![Page 1: The bare minimum you should know about software security ... · The bare minimum you should know about web application security testing in 2016 Ken De Souza KWSQA, April 2016 V. 1.0](https://reader033.fdocuments.in/reader033/viewer/2022060211/5f04ed9b7e708231d41067e8/html5/thumbnails/1.jpg)
The bare minimum you should know about web application security testing in 2016
Ken De Souza, KWSQA, April 2016
V. 1.0

Opening example: the Nissan Leaf companion app, as written up by Troy Hunt.
Source: http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html

The request the app sends to fetch a car's battery status:

GET https://[redacted].com/orchestration_1111/gdc/BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no-NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/Paris&TimeFrom=2014-09-27T09:15:21

Look at what is not in it: no session, no token, no credential. The only thing that selects the car is the VIN, and a VIN is not a secret.

Source: https://youtu.be/Nt33m7G_42Q

Short URLs: the short code is only a few characters long, so the whole space can be enumerated, and anything shared "by link only" is effectively public.
http://1drv.ms/1xNOWV7
http://bit.ly/Wn2Xdz
https://goo.gl/Ir2vAQ
Source: https://freedom-to-tinker.com/blog/vitaly/gone-in-six-characters-short-urls-considered-harmful-for-cloud-services/

This topic is HUGE.
Doing this from my experiences...

Agenda:
- Common terminology
- Learn something about the threats
- Demos of tools
- Explain the risks to stakeholders
- Where to go next

Small companies don't have $$$ to spend on all the latest tools, like Burp Suite, etc.
There are excellent free ones.
The tools don't replace thinking.

"security, just like disaster recovery, is a lifestyle, not a checklist"
This is not a black-and-white problem.
Source: https://news.ycombinator.com/item?id=11323849

Web application testing mind map.
Source: http://www.amanhardikar.com/mindmaps/webapptest.html

This is a practical / experience talk.
These are the tools I use on a daily(ish) basis when I'm testing software.
Your mileage may vary.

The Tools
- STRIDE (identification)
- DREAD (classification)
- OWASP Top 10 (attack vectors)
- Wireshark / tcpdump (network analysis)
- OWASP ZAP (application analysis)
- MS Threat Modeling (communication)

STRIDE
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege

Each STRIDE threat type maps to the security control that counters it:

| Type | Security control |
|---|---|
| Spoofing | Authentication |
| Tampering | Integrity |
| Repudiation | Non-repudiation |
| Information disclosure | Confidentiality |
| Denial of service | Availability |
| Elevation of privilege | Authorization |

Source: https://www.owasp.org/index.php/Application_Threat_Modeling

DREAD
- Damage
- Reproducibility
- Exploitability
- Affected users
- Discoverability
Source: https://msdn.microsoft.com/en-us/library/aa302419.aspx

Developer point of view...

| DREAD parameter | Rating | Rationale |
|---|---|---|
| Damage potential | 5 | An attacker could read and alter data in the product database. |
| Reproducibility | 10 | Can reproduce every time. |
| Exploitability | 2 | Easily exploitable by automated tools found on the Internet. |
| Affected users | 1 | Affects critical administrative users. |
| Discoverability | 1 | Affected page "admin.aspx" easily guessed by an attacker. |
| Overall rating | 3.8 | Mean of the five ratings: (5 + 10 + 2 + 1 + 1) / 5 |

Tester point of view...

| DREAD parameter | Rating | Rationale |
|---|---|---|
| Damage potential | 10 | An attacker could read and alter data in the product database. |
| Reproducibility | 10 | Can reproduce every time. |
| Exploitability | 10 | Easily exploitable by automated tools found on the Internet. |
| Affected users | 10 | Affects critical administrative users. |
| Discoverability | 10 | Affected page "admin.aspx" easily guessed by an attacker. |
| Overall rating | 10 | Mean of the five ratings: (10 + 10 + 10 + 10 + 10) / 5 |

Same finding, same rationale, two very different scores. DREAD numbers are only as consistent as the people assigning them, so agree on what each rating means before you compare results across teams.
Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx

STRIDE / DREAD
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

OWASP Top 10
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

OWASP Top 10 (2013), with an example of each:
- A1: Injection. `http://example.com/app/accountView?id='`
- A2: Broken Authentication and Session Management. `http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii` (the session ID travels in the URL)
- A3: Cross-Site Scripting (XSS). `<script>alert('test');</script>`
- A4: Insecure Direct Object References. `http://example.com/app/accountInfo?acct=notmyacct`
- A5: Security Misconfiguration. Default admin account enabled; directory listings shown on the site; stack traces shown to users.
- A6: Sensitive Data Exposure. SSL not being used; Heartbleed; bad programming (Obamacare).
- A7: Missing Function Level Access Control. Accessing areas you shouldn't be able to access.
- A8: Cross-Site Request Forgery. `<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />`
- A9: Using Components with Known Vulnerabilities. Not patching your 3rd party sh*t.
- A10: Unvalidated Redirects and Forwards. `http://www.example.com/redirect.jsp?url=evil.com`
Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
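The A4 example above and the Nissan battery-status request earlier in the deck are the same bug: the server looks up whatever object the client names and never asks whether this caller may see it. The following is an added example, not code from the slides or from any real app; the handlers, the session table, the VINs and the records are all constructed. The vulnerable handler is keyed on the VIN alone, the fixed one resolves a server-side session first and then checks ownership, and the enumeration loop shows why a guessable identifier with no credential is a disclosure of every record.

```python
"""Insecure direct object reference (OWASP 2013 A4). Added example, not slide code.

vulnerable_battery_status() returns whatever record the caller names, the
shape of the BatteryStatusRecordsRequest.php call on the earlier slide: the
VIN is the only selector and there is no credential at all.
fixed_battery_status() resolves the caller's server-side session first and
then checks that the requested object belongs to that account. Every
identifier, session and record below is constructed for the example.
"""
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed data: VIN -> battery record, account -> VINs it owns, token -> account.
RECORDS = {
    "VIN00000000000001": {"charge_pct": 80, "range_km": 110},
    "VIN00000000000002": {"charge_pct": 35, "range_km": 50},
}
OWNERS = {"alice": {"VIN00000000000001"}, "bob": {"VIN00000000000002"}}
SESSIONS = {"tok-alice-7f3a": "alice", "tok-bob-91c2": "bob"}


class Forbidden(Exception):
    """Raised by the fixed handler for anything the caller may not see."""


def _vin_from(url: str) -> str:
    return parse_qs(urlsplit(url).query).get("VIN", [""])[0]


def vulnerable_battery_status(url: str) -> dict:
    """Looks up the VIN from the query string and returns the record: no auth, no ownership check."""
    return RECORDS[_vin_from(url)]


def fixed_battery_status(url: str, session_token: Optional[str]) -> dict:
    """Same lookup, but authorization comes from the server-side session, never from the URL."""
    account = SESSIONS.get(session_token or "")
    if account is None:
        raise Forbidden("no valid session")
    vin = _vin_from(url)
    if vin not in OWNERS.get(account, set()):
        # One answer for "not yours" and "does not exist", so the error
        # message cannot be used to confirm which VINs are real.
        raise Forbidden("not found")
    return RECORDS[vin]


def is_allowed(url: str, session_token: Optional[str]) -> bool:
    """True if the fixed handler would serve this request."""
    try:
        fixed_battery_status(url, session_token)
        return True
    except Forbidden:
        return False


def enumerate_vins(url_template: str, count: int) -> List[str]:
    """What an attacker does to the vulnerable handler: walk a sequential
    identifier range with no credential and keep every VIN that answers."""
    found = []
    for n in range(1, count + 1):
        vin = f"VIN{n:014d}"  # constructed 17-character VINs
        try:
            vulnerable_battery_status(url_template.format(vin=vin))
            found.append(vin)
        except KeyError:
            pass
    return found


if __name__ == "__main__":
    tmpl = "https://example.invalid/gdc/BatteryStatusRecordsRequest.php?RegionCode=NE&VIN={vin}"
    print("enumerated with no credential:", enumerate_vins(tmpl, 5))
    own = tmpl.format(vin="VIN00000000000001")
    print("alice reads her own car:", is_allowed(own, "tok-alice-7f3a"))  # True
    print("bob reads alice's car:  ", is_allowed(own, "tok-bob-91c2"))    # False
    print("no session at all:      ", is_allowed(own, None))              # False
```

The design point is where the decision is made: the fixed handler never trusts an account or object identifier from the request to decide authorization, it derives the account from a session the server issued and then checks the object against that account. That single check is what ZAP's manual request editor (or a browser dev tools "edit and resend") is used to test: change the identifier while keeping your own session and see whether someone else's data comes back.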

Which tool helps with which class:

| Vulnerability | Tool |
|---|---|
| A1: Injection | SQLMap or ZAP |
| A2: Broken Authentication and Session Management | ZAP |
| A3: Cross Site Scripting (XSS) | ZAP |
| A4: Insecure Direct Object References | ZAP |
| A5: Security Misconfiguration | OpenVAS |
| A6: Sensitive Data Exposure | Your brain... |
| A7: Missing Function Level Access Control | OpenVAS |
| A8: Cross-Site Request Forgery | ZAP |
| A9: Using Components with Known Vulnerabilities | OpenVAS |
| A10: Unvalidated Redirects and Forwards | ZAP |

Demos: Setup
VirtualBox running "OWASP Broken Web Apps".
This VM bundles LOTS of deliberately vulnerable web applications that are designed to learn from, so you can practise every tool below without touching anything you don't own.

What is Wireshark?
- Network packet / protocol analysis tool
- Captures traffic from any interface the host has: Ethernet, Wi-Fi, Bluetooth, USB, etc.

Source: http://www.aboutdebian.com/mailfram.gif

Why use Wireshark?
- It is a great tool to debug your environment
- It helps to examine potential security problems

Wireshark: look at the red/yellow lines between systems
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

Wireshark Demo

tcpdump: look at the red/yellow lines between systems
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

Why use tcpdump?
- Use this when you can't use Wireshark (no GUI); capture to a file with -w and open the file in Wireshark later.
- Great for servers.

Example: capture traffic to or from host web01 on port 80 into the file "dump":

tcpdump -lnni eth0 -w dump -s 65535 host web01 and port 80

-l line-buffers the output, -nn skips host and port name resolution, -i eth0 picks the interface, -w dump writes the raw packets to a file, -s 65535 keeps whole packets instead of truncating them, and everything after that is the capture filter.
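A file written by tcpdump -w can be read without a GUI at all. The following added example (not from the slides or from tcpdump) parses the classic pcap format with the Python standard library, walks Ethernet/IPv4/TCP and flags HTTP requests that carry a password or a Basic-auth header in the clear, which is what the "red/yellow lines between systems" leak when SSL is not being used (A6). The capture is constructed in memory so the example runs offline; the addresses, hostnames and credentials are made up.

```python
"""Read a tcpdump -w (classic pcap) file and flag cleartext HTTP credentials.
Added example; the capture below is constructed, not a real recording."""
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap magic; tcpdump on x86 writes it little-endian
MARKERS = (b"Authorization: Basic", b"password=", b"passwd=")


def build_packet(src_ip: str, sport: int, dst_ip: str, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet + IPv4 + TCP frame. Checksums are left zero; the parser ignores them."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")          # dst, src, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a pcap file header plus one 16-byte record header per frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data: bytes) -> List[Tuple[str, int, str, int, bytes]]:
    """Return (src, sport, dst, dport, tcp_payload) for every IPv4/TCP frame in a pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    linktype, = struct.unpack_from("<I", data, 20)
    if magic != PCAP_MAGIC or linktype != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet frames")
    flows, off = [], 24
    while off + 16 <= len(data):
        incl_len, = struct.unpack_from("<I", data, off + 8)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0F) * 4                  # IP header length in bytes
        ip_total, = struct.unpack_from("!H", frame, 16)
        if frame[23] != 6:
            continue                                  # not TCP
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        data_off = (frame[tcp + 12] >> 4) * 4         # TCP header length in bytes
        flows.append((src, sport, dst, dport, frame[tcp + data_off:14 + ip_total]))
    return flows


def find_cleartext_credentials(pcap_bytes: bytes) -> List[str]:
    """Flag port-80 HTTP payloads that carry a credential in the clear."""
    findings = []
    for src, sport, dst, dport, payload in parse_pcap(pcap_bytes):
        if dport != 80 or not payload:
            continue
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        for marker in MARKERS:
            if marker in payload:
                findings.append(f"{src}:{sport} -> {dst}:{dport} {request_line!r}: "
                                f"{marker.decode()!r} sent over plain HTTP")
    return findings


# Constructed traffic: a form login, a Basic-auth request and one harmless GET.
SAMPLE_CAPTURE = build_pcap([
    build_packet("10.0.0.5", 51000, "10.0.0.10", 80,
                 b"POST /login HTTP/1.1\r\nHost: web01\r\n\r\nuser=alice&password=hunter2"),
    build_packet("10.0.0.5", 51001, "10.0.0.10", 80,
                 b"GET /admin HTTP/1.1\r\nHost: web01\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    build_packet("10.0.0.5", 51002, "10.0.0.10", 80,
                 b"GET /index.html HTTP/1.1\r\nHost: web01\r\n\r\n"),
])

if __name__ == "__main__":
    # On a real capture: find_cleartext_credentials(open("dump", "rb").read())
    for finding in find_cleartext_credentials(SAMPLE_CAPTURE):
        print(finding)
```

The parser deliberately handles only what the tcpdump line above produces (classic little-endian pcap, Ethernet link type, IPv4, TCP) and raises on anything else rather than silently returning nothing; a capture that a tool refuses to read is a finding you investigate, an empty report is one you wrongly trust. Note that the Basic header is only base64, not encryption, so it counts as cleartext.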

tcpdump Demo

What is OWASP ZAP?
- Finds security vulnerabilities in your web applications
- Can be used both manually and in an automated manner

Why use ZAP?
- Can be used to find many of the OWASP Top 10 vulnerability classes
- Can be quickly integrated into your manual or automated workflow
- Can be used in passive mode (it only inspects the traffic you proxy through it) or active mode (it sends its own attack payloads, so only run that against systems you are allowed to test)

OWASP ZAP
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

OWASP ZAP Demo

What is SQLMap?
- SQL injection tool
- Automates the detection and exploitation of SQL injection: it tries the known techniques for you (boolean-based blind, time-based blind, error-based, UNION, stacked queries) and extracts data once one of them works
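What sqlmap automates, as an added example that is not code from the slides or from sqlmap: a query built by string concatenation against a constructed in-memory SQLite database is used as a true/false oracle to pull a value out of a table the query never selects from (the same `accountView?id=` shape as the A1 example), beside the parameterised version that gives the same loop nothing. The schema, the data and the two endpoint functions are assumptions made for the example.

```python
"""Boolean-based blind SQL injection, the technique sqlmap automates.
Added example with a constructed schema; nothing here is from the slides."""
import sqlite3
from typing import Callable, Optional

DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
INSERT INTO users VALUES (1, 'admin', 's3cret');
""")


def vulnerable_item_exists(item_id: str) -> bool:
    """Vulnerable endpoint: the id parameter is pasted into the SQL text.

    Returns whether the page would show a product, which is the only thing
    the attacker needs to observe: the response differs for true and false.
    """
    sql = f"SELECT name FROM products WHERE id = {item_id}"
    try:
        return DB.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def fixed_item_exists(item_id: str) -> bool:
    """Fixed endpoint: the id is validated as an integer and bound as a parameter."""
    if not item_id.isdigit():
        return False
    row = DB.execute("SELECT name FROM products WHERE id = ?", (int(item_id),)).fetchone()
    return row is not None


def extract_blind(oracle: Callable[[str], bool], subquery: str, max_len: int = 32) -> str:
    """Recover the result of `subquery` one character at a time through the oracle.

    Each probe asks "is character i of the secret equal to c?" and the page's
    yes/no answer leaks one character. sqlmap does the same with a binary
    search over the character range when it reports a boolean-based blind
    injection; a linear scan is used here so the probe is easy to read.
    """
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    secret = ""
    for pos in range(1, max_len + 1):
        hit: Optional[str] = None
        for ch in alphabet:
            payload = f"1 AND substr(({subquery}),{pos},1)='{ch}'"
            if oracle(payload):
                hit = ch
                break
        if hit is None:
            break  # past the end of the string, or the oracle is not injectable
        secret += hit
    return secret


if __name__ == "__main__":
    sub = "SELECT password FROM users WHERE username='admin'"
    print("via vulnerable endpoint:", repr(extract_blind(vulnerable_item_exists, sub)))  # 's3cret'
    print("via fixed endpoint:     ", repr(extract_blind(fixed_item_exists, sub)))       # ''
```

Two things to take from the loop. The attacker never sees the password column; every request returns either a product page or nothing, and that one bit per request is enough, which is why "the error is not shown to the user" is no defence. And the fix is not a blocklist of quotes: the parameterised query sends the value out of band from the SQL text, so the injected condition is never parsed as SQL at all.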

SQLMap
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

SQLMap Demo

Threat Modeling - What is it?
- A way to analyze and communicate security-related problems
- This is a much larger topic than we have time for
- ... but I'll give you the basics

Threat Modeling - Why do this?
- To explain to management
- To explain to customers
- To explain to developers, architects, etc.
- With the tools I just showed you, you now have the basics to be able to build a model

Threat Modeling: Communicating it...
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

Threat Modeling
Step 1: Enumerate
- Product functionality
- Technologies used
- Processes
- Listening ports
- Process-to-port mappings
- Users that the processes run as
- 3rd party applications / installations

Threat Modeling
Step 2: Data flow diagram with trust boundaries
Source: http://geekswithblogs.net/hroggero/archive/2014/12/18/microsoft-azure-and-threat-modeling-you-apps.aspx

Microsoft Threat Modeling Tool Demo

Threat Modeling
Can be done at various stages of the SDLC.
Source: http://www.slideshare.net/starbuck3000/threat-modeling-web-application-a-case-study

Other really good tools
- nmap (which ports are listening, seen from outside)
- netstat (which ports are listening and which process owns each, seen from inside)
- nslookup (what DNS says about your hosts)
- ps (which processes are running and as which user)
- browser dev tools (the requests and cookies the application actually sends)

All these tools help to answer the question: is your application secure? They don't answer it on their own (the tools don't replace thinking), but they tell you where to look.

Where to go next?
- Full disclosure
- Read!
- OWASP Testing Guide
- Bug bounties

To conclude...

Be aware and prepare yourself for the worst.
Coming up with a plan is important.
Understanding vectors is important.

Thanks!
References
• Preventing CSRF with the same-site cookie attribute: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
• Security Ninjas: An Open Source Application Security Training Program: http://www.slideshare.net/OpenDNS/security-ninjas-opensource
• Threat modeling web application: a case study: http://www.slideshare.net/starbuck3000/threat-modeling-web-application-a-case-study
• Chapter 3 Threat Modeling: https://msdn.microsoft.com/en-us/library/aa302419.aspx
• Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities: http://www.slideshare.net/anantshri/understanding-the-known-owasp-a9-using-components-with-known-vulnerabilities
• Real World Application Threat Modelling By Example: http://www.slideshare.net/NCC_Group/real-world-application-threat-modelling-by-example
• The BodgeIt Store Part 1: http://resources.infosecinstitute.com/the-bodgeit-store-part-1-2/