Testing for Security



Similar documents
Ethical Hacking and Attack Tools

Designing and Coding Secure Systems

Web Application Security: Exercise Development Approaches

Peach Fuzzer Platform

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Linux Operating System Security

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

Integrating Web Application Security into the IT Curriculum

ensuring security the way how we do it

Monitoring, Tracing, Debugging (Under Construction)

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

GDB Tutorial. A Walkthrough with Examples. CMSC Spring Last modified March 22, GDB Tutorial

Security Tools - Hands On

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Application Code Development Standards

Integrating Tools Into the SDLC

The Hacker Strategy. Dave Aitel Security Research

Advanced Linux System Administration on Red Hat

Linux System Administration on Red Hat

Evaluation of Penetration Testing Software. Research

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

WEB APPLICATION HACKING. Part 2: Tools of the Trade (and how to use them)

Security Testing OpenGGSN: a Case Study

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Penetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box

ABSTRACT' INTRODUCTION' COMMON'SECURITY'MISTAKES'' Reverse Engineering ios Applications

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities. A.K.A Fuzzing 101

(WAPT) Web Application Penetration Testing

Web application testing

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

Using Free Tools To Test Web Application Security

Hands-on Security Tools

protocol fuzzing past, present, future

Using Nessus In Web Application Vulnerability Assessments

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

90% of data breaches are caused by software vulnerabilities.

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

DEVELOPING SECURE SOFTWARE

When a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.

Programming Flaws and How to Fix Them

Tuning WebSphere Application Server ND 7.0. Royal Cyber Inc.

Web App Security Audit Services

CS3600 SYSTEMS AND NETWORKS

Application Security Testing

Web Application Security

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

elearning for Secure Application Development

Lab Configure Basic AP Security through IOS CLI

Bust a cap in a web app with OWASP ZAP

Security Testing Of (Web) Applications. Erwin Geirmaert Security Innovation

Homeland Security Red Teaming

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

OWASP WebScarab NG FOSDEM The OWASP Foundation

Secure Web Development Teaching Modules 1. Threat Assessment

Secure Programming Lecture 9: Secure Development

Web Application Penetration Testing

Rapid Security Framework (RSF) Taxonomie, Bewertungsparameter und Marktanalyse zur Auswahl von Fuzzing-Tools

Software Security Touchpoint: Architectural Risk Analysis

In Building Security In, Gary McGraw proposes three pillars to use throughout the lifecycle: I: Applied Risk Management

Chapter 1 Web Application (In)security 1

Real-time Debugging using GDB Tracepoints and other Eclipse features

Red Hat Linux Internals

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

CS 253: Intro to Systems Programming

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Web Application Report

Custom Penetration Testing

Common Security Vulnerabilities in Online Payment Systems

Web attacks and security: SQL injection and cross-site scripting (XSS)

Telecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT

Source Code Review Using Static Analysis Tools

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Cutting Edge Practices for Secure Software Engineering

TOOL EVALUATION REPORT: FORTIFY

SAFECode Security Development Lifecycle (SDL)

Programming with the Dev C++ IDE

Software Design and Implementation - or, how to be a hacker

Threat Modeling for Secure Embedded Software

Easy Method: Blind SQL Injection

Debugging & Profiling with Open Source SW Tools

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

Modern Binary Exploitation Course Syllabus

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

Frysk The Systems Monitoring and Debugging Tool. Andrew Cagney

<Insert Picture Here> What's New in NetBeans IDE 7.2

Transcription:

Testing for Security Kenneth Ingham September 29, 2009 1 Course overview The threat that security breaches present to your products and ultimately your customer base can be significant. This course is designed to assist testers in updating their testing practices to include testing for security. The goal of this effort is to reduce the number of identified post-release security vulnerabilities. Many tools exist to assist testers. However, more important is to understand the testing techniques. This class uses the tools to teach the techniques. While the students will learn about some of the available tools, they are not the primary focus of the class. 2 Course objectives Understand how the risk analysis drives security testing. Learn the concepts of penetration, black box, and white box testing, and understand the strengths and weaknesses of each technique. Know when to apply each. Understand the types of attacks (attack patterns) and tools that hackers use against your products in order to develop or utilize testing practices to duplicate the more common forms of these attacks. Thinking like an attacker is important for this understanding, so the class shows the approaches attackers often take. Understand what tools are available and appropriate to use in different security testing situations. 3 Student background If you are attending this class, then we assume that You have already had a class on or experience with threat models and risk analysis. 1

You understand programming using a major programming language (C, C++, Java, etc). You are (or will be) testing products or applications for possible security breaches. 4 Logistics The class lasts two days. nothing; no class computers are needed The class uses the following software: Firefox (on Linux distribution but needed for Windows) Firefox Web Developer toolbar Java JDK 1.6 Missing from auth2testing.tex Missing from dynamictesting.tex Missing from errortest.tex Missing from featureinteractions.tex Missing from fuzztesting.tex Missing from injectiontesting.tex Missing from insecurecomm.tex Missing from outputtesting.tex Missing from resourcetesting.tex Missing from staticanalysis.tex Nikto (on class web site) Paros proxy PortSwigger burp suite WebGoat v5.2 WebScarab emacs (on Linux distribution) firefox g++ (on the Linux distribution) gcc (on Linux distribution) gdb (on Linux distribution) opera strace (on the Linux distribution) a class web server that can run perl CGI programs at least one of ddd or the GNU Visual Debugger (on Linux distribution) perl 5.8 (On Linux distribution but needed for Windows) the Firefox web developer toolbar No class network information specified. The class needs a web server for the class web site. The instructor s laptop may be this web server; otherwise the machine provided in the classroom for the instructor is a good choice. This machine obviously will need web server software installed. 2

