In this #PNSQC webinar, Bhushan Gupta discusses Requirements Based Web Application Security. He covers tools, techniques and things to watch out for and make sure you include in your security testing throughout the software development lifecycle.

1. PNSQC Summer Webinar Series
Requirements Based Web Application
Security Testing
Featuring Guest Speaker Bhushan Gupta
@PNSQC
#PNSQC17

2. PNSQC – The organization
• The oldest so3ware quality conference in North America
now in its 35th year.
• Annual conference held in Portland, Oregon.
• Non-profit organizaJon run by volunteers.
• PNSQC is an all volunteer conference that focuses on the
quality pracJJoner.
• Conference speakers and parJcipants are people
describing their own experiences, not by consultants.
• A range of topics and speakers - everything from
automaJon and distributed teams to agile, devops and
security. 2
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com

3. House Rules
§ ParJcipants other than the speakers are muted
§ QuesJons via the GoToWebinar control on the
right side of your screen or through TwiVer
@PNSQC
§ QuesJons may be asked throughout the webinar -
we’ll try to answer them at the end
§ You will receive info on recording and slides a3er
the webinar 3
Webinar Hashtag: #securetest
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com

4. Moderating Today for PNSQC
Philip Lew
PNSQC Board Member
• CEO, XBOSoft
• Relevant specialties and passions
o Software quality process,
evaluation, measurement and
improvement
o Software quality in use / UX
design
o Mobile User Experience and
usability
o Cycling and travel
4
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com

5. 5
• Over 20 years’ experience in SDLC, so3ware process
• Web ApplicaJon Security Researcher – Best PracJces
and Tools
• 10 Years in Academia, Faculty Member, OIT (1985 – 95),
Currently an Adjunct
• Leader, OWASP, Portland Chapter
• AcJve in PNSQC since 1998
• Frequent Author and Speaker
• CerJfied Six Sigma Black Belt (2007 – 2010)
• Dedicated Toastmaster
Principal, Gupta ConsulJng
bhushan@bgupta.com
Today’s Webinar
Requirements Based Web Application Security Testing
Bhushan B. Gupta
PNSQC 2016 Invited Speaker
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com

6. Achieving High Web Application Security
6
System Elements Relevant to Security
• ApplicaJon Plagorm – OperaJng System
• Development Environment – Plagorm (Java, J2EE), 3rd Party
So3ware including Open Source
• ApplicaJon development (SDLC) – From Requirements to
Release
• Best PracJces – ConfiguraJon, Hardening, Coding Standards
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com

7. Current Trend – Penetration (Pen) Testing
7
Ethical Hacking by Red Teams
OWASP Top 10 + Other VulnerabiliJes
Check the Periphery
and Secure It
• Bad guy never sleeps
• Limited development Jme
• More and cheaper Hacking
kits in the market
Challenges
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com

8. Alternative - Build Security In
8
• Follow SDLC best pracJces, and
• Check the Periphery and Secure It
Security is an AVribute of Quality!!
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com

9. ConfidenJality, Integrity, Availability
(CIA)Principles
@Gupta ConsulJng, LLC.
www.bgupta.com
9
9/07/2017

10. Security Triangle
Security
ConfidenJality Integrity
Availability
@Gupta ConsulJng, LLC.
www.bgupta.com
10
9/07/2017

11. Data Security Principles
• ConfidenJality – Maintaining data privacy (Access Control)
• Intended malicious access – External or Internal
• Unintended – someone made a mistake
• Integrity – Authorized ModificaJon of data and system
environment
• Availability – Usable during desired hours of service
Not all data is worth protecJng!
Protect data while staJonary and in moJon!
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com
11

12. Web Application
Environment
Client browser using
client side resources
Internet/Network
Protocol
Backend System
(Database Server
ApplicaJons )
Data
HTTP
@Gupta ConsulJng, LLC.
www.bgupta.com
12
9/07/2017
WEB Server
The Weakest Link:
Access Control
Data in transit

13. ConOidentiality - Access
Control
• IdenJficaJon –
• A simple string of characters non-programmaJcally generated
(my dogs name)
• AuthenJcaJon – proof of legiJmacy
• Something specific you know (my cat’s birthday)
• Something specific you have (my driver’s license)
• A physical characterisJc – biometric (my finger or Irish scan)
• AuthorizaJon
• Resources you are allowed to access ( can not drive over the
speed limit like a police officer can)
• Audit
• Trail of acJviJes by an enJty for future reference
13
@Gupta ConsulJng, LLC.
www.bgupta.com
9/07/2017

