Continuous Prevention Testing



Similar documents
Path X. Explosive Security Testing Tools with XPath

Java Software Quality Tools and techniques

SOFTWARE TESTING TRAINING COURSES CONTENTS

Application Code Development Standards

Security Metrics Rehab. Breaking Free from Top X Lists, Cultivating Organic Metrics, & Realizing Operational Risk Management

SAST, DAST and Vulnerability Assessments, = 4

Software infrastructure for Java development projects

HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA Enterprise Security

Web Application Penetration Testing

BDD FOR AUTOMATING WEB APPLICATION TESTING. Stephen de Vries

HP WebInspect Tutorial

Web application testing

Integrating Web Application Security into the IT Curriculum

Integrating Tools Into the SDLC

Continuous???? Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Software Code Quality Checking (SCQC) No Clearance for This Secret: Information Assurance is MORE Than Security

WebGoat for testing your Application Security tools

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together. Dan Cornell. CTO, Denim

Risk Assessment and Security Testing Johannes Viehmann 2015 of Large Scale Networked Systems with RACOMAT

Build management & Continuous integration. with Maven & Hudson

Automatic vs. Manual Code Analysis

Continuous Integration in Kieker

Improving Software Quality with the Continuous Integration Server Hudson. Dr. Ullrich Hafner Avaloq Evolution AG 8911

(WAPT) Web Application Penetration Testing

Fuzzing in Microsoft and FuzzGuru framework

Introduction to Automated Testing

Web Applications Testing

HP Fortify application security

For more about patterns & practices: My blog:

EFFECTIVE VULNERABILITY SCANNING DEMYSTIFYING SCANNER OUTPUT DATA

Best Overall Use of Technology. Jaspersoft

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

Rolling out an Effective Application Security Assessment Program. Jason Taylor, CTO

Using the Juliet Test Suite to compare Static Security Scanners

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

BEST PRACTICES FOR SECURITY TESTING TOP 10 RECOMMENDED PRACTICES

Software security, by the numbers. October 20, 2015

Development Testing for Agile Environments

Agile Web Application Testing

Load and Performance Load Testing. RadView Software October

Streamlining Application Vulnerability Management: Communication Between Development and Security Teams

Building a Web Application Security Program. Rich Mogull Adrian Lane Securosis, L.L.C.

Successful Strategies for QA- Based Security Testing

Stories From the Front Lines: Deploying an Enterprise Code Scanning Program

Application Security Testing

HtmlUnit: An Efficient Approach to Testing Web Applications

Coverity Services. World-class professional services, technical support and training from the Coverity development testing experts

Continuous Integration Multi-Stage Builds for Quality Assurance

Software Development: The Next Security Frontier

Jenkins Continuous Build System. Jesse Bowes CSCI-5828 Spring 2012

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

SANDCAT THE WEB APPLICATION SECURITY ASSESSMENT SUITE WHAT IS SANDCAT? MAIN COMPONENTS. Web Application Security

The Top Web Application Attacks: Are you vulnerable?

Application Security Center overview

soapui Product Comparison

Continuous Integration with Jenkins. Coaching of Programming Teams (EDA270) J. Hembrink and P-G. Stenberg [dt08jh8

Security Products Development. Leon Juranic

We ( have extensive experience in enterprise and system architectures, system engineering, project management, and

Software Code Quality Checking (SCQC) No Clearance for This Secret: Software Assurance is MORE Than Security

Application Security Testing How to find software vulnerabilities before you ship or procure code

Security Testing For RESTful Applications

! Resident of Kauai, Hawaii

Static Analysis Techniques for Testing Application Security. OWASP Austin March 25 th, 2008

STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington October 21, 2013

Source Code Review Using Static Analysis Tools

Integrating Team Foundation Server, Microsoft Test Manager and Coded UI Tests

Web Application Scanners: Definitions and Functions

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Application Vulnerability Management

Integrating Automated Tools Into a Secure Software Development Process

HP ESP Partner Enablement Fortify Proof of Concept Boot Camp Training

Testing Lifecycle: Don t be a fool, use a proper tool.

Software Quality Testing Course Material

Dissertation Masters in Informatics Engineering

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Jenkins: The Definitive Guide

Product Roadmap. Sushant Rao Principal Product Manager Fortify Software, a HP company

Innovating Application Security.

Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0

Introduction. Secure Software Development 9/03/2015. Matias starts. Daan takes over. Matias takes over. Who are we? Round of introductions

Microsoft SDL: Agile Development

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

Traditionally, developers

Static Analysis Techniques for Testing Application Security. OWASP San Antonio January 31 st, 2008

Developing Secure Software, assignment 1

How to Maximise ROI and drive IT Governance with Visual Studio Team System

EUROPEAN ORGANIZATION FOR NUCLEAR RESEARCH CERN ACCELERATORS AND TECHNOLOGY SECTOR

TeamCity A Professional Solution for Delivering Quality Software, on Time

Choosing A Load Testing Strategy Why and How to Optimize Application Performance

Certified Selenium Professional VS-1083

How To Make Your Software More Secure

Accelerate Software Delivery

Domain Specific Languages for Selenium tests

Continuous Integration

Java Power Tools. John Ferguson Smart. ULB Darmstadt 1 PI. O'REILLY 4 Beijing Cambridge Farnham Koln Paris Sebastopol Taipei Tokyo

Protecting Database Centric Web Services against SQL/XPath Injection Attacks

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Vulnerability Management in an Application Security World. January 29 th, 2009

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

How to Select a Web Content Management System

Transcription:

Continuous Prevention Testing By Andre Gironda OWASP October 2007

Bio Andre Gironda OWASP Phoenix, Chicago, MSP Other projects involved in WASC WASSEC NIST SAMATE Web Application Scanner Focus Group

Web scanner challenges Logical flaws Crawling HTTP and Ajax Scraping [malformed] HTML and scripts False negatives / positives Coverage Reports sit on desks

Current situation RIA / RCP frameworks Marketing vs. security Software weaknesses CWE scoring (Wysopal) CVE data (Linder, ModernApps)

Outline of this talk OWASP: Problems to solve Developer testing and inspection Automated software testing Process improvements Security testing improvements

OWASP: Problems to solve Identify and code around security weaknesses Provide guides and metrics Modelers vs. measurers (Jaquith)

Development: Epic fail #1 Commercial software: 2x size every 18 months on average Developer education Security {people process tech} One of your developers knows how to fix everything One of your developers is continually allowed to check-in the same security-related defect over and over and over again

Intake testing: Keep the bar green Unit testing, Never in the field of software development was so much owed by so many to so few lines of code. Martin Fowler pretending to be Winston Churchill Developer freebies in their IDE/SCM (e.g. promotion of warnings to errors) Static code analysis Coding standards Continuous-testing IDE with decisioncondition coverage

Smoke testing: Build every day Component tests (DB stubs, mock objects) Continuous integration server ThoughtWorks Buildix boot CD Subversion, Trac, CruiseControl, User manager Atlassian JIRA/Confluence, FishEye, Bamboo Prioritization of defect fixes with issue tracking Code metrics

Inspection! Review the code Major builds securecoding (SC-L) Fagan inspection Peer review Author Reviewer Moderator Continuous inspection at each check-in

Automated testing: Fail #2 Automated software testing (for quality) Finds 30% of the possible defects Eats up 50%-80% of the development budget

Websites in outer space Safety testing (NASA) vs. security testing Model checking Smart fuzz testing Concolic unit testing Two motivations to fuzz fat apps (Evron) Fuzz before release: security vendors Fuzz before purchase: financials, ecommerce

System integration testing Test the code in working server environment Components work with all other components Script-driven, domain-specific languages Protocol drivers, proxy fuzzers Data-driven test frameworks

Functional testing Test the client Simulate or drive browsers and plug-ins Application drivers Repeatable tests Capture/playback test frameworks

Regression testing Re-test the application for the same bugs CVE finds a chance >15% to cause a new defect at least as severe as the fixed issue Web application security defects are completely ignored 90% of the time, YoY Regression testing vs. maintenance testing

Process improvements: Win #1 Design reviews with threat-modeling Attack-trees Seven pernicious kingdoms STRIDE MITRE CAPEC CWE ITU-T X.805 WASC TC OWASP T10 Trike

Secure development 101 Continuous-prevention development Write a unit test to check for known vulns Add it to your daily builds (i.e. CI server) Bonus: Assert others by looking for defect s fix Better workflow methodologies and tools Code review Architecture review

Secure development lifecycle Expensive to implement Only Microsoft does this today If SecurityCost > SDLCost Then SDL

Security and quality metrics Business scorecards, 6S tools you! ISAC s information sharing (Geer) Application security vendors / consultants MITRE / securitymetrics.org OWASP / WASC / ISECOM / NIST Data breaches (Shostack)

Security testing today: Win #2 Complete automation, default mode Fully automated scanning solution Don t exist for quality or safety testing Why would they exist for security testing?

