  1. Security Testing. 30th June 2009. K. Krongrat Kamtasila, K. Nutdanai Wiangwang.
  2. Agenda
      • Basic Security
      • Security breach incidents
      • Security Testing
      • Secure Programming
      • Software Security Model
      • Security Testing approach
      • Limitations
      • Software Security Assurance
  3. Basic security in home & office. Diagram of the everyday exposure points: malware (viruses, worms and Trojans), web browsing, network connection, email.
  4. Basic security in home & office. The same diagram with the things that need protecting added: patches, data, applications.
  5. Security Objectives
      • Confidentiality
      • Integrity
      • Availability
      The National Institute of Standards and Technology (NIST) adds:
      • Accountability
      • Assurance
  6. Security breach incidents
  7. TJX: the worst loss of personal data on record at the time
      • Disclosed in 2007: 45.6 million credit and debit card numbers were stolen from TJX systems over a period of more than 18 months by an unknown number of intruders.
      • Christopher Scott broke into the TJX network in July 2005 through two wireless access points at a TJX-owned Marshalls store in Miami. He used the access he gained to download various commands onto TJX servers containing payment card data.
      • Scott later established a VPN connection between a TJX payment card transaction processing server and a malicious server, which he then used to upload sniffer programs that captured transaction data as it was being processed. In all, Scott received about $400,000 for his role in the thefts.
      • Scott admitted to conspiracy, unauthorized access to computer systems, access device fraud and identity theft. He faced a maximum of 22 years in prison and a US$1 million fine, and forfeited the roughly $400,000 he made from the payment card thefts.
      Note the shape of the attack: the entry point was weak wireless security at a single store, but the damage was done by what the intruders could reach from there, the servers holding card data.
  8. TJX lesson learned. Criminal hackers are part of a very mature, multi-billion dollar industry that reaches around the world. No organization is immune to the threat.
  9. British Airways giveaway hoax. This hoax email promises free air travel in exchange for forwarding emails. British Airways is NOT running any such media campaign. The company has been inundated with calls about this "campaign" since the email began spreading.
  10. British Airways lesson learned. Hoaxers usually try every means available to make their lies believable, e.g. mimicking a journalistic style, attributing the text to a 'legitimate' source, or implying that powerful corporate or government interests have tried to keep the information from you. Be skeptical, and don't reveal private information to unreliable sources. More hoax examples:
      http://www.hoax-slayer.com/megafortune-lottery-international.html
      http://www.hoax-slayer.com/tsunami-nigerian-scam.html
  11. Defense in depth concepts. Layers, from the asset outward: Data Security, Application Security, Host Security, Network Security, Perimeter Security, Physical Security, all surrounded by Policies, standards, procedures and awareness. Example controls pictured alongside the layers: authentication and password security, biometrics, antivirus software, firewalls (hardware or software), routers and switches.
  12. Security Testing
  13. Basic concept. Product = House. How secure should this door be? (Picture: a house door.)
  14. Basic concept. Product = Car. How secure should this door be?
  15. Basic concept. Product = Refrigerator. How secure should this door be?
  16. Basic concept. The required level of security depends on the purpose of the product.
  17. Level of security, increasing from left to right: dog house, department store / e-shop, safety deposit box.
  18. Security for assets or for privacy?
  19. Security Testing Approaches. Two complementary approaches:
      • Testing security mechanisms to ensure that their functionality is properly implemented. Performed by QA staff.
      • Performing risk-based security testing motivated by understanding and simulating the attacker's approach. Performed by expert and experienced QA staff who can think like an attacker.
  20. Security in non-functional testing. Non-functional testing asks how well the product functions: usability, reliability, performance. Door case:
      Functional testing: Can it open and close? Does the lock work with the PIN/key?
      Non-functional testing: Is the lock located in a proper position? What is the response time after entering the PIN? Is the reliability of PIN verification acceptable? Robustness?
  21. Types of Security Testing
      • Dynamic security testing (run-time testing)
      • Static security testing (static code analysis)
      • Penetration testing and vulnerability scanning
  22. Dynamic security testing. Dynamic analysis examines the program while it runs; the technique shown here is "data tainting":
      • Tag actual data received from untrusted sources within a running program as "tainted".
      • Propagate the taintedness to any data derived from tainted data.
      • Detect when tainted data is used in dangerous circumstances.
      For example, data tainting would detect when any data derived from unsanitized GET request parameters is output within HTML (the cross-site scripting case).
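The three steps above (tag, propagate, detect), as an added example written for this page, not code from the original deck: a toy taint tracker in Python. Untrusted data is wrapped in a `str` subclass, common string operations keep the mark, and an HTML sink refuses marked data unless it went through the sanitizer. The query string, the parameter name and the function names (`get_param`, `sanitize`, `html_sink`) are constructed for the demo; a real tool hooks the interpreter or framework so that no operation can drop the mark, which this toy does not attempt.

```python
"""Toy dynamic taint tracking for HTML output (added example, not from the slides).

Untrusted input (a constructed GET query string) is wrapped as Tainted; common
string operations propagate the mark; the HTML sink refuses tainted data unless
it went through the sanitizer. get_param, sanitize and html_sink are invented
names for the demo.
"""
import html
import urllib.parse


class TaintError(Exception):
    """Raised when tainted data reaches a dangerous sink."""


class Tainted(str):
    """A str subclass marking data that came from an untrusted source."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        # "literal" + tainted: Python tries the subclass's __radd__ first
        return Tainted(str.__add__(other, self))


def _propagating(name):
    """Wrap a str method so that a string result stays Tainted."""
    method = getattr(str, name)

    def wrapper(self, *args, **kwargs):
        result = method(self, *args, **kwargs)
        return Tainted(result) if isinstance(result, str) else result

    return wrapper


# Operations that derive new data from tainted data keep the taint.
# Not covered by this toy: f-strings and "literal".format(tainted) build a plain
# str, silently dropping the mark; a real tracker hooks the interpreter instead.
for _name in ("upper", "lower", "strip", "replace", "title", "__getitem__", "__mul__"):
    setattr(Tainted, _name, _propagating(_name))


def get_param(query, name):
    """Source: parse a query string and return the parameter value tainted."""
    return Tainted(urllib.parse.parse_qs(query)[name][0])


def sanitize(value):
    """Sanitizer for the HTML body context: escape, then drop the taint mark."""
    return str(html.escape(value))  # str() of a str subclass yields a plain str


def html_sink(fragment):
    """Sink: emit HTML, but refuse data still carrying the taint mark."""
    if isinstance(fragment, Tainted):
        raise TaintError("tainted data reached HTML output: %r" % str(fragment))
    return fragment


# Constructed request: ?name=<script>alert(1)</script>
REQUEST_QUERY = "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def vulnerable_page(query):
    """Echoes the parameter unescaped: the taint check fires at the sink."""
    name = get_param(query, "name")
    return html_sink("<p>Hello, " + name.strip() + "</p>")


def hardened_page(query):
    """Escapes before output, so the sink sees clean data."""
    name = get_param(query, "name")
    return html_sink("<p>Hello, " + sanitize(name.strip()) + "</p>")


def detects_xss(query):
    """True when the taint tracker flags the vulnerable page for this request."""
    try:
        vulnerable_page(query)
    except TaintError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable page flagged:", detects_xss(REQUEST_QUERY))
    print("hardened page output:   ", hardened_page(REQUEST_QUERY))
```

Note that the sanitizer is context-specific: `html.escape` is right for an HTML body or attribute, not for a value placed inside a `<script>` block or a URL, which is why real taint systems track which sanitizer was applied rather than a single clean/dirty bit.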
  23. Static security testing. Static analysis performs data-flow analysis directly on the source code, without running it, to detect where certain kinds of security vulnerabilities are possible. It uses a data tainting model to study all possible code paths within a program and identify potential problems. Because it reasons about paths that may never execute, it produces false positives that a reviewer must triage, and it cannot see behaviour that exists only at run time (configuration, reflection, dynamically built code).
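The same taint model applied to source code instead of a running program, as an added example written for this page (not code from the original deck): a small intra-procedural analysis built on Python's `ast` module. It runs over `SAMPLE_SOURCE`, a constructed set of view functions; the source, sanitizer and sink names (`request.args.get`, `html.escape`, `Response`) are assumptions chosen for the demo rather than any particular framework's API. The analysis is straight-line only (no branches or loops), which is enough to show the model: every assignment from a source or from a tainted expression marks its target, passing through the sanitizer clears the mark, and a tainted argument reaching the sink is a finding.

```python
"""Toy static taint analysis over Python source (added example, not from the slides).

Tracks variables assigned from a source (request.args.get), propagates taint
through expressions, clears it at the sanitizer (html.escape) and reports a
finding when a tainted expression reaches the sink (Response). Source, sanitizer
and sink names are assumptions for the demo, not a specific framework's API.
"""
import ast

SOURCES = {("request", "args", "get")}
SANITIZERS = {("html", "escape")}
SINKS = {("Response",)}

# Constructed code under analysis. greet_vulnerable (sink on line 5) and
# greet_partly_fixed (sink on line 18, the raw value is concatenated back in)
# should be flagged; greet_fixed and static_page should not.
SAMPLE_SOURCE = '''
def greet_vulnerable():
    name = request.args.get("name")
    greeting = "Hello, " + name
    return Response("<p>" + greeting + "</p>")

def greet_fixed():
    name = request.args.get("name")
    safe = html.escape(name)
    return Response("<p>Hello, " + safe + "</p>")

def static_page():
    return Response("<p>nothing from the user here</p>")

def greet_partly_fixed():
    name = request.args.get("name")
    safe = html.escape(name)
    return Response(safe + " (" + name + ")")
'''


def dotted_name(node):
    """Attribute chain of a call target as a tuple, e.g. ('request', 'args', 'get')."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None  # call target too dynamic for this toy (e.g. a subscript)


def is_tainted(expr, tainted_vars):
    """True if the expression may carry data derived from a source."""
    if isinstance(expr, ast.Call):
        target = dotted_name(expr.func)
        if target in SOURCES:
            return True
        if target in SANITIZERS:
            return False  # sanitizer output is treated as clean
        return any(is_tainted(a, tainted_vars) for a in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted_vars
    # BinOp, f-strings, tuples, ...: tainted if any sub-expression is
    return any(is_tainted(child, tainted_vars) for child in ast.iter_child_nodes(expr))


def analyze(source):
    """Return [(function_name, line_number)] for every sink call fed tainted data."""
    findings = []
    for func in ast.parse(source).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:  # straight-line: statements in order, no branches
            if isinstance(stmt, ast.Assign):
                targets = [t.id for t in stmt.targets if isinstance(t, ast.Name)]
                if is_tainted(stmt.value, tainted):
                    tainted.update(targets)
                else:
                    tainted.difference_update(targets)  # reassigned with clean data
            for node in ast.walk(stmt):
                if isinstance(node, ast.Call) and dotted_name(node.func) in SINKS:
                    if any(is_tainted(a, tainted) for a in node.args):
                        findings.append((func.name, node.lineno))
    return findings


if __name__ == "__main__":
    for name, line in analyze(SAMPLE_SOURCE):
        print(f"tainted data reaches sink in {name} at line {line}")
```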
  24. Penetration Testing and Vulnerability Scanning. Goal: to assess the overall security of a network by attempting to compromise the system using an attacker's techniques. The two are often confused:
      Vulnerability scan ("passive", in the sense that it does not exploit what it finds): identifies known problems that may already be present rather than evaluating the system against a real attack. It only lists what the potential vulnerabilities may be and does not address the implications of a successful intrusion, without probing deeper to reveal the true threat to assets.
      Penetration test (active): an authorized attempt to breach the architecture of a system using attacker techniques. It attacks the system and measures its readiness, showing what an intrusion could actually reach. The authorization and scope should be written down before testing starts.
  25. Why does secure programming matter?
  26. Initiatives: BSI (Build Security In). A Software Assurance strategic initiative of the National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security. The Software Engineering Institute (SEI) was engaged by the NCSD to provide support in the Process and Technology focus areas of this initiative. The SEI team and other contributors develop and collect software assurance and software security information that helps to create secure systems.
      • A collaborative effort that provides practices, tools, guidelines, rules, principles and other resources that software developers, architects and security practitioners can use to build security into software in every phase of its development.
      • BSI content is based on the principle that software security is fundamentally a software engineering problem and must be addressed in a systematic way throughout the software development life cycle.
  27. Initiatives: OWASP (The Open Web Application Security Project). A worldwide free and open community focused on improving the security of application software. Mission:
      • To make application security visible, so that people and organizations can make informed decisions about true application security risks.
      • Everyone is free to participate in OWASP, and all of its materials are available under a free and open software license.
  28. Attacks at application level (OWASP Top 10, 2007 edition)
      • A1 - Cross Site Scripting (XSS)
      • A2 - Injection Flaws
      • A3 - Malicious File Execution
      • A4 - Insecure Direct Object Reference
      • A5 - Cross Site Request Forgery (CSRF)
      • A6 - Information Leakage and Improper Error Handling
      • A7 - Broken Authentication and Session Management
      • A8 - Insecure Cryptographic Storage
      • A9 - Insecure Communications
      • A10 - Failure to Restrict URL Access
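A2 (Injection Flaws) in working code, as an added example written for this page and not part of the original deck: a login query built by string concatenation beside its parameterized fix, run against an in-memory SQLite database. The users table, the two accounts and the attack payload are constructed for the demo. Passwords are stored in plain text purely to keep the injection point visible; in real code that would itself be an A8 (Insecure Cryptographic Storage) finding.

```python
"""A2 Injection Flaws: concatenated SQL beside its parameterized fix
(added example, not from the slides). Table, accounts and payload are constructed.
"""
import sqlite3


def make_db():
    """In-memory SQLite database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into SQL, so a quote in the input becomes SQL syntax."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()  # (username, role) or None


def login_fixed(conn, username, password):
    """Binds the input as parameters; the database never parses it as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Constructed payload: closes the quoted string, ORs in a condition that selects
# the admin row, and comments out the password check ("--" starts a SQL comment).
PAYLOAD = "' OR username = 'alice' -- "


def demo():
    """What each implementation returns for a legitimate login and for the payload."""
    conn = make_db()
    return {
        "legit_fixed": login_fixed(conn, "alice", "s3cret"),
        "attack_vulnerable": login_vulnerable(conn, PAYLOAD, "wrong"),
        "attack_fixed": login_fixed(conn, PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case:18} -> {row}")
```

The vulnerable query logs the attacker in as alice without a password; the parameterized version looks for a user literally named `' OR username = 'alice' -- ` and finds nothing. The same payload shape is what a dynamic scanner sends when it probes for A2; the static taint analysis described earlier would flag the concatenation in `login_vulnerable` without sending anything.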
  29. Software Security Model
  30. From outside-in to inside-out. Traditional approaches to computer and network security testing focus on network infrastructure, firewalls and port scanning: protect vulnerable systems (and software) from attack by identifying and defending a perimeter. Diagram: the Internet / public network, a hardware firewall (usually part of a TCP/IP router), the secure private network behind it, and a portable local area network. Is it enough?
  31. Attacking the network infrastructure vs. the application. Diagram: in both cases the attacker's traffic passes the firewall, IDS and proxy on its way to the application and its database. An application-level attack arrives on the same allowed ports as legitimate requests, so the perimeter controls let it through.
  32. Statistics gap. Applications are the biggest IT spending priority for most businesses, but application security is the smallest security spending priority for most organizations. The slide quotes the figure that 92% of reported vulnerabilities are in applications, not networks.
  33. Defense in depth concepts (the layered diagram from slide 11 shown again: application and data security sit inside the host, network, perimeter and physical layers).
  34. How to approach Security Testing
  35. Security and Risk Management. Security is an exercise in risk management. Risk analysis, especially at the design level, can help us identify potential security risks early. Software security practitioners perform many different tasks to manage software security risks, including: creating security abuse/misuse cases; listing normative security requirements; performing architectural risk analysis; building risk-based security test plans; wielding static analysis tools; performing security tests; performing penetration testing in the final environment; cleaning up after security breaches.
  36. Why do we need to care? Chart: relative cost to correct a defect across the phases Preliminary Design, Detailed Design, Code and Debug, Integrate, Validate, Operation. Case A (testing applied) is compared with Case B (testing not applied); the later a defect is found, the more it costs to correct.
  37. Security Activities in the SDLC
      Requirements: security requirements, risk analysis
      Design: security policy and design review, threat modeling
      Code: unit testing, code review and analysis
      Test: risk-based security testing
      Deployment: penetration testing
  38. Limitations
  39. Security Testing Limitations
      Lack of awareness. How to address it: understanding of security threats, threat modeling, secure coding principles and best practices.
      Lack of knowledge. How to address it: provide training; promote websites that provide information on security testing.
      Lack of allocated time/resources. How to address it: automate with security testing tools.
  40. Software Security Assurance
  41. Software Security Assurance Process. Identify and categorize the information by its sensitivity. Develop security requirements to address access control, including network access and physical access, and data management and data access. A security bug is a software bug that can be exploited to gain unauthorized access or privileges, i.e. one that lets someone other than the intended beneficiaries benefit from the software in unintended ways. Security bugs introduce security vulnerabilities by compromising one or more of:
      • Authentication of users and other entities
      • Authorization of access rights and privileges
      • Data confidentiality
      • Data integrity
  42. Security Testing Concepts
      Confidentiality: to ensure that the information is disclosed only to the intended recipient.
      Authentication: to ensure that the information was sent by the claimed sender.
      Integrity: to ensure that the information is not manipulated or altered in transit.
      Authorization: to ensure that the requester is allowed to receive a service or perform an operation.
      Availability: to ensure that the information and communication services are available to authorized persons when they need them.
      Non-repudiation: to prevent later denial that an action happened or that a communication took place.
  43. Confidentiality. Diagram: a message addressed to Whanjai crosses the Internet; other parties on the path (Wanchai, Whanpai) must not be able to read it. What if confidentiality is broken?
  44. Authentication. Diagram: a genuine British Airways message versus the hoax mail from a "fake British Airways", both arriving over the Internet. What if authentication is broken?
  45. Integrity. Diagram: a message altered while crossing the Internet. What if integrity is broken?
  46. Authorization. Diagram: a file server holding finance data and source code; the finance person should reach only the finance data, the programmer only the source code. What if authorization is broken?
  47. Availability. Diagram: the same file server, finance person and programmer; both need their data reachable when they need it. What if availability is broken?
  48. Non-repudiation. Diagram: Person A sends a purchase order to Person B; neither should be able to deny later that it was sent and received. What if non-repudiation is broken?
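The integrity (slide 45), authentication (slide 44) and non-repudiation (slide 48) cases in working code, as an added example written for this page and not part of the original deck: a purchase order protected with an HMAC. Person A and Person B share a key (constructed here, as is the order itself); B recomputes the tag over what arrived, so an order altered in transit or one produced by someone without the key is rejected. The example also shows what an HMAC does not give: because both parties hold the same key, either of them could have produced any valid tag, so it provides no non-repudiation. That property needs a digital signature made with a key only the sender holds.

```python
"""Integrity and authentication of a message with HMAC-SHA256
(added example, not from the slides). Key and purchase order are constructed.
"""
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size      # 32 bytes
SHARED_KEY = b"demo-shared-key-do-not-reuse"   # constructed for the example


def protect(key, message):
    """Return message || HMAC-SHA256(key, message), ready to send."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key, wire):
    """Return the message if its tag verifies under key, else None."""
    if len(wire) < TAG_LEN:
        return None
    message, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest runs in time independent of where the tags first differ
    return message if hmac.compare_digest(tag, expected) else None


PURCHASE_ORDER = b"PURCHASE ORDER #0042: 10 units, pay account 1234"  # constructed


def scenarios():
    """What the receiver accepts: the intact order, a modified one, a forged one."""
    wire = protect(SHARED_KEY, PURCHASE_ORDER)
    modified = wire.replace(b"10 units", b"99 units")   # altered in transit (integrity)
    forged = protect(b"attacker-key", PURCHASE_ORDER)   # sender lacks the key (authentication)
    return {
        "intact": verify(SHARED_KEY, wire),
        "modified_in_transit": verify(SHARED_KEY, modified),
        "forged_sender": verify(SHARED_KEY, forged),
    }


def receiver_can_forge():
    """Non-repudiation gap: Person B, holding the shared key, can mint a tag that
    verifies exactly like Person A's, so a valid tag does not prove who sent it."""
    minted_by_b = protect(SHARED_KEY, b"PURCHASE ORDER #0043: 500 units")
    return verify(SHARED_KEY, minted_by_b) is not None


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:20} -> {'accepted' if result else 'rejected'}")
    print("receiver can forge a valid tag:", receiver_can_forge())
```

The check also covers the confidentiality slide by omission: the order travels in clear text, the HMAC only proves it was not changed. Confidentiality would need encryption in addition, with the tag computed over the ciphertext.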
  49. Four kinds of security threats/attacks, relative to (a) the normal flow of information from source to destination:
      (b) Interruption, an attack on availability
      (c) Interception, an attack on confidentiality
      (d) Modification, an attack on integrity
      (e) Fabrication, an attack on authenticity
  50. References
      • http://www.securityfocus.com/infocus/1504
      • http://www.hoax-slayer.com/british-airways-giveaway-hoax.html
      • http://www.computerweekly.com/Articles/2009/05/15/236068/technologies-for-application-level-security.htm
      • https://buildsecurityin.us-cert.gov/daisy/bsi/articles/tools/code/263-BSI.html
      • http://www.archive.org/details/SecurityTesting
      • http://www.secguru.com/link/vulnerability_scanning_or_penetration_testing_ppt
      • https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
      • Jarkko Holappa, "Application Level Security Assurance"
      • http://www.tmap.net/Images/testingexperience_article_andreas_prins_tcm8-53870.pdf
      • http://www.cigital.com/papers/download/bsi4-testing.pdf
  51. Q&A
  52. Contact Us. Global Process Innovations (GPI) Asia, 2 Ploenchit Center, G Floor, Sukhumvit Rd., Klongtoey, Klongtoey, Bangkok 10110. Tel: +66 (0)2 305 6612. Website: WWW.GPIASIA.NET. Email: info@gpiasia.net
