Web Application Remediation

OWASP San Antonio

March 28th, 2007
Agenda
•   Introduction
•   The Problem: Vulnerable Web Applications
•   Goals
•   Example Process Overview
•   Real World Issues To Address
•   Conclusion/Questions

Introduction
•   Dan Cornell
•   Principal of Denim Group, Ltd.
•   Background in Software Development
    – Java/JEE, .NET, etc
    – Java Certified Programmer, MCSD

Problem: Vulnerable Web Applications
•   Your organization has identified and verified vulnerabilities in a
    web application
•   How did you find out?
     – Evidence of exploitation
     – External assessment or audit
     – Internal review

Goals
•   Address Organizational Risk
•   Options:
    – Fix it
    – Turn it off
    – Live with it
•   Often no easy answers
•   Any solution must be business-driven
    – Risk mitigation strategies

Before You Start
•   Know your stakeholders – who cares about having
    vulnerabilities remediated
     – 3rd party client
     – Security team
     – Internal/external audit
•   This will determine the level of rigor
     – Thoroughness of testing
     – Volume of documentation
•   Much easier to know up front than to try and reconstruct at the
    end

Example Process Overview
•   Inception:
     –   Identify Vulnerabilities
     –   Rank
     –   Planning Game
     –   Prepare
•   Execution:
     – Remediate
•   Completion:
     – Confirm
     – Report
     – Deploy

•   Repeat as necessary…

Identify Vulnerabilities
•   How does this happen?
    – Evidence of exploitation
    – External assessment or penetration test
    – Internal assessment or audit

Rank
•   Need to know the severity of vulnerabilities
•   Think in terms of:
     – Confidentiality
     – Integrity
     – Availability
•   Data classification policies are key
     – Your organization has a data classification policy, right?
•   Rankings will vary by organization and by application

STRIDE
•   Used to classify threats to an application

•   Spoofing Identity
•   Tampering with Data
•   Repudiation
•   Information Disclosure
•   Denial of Service
•   Elevation of Privilege

DREAD
•   Used to rank the severity of vulnerabilities

•   Damage potential
•   Reproducibility
•   Exploitability
•   Affected Users
•   Discoverability

•   Recommend 1-3 scale rather than 1-10
     – How do you know if something is a 7 or an 8?

Planning Game
[Diagram: Propose Solution → Estimate Level of Effort → Weigh Level of Protection → Make Decision]

Propose Solution
•   Coding Fix
    – No change in functionality for valid inputs
•   Configuration Change
•   Functionality Change
    – Could be large or small
    – May have significant requirements, architecture or design implications
•   Web Application Firewall
•   Do Nothing

Estimate Level of Effort
•   Code changes tend to be simple but are often widespread
    throughout the application
•   Functionality changes have a wide range depending on their
    impact
    – Architecture or design changes
    – Business process impact
•   Web Application Firewalls
    – Train
    – Deploy
    – Manage
•   Doing nothing is always easy
    – In the short term at least…

Weigh Level of Protection
•   SDL: Fix security bugs the right way
•   That is nice, but not always appropriate (unfortunately)
•   Quantitative Risk Assessment
     –   Challenging because of a lack of actuarial data
     –   SLE – Single Loss Expectancy
     –   ARO – Annual Rate of Occurrence
     –   ALE – Annual Loss Expectancy
     –   ROSI – Return on Security Investment
•   Qualitative Risk Assessment
     – Return to data classification, STRIDE, and DREAD
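As an added illustration (not from the original slides; the asset value, rates and costs below are constructed), this is how the quantitative terms combine, applied to three of the options from the Propose Solution slide:

$$\mathrm{SLE} = \mathrm{AV}\times\mathrm{EF},\qquad \mathrm{ALE} = \mathrm{SLE}\times\mathrm{ARO},\qquad \mathrm{ROSI} = \frac{\mathrm{ALE}_{\mathrm{before}} - \mathrm{ALE}_{\mathrm{after}} - \mathrm{Cost}}{\mathrm{Cost}}$$

AV (asset value) and EF (exposure factor, the fraction of AV lost per incident) are the standard inputs to SLE; they are not named on the slide. Constructed inputs: AV = $200,000 and EF = 0.25, so SLE = $50,000; ARO = 0.4 per year, so ALE_before = $20,000.

•   Coding fix: Cost = $15,000 (one-time, counted in the first year), ARO reduced to 0.02, so ALE_after = $1,000 and ROSI = (20,000 − 1,000 − 15,000) / 15,000 ≈ 0.27
•   Web Application Firewall: Cost = $8,000 per year, ARO reduced to 0.1, so ALE_after = $5,000 and ROSI = (20,000 − 5,000 − 8,000) / 8,000 ≈ 0.88
•   Do nothing: Cost = 0, ALE stays at $20,000; ROSI is undefined and the full expected loss is carried

The two "ARO reduced to" figures are exactly the actuarial data the slide says is lacking, which is why the qualitative route (data classification, STRIDE, DREAD) is offered as the alternative.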

Make Decision
•   Remember that the goal is to appropriately address risk

Prepare
•   Planning Game should have resulted in a remediation plan
     – What is going to be fixed and how?
•   Develop test plan to confirm the remediation worked after
    completion
•   Two types of testing
     – Positive
     – Negative

Positive Testing
•   “Do No Harm”
•   Make sure the application works for valid inputs before and after
•   Tests should pass before and pass after

Negative Testing
•   Make sure the remediation worked
•   Tests should fail before and succeed after

Automated Testing
•   Automate as much as possible
•   Reasons
    – Easier to test and re-test
    – Test scripts offer repeatable demonstration of behavior
•   Types
    – Web Application Scanners
    – Unit Testing
    – Acceptance Testing

Automated Testing: Web Application Scanners
•   Compare before and after results
•   Most modern application scanners will compare or trend results
•   Excellent choice if organizations have a scan template that is a
    “standard”

Automated Testing: Unit Testing
•   Frameworks:
    – JUnit: www.junit.org
    – NUnit: www.nunit.org

Automated Testing: Acceptance Testing
•   Frameworks
    –   Web Application Tests In Ruby: wtr.rubyforge.org
    –   Web Application Tests In Java: www.watij.com
    –   Web Application Tests In .NET: watin.sourceforge.net
    –   Perl Mechanize: search.cpan.org/dist/WWW-Mechanize

Remediation Testing Patterns
•   SQL Injection and Cross Site Scripting (XSS)
     – Fairly simple coding fixes
     – May be widespread
     – Before and after tests should be self explanatory
•   Authorization
     – Script access to pages with different roles
•   Parameter Tampering / Insecure Direct Object Reference
     – Testing will be data driven and specific to login
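One way to script the positive and negative tests described on the Positive Testing and Negative Testing slides, applied to the SQL injection coding-fix case above (added example, not code from the original talk; the users table, the two lookup functions and the test inputs are all constructed):

```python
"""Positive/negative remediation tests for a SQL injection coding fix.

Added example: the table, the two lookup functions and the test cases are
constructed for illustration and are not taken from the original talk.
"""
import sqlite3

# Constructed sample data, loaded into a fresh in-memory database per case.
USERS = [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_before(conn, name):
    """'Before' version: the string-built query that is being remediated."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_after(conn, name):
    """'After' version: the coding fix, a parameterized query."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Positive tests ("do no harm"): valid inputs and the rows they must return.
# These must pass before and after the fix.
POSITIVE_CASES = {
    "alice": [(1, "alice", "alice@example.com")],
    "bob": [(2, "bob", "bob@example.com")],
    "carol": [],  # unknown user: empty result, no error
}

# Negative tests: a classic tautology payload that must be treated as plain
# data. These should fail before the fix and succeed after it.
NEGATIVE_CASES = ["' OR '1'='1"]


def run_positive(lookup):
    """Map each valid input to True when lookup returns exactly the expected rows."""
    results = {}
    for name, expected in POSITIVE_CASES.items():
        conn = make_db()
        try:
            results[name] = lookup(conn, name) == expected
        except sqlite3.Error:
            results[name] = False  # crashing on valid input is also a failure
        finally:
            conn.close()
    return results


def run_negative(lookup):
    """Map each payload to True when lookup returns no rows for it."""
    results = {}
    for payload in NEGATIVE_CASES:
        conn = make_db()
        try:
            results[payload] = lookup(conn, payload) == []
        except sqlite3.Error:
            # A SQL error means the payload reached the parser: still vulnerable.
            results[payload] = False
        finally:
            conn.close()
    return results


def remediation_report():
    """Before/after results in a shape the Confirm and Report phases can keep."""
    return {
        "positive": {"before": run_positive(lookup_before),
                     "after": run_positive(lookup_after)},
        "negative": {"before": run_negative(lookup_before),
                     "after": run_negative(lookup_after)},
    }


if __name__ == "__main__":
    for kind, phases in remediation_report().items():
        for phase, outcome in phases.items():
            verdict = "PASS" if all(outcome.values()) else "FAIL"
            print(kind, phase, verdict, outcome)
```

The expected pattern is positive PASS/PASS and negative FAIL/PASS across before/after; any other combination means either the fix broke valid behaviour or did not close the hole.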

Remediate
•   Now you actually get to make changes
•   Often the easiest phase
•   Do not forget about change control
    – Tag or branch source code repositories
    – Note before/after versions for policies and procedures

Confirm
•   Run through test plan
•   Run automated tests
•   Capture the results
     – These will be used for reporting later
•   Separation of duties
     – One individual or team should remediate
     – Another individual or team should confirm that remediation was effective

Report
•   Who are the “clients” of the remediation?
     –   Actual 3rd party client?
     –   Security team
     –   Internal/external audit
     –   Executive sponsor
•   Different groups will have different needs and different reporting
    requirements
•   Repeatable output from automated scripts is often useful
•   Use source control to provide line-by-line change logs if necessary

Deploy
•   Deploying security remediation updates should be treated as
    any other significant release

Real World Concerns
•   Who is going to do the work?
•   How does remediation get prioritized alongside other efforts?

Real World Concerns
•   Who is going to do the work?
    – In house developers
        • Do they have the requisite security knowledge?
        • Is it possible to allocate their time (versus existing projects)?
    – 3rd party
        • Can they learn enough about the application?
        • How will they get access to the code and environment?

Real World Concerns
•   How does remediation get prioritized alongside other efforts?
     – Business decision for the organization
     – Often compliance or Service Level Agreement (SLA) issues making security
       remediation a priority

Process Improvement
•   “Those who cannot remember the past are doomed to repeat it”
    (George Santayana)
•   If an organization does not learn from their security mistakes
    they will repeat those security mistakes
•   What to learn from remediated vulnerabilities?
    – Do coding standards need to be updated to help protect against technical
      application vulnerabilities?
        • (Does the organization need coding standards?)
    – What activities in the SDLC would have helped prevent the injection of
      these vulnerabilities or would have caught them sooner?
        • Threat Modeling / Risk Assessment
        • Security code reviews

Thoughts and Conclusions
•   Application security remediation must be business-focused
    because there is never enough time to fix everything perfectly

•   Communication is essential – what is going to be fixed and
    under what conditions?

•   Understand the constituencies up front so appropriate
    documentation and confirmation occurs

•   Automate testing wherever possible to facilitate iterative
    development as well as create repeatable demonstrations of
    progress

Questions
Dan Cornell
dan@denimgroup.com
(210) 572-4400

Web: www.denimgroup.com
Blog: denimgroup.typepad.com

Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Web Application Remediation - OWASP San Antonio March 2007

1. Web Application Remediation
OWASP San Antonio
March 28th, 2007

2. Agenda
•   Introduction
•   The Problem: Vulnerable Web Applications
•   Goals
•   Example Process Overview
•   Real World Issues To Address
•   Conclusion/Questions

3. Introduction
•   Dan Cornell
•   Principal of Denim Group, Ltd.
•   Background in Software Development
    – Java/JEE, .NET, etc.
    – Java Certified Programmer, MCSD

4. Problem: Vulnerable Web Applications
•   Your organization has identified and verified vulnerabilities in a web application
•   How did you find out?
    – Evidence of exploitation
    – External assessment or audit
    – Internal review

5. Goals
•   Address Organizational Risk
•   Options:
    – Fix it
    – Turn it off
    – Live with it
•   Often no easy answers
•   Any solution must be business-driven
    – Risk mitigation strategies

6. Before You Start
•   Know your stakeholders – who cares about having vulnerabilities remediated
    – 3rd party client
    – Security team
    – Internal/external audit
•   This will determine the level of rigor
    – Thoroughness of testing
    – Volume of documentation
•   Much easier to know up front than to try and reconstruct at the end

7. Example Process Overview
•   Inception:
    – Identify Vulnerabilities
    – Rank
    – Planning Game
    – Prepare
•   Execution:
    – Remediate
•   Completion:
    – Confirm
    – Report
    – Deploy
•   Repeat as Necessary...

8. Identify Vulnerabilities
•   How does this happen?
    – Evidence of exploitation
    – External assessment or penetration test
    – Internal assessment or audit

9. Rank
•   Need to know the severity of vulnerabilities
•   Think in terms of:
    – Confidentiality
    – Integrity
    – Availability
•   Data classification policies are key
    – Your organization has a data classification policy, right?
•   Rankings will vary by organization and by application

10. STRIDE
•   Used to classify threats to an application
•   Spoofing Identity
•   Tampering with Data
•   Repudiation
•   Information Disclosure
•   Denial of Service
•   Elevation of Privilege

11. DREAD
•   Used to rank the severity of vulnerabilities
•   Damage potential
•   Reproducibility
•   Exploitability
•   Affected Users
•   Discoverability
•   Recommend 1-3 scale rather than 1-10
    – How do you know if something is a 7 or an 8?

12. Planning Game
(Diagram: Propose Solution → Estimate Level of Effort → Weigh Level of Protection → Make Decision)

13. Propose Solution
•   Coding Fix
    – No change in functionality for valid inputs
•   Configuration Change
•   Functionality Change
    – Could be large or small
    – May have significant requirements, architecture or design implications
•   Web Application Firewall
•   Do Nothing

14. Estimate Level of Effort
•   Code changes tend to be simple but are often widespread throughout the application
•   Functionality changes have a wide range depending on their impact
    – Architecture or design changes
    – Business process impact
•   Web Application Firewalls
    – Train
    – Deploy
    – Manage
•   Doing nothing is always easy
    – In the short term at least…

15. Weigh Level of Protection
•   SDL: Fix security bugs the right way
•   That is nice, but not always appropriate (unfortunately)
•   Quantitative Risk Assessment
    – Challenging because of a lack of actuarial data
    – SLE – Single Loss Expectancy
    – ARO – Annual Rate of Occurrence
    – ALE – Annual Loss Expectancy
    – ROSI – Return on Security Investment
•   Qualitative Risk Assessment
    – Return to data classification, STRIDE, and DREAD
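As an added example that is not part of the deck, the quantitative figures of slide 15 (SLE, ARO, ALE, ROSI) worked through in Python for the remediation options of slide 13. Every dollar amount and occurrence rate below is a constructed assumption; the slide's own caveat about the lack of actuarial data applies to any real use.

```python
# Added example, not from the slides: ALE and ROSI worked through for the
# remediation options of slide 13. All figures below are constructed
# assumptions; the slide's caveat about missing actuarial data applies.


def ale(sle, aro):
    """Annual Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence."""
    return sle * aro


def rosi(ale_before, ale_after, annual_cost):
    """Return on Security Investment: loss avoided, net of the control's cost,
    per unit of cost. Negative means the control costs more than it saves."""
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive; 'do nothing' is the baseline")
    return (ale_before - ale_after - annual_cost) / annual_cost


def compare_options(sle, aro, options):
    """options maps option name -> (residual ARO after the control, annual cost).
    Returns [(name, ale_after, rosi)] sorted best ROSI first; the unremediated
    ALE ('do nothing') is the baseline every option is measured against."""
    baseline = ale(sle, aro)
    ranked = []
    for name, (aro_after, cost) in options.items():
        after = ale(sle, aro_after)
        ranked.append((name, after, rosi(baseline, after, cost)))
    return sorted(ranked, key=lambda row: row[2], reverse=True)


# Constructed figures for one finding in a customer-facing application.
SLE = 200_000.0   # assumed cost of a single successful exploitation
ARO = 0.5         # assumed: once every two years if nothing is done
OPTIONS = {
    "coding fix": (0.05, 20_000.0),  # low residual risk, developer time
    "WAF":        (0.15, 40_000.0),  # partial coverage, licence plus tuning
}

if __name__ == "__main__":
    print("do nothing ALE:", ale(SLE, ARO))
    for name, after, r in compare_options(SLE, ARO, OPTIONS):
        print(f"{name:12s} ALE after={after:10.0f}  ROSI={r:.2f}")
```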
16. Make Decision
•   Remember that the goal is to appropriately address risk

17. Prepare
•   Planning Game should have resulted in a remediation plan
    – What is going to be fixed and how?
•   Develop test plan to confirm the remediation worked after completion
•   Two types of testing
    – Positive
    – Negative

18. Positive Testing
•   “Do No Harm”
•   Make sure the application works for valid inputs before and after
•   Tests should pass before and pass after

19. Negative Testing
•   Make sure the remediation worked
•   Tests should fail before and succeed after

20. Automated Testing
•   Automate as much as possible
•   Reasons
    – Easier to test and re-test
    – Test scripts offer repeatable demonstration of behavior
•   Types
    – Web Application Scanners
    – Unit Testing
    – Acceptance Testing

21. Automated Testing: Web Application Scanners
•   Compare before and after results
•   Most modern application scanners will compare or trend results
•   Excellent choice if organizations have a scan template that is a “standard”

22. Automated Testing: Unit Testing
•   Frameworks:
    – JUnit: www.junit.org
    – NUnit: www.nunit.org

23. Automated Testing: Acceptance Testing
•   Frameworks
    – Web Application Tests In Ruby: wtr.rubyforge.org
    – Web Application Tests In Java: www.watij.com
    – Web Application Tests In .NET: watin.sourceforge.net
    – Perl Mechanize: search.cpan.org/dist/WWW-Mechanize

24. Remediation Testing Patterns
•   SQL Injection and Cross Site Scripting (XSS)
    – Fairly simple coding fixes
    – May be widespread
    – Before and after tests should be self explanatory
•   Authorization
    – Script access to pages with different roles
•   Parameter Tampering / Insecure Direct Object Reference
    – Testing will be data driven and specific to login
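An added example, not from the deck, of the positive/negative test pattern from slides 18 and 19 applied to the SQL injection coding fix of slide 24. It is written in Python against an in-memory SQLite database with constructed sample users; the "before" and "after" lookup functions and their names are assumptions standing in for the real application code.

```python
# Added example (not from the slides): before/after remediation tests for a
# SQL injection coding fix, following slides 18, 19 and 24.
# Positive test: must pass before AND after the fix ("do no harm").
# Negative test: must fail before and succeed after the fix.
import sqlite3


def make_db():
    """Constructed sample data: three users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def find_user_before(conn, name):
    """'Before' version: the query is built by string concatenation, so the
    supplied name is interpreted as SQL rather than as a data value."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_after(conn, name):
    """'After' version: parameterised query; the name is always a literal."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def positive_test(lookup):
    """Valid input returns exactly the matching row, before and after."""
    return lookup(make_db(), "bob") == [(2, "bob")]


def negative_test(lookup):
    """Input containing SQL metacharacters must match no user at all, because
    no user is literally named that way. Constructed test input, no real user."""
    return lookup(make_db(), "x' OR 'a'='a") == []


def run_remediation_tests():
    """Returns (before, after), each {'positive': bool, 'negative': bool}."""
    return (
        {"positive": positive_test(find_user_before),
         "negative": negative_test(find_user_before)},
        {"positive": positive_test(find_user_after),
         "negative": negative_test(find_user_after)},
    )
```

The expected pattern is the one the slides describe: the "before" code passes the positive test but fails the negative one, and the "after" code passes both.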
25. Remediate
•   Now you actually get to make changes
•   Often the easiest phase
•   Do not forget about change control
    – Tag or branch source code repositories
    – Note before/after versions for policies and procedures

26. Confirm
•   Run through test plan
•   Run automated tests
•   Capture the results
    – These will be used for reporting later
•   Separation of duties
    – One individual or team should remediate
    – Another individual or team should confirm that remediation was effective

27. Report
•   Who are the “clients” of the remediation?
    – Actual 3rd party client?
    – Security team
    – Internal/external audit
    – Executive sponsor
•   Different groups will have different needs and different reporting requirements
•   Repeatable output from automated scripts is often useful
•   Use source control to provide line-by-line change logs if necessary

28. Deploy
•   Deploying security remediation updates should be treated as any other significant release

29. Real World Concerns
•   Who is going to do the work?
•   How does remediation get prioritized alongside other efforts?

30. Real World Concerns
•   Who is going to do the work?
    – In house developers
        • Do they have the requisite security knowledge?
        • Is it possible to allocate their time (versus existing projects)?
    – 3rd party
        • Can they learn enough about the application?
        • How will they get access to the code and environment?

31. Real World Concerns
•   How does remediation get prioritized alongside other efforts?
    – Business decision for the organization
    – Often compliance or Service Level Agreement (SLA) issues making security remediation a priority

32. Process Improvement
•   “Those who cannot remember the past are doomed to repeat it” (George Santayana)
•   If an organization does not learn from their security mistakes they will repeat those security mistakes
•   What to learn from remediated vulnerabilities?
    – Do coding standards need to be updated to help protect against technical application vulnerabilities?
        • (Does the organization need coding standards?)
    – What activities in the SDLC would have helped prevent the injection of these vulnerabilities or would have caught them sooner?
        • Threat Modeling / Risk Assessment
        • Security code reviews

33. Thoughts and Conclusions
•   Application security remediation must be business-focused because there is never enough time to fix everything perfectly
•   Communication is essential – what is going to be fixed and under what conditions?
•   Understand the constituencies up front so appropriate documentation and confirmation occurs
•   Automate testing wherever possible to facilitate iterative development as well as create repeatable demonstrations of progress

34. Questions
Dan Cornell
dan@denimgroup.com
(210) 572-4400
Web: www.denimgroup.com
Blog: denimgroup.typepad.com