SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT Review by Rayna Burgess 4/21/2011.

SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT

Review by Rayna Burgess4/21/2011

COMP 587 SW V&V Dr. Lingard | Security Testing Review – Rayna Burgess

The Paper SelectionSecurity Testing is Important (Relevant)Security Testing is Different from Functional TestingSecurity Testing is Difficult

Security Engineer’s Tasks

Analyzing Security Risks

Types of Security Testing

Case Study: Java CardConclusion

Overview

4/21/2011 2 of 20


3 of 20

The Paper: Software Security Testing

4/21/2011

Gary McGraw, PhD, CTO of Cigital, Inc Series of Articles in IEEE Security &

Privacy


4 of 20

Security Testing is Important

4/21/2011


5 of 20

Security Testing is Different

4/21/2011

Malicious attacker Intelligent Adversary Vulnerabilities Exploited


6 of 20

Aaah! So many vulnerability lists!

4/21/2011


7 of 20

McGraw’s Vulnerability Taxonomy

4/21/2011


8 of 20

Vulnerability Name Dropping

4/21/2011

gets() (Buffer overflow problem, Morris Worm)

Race condition (time of check to time of use)

Insecure failure Transitive trust Trampoline Zero day exploits


9 of 20

SQL Injection Vulnerability

4/21/2011







Where are we?

4/21/2011 10 of 20


11 of 20

SW Security Engineer’s Tasks

4/21/2011


12 of 20


4/21/2011

Think like an attacker Vulnerability in weakest link can expose

the system Requires expertise Can practice/learn on

Webgoat DVWA Hacme Bank


13 of 20


4/21/2011

Functional Security Testing Risk-Based Security Testing (hostile

attacks) Black Box/White Box Static/Dynamic


14 of 20

Static Security Analysis

4/21/2011

Risk Analysis of Design and Architecture Static Security Analysis Tools

Source Code or Byte Code Good at finding patterns Numerous False Positives


15 of 20

Penetration Testing

4/21/2011

Performed on a running system Can be used on COTS software too Penetration testing tools

Network and OS vulnerability scanners Nmap, Nessus, Aircrack

Automated Penetration Testing Tools Metasploit, CoreImpact, Canvas

Other useful tools Fuzzing tools, WebScarab,

Quality of pen testing depends on the human!


16 of 20

Case Study: Java Card

4/21/2011

Operating System for Smart Cards GlobalPlatform (Java Card, MULTOS)

Used on Bank Cards, (also SIMs, ID Cards, Medical)

Two Types of Testing Functional security design tests Risk-based attack tests


17 of 20

Functional Security Testing

4/21/2011

Tests security functionality Crypto Commands Compliance Testing (GALITT 3/2011)

All cards passed!


18 of 20

Risk-Based Security Testing (Attacks)

4/21/2011

Hostile Attacks, based on risk assessment All cards failed some part of this testing! Analysis of Java Card Design Identify automic transaction processing as

area of interest Consequence is “printing money” (Very High

Risk) Put on Black Hat, Don’t follow the rules:

Abort, fail to commit, fill buffers, nest transactions Exposes vulnerabilities before issued to public







Almost done!

4/21/2011 19 of 20


20 of 20

Conclusion: SW Security Testing is…

4/21/2011

Important More software, more new attacks More functionality, more vulnerabilities Software is everywhere and connected!

Different Presence of a malicious, intelligent attacker Software Test Engineers have different skills

Difficult Exploits are subtle Automated static & dynamic tools insufficient Need a human!

“So now, when we face a choice between adding features and

resolving security issues, we need to choose security.”-Bill Gates

SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT Review by Rayna Burgess 4/21/2011.

Documents

Transcript of SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT Review by Rayna Burgess 4/21/2011.