Successfully reported this slideshow.

Assessment methodology and approach

1

Share

Oct. 26, 2015
1 like 2,684 views
Upcoming SlideShare
Application fuzzing
Application fuzzing
Loading in …3
×
1 of 19
1 of 19

Assessment methodology and approach

Oct. 26, 2015
1 like 2,684 views

1

Share

Technology

This presentation covers DASt/SAST and Manual testing for web applciations.

This presentation covers DASt/SAST and Manual testing for web applciations.

Technology

Recommended

More Related Content

Viewers also liked

Owasp Top 10 A1: Injection
Michael Hendrickx
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
Shreeraj Shah
Workshop : Application Security
Priyanka Aash
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Shreeraj Shah
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Shreeraj Shah
XSS and CSRF with HTML5
Shreeraj Shah
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
Shreeraj Shah
Common Web Application Attacks
Ahmed Sherif
Web Attacks - Top threats - 2010
Shreeraj Shah
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Shreeraj Shah
Web application attacks
hruth
Securty Testing For RESTful Applications
Source Conference
Hacking web applications
Adeel Javaid
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
Secure Web Applications Ver0.01
Vasan Ramadoss
S5-Authorization
zakieh alizadeh
Vulnerabilities in modern web applications
Niyas Nazar
Owasp top 10 vulnerabilities 2013
Vishrut Sharma
Applciation footprinting, discovery and enumeration
Blueinfy Solutions

Similar to Assessment methodology and approach

Application security testing an integrated approach
Idexcel Technologies
Shreeraj-Hacking_Web_2
guest66dc5f
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Alert Logic
EISA Considerations for Web Application Security
Larry Ball
UTM Unified Threat Management
Lokesh Sharma
Codec Networks is Present Training in Penetration testing,VAPT in Delhi,India.
cnetworks
Appsec2013 assurance tagging-robert martin
drewz lin
Protecting Against Web App Attacks
Alert Logic
AppsSec In a DevOps World
Parasoft
Web Application Security Testing
Marco Morana
Study of Cross-Site Scripting Attacks and Their Countermeasures
Editor IJCATR
Romulus OWASP
Grupo Gesfor I+D+i
Web Based Security
John Wiley
HP WebInspect
rohit_ta
Rapport X force 2014
Patrick Bouillaud
WEB APPLICATION SECURITY
yashwanthlavu
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
OWASP Ottawa
Leverage the Network to Detect and Manage Threats
Cisco Canada
Lightning talk owasp_top10in10
Ben Pick
SANS 2014 - Superbees Wanted
Malik Mesellem

More from Blueinfy Solutions

Mobile Application Scan and Testing
Blueinfy Solutions
Mobile security chess board - attacks & defense
Blueinfy Solutions
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
iOS Application Security Testing
Blueinfy Solutions
Html5 on mobile
Blueinfy Solutions
Android secure coding
Blueinfy Solutions
Android attacks
Blueinfy Solutions
Automation In Android & iOS Application Review
Blueinfy Solutions
Source Code Analysis with SAST
Blueinfy Solutions
XSS - Attacks & Defense
Blueinfy Solutions
Defending against Injections
Blueinfy Solutions
XPATH, LDAP and Path Traversal Injection
Blueinfy Solutions
Blind SQL Injection
Blueinfy Solutions
SQL injection basics
Blueinfy Solutions
HTTP protocol and Streams Security
Blueinfy Solutions

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
System Identification: Tutorials Presented at the 5th IFAC Symposium on Identification and System Parameter Estimation, F.R. Germany, September 1979 Elsevier Books Reference
(4/5)
Free
Energy Conservation in Buildings: The Achievement of 50% Energy Saving: An Environmental Challenge? Elsevier Books Reference
(4/5)
Free
Young Men and Fire: Twenty-fifth Anniversary Edition Norman Maclean
(4.5/5)
Free
Longitude: The True Story of a Lone Genius Who Solved the Greatest Scientific Problem of His Time Dava Sobel
(4/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
Spooked: The Trump Dossier, Black Cube, and the Rise of Private Spies Barry Meier
(4/5)
Free
Second Nature: Scenes from a World Remade Nathaniel Rich
(5/5)
Free
Test Gods: Virgin Galactic and the Making of a Modern Astronaut Nicholas Schmidle
(5/5)
Free
Driven: The Race to Create the Autonomous Car Alex Davies
(4.5/5)
Free
Dignity in a Digital Age: Making Tech Work for All of Us Ro Khanna
(4/5)
Free
Einstein's Fridge: How the Difference Between Hot and Cold Explains the Universe Paul Sen
(4.5/5)
Free
After Steve: How Apple Became a Trillion-Dollar Company and Lost its Soul Tripp Mickle
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free

