SlideShare a Scribd company logo

OWASP

Pen Testeronyguy
Pen Testeronyguy

This document discusses security testing approaches for the OWASP Top 10 vulnerabilities. It argues that superficial security tests that only examine the user interface provide an illusion of knowledge and security. To fully understand risks, tests need to examine the entire application stack, including the backend, and consider vulnerabilities like security misconfiguration, missing access controls, and use of vulnerable components. Examples are given showing how vulnerabilities can remain undetected if the full scope of the application is not tested, including the code, configurations, dependencies and infrastructure. A holistic approach to security testing that incorporates reverse engineering is advocated to have a realistic understanding of risks.

Internet
1 of 45
Security Testing & The Depth Behind OWASP Top 10 Yaniv Simsolo, CISSP Image: Hubble Telescope: The cat’s eye nebula
OWASP Top 10 2013 OWASP Top 10 – 2013 has evolved: • 2013-A1 – Injection • 2013-A2 – Broken Authentication and Session Management • 2013-A3 – Cross Site Scripting (XSS) • 2013-A4 – Insecure Direct Object References • 2013-A5 – Security Misconfiguration • 2013-A6 – Sensitive Data Exposure • 2013-A7 – Missing Function Level Access Control • 2013-A8 – Cross-Site Request Forgery (CSRF) • 2013-A9 – Using Known Vulnerable Components (NEW) • 2013-A10 – Unvalidated Redirects and Forwards
OWASP Top 10 2013 OWASP Top 10 – 2013 Resources: • https://www.owasp.org/index.php/Top_10_2013- Top_10 • OWASP Top 10 2013 presentation by Dave Wichers, on the OWASP web site
Mapping Top 10: From 2010 to 2013 Source: OWASP Top 10 2013 presentation by Dave Wichers
Assumptions • In Information Security – several top 10 exist – OWASP Top 10 is dominant • “Top 3”: we all know about XSS’s Injections, CSRF’s etc. • Most organizations are well aware of these issues
Assumptions • OK. What now? • “Top 6” = (“Top 3”) + (“we test what we can”): – Broken authentication and session management – Unvalidated redirects and forwards – Insecure direct object references • Most organizations are aware of these issues • OK, What now?
What did we miss? • Security misconfiguration – A5. • Missing Function Level access control – A7. • Using known vulnerable components – A9 • A6 – sensitive data exposure now includes a merge of: – Insufficient transport layer protection (2010 – A9) – Insecure cryptographic storage (2010-A7)
What did we miss? • Security misconfiguration – A5. – (almost) not Web Application but: Application/system • Missing Function Level access control – A7. – Partial Web Application, Partial Application/system • Using known vulnerable components – A9 – (almost) not Web Application but: Application/syste
What did we miss? • A6 – sensitive data exposure now includes a merge of: – Insufficient transport layer protection (2010 – A9) – Insecure cryptographic storage (2010-A7) • Is this just Web Application? • Is the problem more severe once we look below the Web Layer?
What did we miss? Example Security misconfiguration – A5 + Using known vulnerable components – A9 = Perimeter is not working
The Problem Image: Hubble Telescope: The cat’s eye nebula
Over Complexity • Too much data • Endless attack possibilities • Too many security solutions, vendors, products • No homogenous approach
The Attack Vectors – Any system – Any infrastructure – Any communication – Any language – Any architecture – Any component – Any information, any data – Any physical layer – Any logical layer – Any storage device / facility – Any (communication) channel – Any interface – Any encryption – Any environment – Any site (including DR) – Any transaction – Any log and audit trail – Any archive – Any process (operations, ongoing, development)
The Attack Types Takeover Data theft – Any system – Any infrastructure – Any communication – Any language – Any architecture – Any component – Any information, any data – Any physical layer – Any logical layer – Any storage device / facility – Any (communication) channel – Any interface – Any encryption – Any environment – Any site (including DR) – Any transaction – Any log and audit trail – Any archive – Any process (operations, ongoing, development) Data tampering System integrity disruption Business Logic manipulation Eavesdropping Backdoors – built in by design Backdoors – creation by attackers Unintentional attacks Intentional by authorized entities Attacks by non-human entities Denial of Service De Facto Denial of Service Authorization bypass Access bypass Smuggling, Splitting and evasion-type attacks
The Problem Even the simplified security areas present a demanding challenge. For example - XSS: • Very difficult to detect all variants in modern systems • Almost impossible to retain high security level once achieved
Common Solutions • Superficial security tests. – Many “good reasons”: • Budget • Time constraints • Lack of understanding • Over complexity
Common Solutions • Impacts of superficial security tests in the long run? – Partial to no security – Poor security practices – These organizations effect the security market, pulling downwards! – Loss or partial integrity of security professionals –Worse still: false sense of security
Where Did That Got Us? • Ludicrous security warnings: – January 2013: Department of Homeland Security: Do not use Java. Remove the JRE. – April 2014: Department of Homeland Security: Versions 6 – 11 of IE are not to be used. – April 2014: OpenSSL is insecure
Where Did That Got Us? • Poor security in design and architecture • (Almost) no security in Agile/Continuous Delivery developed code
Modern Systems Common Pitfall • Modern systems are more secured. ??? 20
Where Did That Got Us? • Challenging security presentations: – In-Depth Security is dead (RSA conference 2011) – Security is dead (Rugged coding - RSA conference 2012) • Ignorance is bliss….
Security Testing Image: Hubble Telescope: The cat’s eye nebula
How to Test? • This is messy. VERY messy. • There are shortcuts
How to Test? • Actually – most is quiet easy to test. • Go back to theory. • Forget about the payloads.
The Fallback Common Option • Test the GUI • Black Box testing methodology • Exclude the difficult stuff from scope • This is a “good” solution: it fits organizations and security professionals
The Fallback Common Option • “The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.” ― Stephen Hawking • Testing just the GUI illusion of knowledge • Testing just the FE illusion of security • Increasingly often we are requested to test much less than the actual scope. • Consider carefully prior to testing – what should be the actual testing scope
How to test? • “Supreme excellence consists in breaking the enemy's resistance without fighting.” Sun Tzu • Common Mobile WCF architecture – Where is the presentation layer? – Which entities are granted access to business logic?
How to test? • OWASP top 10 – mobile: Source: OWASP Top 10 Mobile project
The Oracle Exadata Example • Oracle Exadata simplified: – Data Warehouse platform – Consolidation/Grid platform – Storage platform • Exadata security best practices consist of: – The “regular stuff” – Database standard security – Data Warehouse specialized security – Consolidation/Grid specialized security
The Oracle Exadata Example • Oracle Exadata (as a database platform) Security Testing Benchmark: – Organization A tested: • The databases • The environments • The Data Warehouse specialized security • The Exadata itself – Organization B tested: • Just some deployed databases • Partial security testing for each database • Worse still: Exadata not to be tested as a policy • Who said: 2013-A5 Security Misconfiguration?
Testing A5, A7, A9 • “If you know the enemy and know yourself you need not fear the results of a hundred battles”, Sun Tzu • Do we really know ourselves? • Where are A5, A7 and A9 implemented? • Not testing the BE  illusion of knowing
The Windows XP Example • Organization C, defines and enforces strict development and deployment security standards towards all its suppliers/customers. • Over 60 pages of procedures and instructions. • Insisting on supporting Windows XP based systems. • Who said: 2013-A9 Using Known Vulnerable Components?
2013-A9 Using known Vulnerable Components • A vendor offers DBAAS – Excellent: beat the market offering *AAS something... • How can the organization trust the security of DBAAS? – Will separation be enforced? – Will compartmentalization be enforced? • Did we really tested and can trust the Cloud on which the DBAAS is based?
Declarative Security • What? • One of the foundations of modern languages run-time security. • Mostly ignored or bypassed. • Who said: Security misconfiguration – A5, Missing Function Level access control – A7?
Declarative Security • “Deployment descriptors must provide certain structural information for each component if this information has not been provided in annotations or is not to be defaulted.” (Oracle docs.)
Declarative Security • “Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment — that which they cannot anticipate.” Sun Tzu • Lack or weak declarative security: Once code access achieved – the extraordinary will be feasible.
Declarative Security • Poor design due to no design • Cancelling off declarative security or ignoring declarative security  revoking language security fundamentals. • Common real life deployment descriptors: // Do what you will. Totally permissive policy file. grant { permission java.security.AllPermission; }; •  Killing my own code!
Reverse Engineering (A5, A6, A9) • What for? • Why for Mobile security testing ONLY? • From Wikipedia: – Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation.
Testing A2, A5, A6 • 2013 A6 – Sensitive data exposure • 2013 A5 – Security misconfiguration • 2013 A2 – Broken authentication • Too much use of “third singulars” – The actual minute details of the tested object dissolve
2013-A5 Security Misconfiguration • There is no external access! • The intended users will only perform intended actions… • Virtualization  Separation 40
2013-A5 Security Misconfiguration • How do organizations secure legacy unsecured systems? • Install terminals (e.g. Citrix) as the presentation layer / access control layer. • Challenge: manage multiple users across multiple systems. • Result: the terminals are partially secure. – Too many terminals to manage over long periods – Some insecure – The insecure terminals are the attacker entry points.
Critical Thinking Takeover Data theft – Any system – Any infrastructure – Any communication – Any language – Any architecture – Any component – Any information, any data – Any physical layer – Any logical layer – Any storage device / facility – Any (communication) channel – Any interface – Any encryption – Any environment – Any site (including DR) – Any transaction – Any log and audit trail – Any archive – Any process (operations, ongoing, development) Data tampering System integrity disruption Business Logic manipulation Eavesdropping Backdoors – built in by design Backdoors – creation by attackers Unintentional attacks Intentional by authorized entities Attacks by non-human entities Denial of Service De Facto Denial of Service Authorization bypass Access bypass Smuggling, Splitting and evasion-type attacks
Critical Thinking • Critical thinking is the ability to think clearly and rationally. This requires reflective and independent thinking. (Philosophy field) • For organization security is too difficult: over complexity, too much to orchestrate, etc. • Increasingly often we are requested to test much less than the actual scope. • Some organizations will not be educated. • Push the industry back up with those organizations that can be educated.
Critical Thinking • For the security professionals, security is a challenge. Hence, always employ critical thinking and review the process of testing itself. – Flexibility under varying technologies – Use automated testing tools to the max AND be always aware of their limitations – Scoping accurately is mandatory
Qustions? Yaniv Simsolo, CISSP Image: Hubble Telescope: The cat’s eye nebula

Recommended

Shmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotShmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotjstnkndy
 
Owasp joy of proactive security
Owasp joy of proactive securityOwasp joy of proactive security
Owasp joy of proactive securityScott Behrens
 
Getting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionGetting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionJoe McCray
 
Building a low cost hack lab
Building a low cost hack labBuilding a low cost hack lab
Building a low cost hack labJoe McCray
 
Craft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionCraft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionAaron Rinehart
 
Wireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEPWireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEPJoe McCray
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletinAdrian Sanabria
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
 

Recommended

Shmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotShmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotjstnkndy
 
Owasp joy of proactive security
Owasp joy of proactive securityOwasp joy of proactive security
Owasp joy of proactive securityScott Behrens
 
Getting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionGetting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionJoe McCray
 
Building a low cost hack lab
Building a low cost hack labBuilding a low cost hack lab
Building a low cost hack labJoe McCray
 
Craft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionCraft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionAaron Rinehart
 
Wireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEPWireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEPJoe McCray
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletinAdrian Sanabria
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
 
SDLC & DevSecOps
SDLC & DevSecOpsSDLC & DevSecOps
SDLC & DevSecOpsIrina Kostina
 
So You Want to be a Hacker?
So You Want to be a Hacker?So You Want to be a Hacker?
So You Want to be a Hacker?Christopher Grayson
 
Pivotal APJ Security Chaos Engineering
Pivotal APJ Security Chaos EngineeringPivotal APJ Security Chaos Engineering
Pivotal APJ Security Chaos EngineeringAaron Rinehart
 
Practioners Guide to SOC
Practioners Guide to SOCPractioners Guide to SOC
Practioners Guide to SOCAlienVault
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment TechniquesDenim Group
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedJoe McCray
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Building Security Controls around Attack Models
Building Security Controls around Attack ModelsBuilding Security Controls around Attack Models
Building Security Controls around Attack ModelsSeniorStoryteller
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive SecurityAndy Hoernecke
 
ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingAaron Rinehart
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...Adrian Sanabria
 
GDS-Austin - DevSecOps & Security Chaos Engineering
GDS-Austin - DevSecOps & Security Chaos EngineeringGDS-Austin - DevSecOps & Security Chaos Engineering
GDS-Austin - DevSecOps & Security Chaos EngineeringAaron Rinehart
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationDenim Group
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Adrian Sanabria
 
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016jtmelton
 
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringRSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringAaron Rinehart
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
 
3,2,1 Despegamos!!!
3,2,1 Despegamos!!!3,2,1 Despegamos!!!
3,2,1 Despegamos!!!macaluna
 
Have You Turns Your Lights Off Today?
Have You Turns Your Lights Off Today?Have You Turns Your Lights Off Today?
Have You Turns Your Lights Off Today?Brookebrady
 

More Related Content

What's hot

Pivotal APJ Security Chaos Engineering
Pivotal APJ Security Chaos EngineeringPivotal APJ Security Chaos Engineering
Pivotal APJ Security Chaos EngineeringAaron Rinehart
 
Practioners Guide to SOC
Practioners Guide to SOCPractioners Guide to SOC
Practioners Guide to SOCAlienVault
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment TechniquesDenim Group
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedJoe McCray
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Building Security Controls around Attack Models
Building Security Controls around Attack ModelsBuilding Security Controls around Attack Models
Building Security Controls around Attack ModelsSeniorStoryteller
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive SecurityAndy Hoernecke
 
ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingAaron Rinehart
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...Adrian Sanabria
 
GDS-Austin - DevSecOps & Security Chaos Engineering
GDS-Austin - DevSecOps & Security Chaos EngineeringGDS-Austin - DevSecOps & Security Chaos Engineering
GDS-Austin - DevSecOps & Security Chaos EngineeringAaron Rinehart
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationDenim Group
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Adrian Sanabria
 
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016jtmelton
 
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringRSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringAaron Rinehart
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
 

What's hot (20)

SDLC & DevSecOps
SDLC & DevSecOpsSDLC & DevSecOps
SDLC & DevSecOps
 
So You Want to be a Hacker?
So You Want to be a Hacker?So You Want to be a Hacker?
So You Want to be a Hacker?
 
Pivotal APJ Security Chaos Engineering
Pivotal APJ Security Chaos EngineeringPivotal APJ Security Chaos Engineering
Pivotal APJ Security Chaos Engineering
 
Practioners Guide to SOC
Practioners Guide to SOCPractioners Guide to SOC
Practioners Guide to SOC
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment Techniques
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got Owned
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
Building Security Controls around Attack Models
Building Security Controls around Attack ModelsBuilding Security Controls around Attack Models
Building Security Controls around Attack Models
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive Security
 
ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos Testing
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
 
GDS-Austin - DevSecOps & Security Chaos Engineering
GDS-Austin - DevSecOps & Security Chaos EngineeringGDS-Austin - DevSecOps & Security Chaos Engineering
GDS-Austin - DevSecOps & Security Chaos Engineering
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017
 
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
 
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringRSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
 

Viewers also liked

3,2,1 Despegamos!!!
3,2,1 Despegamos!!!3,2,1 Despegamos!!!
3,2,1 Despegamos!!!macaluna
 
Have You Turns Your Lights Off Today?
Have You Turns Your Lights Off Today?Have You Turns Your Lights Off Today?
Have You Turns Your Lights Off Today?Brookebrady
 
Página fija de inicio
Página fija de inicioPágina fija de inicio
Página fija de inicioEmagister
 
Viaje a la luna
Viaje a la lunaViaje a la luna
Viaje a la lunavanessaa99
 
Jaarverslag Heembouw 2015 - Wij creëren plekken waar mensen willen zijn
Jaarverslag Heembouw 2015 - Wij creëren plekken waar mensen willen zijnJaarverslag Heembouw 2015 - Wij creëren plekken waar mensen willen zijn
Jaarverslag Heembouw 2015 - Wij creëren plekken waar mensen willen zijnHeembouw
 
marlene%20reference%2093
marlene%20reference%2093marlene%20reference%2093
marlene%20reference%2093Lily Boyce
 
TABLE OF SPECIFICATION
TABLE OF SPECIFICATIONTABLE OF SPECIFICATION
TABLE OF SPECIFICATIONfloriejean
 
University of California, Santa Barbara_Full Written Case
University of California, Santa Barbara_Full Written CaseUniversity of California, Santa Barbara_Full Written Case
University of California, Santa Barbara_Full Written CaseTara O'Neil
 

Viewers also liked (12)

3,2,1 Despegamos!!!
3,2,1 Despegamos!!!3,2,1 Despegamos!!!
3,2,1 Despegamos!!!
 
Have You Turns Your Lights Off Today?
Have You Turns Your Lights Off Today?Have You Turns Your Lights Off Today?
Have You Turns Your Lights Off Today?
 
CV Fikri
CV FikriCV Fikri
CV Fikri
 
Resume Summary
Resume SummaryResume Summary
Resume Summary
 
HonorSociety.org Certificate - Copy
HonorSociety.org Certificate - CopyHonorSociety.org Certificate - Copy
HonorSociety.org Certificate - Copy
 
Página fija de inicio
Página fija de inicioPágina fija de inicio
Página fija de inicio
 
Viaje a la luna
Viaje a la lunaViaje a la luna
Viaje a la luna
 
Jaarverslag Heembouw 2015 - Wij creëren plekken waar mensen willen zijn
Jaarverslag Heembouw 2015 - Wij creëren plekken waar mensen willen zijnJaarverslag Heembouw 2015 - Wij creëren plekken waar mensen willen zijn
Jaarverslag Heembouw 2015 - Wij creëren plekken waar mensen willen zijn
 
Baloncesto
Baloncesto Baloncesto
Baloncesto
 
marlene%20reference%2093
marlene%20reference%2093marlene%20reference%2093
marlene%20reference%2093
 
TABLE OF SPECIFICATION
TABLE OF SPECIFICATIONTABLE OF SPECIFICATION
TABLE OF SPECIFICATION
 
University of California, Santa Barbara_Full Written Case
University of California, Santa Barbara_Full Written CaseUniversity of California, Santa Barbara_Full Written Case
University of California, Santa Barbara_Full Written Case
 

Similar to OWASP

Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit ERPScan
 
Integration into the Secure SDLC Process.ppt
Integration into the Secure SDLC Process.pptIntegration into the Secure SDLC Process.ppt
Integration into the Secure SDLC Process.pptImam Halim Mursyidin
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Claus Cramon Houmann
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
How to break web applications
How to break web applicationsHow to break web applications
How to break web applicationsDinis Cruz
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
CyberSecurity Portfolio Management
CyberSecurity Portfolio ManagementCyberSecurity Portfolio Management
CyberSecurity Portfolio ManagementPriyanka Aash
 
Improve Security through Continuous Testing
Improve Security through Continuous TestingImprove Security through Continuous Testing
Improve Security through Continuous TestingTechWell
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Claus Cramon Houmann
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityClaus Cramon Houmann
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security ArchitectureCisco Canada
 
Secure software chapman
Secure software chapmanSecure software chapman
Secure software chapmanAdaCore
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNorth Texas Chapter of the ISSA
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processesDavid Jorm
 
Oracle ADF Architecture TV - Design - Designing for Security
Oracle ADF Architecture TV - Design - Designing for SecurityOracle ADF Architecture TV - Design - Designing for Security
Oracle ADF Architecture TV - Design - Designing for SecurityChris Muir
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Practical approaches to IoT security
Practical approaches to IoT securityPractical approaches to IoT security
Practical approaches to IoT securityTony Wilson
 
Spirent: The Internet of Things: The Expanded Security Perimeter
Spirent: The Internet of Things: The Expanded Security Perimeter Spirent: The Internet of Things: The Expanded Security Perimeter
Spirent: The Internet of Things: The Expanded Security Perimeter Sailaja Tennati
 

Similar to OWASP (20)

Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit
 
Integration into the Secure SDLC Process.ppt
Integration into the Secure SDLC Process.pptIntegration into the Secure SDLC Process.ppt
Integration into the Secure SDLC Process.ppt
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
How to break web applications
How to break web applicationsHow to break web applications
How to break web applications
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
CyberSecurity Portfolio Management
CyberSecurity Portfolio ManagementCyberSecurity Portfolio Management
CyberSecurity Portfolio Management
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
Improve Security through Continuous Testing
Improve Security through Continuous TestingImprove Security through Continuous Testing
Improve Security through Continuous Testing
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security Architecture
 
Secure software chapman
Secure software chapmanSecure software chapman
Secure software chapman
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processes
 
Oracle ADF Architecture TV - Design - Designing for Security
Oracle ADF Architecture TV - Design - Designing for SecurityOracle ADF Architecture TV - Design - Designing for Security
Oracle ADF Architecture TV - Design - Designing for Security
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Practical approaches to IoT security
Practical approaches to IoT securityPractical approaches to IoT security
Practical approaches to IoT security
 
Spirent: The Internet of Things: The Expanded Security Perimeter
Spirent: The Internet of Things: The Expanded Security Perimeter Spirent: The Internet of Things: The Expanded Security Perimeter
Spirent: The Internet of Things: The Expanded Security Perimeter
 

Recently uploaded

audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkklolsDocherty
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyDamar Juniarto
 
Bug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's GuideBug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's GuideVarun Mithran
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxlaozhuseo02
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEHimani415946
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
 
Case study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptxCase study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptxAnkitscribd
 
Pvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan
 
How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?Linksys Velop Login
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxabhinandnam9997
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理aagad
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfSiskaFitrianingrum
 

Recently uploaded (13)

audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case Study
 
Bug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's GuideBug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's Guide
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
Case study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptxCase study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptx
 
Pvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdf
 
How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?
 
The Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI StudioThe Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI Studio
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdf
 

OWASP

  • 1. Security Testing & The Depth Behind OWASP Top 10 Yaniv Simsolo, CISSP Image: Hubble Telescope: The cat’s eye nebula
  • 2. OWASP Top 10 2013 OWASP Top 10 – 2013 has evolved: • 2013-A1 – Injection • 2013-A2 – Broken Authentication and Session Management • 2013-A3 – Cross Site Scripting (XSS) • 2013-A4 – Insecure Direct Object References • 2013-A5 – Security Misconfiguration • 2013-A6 – Sensitive Data Exposure • 2013-A7 – Missing Function Level Access Control • 2013-A8 – Cross-Site Request Forgery (CSRF) • 2013-A9 – Using Known Vulnerable Components (NEW) • 2013-A10 – Unvalidated Redirects and Forwards
  • 3. OWASP Top 10 2013 OWASP Top 10 – 2013 Resources: • https://www.owasp.org/index.php/Top_10_2013- Top_10 • OWASP Top 10 2013 presentation by Dave Wichers, on the OWASP web site
  • 4. Mapping Top 10: From 2010 to 2013 Source: OWASP Top 10 2013 presentation by Dave Wichers
  • 5. Assumptions • In Information Security – several top 10 exist – OWASP Top 10 is dominant • “Top 3”: we all know about XSS’s Injections, CSRF’s etc. • Most organizations are well aware of these issues
  • 6. Assumptions • OK. What now? • “Top 6” = (“Top 3”) + (“we test what we can”): – Broken authentication and session management – Unvalidated redirects and forwards – Insecure direct object references • Most organizations are aware of these issues • OK, What now?
  • 7. What did we miss? • Security misconfiguration – A5. • Missing Function Level access control – A7. • Using known vulnerable components – A9 • A6 – sensitive data exposure now includes a merge of: – Insufficient transport layer protection (2010 – A9) – Insecure cryptographic storage (2010-A7)
  • 8. What did we miss? • Security misconfiguration – A5. – (almost) not Web Application but: Application/system • Missing Function Level access control – A7. – Partial Web Application, Partial Application/system • Using known vulnerable components – A9 – (almost) not Web Application but: Application/syste
  • 9. What did we miss? • A6 – sensitive data exposure now includes a merge of: – Insufficient transport layer protection (2010 – A9) – Insecure cryptographic storage (2010-A7) • Is this just Web Application? • Is the problem more severe once we look below the Web Layer?
  • 10. What did we miss? Example Security misconfiguration – A5 + Using known vulnerable components – A9 = Perimeter is not working
  • 11. The Problem Image: Hubble Telescope: The cat’s eye nebula
  • 12. Over Complexity • Too much data • Endless attack possibilities • Too many security solutions, vendors, products • No homogenous approach
  • 13. The Attack Vectors – Any system – Any infrastructure – Any communication – Any language – Any architecture – Any component – Any information, any data – Any physical layer – Any logical layer – Any storage device / facility – Any (communication) channel – Any interface – Any encryption – Any environment – Any site (including DR) – Any transaction – Any log and audit trail – Any archive – Any process (operations, ongoing, development)
  • 14. The Attack Types Takeover Data theft – Any system – Any infrastructure – Any communication – Any language – Any architecture – Any component – Any information, any data – Any physical layer – Any logical layer – Any storage device / facility – Any (communication) channel – Any interface – Any encryption – Any environment – Any site (including DR) – Any transaction – Any log and audit trail – Any archive – Any process (operations, ongoing, development) Data tampering System integrity disruption Business Logic manipulation Eavesdropping Backdoors – built in by design Backdoors – creation by attackers Unintentional attacks Intentional by authorized entities Attacks by non-human entities Denial of Service De Facto Denial of Service Authorization bypass Access bypass Smuggling, Splitting and evasion-type attacks
  • 15. The Problem Even the simplified security areas present a demanding challenge. For example - XSS: • Very difficult to detect all variants in modern systems • Almost impossible to retain high security level once achieved
  • 16. Common Solutions • Superficial security tests. – Many “good reasons”: • Budget • Time constraints • Lack of understanding • Over complexity
  • 17. Common Solutions • Impacts of superficial security tests in the long run? – Partial to no security – Poor security practices – These organizations effect the security market, pulling downwards! – Loss or partial integrity of security professionals –Worse still: false sense of security
  • 18. Where Did That Got Us? • Ludicrous security warnings: – January 2013: Department of Homeland Security: Do not use Java. Remove the JRE. – April 2014: Department of Homeland Security: Versions 6 – 11 of IE are not to be used. – April 2014: OpenSSL is insecure
  • 19. Where Did That Got Us? • Poor security in design and architecture • (Almost) no security in Agile/Continuous Delivery developed code
  • 20. Modern Systems Common Pitfall • Modern systems are more secured. ??? 20
  • 21. Where Did That Got Us? • Challenging security presentations: – In-Depth Security is dead (RSA conference 2011) – Security is dead (Rugged coding - RSA conference 2012) • Ignorance is bliss….
  • 22. Security Testing Image: Hubble Telescope: The cat’s eye nebula
  • 23. How to Test? • This is messy. VERY messy. • There are shortcuts
  • 24. How to Test? • Actually – most is quiet easy to test. • Go back to theory. • Forget about the payloads.
  • 25. The Fallback Common Option • Test the GUI • Black Box testing methodology • Exclude the difficult stuff from scope • This is a “good” solution: it fits organizations and security professionals