14. Requirements - ConOidentiality
IdenJficaJon
• Each user have a unique ID that is extremely difficult to guess
• ID should follow a standard convenJon if needed
• A user ID is not shared with the other users
• ID value is not reflecJve of posiJon or role
• CAPTCHA (Completely Automated Public Turing test to tell
Computers and Humans Apart) if needed
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com
14

15. Requirements - ConOidentiality
AuthenJcaJon
• Character string
• Complexity/crackability–
• Difficult to guess (minimal length, required character categories, prohibiJve
elements –last name, date of birth)
• Should not require extra efforts to remember to avoid noJng it down
• Failure/Recovery Process
• Number of aVempts before Time Out or Locking Out
• Use of security quesJons for first login aVempt from a new device
• Recovery Mechanism – controlled such as email mechanism or on the fly
(change it while on the site, not being sent in an email or only as a temporary
password)
• No email distribuJon
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com
15

16. Requirements - ConOidentiality
AuthenJcaJon
• Character string
• Semi logoff or session ending a3er a period of no acJvity
• Longevity – password rotaJon
• Transmission over network
• Transport Layer Security (encrypted vs. plain text)
• Social Engineering – Shoulder Surfing
• OpJon to hiding password as being typed
• Storage – Plain text vs. Cryptographic Hash (a funcJon + Salt)
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com
16

17. Requirements - ConOidentiality
AuthenJcaJon
• Biometric - Legally allowed human characterisJcs
• Irish
• ReJna
• Finger Prints
• Palm Scan
• Hand ConfiguraJon
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com
17

18. Requirements - ConOidentiality
AuthorizaJon
• Policy to control access to objects – database servers
• Processes are also treated as subjects
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com
18

19. Data Integrity
Integrity – Accuracy and validity
Can be threatened by modificaJon of data by unauthorized subjects or
by error.
Requirements:
• Integrity maintained while data is at rest or in transit
• Role based access control
• ValidaJon of data both at applicaJon and database level
• Any malicious aVempts logged with adequate tracking
• Recovery mechanisms are in place in the event the data integrity has
been compromised
• SeparaJon of duJes to prevent fraud and errors – any funcJon that is
subject to abuse
@Gupta ConsulJng, LLC.
www.bgupta.com
19
9/07/2017

20. Availability
Availability – Usable during desired hours of service
Requirements:
• Available as needed (24x7x365 or as per other criteria)
• Redundancy to reinforce availability
Vulnerability – DDoS aVack (Distributed Denial of Service)
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com
20

21. Security Controls
Develop security controls based on the requirements
Example – Data Integrity
21
Requirement Control
Maintained during data transiJon
and at rest
Secure Transmission with strong
encrypJon algorithm
Role based access control Access validated both for users
and processes – Delete OperaJon
Data Accuracy Data Validated on both client and
server side
Malicious Logging AVempts Track every login event
Recovery Mechanisms Backup servers, data
SeparaJon of DuJes Controlled access rights
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com

22. Secure Design Principles – High Level
• Defense in Depth / layered defense
• If one layer of defense is compromised, there are other layers to stop the
complete breach
Example: Command Line InjecJon – poked through the system and can see directories
but you are not able to change your access level
• Fail Safe
• Maintain confidenJality, integrity, availability by returning to a secure state using
rapid recovery
• Least Privilege
• Lowest access level privilege to person or process
• Weakest Link
• ProtecJon of the weakest code
• Leveraging ExisJng Components
• Sharing of exisJng components does not increase aVack surface or vulnerabiliJes
And more …………
@Gupta ConsulJng, LLC.
www.bgupta.com
22
9/07/2017

23. Summary of Vulnerability Analysis
Vulnerability Root Cause Remedia?on
A1-InjecJon SQL Query ManipulaJon, System Call
ExecuJon, Lack of client code validaJon
Do not trust data, Do not use dynamic
queries, data validaJon, AuthorizaJon,
client side code validaJon
A2-Broken
AuthenJcaJon
Unsecure transport layer, password
handling and management, Session ID
management
Sound password policies and session
management process, patch and version
management
A3-XSS Lack of server side script validaJon Escape all untrusted HTML and Java Script
code
A4-Insecure DO
References
Object exposure to unauthorized clients AuthenJcate before providing access
A5-Security
MisconfiguraJon
Versioning, system hardening, access
control, verbose messaging (error,
Debug)
Sound patching and versioning, well defined
development pracJces
@Gupta ConsulJng, LLC.
www.bgupta.com
23
9/07/2017