Medical testing and biostats Binary classification: No gold standard test Sensitivity (positive test that ground beef has E.Coli) Specificity (negative test that ground beef does not have E.Coli) Developers want higher specificity Security professionals want higher sensitivity Provide good benchmarks and analysis from weakness and vulnerability statistics

Software security standards XPath and AVDL tool support The wisdom of crowds / reputation systems Popular IDE and build server code metrics (e.g. Fortify SCA, Microsoft VS2k8) Secure frameworks (e.g. HDIV,.NET 3.5) Perfection is achieved not when there is nothing left to add, but rather when there is nothing left to take away

Web scanner improvements Logical flaws Crawling HTTP and Ajax Scraping [malformed] HTML and scripts False negatives / positives Code coverage Reports sit on desks Multiple credentials Application drivers Better parsers, domain specific languages Binary classification: sensitivity Submit to issue tracking (or XML out)

Refs Robert Auger: http://www.cgisecurity.com/articles/scannerchallenges.shtml L.Suto: http://ha.ckers.org/blog/20071014/web-application-scanning-depth-statistics/ OWASP DC on RIA: http://www.owasp.org/index.php/ria_security_smackdown Java RCP: http://www.eclipse.org/org/press-release/20071015_raprelease.php CWE scoring, Chris Wysopal: https://securitymetrics.org/content/attach/metricon2.0/wysopal-metricon2.0-softwareweakness-scoring.ppt FX / Felix Linder: http://conference.hackinthebox.org/hitbsecconf2007kl/?page_id=130 Security Metrics: Modelers vs. measurers - http://safari5.bvdep.com/9780321349989/ch02lev1sec2?imagepage=13 Continuous Integration book - http://www.testearly.com Mark Curphey Types of testing: http://securitybuddha.com/2007/09/03/the-art-ofscoping-application-security-reviews-part-2-the-types-of-testing-2/ Promoting Warnings to Errors: http://safari5.bvdep.com/9780596510237/enabling_useful_warnings_disabling_usele ss_ones_and_promoti PMD: http://pmd.sf.net CheckStyle: http://checkstylesf.net FindBugs: http://findbugs.sf.net CT-Eclipse: http://ct-eclipse.tigris.org EMMA: http://emma.sf.net http://www.eclemma.org Buildix: http://buildix.thoughtworks.com Java metrics: http://metrics.sf.net

Refs (cont d) SecureCoding Mailing-list: http://www.securecoding.org/list/ Atlassian (formerly Cenqua) Crucible: http://www.atlassian.com/software/crucible/ Concolic testing: http://osl.cs.uiuc.edu/~ksen/cute/ Fuzzing in the corporate world, Gadi Evron: http://events.ccc.de/congress/2006/fahrplan/events/1758.en.html Proxy Fuzzing: http://www.darknet.org.uk/2007/06/proxyfuzz-mitm-network-fuzzer-inpython/ GPath with XmlParser and NekoHTML: http://sylvanvonstuppe.blogspot.com/2007/08/ive-said-it-before-but.html Canoo WebTest: http://webtest.canoo.com Jameleon: http://jameleon.sf.net Twill: http://twill.idyll.org MaxQ: http://maxq.tigris.org OpenQA Selenium: http://openqa.org WebDriver: http://code.google.com/p/webdriver/ HDIV: http://hdiv.org Topps meat E.Coli http://rationalsecurity.typepad.com/blog/2007/10/topps-meat-comp.html Microsoft Visual Studio 2008: http://www.eweek.com/article2/0,1895,2192515,00.asp http://en.wikipedia.org/wiki/binary_classification Brian Chess & Katrina Tsipenyuk: http://securitymetrics.org/content/attach/welcome_blogentry_010806_1/software_che ss.ppt

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information