WEB Penetration Testing

Similar documents
Pentests more than just using the proper tools

Information Technology Security Review April 16, 2012

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM

Pentests more than just using the proper tools

WHITEPAPER. Nessus Exploit Integration

Goals. Understanding security testing

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

Penetration Testing. Presented by

white SECURITY TESTING WHITE PAPER

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

locuz.com Professional Services Security Audit Services

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Check list for web developers

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Security Testing and Vulnerability Management Process. e-governance

Enterprise Computing Solutions

Cybersecurity Health Check At A Glance

Web App Security Audit Services

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Attachment A. Identification of Risks/Cybersecurity Governance

Guidelines for Web applications protection with dedicated Web Application Firewall

Web Application Security Considerations

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

Web Application Report

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

AUTOMATE CRAWLER TOWARDS VULNERABILITY SCAN REPORT GENERATOR

Web Application Security

How to Instrument for Advanced Web Application Penetration Testing

Vulnerability Assessment Report Format Data Model

Managing IT Security with Penetration Testing

WebCruiser Web Vulnerability Scanner User Guide

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Integrated Threat & Security Management.

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

STATE OF NEW JERSEY IT CIRCULAR

SANS Top 20 Critical Controls for Effective Cyber Defense

Guideline on Auditing and Log Management

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

APPLICATION SECURITY: ONE SIZE DOESN T FIT ALL

Cisco Security Optimization Service

Certification Report

How To Evaluate Watchguard And Fireware V11.5.1

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FISMA / NIST REVISION 3 COMPLIANCE

Adobe Systems Incorporated

Security Test s i t ng Eileen Donlon CMSC 737 Spring 2008

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

Patch and Vulnerability Management Program

Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks

Information System Audit. Arkansas Administrative Statewide Information System (AASIS) General Controls

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Database Security Guide

Critical Security Controls

Checklist for Vulnerability Assessment

Aiming at Higher Network Security Levels Through Extensive PENETRATION TESTING. Anestis Bechtsoudis. abechtsoudis (at) ieee.

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

OCIE CYBERSECURITY INITIATIVE

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center

Building Assurance Into Software Development Life- Cycle (SDLC)

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Technical Proposal. In collaboration with Main Contractor. 24 th April 2012 (VER. 1.0) E-SPIN SDN BHD

Justin Kallhoff CISSP, C EH, GPCI, GCIH, GSEC, GISP, GCWN, GCFA. Tristan Lawson CISSP, C EH, E CSA, GISP, GSEC, MCSA, A+, Net+, Server+, Security+

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Penetration Testing Service. By Comsec Information Security Consulting

Software Vulnerability Assessment

IT Security & Compliance. On Time. On Budget. On Demand.

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

Information Security Office

INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY

Database Security & Auditing

Course Descriptions November 2014

2012 Data Breach Investigations Report

Internet Banking System Web Application Penetration Test Report

Certification Report

Penetration Testing Services. Demonstrate Real-World Risk

State of Oregon. State of Oregon 1

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

McAfee Database Security. Dan Sarel, VP Database Security Products

Transcription:

FTA Annual Conference WEB Penetration Testing and Vulnerability Analysis June 10, 2008 Timothy R. Blevins, KDOR Chief Information Officer 1 WEB Penetration Testing What is WEB Penetration Testing? When should Penetration Testing Happen? How does an Organization Prepare? What does a Pen test look like? What is the Cost and Size of the engagement? How to Select a Vendor What is expected as an outcome? Vulnerability Results Reports and Documentation Remediation Best Practices and Lessons Learned Questions 2 1

What is WEB Penetration Testing? Testing of WEB Facing Applications Thin Client, File Transfer, Appliance, Portal Looking for vulnerabilities for exploitation Checking for appropriate controls Probing Vulnerability Analysis Penetration Testing 3 When Should Penetration Testing Happen? Want to be here The First Time Periodically every 12 to 18 months Significant WEB Presence Changes Major Architectural Changes Large Application Launch Do not want to be here After Disclosure or Compromise Requirement by an Audit 4 2

How does an Organization Prepare? Inventory WEB presence Prioritize Risk of Applications Involve Key Personnel (Bus, IT, Sec, Serv Providers) Understand Bus App Peak Usage/Scheduling Educate IT and Sec Organization on Best Practices Engage Private Sector IT Security Firm Negotiate the work plan and the engagement Understand Deliverables Prior to Agreement/Examples 5 What is the Cost and Size of the engagement? Duration of Engagement 3 to 4 Months 1 Month Scoping Statement of Work 1 Month Coordination 1-2 Months Conducting/Remediating/Documenting Size of Engagement 3 to 5 Agency Staff 3 to 5 Engagement Staff Cost of Engagement 20K to 100K Depends on # of URL s Depth of Vulnerability Assessment 6 3

What does a Pen test look like? Automated Phase Robots and Automated Crawlers Open Source Products Proprietary Exploitation Software Manual Phase Heads Down on WEB application Inside your authenticated rule sets Inside your access controls Documentation of Activities and Findings Reports Findings 7 How to Select a Vendor IT Security Industry Avoid Using Same Vendors as Security Product Providers Depth of Attack vs Cost Change Vendors Each Engagement Combine High Level Engagement Firm A Low Level Granular Engagement Firm B 8 4

What is expected as an outcome? Vulnerability Results/Findings Technical Name and Brief Explanation Difficulty of the Exploit Sophisticated, Moderate, Trivial Business Impact High, Medium, Low Remediation Suggestion Application Specific, clear, concise 9 Vulnerability Results Sample Description: SQL Injection Functions that processed database applications within the application did not validate user supplied query parameters. Attackers could inject arbitrary SQL statements Difficulty of the Exploit: Moderate Supplying unexpected parameter inputs by manipulating query construction results in changes to output generation Business Impact: High Possible to extract arbitrary information from the database Remediation Suggestion: Implement data validation routines to restrict query characters to known good values; use parameterized prepared statements 10 5

What is expected as an outcome? Reports and Documentation Initial Vulnerability Analysis at conclusion of scanning by server Final list of Vulnerabilities by application at end of penetration testing Weekly Project Status Reports Final Report Executive Overview Vulnerability Analysis Remediation and Conclusions 11 Remediation Vulnerability Analysis Results Apply Recommendations and Fixes as appropriate, by level of difficulty, business impact, and ease of fix Rescanning/testing for those vulnerabilities Vendor provided Reporting Same format as previously described 12 6

Lessons Learned Service Providers can believe an unplanned attack is underway Intrusion Detection Systems can create alerts Intrusion Prevention Systems can deny engagement or modify results Many IT Security Professional Firms use Common Tools Ask for copies of engagement reports prior to committing to engagements Make sure the examples are similar to your environment or platform In the engagement specifications, build in some additional time for quick remediation and re-scanning at no additional cost and already included in the engagement hours 13 Best Practices Regularly Schedule Engagements Yearly Rotate Security Firms with Different product Sets and Engagement Tactics Remediate during the engagement, not later Insure you have rescanning after remediation available Instill Lessons Learned into Development and ongoing Support standards and best practices Institutionalize Knowledge into IT Development and Security Staffs Create a Complete Test Environment for the Engagement No Major Findings re-enforce best practices 14 7

WEB Penetration Testing and Vulnerability Analysis ANY QUESTIONS? FTA Annual Conference 2008 Timothy R. Blevins KDOR Chief Information Officer TRB@kdor.state.ks.us 15 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information