Your SlideShare is downloading. ×
Software Security Testing
Software Security Testing
Software Security Testing
Software Security Testing
Software Security Testing
Software Security Testing
Software Security Testing
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Software Security Testing

307

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
307
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
19
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Software Security Testing The Next Frontier Software Confidence. Achieved. Scott Matsumoto Principal Consultant smatsumoto@cigital.com www.cigital.com info@cigital.com +1.703.404.9293 Tuesday, May 01, 2007 1 About Cigital A leading consulting firm specializing in helping organizations improve their software security and software quality posture Recognized experts in “Building Security In” Extensive Industry Standards, Best Practices, and Regulatory Compliance Experience © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 2 1
  • 2. Software Security Is A Challenge The Trinity of Trouble …is this complex program Connectivity The network is the computer. The Internet is everywhere and most software is on it Complexity Networked, distributed, mobile code is hard Extensibility Systems evolve in .NET unexpected ways and are changed on the fly This simple interface… © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 3 Software Vulnerability Growth Reported Software Vulnerabilities 9000 8064 8000 7000 5690 6000 5000 4129 3784 3780 4000 3000 2437 2000 1090 1000 0 2000 2001 2002 2003 2004 2005 2006 Source: CERT © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 4 2
  • 3. Web-based Application Vulnerability Software Security problems are in the application software © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 5 Top 4 Vulnerabilities in CVE Percentage distribution of top 4 vulnerabilities 25.00% 20.00% XSS 15.00% buf sql-inject 10.00% dot 5.00% 0.00% 2000 2001 2002 2003 2004 2005 2006 2007 © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 6 3
  • 4. Software Security Touchpoints © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 7 SQL Injection Insert SQL commands into data fields to alter behavior of server Return different data Overwork server with unbounded queries and joins (denial of service) Alter data Execute blocks of arbitrary SQL statements © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 8 4
  • 5. Example SQL Injection Vulnerability Compose a dynamic query based on user input: SELECT cc_type, cc_num FROM cc_data WHERE id=‘%s’ AND cc_type=‘%s’ Normal cc_type = ‘Visa’: SELECT cc_type, cc_num FROM cc_data WHERE id=‘123456789’ AND cc_type=‘VisaVisa’ Visa © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 9 JRM2 SQL Injection Insert SQL commands into data fields to alter behavior of application Example: Enter x’ OR ‘a’=‘a instead of “Visa” to produce SELECT cc_type, cc_num FROM cc_data WHERE id=‘123456789’ AND cc_type =‘x’ OR ‘a’ = ‘a’ Results in all credit card data being returned © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 10 5
  • 6. Slide 10 JRM2 Brook: Explain why this is important to morgan. rmills, 11/6/2006
  • 7. Software Security Testing – Call to Action Types of problems (vulnerabilities) Weaknesses, Vulnerability and Attack Patterns Tools and Techniques for Testing Penetration and Fuzzing tools Think like a bad guy Know your application Resources CWE/CVE – mitre.org OWASP – owasp.org Verify 2007 – verifyconference.com © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 11 Thank you for your time. © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 12 6

×