Assessment methodology and approach

  1. 1. Methodologies and Challenges DAST & SAST Auto + Manual (must)
  2. 2. Methodologies
  3. 3. OWASP’s Risk Picture
  4. 4. Application Security Cycle Architecture Blackbox WhiteboxDefense Architecture Review Design Review Technology Review Threat modeling Assessment Audit controls Penetration tests Deployment tests Configuration review Deployment review Code review Threat correlationSecure coding Configuration lockdown Content filtering Threat mitigation
  5. 5. Methodology, Scan and Attacks Footprinting & Discovery Enumeration & Crawling Attacks and Scanning Config Scanning Web Firewall Secure Coding Assets Secure Assets Black White Defense Code Scanning
  6. 6. Blackbox Footprinting & Discovery Profiling & Vulnerability assessment Manual Attacks Auto Attacks Defense Exploit
  7. 7. Review flow Architecture Review Scoping Footprinting Discovery Enumeration & Profiling Security Controls & Cases Vulnerability Assessment Threat Modeling Mitigation strategies Reporting Sample Security Control Categories – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
  8. 8. Challenges • Technology fingerprinting • Hidden calls • Framework integration • Entry points are multiple • Traditional fuzzing will not work • Auto assessment can be challenge • Behavioral assessment with Artificial intelligence
  9. 9. Whitebox Identified threats Identifying configuration and code blocks Configuration review Code review Security control Vulnerability detection
  10. 10. Review flow Architecture Review Scoping Threat Modeling Code Enumeration Security Controls & Cases Entry Point Discoveries Class, Function & Variable Tracing Code Mapping and Functionality Vulnerability Detection Mitigation Controls Reporting Sample Security Control Categories – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
  11. 11. Defense Vulnerabilities Identifying configuration and code blocks Code controls Configuration locks Defense strategies and policies Content filtering
  12. 12. Challenges • JavaScript code analysis • Logic on Client • Reverse engineering on code – Flash, Silverlight or Ajax • Server side issues and source code analysis • Web Services a major concern and its source security
  13. 13. Challenges • Filtering required for different streams • Code security on client side is needed as well • Browser and DOM security • Web application firewall – web 2.0 stream protection • Overall new approach for entry point analysis
  14. 14. Web 2.0 Challenges • How to identify possible hosts running the application? – Cross Domain. • Identifying Ajax and RIA calls • Dynamic DOM manipulations points • Identifying XSS and XSRF vulnerabilities for Web 2.0 • Discovering back end Web Services - SOAP, XML-RPC or REST. • How to fuzz XML and JSON structures? • Web Services assessment and audit • Client side code review • Mashup and networked application points
  15. 15. WhiteBox vs. BlackBox • Scope of coverage – Blackbox method uses crawling and spidering to determine all possible resources – Application assets are residing in JavaScript and various other tags in HTML, it makes asset detection very difficult and blackbox approach fails in many cases. – If one is using whitebox approach then not a single line of code will get missed and scope can be covered at 100%. Whitebox can do much better job when comes to covering the scope of the source.
  16. 16. WhiteBox vs. BlackBox • Discovery and Detection – Blackbox testing uses signature analysis for vulnerability detection. Example, it looks for ODBC error for SQL injection and so on. – If errrors are missing … – Blackbox fails in those cases – Whitebox good to go
  17. 17. WhiteBox vs. BlackBox • Accuracy of Vulnerability – Accuracy of vulnerability is very important as well. – Blackbox is inaccurate in some cases – Came up false +/-
  18. 18. WhiteBox vs. BlackBox • Cause Identification – One of the major challenges is to identify actual cause of the vulnerability. – Blackbox shows symptoms – Whitebox can pin point the cause
  19. 19. Conclusion

×