Application Software Security Testing
Author: James W. De Rienzo
Date: August 2009

Transcript

  • 1. Is Software Security REALLY a Problem?
  • 2. What’s the Fuss about Application Security?
  • 3. Consensus Audit Guidelines (CAG)
    CAG’s Three Guiding Principles:
    Defenses must address most damaging attack activities.
    Defenses should be automated where possible, and periodically or continuously measured.
    Activities should produce a more consistent defense.
    Twenty critical controls comprise the SANS-CAG.
  • 4. Real-Time Auditing for SANS Consensus Audit Guidelines (CAG)
    7.) Application Software Security Control
    Application software that is developed in-house must be developed in a manner to limit the possibility of vulnerabilities from programming errors that have been identified as common causes of security exposures. Third party libraries or other software that are used in the development process must be scanned to ensure they do not contain known vulnerabilities.
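    The second sentence of control 7, scanning third-party libraries for known vulnerabilities, is usually operationalized as a build step that compares every pinned dependency against an advisory list. The Python below is an added example written for this page, not part of the deck or of any SANS or Tenable tool; the advisory entries, the manifest, and the package names are all constructed so the script runs offline, and the only real policy it encodes is the one the control implies: an unpinned dependency cannot be checked, so it fails the build.

```python
import re

# Constructed advisory list for this example: (package, first vulnerable
# version, first fixed version). Made-up entries, not real advisories.
ADVISORIES = [
    ("examplelib", (1, 0, 0), (1, 2, 5)),
    ("toyjson", (0, 0, 0), (2, 0, 0)),
]

# Constructed pip-style manifest of pinned dependencies.
MANIFEST = """\
examplelib==1.2.3   # vulnerable: 1.0.0 <= 1.2.3 < 1.2.5
toyjson==2.1.0      # fixed release, not flagged
otherlib==0.9.1     # no advisory on file
"""


def parse_version(text):
    """Turn '1.2.3' into a comparable (1, 2, 3) tuple, padding to 3 parts."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_manifest(text):
    """Map package name -> version; reject anything not pinned with '=='.
    An unpinned requirement cannot be checked against advisories."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)", line)
        if not m:
            raise ValueError("unpinned or unparsable requirement: %r" % line)
        deps[m.group(1).lower()] = parse_version(m.group(2))
    return deps


def manifest_is_pinned(text):
    """True if every requirement in the manifest is pinned to an exact version."""
    try:
        parse_manifest(text)
        return True
    except ValueError:
        return False


def find_vulnerable(deps, advisories=ADVISORIES):
    """Return (name, installed, fixed_in) for each dependency whose version
    lies in an advisory's vulnerable range [first_bad, fixed_in)."""
    hits = []
    for name, first_bad, fixed_in in advisories:
        installed = deps.get(name.lower())
        if installed is not None and first_bad <= installed < fixed_in:
            hits.append((name, installed, fixed_in))
    return hits


def scan(manifest_text, advisories=ADVISORIES):
    """Parse the manifest and return the list of vulnerable dependencies."""
    return find_vulnerable(parse_manifest(manifest_text), advisories)


if __name__ == "__main__":
    for name, installed, fixed_in in scan(MANIFEST):
        print("%s %s is vulnerable; upgrade to %s or later" % (
            name, ".".join(map(str, installed)), ".".join(map(str, fixed_in))))
```

Real scanners replace the constructed advisory list with a feed such as the vendor's or a public vulnerability database and handle richer version syntax, but the decision logic is the same range comparison shown here.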
  • 5. 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
    Most of these errors are not well understood by programmers;
    their avoidance is not widely taught by computer science programs;
    and their presence is frequently not tested by organizations.
    Protecting Your Web Apps: Two Big Mistakes,
    Input-validation and Output Filtering Code,
    and 12 Practical Tips to Avoid Them
  • 6. Principles of Secure Development Application Security Maturity (ASM)
    Published by (IN)SECURE Magazine, Issue 21, 6/2009, p.71
  • 7. Principles of Secure Development Mapped to Vulnerabilities
  • 8. SafeCode - Fundamental Practices for Secure Development
    Minimize unsafe function use
  • 9. Use the latest compiler toolset
  • 10. Use static and dynamic analysis tools
  • 11. Manual code review
  • 12. Validate input and output
  • 13. Use anti-cross-site scripting libraries
  • 14. Use canonical data formats
  • 15. Avoid string concatenation for dynamic SQL
  • 16. Eliminate weak cryptography
  • 17. Use logging and tracing
    Keep Web browsers, browser add-ons, and desktop software up to date. Always run the latest browser version.
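    Practices 12 through 15 and 17 are easiest to see side by side in one request handler. The Python below is an added example written for this page, not SafeCode's or the deck author's code; the table, the sample rows, the allow-list regex and the function names are constructed. The concatenated lookup is kept only to show what practice 15 warns against: it fails on a legitimate name containing an apostrophe for exactly the reason it would misbehave on hostile input, because the data is parsed as SQL. The bound-parameter version handles the same name correctly.

```python
import html
import logging
import re
import sqlite3
import unicodedata

# Names, schema and sample rows are constructed for this example.
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("appsec-demo")

# Practice 12 (validate input): allow-list of what a user name may contain.
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9._'-]{0,31}$")


def canonicalize_username(raw):
    """Practice 14 (canonical data formats): normalise Unicode and case
    before validating, so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", raw).strip().lower()


def validate_username(raw):
    """Return the canonical name, or None if it fails the allow-list.
    Rejections are logged (practice 17) so operators can see abuse."""
    name = canonicalize_username(raw)
    if not USERNAME_RE.fullmatch(name):
        log.warning("rejected user name %r", raw)
        return None
    return name


def make_db():
    """Constructed in-memory table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("o'brien", "obrien@example.com"),
    ])
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """What practice 15 says NOT to do: the query text is built by string
    concatenation, so the data is parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def concat_query_fails(conn, name):
    """True if the concatenated query cannot even be parsed for this input."""
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def lookup_param(conn, name):
    """Practice 15 followed: the name travels as a bound parameter and is
    never interpreted as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_email_cell(email):
    """Practice 13 (output filtering): encode before emitting into HTML so
    data from the database cannot become markup."""
    return "<td>%s</td>" % html.escape(email, quote=True)


def handle_request(conn, raw_name):
    """End to end: validate, canonicalize, query safely, encode output."""
    name = validate_username(raw_name)
    if name is None:
        return "<td>invalid user name</td>"
    rows = lookup_param(conn, name)
    if not rows:
        return "<td>no such user</td>"
    return render_email_cell(rows[0][1])


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "Alice"))
    print(handle_request(db, "O'Brien"))
    print(handle_request(db, "<script>"))
    print("concatenated query breaks on o'brien:", concat_query_fails(db, "o'brien"))
```

The order matters: canonicalize, then validate, then query with bound parameters, then encode at the point of output. Validation alone is not a substitute for parameterization, and parameterization does nothing for the HTML step, which is why the practices are listed separately.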
  • 18. Recommendations
    Test in-house Applications in AIM Environment
    Application Security Testing Tools:
    Nessus for Web Application Testing
    W3AF - Web Application Attack and Audit Framework
    Samurai Web Testing Framework
    OWASP Project: (CAL9000, OWASP Top 10, WebGoat)
    HP DevInspect, HP QAInspect, HP WebInspect
  • 19. References
    http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1348908,00.html
    http://www.tenablesecurity.com/whitepapers/tenable_SANS-CAG_compliance.pdf
    http://www.sans.org/cag/guidelines.php
    http://cwe.mitre.org/top25/
    http://www.sans.org/info/39723
    http://www.securityninja.co.uk/blog/?p=132
    http://www.net-security.org/dl/insecure/INSECURE-Mag-21.pdf
    http://blog.tenablesecurity.com/2009/07/presentation-using-nessus-in-web-application-testing-presentation-using-nessus-in-web-application-testing.html
    http://sourceforge.net/projects/w3af/files/
    http://samurai.inguardians.com/
    http://www.owasp.org/index.php/Category:OWASP_Project
    http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
    http://irongeek.com/
    http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
    https://h10078.www1.hp.com/cda/hpdc/fetchPDF.do
    http://www.safecode.org/publications/SAFECode_Dev_Practices1108.pdf
  • 20. Security Investment in the wrong place
    The End