Cf.Objective.2009

  1. Approaches to Automated Security Testing. Bill Shelton (no initials, no hacker alias), MXUnit.org, theguys@mxunit.org, @virtix on Twitter
  2. One Big Ass Problem!
  3. Programmer / Security guy
  4. Programmer / Security guy
  5. Break it
  6. Disassemble, Discover, Discard
  7. + Webdriver + + ==
  8. Ok … Now what?
  9. It’s T-shirt time! What’s wrong with the following code?
  10. Static Analysis
  11. Trust Boundaries
  12. Validation
  13. Output Encoding
  14. White List / Black List
  15. Validate this, punk …
  16. Direct Object Reference: http://foo.com/yapp/profile.cfm?id=123
  17. Indirect Object Reference
  18. Take Away
     • Think securely from the first line of code: far better to write securely from the start than to fix it later
     • Use black box tools to help grab low hanging fruit
     • Use your knowledge to dig in and find and fix vulnerabilities (gray and white box approaches)
     • Learn the trust boundaries
     • Validate and encode correctly
  19. Test. Be Happy.
  20. Stuff to Read
     • OWASP - http://www.owasp.org/index.php/Main_Page
     • SANS Institute - http://www.sans.org/
     • SANS Top 25 of 2009 - http://www.sans.org/top25errors/
     • Secure Programming with Static Analysis – Brian Chess & Jacob West
     • OWASP Software Assurance Maturity Model - http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
     • Software Security: Building Security In – Gary McGraw
     • Exploiting Software: How to Break Code – Gary McGraw
     • Hackers.org - http://ha.ckers.org/
     • Free Stock Photos - http://www.sxc.hu/
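The direct versus indirect object reference contrast of slides 16 and 17, combined with the white-list validation of slides 12 to 15, as an added Python example that is not part of the deck (the deck's own setting is ColdFusion). The profile records, their owners and the names `validate_profile_id`, `profile_direct` and `IndirectReferenceMap` are constructed for illustration.

```python
import re
import secrets

# Constructed sample data (not from the slides): profile records keyed by id, with owner.
PROFILES = {
    123: {"owner": "alice", "name": "Alice"},
    124: {"owner": "bob", "name": "Bob"},
}
# fullmatch (not match with $) so a trailing newline cannot slip past the check
_ID_PATTERN = re.compile(r"[1-9][0-9]{0,9}")


def validate_profile_id(raw):
    """White-list validation of the id parameter (slides 12-15): accept only
    a positive decimal integer and reject everything else, never 'clean it up'."""
    if raw is None or not _ID_PATTERN.fullmatch(raw):
        raise ValueError("invalid id parameter")
    return int(raw)


def profile_direct(user, raw_id):
    """Direct object reference (slide 16): the URL carries the real id, so the
    server must check that the caller owns the record before returning it."""
    record = PROFILES.get(validate_profile_id(raw_id))
    if record is None or record["owner"] != user:
        return None  # deny: unknown record or not the caller's
    return record


class IndirectReferenceMap:
    """Indirect object reference (slide 17): a per-session map from opaque
    random tokens to real ids, so a URL can only name records that this
    session was explicitly handed a token for."""
    def __init__(self):
        self._token_to_id = {}
        self._id_to_token = {}

    def reference(self, record_id):
        """Return the session's token for record_id, minting one on first use."""
        token = self._id_to_token.get(record_id)
        if token is None:
            token = secrets.token_urlsafe(16)
            self._id_to_token[record_id] = token
            self._token_to_id[token] = record_id
        return token

    def resolve(self, token):
        """Return the record behind token, or None if this session never issued it."""
        record_id = self._token_to_id.get(token)
        return None if record_id is None else PROFILES.get(record_id)
```

Even with the indirect map, the ownership check in `profile_direct` is the one that matters when a real id must be accepted; the map only narrows what a URL can name.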
