Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Penetration testing dont just leave it to chance


Published on

This presentation talks about the focus towards building security in the software development life cycle and covers details related to Reconnaissance, Scanning and Attack based test design and execution approach.

Published in: Engineering
  • Be the first to comment

Penetration testing dont just leave it to chance

  1. 1. Name of the Speakers :  Anish Cheriyan, Director Quality and Centre of Excellence-Cyber Security  Sriharsha Narayanam , Test Architect and Cyber Security Test Engineering -COE Team Company Name : Huawei Technologies India Private Limited
  2. 2. ● Introduction ● Principles of Security for Secure Products ● Security in Product Development Life Cycle ● Penetration Testing Approach ● Details of Pen Test ● Cyber Security- a mindset and some anti patterns ● Conclusion
  3. 3.
  4. 4. Just Attack Testing
  5. 5. Feather Touch Testing
  6. 6. http:// Time Bound Testing
  7. 7.
  8. 8.  Favor simplicity ◦ Use fail safe defaults ◦ Do not expect expert users  Trust with reluctance ◦ Employ a small trusted computing base ◦ Grant the least privilege possible  Promote privacy  Compartmentalize  Defend in Depth ◦ Use Community resource-no security by obscurity  Monitor and trace Reference: Reference: Software Security by Michael Hicks, Coursera
  9. 9. Reference: Reference: Software Security by Michael Hicks, Coursera
  10. 10.
  11. 11. Requirement Design Coding Testing Release •General Security Requirement Analysis •Attack Surface Analysis • Threat Modeling - STRIDE(Micro soft) •Testability Analysis •Secure Architecture and Design. •Security Design guidelines •Security Test Strategy and Test Case •Secure Coding Guidelines ( good reference) •Static Check Tools like Fortify, Coverity (Ref- •Code Reviews •Security Test Cases •Penetration Testing Approach (Reconnaissa nce, Scanning, Attack, Managing access) •Anti Virus •Continuous Delivery System (Inspection and Secure Test)
  12. 12. Reference: Identify assets. Identify the valuable assets that your systems must protect. Create an architecture overview. Use simple diagrams and tables to document the architecture of your application, including subsystems, trust boundaries, and data flow. Decompose the application. Decompose the architecture of your application, including the underlying network and host infrastructure design, to create a security profile for the application. Identify the threats. Keeping the goals of an attacker in mind, and with knowledge of the architecture and potential vulnerabilities of your application, identify the threats that could affect the application. Document the threats. Document each threat using a common threat template that defines a core set of attributes to capture for each threat. Rate the threats. Rate the threats to prioritize and address the most significant threats first.
  13. 13. Reference:
  14. 14. Reference:
  15. 15. Reference:
  16. 16. Reference: _WORK_IN_PROGRESS •Business Model •Data Essential •End Users •Third Party •Administrators •Regulations Business Requirements •Network •Systems •Infrastructure Monitoring •Virtualization and Externalization Infrastructure Requirements •Environments •Data Processing •Access •Application Monitoring •Application Design Application Requirements •Operations •Change Management •Software Development •Corporate Security Program Requirements
  17. 17. Reference: Input Validation Output Encoding Authn. & Pwd. Mgmt. Session Management Access Control Cryptographic Practices Error Handling and Logging Data Encryption Communicati on Security System Configuration File Management Memory Management Gen. Coding Practices
  18. 18. Further Reading: Threat Modeling- Frank Swiderski, Window Snyder, A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World - Trust boundary code (Threat Model) Static Tool Execution Manual Code Review While doing the code review we can take the inputs from the code in the trust boundary, issues from the static tools like Fortiy, Coverity etc and put the focus at the right place for the Code Review
  19. 19. •Information Gathering (About the system, environment etc.) •Scan the system •Threat Analysis •Usage of the Static analyzer (Run fortify, Coverity, Appscan, Nessus, NMAP etc) •Right tool usage •Vulnerability Analysis •Fuzz Testing •Penetration testing •Use /Develop right set of tools to attack •Raise Defects Reconnaiss ance Scanning Attack Managing Access Test Strategy
  20. 20. Picture Courtesy: everything--1.png
  21. 21. Understands the typical application scenario. Analyse the system topology, architecture etc. Analyse the Threat Model , Security design and identifies the trust boundaries., Apply Penetration Test Analysis and Design Review and Analyse the Open source and third party software Analyse report of non dynamic examination like Fortify, Coverity. Analyze the information like communication matrix, product manual. . etc Conduct the code verification from security perspective Conduct penetration testing (Information gathering, Scanning, Attack, Defects)
  22. 22. Web Security Network Security DB Security OS Security Mobile Security Open Source Security Password Security Tools to be used Code Vulnerabilities Validation Penetration Test Analysis and Design Top 3 Attacks to be Focused Customer Deployment Topology Threat Modeling based Scenarios Penetration Test Approach Attack Vectors / Surface Automation ? Country Specific Security Test Case Database Good practice inheritance from Security defects from past Security Test Strategy - What to Cover ?
  23. 23. Threat modeling Analysis Level Vulnerability analysis. System Level and Feature Tools & Version Analysis Gather Overall Information Inputs from Baseline Test Case from Test Scenarios Exploratory Pen Testing With designed Cases Perform Scanning Defect Based Test Cases Defects Analysis Manage Access Penetration Testing Analysis overall flow Output Penetration Test Scenarios Penetration Test Cases Defects 1. Damage potential Assessment 2. New Test Cases
