
Vulnerabilities are bugs, Let's Test For Them!



  1. Copyright (c) Bitforest Co., Ltd. Vulnerabilities Are Bugs, Let's Test for Them! VAddy Continuous Security Testing Service. Bitforest Co., Ltd., Yasushi Ichikawa
  2. Web Security Tests
     • White-box testing: analyze source code (e.g. with brakeman)
     • Black-box testing: send HTTP requests with attack payloads and check responses
     • Examples: VAddy, OWASP ZAP, AppScan
  3. Current Issues with Web Security Tests
     [Diagram: Coding → Unit tests → Integration tests (development team) → Vulnerability assessment (external security firm or internal security team) → Release → Revisions (development team)]
     Current practice is to conduct only one vulnerability assessment prior to release.
     • If a large number of vulnerabilities are found immediately before release, they will have a big impact on the release schedule
     • From both a time and cost perspective, it's difficult to conduct vulnerability assessments for every revision and new feature introduced after an application is released
  4. Current Issues with Web Security Tests
     [Scenario: Using a Security Firm]
     • Cost: thousands of dollars (or more)
     • Duration: over one week until the results of an investigation are delivered
     This is difficult to do continuously.
  5. We need continuous security tests
  6. Run from the beginning of development until release, just like unit tests
  7. What Are Continuous Web Security Tests?
     [Diagram, current practice: Coding → Unit tests → Integration tests (development team) → Vulnerability assessment (external security firm or internal security team) → Release → Revisions (development team)]
     [Diagram, continuous security tests: Coding → Unit tests → Integration tests → Vulnerability assessments → Release, all run by the development team]
     Development teams can run security tests as often as they like.
  8. Issues with Continuous Web Security Tests
     Existing scanning tools:
     • are difficult to add to continuous integration workflows
     • cost both time and money to set up and maintain yourself
     • have many settings and require accumulated expertise
  9. Important Points
     It's important to tell your scanning tools how your web application works.
  10. Important Points
     For example: if, while testing an authenticated page, your session expires and you are returned to the login screen, test the login screen and continue.
  11. Important Points
     You need to configure your tools to behave appropriately when their sessions expire and they are logged out.
  12. Issues with Continuous Web Security Tests
     Scanning tools aren't very effective unless you continue to learn how to configure them. This keeps you from focusing on business-critical software development.
  13. Simple setup
     • Maintenance free
     • Effective scanning
     • CI cycle automation
  14. Continuous Web Security Testing Service: Vulnerability Assessment is your Buddy
  15. Continuous Web Security Testing Service: http://vaddy.net
  16. VAddy's Features
     • No tool to install (SaaS)
     • Unlimited free scanning
     • Support for continuous integration
       • Web API
       • Jenkins plugin
       • Works with Travis, CircleCI, etc.
  17. Common Configurations
  18. VAddy's Features
     VAddy can figure out how your application works and scan it correctly without any special settings.
  19. VAddy's Policy
     Software developers should focus on software development!
  20. VAddy's Features
     Proprietary security scanning engine that uses machine learning.
  21. VAddy's List of Scan Results
  22. Types of Vulnerabilities and Vulnerable Parameters
     You can see the type of vulnerability (e.g. SQL injection) that was found along with the vulnerable URL and parameter name. This example shows that there is a SQL injection vulnerability in the parameter "ID" used at the URL "search", so you can figure out which lines of code are at fault.
  23. Request Data for Reproducing Attacks
     VAddy shows you the request data it sent so you can reproduce the attack in your own development environment.
  24. Currently Supported Scans (SQLi, XSS)
     • GET/POST/PUT/DELETE parameters
     • REST APIs with JSON parameters
     • Parameters in URL paths (e.g. www.example.com/item/view/1)
     • Form authentication (login screens)
     • CSRF tokens (including Angular.js)
     • SSL applications
  25. Continuous security tests are an up-and-coming trend in software development
  26. Contacts
     • Twitter: @vaddy_support
     • Email: info@vaddy.net
  27. http://vaddy.net
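Slides 10 and 11 say a black-box scanner must notice when its session expires mid-scan and log in again rather than keep recording the login screen as the response of an authenticated page. The following is an added example of that control flow, not VAddy's or Bitforest's code; the target application is simulated in-process so it runs offline, and the login path, session lifetime and page list are constructed values.

```python
"""Toy black-box scan loop that re-authenticates when the session expires.
Added example, not VAddy's code: the target app is simulated in-process so it
runs offline; login path, session TTL and page list are constructed values."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LOGIN_PATH = "/login"   # assumed location of the login screen
SESSION_TTL = 3         # constructed: a session survives three requests


@dataclass
class Response:
    status: int
    location: str = ""


@dataclass
class FakeApp:
    """Stand-in target: live sessions serve pages, dead ones redirect to login."""
    sessions: Dict[str, int] = field(default_factory=dict)
    issued: int = 0

    def login(self, user: str, password: str) -> str:
        self.issued += 1
        sid = f"sess{self.issued}"
        self.sessions[sid] = SESSION_TTL
        return sid

    def get(self, path: str, sid: Optional[str]) -> Response:
        if self.sessions.get(sid, 0) <= 0:
            return Response(302, location=LOGIN_PATH)
        self.sessions[sid] -= 1
        return Response(200)


def scan(app: FakeApp, paths: List[str], creds: Tuple[str, str]) -> dict:
    """Request each authenticated page once; log back in and retry on a login redirect."""
    sid = app.login(*creds)
    logins = 1
    results: Dict[str, int] = {}
    for path in paths:
        resp = app.get(path, sid)
        if resp.status == 302 and resp.location == LOGIN_PATH:
            # Session expired mid-scan: re-authenticate and retry the same page.
            sid = app.login(*creds)
            logins += 1
            resp = app.get(path, sid)
        results[path] = resp.status
    return {"results": results, "logins": logins}
```

Without the retry branch, every page after the third would be recorded as a 302 to the login screen, which is the false result the slides warn about.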
