Cloud Application Security Assessment, Guerrilla Style

Similar documents
Bust a cap in a web app with OWASP ZAP

ensuring security the way how we do it

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

(WAPT) Web Application Penetration Testing

QualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015

STABLE & SECURE BANK lab writeup. Page 1 of 21

SANS Top 20 Critical Controls for Effective Cyber Defense

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

How To Protect A Web Application From Attack From A Trusted Environment

Web Application Vulnerability Testing with Nessus

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

How To Use A Policy Auditor (Macafee) To Check For Security Issues

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Using Nessus In Web Application Vulnerability Assessments

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

THE OPEN UNIVERSITY OF TANZANIA

Penetration Test Report

Web Application Security

How to build a security assessment program. Dan Boucaut

The Game of Hide and Seek, Hidden Risks in Modern Software Development

Thomas Röthlisberger IT Security Analyst

Improving Web Vulnerability Scanning. Daniel Zulla

Web Application Vulnerability Scanning. VITA Commonwealth Security & Risk Management. April 8, 2016

QualysGuard WAS. Getting Started Guide Version 3.3. March 21, 2014

Cyber Security Challenge Australia 2014

Challenges of Automated Web Application Scanning

Interactive Application Security Testing (IAST)

The New PCI Requirement: Application Firewall vs. Code Review

Critical Controls for Cyber Security.

Web Testing. Main Concepts of Web Testing. Software Quality Assurance Telerik Software Academy

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS. Junos WebApp Secure Junos Spotlight Secure

Adding Value to Automated Web Scans. Burp Suite and Beyond

IMPROVING VULNERABILITY MANAGEMENT EFFECTIVENESS WITH APPLICATION SECURITY MONITORING

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

The Top Web Application Attacks: Are you vulnerable?

Check list for web developers

HackMiami Web Application Scanner 2013 PwnOff

Good Guys vs. the Bad Guys: Can Big Data Tools Counteract Advanced Threats?

From the Bottom to the Top: The Evolution of Application Monitoring

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks

Internet Banking System Web Application Penetration Test Report

PCI-DSS Penetration Testing

Security Test s i t ng Eileen Donlon CMSC 737 Spring 2008

Criteria for web application security check. Version

Load testing with. WAPT Cloud. Quick Start Guide

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Penetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box

Security and Vulnerability Testing How critical it is?

PayPal Integration Instructions

Data Breaches and Web Servers: The Giant Sucking Sound

<Insert Picture Here> Oracle Web Cache 11g Overview

Concierge SIEM Reporting Overview

APPLICATION SECURITY: ONE SIZE DOESN T FIT ALL

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Using Free Tools To Test Web Application Security

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd.

Introduction Jim Rowland, Senior System Architect and Project Manager Daly

How To Test Your Web Site On Wapt On A Pc Or Mac Or Mac (Or Mac) On A Mac Or Ipad Or Ipa (Or Ipa) On Pc Or Ipam (Or Pc Or Pc) On An Ip

LIVE CHAT CLOUD SECURITY Everything you need to know about live chat and communicating with your customers securely

Adobe Systems Incorporated

April 11, (Revision 2)

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

State of SIEM Challenges, Myths & technology Landscape 4/21/2013 1

Imperva s Response to Information Supplement to PCI DSS Requirement Section 6.6

APPLICATION PROGRAM INTERFACE (API) FOR AIRASSURE WEB PM2.5 SOFTWARE

Vulnerability Assessment Report Format Data Model

Index. AdWords, 182 AJAX Cart, 129 Attribution, 174

AtlSecCon 2012, 01 March Intru-Shun.ca Inc.

<Insert Picture Here>

Web Application Security

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Vulnerability Management

Incident Response. Six Best Practices for Managing Cyber Breaches.

G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview

Cross Site Scripting in Joomla Acajoom Component

Implementation of Web Application Firewall

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Web Application Firewall

Web Application Firewall Profiling and Evasion. Michael Ritter Cyber Risk Services Deloitte

Enabling Security Operations with RSA envision. August, 2009

Where every interaction matters.

