Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Methodologies and Challenges DAST & SAST Auto + Manual (must)
Methodologies
OWASP’s Risk Picture
Application Security Cycle Architecture Blackbox WhiteboxDefense Architecture Review Design Review Technology Review Threa...
Methodology, Scan and Attacks Footprinting & Discovery Enumeration & Crawling Attacks and Scanning Config Scanning Web Fir...
Blackbox Footprinting & Discovery Profiling & Vulnerability assessment Manual Attacks Auto Attacks Defense Exploit
Review flow Architecture Review Scoping Footprinting Discovery Enumeration & Profiling Security Controls & Cases Vulnerabi...
Challenges • Technology fingerprinting • Hidden calls • Framework integration • Entry points are multiple • Traditional fu...
Whitebox Identified threats Identifying configuration and code blocks Configuration review Code review Security control Vu...
Review flow Architecture Review Scoping Threat Modeling Code Enumeration Security Controls & Cases Entry Point Discoveries...
Defense Vulnerabilities Identifying configuration and code blocks Code controls Configuration locks Defense strategies and...
Challenges • JavaScript code analysis • Logic on Client • Reverse engineering on code – Flash, Silverlight or Ajax • Serve...
Challenges • Filtering required for different streams • Code security on client side is needed as well • Browser and DOM s...
Web 2.0 Challenges • How to identify possible hosts running the application? – Cross Domain. • Identifying Ajax and RIA ca...
WhiteBox vs. BlackBox • Scope of coverage – Blackbox method uses crawling and spidering to determine all possible resource...
WhiteBox vs. BlackBox • Discovery and Detection – Blackbox testing uses signature analysis for vulnerability detection. Ex...
WhiteBox vs. BlackBox • Accuracy of Vulnerability – Accuracy of vulnerability is very important as well. – Blackbox is ina...
WhiteBox vs. BlackBox • Cause Identification – One of the major challenges is to identify actual cause of the vulnerabilit...
Conclusion
Upcoming SlideShare
Loading in …5
×

Assessment methodology and approach

1,895 views

Published on

This presentation covers DASt/SAST and Manual testing for web applciations.

Published in: Technology
no profile picture user

  • Be the first to comment

  • Be the first to like this

Assessment methodology and approach

  1. 1. Methodologies and Challenges DAST & SAST Auto + Manual (must)
  2. 2. Methodologies
  3. 3. OWASP’s Risk Picture
  4. 4. Application Security Cycle Architecture Blackbox WhiteboxDefense Architecture Review Design Review Technology Review Threat modeling Assessment Audit controls Penetration tests Deployment tests Configuration review Deployment review Code review Threat correlationSecure coding Configuration lockdown Content filtering Threat mitigation
  5. 5. Methodology, Scan and Attacks Footprinting & Discovery Enumeration & Crawling Attacks and Scanning Config Scanning Web Firewall Secure Coding Assets Secure Assets Black White Defense Code Scanning
  6. 6. Blackbox Footprinting & Discovery Profiling & Vulnerability assessment Manual Attacks Auto Attacks Defense Exploit
  7. 7. Review flow Architecture Review Scoping Footprinting Discovery Enumeration & Profiling Security Controls & Cases Vulnerability Assessment Threat Modeling Mitigation strategies Reporting Sample Security Control Categories – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
  8. 8. Challenges • Technology fingerprinting • Hidden calls • Framework integration • Entry points are multiple • Traditional fuzzing will not work • Auto assessment can be challenge • Behavioral assessment with Artificial intelligence
  9. 9. Whitebox Identified threats Identifying configuration and code blocks Configuration review Code review Security control Vulnerability detection
  10. 10. Review flow Architecture Review Scoping Threat Modeling Code Enumeration Security Controls & Cases Entry Point Discoveries Class, Function & Variable Tracing Code Mapping and Functionality Vulnerability Detection Mitigation Controls Reporting Sample Security Control Categories – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
  11. 11. Defense Vulnerabilities Identifying configuration and code blocks Code controls Configuration locks Defense strategies and policies Content filtering
  12. 12. Challenges • JavaScript code analysis • Logic on Client • Reverse engineering on code – Flash, Silverlight or Ajax • Server side issues and source code analysis • Web Services a major concern and its source security
  13. 13. Challenges • Filtering required for different streams • Code security on client side is needed as well • Browser and DOM security • Web application firewall – web 2.0 stream protection • Overall new approach for entry point analysis
  14. 14. Web 2.0 Challenges • How to identify possible hosts running the application? – Cross Domain. • Identifying Ajax and RIA calls • Dynamic DOM manipulations points • Identifying XSS and XSRF vulnerabilities for Web 2.0 • Discovering back end Web Services - SOAP, XML-RPC or REST. • How to fuzz XML and JSON structures? • Web Services assessment and audit • Client side code review • Mashup and networked application points
  15. 15. WhiteBox vs. BlackBox • Scope of coverage – Blackbox method uses crawling and spidering to determine all possible resources – Application assets are residing in JavaScript and various other tags in HTML, it makes asset detection very difficult and blackbox approach fails in many cases. – If one is using whitebox approach then not a single line of code will get missed and scope can be covered at 100%. Whitebox can do much better job when comes to covering the scope of the source.
  16. 16. WhiteBox vs. BlackBox • Discovery and Detection – Blackbox testing uses signature analysis for vulnerability detection. Example, it looks for ODBC error for SQL injection and so on. – If errrors are missing … – Blackbox fails in those cases – Whitebox good to go
  17. 17. WhiteBox vs. BlackBox • Accuracy of Vulnerability – Accuracy of vulnerability is very important as well. – Blackbox is inaccurate in some cases – Came up false +/-
  18. 18. WhiteBox vs. BlackBox • Cause Identification – One of the major challenges is to identify actual cause of the vulnerability. – Blackbox shows symptoms – Whitebox can pin point the cause
  19. 19. Conclusion

×