A Practical Approach to Security Testing!

Similar documents
How To Test For Security

Integrating Tools Into the SDLC

Security Tools - Hands On

Integrating Automated Tools Into a Secure Software Development Process

Developing Secure Mobile Apps

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Hands-on Security Tools

Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers

Integrating Security Testing into Quality Control

Bust a cap in a web app with OWASP ZAP

Peach Fuzzer Platform

Testing for Security

Ethical Hacking as a Professional Penetration Testing Technique

Bridging the Gap - Security and Software Testing. Roberto Suggi Liverani ANZTB Test Conference - March 2011

Web Application Security

ICSA Labs Web Application Firewall Certification Testing Report Web Application Firewall - Version 2.1 (Corrected) Radware Inc. AppWall V5.6.4.

Crowbar: New generation web application brute force attack tool

Secure Programming Lecture 9: Secure Development

In Building Security In, Gary McGraw proposes three pillars to use throughout the lifecycle: I: Applied Risk Management

Application Code Development Standards

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

Learning objectives for today s session

Mobile App Security. Using Threat Modeling to Review Mobile Devices and Apps. Copyright 2012 KRvW Associates, LLC

Effective Software Security Management

ensuring security the way how we do it

*[Bug hunting ] Jose Miguel Esparza 7th November 2007 Pamplona S21sec

Levels of Software Testing. Functional Testing

Web Application Penetration Testing

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities. A.K.A Fuzzing 101

Preventive Approach for Web Applications Security Testing OWASP 10/30/2009. The OWASP Foundation

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Application Security in the Software Development Lifecycle

Web Application security testing: who tests the test?

HTTP Response Splitting

Using SAML for Single Sign-On in the SOA Software Platform

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

How to Build a Trusted Application. John Dickson, CISSP

T14 SECURITY TESTING: ARE YOU A DEER IN THE HEADLIGHTS? Ryan English SPI Dynamics Inc BIO PRESENTATION. Thursday, May 18, :30PM

Security-Assessment.com White Paper Leveraging XSRF with Apache Web Server Compatibility with older browser feature and Java Applet

Building Security into the Software Life Cycle

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Test What You ve Built

Software Development: The Next Security Frontier

Penetration Testing Tools

New IBM Security Scanning Software Protects Businesses From Hackers

LBL Application Availability Infrastructure Unified Secure Reverse Proxy

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

Software Security Touchpoint: Architectural Risk Analysis

NETWORK PENETRATION TESTS FOR EHR MANAGEMENT SOLUTIONS PROVIDER

Software Application Control and SDLC

Application Security Testing. Generic Test Strategy

Security-as-a-Service (Sec-aaS) Framework. Service Introduction

Web Application Security

Penetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box

Demystifying cache. Kristian Lyngstøl Product Specialist Varnish Software AS

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Application Security Center overview

HTTP Caching & Cache-Busting for Content Publishers

WHITEPAPER. Nessus Exploit Integration

Seven Practical Steps to Delivering More Secure Software. January 2011

Integrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper

Application Security Testing

Developing Applications With The Web Server Gateway Interface. James Gardner EuroPython 3 rd July

Successful Strategies for QA- Based Security Testing

Application security testing: Protecting your application and data

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

The Security Development Lifecycle. Steven B. Lipner, CISSP Senior Director Security Engineering Strategy Microsoft Corp.

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

Software Testing Lifecycle

NWEN405: Security Engineering

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Web application security: automated scanning versus manual penetration testing.

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Web Application Security

Vulnerability Management

Will Dormann: Sure. Fuzz testing is a way of testing an application in a way that you want to actually break the program.

Getting software security Right

AUTOMATED PENETRATION TESTING PRODUCTS

elearning for Secure Application Development

IT Security & Compliance. On Time. On Budget. On Demand.

Using Nessus In Web Application Vulnerability Assessments

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Real World Web Service Testing For Web Hackers

How to Avoid an Attack - Security Testing as Part of Your Software Testing Process

Is your business prepared for Cyber Risks in 2016

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

Newsletter - September T o o l s W a t c h T e a m NJ OUCHN & MJ SOLER

Threat Modeling for Secure Embedded Software

The only False Positive Free. Web Application Security Scanner

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications

Passing PCI Compliance How to Address the Application Security Mandates

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

Introduction to Penetration Testing Graham Weston

Using Free Tools To Test Web Application Security

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

Transcription:

Security Testing Fundamentals SecAppDev 2014 Ken van Wyk, @KRvW! Leuven, Belgium 10-14 February 2014