5 Class outline 1. Introduction (Lecture: 15; Lab: 0) (a) Class Introductions (b) Class Logistics i. Class schedule ii. Breaks iii. Question policy iv. Break room and restroom locations v. Assumptions about your background (c) Typographic conventions (d) What the class covers 2. Security Testing Introduction (Lecture: 25; Lab: 0) (b) What is a secure program? (c) The Cost of a Serious Security Problem (d) Why do security testing? (e) Who should perform the testing (f) Types of security testing (g) Limitations of Testing (h) When to test (i) Staying current (j) System Requirements and Security Testing (k) Notes about the class (l) Summary 3. Risk-based Testing (Lecture: 35; Lab: 90) (b) The threat model (c) The assets you are protecting (d) Attackers (e) Common attack goals (f) Example (g) Failures of Imagination i. Clients, servers, and embedded systems A. Embedded system (h) Risk analysis (i) Using risk analysis to drive testing i. Prioritizing Abuse Scenarios ii. Focus Security Testing on Targeted Areas (j) Summary 3

(k) Lab 4. Input Validation Vulnerabilities (Lecture: 30; Lab: 30) (b) Beware hidden user input (c) Some failures of input validation i. Buffer Overflows A. A simple buffer overflow example B. Finding buffer overflows ii. Integer Range Errors A. Value truncation B. Example C. Integer overflow and underflow D. Finding integer range errors iii. Format string vulnerabilities iv. Repeated Input (d) Finding input locations i. Example (e) Tools i. Firefox Web Developer toolbar (f) Summary (g) Lab 5. Fuzz testing (fuzzing) (Lecture: 35; Lab: 45) (b) Types of fuzz testing (c) Tools i. The Peach Fuzzer (d) A quick Python tutorial i. Running Python programs ii. Variables and data types iii. I/O iv. Control flow v. Data structures and classes vi. Errors and exceptions (e) Summary (f) Lab 6. Injection vulnerabilities (Lecture: 30; Lab: 30) (b) SQL injection 4

(c) Shell injection (d) Finding these vulnerabilities (e) Tools i. SQL injection (f) Summary (g) Lab 7. Static code analysis (Lecture: 30; Lab: 30) (b) Test types i. Type checking ii. Style checking iii. Property checking and program verification iv. Bug finders (c) Tools i. Commercial ii. Open Source 8. Testing resource management (Lecture: 10; Lab: 30) (b) Graceful degradation (c) Testing for this problem 9. Dynamic analysis (Lecture: 30; Lab: 45) (b) Tools (c) valgrind i. Example bug finding ii. Finding memory leaks A. Command-line flags specific to memcheck iii. Finding illegal free() calls iv. Other uses of memcheck 10. Complete and correct error handling (Lecture: 15; Lab: 40) (b) Examples 5

(c) Proper failure state (d) Testing for these problems i. Fault injection (e) Summary (f) Lab 11. Output validation (Lecture: 10; Lab: 30) (b) Examples (c) Testing for this problem 12. Feature interactions (Lecture: 10; Lab: 30) (b) Finding feature interaction vulnerabilities (c) Summary (d) Lab 13. Data Security Testing (Lecture: 20; Lab: 40) (b) Least Privilege (c) Separation of privilege i. Example: NTP client ii. Compartmentalization (d) Erasing data (e) Erasing Memory (f) Testing (g) Summary (h) Lab 14. Insecure Communication (Lecture: 30; Lab: 30) (b) Using cryptography to protect communication i. Using public key cryptography to protect communication (c) Testing for this problem 15. Authentication and Authorization Errors (Lecture: 25; Lab: 45) (b) Example failures (c) Authentication 6

Appendices (d) Access control i. Access control vocabulary ii. Access Control Matrix (e) Testing for these problems i. Bad habits to check for (f) Summary (g) Lab A. Debugging with gdb (Lecture: 25; Lab: 30) (b) Compiling programs to be debugged (c) Working in gdb i. Starting and exiting gdb ii. gdb commands iii. Help iv. Info v. Show vi. Running programs (d) Breakpoints and watchpoints (e) Continuing and single stepping (f) Viewing data and the stack (g) Demonstration (h) GUI front ends for gdb (i) Lab B. More debugging with gdb (Lecture: 20; Lab: 50) (a) Dealing with core dumps (b) Debugging when the program was not compiled for debugging (c) Attaching to already-running programs (d) fork and processes (e) Debugging threads (f) Signals (g) Lab C. Attacking Web Applications (Lecture: 50; Lab: 45) (b) PortSwigger s Burp Suite (c) WebScarab (d) Paros Suite (e) Nikto 7

(f) Firefox Web Developer toolbar (g) WebGoat (h) Summary (i) Lab 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information