Cf.Objective.2009
Approaches to Automated Security Testing
Bill Shelton (no initials, no hacker alias) – [email protected] – @virtix on Twitter
One Big Ass Problem!
Programmer Security guy
Break it
Disassemble, Discover, Discard
… + Webdriver + … ==
Ok … Now what?
It’s T-shirt time! What’s wrong with the following code?
Static Analysis
Trust Boundaries
Validation
Output
Encoding
Black List
White List
Validate this, punk …
http://foo.com/myapp/profile.cfm?id=123
Direct Object Reference
Indirect Object Reference
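The validation and direct/indirect object reference slides above, worked through as an added example (my own Python, not code from Bill Shelton's talk; the talk's apps are ColdFusion, and the profile ids, user names and the `IndirectRefMap` class are constructed for illustration). `direct_profile` hands the URL's `id` straight to the data store, so whitelist validation alone does not stop one user reading another's profile; `indirect_profile` resolves a per-session random token instead and still checks ownership.

```python
import secrets

# Constructed sample data: id=123 from the slide's profile.cfm URL, plus a second user.
PROFILES = {123: {"name": "alice"}, 456: {"name": "bob"}}
USER_OWNS = {"alice": {123}, "bob": {456}}


def validate_id(raw):
    """Whitelist validation: accept only a short run of digits, reject everything else.
    This stops injection-style input but says nothing about *whose* record 123 is."""
    if not isinstance(raw, str) or not raw.isdigit() or len(raw) > 9:
        raise ValueError("invalid id")
    return int(raw)


def direct_profile(raw_id):
    """Direct object reference: the validated URL parameter *is* the database key.
    No ownership check, so any caller can swap id=123 for id=456 and read bob's data."""
    return PROFILES[validate_id(raw_id)]


class IndirectRefMap:
    """Per-session map from random tokens to real keys (hypothetical helper).
    The real id never leaves the server, so ids cannot be guessed or enumerated."""

    def __init__(self):
        self._tokens = {}

    def reference(self, real_id):
        token = secrets.token_urlsafe(12)
        self._tokens[token] = real_id
        return token

    def resolve(self, token):
        if token not in self._tokens:
            raise PermissionError("unknown reference")
        return self._tokens[token]


def indirect_profile(session_map, token, user):
    """Indirect object reference: resolve the token through this session's map,
    then still enforce ownership as defence in depth."""
    real_id = session_map.resolve(token)
    if real_id not in USER_OWNS[user]:
        raise PermissionError("not your object")
    return PROFILES[real_id]
```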
Take Away
• Think securely from the first line of code - far better to write securely from the start than to fix it later
• Use black box tools to help to grab low hanging fruit
• Use your knowledge to dig in and find and fix vulnerabilities – gray and white box approaches
• Learn the trust boundaries
• Validate and encode correctly
Test. Be Happy.
Stuff to Read
• OWASP - http://www.owasp.org/index.php/Main_Page
• SANS Institute - http://www.sans.org/
• SANS Top 25 of 2009 - http://www.sans.org/top25errors/
• Secure Programming with Static Analysis – Brian Chess & Jacob West
• OWASP:Software Assurance Maturity Model - http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
• Software Security: Building Security In – Gary McGraw
• Exploiting Software: How to Break Code – Gary McGraw
• Hackers.org - http://ha.ckers.org/
• Free Stock Photos - http://www.sxc.hu/