Overview of the Penetration Test Implementation and Service. Peter Kanters



Similar documents
Where every interaction matters.

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Web Application Penetration Testing

OWASP Top Ten Tools and Tactics

05.0 Application Development

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Pentests more than just using the proper tools

Pentests more than just using the proper tools

Integrating Security Testing into Quality Control

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

OWASP AND APPLICATION SECURITY

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

The Top Web Application Attacks: Are you vulnerable?

Annex B - Content Management System (CMS) Qualifying Procedure

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Magento Security and Vulnerabilities. Roman Stepanov

Essential IT Security Testing

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Using Free Tools To Test Web Application Security

Rational AppScan & Ounce Products

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

How to complete the Secure Internet Site Declaration (SISD) form

Sitefinity Security and Best Practices

SQuAD: Application Security Testing

Quality Assurance version 1

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Web Engineering Web Application Security Issues

Testing the OWASP Top 10 Security Issues

Web Application Security and the OWASP Top 10. Web Application Security and the OWASP Top 10

Criteria for web application security check. Version

Penta Security 3rd Generation Web Application Firewall No Signature Required.

Adobe Systems Incorporated

MANAGED SECURITY TESTING

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Web Application Report

FortiWeb Web Application Firewall. Ensuring Compliance for PCI DSS requirement 6.6 SOLUTION GUIDE

How To Test A Computer System On A Microsoft Powerbook 2.5 (Windows) (Windows 2) (Powerbook 2) And Powerbook (Windows 3) (For Windows) (Programmer) (Or

Auditing Web Applications

(WAPT) Web Application Penetration Testing

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

Cloud Security:Threats & Mitgations

Web Application Vulnerability Testing with Nessus

Secure Web Applications. The front line defense

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Smart (and safe) Lighting:

SERENA SOFTWARE Serena Service Manager Security

Statistics Whitepaper

Reducing Application Vulnerabilities by Security Engineering

Columbia University Web Security Standards and Practices. Objective and Scope

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Sichere Software- Entwicklung für Java Entwickler

Guide for the attention of developers/hosts for merchant websites on the minimum level of security for bank card data processing

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Web application security

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Passing PCI Compliance How to Address the Application Security Mandates

Application Security Best Practices. Wally LEE Principal Consultant

PCI Compliance Updates

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

Hardening Moodle. Concept and Realization of a Security Component in Moodle. a project by

Barracuda Web Site Firewall Ensures PCI DSS Compliance

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Bad Romance: Three Reasons Hackers <3 Your Web Apps & How to Break Them Up

Making your web application. White paper - August secure

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Application Security Vulnerabilities, Mitigation, and Consequences

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Guidelines for Web applications protection with dedicated Web Application Firewall

Web application testing

Session 30. IT Security: Threats, Vulnerabilities and Countermeasures. Phillip Loranger, DoED CISO Robert Ingwalson, FSA CISO

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

National Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement Exit Conference...

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Insecurity breeds at home

elearning for Secure Application Development

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

Penetration testing systems since 1989

Table of Contents. Page 2/13

Attack Vector Detail Report Atlassian

Intrusion detection for web applications

Network Test Labs (NTL) Software Testing Services for igaming

EVALUATION SECURITY OF THE U.S. DEPARTMENT OF THE INTERIOR S PUBLICLY ACCESSIBLE INFORMATION TECHNOLOGY SYSTEMS

Web Application Firewall on SonicWALL SSL VPN

Transcription:

Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010

Contents 1. Introduction. 2. The history of Penetration Testing @ ABN AMRO. 3. Penetration Testing Process overview. 4. Open Web Application Security Project (OWASP) top 10. 5. Penetration testing services. 6. Recommendations. 7. Recap. 8. Questions. 2

1. Introduction. Peter Kanters ABN AMRO Bank NV. Information Security Office Technical Security Assessment Foppingadreef 22 1102 BS Amsterdam Netherlands +31 20 6285411 peter.kanters@nl.abnamro.com 25 + years experience at ABN AMRO. Mainframe Systems Programmer. Networking and E-Infra Specialist. Security Specialist.

