Author: James W. De Rienzo
Date: August 2009

Published in: Business, Technology
Application Software Security Testing

  1. Is Software Security REALLY a Problem?
  2. What’s the Fuss about Application Security?
  3. Consensus Audit Guidelines (CAG)
     CAG’s Three Guiding Principles:
     - Defenses must address the most damaging attack activities.
     - Defenses should be automated where possible, and periodically or continuously measured.
     - Activities should produce a more consistent defense.
     Twenty critical controls comprise the SANS-CAG.
  4. Real-Time Auditing for SANS Consensus Audit Guidelines (CAG)
     7.) Application Software Security Control
     Application software that is developed in-house must be developed in a manner that limits the possibility of vulnerabilities from programming errors that have been identified as common causes of security exposures. Third-party libraries or other software used in the development process must be scanned to ensure they do not contain known vulnerabilities.
  5. 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
     Most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations.
     Protecting Your Web Apps: Two Big Mistakes, Input-Validation and Output Filtering Code, and 12 Practical Tips to Avoid Them
  6. Principles of Secure Development: Application Security Maturity (ASM)
     Published by (IN)SECURE Magazine, Issue 21, 6/2009, p. 71
  7. Principles of Secure Development Mapped to Vulnerabilities
  8. SafeCode - Fundamental Practices for Secure Development
     Minimize unsafe function use
  9. Use the latest compiler toolset
  10. Use static and dynamic analysis tools
  11. Manual code review
  12. Validate input and output
  13. Use anti-cross-site-scripting libraries
  14. Use canonical data formats
  15. Avoid string concatenation for dynamic SQL
  16. Eliminate weak cryptography
  17. Use logging and tracing
     Keep Web browsers, browser add-ons, and desktop software up to date. Always run the latest browser version.
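Two of the SafeCode practices above (validate input, avoid string concatenation for dynamic SQL) are shown side by side in this added Python example, which is not part of the deck. It uses an in-memory sqlite3 table with constructed sample rows; the table, the username allowlist pattern and the crafted input are all assumptions chosen for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demo (not from the original deck).
USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def lookup_concat(conn, name):
    # 'Before': dynamic SQL built by string concatenation (the practice
    # SafeCode says to avoid). A quote inside `name` rewrites the WHERE clause.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn, name):
    # 'After': a bound parameter. The driver never splices `name` into the
    # statement text, so it can only ever be compared as a literal value.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Allowlist for a username: lower-case letter, then up to 31 [a-z0-9_].
# Assumed policy for the example; real applications define their own.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")

def is_valid_username(name):
    # Input validation: accept only what the application needs, instead of
    # trying to strip characters that look dangerous.
    return USERNAME_RE.fullmatch(name) is not None

def demo():
    conn = make_db()
    crafted = "x' OR '1'='1"   # constructed input that a validator must reject
    return {
        "crafted_valid": is_valid_username(crafted),        # False
        "concat_rows": len(lookup_concat(conn, crafted)),  # 2: every row matched
        "param_rows": len(lookup_param(conn, crafted)),    # 0: compared as a literal
        "param_alice": lookup_param(conn, "alice"),
    }

if __name__ == "__main__":
    print(demo())
```

Validation and parameterization are complementary: the allowlist stops the bad input at the edge, and the bound parameter means the query is safe even when the edge check is missed.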
  18. Recommendations
     Test in-house Applications in AIM Environment
     Application Security Testing Tools:
     - Nessus for Web Application Testing
     - w3af - Web Application Attack and Audit Framework
     - Samurai Web Testing Framework
     - OWASP Project: (CAL9000, OWASP Top 10, WebGoat)
     - HP DevInspect, HP QAInspect, HP WebInspect
  19. References
     http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1348908,00.html
     http://www.tenablesecurity.com/whitepapers/tenable_SANS-CAG_compliance.pdf
     http://www.sans.org/cag/guidelines.php
     http://cwe.mitre.org/top25/
     http://www.sans.org/info/39723
     http://www.securityninja.co.uk/blog/?p=132
     http://www.net-security.org/dl/insecure/INSECURE-Mag-21.pdf
     http://blog.tenablesecurity.com/2009/07/presentation-using-nessus-in-web-application-testing-presentation-using-nessus-in-web-application-testing.html
     http://sourceforge.net/projects/w3af/files/
     http://samurai.inguardians.com/
     http://www.owasp.org/index.php/Category:OWASP_Project
     http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
     http://irongeek.com/
     http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
     https://h10078.www1.hp.com/cda/hpdc/fetchPDF.do
     http://www.safecode.org/publications/SAFECode_Dev_Practices1108.pdf
  20. Security Investment in the Wrong Place
     The End