Confessions of a pen tester Typical scenario looks like this Customer calls and asks for a test 2-3 weeks prior to product going live Security test required by auditors Want to ensure hackers can t get in How secure are we?! What problems do you see here?!2

The problem Too many organizations have either: Neglected security testing entirely Assumed (incorrectly) their QA testing will catch security issues Adopted a late-cycle penetration test process as their sole security test! When you ask the wrong questions, you won t get the answers you need!!3

Security testing is different Security focus should primarily be on nonfunctional aspects of the software Not just focused on what the software can or should do Active deception of software intent Need to test every aspect of app! QA team often has a tough time thinking like an attacker!4

Uninformed black box testing Advantages Unencumbered by prejudices of how things should behave Accurately emulates what an outsider might find Can be inexpensive and quick Disadvantages Coverage is abysmal (10-20% LOC not abnormal) No notion of risk prioritization!5

Informed testing Advantages Effort can be allocated by risk priority Can ensure high coverage through careful test design Emulate an insider attack Disadvantages Functional blinders might miss things!6

Testing methods Common practices include Fuzzing Penetration testing Dynamic validation Risk-based testing!7

Fuzzing Basic principle Hit software with random/ garbage Look for unanticipated failure states Observe and record Any good? MS estimates 20-25% of bugs found this way Watch for adequate coverage!8

Fuzzing techniques Smart fuzzing and dumb fuzzing Dumb refers to using random, unchosen data Smart implies using chosen garbage Example - fuzzing a graphic renderer l Dumb approach is to throw it randomness l Smart approach is to study its expected file formats and to construct garbage that looks like what it expects, but isn t quite right!9

What to fuzz Fuzz targets File fuzzing Network fuzzing Other I/O interfaces! Constructing dumb scenarios for each is easy, so let s look at some smart approaches!10

File fuzzing Smart scenarios Really study the expected file format(s) Look for things like parameters in data Construct nonsensical input data parameters l Negative or huge bitrate values for audio/video l Graphic dimensions!11

Network fuzzing Smart scenarios Really study the software-level network interfaces l Coverage here must include state Look for things like flags, ignoring state Also, HTTP/HTTPS interfaces l GET/POST l SOAP and RESTful interfaces too Don t stop with the functions specified in the WSDL Construct nonsensical input data parameters l Insane packet sizes l Data overflows and underflows!12

Interface fuzzing Smart scenarios for all other surfaces Really study the data interfaces l APIs, registry, environment, user inputs, etc. Construct nonsensical input data parameters l Overflows and underflows l Device names when file names are expected!13

Automation is your friend... and your foe Lots of fuzz products are appearing How can one size possibly fit all? How would you fuzz a browser Javascript (AJAX) function? Best fuzzing tools are in fact frameworks Examples OWASP s JBroFuzz, PEACH, SPI Fuzzer!14

Finding value in pen testing Enough with what s wrong Consider informed testing Quick form of attack resistance analysis Risk-based prioritization Nightmare scenarios from architectural risk analysis Abuse case stories Start with vendor tools, but then roll your sleeves up and do it yourself l Scripting tools can help tremendously!15

Pen testing strategies Inside => out approach is most likely to yield meaningful results It doesn t hurt to also do an outside => in test One very small part of overall testing Adversarial approach Surprises happen!16

Basic pen testing methods Target scan Take inventory of target space Vulnerability scan What potential preliminary weaknesses are present? Vulnerability exploit Attempt entry Host-based discovery What interesting stuff is on each breached system? Recursive branching Repeat until finished!17

Pen test results Results need to be actions for dev team Traditional pen test teams report to IT Need to adapt to different audience Map findings to modules and code!18

Automation is really your friend Pen test tool market is (arguably) one of the strongest in the security business Choices abound in commercial and open source Many are quite mature Almost a commodity market Examples include Nmap, nessus, Metasploit, ISS, Core Impact, Retina!19

Dynamic validation Time to verify all those security requirements and functional specs QA will have easiest time building test cases with these Fault injection often used Helps if requirements verbiage is actionable Can also be driven by design Look for key assumptions l E.g., session token is always HTTPS!20

Automation, what s that? Dearth of available tools Some process monitors are available and helpful Test cases are easiest to define Specific tool hints Web app proxies (work great with mobile apps too) Single stepping debuggers with key breakpoints MITM tools between app and OS!21

Examples HTTP 1 POST http://www.example.com/authenticationservlet HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.14) Gecko/20100404 Accept: text/xml,application/xml,application/xhtml+xml Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.example.com/index.jsp Cookie: JSESSIONID=LVrRRQQXgwyWpW7QMnS49vtW1yBdqn98CGlkP4jTvVCGdyPkmn3S! Content-Type: application/x-www-form-urlencoded Content-length: 64! delegated_service=218&user=test&pass=test&submit=submit!22

