating a sophisticated attacker with limited information Goal: exploit a vulnerability to gain system level access or obtain sensitive data Somewhat a capture the flag exercise to prove a point can potentially show you one route to gain access, not all possible approaches Typically conducted to validate previous assessments or to prove a theory Focus of the presentation will be assessments, and not penetration tests Types of Application Vulnerabilities Technical Implementation flaws introduced at the keyboard Straightforward to identify and mitigate Most analogous to TCP vulnerabilities Scanners best suited to identify technical flaws Logical Architectural or design flaws typically introduced before coding Much harder to identify potentially painful to mitigate Fix might include an architectural re-write Scanners deeply limited in ID ing logical flaws

Dynamic, Static and Manual Testing Black Box Assessments Automated application security testing that view the security state of an application from the outside looking in Mirrors the perspective of an outside attacker Infers that certain vulnerabilities exist by sending inputs to an application and analyzing outputs Does not involve review of application source code

Pro s for black box assessment approach Well understood by security professionals Network vulnerability analogy Measures security state of environment in which application resides Can quantify security risks of third-party components or other resources outside the application Con s for black box assessment approach Results tell you what vulnerabilities exist, not how or why they exist Can only test the attack surface they identify May be additional endpoints with vulnerabilities Provides less input for remediation

White Box Assessments Involve reviewing application source code to determine the difference between what security was designed in the system and what was built Typically complemented with an architectural design review to ID non-code problems Pro s for white box assessment approach Identifies exactly where vulnerabilities exist and why/how they occurred Tells you definitively whether code design is implemented in source code Easier to begin remediation because the exact location of the vulnerabilities has been identified

Con s for white box assessment approach Potentially can generate a large number of false positives ( noise ) if source code analyzer is not tuned well Provides less feedback on environmental components that affect the security of an application Likely the sole domain of developers security staff are less trained to interpret results Sometimes hard to identify context Black box automated assessment tools HP (SPI Dynamics) WebInspect & DevInspect IBM Rational (Watchfire) AppScan Cenzic Hailstorm NT Objectives NTO Spider Acunetix Web Vulnerability Scanner

White box assessment tools Major product vendors: Fortify Source Code Analyzer Ounce Labs Coverity Prevent SQS Attributes Licenses are often priced by LOC Most web languages, some legacy languages Limitations of Automated Tools Only find Technical flaws in applications What about Logical flaws? Can require sophisticated users to drive them correctly Can provide a false sense of security

Potential security points in SDLC Inception Design Development QA Deployment 22 OWASP Top 10 Critical Web Application Security Vulnerabilities Cross Site Scripting (XSS) Injection Flaws Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery Information Leakage and Improper Error Handling Broken Authentication and Session Management Insecure Cryptographic Storage Insecure Communications Failure to Restrict URL Access http://www.owasp.org/documentation/topten.html

Contact Information John B. Dickson, CISSP Principal Denim Group, Ltd. John.Dickson@denimgroup.com (210) 572-4400 24

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information