1.What we try to prevent! http://threatpost.com/en_us/blogs/anatomy-rbs-worldpay-hack-111009

2. History of Penetration Testing @ ABN AMRO. Pentests at AAB originally serviced by combination of Internal Team and External Vendor. Internal team : - More than Average Quality Limitations in tooling and experience. - High Cost 7 team members / 1 Manager. - Low Flexibility - Lead time 3 months. - Global Service. External Vendor : - Good Quality More divers experience. - High Costs Much Overhead in Intake and Reporting / High Rates. - Good Flexibility Lead time about 1 month. - Service limited to the Netherlands. Overall the service was good but expensive. 5

2. Setting up the new Penetration Testing @ ABN AMRO. Rebuild of service necessary due to RBS separation. Pentests at AAB now performed by two External Vendors. Vendor selection : - Request for Information / Request for Proposal. - Proof of Concept (POC). - Selected 2 Vendors from 7 vendors. Improvements accomplished : - Overhead external pentests reduced drastically. - Discount on rates (reduction up to 30%) based on 80 Pentests per year. - Lead time reduced from 3 months (internal team) to 10 business days. - A noticeable quality improvement was achieved. 6

3. Penetration Test Process overview. Process Overview : Internal Preparation: - Documentation. - What do we want tested. - Which Vendor do we use for the test. Intake Meeting with selected Vendor (Conference Call +/- ½ Hour): - Scope of the Test. - Start Date. - Number of Days needed. - Letter of Authority Needed from Third Party. - Credentials Involved. Preparation for Penetration Test. Vendors perform Penetration Test and deliver report within 5 Business Days. Administration.

4. Penetration testing services provided. ABN AMRO Penetration Testing Services menu: Penetration Testing Services: Small Medium Large 1. Source code review < 15K LOC* 15K - 50K LOC 50K - 100K LOC 2. Full "Grey Box" penetration test 3 Days 5 Days 7 Days 3. Lightweight penetration test (automated scan + credentials) 1 Day 2 Days 3 Days 4. Network Penetration Test 3 Days 5 Days 7 Days 5. Retest ¼Day ½Day 1 Day 6. Custom Hourly Rate * LOC: Lines of Code Source code review: Identifying application level security issues by using a combination of manual review, and automated source code analysis on the applications source code. Penetration test: The objective of the Penetration Tests is to protect sensitive and / or confidential data by identifying weaknesses in the application. A penetration test consist out of: Reconnaissance, Known Issues, Application Testing. Within the Lightweight Penetration test less effort is spend on application testing by using automated scanning tools. Information required; IP addresses, (virtual) hostnames, operating system, database and application versions, test accounts, tokens (when needed), application programming language. Network penetration test: Identifies security weaknesses that could be exploited by motivated malicious individuals to gain unauthorised access to systems or data on network segments. The penetration testing should demonstrate the ability to gain unauthorised access to system resources and/or disrupt system services. 8

4.OWASP Top 10 2010 A1 Injection Flaws, such as SQL, OS, and LDAP injection can lead to executing unintended commands or accessing unauthorized data. A2 Cross Site Scripting (XSS) allows attackers to execute script in the victim s browser A3 Broken Authentication and Session Management allowing attackers to compromise passwords, keys, session tokens, identity theft. A4 Insecure Direct Object References attackers can manipulate these references to access unauthorized data. A5 Cross Site Request Forgery (CSRF) allows the attacker to force the victim s browser to generate requests. A6 Security Misconfiguration for the application, framework, web server, application server, and platform. A7 Failure to Restrict URL Access Attackers will be able to forge URLs A8 Invalidated Redirects and Forwards Attackers can redirect victims to phishing or malware sites. A9 Insecure Cryptographic Storage Attackers may use this weakly protected data to conduct identity theft, credit card fraud. A10 -Insufficient Transport Layer Protection Applications frequently fail to encrypt network traffic http://www.owasp.org/images/0/0f/owasp_t10_-_2010_rc1.pdf

5. Is Security Testing a normal part of the test methodology? Security Testing is now often performed at the end of a project. - This puts extra stress on the go life date. - Extra expensive because findings have to fixed at the last minute. OWASP certification becomes mandatory for programmers. Is there a development similar in the test world? In TMap Next voor resultaatgericht testen over 900 pages only 5 pages are mentioning Information Security. In the future the Test management Methodology should make Pentesting obsolete!

5.Recommendations. INPUT VALIDATION, INPUT VALIDATION and AGAIN!!!! Secure Programming (OWASP) Application security testing in development phase (OWASP) Proper Platform Hardening System and Network monitoring Proper security management Integrate Security testing in Test methodology in an early stage. Train Testers in OWASP principles.

6. Recap. We discussed the past and present Penetration Testing @ ABN AMRO. We reviewed the day to day Penetration Testing Process. Open Web Application Security Project (OWASP) top 10. We have seen the Penetration testing services. We discussed Recommendations. 12

? Questions? peter.kanters@nl.abnamro.com 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information