Application Security Testing Results You Need V1.0 Public

This talk, from InfoSec World 2009, discusses how you can go about understanding the terminology and information around building a successful enterprise web application security program.

  • Quite interesting presentation, congratulations!
    http://www.medicaldebtsconsolidation.com
    http://www.medicaldebtsconsolidation.com/category/medical-debt-consolidation/
    http://www.medicaldebtsconsolidation.com/category/medical-debt-relief/

Application Security Testing Results You Need V1.0 Public: Presentation Transcript

  • Session H5. Application Security Testing: How to Get the Results You Need
    Tuesday, March 10th, 2009, 9:45am
    Rafal M. Los, Sr. Web Security Specialist, HP/ASC
    © HP Application Security Center 2009
  • Key Points
    • Understanding the need for security testing
    • The case for negative-testing
    • Static vs. dynamic application testing
    • Security testing browser-based applications
    • Arming yourself (tools & knowledge)
    • Piecing it all together
  • Understanding the Need for Security Testing: Asking the big question
    • Question: Why do businesses need to spend time, money and resources on additional testing measures to check the security of their web applications?
    • Obvious answer: Hackers are out to get you – your data and your customers are subject to hijack and theft!
  • Understanding the Need for Security Testing: A Business Perspective
    • External compliance requirement: PCI – Payment Card Industry standard
    • Internal compliance requirement: corporate data privacy standards
    • Mission-critical web-based applications: web applications that drive your business
    • Critical data in web-based applications: cardholder data, patient records, personal information
    • Company’s online brand is important: defacements and hijacks repel current and future customers
  • Understanding the Need for Security Testing: More to the point
    Hackers have clear goals…
    • Your systems: use your systems to launch attacks; host spam relays, distribute malware
    • Your data: databases contain payment information, customer data; can you identify all data in your applications?
    • Your customers’ clicks: distribute adware/trojan-ware to your customers; the case of BusinessWeek.com: http://cyberinsecure.com/businessweek-online-content-hit-by-sql-injection/
    • Your good reputation: industrial sabotage is real; users trust your websites… right? Remember Egghead.com?
  • Understanding the Need for Security Testing: Internal Challenges
    • Lack of “Security” in SDLC: PMs – requirements; developers – code; QA – quality; auditors?
    • “Semi-Custom” apps: 3rd-party developed applications; custom integrations to internal and external systems
    • Legacy systems: systems developed before security concerns; mainframe over HTTP?
  • The Case for Negative-Testing: Let’s define Quality Assurance
    • Quality assurance, or QA for short, refers to planned and systematic production processes that provide confidence in a product's suitability for its intended purpose. It is a set of activities intended to ensure that products (goods and/or services) satisfy customer requirements in a systematic, reliable fashion. (Wikipedia)
  • The Case for Negative-Testing: Breaking down quality
    • Quality assurance is incomplete: it performs only positive-testing; tests only “good” data the system is known to accept; tests only proper use of the system or application; “Why would anyone want to purposely mis-use the system?”
    • No account for malicious users: 999,999 buyers and a single hacker; the resource exhaustion example (1 hacker, total DoS); QA does not try to disprove the hypothesis (as in science), it only attempts to prove the positive
    • Quality assurance must embrace security: the 3 pillars of quality are “Does it function?”, “Does it perform?” and “Is it secure?”
  • The Case for Negative-Testing: Negative Testing is Critical
    How does the application behave in adversity?
    • Test the application against known possible attacks: attack vectors such as hacking, DoS, DDoS, and more
    • Intentional mis-use: test against malicious use-cases; testers must have a library of known attack data
    • Unintended functionality: test for unintended functionality in the application; test for logic flaws, race conditions, others
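The two slides above argue that a suite built only from “good” data cannot show how an application behaves under malicious use, and that testers need a library of known attack data. The following is an added example, not code from the talk: a small order handler written against positive tests only, a hardened counterpart, and a harness that runs both through good data and a constructed attack library (including the oversized-input, resource-exhaustion case). The handler names, the business limits and every sample input are assumptions made for the illustration.

```python
"""Positive versus negative testing of a small order handler.

Added example, not code from the talk: the handlers, the attack-data library
and the business limits are constructed for illustration.
"""
import re

MAX_ITEM_LEN = 64      # assumed business limit on item names
MAX_QTY = 1000         # assumed business limit on quantity per order
UNIT_PRICE = 10        # constructed price so totals are easy to follow


def naive_order(item, qty):
    """Handler written against positive tests only: it trusts its inputs."""
    quantity = int(qty)
    return {"item": item, "qty": quantity, "total": quantity * UNIT_PRICE}


def hardened_order(item, qty):
    """Handler that also rejects the malicious use-cases a QA suite never sends."""
    if not isinstance(item, str) or not re.fullmatch(r"[A-Za-z0-9 _-]{1,%d}" % MAX_ITEM_LEN, item):
        raise ValueError("invalid item name")
    try:
        quantity = int(qty)
    except (TypeError, ValueError):
        raise ValueError("quantity must be an integer") from None
    if not 1 <= quantity <= MAX_QTY:
        raise ValueError("quantity out of range")
    return {"item": item, "qty": quantity, "total": quantity * UNIT_PRICE}


# Positive data: the "good" inputs the system is known to accept.
POSITIVE_DATA = [("widget", 1), ("gadget 2", "25")]

# Library of known attack data (constructed): inputs a legitimate buyer would
# never send but a hostile user might.
ATTACK_DATA = [
    ("widget", -5),                       # negative quantity: refund-style abuse
    ("widget", 0),                        # zero-quantity order
    ("widget", 10 ** 18),                 # absurd quantity, far beyond any stock
    ("widget", "10; DROP TABLE orders"),  # non-numeric, injection-style string
    ("<script>alert(1)</script>", 1),     # markup in a field that is rendered later
    ("A" * 1_000_000, 1),                 # oversized input: the resource-exhaustion case
    ("widget", None),                     # missing field
]


def run_suite(handler):
    """Run positive and negative data through a handler and tally outcomes.

    'rejected' counts attack inputs refused with a ValueError (the desired
    behaviour); 'accepted' counts attack inputs processed as if valid;
    'crashed' counts any other exception, the kind that becomes an HTTP 500
    in production and is a finding in its own right.
    """
    tally = {"positive": 0, "accepted": 0, "rejected": 0, "crashed": 0}
    for item, qty in POSITIVE_DATA:
        try:
            handler(item, qty)
            tally["positive"] += 1
        except Exception:
            pass
    for item, qty in ATTACK_DATA:
        try:
            handler(item, qty)
            tally["accepted"] += 1
        except ValueError:
            tally["rejected"] += 1
        except Exception:
            tally["crashed"] += 1
    return tally


if __name__ == "__main__":
    for handler in (naive_order, hardened_order):
        print(handler.__name__, run_suite(handler))
```

Both handlers pass every positive case, which is all a conventional QA suite would report. Only the negative run separates them: the naive handler accepts five of the seven attack inputs and crashes on one, while the hardened handler rejects all seven with a controlled error.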
  • Building a Business Case: Putting the pieces together
    • You now understand the need → why? Web applications must be resilient to attacks; attacks are a fact of life and business
    • You now understand the requirement → what? QA is inadequate as-is; negative testing (security testing) must be added
    • You must now learn the methods → how? What are the basics of negative-testing? What are the challenges of proper execution?
  • Static vs. Dynamic Application Testing: Differing testing methods
    • Static analysis → execution path analysis: typically through source code analysis; testing without actual data; analyze all possible execution branches of code
    • Dynamic analysis → data-driven analysis: typically through black-box testing tools; testing with pre-defined test data sets; analyze behavior when different data sets are used
    • Key point → each of these is incomplete… Why?
  • Static vs. Dynamic Application Testing: Clearly we need both
    • Dynamic, pros: lower false-positive rate; well-established testing tools; ability to execute layered testing
    • Dynamic, cons: incomplete (impossible to guess the whole of the data set); cannot point to the source code where errors exist; prone to inconsistency issues
    • Static, pros: absolutely complete analysis; identifies the issues directly in source code; pre-defined patterns identified in source
    • Static, cons: potential for many false-positives; extremely resource-intensive analysis; inability to contextualize issues
  • Security Testing Browser-Based Applications: Think outside the browser
    • Hackers rarely limit themselves to a browser
    • Testing requires analyzing the application at a lower level
    • Think like a hacker… 3rd-party systems integration; database queries and information stores; session & state management; authentication systems; input sanitization and client-data handling
  • Security Testing Browser-Based Applications: Testing with tools
    When is automation appropriate?
    • Tools have limitations: a tools-based approach is confined to matching patterns; tools cannot (yet) understand complex logic; people build tools, and people aren’t perfect
    • Tools are absolutely necessary: every trade has evolved to using tools; tools make mundane, repetitive tasks quick; tools address the 80/20 rule nicely
    • Diversify your toolbox: open-source community-supported tools; closed-source vendor-supported tools; custom scripts and such
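The static-vs-dynamic slides claim that each method alone is incomplete, and the tools slide explains why: a pattern-matching tool cannot understand logic. The following added example (not code from the talk, nor from any HP product) makes both points concrete on one constructed module. A toy static analyzer walks the AST and flags a query built by string formatting, reporting the exact line, but it has no pattern for a pricing bug. A toy dynamic harness runs the same functions over pre-defined data sets against behavioural oracles: it catches the pricing bug, cannot name a line, and never exercises the SQL string because no attack input is in its data set. The target functions, the analyzer, the stub cursor, the data sets and the oracles are all assumptions made for the illustration.

```python
"""Static and dynamic analysis of the same code, each finding what the other misses.

Added example, not code from the talk: the target functions, the toy analyzer,
the stub cursor and the test data sets are all constructed for illustration.
"""
import ast

# Module under test (constructed). Line numbers in the static findings refer
# to this string, whose first line is the blank one after the opening quotes.
TARGET_SOURCE = '''
def find_user(cursor, username):
    # SQL assembled by string formatting: a static pattern match can flag this
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % username)
    return cursor.fetchone()

def apply_coupon(price, code):
    # Logic flaw: a discount larger than the price yields a negative total.
    # There is no dangerous call to match; only running it with data shows it.
    discounts = {"SAVE10": 10, "VIP": 500}
    return price - discounts.get(code, 0)
'''


def static_findings(source):
    """Walk the AST and flag execute() calls whose query is built by formatting.

    Returns (function name, line number) pairs. It never runs the code, so it
    sees every branch, but it only knows the patterns it was written to match.
    """
    findings = []
    for func in ast.parse(source).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args):
                continue
            query = node.args[0]
            formatted = (
                isinstance(query, ast.JoinedStr)                                     # f"...{x}"
                or (isinstance(query, ast.BinOp) and isinstance(query.op, ast.Mod))  # "..." % x
                or (isinstance(query, ast.Call) and isinstance(query.func, ast.Attribute)
                    and query.func.attr == "format")                                 # "...".format(x)
            )
            if formatted:
                findings.append((func.name, node.lineno))
    return findings


class StubCursor:
    """Stands in for a database cursor so the target runs without a database."""

    def execute(self, query):
        self.last_query = query

    def fetchone(self):
        return {"name": "stub-row"}


# Pre-defined dynamic test data sets (constructed): ordinary inputs plus a few
# edge cases. Nothing here probes the SQL string, which is the point.
DYNAMIC_DATA = {
    "find_user": [(StubCursor(), "alice"), (StubCursor(), "bob")],
    "apply_coupon": [(50, "SAVE10"), (20, "VIP"), (20, "NOSUCH")],
}

# Behavioural oracles: what a correct result must look like for each function.
ORACLES = {
    "find_user": lambda result: result is not None,  # a lookup must return a row
    "apply_coupon": lambda result: result >= 0,      # an order total is never negative
}


def dynamic_findings(source):
    """Run each function over its data sets and report oracle violations.

    Findings name the function and the offending input but cannot point at a
    source line, and an input absent from the data set is never exercised.
    """
    namespace = {}
    exec(source, namespace)  # load the module under test (stands in for importing it)
    findings = []
    for name, cases in DYNAMIC_DATA.items():
        for args in cases:
            if not ORACLES[name](namespace[name](*args)):
                findings.append((name, args))
    return findings


def combined_findings(source):
    """Both methods together cover what either one alone leaves untested."""
    return {"static": static_findings(source), "dynamic": dynamic_findings(source)}


if __name__ == "__main__":
    for method, found in combined_findings(TARGET_SOURCE).items():
        print(method, found)
```

The static pass reports `find_user` at line 4 and nothing else; the dynamic pass reports `apply_coupon` with the input `(20, "VIP")` and nothing else. Neither list is wrong, and neither is complete, which is the case the slides make for running both.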
  • Arming Yourself (with Tools & Knowledge): Knowledge
    • Open Web Application Security Project (OWASP): free; community-based projects to address web application security in a vendor-neutral fashion
    • Blogs, expert websites & mailing lists: a great wealth of information on the blog-o-sphere; check the Security Bloggers’ Network on FeedBurner; ask … I can direct you to more blogs/resources
    • Community experts: be careful whose advice you buy…
  • Arming Yourself (with Tools & Knowledge): Tools of the trade
    • No shortage of controversy over security testing tools: pros/cons can be debated, but never dismissed; depending on who you ask, you get biased responses
    • Bottom line: tools decrease risk, increase efficiency; there is no magic silver bullet to make you “secure”; understand there are false-positives and false-negatives
    • The risk-reduction benefit from tool use is undeniable: even the experts and hard-core hackers use tools; black-box, white-box, hybrid-mode… all fill a need
  • Piecing It All Together: Everything we’ve learned
    So far we know…
    • Your business’ online presence is/will be attacked
    • Negative testing is necessary to assure security
    • Static and dynamic testing must be employed together
    • Security testing browser-based applications is a maturing market
    • Many available tools are open to you
    Now the prestige…
  • Piecing It All Together: Enterprise grade secrets
    • First assess your existing infrastructure: risk is highest with legacy applications; use risk metrics to leverage funding for a formal security program
    • Work hard towards standardization of process: experience proves there is no substitute for a strong process; SDLC integration will outlive your tenure
    • Quick fixes are a myth: security cannot be bolted on; “Fix it in a patch later” is a lost cause
    • Never buy a “magic fix”: security is a process, never actually achieving an end-state
  • Q&A
    Rafal M. Los
    • Sr. Security Strategist
    • Security Solutions Specialist, HP/Application Security Center
    • Email: rafal@hp.com
    • Direct: (404) 606-6056
    • Blog: http://www.communities.hp.com/securitysoftware/blogs/rafal/