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Web-Application Security

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Attack and Penetration Testing 101

FROM PRINTER TO PWND. Leveraging Multifunction Printers During Penetration Testing

Global Cyber Range (GCR) Empowering the Cybersecurity Professional (CyPro)

Client logo placeholder XXX REPORT. Page 1 of 37

How To Protect Your Data From Attack

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

The SIEM Evaluator s Guide

Getting Started with Web Application Security

Handling of "Dynamically-Exchanged Session Parameters"

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd.

Penetration Testing Services. Demonstrate Real-World Risk

Course Title: Penetration Testing: Network & Perimeter Testing

SAFECode Security Development Lifecycle (SDL)

Transcription:

Cloud Application Security Assessment, Guerrilla Style SESSION ID: CSV-F03A Mark Orlando Director of Cyber Operations Foreground Security Adam Willard Application Security Analyst Foreground Security

Agenda Challenge Potential Solutions Our Approach Results and Lessons Learned

Challenge Responsible for securing web applications that we: Didn t build Don t host Can t harden Can t disrupt via active (penetration) testing 3

Potential Solution: Create great processes

Potential Solution: Recommend standards

Potential Solution: Ask for full spectrum testing Many cloud service providers WILL let you conduct active testing Just need to understand limitations and try to build testing requirements into service agreement (d oh!)

Our Goal DO NOT want to replace existing tools, code analysis, or automated scanning processes DO want to: Facilitate ongoing discussions Make a case for comprehensive security testing Provide historical context Tailor features and functionality to customer Empower the analyst 7

Reconnaissance Understand the environment XML Firewalls and Edge Devices Load Balancers Firewall Configurations and Logs aggregated Security logs (SIEM) Enterprise AV/IDS Exploratory testing via site walkthrough, documentation review, and interviews 8

Reconnaissance Gathering Host and IP data What are your targets? Basic analysis of your requests Begin mapping the systems based on simple analysis of headers and cookies 9

Static Analysis Involve security teams in the process Every little bit helps Be a fly on the wall in developer meetings You ll be amazed at how much information can be gathered regarding the health of a project. Also helps identify breakdowns in communication Developers are in the trenches and are usually vocal about what problems they are having if upper management is not in the meetings 10

3 rd Party Components While it is important to review the code that is being developed, there is a reason for patches and zero days Read 3 rd party CVE and Documentation carefully Much of the documentation is based on simple implementations and are usually presenting live samples or default configurations Plan to test those items You ll be surprised what is installed by default as many teams install everything so they can get systems up and running quickly 11

Tools Burp w3af sqlmap Fiddler with Casaba Plugin Nmap/Zenmap Kali Linux Custom tools developed in house 12

Response Analysis Extract the Contents of the Response Embedded Hyperlinks (review query string parameters) Comments (html and JavaScript) You may even find SQL Forms Hidden Fields CSS Iframes JavaScript 13

Response Analysis Additional items to place into the tests Test urls with parameters (GET) and switch to a POST Test POST parameters as a GET (simple tools can assist) IP vs Hostname Identify shared resources Look for the URLs constructs May be an authentication mechanism 14

Response Analysis Weak Encoding Look at the responses and compare the data that is displayed due to parameters Identify Cookies and their scope 15

Reporting Structure Understand reporting requirements (content and presentation) Automate as much as possible Run analysis as often as possible to continuously validate issues; remediation time is a useful metric 16

Our Results: One Project, Eight Months 30+ issues identified in commercial products 116 unique security findings for one major system alone More findings than external penetration testing or code analysis 17

Lessons Learned Developers/COTS embed details that can lead you to vulnerabilities Quality analysis and demonstration are key Keep your ear to the ground. Go to dev meetings! Manage expectations (yours and theirs) Work with ops Findings alone may mean little to business owners Test early and often

Lessons Learned Don t reinvent the wheel Obtain or develop a set of passive tools and a sustainable testing framework: continuous, low-intensity, multi-pronged. Guerrilla style. Demonstrate understanding and value Seek to build trust with developers and system maintainers; this is part of understanding the environment Manage expectations Testing, like the app itself, should evolve over time; this is why recurring testing and situational awareness is key

Try It Out Download Web Analyzer for free at http://foregroundsecurity.com/resources/tools Give us feedback! awillard@foregroundsecurity.com morlando@foregroundsecurity.com 20

Cloud Application Security Assessment, Guerilla Style

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information