Pentests more than just using the proper tools


Agenda
1. Information Security @ TÜV Rheinland
2. Security testing
3. Penetration testing
   - Introduction
   - Evaluation scheme
   - Security analyses of web applications
   - Internal security analyses (optional)
7/1/2015, Pentests more than just using the proper tools

Information security @ TÜV Rheinland
- Providing information security services worldwide (Europe, North America, Asia, Middle East)
- Germany's leading vendor-independent service provider for information security
- Over 500 security experts worldwide, 150 in Germany and growing
- German locations shown on the slide map: Köln, Frankfurt, Saarbrücken, München
- For the 7th time:


Security Testing. Goals.
"Software testing: an investigation conducted to provide stakeholders with information about the quality of the product or service under test." (Wikipedia)
Goals of security testing:
- Detection of security vulnerabilities
- Demonstrating that systems are vulnerable
- Identifying the potential damage caused by real attacks
- Identification of remedial measures
- Increasing the overall security level
Variations:
- Black box
- White box
- Any other colour in between
- Vulnerability scans

Security Tests. Targets.
Evaluation targets:
- Applications: web, client-server, mainframe, mobile
- Infrastructure: server, DMZ, intranet
- Special-purpose hardware
- Processes and organizations


Penetration Tests. Definition. Pros and Cons.
Definition: "an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data." (Wikipedia)
Pros:
+ Verification of the security of complex systems, including multiple security layers
+ Dynamic testing that includes the tester's creativity, e.g. combining several low-impact vulnerabilities into a high-impact attack path
+ Use of up-to-date attack vectors
+ Verification of attack detection (does the defender notice the test?)
Cons:
- Security snapshot: results are valid only for a limited time
- The quality of the results depends on the quality of the tester
- Very high complexity of finding previously unknown vulnerabilities
Penetration testing is one important mechanism for security quality assurance, not the only one.

Penetration Test. Workflow.
1. Kick-off / preparation
2. Information gathering and analysis (manual and automated)
   - Online search engines
   - Scanning tools (port scanners, vulnerability scanners, etc.)
3. Information evaluation / risk analysis
   - Based on the results of phase 1 and the information from phase 2
   - Identification of vulnerabilities
4. Active intrusion
   - Exploitation of vulnerabilities (mostly manual)
   - Use of exploit code
5. Finalization
   - Result evaluation
   - Report generation


DREAD risk assessment model
- Damage: how bad would an attack be?
- Reproducibility: how easy is it to reproduce the attack?
- Exploitability: how much work is it to launch the attack?
- Affected users: how many people will be impacted?
- Discoverability: how easy is it to discover the threat?

Common Vulnerability Scoring System (CVSS)
- Common standard for describing a vulnerability's severity
- Evaluation based on three metric groups (the metric names below are those of CVSS version 2):
  - Base: Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability
  - Environmental: Confidentiality Requirement, Integrity Requirement, Availability Requirement, Collateral Damage Potential, Target Distribution
  - Temporal: Exploitability, Remediation Level, Report Confidence
- Allows vulnerabilities to be compared with each other
- CVSS calculator (version 2): http://nvd.nist.gov/cvss.cfm?calculator&version=2


Generic evaluation and risk classification.
Risk classification is performed from an IT security perspective in relation to the infrastructure, systems, services and processes in the area of observation. Risk rating for the business processes is done by the internal risk management of our customer.
Recommendation: Suggestions to improve the overall security situation, although no concrete threat is present. Includes, for example, out-of-scope observations.
Low Risk: The implemented security mechanisms that ensure the confidentiality and integrity of sensitive data and the availability of necessary systems have a minor deficit.
Medium Risk: The implemented security mechanisms that ensure the confidentiality and integrity of sensitive data and the availability of necessary systems have a deficit.
High Risk: The implemented security mechanisms that ensure the confidentiality and integrity of sensitive data and the availability of necessary systems have a severe deficit.


Open Web Application Security Project (OWASP) Top 10 (the 2010 edition of the list)
1. Injection
2. Cross Site Scripting
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross Site Request Forgery
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

Top 1. Injection.

Injections. Basics.
Fundamental trouble: input is not completely validated, and data provided by the user ends up being interpreted rather than treated as data:
- by the database (SQL injection)
- by operating system calls (command injection)
- as XML tags and entities (XML injection)
- as script code that gets executed, e.g. Ruby or PHP (code injection)

SQL-Injection. Description.
Issue:
- Data provided by the user is not completely validated
- The user can therefore execute SQL queries of their own
Consequences:
- An attacker can execute almost arbitrary SQL queries
- Login without a password
- The attacker can extract data from the database

SQL-Injection. Demo.
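The live demo is not part of the transcription. As an added example (not the presenter's code), the following Python script with the standard-library sqlite3 module shows the two consequences named on the previous slide, login without a password and extraction of data, against a login query that concatenates user input (the "data gets interpreted" problem from the Injections slide), and then the same login with a parameterised query where the identical payloads fail. The users table, its two accounts and the function names are constructed for this example; the plaintext passwords exist only to make the data extraction visible, a real application stores password hashes (see Top 7, Insecure Cryptographic Storage).

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: two accounts, passwords deliberately in plaintext for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cret-admin-pw", "admin"), ("alice", "alice-pw", "user")],
    )
    conn.commit()
    return conn


def vulnerable_query(username: str, password: str) -> str:
    """User input is pasted into the SQL text, so quotes, comments and UNION in it become SQL."""
    return (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    return conn.execute(vulnerable_query(username, password)).fetchall()


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the driver binds the values as data, they are never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Constructed attacker inputs.
BYPASS_USER = "admin' --"                 # closes the string, comments out the password check
TAUTOLOGY = "' OR '1'='1"                 # makes the WHERE clause true for every row
DUMP_USER = "x' UNION SELECT username, password FROM users --"   # second SELECT must match 2 columns


def run_demo() -> dict:
    conn = build_db()
    return {
        # login without a password: the query becomes ... WHERE username = 'admin' --' AND ...
        "bypass": login_vulnerable(conn, BYPASS_USER, "wrong-password"),
        # every row matches, the application logs the attacker in as the first user returned
        "tautology": login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY),
        # data extraction: passwords come back in the 'role' column of the login result
        "dump": login_vulnerable(conn, DUMP_USER, "x"),
        # the same payloads against the parameterised version
        "fixed_bypass": login_fixed(conn, BYPASS_USER, "wrong-password"),
        "fixed_dump": login_fixed(conn, DUMP_USER, "x"),
        # and a legitimate login still works
        "fixed_ok": login_fixed(conn, "admin", "s3cret-admin-pw"),
    }


if __name__ == "__main__":
    print(vulnerable_query(BYPASS_USER, "wrong-password"))
    for name, rows in run_demo().items():
        print(f"{name:13s} -> {rows}")
```

Note that the fix is binding, not escaping: the parameterised version does not try to detect the payloads, it simply never lets them reach the SQL parser, which is why input validation alone ("is not completely validated" on the slide) is the wrong place to rely on.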

Thank you for your attention and questions! Dr. Daniel Hamburg Head of Security Engineering T: +49 221 56783 220 E-Mail: daniel.hamburg@i-sec.tuv.com