Application Security Testing Results You Need V1.0 Public


This talk, from InfoSec World 2009, discusses how you can go about understanding the terminology and information around building a successful enterprise web application security program.

1 Comment
  • Quite interesting presentation, congratulations!

  1. Session H5: Application Security Testing: How to Get the Results You Need
     Tuesday, March 10th, 2009, 9:45am
     Rafal M. Los, Sr. Web Security Specialist – HP/ASC
     © HP Application Security Center 2009
  2. Key Points
     • Understanding the need for security testing
     • The case for negative-testing
     • Static vs. dynamic application testing
     • Security testing browser-based applications
     • Arming yourself (tools & knowledge)
     • Piecing it all together
  3. Understanding the Need for Security Testing: Asking the big question
     • Question: Why do businesses need to spend time, money and resources on additional testing measures to check the security of their web applications?
     • Obvious answer: Hackers are out to get you – your data and your customers are subject to hijack and theft!
  4. Understanding the Need for Security Testing: A Business Perspective
     • External compliance requirement: PCI – Payment Card Industry standard
     • Internal compliance requirement: corporate data privacy standards
     • Mission-critical web-based applications: web applications that drive your business
     • Critical data in web-based applications: cardholder data, patient records, personal information
     • The company’s online brand is important: defacements and hijacks repel current and future customers
  5. Understanding the Need for Security Testing: More to the point
     Hackers have clear goals…
     • Your systems: use your systems to launch attacks; host spam relays, distribute malware
     • Your data: databases contain payment information and customer data; can you identify all data in your applications?
     • Your customers: distribute adware/trojan-ware to your customers; the case of click injection
     • Your good reputation: industrial sabotage is real; users trust your websites… right? Remember that.
  6. Understanding the Need for Security Testing: Internal Challenges
     • Lack of “security” in the SDLC: PMs – requirements; developers – code; QA – quality; auditors?
     • “Semi-custom” apps: 3rd-party developed applications; custom integrations to internal and external systems
     • Legacy systems: systems developed before security concerns; mainframe over HTTP?
  7. The Case for Negative-Testing: Let’s define Quality Assurance
     Quality assurance, or QA for short, refers to planned and systematic production processes that provide confidence in a product's suitability for its intended purpose. It is a set of activities intended to ensure that products (goods and/or services) satisfy customer requirements in a systematic, reliable fashion. (Wikipedia)
  8. The Case for Negative-Testing: Breaking down quality
     • Quality assurance is incomplete: it performs only positive-testing; it tests only “good” data the system is known to accept; it tests only proper use of the system or application; “Why would anyone want to purposely mis-use the system?”
     • No account for malicious users: 999,999 buyers and a single hacker; the resource exhaustion example (1 hacker, total DoS); QA does not try to disprove the hypothesis (as in science), it only attempts to prove the positive
     • Quality assurance must embrace security: the 3 pillars of quality – does it function? does it perform? is it secure?
  9. The Case for Negative-Testing: Negative Testing is Critical
     How does the application behave in adversity?
     • Test the application against known possible attacks: attack vectors such as hacking, DoS, DDoS, and more
     • Intentional mis-use: test against malicious use-cases; testers must have a library of known attack data
     • Unintended functionality: test for unintended functionality in the application; test for logic flaws, race conditions, others
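The difference between the positive-only testing of slide 8 and the negative testing of slide 9, as an added example that is not part of the talk: a checkout quantity field is checked first with the “good” data QA would use, then with a small library of known attack data. Both parsers, the MAX_QTY business rule and the attack inputs are constructed for this illustration; the naive parser passes the positive suite and still accepts seven of the ten hostile inputs, the hardened one accepts none.

```python
# Added example, not from the slides: positive vs. negative testing of a
# checkout quantity field. Both parsers, the business rule MAX_QTY and the
# attack-data library are constructed for illustration.
from typing import Callable, Dict, List

MAX_QTY = 100  # assumed business rule: at most 100 units per line item


def parse_quantity_naive(raw: str) -> int:
    """The happy-path implementation that positive tests alone would bless."""
    return int(raw)


def parse_quantity_hardened(raw: str) -> int:
    """Same contract, written to hold up under the negative suite."""
    if len(raw) > 3:                             # bound the work before parsing anything
        raise ValueError("quantity too long")
    if not (raw.isascii() and raw.isdigit()):    # no sign, space, underscore or non-ASCII digits
        raise ValueError("quantity must be ASCII digits")
    qty = int(raw)
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return qty


# Positive tests: "good" data the system is known to accept.
POSITIVE_CASES: Dict[str, int] = {"1": 1, "42": 42, "100": 100}

# Negative tests: a small library of known attack data. A well-behaved shopper
# never sends these; a hostile one will. (Constructed sample inputs.)
ATTACK_DATA: List[str] = [
    "-1",                    # negative quantity: negative total / refund abuse
    "0",                     # zero-unit line item
    "99999999999999999999",  # resource exhaustion: huge stock reservation
    "+7",                    # explicit sign, accepted by int()
    " 5",                    # surrounding whitespace, accepted by int()
    "1_000",                 # underscore separators, accepted by int()
    "\uff11\uff12",          # fullwidth digits: int() silently returns 12
    "1e9",                   # exponent notation
    "5;DROP TABLE orders",   # injection-style payload
    "<script>",              # markup payload
]


def run_positive_suite(parse: Callable[[str], int]) -> bool:
    """True when every known-good input round-trips to the expected value."""
    return all(parse(raw) == want for raw, want in POSITIVE_CASES.items())


def run_negative_suite(parse: Callable[[str], int]) -> List[str]:
    """Return every attack input the parser ACCEPTED; each one is a finding."""
    accepted: List[str] = []
    for raw in ATTACK_DATA:
        try:
            parse(raw)
        except ValueError:
            continue  # rejected: the behaviour we want under adversity
        accepted.append(raw)
    return accepted


if __name__ == "__main__":
    for name, parse in (("naive", parse_quantity_naive),
                        ("hardened", parse_quantity_hardened)):
        print(f"{name:9s} positive suite passed: {run_positive_suite(parse)}")
        print(f"{name:9s} attack inputs accepted: {run_negative_suite(parse)!r}")
```

The point of `run_negative_suite` is that it reports what was accepted rather than what failed: under adversity a rejection is the desired outcome, and every accepted attack input is a defect the positive suite could never have surfaced. The hardened parser bounds the input length before it does anything else, which is the same idea as the resource-exhaustion example on slide 8 applied to a single field.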
  10. Building a Business Case: Putting the pieces together
     • You now understand the need → why? Web applications must be resilient to attacks; attacks are a fact of life and business
     • You now understand the requirement → what? QA is inadequate as-is; negative testing (security testing) must be added
     • You must now learn the methods → how? What are the basics of negative-testing? What are the challenges of proper execution?
  11. Static vs. Dynamic Application Testing: Differing testing methods
     • Static analysis → execution path analysis: typically through source code analysis; testing without actual data; analyze all possible execution branches of the code
     • Dynamic analysis → data-driven analysis: typically through black-box testing tools; testing with pre-defined test data sets; analyze behavior when different data sets are used
     • Key point → each of these is incomplete… Why?
  12. Static vs. Dynamic Application Testing: Clearly we need both
     • Dynamic – pros: lower false-positive rate; well-established testing tools; ability to execute layered testing
     • Dynamic – cons: incomplete (impossible to guess the whole of the data set); cannot point to the source code where errors exist; prone to inconsistency issues
     • Static – pros: absolutely complete analysis; identifies the issues directly in source code; pre-defined patterns identified in source
     • Static – cons: potential for many false-positives; extremely resource-intensive analysis; inability to contextualize issues
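The two cons that slides 11 and 12 put side by side, shown on one toy program as an added example (not code from the talk or from HP): a pattern-matching static check flags a dangerous call that only exists in a comment (a false positive) and says nothing about the program's real defect, a coupon-percentage logic flaw; a data-driven dynamic check finds that flaw, but only when the data set contains an out-of-range value. The toy application, the pattern list, the price invariant and both data sets are constructed for this illustration.

```python
# Added example, not from the slides: a pattern-matching "static" check and a
# data-driven "dynamic" check run against the same toy application. The toy
# app, the pattern list, the invariant and both data sets are constructed.
import re
from typing import Callable, Dict, List

# Source of the application under test. Its one real defect is a logic flaw:
# apply_coupon never bounds the client-supplied percent.
TOY_APP_SOURCE = '''\
def apply_coupon(price, percent):
    # Logic flaw: percent is never bounded, so 150 yields a negative charge
    # and -50 a 50% surcharge.
    return price - price * percent / 100


def render_greeting(name):
    # legacy (commented out): return eval("'Hello ' + " + repr(name))
    return "Hello " + name
'''

# Text patterns a simple static scanner looks for (constructed list).
DANGEROUS_PATTERNS = {
    "eval(": re.compile(r"\beval\s*\("),
    "exec(": re.compile(r"\bexec\s*\("),
    "os.system(": re.compile(r"\bos\.system\s*\("),
}


def static_scan(source: str) -> List[Dict[str, object]]:
    """Pattern-matching static check: flag every line that mentions a dangerous call.

    It matches text, so it cannot tell a live call from a commented-out one
    (false positive) and it cannot see the logic flaw at all (blind spot).
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in DANGEROUS_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "pattern": label,
                                 "in_comment": line.lstrip().startswith("#")})
    return findings


def load_toy_app() -> Dict[str, object]:
    """Load the application under test, as a harness would import the real one."""
    namespace: Dict[str, object] = {}
    exec(compile(TOY_APP_SOURCE, "<toy_app>", "exec"), namespace)
    return namespace


def dynamic_check(fn: Callable, data_set: List, invariant: Callable[[object], bool]) -> List:
    """Data-driven check: run fn on each input, report those that break the invariant.

    It observes real behaviour, but only for the data it was given: it is
    exactly as complete as the data set.
    """
    return [x for x in data_set if not invariant(fn(x))]


# A $100 item: a valid coupon must leave the charge between $0 and $100.
def charge_in_range(charge: float) -> bool:
    return 0 <= charge <= 100


QA_PERCENTS = [0, 10, 25, 50]          # the "good" data a positive test suite uses
ATTACK_PERCENTS = [150, -50, 10 ** 6]  # out-of-range values a hostile user would try


def run_dynamic(percents: List[int]) -> List[int]:
    """Return the percent values for which apply_coupon breaks the invariant."""
    app = load_toy_app()
    coupon = app["apply_coupon"]
    return dynamic_check(lambda p: coupon(100, p), percents, charge_in_range)


if __name__ == "__main__":
    print("static findings:", static_scan(TOY_APP_SOURCE))        # one hit, in a comment
    print("dynamic, QA data:", run_dynamic(QA_PERCENTS))          # []: flaw missed
    print("dynamic, attack data:", run_dynamic(ATTACK_PERCENTS))  # flaw found
```

Read together, the two results are the slide's argument in miniature: the static pass is complete over the source but produces a finding that needs a human to contextualize, while the dynamic pass is precise about real behaviour but silent until someone puts the right data in front of it. A program that uses both, and feeds the dynamic side a library of attack data rather than QA's happy-path values, gets coverage neither offers alone.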
  13. Security Testing Browser-Based Applications: Think outside the browser
     • Hackers rarely limit themselves to a browser
     • Testing requires analyzing the application at a lower level
     • Think like a 3rd-party hacker…
     • Components behind the browser: database systems; integration queries and information; session & state management stores; authentication systems; input sanitization and client-data handling
  14. Security Testing Browser-Based Applications: Testing with tools
     When is automation appropriate?
     • Tools have limitations: a tools-based approach is confined to matching patterns; tools cannot (yet) understand complex logic; people build tools, and people aren’t perfect
     • Tools are absolutely necessary: every trade has evolved to using tools; tools make mundane, repetitive tasks quick; tools address the 80/20 rule nicely
     • Diversify your toolbox: open-source community-supported tools; closed-source vendor-supported tools; custom scripts and such
  15. Arming Yourself (with Tools & Knowledge): Knowledge
     • Open Web Application Security Project (OWASP): free; community-based projects to address web application security in a vendor-neutral fashion
     • Blogs, expert websites & mailing lists: a great wealth of information in the blogosphere; check the Security Bloggers Network on FeedBurner; ask… I can direct you to more blogs/resources
     • Community experts: be careful whose advice you buy…
  16. Arming Yourself (with Tools & Knowledge): Tools of the trade
     • No shortage of controversy over security testing tools: pros/cons can be debated, but never dismissed; depending on who you ask, you get biased responses; bottom line: tools decrease risk and increase efficiency
     • There is no magic silver bullet to make you “secure”: understand there are false-positives and false-negatives; the risk-reduction benefit from tool use is undeniable; even the experts and hard-core hackers use tools; black-box, white-box, hybrid-mode… all fill a need
  17. Piecing It All Together: Everything we’ve learned
     So far we know…
     • Your business’ online presence is/will be attacked
     • Negative testing is necessary to assure security
     • Static and dynamic testing must be employed together
     • Security testing browser-based applications is a maturing market
     • Many available tools are open to you
     Now the prestige…
  18. Piecing It All Together: Enterprise grade secrets
     • First assess your existing infrastructure: risk is highest with legacy applications; use risk metrics to leverage funding for a formal security program
     • Work hard towards standardization of process: experience proves there is no substitute for a strong process; SDLC integration will outlive your tenure
     • Quick fixes are a myth: security cannot be bolted on; “fix it in a patch later” is a lost cause
     • Never buy a “magic fix”: security is a process, never actually achieving an end-state
  19. Q&A
     Rafal M. Los
     • Sr. Security Strategist
     • Security Solutions Specialist, HP/Application Security Center
     • Email:
     • Direct: (404) 606-6056
     • Blog: