Approaches to Automated Security Testing

Bill Shelton (no initials – no hacker alias)
MXUnit.org
theguys@mxunit.org
@virtix – Twitter
One Big Ass Problem!
Programmer   Security guy
Break it
Disassemble, Discover, Discard
+ Webdriver + + ==
Ok … Now what?
It’s T-shirt time!
What’s wrong with the following code?
Static Analysis
Trust Boundaries
Validation
Output Encoding
White List
Black List
Validate this, punk …
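The slides list validation, white lists, black lists and output encoding as separate topics; the following added example (mine, not from the talk or MXUnit) puts them side by side. It assumes a hypothetical username field that can be tightly white-listed and a free-text comment field that cannot, and uses constructed sample inputs to show why a black list is the weaker of the two and why encoding is applied at output regardless of what validation did.

```python
import html
import re

# White list: describe the only shape we accept for a username.
USERNAME_PATTERN = re.compile(r"\A[A-Za-z0-9_]{3,20}\Z")

# Black list: enumerate what we think is bad. Anything not on the list passes.
BLOCKED_FRAGMENTS = ("<script", "javascript:")


def blacklist_is_clean(value: str) -> bool:
    """Black-list check: True when no known-bad fragment is present."""
    lowered = value.lower()
    return not any(fragment in lowered for fragment in BLOCKED_FRAGMENTS)


def whitelist_username(value: str):
    """White-list check: return the value only if it matches the allowed shape, else None."""
    return value if USERNAME_PATTERN.match(value) else None


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text or quoted-attribute context."""
    return html.escape(value, quote=True)


def render_greeting(raw_username: str) -> str:
    """Strict field: validate against the white list, then still encode on output."""
    name = whitelist_username(raw_username)
    if name is None:
        raise ValueError("username rejected by white-list validation")
    return f"<p>Hello, {encode_for_html(name)}</p>"


def render_comment(raw_comment: str) -> str:
    """Free-text field: cannot be tightly white-listed, so output encoding carries the load."""
    return f"<p>{encode_for_html(raw_comment)}</p>"


if __name__ == "__main__":
    # Constructed input that a black list keyed on "<script" does not catch.
    sneaky = '<b onmouseover="steal()">hi</b>'
    print(blacklist_is_clean(sneaky))    # True: the black list missed it
    print(whitelist_username(sneaky))    # None: the white list rejected it
    print(render_greeting("alice_01"))
    print(render_comment(sneaky))        # markup arrives as inert text
```

The black list passes the constructed comment because it only knows about two fragments; the white list rejects it because the username shape does not allow `<`, spaces or quotes. Where the field is free text, the comment is accepted but encoded, so whatever crossed the trust boundary is rendered as data rather than markup.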
Direct Object Reference

http://foo.com/yapp/profile.cfm?id=123

Indirect Object Reference
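The two slides above contrast a URL that carries the real record id with one that carries an indirect reference. The example below is added here and is not code from the talk; it uses a constructed in-memory profile table, a hypothetical per-user session object, and the slide's `foo.com/yapp/profile.cfm` URL to show a direct lookup that trusts `?id=` as-is next to an indirect lookup that resolves an opaque per-session token and still checks ownership.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory profile table keyed by the real (direct) record id.
PROFILES = {
    101: {"owner": "alice", "email": "alice@example.com"},
    102: {"owner": "bob", "email": "bob@example.com"},
}


def query_param(url: str, name: str) -> str:
    """Return one query-string parameter from a request URL ("" if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def direct_lookup(id_param: str):
    """Direct object reference: the id the client sent is used as the key, unchecked."""
    try:
        record_id = int(id_param)
    except ValueError:
        return None
    return PROFILES.get(record_id)   # no ownership check: any caller reaches any row


class Session:
    """Hypothetical per-user session holding the indirect -> direct reference map."""

    def __init__(self, user: str):
        self.user = user
        self.ref_map: dict[str, int] = {}


def issue_reference(session: Session, record_id: int) -> str:
    """Hand the client an opaque token instead of the real id."""
    token = secrets.token_urlsafe(12)
    session.ref_map[token] = record_id
    return token


def indirect_lookup(session: Session, token: str):
    """Resolve the token through the session map, then enforce ownership."""
    record_id = session.ref_map.get(token)
    if record_id is None:
        return None                  # token was never issued to this session
    profile = PROFILES.get(record_id)
    if profile is None or profile["owner"] != session.user:
        return None                  # the map is not a substitute for authorization
    return profile


def profile_url(token: str) -> str:
    """Build the link the page would emit instead of ?id=<real id>."""
    return f"http://foo.com/yapp/profile.cfm?ref={token}"


if __name__ == "__main__":
    # Direct reference: alice's browser asks for id=102 and gets bob's row.
    print(direct_lookup(query_param("http://foo.com/yapp/profile.cfm?id=102", "id")))

    # Indirect reference: alice only ever receives tokens for her own records.
    alice = Session("alice")
    token = issue_reference(alice, 101)
    print(profile_url(token))
    print(indirect_lookup(alice, query_param(profile_url(token), "ref")))
    print(indirect_lookup(alice, "never-issued"))   # None
```

The token is meaningful only inside the session that issued it, so guessing or editing the parameter yields nothing, and the ownership check in `indirect_lookup` covers the case where a token is issued for the wrong record.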
Take Away
• Think securely from the first line of code – far better to write securely from the start than to fix it later
• Use black box tools to help grab low-hanging fruit
• Use your knowledge to dig in and find and fix vulnerabilities – gray and white box approaches
• Learn the trust boundaries
• Validate and encode correctly
Test   Be Happy
Stuff to Read
• OWASP - http://www.owasp.org/index.php/Main_Page
• SANS Institute - http://www.sans.org/
• SANS Top 25 of 2009 - http://www.sans.org/top25errors/
• Secure Programming with Static Analysis – Brian Chess & Jacob West
• OWASP: Software Assurance Maturity Model - http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
• Software Security: Building Security In – Gary McGraw
• Exploiting Software: How to Break Code – Gary McGraw
• Hackers.org - http://ha.ckers.org/
• Free Stock Photos - http://www.sxc.hu/

Cf.Objective.2009