Application Software Security Testing

Is Software Security REALLY a Problem?

What’s the Fuss about Application Security?

Consensus Audit Guidelines (CAG)
CAG’s Three Guiding Principles:
Defenses must address most damaging attack activities.
Defenses should be automated where possible, and periodically or continuously measured.
Activities should produce a more consistent defense
Twenty critical controls comprise the SANS-CAG.

Real-Time Auditing for SANS Consensus Audit Guidelines (CAG)
7.) Application Software Security Control
Application software that is developed in-house must be developed in a manner to limit the possibility of vulnerabilities from programming errors that have been identified as common causes of security exposures. Third party libraries or other software that are used in the development process must be scanned to ensure they do not contain known vulnerabilities.

CWE 2009/SANS 25 Most Dangerous Programming Errors
Most of these errors are not well understood by programmers;
their avoidance is not widely taught by computer science programs;
and their presence is frequently not tested by organizations.
Protecting Your Web Apps: Two Big Mistakes,
Input-validation and Output Filtering Code,
and 12 Practical Tips to Avoid Them

Principles of Secure Development Application Security Maturity (ASM)
Published by (IN)SECURE Magazine, Issue 21, 6/2009, p.71

Principles of Secure Development Mapped to Vulnerabilities

SafeCode - Fundamental Practices for Secure Development
Minimize unsafe function use
Use the latest compiler toolset
Use static and dynamic analysis tools
Manual code review
Validate input and output
Use anti-cross site scripting libraries
Use canonical data formats
Avoid string concatenation for dynamic SQL
Eliminate weak cryptography
Use logging and tracing
Keep Web browsers, browser add-ons, and desktop software up to date. Always run the latest browser version.

Recommendations
Test in-house Applications in AIM Environment
Application Security Testing Tools:
Nessus for Web Application Testing
W3AF - Web Application Attack and Audit Framework
Samurai Web Testing Framework
OWASP Project: (CAL9000, OWASP Top 10, WebGoat)
HPDevinspect, HPQAInspect, HPWebInspect

References
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1348908,00.html
http://www.tenablesecurity.com/whitepapers/tenable_SANS-CAG_compliance.pdf
http://www.sans.org/cag/guidelines.php
http://cwe.mitre.org/top25/
http://www.sans.org/info/39723
http://www.securityninja.co.uk/blog/?p=132
http://www.net-security.org/dl/insecure/INSECURE-Mag-21.pdf
http://blog.tenablesecurity.com/2009/07/presentation-using-nessus-in-web-application-testing-presentation-using-nessus-in-web-application-testing.html
http://sourceforge.net/projects/w3af/files/
http://samurai.inguardians.com/
http://www.owasp.org/index.php/Category:OWASP_Project
http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
http://irongeek.com/
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
https://h10078.www1.hp.com/cda/hpdc/fetchPDF.do
http://www.safecode.org/publications/SAFECode_Dev_Practices1108.pdf

Security Investment in the wrong place
The End

Application Software Security Testing

by James De Rienzo on Jun 29, 2011

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 2

Statistics

Application Software Security Testing Presentation Transcript