Software Security Testing
                                          The Next Frontier



                                 ...
Software Security Is A Challenge



        The Trinity of Trouble                                                        ...
Web-based Application Vulnerability




                Software Security problems are in the application software

© 2007...
Software Security Touchpoints




© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.   Tuesday, May 01...
Example SQL Injection Vulnerability




                  Compose a dynamic query based on user input:
                  S...
Slide 10

JRM2       Brook: Explain why this is important to morgan.
           rmills, 11/6/2006
Software Security Testing – Call to Action
                  Types of problems (vulnerabilities)
                    Weakn...
Upcoming SlideShare
Loading in …5
×

Software Security Testing

440 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
440
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
20
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Software Security Testing

  1. 1. Software Security Testing The Next Frontier Software Confidence. Achieved. Scott Matsumoto Principal Consultant smatsumoto@cigital.com www.cigital.com info@cigital.com +1.703.404.9293 Tuesday, May 01, 2007 1 About Cigital A leading consulting firm specializing in helping organizations improve their software security and software quality posture Recognized experts in “Building Security In” Extensive Industry Standards, Best Practices, and Regulatory Compliance Experience © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 2 1
  2. 2. Software Security Is A Challenge The Trinity of Trouble …is this complex program Connectivity The network is the computer. The Internet is everywhere and most software is on it Complexity Networked, distributed, mobile code is hard Extensibility Systems evolve in .NET unexpected ways and are changed on the fly This simple interface… © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 3 Software Vulnerability Growth Reported Software Vulnerabilities 9000 8064 8000 7000 5690 6000 5000 4129 3784 3780 4000 3000 2437 2000 1090 1000 0 2000 2001 2002 2003 2004 2005 2006 Source: CERT © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 4 2
  3. 3. Web-based Application Vulnerability Software Security problems are in the application software © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 5 Top 4 Vulnerabilities in CVE Percentage distribution of top 4 vulnerabilities 25.00% 20.00% XSS 15.00% buf sql-inject 10.00% dot 5.00% 0.00% 2000 2001 2002 2003 2004 2005 2006 2007 © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 6 3
  4. 4. Software Security Touchpoints © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 7 SQL Injection Insert SQL commands into data fields to alter behavior of server Return different data Overwork server with unbounded queries and joins (denial of service) Alter data Execute blocks of arbitrary SQL statements © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 8 4
  5. 5. Example SQL Injection Vulnerability Compose a dynamic query based on user input: SELECT cc_type, cc_num FROM cc_data WHERE id=‘%s’ AND cc_type=‘%s’ Normal cc_type = ‘Visa’: SELECT cc_type, cc_num FROM cc_data WHERE id=‘123456789’ AND cc_type=‘VisaVisa’ Visa © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 9 JRM2 SQL Injection Insert SQL commands into data fields to alter behavior of application Example: Enter x’ OR ‘a’=‘a instead of “Visa” to produce SELECT cc_type, cc_num FROM cc_data WHERE id=‘123456789’ AND cc_type =‘x’ OR ‘a’ = ‘a’ Results in all credit card data being returned © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 10 5
  6. 6. Slide 10 JRM2 Brook: Explain why this is important to morgan. rmills, 11/6/2006
  7. 7. Software Security Testing – Call to Action Types of problems (vulnerabilities) Weaknesses, Vulnerability and Attack Patterns Tools and Techniques for Testing Penetration and Fuzzing tools Think like a bad guy Know your application Resources CWE/CVE – mitre.org OWASP – owasp.org Verify 2007 – verifyconference.com © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 11 Thank you for your time. © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 12 6

×