24. Summary of Vulnerability Analysis
Vulnerability Root Cause Remedia?on
A6–SensiJve Data
Exposure
Data format, encrypJon key
compromise, unsecure data transport
Sound encrypJon and data transport
policies
A7-Missing FuncJonal
Level Control
Access control to sensiJve request
handlers
Sound access control, log access failure
A8-CSRF Caused due by session cookie stealing Turn it on in the framework
A9-Using components
with known
VulnerabiliJes
ExploitaJon of vulnerable framework
components/libraries from 3rd party
Monitor security of components,
establish security policies, adding
security wrappers, use scanners for
version numbers and updates
A10-Unvalidated
Redirects and Forwards
AVacker redirects client to his site with
the home page look and steals the
login informaJon
Code review and checklist to make sure
redirects are properly handled
@Gupta ConsulJng, LLC.
www.bgupta.com
24
9/07/2017

25. Building a Secure System Requires
• Smart Development Environment
• Access Control - Objects & FuncJons
• Input ValidaJon
• Secure Data Transport – hVps,
EncrypJon
• Secure Storage - EncrypJon
• System Hardening - Sound Patching &
Versioning Processes
@Gupta ConsulJng, LLC.
www.bgupta.com
25
9/07/2017

26. SDLC Must Include:
• Well defined threat modeling process
• Access control – objects (users, so3ware enJJes ), FuncJons
• A repeatable process to measure aVack surface index (ASI)
• Strong encrypJon algorithm
• Server side environment hardening
• Secure data transport
• Strong applicaJon architecture to support component
isolaJon
• Client and server side input validaJon
• Use of tools – Scanners, SQLmap etc.
@Gupta ConsulJng, LLC.
www.bgupta.com
26
9/07/2017

27. What Should be My TesJng
Strategy??
@Gupta ConsulJng, LLC.
www.bgupta.com
27
9/07/2017

28. Multi-prong Approach
Prongs:
• Fagen Style Reviews/InspecJons - Design and Raw Code
• Compiled Code – StaJc Code Analysis
• Environment VerificaJon (System Hardening) – Human
InteracJon
• Code in ExecuJon:
• Security Focused TradiJonal QA TesJng – Against security controls
• Web Scanning using Scanners (ZAP, Burp Suite)
• Dynamic Code Analysis (Veracode, ForJfy)
• PenetraJon TesJng
@Gupta ConsulJng, LLC.
www.bgupta.com
28
9/07/2017
• Smart Development Environment
• Access Control - Objects & FuncJons
• Input ValidaJon
• Secure Data Transport – hVps, EncrypJon
• Secure Storage - EncrypJon
• System Hardening - Sound Patching & Versioning Processes

29. Fagen Style Reviews/Inspections
Targets:
• Development Environment
• Opsys and Language shortcomings – Buffer Overflow
• Process and User Access Rights, (Admin vs. normal user)
• Input ValidaJon – both on client and server side
• Coding PracJces - Use of prepared statements vs. dynamic
queries
• RunJme Environment VerificaJon – System Hardening
@Gupta ConsulJng, LLC.
www.bgupta.com
29
9/07/2017

30. Fagen Style Reviews/Inspections
LogisJcs:
• Team of Experts
• Make the docs available to the team
• Conduct review session
• Log issues
• Follow though on issue resoluJon
• Analyze impact of unresolved issues
@Gupta ConsulJng, LLC.
www.bgupta.com
30
9/07/2017

31. Fagen Style Reviews/Inspections
Pigalls:
• Requires broad experJse –
• OPSYS, Language, Coding PracJces
• Time consuming if an applicaJon is complex
Note: Will work well in agile development
@Gupta ConsulJng, LLC.
www.bgupta.com
31
9/07/2017

32. Static Code Analyzer
Automated Tool:
• Runs on compiled code with Debug on
• Analyzes warning relevant to security problems
• Provides a log of potenJal vulnerabiliJes
• Some analyzer gives you a numeric index
Commercially available tools: Veracode, ForJfy (HP)
@Gupta ConsulJng, LLC.
www.bgupta.com
32
9/07/2017

33. Static Code Analyzer
Shortcomings:
• False PosiJves
• Requires resources
@Gupta ConsulJng, LLC.
www.bgupta.com
33
9/07/2017

