
QA Fest 2019. Iryna Bondaruk. Breaking into information security


IT security is not only a separate profession; it is a daily responsibility of everyone who works with computer systems.
Nowadays, checking software for security is becoming ever more relevant, and this field is developing rapidly.
I will cover the basic concepts of IT security, look at which processes security testing consists of, and go through the steps needed to start doing software security testing.

Published in: Education

  1. KYIV 2019. IRYNA BONDARUK. BREAKING INTO INFORMATION SECURITY. QA CONFERENCE #1 IN UKRAINE
  2. WITH PASSION TO QUALITY. Security QA
  3. Data Properties
  4. Million of records per month in 2019 vs 2018
     [Chart: million records leaked per month, January to July, 2019 vs 2018. Source: Lewis Morgan, https://www.itgovernance.co.uk/blog/author/lmorgan/]
  5. Security Testing
     Security Testing is a variant of Software Testing which ensures that the systems and applications in an organization are free from any loopholes that may cause a big loss. Security testing of any system is about finding all possible loopholes and weaknesses of the system which might result in a loss of information at the hands of employees or outsiders of the organization.
  6. Security Testing in SDLC
     ● Requirements: Security Analysis
     ● Design: Security Test Plan
     ● Coding & Unit Testing: Security White Box Testing
     ● Integration Testing: Black Box Testing
     ● System Testing: Black Box Testing & Vulnerability Scanning
     ● Implementation: Penetration Testing & Vulnerability Scanning
     ● Support: Impact Analysis
  7. Need to Know
     ● Vulnerability - a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application.
     ● Attack - attacks are the techniques that attackers use to exploit the vulnerabilities in applications.
     ● Injection - a type of attack
       ○ SQL injection, XSS injection, XML injection …
     ● Payload - the part of transmitted data that is the actual intended message.
     ● Exploit - a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized).
       ○ https://www.exploit-db.com
       ○ https://0day.today
  8. Ethical Hacking
     ● The first mention was in the 1960s at MIT.
     ● The term was coined to mean someone dedicated to solving technical problems in machines in a different, more creative fashion than what is set out in a manual.
     ● Around the early 1980s, the ethics of hacking were solidified: “It was never about attacks and never about monetary gain. The underlying principle was to understand the system and make some kind of logic out of the chaos.”
     ● In the late 80s and early 90s, the term was very popular, but it acquired a negative connotation synonymous with “digital trespasser.”
     ● The first hacker was arrested on February 15, 1995.
  9. White Hat vs Black Hat
  10. Test Approaches
  11. Security Testing Methodologies
     The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations are able to make informed decisions.
     The Penetration Testing Execution Standard (PTES) covers everything related to a penetration test - from the initial communication and reasoning behind a pentest, through the intelligence gathering and threat modeling phases where testers are working behind the scenes in order to get a better understanding of the tested organization, through vulnerability research, exploitation and post-exploitation.
     The Web Application Security Consortium (WASC) is a worldwide organization devoted to the establishment, refinement and promotion of Internet security standards. The consortium, which was founded in January 2004, consists of independent members as well as those associated with corporations, government agencies and academic institutions.
  12. OWASP TOP 10
     ● A1:2017-Injection
     ● A2:2017-Broken Authentication
     ● A3:2017-Sensitive Data Exposure
     ● A4:2017-XML External Entities (XXE)
     ● A5:2017-Broken Access Control
     ● A6:2017-Security Misconfiguration
     ● A7:2017-Cross-Site Scripting (XSS)
     ● A8:2017-Insecure Deserialization
     ● A9:2017-Using Components with Known Vulnerabilities
     ● A10:2017-Insufficient Logging & Monitoring
  13. Testing Stages
     ● Initialization
     ● Discovery
     ● Exploitation & Validation
     ● Risk Assessment
     ● Reporting
  14. Initialization
     ● Interfaces of the application
     ● Application protocols
     ● Previous report
     ● Technological stack
     ● Defined critical resources
     ● Attack vector
  15. Discovery
     ● Use BurpSuite/OWASP ZAP for intercepting requests
     ● Determine the role model
     ● Authentication type
     ● Service list
     ● Critical resources list
     ● Internal files
     ● Assessment plan
  16. Exploitation & Validation
     ● Try to actively exploit security weaknesses
     ● Save all evidence:
       ○ Short description
       ○ Visual exploitation result
       ○ Affected URL
       ○ Request
  17. Risk Assessment
  18. Reporting
     ● Analyze the results of the previous phases
     ● Create a step-by-step description for each finding
     ● Describe vulnerabilities, add evidence
     ● Add recommendations/mitigations
  19. Certifications
     eLearnSecurity is an information technology security company that develops and provides proprietary certifications with a practical focus. eLearnSecurity delivers course material electronically through the distance learning model.
     The Offensive Security Certified Professional (OSCP) is the certification for the Penetration Testing with Kali Linux training course and is a completely hands-on offensive information security certification. The OSCP challenges students to prove they have a clear and practical understanding of the penetration testing process through a 24-hour certification exam.
     The Certified Ethical Hacker program is the most desired information security training program any information security professional will ever want to be in. To master the hacking technologies, you will need to become one, but an ethical one! The accredited course provides the advanced hacking tools and techniques used by hackers and information security professionals alike to break into an organization.
  20. Resources for Studying
     ● Codecademy, Coursera
     ● OWASP Testing Guide
     ● OWASP Broken Web Applications Project, BeeWAPP, VulnHub
     ● Root-me.org
     ● Hackthis.co.uk
     ● OverTheWire
     ● Hack The Box
  21. Web App Security
     ● The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
     ● The Tangled Web: A Guide to Securing Modern Web Applications
     ● OWASP WAPT Testing Guide
     ● Hacker101
     ● PentesterLab Bootcamp
     ● HackerOne Hacktivity
     ● Bug Bounty Writeups
     ● James Kettle / albinowax Research
     ● Detectify Security Blog
     ● GracefulSecurity
     ● Apps for Testing & Practice
     ● SANS 2016 Holiday Hack Challenge
     ● Telegram channels: InSecure.UA, RalfHackerChannel, dataleak, w2hack, hackertoys
  22. Code Review
     ● OWASP Code Review Introduction
     ● OWASP Code Review Project
     ● 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
     ● Awesome Code Review
     ● Awesome Static Analysis
     ● Static Code Analysis Tools
     ● Codecademy
     ● Reading the language docs
     ● Google… like serious guys!
  23. Pros and Cons of becoming a Security QA
     Cons:
     ● High entry threshold
     ● Sooner or later you will have to learn programming
     ● Much smaller market in Security
     ● “Try HARDER”
     Pros:
     ● New field for self-improvement
     ● A lot of information for studying
     ● Lack of security specialists
     ● You already know how to investigate and report an issue
     ● It’s interesting
  24. Upcoming events
     1) OWASP Ukraine - Lviv, 5.10.2019
     2) DC8044 :: BLACKOUT() - Kyiv, 28.09.2019, Belka Space.