  • 26. The Fallback Common Option • “The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.” ― Stephen Hawking • Testing just the GUI illusion of knowledge • Testing just the FE illusion of security • Increasingly often we are requested to test much less than the actual scope. • Consider carefully prior to testing – what should be the actual testing scope
  • 27. How to test? • “Supreme excellence consists in breaking the enemy's resistance without fighting.” Sun Tzu • Common Mobile WCF architecture – Where is the presentation layer? – Which entities are granted access to business logic?
  • 28. How to test? • OWASP top 10 – mobile: Source: OWASP Top 10 Mobile project
  • 29. The Oracle Exadata Example • Oracle Exadata simplified: – Data Warehouse platform – Consolidation/Grid platform – Storage platform • Exadata security best practices consist of: – The “regular stuff” – Database standard security – Data Warehouse specialized security – Consolidation/Grid specialized security
  • 30. The Oracle Exadata Example • Oracle Exadata (as a database platform) Security Testing Benchmark: – Organization A tested: • The databases • The environments • The Data Warehouse specialized security • The Exadata itself – Organization B tested: • Just some deployed databases • Partial security testing for each database • Worse still: Exadata not to be tested as a policy • Who said: 2013-A5 Security Misconfiguration?
  • 31. Testing A5, A7, A9 • “If you know the enemy and know yourself you need not fear the results of a hundred battles”, Sun Tzu • Do we really know ourselves? • Where are A5, A7 and A9 implemented? • Not testing the BE  illusion of knowing
  • 32. The Windows XP Example • Organization C, defines and enforces strict development and deployment security standards towards all its suppliers/customers. • Over 60 pages of procedures and instructions. • Insisting on supporting Windows XP based systems. • Who said: 2013-A9 Using Known Vulnerable Components?
  • 33. 2013-A9 Using known Vulnerable Components • A vendor offers DBAAS – Excellent: beat the market offering *AAS something... • How can the organization trust the security of DBAAS? – Will separation be enforced? – Will compartmentalization be enforced? • Did we really tested and can trust the Cloud on which the DBAAS is based?
  • 34. Declarative Security • What? • One of the foundations of modern languages run-time security. • Mostly ignored or bypassed. • Who said: Security misconfiguration – A5, Missing Function Level access control – A7?
  • 35. Declarative Security • “Deployment descriptors must provide certain structural information for each component if this information has not been provided in annotations or is not to be defaulted.” (Oracle docs.)
  • 36. Declarative Security • “Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment — that which they cannot anticipate.” Sun Tzu • Lack or weak declarative security: Once code access achieved – the extraordinary will be feasible.
  • 37. Declarative Security • Poor design due to no design • Cancelling off declarative security or ignoring declarative security  revoking language security fundamentals. • Common real life deployment descriptors: // Do what you will. Totally permissive policy file. grant { permission java.security.AllPermission; }; •  Killing my own code!
  • 38. Reverse Engineering (A5, A6, A9) • What for? • Why for Mobile security testing ONLY? • From Wikipedia: – Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation.
  • 39. Testing A2, A5, A6 • 2013 A6 – Sensitive data exposure • 2013 A5 – Security misconfiguration • 2013 A2 – Broken authentication • Too much use of “third singulars” – The actual minute details of the tested object dissolve
  • 40. 2013-A5 Security Misconfiguration • There is no external access! • The intended users will only perform intended actions… • Virtualization  Separation 40
  • 41. 2013-A5 Security Misconfiguration • How do organizations secure legacy unsecured systems? • Install terminals (e.g. Citrix) as the presentation layer / access control layer. • Challenge: manage multiple users across multiple systems. • Result: the terminals are partially secure. – Too many terminals to manage over long periods – Some insecure – The insecure terminals are the attacker entry points.
  • 42. Critical Thinking Takeover Data theft – Any system – Any infrastructure – Any communication – Any language – Any architecture – Any component – Any information, any data – Any physical layer – Any logical layer – Any storage device / facility – Any (communication) channel – Any interface – Any encryption – Any environment – Any site (including DR) – Any transaction – Any log and audit trail – Any archive – Any process (operations, ongoing, development) Data tampering System integrity disruption Business Logic manipulation Eavesdropping Backdoors – built in by design Backdoors – creation by attackers Unintentional attacks Intentional by authorized entities Attacks by non-human entities Denial of Service De Facto Denial of Service Authorization bypass Access bypass Smuggling, Splitting and evasion-type attacks
  • 43. Critical Thinking • Critical thinking is the ability to think clearly and rationally. This requires reflective and independent thinking. (Philosophy field) • For organization security is too difficult: over complexity, too much to orchestrate, etc. • Increasingly often we are requested to test much less than the actual scope. • Some organizations will not be educated. • Push the industry back up with those organizations that can be educated.
  • 44. Critical Thinking • For the security professionals, security is a challenge. Hence, always employ critical thinking and review the process of testing itself. – Flexibility under varying technologies – Use automated testing tools to the max AND be always aware of their limitations – Scoping accurately is mandatory
  • 45. Qustions? Yaniv Simsolo, CISSP Image: Hubble Telescope: The cat’s eye nebula