34. Dynamic Code Analyzer
Automated Tool:
• Works on Binary code
• Simulates vulnerable scenarios
• QuanJfies app vulnerability
@Gupta ConsulJng, LLC.
www.bgupta.com
34
9/07/2017

35. Environment Hardening
Reinforce your environment:
• ConfiguraJon management policy
• Versioning – apply updates immediately
• Change Control
• Login level – Admin vs user
• Principle of Least privilege
• Change Default Sewngs – File path, access rights, password
• Disabling unnecessary features
@Gupta ConsulJng, LLC.
www.bgupta.com
35
9/07/2017

36. Scanner - BeneOits
• Obtain a high level descripJon of exisJng vulnerabiliJes
• IniJal Assessment of a web site
• Complex site with a high ASI – to determine high risk areas
• Test planning – guidance for tesJng focus
• Support release decision to assess the final quality
Should not be the only way to test the applicaJon.
@Gupta ConsulJng, LLC.
www.bgupta.com
36
9/07/2017

37. Web Scanners – ZAP/Burp Suite
CharacterisJcs
• IntercepJng Proxy Tools
• Can be used as standalone or as a daemon process
• Inspects the packets and sends it to the browser
• Can work with another proxy running in your environment
@Gupta ConsulJng, LLC.
www.bgupta.com
37
9/07/2017
ApplicaJon Browser Tool
ApplicaJon Browser Tool Proxy

38. Scanners – Functions
• Web Spidering – Crawls page and forms
• Web Scanning – executes typical vulnerability aVacks against
a web site
• Brute forcing – find files even though there are no links for it
• Fuzzing (fuzz parameters)
• Auto Tagging
• Port Scanner
• Parameter Analysis – all the parameters that applicaJon uses
• Session Comparison for mulJple roles
@Gupta ConsulJng, LLC.
www.bgupta.com
38
9/07/2017

39. Scanner - Strengths & Shortcomings
Strengths:
• Simulate malicious user quickly and are fast
• Not language dependent
• Good for audits for iniJal assessment (internal)
Shortcomings:
• Hard to find the logical flaw using tools
• Only perform a pre-defined set of aVacks
• Can not test for social engineering
• Do not cover emerging technologies – JSON and complex workflow
such as CSRF and shopping cart
• Free tools do not get updated in a Jmely manner
@Gupta ConsulJng, LLC.
www.bgupta.com
39
9/07/2017

40. Attack Surface Analysis
Compare AVack Surface of
the Two Castles
@Gupta ConsulJng, LLC.
www.bgupta.com
40
9/07/2017

41. Attack Surface Analysis – Why?
Goal – Reduce the probability of an aVack and minimize impact
Development:
• Validate design against aVack vectors
• Validate code against design
• ComparaJve analysis – create a baseline
Quality
• EsJmate the effort involved in security tesJng
• Select adequate tools and scripts for tesJng
• Perform adequate tesJng
• Prepare quality documents to the downstream stakeholders
General
• Understand overall security risk
• Prepare for unfortunate circumstances if an aVack is successful
• ComparaJve security analysis of a product from two different vendors
@Gupta ConsulJng, LLC.
www.bgupta.com
41
9/07/2017

42. Attack Surface of a System
HTTP
Protocol Browser
ApplicaJon
OS
Web Server
ApplicaJons
Backend
Systems
Targets
Comm.
Channels +
Protocols
Access Rights
@Gupta ConsulJng, LLC.
www.bgupta.com
42
9/07/2017

43. Vector Measurement
Degree of distribuJon Tool - hVps://pentest-tools.com/informaJon-
gathering/find-subdomains-of-domain
Page creaJon method
(staJc or dynamic)
Data extracJon and display (text, image, AV)
Security mechanism TLS (HTTPS), SSL, HTTP
Input The type of inputs you can include in the URL
AcJve contents Contents being used on client and server side
Cookies Kept by the applicaJon and Foreign (hVp://
www.cookie-checker.com/)
User Roles Admin, Group, User
Rights Read, Write, Execute
@Gupta ConsulJng, LLC.
www.bgupta.com
43
9/07/2017
Measurements

44. Calculating AS Index – Example
ASI = SQRT (square of each AS element component)
ddist = 3.5
dyn = 1
Security = <1,10,0>
Input Vectors = < 1, 1, 1, 1, 2, 8>
AcJve Content = < 1, 1, 1, 1, 2, 8>
Cookies = 3
Access Control = 5
Rights = 5
ASI = SQRT ( 12.25 + 1 + 1+100+0 + 1+1+1+1+4+64+ 1+1+1+1++4+64 + 9 +25 +25)
= 19.2
Minimum = 0
Maximum = Index can range from 0 to 60.79
@Gupta ConsulJng, LLC.
www.bgupta.com
44
9/07/2017

