Security Testing: What Testers Can Do
Transcript of Security Testing: What Testers Can Do
4/23/15
1
Test and Verification Solutions
Security Testing: What Testers Can Do
Delivering Tailored Solutions for Hardware Verification and Software Testing
STAR East - Florida 7th May 2015 Declan O’Riordan
Copyright TVS Limited | Private & Confidential | Page 2
What is driving security?
Firewalls / IDS / IPS based upon pattern-matching ‘known bad’ REGEX
COBIT, ITIL, CMMI, ISO 17799, OCTAVE, OSSTMM, ISO 27005, ISO 27033, ISO 27799, ISO 15489
ISO/IEC 13335, ISO/IEC 22301:2012 & PAS77, ISO 9000, ISO 27006, ISO 15408
Threat growth (Source: Verizon)
2014 - Commercial cyber security spending $46 billion
2013 - 20% more breaches
2012 - 30% higher cost per breach
Why is Application Security important?
Make that 153m accounts /
What is Application Security?
It is NOT Building, or Network Security!
84% of attacks target the applications (Source: HP)
90% of sites are vulnerable to application attacks (Watchfire)
1.7% of security budget is spent on Applications (OWASP 2014)
Reactive Perimeter Defences
w.w.w. data is exploding: 2010 = 1.2 zettabytes; 2015 = 7.9 zettabytes; 2020 = 82 zettabytes?
1.2 million variants of malware per day
20%-30% of malware is caught by anti-virus
The Web was not designed to be secure in the beginning. Security features are afterthoughts.
Source: OWASP
‘The’ OWASP Top 10 Web-App Risks
Free Application Security Testing Procedures & Development Guidelines
The Security Testing Lifecycle
Before Development: Review SDLC Process; Review Policy; Review Standards
Definition & Design: Review Requirements; Review Design; Review Models
Development: Review Code; Code Walkthrough; Unit & System Test
Deployment: Penetration Test; Config. Mgt. Review; Unit & System Test; Acceptance Test
Maintenance: Change Verification; Health Checks; Operational Reviews; Regression Tests
Threat Assessment
Compliance with the Standard
Verify 168 security checkpoints
The login screen
Authentication: What can you do now?
§ Bad passwords
§ Verbose failure messages
§ Password change functionality
§ Forgotten password functionality
§ User impersonation functionality
§ Non-unique usernames
§ Predictable usernames
§ Incomplete validation of credentials
Incomplete validation of credentials
Full validation of all password characters:
1. Length
2. Case
3. Unusual characters
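The three checks above are something a tester can run against any login form with a known-good credential: does a truncated password still work, does a case-swapped one, does one with the unusual characters stripped? The following is an added example (not code from the slides or from TVS). The `login` callable stands in for the application under test; to make it run offline it is backed by a constructed, deliberately weak verifier alongside a strict one, and the account, password and function names are all assumptions.

```python
"""Probe a login oracle for incomplete credential validation.

Added example, not from the original slides. `login(username, password)`
stands in for the application under test; here it is backed by a
constructed, deliberately weak verifier so the probe runs offline.
"""
import hmac

# Constructed fixture: one account with a known-good password.
ACCOUNTS = {"declan": "Tr0ub4dor&3xtra!"}


def _weak_normalise(password):
    # Keeps only alphanumerics, truncates to 8 characters, folds case:
    # three separate ways of not validating the full password.
    return "".join(ch for ch in password if ch.isalnum())[:8].lower()


def weak_login(username, password):
    """Constructed flawed verifier (models what the slide warns about)."""
    stored = ACCOUNTS.get(username)
    return stored is not None and _weak_normalise(stored) == _weak_normalise(password)


def strict_login(username, password):
    """Hardened verifier: exact, constant-time comparison of every character.
    (A real system compares a salted password hash, not the plaintext.)"""
    stored = ACCOUNTS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def probe_validation(login, username, password):
    """Return the validation weaknesses a login oracle shows for a known-good credential.

    Checks the three points from the slide: length (truncation), case, and
    unusual characters. Raises if the correct password is not accepted.
    """
    if not login(username, password):
        raise ValueError("baseline failed: the correct password must be accepted")
    findings = []

    # 1. Length: find the shortest prefix that still logs in.
    for n in range(1, len(password)):
        if login(username, password[:n]):
            findings.append(f"length: truncated to {n} characters still accepted")
            break

    # 2. Case: swap the case of every letter.
    swapped = password.swapcase()
    if swapped != password and login(username, swapped):
        findings.append("case: comparison is case-insensitive")

    # 3. Unusual characters: drop everything that is not a letter or digit.
    stripped = "".join(ch for ch in password if ch.isalnum())
    if stripped != password and login(username, stripped):
        findings.append("unusual characters: non-alphanumerics are ignored")

    return findings


if __name__ == "__main__":
    for name, oracle in (("weak", weak_login), ("strict", strict_login)):
        print(name, probe_validation(oracle, "declan", ACCOUNTS["declan"]))
```

Against a real target, watch the account lockout counter while running the length loop: each rejected prefix is a failed login.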
Authentication: What may need help?
§ Vulnerable credentials transmission
§ “Remember me” functionality
§ Predictable initial passwords
§ Insecure distribution of credentials
§ Fail-open login mechanisms
§ Multi-stage login defects
§ Insecure storage of credentials
§ Brute-forcible login (failedlogins=1)
Access controls: What can you do now?
§ Completely unprotected functionality
§ Direct access to methods
§ Identifier-based functions
§ Multi-stage functions
§ Static files
§ Platform mis-configuration
§ Insecure access control methods
§ Parameter / referer / location-based access control
Completely unprotected functionality
No one will know that sensitive function / resource URL. It’s secret!
But URLs appear in logs, browser histories, and are displayed on-screen. They can be emailed, bookmarked, and written down. Attackers find them in client-side JavaScript, by brute-forcing the names / identifiers (a response code of 302, 400, 401, 403 or 500 rather than 404 confirms the resource exists), by inference from published content, through search engines and web archives, and by leveraging the web server.
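Two of those techniques are easy for a tester to reproduce: harvesting paths out of client-side JavaScript, and reading the response codes from forced browsing. The following is an added example (not the slides’ or TVS’s code). The JavaScript snippet and the status-code table are constructed; in real use `fetch_status` would be an HTTP request, and the path regex, function names and the reading of each status code are my assumptions.

```python
"""Harvest candidate URLs from client-side JavaScript and triage the
server's responses to them.

Added example, not from the original slides. SAMPLE_JS and
SAMPLE_RESPONSES are constructed; `fetch_status` would be an HTTP
call against the real target.
"""
import re

# Constructed sample of the kind of JavaScript an attacker reads.
SAMPLE_JS = """
  var api = "/api/v1/users";
  $.get('/admin/export', cb);           // the 'secret' URL
  location.href = "/account/settings";
  if (debug) load("/debug/console");
"""

# Constructed responses keyed by path (a real run would ask the server).
SAMPLE_RESPONSES = {
    "/api/v1/users": 200,
    "/admin/export": 403,
    "/account/settings": 302,
    "/debug/console": 500,
    "/admin/exprt": 404,  # a guessed name that does not exist
}

# Quoted strings that look like absolute paths: "/a/b" or '/a/b'.
PATH_RE = re.compile(r"""["']((?:/[A-Za-z0-9_.-]+)+)["']""")


def harvest_paths(js_source):
    """Return the unique absolute paths quoted in the JavaScript, in order of appearance."""
    seen = []
    for m in PATH_RE.finditer(js_source):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def classify(status):
    """Interpret a status code: anything but 404 tells the attacker the
    resource exists, even when it is not directly usable."""
    if status == 404:
        return "absent"
    if status == 200:
        return "exists, accessible"
    if status in (401, 403):
        return "exists, access control present"
    if status == 302:
        return "exists, redirected (often to login)"
    if status in (400, 500):
        return "exists, error reveals the handler"
    return "exists, unclassified"


def triage(paths, fetch_status):
    """Map each path to its classification; `fetch_status(path) -> int`."""
    return {p: classify(fetch_status(p)) for p in paths}


if __name__ == "__main__":
    found = harvest_paths(SAMPLE_JS)
    for path, verdict in triage(found + ["/admin/exprt"],
                                lambda p: SAMPLE_RESPONSES.get(p, 404)).items():
        print(f"{path:20} {verdict}")
```

The classification is the point: a 403 on a URL that is not linked anywhere is not “hidden”, it is an access control that now has to be tested, and a 500 on a guessed name is a handler that exists and crashes on unexpected input.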
Session Management: who does what?
§ Disclosure of session tokens in logs § Vulnerable session termina4on § Weak session token genera4on § Weak session token handling § Disclosure of tokens § Meaningful tokens § Encrypted tokens § ECB & CBC ciphers § Vulnerable token mapping § Client exposure to token hijacking § Liberal cookie scope § Predictable session tokens
Meaningful session tokens
HTTP is stateless. Each request-response message pair is an independent transaction. Dynamic web-application functionality requires a SESSION to link user requests. Typically this is implemented by issuing each user a unique session token which is resubmitted by the user to link sequences of requests.
Set-Cookie: ASP.NET_SessionId=75 73 65 72 3d 64 65 63 6c 61 6e 3b 61 70 70 3d 61 64 6d 69 6e 3b 64 61 74 65 3d 30 35 2f 30 37 2f 32 30 31 35
(hex-decoded: user=declan;app=admin;date=05/07/2015)
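Checking whether a token is meaningful is mechanical: try the common encodings, see whether printable text falls out, and see whether that text has structure an attacker could edit. The following is an added example (not the slides’ or TVS’s code) that decodes the cookie value shown above and, for contrast, a constructed random-looking token; the function names are assumptions, and only hex encoding is tried here.

```python
"""Decode and dissect a 'meaningful' session token.

Added example, not from the original slides. SLIDE_TOKEN is the cookie
value from the slide; RANDOM_LOOKING is a constructed opaque token for
contrast.
"""
import string

SLIDE_TOKEN = ("75 73 65 72 3d 64 65 63 6c 61 6e 3b 61 70 70 3d 61 64 6d 69 6e 3b "
               "64 61 74 65 3d 30 35 2f 30 37 2f 32 30 31 35")
RANDOM_LOOKING = "9f86d081884c7d659a2feaa0c55ad015"  # constructed, not decodable text


def decode_hex_token(token):
    """Return the ASCII text if `token` is hex-encoded printable ASCII, else None."""
    compact = token.replace(" ", "")
    if len(compact) % 2 or not all(c in string.hexdigits for c in compact):
        return None
    raw = bytes.fromhex(compact)
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def parse_fields(text):
    """Split 'k=v;k=v' into a dict; returns {} if the text has no such structure."""
    fields = {}
    for part in text.split(";"):
        if "=" not in part:
            return {}
        key, value = part.split("=", 1)
        fields[key] = value
    return fields


def encode_hex_token(fields):
    """Inverse of decoding: what an attacker does after editing the fields."""
    text = ";".join(f"{k}={v}" for k, v in fields.items())
    return text.encode("ascii").hex()


def assess(token):
    """Classify a token as 'meaningful' (decodes to key=value data) or 'opaque'."""
    text = decode_hex_token(token)
    fields = parse_fields(text) if text else {}
    return {"decoded": text, "fields": fields,
            "verdict": "meaningful" if fields else "opaque"}


if __name__ == "__main__":
    print(assess(SLIDE_TOKEN))
    print(assess(RANDOM_LOOKING))
    # Edit the decoded fields and re-encode: the forged cookie is trivial to build.
    print(encode_hex_token({"user": "alice", "app": "admin", "date": "05/07/2015"}))
```

The verdict is what goes in the test report: once the token decodes to `user=...;app=admin`, the session is whatever the client says it is unless the server also authenticates the token, and that is the next thing to test.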
Predictable session tokens
Concealed sequences, weak random number generation, time dependencies:
56543-1424798254115
56544-1424798303925
?
56546-1424798337916
The first component is an incrementing sequence. The second component is the time in milliseconds. The missing value was issued to another user and can be predicted / brute forced within the range of possibilities.
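Working the slide’s example through shows how small that range is. The following is an added example (not the slides’ or TVS’s code): it parses the three observed tokens, finds the missing sequence number, bounds its timestamp by the tokens either side, and enumerates every candidate. It assumes the format is exactly `sequence-milliseconds` and, conservatively, that the missing token could share a millisecond with either neighbour; function names are assumptions.

```python
"""Analyse sequence+timestamp session tokens and enumerate a missing one.

Added example, not from the original slides. OBSERVED holds the three
tokens shown above; the gap between the second and third is what an
attacker enumerates.
"""
import secrets

OBSERVED = ["56543-1424798254115", "56544-1424798303925", "56546-1424798337916"]


def parse_token(token):
    """Split 'sequence-milliseconds' into two integers."""
    seq, ts = token.split("-", 1)
    return int(seq), int(ts)


def find_gaps(tokens):
    """Return (missing_seq, ts_low, ts_high) for every sequence number absent
    between two observed tokens. The bounds are inclusive: the missing token
    may have been issued in the same millisecond as either neighbour."""
    parsed = sorted(parse_token(t) for t in tokens)
    gaps = []
    for (s1, t1), (s2, t2) in zip(parsed, parsed[1:]):
        for missing in range(s1 + 1, s2):
            gaps.append((missing, t1, t2))
    return gaps


def search_space(gaps):
    """Number of candidate tokens an attacker must try across all gaps."""
    return sum(hi - lo + 1 for _, lo, hi in gaps)


def candidates(missing, lo, hi):
    """Yield every token the other user could have been issued."""
    for ts in range(lo, hi + 1):
        yield f"{missing}-{ts}"


def secure_token():
    """What the token should be instead: 128 bits from a CSPRNG, no structure."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    gaps = find_gaps(OBSERVED)
    print("gaps:", gaps)
    print("candidates to try:", search_space(gaps))
    print("first candidate:", next(candidates(*gaps[0])))
    print("a token with nothing to predict:", secure_token())
```

Some 34,000 guesses at one request each is minutes of work with a tool such as Burp Intruder, which is why the sequence and the clock must both go: a 128-bit random token from the platform CSPRNG leaves nothing to enumerate.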
Make efficient use of experts & tools
What Testers can do
• Security skills are within the project team capability • Recognize which security tests you can do now • Effectively manage the experts who are helping you