In the software industry, building a secure application or product is a basic necessity. Security testing is not only about hacking; it can be approached in a structured manner. This presentation shows how to incorporate security into the different phases and aspects of software development.
7. Background
Have food industry background
Known network of food critics
Business and Investment numbers
Start-up
Venture capital investment: ~$10mn
Number of employees: 50
Hired contractors for development
Application strategy
Food critics write and read reviews
In the future, plans to extend ads to hotels for revenue
Critical assets
Customers (food critics)
Credibility
13. Phases in our delivery lifecycle
Inception (Business Feasibility Study and Requirement Gathering)
Design thinking and tech analysis
Development
Testing
Release
16. High-level Threat modeling
Structured, shared understanding of what could go wrong
Incorporate security thinking throughout our software delivery
Vocabulary to record and talk about possible threats
Understand the security threats that your client is facing
Understand the stakeholders’ concerns
36. Assets
● Reputation, credibility
● Investors Info
● Application
● Servers
● Code
● Reviews
● Customer data
● Audit/financial data
Attackers
● Business competitors
● Application user
● Hotel owners
● Investor’s competitors
● Hotel’s competitors
● Hackers
● Firewall
● Delivery team
(Sample List)
46. More terminologies
Mitigation: Ways to counterbalance a threat
Vulnerability: An un-mitigated or insufficiently mitigated threat
Risk: An onset of a threat on a vulnerability
[Diagram: Threat, Vulnerability, Mitigation]
48. Our Risk Magic Quadrant (examples)
[Quadrant axes: Probability vs. Impact]
● Application user giving unfair reviews
● Application user misusing customer data
● Hotel owner changing reviews in favor of themselves
● Business competitors bringing down reputation and credibility
● Hackers bring down reputation and credibility
● Firewall brings down the server
● Business competitors catching hold of investment details
● Employees disclosing customer data
51. Application Threat Modeling
Structured, shared understanding of what could go wrong in identified threats
Incorporate security thinking into user stories and design
Threat awareness for the delivery team
Understand protection mechanisms
But first: in what ways can attackers attack?
53. Application Threat Modeling: Attack Trees
Goal: Open safe
Ways:
● Break open
● Pick lock
● Learn combination
  ● Find written combination
    ● Look into emails/chats
    ● Look into personal diary/notebooks
    ● Check notes in laptop
  ● Get combination from someone
    ● Social engineering
    ● Phishing
54. What will bring Our business down?
Lose Customers
Lose Credibility
Targeted Marketing - By Competitors
Unrelated/Unfair reviews
Competitors release attractive features before YourFeedback.com
Application is not usable.
Application is not performing as expected.
Illegitimate/Offensive content posted on the site.
Business owners have lost personal credibility.
Has been proved to be hacked at least once.
55. Let's see how one of those goals can be achieved by an attacker
56. Attack threats for you to pick up
Display unreliable reviews
Make application unusable for users
Offensive/illegitimate content posted on the sites
Targeted marketing (by competitors/hotel owners)
Competitors release attractive features before us
Application is not performing as expected for business
57. Make the App not usable by user
Goal: Make the App not usable
● Existing users are not able to login
● Redirect to another website
● Bring the server down
● Change password
● Delete user
● Creating too much load
● Sending too many asynchronous calls
● Hide content on page load
● Stop users from viewing/reading content of website
● Show popup on page load
● Getting access to DB server
● Show pop up on any click
● Make website/browser too slow
● Access the DB through application
● Creating load on database
● Show irrelevant content on top of actual page content
● Running too many scripts on page load
58. Display unreliable reviews
Goal: Display unreliable reviews
● Login as existing member
● Phishing
● Change directly in database
● Bypass login
● Social engineering
● Find password
● Add new member
● Bug in login
● Get password
● Post wrong reviews
59. Offensive/illegitimate content posted on the sites
Goal: Offensive/illegitimate content posted on the sites
● Offensive content in the review section
● Run a script with offensive images
● Login as existing user and post review
● Add a new user and post review
● Add offensive content and image in the information PDF
● Load illegitimate image on page load
● Get password
● Bug in login
● Get access to DB server
60. Targeted marketing (by competitors/hotel owners)
Goal: Targeted marketing
● Capture attention by ads
● Call/email customers directly
● Get customer info
● Post ads in our feedback app
● Get customers to visit competitor's sites
● Social engineering
61. Competitors market new attractive features before Yourfeedback.com
Goal: Competitors market new features before Yourfeedback.com
● Get access to staging or pre-prod environment
● Get access to project management system
● Accessing development branch to get active code
70. Path Traversal
Access or execute command on restricted directories or files
Outside the web root folder
a.k.a. ‘dot-dot-slash’, ‘directory traversal’, ‘directory climbing’ or ‘backtracking’
72. Let’s test
Goal: Make the App not usable
● Existing users are not able to login
● Redirect to another website
● Bring the server down
● Change password
● Delete user
● Creating too much load
● Sending too many asynchronous calls
● Hide actual page content on page load
● Stop users from viewing/reading content of website
● Show popup on page load
● Getting access to DB server
● Show pop up on any click
● Make website/browser too slow
● Access the DB from the application
● Creating load on database
● Show irrelevant content on top of actual page content
● Running too many scripts on page load
76. Mitigations/Suggestions
SQL Injection:
● Input validation, e.g. use of an ORM
● Limit database permissions
● Configure error reporting
Path Traversal:
● Use a search function instead of appending from the URL
XSS:
● CSP (Content Security Policy)
● Use auto-escaping
● Input validation
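The path traversal mitigation above ("search function instead of appending from the URL") can be seen side by side with the unsafe pattern it replaces. This is an added example, not code from the presentation or from YourFeedback.com: the web root, the file names and the `PUBLIC_FILES` allow-list are constructed, and a second mitigation (resolving the path and checking it stays under the web root) is shown for comparison.

```python
"""Path traversal: the unsafe pattern beside two mitigations (added example)."""
import tempfile
from pathlib import Path

# Constructed allow-list for the "search function" approach: the URL carries a
# key and the server decides which file that key maps to. Hypothetical names.
PUBLIC_FILES = {"menu": "menu.pdf", "guide": "critic_guide.pdf"}


def unsafe_resolve(web_root: Path, requested: str) -> Path:
    """Appends the URL parameter to the web root with no check; '../' escapes it."""
    return (web_root / requested).resolve()


def contained_resolve(web_root: Path, requested: str) -> Path:
    """Resolves the path (symlinks included) and refuses anything outside web_root."""
    root = web_root.resolve()
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"{requested!r} escapes the web root")
    return candidate


def lookup_resolve(web_root: Path, key: str) -> Path:
    """Never builds a path from user input: unknown keys are simply not found."""
    try:
        return web_root.resolve() / PUBLIC_FILES[key]
    except KeyError:
        raise FileNotFoundError(f"no public file for key {key!r}") from None


def demo() -> dict:
    """Runs the three resolvers against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "public"
        root.mkdir()
        (root / "menu.pdf").write_text("menu")
        # A constructed config file one level above the web root.
        (base / "app.cfg").write_text("db_password=constructed")
        result = {
            "unsafe_escapes": unsafe_resolve(root, "../app.cfg").read_text(),
            "contained_ok": contained_resolve(root, "menu.pdf").name,
            "lookup_ok": lookup_resolve(root, "menu").name,
        }
        for fn in (contained_resolve, lookup_resolve):
            try:
                fn(root, "../app.cfg")
                result[fn.__name__] = "allowed"
            except (PermissionError, FileNotFoundError):
                result[fn.__name__] = "blocked"
        return result
```

The unsafe resolver happily reads the file above the web root, while both mitigations reject the same request; the allow-list variant is the stronger of the two because user input never becomes part of a filesystem path at all.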
77. Tool Examples
Zed Attack Proxy
BurpSuite
IronWASP
Fiddler
TamperData
Websecurify
XSS Me, SQL Inject Me etc.
We often approach security as a reactive measure. The idea is to be proactive and prevent security issues, instead of detecting them.
Pen-testing is not enough.
Security seems to be a big beast. Need a proper perspective.
Problems such as:
● Where do you start 'hacking'?
● Have you done enough security testing?
● You found a bug, but on what parameters do you prioritise it?
This is not the only way of approaching security
Business background: start-up; venture capital investment; investment amount: $10mn; number of employees: 50.
Strategy: Food critics are influenced by the network they respect, though they are highly opinionated people themselves.
future ideas
Critical assets
Biggest risks foreseen for business : Lose customers, lose credibility
Features and functionalities
User scenarios
Do we have any mandatory or optional participants?
profiling an attacker’s characteristics, skill-set, and motivation to exploit vulnerabilities
Write the threats in stickies
For reference
Could also use a Risk register
Do we have any mandatory or optional participants?
Discuss examples for each.
This is not the only complete solution, and it is not a taxonomy.
Examples:
Threat #1 A malicious user views or tampers with personal profile data en route from the Web server to the client or from the client to the Web server. (Tampering with data/Information disclosure)
Threat #2 A malicious user views or tampers with personal profile data en route from the Web server to the COM component or from the component to the Web server. (Tampering with data/Information disclosure)
Threat #3 A malicious user accesses or tampers with the profile data directly in the database. (Tampering with data/Information disclosure)
Threat #4 A malicious user views the Lightweight Directory Access Protocol (LDAP) authentication packets and learns how to reply to them so that he can act "on behalf of" the user. (Spoofing identity/Information disclosure/Elevation of privilege [if the authentication data used is that of an administrator])
Threat #5 A malicious user defaces the Web server by changing one or more Web pages. (Tampering with data)
Threat #6 An attacker denies access to the profile database server computer by flooding it with TCP/IP packets. (DoS)
Threat #7 An attacker deletes or modifies the audit logs. (Tampering with data/Repudiation)
Threat #8 An attacker places his own Web server on the network after killing the real Web server with a distributed DoS attack. (Spoofing identity; in addition, a particularly malicious user could instigate all threat categories by stealing passwords or other authentication data, deleting data, and so on.)
Spend 5 mins familiarising with the app
Example for sql injection
Add slides for sql, xss, path traversal, zap
Notes:
Existing users cannot login - SQL injection to update password/delete user from login page.
Delete users - How do you know the users? "Let's hold on to it till we get into the app..." Then, when we are in, we can script the UNION query and tell them "Now you know all the users."
Create load on DB - Insert huge number of rows in DB.
JS - Once logged in, create persistent XSS to do all of the above tasks.
Explain how you can get the column names of a table