WebGoat for testing your Application Security tools




NAISG-DFW, February 28th, 2012
Michael A Ortega, CISSP CEH CISM GCFA
Sr Application Security Professional, IBM Security Systems
312.523.1538, maortega@us.ibm.com

Agenda
- Application Security testing technologies
- What is WebGoat and should you use it
- App Sec testing examples using AppScan: Dynamic, Static
- Best tips/practices for your deployment of your tools
- Q&A

Application Security Testing Technologies

Static Analysis (White Box testing)
- Scan input: Scans source code and bytecode for security and quality issues. Requires access to source or bytecode.
- Assessment techniques: Uses taint analysis and pattern matching techniques to locate issues.
- Role in application development lifecycle:
  - Development: Scan code and work remediation from the IDE
  - Build: Scan nightly or weekly builds to highlight defects for developers to correct
  - Security: Define & customize security best practices for developers; execute preproduction scans and audits
- Results & Output: Results are presented by line of code, with source-to-sink function flow.

Dynamic Analysis (Black Box testing)
- Scan input: Scans running web applications. Requires a starting-point URL, and login credentials where relevant.
- Assessment techniques: Tampering of HTTP messages to locate application-layer and infrastructure-layer issues.
- Role in application development lifecycle:
  - Build: Scan as part of build acceptance tests before releasing the build to the testing team
  - Test: Execute security test scripts as part of the quality plan
  - Security: Define test scripts for the quality plan; execute preproduction scans and audits
- Results & Output: Results are presented as HTTP messages (exploit requests).

Runtime Analysis (Glass Box testing)
- Scan input: Similar to black box: scans running web applications, with an agent installed on the application.
- Assessment techniques: The agent monitors the application during a black box scan, expanding threat coverage and adding detail.
- Role in application development lifecycle:
  - Build: Provides an added layer of vulnerability detail that assists developers with security debugging
  - Security: Expands threat coverage for hard-to-identify vulnerabilities (including all OWASP Top 10)
- Results & Output: Results are presented as a combination of HTTP messages (exploit requests) and the line of code.

What is WebGoat?

WebGoat is a deliberately insecure J2EE web application maintained by OWASP, designed to teach web application security lessons.*

"Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment."*

* Taken directly from the WebGoat project page

When should you use WebGoat?
- You are new to Application Security testing
- You are evaluating Application Security tools
- Your existing Application Security tools have had a major update or introduced a new feature
- You would like to test a global change with your existing Application Security solution

You should not use WebGoat as your only criterion for selecting an Application Security Testing solution.
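One way to turn the evaluation and major-update cases above into a repeatable check, as an added example that is not part of the original deck: compare a scanner's findings on WebGoat against a baseline of what each known-vulnerable lesson should trigger, and diff two runs across a tool update. The lesson identifiers, issue names and both runs are constructed; a real baseline comes from a validated earlier run of the tool.

```python
"""Regression check for a scanner run against WebGoat (added example, not part
of the deck). Assumes findings from two runs are normalised to (lesson, issue)
pairs; lesson identifiers and the baseline below are constructed for illustration."""

Finding = tuple[str, str]  # (lesson identifier, issue type as the scanner names it)

# Constructed baseline: issue types a validated earlier run confirmed per lesson.
EXPECTED_BASELINE: dict[str, set[str]] = {
    "sql-injection-lesson": {"SQL Injection"},
    "xss-lesson": {"Cross-Site Scripting"},
    "path-traversal-lesson": {"Path Traversal"},
}
# Constructed scanner output before and after a major tool update.
RUN_BEFORE_UPDATE: list[Finding] = [
    ("sql-injection-lesson", "SQL Injection"),
    ("xss-lesson", "Cross-Site Scripting"),
    ("path-traversal-lesson", "Path Traversal"),
]
RUN_AFTER_UPDATE: list[Finding] = [
    ("sql-injection-lesson", "SQL Injection"),
    ("xss-lesson", "Cross-Site Scripting"),
    ("xss-lesson", "Information Disclosure"),  # new finding, not in the baseline
]

def compare(baseline: dict[str, set[str]], run: list[Finding]):
    """Split a run into (detected, missed, unexpected) sets against the baseline.
    'missed' = known issues the tool failed to report; 'unexpected' = findings
    that need manual triage before joining the baseline or being marked false."""
    expected = {(lesson, issue) for lesson, issues in baseline.items() for issue in issues}
    found = set(run)
    return expected & found, expected - found, found - expected

def detection_rate(baseline: dict[str, set[str]], run: list[Finding]) -> float:
    """Fraction of baseline issues reported; 1.0 means nothing known was missed."""
    total = sum(len(issues) for issues in baseline.values())
    detected, _, _ = compare(baseline, run)
    return len(detected) / total if total else 0.0

def regressions(baseline: dict[str, set[str]], before: list[Finding], after: list[Finding]) -> set[Finding]:
    """Known issues the previous tool version reported but the updated one does not."""
    return compare(baseline, before)[0] - compare(baseline, after)[0]

if __name__ == "__main__":
    _, missed, unexpected = compare(EXPECTED_BASELINE, RUN_AFTER_UPDATE)
    print(f"detection rate after update: {detection_rate(EXPECTED_BASELINE, RUN_AFTER_UPDATE):.2f}")
    print("missed:", sorted(missed), "unexpected (triage):", sorted(unexpected))
    print("regressions:", sorted(regressions(EXPECTED_BASELINE, RUN_BEFORE_UPDATE, RUN_AFTER_UPDATE)))
```

A missed baseline issue after an update is the signal the slide is after: the tool no longer performs as advertised on a lesson it used to catch, and that needs investigating before the new version is trusted on real applications.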

App Sec testing examples using AppScan
- Dynamic
- Static

Best Practices
- Determine the best phased approach for your organization
- Security, QA and Development collaborate on policies and approach
  - Roles & responsibility of each team
  - Workflow between teams
  - Official security strategy (e.g. all apps scanned and no high-priority vulnerabilities)
  - Agree on metrics to measure results and progress
- Formal training/enablement plan
  - Types of security vulnerabilities
  - Analysis and triage skills
  - Formal solution training
- Identification of a security SME/evangelist for Dev and QA
- Formation of a security community
  - Share best practices
  - Share/create FAQs
  - Ongoing informal enablement (e.g. lunch and learns)

Secure Your SDLC

Questions & Answers

References
- WebGoat Project Home Page: https://www.owasp.org/index.php/category:owasp_webgoat_project
- Install Guide: https://www.owasp.org/index.php/webgoat_user_and_install_guide_table_of_contents
- Web Application Security Consortium (WASC) Dynamic Scanner Selection Criteria: http://projects.webappsec.org/w/page/13246986/web%20application%20security%20scanner%20evaluation%20criteria
- WASC Static Analysis Tool Evaluation Criteria (active): http://projects.webappsec.org/w/page/41188978/static%20analysis%20tool%20evaluation%20criteria