Examples HTTP 2 POST https://www.example.com:443/login.do HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.14) Gecko/ 20100404 Accept: text/xml,application/xml,application/xhtml+xml,text/html Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: https://www.example.com/home.do Cookie: language=english; Content-Type: application/x-www-form-urlencoded Content-length: 50! Command=Login&User=test&Pass=test!23

Examples HTTP 3 POST https://www.example.com:443/login.do HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.14) Gecko/20100404 Accept: text/xml,application/xml,application/xhtml+xml,text/html Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.example.com/homepage.do Cookie: SERVTIMSESSIONID=s2JyLkvDJ9ZhX3yr5BJ3DFLkdphH0QNSJ3VQB6pLhjkW6F Content-Type: application/x-www-form-urlencoded Content-length: 45! User=test&Pass=test&portal=ExamplePortal!24

Examples HTTP 4 GET https://www.example.com/success.html?user=test&pass=test HTTP/ 1.1 Host: www.example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.14) Gecko/20100404 Accept: text/xml,application/xml,application/xhtml+xml,text/html Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: https://www.example.com/form.html If-Modified-Since: Mon, 30 Jun 2010 07:55:11 GMT If-None-Match: "43a01-5b-4868915f"!25

Risk-based testing Time to animate those nightmare scenarios you uncovered in the architectural risk analysis Start with abuse cases, weakness scenarios! Describe and script them Try them one step at a time! Begin at the beginning and go on till you come to the end; then stop. Lewis Carroll!26

Automation, what s that? Dearth of available tools It s rare that these scenarios lend themselves to general purpose automation Test cases are really tough to define But many of same tools used in dynamic validation can be useful!27

Additional considerations There s plenty other things to think about Threat modeling Results tracking Five stages of grief Knowledge sharing Improvement and optimization!28

Threat modeling can help drive Who would attack us? What are their goals? What resources do they have? How will they apply technology? How much time do they have?! Answers can help in understanding feasibility of attacks!29

Results tracking Lots of good reasons to track results Use again during regression testing Ensure closure Knowledge transfer of lessons learned Justify time spent Tools can help Test Director!30

Five stages of grief Security testers are often the bearers of bad news Learn from the Kübler-Ross model l Denial, anger, bargaining, depression, acceptance l Watch out for denial and anger! Understand and anticipate Diplomacy and tact will optimize likelihood of acceptance!31

Knowledge sharing Show the dev team how their code broke Best way to learn Learning from mistakes visually is hugely powerful! If a picture tells a thousand words, a live demonstration shows a thousand pictures!32

Improvement and optimization Immediate goal is to find defects in today s software, but preventing future defects is also a worthy goal Formalize lessons learned process Consider papers, blog entries, etc., to share new findings (once fixed) with others Learn from medical community model!33

Getting started Some general tips and guidelines Interface inventory Let risk be your navigator Get the right tools for the job Scripting skills can be very valuable!34

Interface inventory Start by enumerating every interface, API, input, output, etc. This should be done per module as well as per application List everything Some call this the attack surface This list should become a target list as you plan your tests Flow/architecture charts are useful!35

Risk navigation The target list is probably too big to do a thorough job Prioritize focus in descending risk order! Follow the most sensitive data first Those flow charts will set you free See now why rigorous testing should be informed?!36

Test scenario sources 1 Develop test scenarios throughout SDLC Start at requirements, such as l US regs: GLBA, SOX, HIPPA l ISO 17799 / BS 7799 l PCI l OWASP s WASS Warning, they re often fuzzy (no pun ) l SOX says, Various internal controls must be in place to curtail fraud and abuse.!37

Test scenario sources 2 Also look elsewhere in SDLC for test cases Abuse cases l Many cases translate directly to test cases Architectural risk analysis l Seek the doomsday scenarios Code l Compliance with coding standards!38

Deployment testing Rigorous testing of environment Network services File access controls Secure build configurations Event logging Patch management Test for all of this l Not your job? Who is doing it? The pen testers?!39

References Some useful additional reading Adapting Penetration Testing for Software Development Purposes, Ken van Wyk, http://buildsecurityin.uscert.gov The Security Development Lifecycle, Michael Howard and Steve Lipner Fuzz testing tools and techniques http:// www.hacksafe.com.au/blog/2006/08/21/fuzz-testingtools-and-techniques/!40

Kenneth R. van Wyk KRvW Associates, LLC! Ken@KRvW.com http://www.krvw.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information