Web Application Testing with AppScan
Terry Labach
"If you spend more on coffee than on Web application security, you will be hacked. What's more, you deserve to be hacked"
- Richard Clarke, Former White House Advisor on Cyberterrorism and Cybersecurity
2010 | The Sky’s the Limit
Introduction
• What are the issues?
• How can UW support secure Web application development?
• How can involved parties work together?
Outline
• The state of affairs
• Risks and attacks
• AppScan at UW
• AppScan scanning example
• Software engineering for the web
• Questions
Web application security is no longer optional
• UW administration concerned about last IT audit
• IT professionalism now includes security
The old Web
"First we thought the PC was a calculator. Then we found out how to turn numbers into letters with ASCII -- and we thought it was a typewriter. Then we discovered graphics, and we thought it was a television. With the World Wide Web, we've realized it's a brochure."
- Douglas Adams
The new Web
• Shopping mall, office, movie theatre, communications hub, self-marketing firm
• We are expected to make more services available on the web
• Financial, medical, personal information increasingly used in web transactions
• Clients interact with our internal systems
Risks on the new Web
Risks
• Theft of personal information
• Identity theft
• Financial losses
• Intellectual Property losses
• Damage to UW's reputation
• Legal requirements to notify breach victims
Vulnerabilities
• Technical: OS and server design flaws
• Logical: application logic design flaws
• Failing to account for malicious or incompetent users
Attacks
• Technical: XSS, SQL injection
• Logical: authorization errors
SQL injection
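The slide carries only the title, so here is a worked illustration of the technical flaw it names. This is an added example, not code from the deck or from AppScan: a hypothetical login routine written two ways against a constructed in-memory SQLite table (the sample user is the Altoro Mutual demo account used later in the deck). The first version pastes request parameters into the SQL text, which is what a scanner's SQL injection tests probe for; the second uses a parameterised query.

```python
import sqlite3

# Constructed sample data for this example: one user table with a known
# credential (the Altoro Mutual demo login used later in the deck).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('jsmith', 'demo123')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The technical flaw: user input is pasted into the SQL text, so a quote
    # character inside the input ends the string literal and the rest of the
    # input becomes SQL. This is exactly what a scanner's SQLi tests look for.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The fix: a parameterised query. The driver sends the values separately
    # from the statement text, so quotes in the input can never change the
    # query's structure. (Passwords would also be hashed in a real application.)
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

# A typical payload an attacker (or AppScan) submits in the password field.
# In the vulnerable version the WHERE clause becomes
#   username = 'nobody' AND password = '' OR '1'='1'
# which is true for every row, so the login succeeds without a password.
BYPASS_PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real creds :", login_vulnerable(db, "jsmith", "demo123"))
    print("vulnerable, bypass     :", login_vulnerable(db, "nobody", BYPASS_PAYLOAD))
    print("safe, real creds       :", login_safe(db, "jsmith", "demo123"))
    print("safe, bypass           :", login_safe(db, "nobody", BYPASS_PAYLOAD))
```

The same payload is what a black-box scanner sends into every parameter it finds; it then watches for a changed response (a successful login, a database error message, a timing difference) to decide whether the parameter is injectable.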
Cross-site scripting
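Again the slide is a title only, so here is an added example (not from the deck or from AppScan) of reflected cross-site scripting in a hypothetical page that greets the user and links to their home page, with both values taken from request parameters. It also shows the caveat a tester should know: HTML escaping fixes the greeting but not the link, because the dangerous part of an href is the URL scheme, so that context needs its own allow-list check. The template, function names and inputs are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed page template: a greeting and a link, both built from request
# parameters (hypothetical application, not part of the deck).
TEMPLATE = '<p>Welcome, {name}</p>\n<a href="{home}">Your home page</a>'

def render_vulnerable(name: str, home: str) -> str:
    # Request parameters dropped straight into the HTML: a reflected XSS.
    return TEMPLATE.format(name=name, home=home)

def render_escaped(name: str, home: str) -> str:
    # html.escape turns < > & " ' into entities, so the browser shows the
    # value as text instead of executing it as markup. This fixes the
    # greeting, but not the link: "javascript:alert(1)" contains none of
    # those characters and survives escaping as a working href.
    return TEMPLATE.format(name=html.escape(name), home=html.escape(home))

def safe_url(url: str) -> str:
    # Escaping is context dependent. Inside href the dangerous part is the
    # URL scheme, so only accept what we expect: http(s) or a site-relative
    # path. Anything else is replaced by a harmless fragment link.
    scheme = urlsplit(url).scheme.lower()
    if scheme in ("http", "https"):
        return url
    if scheme == "" and url.startswith("/") and not url.startswith("//"):
        return url
    return "#"

def render_safe(name: str, home: str) -> str:
    # Validate for the URL context first, then escape for the HTML context.
    return TEMPLATE.format(name=html.escape(name), home=html.escape(safe_url(home)))

if __name__ == "__main__":
    print(render_vulnerable("<script>alert(1)</script>", "javascript:alert(1)"))
    print(render_escaped("<script>alert(1)</script>", "javascript:alert(1)"))
    print(render_safe("<script>alert(1)</script>", "javascript:alert(1)"))
```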
Authentication and authorization errors
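The logical flaws on this slide need no payload, which is why the deck lists them separately from XSS and SQL injection. The following added example (not from the deck or from AppScan) shows the two most common ones in a hypothetical transcript-lookup endpoint with constructed data: authentication without authorization, where any logged-in user can read any record by changing the id in the URL, and a role taken from a client-supplied parameter instead of the server-side session. All names and data are assumptions for the example.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller is authenticated but not allowed to see the record."""

@dataclass(frozen=True)
class Session:
    # Server-side session state, set at login and never from request parameters.
    user: str
    role: str  # "student" or "staff"

# Constructed sample data: transcripts keyed by a numeric id that appears in the URL.
TRANSCRIPTS = {
    101: {"owner": "alice", "grade": "A"},
    102: {"owner": "bob", "grade": "B"},
}

def get_transcript_vulnerable(session: Session, transcript_id: int) -> dict:
    # Authentication is checked (there is a session) but authorization is not:
    # any logged-in user can read any transcript by changing the id in the URL.
    # No injection payload is needed to find this; a tester with two accounts
    # simply requests the other account's id.
    return TRANSCRIPTS[transcript_id]

def get_transcript_safe(session: Session, transcript_id: int) -> dict:
    # Authorization enforced on every request, server side: the record must
    # belong to the caller unless the caller holds the staff role.
    record = TRANSCRIPTS.get(transcript_id)
    if record is None:
        raise KeyError(transcript_id)
    if session.role != "staff" and record["owner"] != session.user:
        raise Forbidden(f"{session.user} may not read transcript {transcript_id}")
    return record

def is_staff_vulnerable(request_params: dict) -> bool:
    # A second logical flaw: trusting a client-supplied role. Adding
    # role=staff to the query string or a cookie is all it takes.
    return request_params.get("role") == "staff"

def is_staff_safe(session: Session) -> bool:
    # The role comes from the server-side session established at login.
    return session.role == "staff"

def can_read(session: Session, transcript_id: int) -> bool:
    """True if the safe version grants the session access to the record."""
    try:
        get_transcript_safe(session, transcript_id)
        return True
    except Forbidden:
        return False

if __name__ == "__main__":
    alice = Session("alice", "student")
    print("vulnerable, alice reads bob:", get_transcript_vulnerable(alice, 102))
    print("safe, alice reads bob      :", can_read(alice, 102))
    print("safe, staff reads bob      :", can_read(Session("registrar", "staff"), 102))
    print("role from query string     :", is_staff_vulnerable({"role": "staff"}))
```

Hiding the link in the page is not a fix; the check has to run on the server for every request that touches the record.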
Why scan?
• Mimics the attack of the hacker: the scanner probes the running site from outside, the way an attacker would
• No substitute for proper application development
Scanning methods
• Manual
• Automatic
Scanning methods
• Manual: penetration ("pen") testing
  • Requires a human expert
  • Slow and error-prone
  • Can be insightful
Scanning methods
• Automatic
  • Faster
  • Runs a complete, repeatable list of tests
  • Not as perceptive as a human tester
What scanning can do
• Black-box scanning
• Works with any language, application server or web server
What scanning can't do
• White-box analysis: it cannot find issues in the source code without additional software
• Can't be integrated early in the development process: it requires a functional web site
IST Web application testing
AppScan
• IBM product (Rational AppScan at the time; the product line was sold to HCL in 2019 and is now HCL AppScan)
• Selected by IST in 2009 to provide testing services
• IST staff will scan your web application as part of your testing process
• No charge
Preparing your site for testing
• Test instance of the application (not production)
• Be ready for disaster: the scanner submits every form it finds and can create, change or delete data
• Backups of all code and data
• Allow access to the scan server (firewall, .htaccess)
• Method to recreate the web site
The scanning process
• Explore: a spider traverses the site and learns its structure
• Test: attacks are made against what was found
• Report findings
AppScan demonstration
• IBM provides a sample web application to test: Altoro Mutual
  • http://demo.testfire.net
  • User: jsmith
  • Password: demo123
Running AppScan
• URL
• Scan wizard
  • Login method
    • Recorded: go through the login process once while AppScan records it
    • Prompt: record the initial location, then enter credentials as needed
    • Automatic: AppScan uses the entered name and password when required
    • None: when authentication is not used (or is ignored)
  • Test policy
Running AppScan
• Complete scan
  • Full auto scan
  • Auto explore
  • Manual explore (embedded browser): limits the scan to part of the site or ensures it follows a set path
  • Scan later (scheduled)
  • Scan expert: does a short scan to evaluate settings and may suggest configuration changes
Running AppScan
• Scan results
  • Views
  • Reports: remediation, regulatory, OWASP, custom
Thoughts on software engineering for the web
• Basic SE principles still apply
• Development-Test-Production environments
• Use commercial solutions rather than coding your own where reasonable
• Application development must be planned and managed
Thoughts on software engineering for the web
• Add security from the beginning
• Publish only desired files
• Define what is good input and limit to that, rather than trying to strip out bad input.
• “good enough” isn't – the risks are too great
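The input-validation point on the slide above is the one most often got wrong, so here is an added example (not from the deck) contrasting the two approaches. The deny-list function strips the one bad token it knows about and is beaten by a nested payload and by a change of case; the allow-list functions describe exactly what a valid value looks like and reject everything else. It also shows a trap in writing allow-lists with Python regular expressions: `$` matches before a trailing newline, so `fullmatch()` is the right call. All function names and sample inputs are constructed for the example.

```python
import re

def strip_bad_input(value: str) -> str:
    # Deny-list approach: remove the dangerous token we know about. Each
    # replace() runs once over the whole string, so a nested payload
    # reassembles itself after the first pass, and <SCRIPT> is never touched.
    return value.replace("<script>", "").replace("</script>", "")

def is_valid_student_id(value: str) -> bool:
    # Allow-list approach: an id is exactly eight digits. Everything else,
    # including SQL quotes and HTML, is rejected before it reaches a query
    # or a page.
    return re.fullmatch(r"[0-9]{8}", value) is not None

def is_valid_student_id_sloppy(value: str) -> bool:
    # Common mistake while writing an allow-list: $ also matches before a
    # trailing newline, so "20123456\n" passes. fullmatch() has no such gap.
    return re.match(r"^[0-9]{8}$", value) is not None

def is_valid_username(value: str) -> bool:
    # Allow-list for a username: lowercase letter first, then letters,
    # digits or underscore, 3 to 16 characters in total.
    return re.fullmatch(r"[a-z][a-z0-9_]{2,15}", value) is not None

if __name__ == "__main__":
    print(strip_bad_input("<scr<script>ipt>alert(1)</script>"))   # still contains <script>
    print(is_valid_student_id("20123456"), is_valid_student_id("2012345' OR '1'='1"))
    print(is_valid_student_id_sloppy("20123456\n"), is_valid_student_id("20123456\n"))
```

Validation limits what gets in; it does not replace parameterised queries or output escaping, which handle the values that legitimately contain special characters (names, free text).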
References
• IBM AppScan: http://www.ibm.com/software/awdtools/appscan/standard/
• OWASP: http://www.owasp.org
• IST IT Security team: http://ist.uwaterloo.ca/security/
• Quotation of the Day: http://quotationofthedaylist.blogspot.com/
Questions?