45. ASI Characteristics
• Accounts only for external threats
• Gray box method (observe applicaJon at run Jme)
• Vector weights are chosen according to relaJve importance of
a vector
• Can be effecJvely used by developers and quality assurance
group
• Scalable
@Gupta ConsulJng, LLC.
www.bgupta.com
45
9/07/2017

46. Vulnerability Severity - DREAD
@Gupta ConsulJng, LLC.
www.bgupta.com
46
9/07/2017

47. Quantifying and Comparing
Risk
Category Value = 0 Value = 5 Value = 10
Damage Impact (data) None Few users only EnJre system
Reproducibility Very hard Few steps required Use of web browser
Exploitability Advanced knowledge Use of kits Just a web bowser
Actual Users Impacted None Some but not all All users
Discoverability (applicaJon) Easy – apparent
Public Domain/Web
browser
Guessing Very hard (need special efforts)
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com
47

48. Calculating Severity
DREAD Index = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY +
AFFECTED USERS + DISCOVERABILITY) / 5
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com
48

49. Data Analysis and Reporting Results
Metrics
• Total Number of VulnerabiliJes found
• Baseline – against a test method and version
• Threat – exposure of vulnerability and the impact
• SDLC Phase – security defects found in each phase – tricky in
the agile development
• Risk Containment – how well are the counter-measures put in
place?
@Gupta ConsulJng, LLC.
www.bgupta.com
49
9/07/2017

50. Test Efforts in SDLC - Activities
@Gupta ConsulJng, LLC.
www.bgupta.com
50
9/07/2017

51. SDLC - AGILE
@Gupta ConsulJng, LLC.
www.bgupta.com
51
9/07/2017

52. Kickoff Planning
ObjecJves – Security Infrastructure Planning and IniJal Setup
EPICS:
1. Threat Model
2. Access Control – idenJficaJon, authenJcaJon, authorizaJon, and
audit management
3. ASI CharacterizaJon – vectors and scale definiJon
4. Server side hardening policy
5. Patch and version update policy
6. Design and code review management
7. Security criteria for release
8. Breach event handling / management
@Gupta ConsulJng, LLC.
www.bgupta.com
52
9/07/2017

53. Security Activities – Generic Iteration
Analyze if any new vulnerabiliJes added due to new stories
Update test plan
• AddiJonal review areas
• New configuraJons/Environmental hardening
• StaJc and Dynamic Code Analysis
• New scanning requirements
• Change in ASI Vectors
• Changes to penetraJon test scope
@Gupta ConsulJng, LLC.
www.bgupta.com
53
9/07/2017

54. Security Activities – Release Iteration
• Final ASI analysis
• Regression - PenetraJon TesJng
• Quality Assessment with respect to security
• Open Security defect analysis
• Probability of breech
• Breech impact – financial, legal, company image
• Proposed threat miJgaJon plan
@Gupta ConsulJng, LLC.
www.bgupta.com
54
9/07/2017

55. Security Acceptance Criteria
1. All PII informaJon presented concisely for easy review
2. Only business-necessary informaJon gathered from the client
3. Form is protected from any injecJon aVacks
4. User required to confirm the PII on submission for non-
repudiaJon
5. ConfidenJality of the data is maintained during transit
6. Integrity of the data is maintained during transit
7. Data stored in the database matches exactly with what was
provided by the user
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com
55

56. Conclusions
• Understand Reconnaissance
• Be aware of how common vulnerabiliJes are explored
• Build a sound threat model
• Create a well structured SECURE SDLC
• Be aware of your vulnerabiliJes and potenJal breach
• Have a security breach conJngency plan (SIEM)
9/07/2017
@Gupta ConsulJng, LLC.
www.bgupta.com
56

57. ????????? Q&A
@Gupta ConsulJng, LLC.
www.bgupta.com
57
9/07/2017

58. Join Us This Fall #PNSQC17
Bhushan’s Technical Paper: Requirements Based Web Application Security
Testing – A Preemptive Approach!
Workshops: Pragmatic Web Application Security Testing
Essential Web Application Security Test Tools
www.pnsqc.org
Today’s webinar has been
recorded and will be available
via the PNSQC Youtube
Channel and via slideshare.
@PNSQC
#PNSQC17