  24. 24.  Reconnaissance is a the first and the key phase of penetration testing where the information is gathered.  The more time you spend collecting information on your target, the more likely you are to be successful in the later phases. There can be a checklist based approach for information gathering but it need not be constrained to the list.  Information Gathering helps teams to think about the product properties upfront. ...So On Reconnaissance / Information Gathering Category Suggestive Informations to be gathered / verified Actual Information General Informatio n List of IP addresses that can be scanned Target OS and File permission information Information about the LOG FILE and their paths Information about the DATA FILE Location, and their format Storage mechanism of the USERNAME/PASSWORD of the application
  25. 25. Reconnaissance / Information Gathering Few Tools for WebApplication Reconnaissance  Wappalyzer  Passive Recon  Ground Speed [ presentation-at-the-owasp-nynj]
  26. 26. Software URL Description Maltego The defacto standard for mining data on individuals and companies. Comes in a free community version and paid version. Nessus A vulnerabilty scanning tool available in paid and free versions. Nessus is useful for finding and documenting vulnerabilities mostly from the inside of a given network. IBM AppScan http://www- IBM's automated Web application security testing suite. eEye Retina x Retina is an an automated network vulnerability scanner that can be managed from a single web-based console. It can be used in conjunction with Metasploit where if an exploit exists in Metasploit, it can be launched directly from Retina to verify that the vulnerability exists. Nexpose Nexpose is a vulnerability scanner from the same company that brings you Metasploit. Available in both free and paid versions that differ in levels of support and features. OpenVAS OpenVAS is a vulnerability scanner that originally started as a fork of the Nessus project. The actual security scanner is accompanied with a daily updated feed of Network Vulnerability Tests (NVTs), over 20,000 in total (as of January 2011) HP WebInspect pect.html HP WebInspect performs web application security testing and assessment for complex web applications. Supports JavaScript, Flash, Silverlight and others. HP SWFScan 2009/wwcampaign/1- 5TUVE/index.php?key=swf HP SWFScan is a free tool developed by HP Web Security Research Group to automatically find security vulnerabilities in applications built on the Flash platform. Useful for decompiling flash apps and finding hard-coded credentials, etc. THC IPv6 Attack Toolkit The largest single collection of tools designed to exploit vulnerabilities in the IPv6 and ICMP6 protocols. Pen Test Tools and Guidelines- Security Tools and Version Analysis Tools Analysis helps the teams to select the applicable tools upfront and build required competency to use them / acquire license , well before test execution phase.
  27. 27.  Scanning is the phase where the vulnerabilities and the weak areas in the system / target can be identified.  Tools to be finalized based on the application scope. • Based on the Threat Modeling Analysis, understand the Trust Boundary. – Analyze the present Risk Mitigation mechanism and derive test scenarios – Analysis the proposed Risk Mitigation mechanism and device the test scenarios • Threat Modeling analysis to be done both at System and at Sub system level ...So On ...So On System Scanning and further Analysis Test Scenarios from Threat Modeling Analysis Category Tool / Technique Applicability Analysis Scanning of the system under test using Static Code Analyzer Fortify , Coverity Determining if a system is alive Scanning Application AppScan , Acunetix, RSAS , QRADAR. . Entity or Process Threat Type Applicable ? Test Scenario based on Current Mitigation Test Scenario based on Proposed Mitigation Requirement 1 S Yes T No R I D E
  28. 28.  Vulnerability analysis is a process in which the vulnerability analysis of the system & Feature are conducted. The various ways in which it can be done are : ◦ Threat Modeling analysis ◦ Reconnaissance – Information Gathering ◦ System Level Vulnerability based on the Security area (Overlap with Threat Modeling Analysis) ◦ Feature level Vulnerability based on the Security area (Overlap with Threat Modeling Analysis) Security Area Does this Feature interact with Trust Boundary SSL Configuratio n used Encryption Algorithm used Anti- Attack Protection Identity Manageme nt Password Management System Level Analysis Feature 1 ...So On System and Feature level Vulnerability Analysis
  29. 29. Systematic Penetration Testing – Defects Examples Web Server version based Defects Web Server version based Defects Encryption issues Address ID issue Session ID bases Privilege Escalation CSRF issue – Form key User scenario Bases SQL injection
  30. 30. Penetration Testing Practice platforms
  31. 31.  Attack Surface analysis, Threat modeling not deeply practiced  Secure design and code practices not practiced well  Ignoring some errors of Fortify /Coverity and other tools. Sometimes considering them as false positives  Relying too much on Testing  “This is not a valid scenario. Customer would never test this way”.  “Innocent until Proven”- It should be “Guilty unless proven” Reference: Reference: Software Security by Michael Hicks, Coursera
  32. 32.  Build Security into the Life Cycle of product development  Focus on Security Competency  Assume Nothing, Believe Nobody, Check Everything.  Following Penetration Test Design Methods- Reconnaissance-Scanning-Attack-Manage Access.
  33. 33.    dots/cyber-security/  dots/cyber-security/hw- 401493.htm#.VV6DBfBCijM  us/security/aa570330.aspx  Building Secure Software –John Viega, Gary McGraw  Coursera Course - Software Security by Michael Hicks, University of Maryland
  34. 34. Organized by: UNICOM Trainings & Seminars Pvt. Ltd. Speaker Name: Anish Cheriyan , Sriharsha Narayanam Email ID:, @anishcheriyan