Web Application security testing: who tests the test?




Ainārs Galvāns, Application Penetration Tester
www.exigenservices.lv

About myself
- Functional testing: leading test group, reporting to client
- Performance testing: HTTP level analysis, behavior modelling
- Security testing: application security, threat analysis
- Formal QA certificates: ISTQB, CTT+, CPTE

Why we test, what we test?

Why we test, what we test?
(diagram: Specification, Design, Code vs. What they needed)

Test levels - theory
(V-model diagram: test levels UAT, System, Integration, Unit against What they needed, Specification, Design, Code)

Different test levels
(diagram: Dev., Test, User)

Because bugs escape testing
(diagram over time: mistakes, changes, skills across DEV, Test, User)

QA approach: test to reduce bugs
Functional testing practice: bug metrics
- Defect Removal Efficiency (DRE) = bugs before delivery / total number of bugs
- Defect density = defects / number of code lines
Passing security testing is not an indication that no flaws exist.

How much testing is enough?
Functional testing experience:
- Coverage problem: part of test strategy
- IEEE Std 829, Standard for test documentation
Security testing is different:
- OWASP testing standard (minimal tests)
- ISO 2700* standard (minimal controls)
- Guides on: testing, coding, code review

How much testing is enough? - experience
- Test guides, i.e. by OWASP: ~100 attack types
- B.B. test tools: thousands of attacks
My own experience:
- Average internal audit: perhaps 3-5 person days
- Single attack type per field takes up to 2 hours
- Automated testing is the choice?
- I don't test everything
- I don't test the app., I validate assumptions

Recent movement in Functional Testing
- Industry leaders re-defining the term "test": Automated Checks vs Sapient Tests
- Some checks are hard(er) to automate
- Automated security test tools check to see if the application is vulnerable to known attacks; that's not hard to automate
- Tools that help sapient (manual) testing

Risk assessment: issue -> threat
DREAD: prioritize issues based on the sum of
- Damage potential
- Reproducibility (prerequisites)
- Exploitability (knowledge/tools required)
- Affected users
- Discoverability (e.g. risk of getting caught)
Alternatives exist, such as CVSS.
- Assumes we know the vulnerability
- Assumes we know all ways to exploit it (now or in future)
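The DREAD sum above only becomes a prioritisation once several findings are scored and ordered. The following is an added example, not code from the deck or from Exigen Services: it scores constructed sample findings and ranks them. The 0-10 scale per factor and the tie-break on damage potential are assumptions; the slide only states that the score is the sum of the five factors.

```python
"""Rank findings by DREAD score (added example; scale is an assumption)."""
from dataclasses import dataclass

# The five DREAD factors, in the order the slide lists them.
FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")


@dataclass(frozen=True)
class Finding:
    name: str
    damage: int            # damage potential
    reproducibility: int   # prerequisites needed to reproduce
    exploitability: int    # knowledge/tools required
    affected_users: int
    discoverability: int   # e.g. risk of getting caught

    def dread_score(self) -> int:
        """Sum of the five factors; each is assumed to be an integer 0-10."""
        for factor in FACTORS:
            value = getattr(self, factor)
            if not 0 <= value <= 10:
                raise ValueError(f"{self.name}: {factor}={value} is outside 0-10")
        return sum(getattr(self, f) for f in FACTORS)


def rank(findings):
    """Highest score first. Ties are broken by damage potential, then name,
    so two findings with the same sum always come out in the same order."""
    return sorted(findings, key=lambda f: (-f.dread_score(), -f.damage, f.name))


# Constructed sample findings with made-up scores (not issues from any real application).
SAMPLE = [
    Finding("reflected XSS in search", 6, 9, 7, 8, 9),              # 39
    Finding("verbose stack trace on error page", 3, 10, 4, 10, 10),  # 37
    Finding("IDOR on invoice download", 8, 9, 6, 6, 7),             # 36
    Finding("weak session cookie flags", 5, 10, 5, 10, 6),          # 36
]

if __name__ == "__main__":
    for finding in rank(SAMPLE):
        print(f"{finding.dread_score():3d}  {finding.name}")
```

Note that the ranking is only as good as the exploitability and discoverability estimates, which is the slide's own caveat: the model assumes the vulnerability and its exploit paths are already known.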

Experience: missing threat analysis
(diagram: Audit, Development)

Different security testing levels
- Application vs Perimeter*
- Code vs network
- Threat vs vectors
- Internal vs External
- Interfaces vs business
- Techniques vs risks
* PCI: Application Layer vs Network Layer Testing

Risk assessment: threat -> issue
OWASP Application Threat Modeling:
- Step 1: Decompose the application
- Step 2: Determine (and rank) threats
- Step 3: Set countermeasures & mitigation
TEST it

Mitigation strategies
Performance monitoring:
- Utilization = % of CPU, memory, network, etc.
- Response times, session count, fault ratios
Security monitoring:
- Analyze authentication (login) failures
- Analyze authorization failures (server side)
- Analyze XSS attack attempts
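The three security-monitoring items above are concrete enough to run over a log. This is an added example, not code from the deck or from Exigen Services: it applies the three checks (authentication failures, server-side authorization failures, XSS attack attempts) to constructed log lines. The key=value log format, the sample lines and the thresholds are all assumptions made for the example.

```python
"""Security monitoring over application logs (added example, not the deck's code).

Assumption: the application writes one space-separated key=value record per
request with the fields ts, src, user, event, status and path. The format,
the sample lines and the thresholds are constructed for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample log lines (documentation-range addresses, made-up users).
SAMPLE_LOG = """\
ts=2015-05-21T10:00:01 src=203.0.113.5 user=alice event=login status=fail path=/login
ts=2015-05-21T10:00:03 src=203.0.113.5 user=alice event=login status=fail path=/login
ts=2015-05-21T10:00:05 src=203.0.113.5 user=alice event=login status=fail path=/login
ts=2015-05-21T10:00:06 src=203.0.113.5 user=alice event=login status=fail path=/login
ts=2015-05-21T10:00:08 src=203.0.113.5 user=alice event=login status=fail path=/login
ts=2015-05-21T10:00:09 src=198.51.100.7 user=bob event=login status=ok path=/login
ts=2015-05-21T10:01:10 src=198.51.100.7 user=bob event=authz status=deny path=/admin/users
ts=2015-05-21T10:01:12 src=198.51.100.7 user=bob event=authz status=deny path=/admin/reports
ts=2015-05-21T10:01:15 src=198.51.100.7 user=bob event=authz status=deny path=/admin/config
ts=2015-05-21T10:02:00 src=192.0.2.9 user=- event=request status=ok path=/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E
ts=2015-05-21T10:02:30 src=192.0.2.9 user=- event=request status=ok path=/search?q=shoes
ts=2015-05-21T10:09:00 src=203.0.113.5 user=alice event=login status=ok path=/login
"""

LOGIN_FAIL_THRESHOLD = 5          # failures from one source within WINDOW
WINDOW = timedelta(minutes=5)
AUTHZ_DENY_THRESHOLD = 3          # server-side denials for one user

KV = re.compile(r"(\w+)=(\S+)")
# Conservative markers for a script-injection attempt in a URL. This is a
# heuristic, not an HTML parser, so it will also flag some harmless input.
XSS_MARKERS = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def parse(line: str) -> dict:
    """Turn one key=value record into a dict."""
    return dict(KV.findall(line))


def looks_like_xss(path: str) -> bool:
    """Decode the URL once, then look for injection markers."""
    return bool(XSS_MARKERS.search(unquote_plus(path)))


def analyze(log_text: str) -> list:
    """Return a list of (alert_kind, subject, detail) tuples."""
    records = [parse(line) for line in log_text.splitlines() if line.strip()]
    alerts = []

    # 1. Authentication failures: count per source inside a sliding window and
    #    raise one alert per source once the threshold is crossed.
    recent_fails = defaultdict(list)
    flagged = set()
    for r in records:
        if r["event"] == "login" and r["status"] == "fail":
            t = datetime.fromisoformat(r["ts"])
            kept = [x for x in recent_fails[r["src"]] if t - x <= WINDOW] + [t]
            recent_fails[r["src"]] = kept
            if len(kept) >= LOGIN_FAIL_THRESHOLD and r["src"] not in flagged:
                flagged.add(r["src"])
                alerts.append(("login_failures", r["src"], len(kept)))

    # 2. Authorization failures (server side): repeated denials for one user
    #    suggest probing of URLs that user should not reach.
    denies = Counter(r["user"] for r in records
                     if r["event"] == "authz" and r["status"] == "deny")
    for user, n in denies.items():
        if n >= AUTHZ_DENY_THRESHOLD:
            alerts.append(("authz_failures", user, n))

    # 3. XSS attack attempts in request paths, regardless of response status:
    #    a 200 on a reflected payload is exactly the case worth looking at.
    for r in records:
        if looks_like_xss(r["path"]):
            alerts.append(("xss_attempt", r["src"], r["path"]))

    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

Alerts are keyed by source address for login failures and by user for authorization failures, because the two questions differ: the first asks who is hammering the login form, the second asks which authenticated account is reaching for pages it was denied.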

Missed bug = reported by user?
"Most of security incidents are discovered and reported only months after the initial intrusion or data compromise." (OWASP: The CISO Guide)
Exception: DOS attack

Backdoor mitigation
Backdoors:
- Application code (created on purpose)
- Created by hacker (i.e. stolen admin password)
Mitigation: analyze attacks, not vulnerabilities
- Security Intelligence, SIEM
- Honeypot
Users could help mitigate:
- Inform user about last login
- User intelligence (i-bank: transaction history)
- Change passwords on regular basis

RECOMMENDATIONS: industry accepted, as well as my own new and even crazy ones

Analysis of discovered vulnerabilities (findings)
Adopt PCI recommendations per vulnerability:
- Define whether/how exploitable
- Risk ranking
Adopt PCI overall analysis recommendations:
- Describe restrictions imposed
- Use PCI test report evaluation checklists
- Analyze risk of vulnerabilities missed

Comprehensive testing
Demand standard security:
- Protect from script kiddies
- Discourage hackers (i.e. do not encourage)
Distinguish comprehensive testing:
- Documenting test coverage, not just bugs
- Hire two independent auditors to compete
- Penalties for missed security threats
- Developer testing

Mitigation: intrusion detection
Example: XSS protection options
- Turtle: do not allow
- Accepted: do not allow and notify admin
- Honeypot: allow, temporarily move to vault
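The three options differ only in what the server does after it has decided an input looks like an XSS attempt, so they are easiest to compare side by side in one handler. This is an added example, not code from the deck or from Exigen Services: a comment store with a switchable mode. The detector, the store, the admin notice list and the "vault" are constructed stand-ins for whatever the real application uses.

```python
"""Turtle / Accepted / Honeypot handling of a suspected XSS submission
(added example, not the deck's code; all components are stand-ins)."""
import html
import re
from enum import Enum


class Mode(Enum):
    TURTLE = "turtle"        # do not allow
    ACCEPTED = "accepted"    # do not allow and notify admin
    HONEYPOT = "honeypot"    # allow, but move to the vault


# Conservative markers for markup or script in a free-text field. This is a
# heuristic, so it also catches harmless tags; output encoding below is what
# actually keeps the live data safe to render.
SUSPICIOUS = re.compile(r"<\s*/?\s*\w+|javascript:|on\w+\s*=", re.IGNORECASE)


def is_suspicious(value: str) -> bool:
    return bool(SUSPICIOUS.search(value))


class CommentStore:
    """Constructed stand-in for a data store with a live set and a vault."""

    def __init__(self, mode: Mode):
        self.mode = mode
        self.live = []            # rendered to other users (always escaped)
        self.vault = []           # quarantined submissions, never rendered
        self.admin_notices = []   # what the admin would be told

    def submit(self, user: str, text: str) -> str:
        """Store a comment and return the status the submitter sees."""
        if not is_suspicious(text):
            self.live.append((user, html.escape(text)))
            return "stored"

        if self.mode is Mode.TURTLE:
            # Reject silently: nothing is kept, nobody is told.
            return "rejected"

        if self.mode is Mode.ACCEPTED:
            # Reject, but keep the raw submission for the admin to review.
            self.admin_notices.append((user, text))
            return "rejected"

        # HONEYPOT: the submitter gets the same success status as a normal
        # comment, but the value only ever lands in the vault, so it is never
        # served to anyone and can be inspected or discarded later.
        self.vault.append((user, text))
        return "stored"


if __name__ == "__main__":
    for mode in Mode:
        store = CommentStore(mode)
        status = store.submit("visitor", "<script>alert(1)</script>")
        print(mode.value, status, "live:", len(store.live),
              "vault:", len(store.vault), "notices:", len(store.admin_notices))
```

The point of returning "stored" in honeypot mode is that the response is indistinguishable from a normal submission; the difference exists only on the server side, where the vault keeps the attempt out of every page render.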

Gartner Top 10 Strategic Technology Trends for 2015: Risk-Based Security and Self-Protection
"While 100% security solutions aren't feasible, advanced risk assessment and mitigation will come into play in the next few years. Security will move away from perimeter defense to multifaceted approaches."
-> test, educate

QUESTIONS?
Contact: Ainārs Galvāns, Application PenTester, Exigen Services Latvia
ainars.galvans@exigenservices.com
J.Daliņa iela 15, Rīga, LV-1013, Latvia
phone +371 6707 2976, mobile +371 2943 2698
www.exigenservices.lv