Penetration Testing versus Source Code Review


        1. Penetration Testing vs. Source Code Review

Within the domain of application security assessments there are several approaches
to choose from. The most common are black-box penetration testing, application
design review and source code review. More specialised techniques such as reverse
engineering or binary analysis can also be used in specific situations, for instance
when no source code is available. For the moment, let's focus on the two most common
approaches to application security assessment: penetration testing and source code
review.

Currently there is a debate within the information security community as to which
approach is better, with some participants going so far as to say that penetration
testing is dead! (ref).

With the experience of having performed hundreds of penetration tests and dozens of
source code reviews, I have come to the conclusion that each technique has its own
place. It is also extremely worthwhile for the developer and security communities to be
aware of the advantages and disadvantages of both techniques. In fact, in my
judgment a well-timed combination of both approaches can be extremely beneficial in
identifying and fixing security issues at the earliest possible stage.

Let's look at some of the issues that we have discovered in penetration tests which
would be nearly impossible to discover in a source code review.


Penetration Testing
Risk-based testing
Nowadays even penetration tests are becoming risk-based. This means that we spend
time learning about the client's business and the risks to that business through its
Internet-facing infrastructure, primarily web applications, in order to focus the
penetration testing work on those risks. A source code review does not reproduce this
approach, which requires building business-specific test cases (what would an attacker
with this business's goals actually try?) and then executing them against the running
system.

For example, during the penetration test of a local search engine website, the business
risk is not so much from cross-site scripting as from someone running repeated search
requests, downloading the HTML results and parsing them to recreate the underlying
database: essentially an online data-mining attack. No individual request is malformed,
so there is nothing in the code for a reviewer to flag; the weakness is the absence of
rate limits and query quotas, and it only becomes visible when the application is
exercised the way an attacker would use it.
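As an added example (not part of the original text), here is the kind of detection a pen-test finding like this leads to: a script that parses web-server access logs in Common Log Format and flags clients that walk through an unusually large number of distinct search terms within a short window. The log lines, the /search path, the q parameter and the thresholds are constructed assumptions for this example, not taken from any real site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Common Log Format: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["path"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": url.path,
        "query": parse_qs(url.query),
    }


def find_scrapers(lines, search_path="/search", window=timedelta(minutes=5),
                  max_distinct_terms=50):
    """Return {ip: distinct_terms} for clients that issued more than
    max_distinct_terms *different* search terms inside any `window`.

    Distinct terms, not raw request count, is the signal: a user who refreshes
    one result page many times is not harvesting the database; a client that
    walks through hundreds of different terms is. Thresholds are assumptions
    to be tuned per site.
    """
    per_ip = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        if r and r["path"] == search_path and "q" in r["query"]:
            per_ip[r["ip"]].append((r["ts"], r["query"]["q"][0]))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):            # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({term for _, term in events[start:end + 1]})
            if distinct > max_distinct_terms:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


def sample_log():
    """Constructed log: one harvesting client and one ordinary user."""
    base = datetime(2010, 2, 6, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET /search?q={q} HTTP/1.1" 200 5120'

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = [fmt.format(ip="203.0.113.7", ts=stamp(2 * i), q=f"term{i:04d}")
             for i in range(120)]                 # a new term every 2 s
    ordinary = ["pizza", "pizza", "sushi", "sushi", "thai", "pizza"]
    lines += [fmt.format(ip="198.51.100.9", ts=stamp(30 * i), q=q)
              for i, q in enumerate(ordinary)]    # a few searches, some repeated
    return lines


if __name__ == "__main__":
    print(find_scrapers(sample_log()))            # {'203.0.113.7': 120}
```

Only the harvesting client is reported. A determined harvester will spread requests across many source addresses and slow them down, so a per-client count like this is a first filter that feeds rate limiting and query quotas, not a complete defence; the point is that the control is only worth building once a risk-based test has shown that bulk extraction, not XSS, is what hurts this business.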

Similarly, while pen-testing an ERP system, the emphasis would not be so much on
unpatched vulnerabilities as on executing attacks that simulate financial fraud. For
instance, can we violate the existing access controls so as not only to accept vendor
quotations but also to approve the selected vendor, under the guise of another user?
Privilege escalation and separation-of-duties failures of this kind are of far greater
consequence here than routine SQL injection and cross-site scripting findings.
Confidential                                                                      Page 1
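To make the ERP scenario concrete, here is an added example (not code from the original document or from any ERP product): a hypothetical in-memory quotation workflow in two versions, one that authenticates the caller but trusts an acting_as field from the request body, and one that derives every authorization decision from the server-side session and enforces separation of duties. run_fraud_scenario drives the business-rule tests a risk-based penetration test would execute against each. All users, roles and quotations are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set


class Forbidden(Exception):
    """Raised when the workflow refuses an action."""


@dataclass
class Quotation:
    qid: int
    vendor: str
    accepted_by: Optional[str] = None
    approved_by: Optional[str] = None


@dataclass
class Session:
    """Server-side session: the only trustworthy source of identity and roles."""
    user: str
    roles: Set[str]


# Constructed users: two buyers and one user who holds both roles.
USERS = {
    "alice": Session("alice", {"buyer"}),
    "bob": Session("bob", {"buyer"}),
    "carol": Session("carol", {"buyer", "approver"}),
}


class VulnerableWorkflow:
    """Authenticates the caller but authorizes nothing, and honours an
    'acting_as' field from the request, so identity is client-controlled."""

    def __init__(self):
        self.quotes = {}

    def accept(self, session, qid, acting_as=None):
        q = self.quotes[qid]
        q.accepted_by = acting_as or session.user
        return q

    def approve(self, session, qid, acting_as=None):
        q = self.quotes[qid]
        q.approved_by = acting_as or session.user
        return q


class HardenedWorkflow:
    """acting_as is ignored; roles come from the session; a quotation must be
    accepted before approval; the acceptor may never be the approver."""

    def __init__(self):
        self.quotes = {}

    def accept(self, session, qid, acting_as=None):
        if "buyer" not in session.roles:
            raise Forbidden("accept requires the buyer role")
        q = self.quotes[qid]
        if q.accepted_by is not None:
            raise Forbidden("quotation already accepted")
        q.accepted_by = session.user
        return q

    def approve(self, session, qid, acting_as=None):
        if "approver" not in session.roles:
            raise Forbidden("approve requires the approver role")
        q = self.quotes[qid]
        if q.accepted_by is None:
            raise Forbidden("quotation not yet accepted")
        if q.accepted_by == session.user:
            raise Forbidden("separation of duties: acceptor may not approve")
        q.approved_by = session.user
        return q


def _succeeds(action):
    try:
        action()
        return True
    except Forbidden:
        return False


def run_fraud_scenario(workflow_cls):
    """Drive the business-rule tests a risk-based pen-test would execute and
    report which of them the workflow allowed."""
    wf = workflow_cls()
    for qid in range(1, 5):
        wf.quotes[qid] = Quotation(qid, "ACME Ltd")   # constructed sample data
    alice, bob, carol = USERS["alice"], USERS["bob"], USERS["carol"]

    # 1. bob (buyer only) accepts quotation 1, then tries to approve it himself
    wf.accept(bob, 1)
    buyer_self_approves = _succeeds(lambda: wf.approve(bob, 1))
    # 2. bob accepts quotation 2 "as alice" via a client-controlled field, then
    #    approves it under his own name, hiding who really did what
    impersonation = _succeeds(lambda: (wf.accept(bob, 2, acting_as="alice"),
                                       wf.approve(bob, 2)))
    # 3. carol holds both roles: she accepts quotation 3 and approves her own acceptance
    approver_self_approves = _succeeds(lambda: (wf.accept(carol, 3),
                                                wf.approve(carol, 3)))
    # 4. the legitimate path (alice accepts, carol approves) must keep working
    legitimate = _succeeds(lambda: (wf.accept(alice, 4), wf.approve(carol, 4)))

    return {"buyer_self_approves": buyer_self_approves,
            "impersonation_via_request_field": impersonation,
            "approver_self_approves": approver_self_approves,
            "legitimate_path": legitimate}


if __name__ == "__main__":
    print("vulnerable:", run_fraud_scenario(VulnerableWorkflow))
    print("hardened:  ", run_fraud_scenario(HardenedWorkflow))
```

Against the vulnerable workflow all four steps succeed; against the hardened one only the legitimate path does. None of the three fraud steps involves a malformed input, which is why a scanner looking for injection will not find them: the tester has to know that "accept" and "approve" must be different people and try to be both.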


Faulty search engine indexing
During a recent penetration test we found a search function on the web application,
and upon entering interesting words such as "password" and "administrator", some very
interesting documents were revealed. Upon further searching we discovered that the
terms ".jpg" and ".bmp" revealed scanned copies of customers' personal information,
such as driving licences and passport copies. Again, it is difficult to imagine a source
code review discovering these sorts of issues.

Weak Authentication Mechanisms
While static source code analysis tools would be able to discover weak authentication
schemes (pages which allow access without authentication), specific issues such as
weak CAPTCHA implementations, or a web application that allows short and weak
passwords to be chosen, are found more easily in a penetration test than in an
automated source code review. A manual source code review would possibly be able to
discover these flaws. Similarly, the ability to enumerate valid users because the login
form returns different error messages (one when the username is unknown, another
when the password is wrong) is easily discovered in a penetration test: submit a wrong
password for a list of candidate usernames and compare the responses. Response timing
can leak the same information even when the messages are identical.
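As an added example, not part of the original document: a hypothetical login handler in a vulnerable and a hardened form, plus the black-box probe a tester uses to detect the oracle. The account, salt, messages and candidate usernames are constructed for the example.

```python
import hashlib
import hmac
import os

_SALT = os.urandom(16)                      # one salt for the whole demo (real systems: per user)


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)


# Constructed user store with a single real account.
_USERS = {"alice": _hash("correct horse battery")}
# Dummy hash verified when the username is unknown, so both paths cost the same.
_DUMMY = _hash("not a real password")


def login_vulnerable(username, password):
    stored = _USERS.get(username)
    if stored is None:
        return "Unknown username"           # oracle: account does not exist
    if not hmac.compare_digest(stored, _hash(password)):
        return "Incorrect password"         # oracle: account exists
    return "OK"


def login_hardened(username, password):
    known = username in _USERS
    stored = _USERS[username] if known else _DUMMY
    matched = hmac.compare_digest(stored, _hash(password))   # always computed
    if known and matched:
        return "OK"
    return "Invalid username or password"   # one message for both failures


def probe(login, candidates, wrong_password="definitely-wrong"):
    """Black-box enumeration check: send a wrong password for each candidate
    username and group the names by the response text."""
    by_response = {}
    for name in candidates:
        by_response.setdefault(login(name, wrong_password), []).append(name)
    return by_response


def enumerates(login, candidates):
    """True when the responses partition the candidates, i.e. the form tells
    valid usernames from unknown ones."""
    return len(probe(login, candidates)) > 1


if __name__ == "__main__":
    names = ["alice", "bob", "mallory"]
    print(probe(login_vulnerable, names))   # two groups: alice separated out
    print(probe(login_hardened, names))     # one group: nothing learned
```

The hardened version computes a PBKDF2 hash on every path, including for unknown usernames, because a response that is identical in text but returns much faster when the account does not exist is still an oracle; a thorough test measures response times as well as comparing bodies. The same probe applies to "forgot password" and registration forms, which leak the same information more often than the login page does.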

In another instance we discovered that credit card numbers were being displayed in
plaintext. An automated source code review failed to reveal these issues.

{Other points yet to work on:
       Configuration issues with the web server and the operating system
       Manipulation of business rules, such as transaction-processing controls being
       violated in web-based ERPs
       Source code not being available, which of course means penetration testing is the
       only option
       Where it is a regulatory requirement, such as for Internet banking}


Source Code Reviews

Code review is the systematic examination of computer source code, intended to find and
fix mistakes and security vulnerabilities overlooked in the initial development phase,
improving both the overall quality of the software and the developers' skills.

Broadly, source code reviews find two classes of error:




Implementation errors: these code-level defects are fairly atomic and typically stand
alone: each is identified and remediated on its own. They are caused by bad or "loose"
programming practices. Examples include buffer overflows, which result from
mismanagement of memory, and race conditions, which result from call-timing
mismatches (a check and the action that depends on it not being performed atomically).

Design errors: these include the failure to use, or to implement adequately,
security-related functions: authentication, encryption, the use of insecure third-party
components, and validation of data input and application output. Fixing a design error
usually touches more than one place in the code.

Source code reviews can be done in two ways: manual or automated. Even manual reviews
cannot look at every line of code; instead they identify the security-critical functions
(authentication, authorization, data access, input handling) and review those. An
automated source code review follows data from untrusted sources to dangerous sinks
through the call tree, and offers the following distinct advantages over a penetration
test:

       Unlike PT, it is a white-box approach to testing the application: the reviewer
       sees why a flaw exists, not only that it exists.
       It identifies weak encryption algorithms, or weak use of strong ones, such as
       choosing a short key length or storing the key insecurely (for example
       hard-coded in the source or in a readable configuration file).
       It finds a far more complete set of the possible cross-site scripting and SQL
       injection vulnerabilities, because every path from an input to a sink is visible,
       whereas a penetration test only exercises the pages and parameters the tester
       reached; both manual and automated pen-testing miss some of them. The caveat is
       false positives: a static tool cannot always tell whether a sanitiser on the path
       is adequate, so its findings still need manual confirmation.
       It gets down to the root function that is vulnerable. A pen-test will typically
       identify the web page or form that is vulnerable, but a source code review will
       drill down to the common function or module which, when fixed, resolves
       multiple security issues at once, providing a tremendous saving in time and
       cost.
       With source code review embedded into IDEs, developers can identify and fix
       security issues almost immediately, which tremendously reduces the cost of
       fixing application security issues.
       SCR can also check whether secure coding practices and other development
       standards have been followed.
       In a black-box PT the tester might miss certain vulnerabilities altogether, for
       instance in code paths that are only reachable under conditions the tester never
       triggered. This is much less likely in SCR, since the whole source is in front of
       the reviewer.
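As an added example of the "root function" point, not code from the original document or from any commercial tool: a small call-tree scan written with Python's ast module. It treats .execute() as an SQL sink, promotes any function that forwards one of its own parameters straight into a sink to a sink itself, flags every call that hands a dynamically built string to a sink, and lists the functions (the "pages") from which each flagged root is reachable. The sample module it scans is constructed for the example.

```python
import ast
from collections import defaultdict

# Constructed sample module: one helper that reaches the database, several
# callers, two of which build SQL by string formatting.
SAMPLE = '''
import sqlite3

def run(sql, *params):
    conn = sqlite3.connect(":memory:")
    return conn.execute(sql, params)

def find_user(name):
    return run("SELECT * FROM users WHERE name = '%s'" % name)

def find_orders(user_id):
    return run(f"SELECT * FROM orders WHERE uid = {user_id}")

def find_by_email(email):
    return run("SELECT * FROM users WHERE email = ?", email)

def search_page(q):
    return find_user(q)

def report_page(uid):
    return find_orders(uid)
'''


def _is_dynamic_string(node):
    """True when the expression assembles a string at runtime."""
    if isinstance(node, ast.JoinedStr):                              # f"... {x}"
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return any(isinstance(s, ast.Constant) and isinstance(s.value, str)
                   for s in (node.left, node.right))                 # "..." % x, "..." + x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                            # "...".format(x)
    return False


def _callee(call):
    f = call.func
    return f.id if isinstance(f, ast.Name) else f.attr if isinstance(f, ast.Attribute) else None


def _transitive_callers(name, callers):
    seen, stack = set(), [name]
    while stack:
        for c in callers.get(stack.pop(), ()):
            if c not in seen:
                seen.add(c)
                stack.append(c)
    return sorted(seen)


def analyse(source):
    """Report each function that hands a dynamically built string to an SQL
    sink, together with every function from which it is reachable."""
    tree = ast.parse(source)
    funcs = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}

    callers = defaultdict(set)                     # callee -> {functions calling it}
    for name, fn in funcs.items():
        for node in ast.walk(fn):
            if isinstance(node, ast.Call) and _callee(node):
                callers[_callee(node)].add(name)

    # Sinks: .execute(), plus any function that forwards one of its own
    # parameters as the first argument of a sink (repeat until no change).
    sinks = {"execute"}
    changed = True
    while changed:
        changed = False
        for name, fn in funcs.items():
            params = {a.arg for a in fn.args.args}
            for node in ast.walk(fn):
                if (name not in sinks and isinstance(node, ast.Call)
                        and _callee(node) in sinks and node.args
                        and isinstance(node.args[0], ast.Name)
                        and node.args[0].id in params):
                    sinks.add(name)
                    changed = True

    findings = []
    for name, fn in funcs.items():
        for node in ast.walk(fn):
            if (isinstance(node, ast.Call) and _callee(node) in sinks
                    and node.args and _is_dynamic_string(node.args[0])):
                findings.append({"root": name, "line": node.lineno,
                                 "reachable_from": _transitive_callers(name, callers)})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print(f)
```

Running it on SAMPLE reports find_user (reachable from search_page) and find_orders (reachable from report_page) and stays silent on find_by_email, which is parameterised. A black-box test would report two vulnerable pages; the scan reports the two functions that need fixing, and the reader can see that both go through the same helper, run, which the scan has classified as a sink: giving run a parameterised-only interface closes the whole class at once. The heuristic is deliberately simple (it does not follow strings through intermediate variables or across modules), which is exactly the kind of gap that makes automated findings need manual confirmation.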

{Other points yet to be added here in support of source code reviews}





nullcon 2010 - Penetration Testing versus Source Code Review
