Vulnerabilities are bugs, Let's Test For Them!
Copyright (c) Bitforest Co., Ltd.

Slide 1: Vulnerabilities Are Bugs. Let's Test for Them!
VAddy Continuous Security Testing Service
Bitforest Co., Ltd., Yasushi Ichikawa

Slide 2: Web Security Tests
• White-box testing
  • Analyze source code (e.g. with brakeman)
• Black-box testing
  • Send HTTP requests with attack payloads and check responses
  • Examples: VAddy, OWASP ZAP, AppScan

Slide 3: Current Issues with Web Security Tests
(Diagram of the release pipeline; labels: Development team; External security firm / Internal security team; Coding; Unit tests; Integration tests; Vulnerability assessment; Revisions; Release)
Current practice is to conduct only one vulnerability assessment prior to release.
• If a large number of vulnerabilities are found immediately before release, they will have a big impact on the release schedule
• From both a time and cost perspective, it's difficult to conduct vulnerability assessments for every revision and new feature introduced after an application is released

Slide 4: Current Issues with Web Security Tests
[Scenario: Using a Security Firm]
Cost: Thousands of dollars (or more)
Duration: Over one week until the results of an investigation are delivered
This is difficult to do continuously.
Slide 5: We need continuous security tests.

Slide 6: Run from the beginning of development until release, just like unit tests.

Slide 7: What Are Continuous Web Security Tests?
(Diagram comparing the current pipeline, with a single vulnerability assessment by an external security firm or internal security team before release, against the continuous one, where the development team's vulnerability assessments run alongside coding, unit tests and integration tests)
Development teams can run security tests as often as they like.

Slide 8: Issues with Continuous Web Security Tests
• Existing scanning tools
  • are difficult to add to continuous integration workflows
  • cost both time and money to set up and maintain yourself
  • have many settings and require accumulated expertise

Slide 9: Important Points
It's important to tell your scanning tools how your web application works.

Slide 10: Important Points
For example: if, while testing an authenticated page, your session expires and you are returned to the login screen, test the login screen and continue.

Slide 11: Important Points
You need to configure your tools to behave appropriately when their sessions expire and they are logged out.
Slide 12: Issues with Continuous Web Security Tests
Scanning tools aren't very effective unless you continue to learn how to configure them. This keeps you from focusing on business-critical software development.
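Slides 9 to 12 describe the session-expiry behaviour a scanner has to be taught. The following is an added example, not code from the deck or from VAddy: a request wrapper that notices the redirect back to the login screen, re-authenticates once, and retries the request. The target application, its `/login` path, the test account and the "expires after N requests" rule are all constructed stand-ins so the example runs offline.

```python
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    location: str = ""
    body: str = ""


class FakeApp:
    """Constructed stand-in for the app under test: a session dies after `ttl` requests."""
    def __init__(self, ttl=3):
        self.ttl, self.sessions, self.issued = ttl, {}, 0

    def login(self, user, password):
        if (user, password) != ("tester", "test-pass"):  # constructed test account
            return Response(401)
        self.issued += 1
        sid = f"sess{self.issued}"
        self.sessions[sid] = 0
        return Response(302, "/", body=sid)  # body stands in for the Set-Cookie value

    def get(self, path, sid):
        if sid not in self.sessions or self.sessions[sid] >= self.ttl:
            self.sessions.pop(sid, None)
            return Response(302, "/login")  # expired: bounced to the login screen
        self.sessions[sid] += 1
        return Response(200, body=f"page {path}")


class ScannerSession:
    """What the scanner needs: spot the bounce to the login page, log in again, retry."""
    def __init__(self, app, user, password, login_path="/login"):
        self.app, self.user, self.password = app, user, password
        self.login_path, self.sid, self.relogins = login_path, None, 0

    def _login(self):
        r = self.app.login(self.user, self.password)
        if r.status != 302:
            raise RuntimeError("login failed: fix the scanner's credentials before scanning")
        self.sid = r.body

    def fetch(self, path):
        if self.sid is None:
            self._login()
        r = self.app.get(path, self.sid)
        if r.status == 302 and r.location == self.login_path:
            self.relogins += 1  # session expired mid-scan: re-authenticate once
            self._login()
            r = self.app.get(path, self.sid)  # single retry, so a broken login cannot loop
        return r


def scan_paths(paths, ttl=3):
    """Fetch each path in order; returns the status codes seen and how often we re-logged in."""
    sess = ScannerSession(FakeApp(ttl), "tester", "test-pass")
    statuses = [sess.fetch(p).status for p in paths]
    return statuses, sess.relogins
```

Without the retry in `fetch`, every request after the third would come back as a 302 to `/login` and the authenticated pages would never be scanned.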
Slide 13: Simple setup / Maintenance free / Effective scanning / CI cycle automation

Slide 14: Continuous Web Security Testing Service
Vulnerability Assessment is your Buddy

Slide 15: Continuous Web Security Testing Service
http://vaddy.net

Slide 16: VAddy's Features
• No tool to install (SaaS)
• Unlimited free scanning
• Support for continuous integration
  • Web API
  • Jenkins plugin
  • Works with Travis, CircleCI, etc.

Slide 17: Common Configurations
(image only)

Slide 18: VAddy's Features
VAddy can figure out how your application works and scan it correctly without any special settings.

Slide 19: VAddy's Policy
Software developers should focus on software development!

Slide 20: VAddy's Features
Proprietary security scanning engine that uses machine learning.

Slide 21: VAddy's List of Scan Results
(image only)

Slide 22: Types of Vulnerabilities and Vulnerable Parameters
You can see the type of vulnerability (e.g. SQL injection) that was found along with the vulnerable URL and parameter name. This example shows that there is a SQL injection vulnerability in the parameter "ID" used at the URL "search", so you can figure out which lines of code are at fault.

Slide 23: Request Data for Reproducing Attacks
VAddy shows you the request data it sent so you can reproduce the attack in your own development environment.

Slide 24: Currently Supported Scans (SQLi, XSS)
• GET/POST/PUT/DELETE parameters
• REST APIs with JSON parameters
• Parameters in URL paths
  • www.example.com/item/view/1
• Form authentication (login screens)
• CSRF tokens (including Angular.js)
• SSL applications
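Slides 16 and 22 to 24 describe CI integration and the per-finding data a scan produces (vulnerability type, URL, parameter name, and the request sent). As an added example that is not part of the deck and does not use VAddy's real export format or API, this is the build gate a CI step would run over such results: it fails the job only on new findings of the listed types, comparing against the previous scan as a baseline (the baselining is this example's own addition). The JSON shape, the baseline file and the sample findings are constructed.

```python
import json

# Constructed scan output in the shape slides 22-23 describe (vulnerability type, URL,
# parameter name, and the request that triggered it). Not VAddy's real export format.
SCAN_JSON = """[
  {"type": "SQL injection", "url": "/search", "param": "ID",
   "request": {"method": "GET", "path": "/search"}},
  {"type": "XSS", "url": "/item/view", "param": "name",
   "request": {"method": "POST", "path": "/item/view"}}
]"""
# Findings already known from the previous scan (constructed baseline).
BASELINE_JSON = """[{"type": "XSS", "url": "/item/view", "param": "name"}]"""


def finding_key(f):
    """Identity of a finding: same type, URL and parameter means the same bug."""
    return (f["type"], f["url"], f["param"])


def new_findings(scan, baseline):
    """Findings in this scan that the baseline does not already contain."""
    known = {finding_key(f) for f in baseline}
    return [f for f in scan if finding_key(f) not in known]


def gate(scan_json, baseline_json, fail_on=("SQL injection", "XSS")):
    """Return (exit code, report lines). Exit 1 only for new findings of the listed types."""
    scan, baseline = json.loads(scan_json), json.loads(baseline_json)
    new = [f for f in new_findings(scan, baseline) if f["type"] in fail_on]
    # One line per finding with the URL, parameter and request, so a developer can
    # locate the responsible code and reproduce the request in a dev environment.
    report = [f'{f["type"]} at {f["url"]} (parameter "{f["param"]}", '
              f'{f["request"]["method"]} {f["request"]["path"]})' for f in new]
    return (1 if new else 0), report


if __name__ == "__main__":
    import sys
    code, report = gate(SCAN_JSON, BASELINE_JSON)
    print("\n".join(report) or "no new findings")
    sys.exit(code)  # a non-zero exit fails the CI step
```

Known findings should still be tracked and fixed; the baseline only stops an already-reported bug from blocking every later build while it is being worked on.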
Slide 25: Continuous security tests are an up-and-coming trend in software development.

Slide 26: Contacts
Twitter: @vaddy_support
Email: info@vaddy.net

Slide 27: http://vaddy.net
