Integration of the softscheck Security Testing Process into the V-Modell

Transcription

1 Integration of the softscheck Security Testing Process into the V-Modell Wilfried Kirsch, Prof. Dr. Hartmut Pohl softscheck GmbH Köln Büro: Bonnerstr Sankt Augustin www. softscheck.com

2 Products Tested

3 Reactive Strategy reactive Firewall Anti-Virus IDS/IPS SIEM

4 Proactive Strategy Application Security Controls Risk Assessment Training Security Requirements Threat Modeling Static Source Code Analysis Fuzzing Penetration Testing proactive reactive Firewall Anti-Virus IDS/IPS SIEM

5 V-Modell

6 Security Requriements Security Requirements

7 Threat Modeling Threat Modeling

8 Threat Modeling Analysis of the Softwaredesign to identify vulnerabilities Where are Entry Points, Assets, Open Ports, GUI,.. Identify potential threats Analysis of all dataflows Using documentation Asking clients

9 Threat Modeling - Example User Banking Server Google Play Store Registration Server

10 DFD (Context)

11 DFD (Level1)

12 Static Source Code Analysis Static Source Code Analysis

13 Static Source Code Analysis Automatic identification of vulnerabilities in source code Static Analysis no program execution Does way more than a compiler! Findings might contain false positives!

14 V-Modell and Fuzzing Fuzzing

15 Fuzzing Automated Security Testing Run-time Analysis (Dynamic) - Executable required Test using unexpected Random Inputs Very effective for binary Files/Protocols Goal: Identify unknown Vulnerabilities

16 Fuzzing Identify Input Interfaces Open/import file - Command line argument Network socket - User input Feed inputs with "random" Data "Random" Input Fuzzer Target Application Monitor for Crashes/Hangs

17 Fuzzer Classification Dumb Random Based Purely Random Data Smart Mutation Based Mutated Valid Data Generation Based Generated by Rules or Grammars Library Based Prepared Strings or Symbols

18 Fuzzing Process Generate input data Run test case Monitor After n iterations: n iterations Remove false positives/duplicates Analyze Crashes Determine exploitability When do we stop?

19 Code Coverage Degree to which Code has been executed Source code available Code instrumentation Binary only Binary instrumentation in Emulator Function coverage Decision coverage int foo (int x, int y) { int z = 0; if ((x > 0) && (y > 0)) { z = x; } return z; } Statement coverage

20 Real World Results - TCPdump Fuzzing of the current version of tcpdump (version 4.9) 4 t2.micro Instances with distributed fuzzing Runtime: 2 hours 64 Crashes/20 exploitable Vulnerabilities 1 unique Zero-Day Vulnerability for more information

21 V-Modell and Testing Process Penetration Testing

22 Penetration Testing Simulates a hacker attack Identifies security vulnerabilities Should be done from external companies

23 Classification Penetration Testing 1. Information base Black-Box White-Box 2. Aggressiveness Passive Cautious Calculated Aggressive 3. Scope Full Limited Focused 4. Approach Covert / Stealthy Overt / Noisy 5. Technique Network based Other communication Physical access Social engineering extern intern

24 Penetration Testing Process Preparation Information Gathering Vulnerability Assessment Exploitation Reporting Define Scope Inform Stakeholders Consult Data Protection Officer Intelligence Gathering Footprinting Enumeration Automated Scanning Manual Audit Fuzzing Prove Exploitability Eliminate False- Positives Do not exceed Scope Rate Vulnerabilities Assess Exploitation Likelihood and Consequences Show Mitigations

25 V-Modell and Testing Process Security Requirements Penetration Testing Threat Modeling Fuzzing Static Source Code Analysis

26 Integration of the softscheck Security Testing Process into the V-Modell Wilfried Kirsch, Prof. Dr. Hartmut Pohl softscheck GmbH Köln Büro: Bonnerstr Sankt Augustin www. softscheck.com