The Security Development Life Cycle


Intelligent Testing, 18 June 2015. Declan O'Riordan. The Security Development Life Cycle. Test and Verification Solutions: Delivering Tailored Solutions for Hardware Verification and Software Testing.

The Systems Development Framework Copyright TVS Limited Private & Confidential Page 2

The Security Testing Lifecycle (phases and activities, as laid out in the lifecycle diagram):
- Before development: review SDLC process; review policy; review standards.
- Definition & design: create/review requirements; create/review design; review models.
- Development: review code; code walkthrough; unit & system test.
- Deployment: penetration test; config. mgt. review; unit & system acceptance test; change verification; health checks.
- Maintenance: operational reviews; regression tests.

Waterfall / V-model & Security
Positive:
- Good documentation up front helps threat modelling;
- Traditional approach for experienced security professionals;
- More time for security analysis and planning before delivery.
Negative:
- Architectural decisions taken too early;
- Tendency towards big-bang testing at the end of development;
- Change control issues;
- Last-moment rush to fix security issues leads to ineffective workarounds;
- Maintenance difficulties.

Agile & Security
Positive:
- Easier to fix code vulnerabilities that were written days ago than months or years ago;
- Abuse cases to complement use cases;
- More likely to have enough information on code, scale, performance and security to make architectural decisions;
- Better change control.
Negative:
- Need non-functional expertise in the project team;
- Over-reliance on automation.

What is driving security?

EU comprehensive reform of data protection rules
- A single set of rules on data protection, valid across the EU.
- Increased responsibility and accountability for processing personal data, e.g. mandatory notification to the national supervisory authority of serious data breaches as soon as possible (if feasible, within 24 hours).
- Organisations deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their own country, even when their data is processed by a company based outside the EU.
- Wherever consent is required for data to be processed, it has to be given explicitly, rather than assumed.
- A right to be forgotten will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
- EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
- Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to 1 million or up to 2% of the global annual turnover of a company.

The Cost Driver (source: Verizon)

Attackers are using asymmetric economics

The spending mismatch (source: OWASP AppSec USA 2014)

Security Policies: Regulatory / Advisory / Informative
- Organizational policy.
- Issue-specific policies (aka functional): acceptable use; vulnerability mgt.; physical security; risk management; e-mail; access control; data protection; business continuity; personnel security; incident response; log aggregation and auditing; secure application development; change control.
- System-specific policies, e.g. how laptops are protected, who has access, auditing process.


Derive Negative Security Test Requirements
Misuse cases describe unintended and malicious use scenarios. Think about how a use scenario can be maliciously exploited. Discover potential flaws, or aspects of the app that are not well-defined. Describe all possible, or at least the most critical, use and misuse scenarios.

Security Design
- Earn, never assume, trust
- Defend in depth
- Grant least privileges
- Get cryptography right
- Avoid complexity
- Promote privacy
- Mediate completely
- Always consider the users
- Authorize after authentication
- Separate privileges
- Fail securely
- Validate at every boundary
- Separate data & instructions
- Assume secrets are unsafe
- Understand external components' attack surface impact

Security Models: State Machine; Biba; Information Flow; Lattice; Graham-Denning; Bell-LaPadula; Clark-Wilson; Non-interference; Brewer and Nash; Harrison-Ruzzo-Ullman.


Automated scanners: How do they do that?
- Crawler module: seeded with URLs, retrieves pages, follows links and redirects to identify all reachable pages and input points.
- Attack module: analyses discovered URLs and input points, then generates values likely to trigger a vulnerability.
- Analysis module: examines responses to attacks by signature recognition.

What are standalone scanners good at?
- Reflected cross-site scripting (XSS)
- Some SQL injections
- Some path traversals
- Some command injections
- Simple directory listings
- Clear text password submission
- Liberally scoped cookies
- Forms with autocomplete enabled
- Items not linked from the main published content

OWASP #3 Cross Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted web sites. Cross-site scripting attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

OWASP #3 XSS: Reflected
Reflected XSS attacks are those where the injected code is reflected off the web server, such as in an error message, search result, or any response that includes some or all of the input sent to the server as part of the request.

OWASP #3 XSS: Stored
Stored XSS attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc.

OWASP #3 XSS Type 3 of 3: DOM-based
DOM (Document Object Model) XSS attacks execute a payload as a result of modifying the DOM environment in the victim's browser used by the original client-side script. The page itself (the HTTP response, that is) does not change, but the client-side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
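The reflected case from the slides, as an added example (not from the presentation): a search page that echoes the q parameter, shown vulnerable beside the hardened version that output-encodes for an HTML text context. The URL, page template and payload are constructed for the demo.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page template: the search term is reflected into an HTML text node.
PAGE = "<html><body><p>You searched for: {term}</p></body></html>"


def _search_term(url: str) -> str:
    """Extract the 'q' query parameter exactly as a server would decode it."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_search_vulnerable(url: str) -> str:
    """Reflects the term unchanged: any markup in the request lands in the response."""
    return PAGE.format(term=_search_term(url))


def render_search_hardened(url: str) -> str:
    """Same page, but the term is HTML-escaped, so the browser treats it as text."""
    return PAGE.format(term=html.escape(_search_term(url), quote=True))


def contains_live_script(page: str) -> bool:
    """Demo-only check: an unescaped <script tag in the response (an escaped one reads &lt;script)."""
    return "<script" in page.lower()


# Constructed request carrying the classic harmless marker payload.
ATTACK_URL = "https://example.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E"

if __name__ == "__main__":
    print(render_search_vulnerable(ATTACK_URL))
    print(render_search_hardened(ATTACK_URL))
```

html.escape is correct only for an HTML text or quoted-attribute context; a value placed inside a script block, URL or CSS needs the encoding for that context instead.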

OWASP #1 Injection
- SQL (Oracle, MySQL, MS-SQL) database injection
- Operating System (OS) command injection
- Web scripting language injection
- XPath injection
- SOAP injection
- SMTP injection
- LDAP injection
- HTTP header injection
Occurs when an application is built upon false assumptions of trust. User input is not properly validated, and commands are injected when the language interpreter treats malicious input as program instructions written by the developer.

Path traversal example
https://example.com/scripts/getimage.aspx?file=diagram1.jpg
- The server extracts the value of the file parameter from the string.
- The value is appended to C:\example\images\
- The file called diagram1.jpg at that location is opened.
- The contents of the file are read and sent to the client.
What if we placed an alternative value in the file parameter?
https://vulnerablesite.com/scripts/getimage.aspx?file=..\..\windows\repair\sam
The application obtains the following path: C:\example\images\..\..\winnt\repair\sam
The two traversal sequences step up the directory to the root: C:\winnt\repair\sam (Windows Security Accounts Manager password database file).
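The walk-through above, as an added example that is not from the presentation: the path the vulnerable handler builds, and a hardened resolver that normalises the path and refuses anything that leaves the image root. Windows path semantics come from Python's ntpath module so it runs on any OS; the image root and URLs are constructed for the demo.

```python
import ntpath  # Windows path rules (backslashes, drive letters) regardless of host OS
from typing import Optional
from urllib.parse import parse_qs, urlsplit

IMAGE_ROOT = r"C:\example\images"  # constructed; the slide's image directory


def requested_path(url: str) -> str:
    """Step 1-2 of the slide: take the 'file' parameter and append it to the root, unchecked."""
    name = parse_qs(urlsplit(url).query).get("file", [""])[0]
    return ntpath.join(IMAGE_ROOT, name)


def normalised_path(url: str) -> str:
    """What the OS actually opens once the ..\\ sequences are collapsed."""
    return ntpath.normpath(requested_path(url))


def resolve_inside_root(url: str) -> Optional[str]:
    """Hardened step: only return a path whose normalised form is still under IMAGE_ROOT."""
    candidate = normalised_path(url)
    root = ntpath.normpath(IMAGE_ROOT)
    # commonpath also catches absolute inputs such as file=C:\other, since
    # ntpath.join discards the root when the parameter carries its own drive.
    if ntpath.commonpath([root, candidate]).lower() != root.lower():
        return None  # refuse; a real handler would log the request and return 400/404
    return candidate


# Constructed requests: the legitimate one and the traversal from the slide.
GOOD_URL = "https://example.com/scripts/getimage.aspx?file=diagram1.jpg"
BAD_URL = r"https://example.com/scripts/getimage.aspx?file=..\..\windows\repair\sam"

if __name__ == "__main__":
    for url in (GOOD_URL, BAD_URL):
        print(requested_path(url), "->", normalised_path(url), "->", resolve_inside_root(url))
```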

Automated scanners: What goes wrong?
- Rudimentary input validation not probed for bypass
- Vulnerability triggered but result doesn't match expected signature
- Broken access controls do not have a standard signature
- Scanners don't understand the meaning of changing parameters within the application
- Logic flaws don't have a standard signature
- Design vulnerabilities don't have a signature
- Understanding the significance of content from modifying session parameters (predictable sessions)
- Leakage of sensitive information

Automated scanners: What goes wrong? (continued)
- Attempts at artificial intelligence generate massive volumes of false positive and false negative results
- A large proportion, but not all, of the low-hanging fruit will be detected by automated scanners
- Every web application is different, much more so than network infrastructures
- Syntax versus semantic meaning of content
- Improvisation
- Intuition (multi-stage processes, sequence changes, crafted changes to multiple parameters)

Security Testing Tools
- Pentest frameworks: Metasploit & Kali Linux
- Intercepting proxy: BurpSuite, Zap, w3af, Charles, Webscarab, Ratproxy

Security Testing Tools (continued)
- Password / network cracker: John The Ripper, Hydra, Cain & Abel
- Web server vulnerability scanner: Nessus
- Network scanner: Nmap, Netcat, Zmap

Security Testing Tools (continued)
- Sniffer: Wireshark, Ettercap, Dsniff
- Wireless: Aircrack-ng (best with Fern Wifi Cracker as a GUI interface), Kismet, WifiScanner
- Bluetooth: Bluescanner, FTS4BT, BlueSpam

OSINT tools
Maltego is a program that can be used to determine the relationships and real-world links between:
- People
- Groups of people (social networks)
- Companies
- Organizations
- Web sites
- Internet infrastructure such as domains, DNS names, netblocks and IP addresses
- Phrases
- Affiliations
- Documents and files

The intercepting proxy
Penetration testers and hackers will use an intercepting proxy.

OWASP #9 Using Known Vulnerable Components

OWASP #9 Using Known Vulnerable Components
Verizon research found 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published. (Chart: year the CVE was published, for vulnerabilities exploited in 2014.)

Safe journey home

TMS - Bristol, 18th June 2015. Declan O'Riordan. The Security Development Life Cycle. Test and Verification Solutions: Delivering Tailored Solutions for Hardware Verification and Software Testing.