Approaches to Automated Security Testing

Bill Shelton (no initials – no hacker alias)MXUnit.orgtheguys@mxunit.org@virtix – Twitter

OneBigAss

Problem!

Programmer Security guy

Programmer Security guy

Break it

Disassemble, Discover, Discard

+ Webdriver + + ==

Ok … Now what?

It’s T-shirt time! What’s wrong with the following code?

StaticAnalysis

Trust Boundaries

Validation

Output

Encoding

Black List

White List

Validate this, punk …

http://foo.com/myapp/profile.cfm?id=123

Direct Object Reference

Indirect

Object

Reference

Take Away

• Think securely from the first line of code -Far better to write securely from the start rather than fix it later

• Use black box tools to help to grab low hanging fruit

• Use your knowledge to dig in and find and fix vulnerabilities – gray and white box approaches

• Learn the trust boundaries• Validate and encode correctly

Test Be Happy

Stuff to Read

• OWASP - http://www.owasp.org/index.php/Main_Page

• SANS Institute - http://www.sans.org/

• SANS Top 25 of 2009 - - http://www.sans.org/top25errors/

• Secure Programming with Static Analysis – Brian Chess & Jacob West

• OWASP:Software Assurance Maturity Model - http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project

• Software Security: Building Security In – Gary McGraw

• Exploiting Software: How to Break Code – Gary McGraw

• Hackers.org - http://ha.ckers.org/

• Free Stock Photos - http://www.sxc.hu/