Application Security Testing Results You Need V1.0 Public

This talk, from InfoSec World 2009, discusses how you can go about understanding the terminology and information around building a successful enterprise web application security program.

Published in: Technology
Transcript of "Application Security Testing Results You Need V1.0 Public"

Slide 1. Session H5: Application Security Testing: How to Get the Results You Need
Tuesday, March 10th, 2009, 9:45am
Rafal M. Los, Sr. Web Security Specialist, HP/ASC
© HP Application Security Center 2009
Slide 2. Key Points
• Understanding the need for security testing
• The case for negative-testing
• Static vs. dynamic application testing
• Security testing browser-based applications
• Arming yourself (tools & knowledge)
• Piecing it all together
Slide 3. Understanding the Need for Security Testing: Asking the big question
Question:
• Why do businesses need to spend time, money and resources on additional testing measures to check the security of their web applications?
Obvious answer:
• Hackers are out to get you: your data and your customers are subject to hijack and theft!
Slide 4. Understanding the Need for Security Testing: A business perspective
• External compliance requirement: PCI, the Payment Card Industry standard
• Internal compliance requirement: corporate data privacy standards
• Mission-critical web-based applications: the web applications that drive your business
• Critical data in web-based applications: cardholder data, patient records, personal information
• The company's online brand is important: defacements and hijacks repel current and future customers
Slide 5. Understanding the Need for Security Testing: More to the point
Hackers have clear goals…
• Your systems: use your systems to launch attacks; host spam relays, distribute malware
• Your data: databases contain payment information and customer data; can you identify all data in your applications?
• Your customers' clicks: distribute adware/trojan-ware to your customers; the case of BusinessWeek.com, http://cyberinsecure.com/businessweek-online-content-hit-by-sql-injection/
• Your good reputation: industrial sabotage is real; users trust your websites… right? Remember Egghead.com?
Slide 6. Understanding the Need for Security Testing: Internal challenges
• Lack of "security" in the SDLC: PMs own requirements, developers own code, QA owns quality… auditors?
• "Semi-custom" apps: 3rd-party developed applications; custom integrations to internal and external systems
• Legacy systems: systems developed before security was a concern; mainframe over HTTP?
Slide 7. The Case for Negative-Testing: Let's define Quality Assurance
Quality Assurance defined:
• Quality assurance, or QA for short, refers to planned and systematic production processes that provide confidence in a product's suitability for its intended purpose. It is a set of activities intended to ensure that products (goods and/or services) satisfy customer requirements in a systematic, reliable fashion. (Wikipedia)
Slide 8. The Case for Negative-Testing: Breaking down quality
Quality assurance is incomplete:
• Performs only positive-testing
• Tests only "good" data the system is known to accept
• Tests only proper use of the system or application
• "Why would anyone want to purposely mis-use the system?"
No account for malicious users:
• 999,999 buyers and a single hacker
• The resource-exhaustion example (1 hacker, total DoS)
• QA does not try to disprove its hypothesis (as in science); it only attempts to prove the positive
Quality assurance must embrace security:
• 3 pillars of quality: Does it function? Does it perform? Is it secure?
Slide 9. The Case for Negative-Testing: Negative testing is critical
How does the application behave in adversity?
• Test the application against known possible attacks
• Attack vectors such as hacking, DoS, DDoS, and more
Intentional mis-use:
• Test against malicious use-cases
• Testers must have a library of known attack data
Unintended functionality:
• Test for unintended functionality in the application
• Test for logic flaws, race conditions, and others
Slide 10. Building a Business Case: Putting the pieces together
You now understand the need → why?
• Web applications must be resilient to attacks
• Attacks are a fact of life and business
You now understand the requirement → what?
• QA is inadequate as-is
• Negative testing (security testing) must be added
You must now learn the methods → how?
• What are the basics of negative-testing?
• What are the challenges of proper execution?
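As an added example (not part of the talk), the following harness puts the positive-only QA check from the slides above beside the negative tests they call for: a small library of known attack data is run against an order handler, first as a developer would write it against positive tests alone, then after the negative tests have been acted on. The handler, the unit price, the business limit and every attack payload are constructed for illustration; the "resource-exhaustion" and "logic flaw" cases (negative quantity, oversized input) are the ones the slides mention.

```python
"""Added example, not from the talk: a positive-only QA check beside the
negative tests it lacks. The order handler, its business limit and the
attack-data library are all constructed for illustration."""
import re
from dataclasses import dataclass

UNIT_PRICE_CENTS = 1999   # assumed price of the single SKU in this example
MAX_QTY = 1000            # assumed business limit per order

# Library of known attack data, as the slide recommends. Every entry should
# be rejected with a controlled error by a correct handler.
ATTACK_DATA = [
    "-1",                     # negative quantity: the total becomes a refund
    "0",                      # zero items, yet an order is still created
    "1000000000",             # far above any business limit
    "1e9",                    # not an integer at all
    "",                       # empty field
    " 5",                     # int() silently strips whitespace
    "+7",                     # int() accepts an explicit sign
    "5; DROP TABLE orders",   # injection-style junk
    "\u0663",                 # Arabic-Indic digit three: int() accepts it too
    "1" * 3000,               # oversized input, the resource-exhaustion case
]

@dataclass
class Order:
    sku: str
    qty: int
    total_cents: int

def place_order_naive(sku: str, qty_field: str) -> Order:
    """Handler written against positive tests only: it trusts the browser
    form to have validated the quantity and relies on int() alone."""
    qty = int(qty_field)
    return Order(sku, qty, qty * UNIT_PRICE_CENTS)

def place_order_hardened(sku: str, qty_field: str) -> Order:
    """Same handler after the negative tests: character class, length and
    range are all checked server-side before any work is done."""
    if not re.fullmatch(r"[0-9]{1,4}", qty_field):   # ASCII digits only, bounded length
        raise ValueError("quantity must be a plain positive integer")
    qty = int(qty_field)
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return Order(sku, qty, qty * UNIT_PRICE_CENTS)

def positive_test(handler) -> bool:
    """The QA-style check: known-good data, proper use only."""
    return handler("SKU-1", "5").total_cents == 5 * UNIT_PRICE_CENTS

def negative_test(handler) -> list:
    """Run the attack library; report every payload the handler accepted or
    failed on in an uncontrolled way. An empty list means it held up."""
    findings = []
    for payload in ATTACK_DATA:
        try:
            order = handler("SKU-1", payload)
        except ValueError:
            continue                              # controlled rejection: what we want
        except Exception as exc:                  # crash: also a finding
            findings.append(f"{payload[:12]!r} raised {type(exc).__name__}")
            continue
        findings.append(f"accepted {payload[:12]!r}: total {order.total_cents} cents")
    return findings

if __name__ == "__main__":
    for handler in (place_order_naive, place_order_hardened):
        print(handler.__name__, "positive test passed:", positive_test(handler))
        for line in negative_test(handler):
            print("   finding:", line)
```

Both handlers pass the positive test, which is exactly the point of the slides: the naive handler accepts seven of the ten payloads (a negative total, a zero-item order, a quantity a million times the limit, a 3000-digit number) and only the negative test exposes them. The hardened version rejects the whole library with the same controlled error, and the check runs before any allocation or database work, which is what stops the one-hacker resource-exhaustion case.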
Slide 11. Static vs. Dynamic Application Testing: Differing testing methods
Static analysis → execution-path analysis
• Typically through source code analysis
• Testing without actual data
• Analyzes all possible execution branches of the code
Dynamic analysis → data-driven analysis
• Typically through black-box testing tools
• Testing with pre-defined test data sets
• Analyzes behavior when different data sets are used
Key point → each of these is incomplete… why?
Slide 12. Static vs. Dynamic Application Testing: Clearly we need both
Dynamic, pros:
• Lower false-positive rate
• Well-established testing tools
• Ability to execute layered testing
Dynamic, cons:
• Incomplete (impossible to guess the whole of the data set)
• Cannot point to the source code where errors exist
• Prone to inconsistency issues
Static, pros:
• Covers every code path, in principle
• Identifies the issues directly in source code
• Pre-defined patterns identified in source
Static, cons:
• Potential for many false-positives
• Extremely resource-intensive analysis
• Inability to contextualize issues
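To make the pros and cons of the two slides above concrete, here is an added example (not from the talk) that looks at one SQL-injection bug through a toy static rule and through a dynamic, data-driven test. The application under test, the static rule, the SQLite schema and the attack payloads are all constructed for this example; the rule is deliberately the kind of pattern match a real tool starts from, so that its false positive and false negative show up.

```python
"""Added example, not from the talk: one SQL-injection bug seen through a toy
static rule and through a dynamic, data-driven test, to show where each
method is incomplete. The application under test, the rule, the schema and
the attack data are all constructed for illustration."""
import re
import sqlite3

# Application under test, kept as source text so the static check can read
# it and the dynamic check can load and execute it.
APP_SOURCE = '''
def lookup_user_vulnerable(conn, username):
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_user_safe(conn, username):
    return conn.execute("SELECT id, username FROM users WHERE username = ?",
                        (username,)).fetchall()

def lookup_user_indirect(conn, username):
    return conn.execute(build_query(username)).fetchall()

def build_query(username):
    return "SELECT id, username FROM users WHERE username = '%s'" % username

def count_rows(conn, table):
    if table not in ("users", "audit"):
        raise ValueError("unknown table")
    return conn.execute("SELECT count(*) FROM " + table).fetchone()[0]
'''

# Toy static rule: a function that calls execute() and, somewhere in its own
# body, builds a string from a variable. It reports the offending line.
CONCAT = re.compile(r"\+\s*\w+|%\s*\w+")

def static_check(source: str) -> dict:
    findings = {}
    for body in re.split(r"(?m)^(?=def )", source):
        if not body.startswith("def ") or ".execute(" not in body:
            continue
        name = re.match(r"def (\w+)", body).group(1)
        first_line = source[:source.index(body)].count("\n") + 1
        for offset, line in enumerate(body.splitlines()):
            if CONCAT.search(line):
                findings[name] = (first_line + offset, line.strip())
    return findings

# Dynamic check: execute the real functions against a test database with
# attack data and judge only the observed behaviour.
ATTACK_DATA = [
    "alice' OR '1'='1",
    "alice'--",
    "x' UNION SELECT 1, sqlite_version()--",
]

def load_app() -> dict:
    namespace = {}
    exec(APP_SOURCE, namespace)      # defines the functions above for execution
    return namespace

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "admin")])
    conn.execute("CREATE TABLE audit (id INTEGER)")
    return conn

def dynamic_check(app: dict) -> dict:
    """No user is literally named like any payload, so a lookup that returns
    rows for one has been injected. Nothing here can say which line is at
    fault; that is the static method's advantage."""
    findings = {}
    conn = make_db()
    for name in ("lookup_user_vulnerable", "lookup_user_safe", "lookup_user_indirect"):
        for payload in ATTACK_DATA:
            try:
                rows = app[name](conn, payload)
            except sqlite3.Error:
                continue          # broken query: a separate error-handling finding
            if rows:
                findings.setdefault(name, []).append(payload)
    return findings

if __name__ == "__main__":
    print("static :", static_check(APP_SOURCE))
    print("dynamic:", dynamic_check(load_app()))
```

Run it and the two columns of the slide fall out of the results. The static rule names the exact line in lookup_user_vulnerable, but it also reports count_rows, whose concatenated table name comes from a fixed allow-list (a false positive a human must contextualize), and it misses lookup_user_indirect because the concatenation happens in a helper it never connects to the execute() call (a false negative; a real analyzer follows data across functions at considerable cost). The dynamic check finds both real bugs, flags nothing on count_rows or lookup_user_safe, and cannot name a line; it also only succeeds because the attack list happened to contain a single quote, which is the "impossible to guess the whole data set" limitation.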
Slide 13. Security Testing Browser-Based Applications: Think outside the browser
• Hackers rarely limit themselves to a browser
• Testing requires analyzing the application at a lower level
• Think like a 3rd-party hacker… and look at the systems and information stores behind the page:
• Database integration and queries
• Session and state management
• Authentication systems
• Input sanitization and client-data handling
Slide 14. Security Testing Browser-Based Applications: Testing with tools
When is automation appropriate?
Tools have limitations:
• A tools-based approach is confined to matching patterns
• Tools cannot (yet) understand complex logic
• People build tools, and people aren't perfect
Tools are absolutely necessary:
• Every trade has evolved to using tools
• Tools make mundane, repetitive tasks quick
• Tools address the 80/20 rule nicely
Diversify your toolbox:
• Open-source, community-supported tools
• Closed-source, vendor-supported tools
• Custom scripts and such
Slide 15. Arming Yourself (with Tools & Knowledge): Knowledge
Open Web Application Security Project (OWASP):
• Free
• Community-based projects that address web application security in a vendor-neutral fashion
Blogs, expert websites and mailing lists:
• A great wealth of information in the blogosphere
• Check the Security Bloggers Network on FeedBurner
• Ask… I can direct you to more blogs/resources
Community experts:
• Be careful whose advice you buy…
Slide 16. Arming Yourself (with Tools & Knowledge): Tools of the trade
No shortage of controversy over security testing tools:
• Pros/cons can be debated, but never dismissed
• Depending on who you ask, you get biased responses
Bottom line: tools decrease risk and increase efficiency
• There is no magic silver bullet to make you "secure"
• Understand that there are false-positives and false-negatives
• The risk-reduction benefit of using tools is undeniable
• Even the experts and hard-core hackers use tools
• Black-box, white-box, hybrid-mode… all fill a need
Slide 17. Piecing It All Together: Everything we've learned
So far we know…
• Your business' online presence is, or will be, attacked
• Negative testing is necessary to assure security
• Static and dynamic testing must be employed together
• Security testing of browser-based applications is a maturing market
• Many available tools are open to you
Now the prestige…
Slide 18. Piecing It All Together: Enterprise-grade secrets
First assess your existing infrastructure:
• Risk is highest with legacy applications
• Use risk metrics to justify funding for a formal security program
Work hard towards standardization of process:
• Experience proves there is no substitute for a strong process
• SDLC integration will outlive your tenure
Quick fixes are a myth:
• Security cannot be bolted on
• "Fix it in a patch later" is a lost cause
Never buy a "magic fix":
• Security is a process that never actually reaches an end state
Slide 19. Q&A
Rafal M. Los
• Sr. Security Strategist
• Security Solutions Specialist, HP/Application Security Center
• Email: rafal@hp.com
• Direct: (404) 606-6056
• Blog: http://www.communities.hp.com/securitysoftware/blogs/rafal/
