Security Testing
John Slankas, jbslanka@ncsu.edu
Course slides adapted from OWASP Testing Guide v4
CSC 515 Software Security

What is Security Testing?
Validate that security controls operate as expected
What to Test? (OWASP Testing Guide v4)
- People: ensure there is adequate education and awareness
- Process: ensure there are adequate policies and standards, and that people know how to follow them
- Technology: ensure that the product has been effective in its implementation of those policies and standards
When to Perform Security Testing?
Throughout the SDLC, not only before release (see Test Early and Test Often under Security Testing Principles)
How to Perform Security Testing
- Manual inspections
- Threat modeling
- Source code review
- Penetration testing
- Tool-based testing: static code analyzers, dynamic code analyzers, fuzz testing, security test suites
Manual Inspections
Human reviews: analyze documentation, models, and other artifacts; interview the people involved
Advantages
- No technology needed
- Usable throughout the SDLC
- Flexible
Disadvantages
- Time-consuming
- Supporting materials may not exist
- Requires significant security skill
Threat Modeling
Steps: diagram the system, identify threats, address threats, validate (and repeat as the design changes)
Advantages
- Takes the attacker's point of view
- Usable early in the SDLC
Disadvantages
- Good threat models don't automatically mean good software
Source Code Review
Manually check the source code for security issues. If you want to know what's really going on, go straight to the source.
Examples of what can be found:
- Concurrency issues
- Flawed business logic
- Backdoors (Trojans, Easter eggs)
- Weak cryptography
Advantages
- Complete, effective, accurate
Disadvantages
- Requires skilled developers
- Can't find issues in 3rd-party or compiled libraries
- May miss runtime issues (configuration, environment, interaction with other components)
Penetration Testing (aka Ethical Hacking)
The art of testing a running application remotely to find vulnerabilities
- Works extremely well for networks and operating systems
- Mixed results for applications: web applications are generally bespoke (made to order), so testing them becomes more of a research effort
Advantages
- Tests exposed code
- Lower skill set needed than for reviews
Disadvantages
- Front-impact testing only: it exercises only what is reachable from the outside
- Late in the SDLC
"If you fail a penetration test you know you have a very bad problem indeed. If you pass a penetration test you do not know that you don't have a very bad problem." - Gary McGraw
Tool-based Testing
Static code analyzers
- Advantages: find common patterns, low effort to execute
- Disadvantages: false positives, time-consuming to evaluate, incomplete
Dynamic code analyzers
- Advantages: low effort to execute, fewer false positives (a finding is backed by observed behavior)
- Disadvantages: incomplete (only exercised paths are tested)
Fuzzers
- Advantages: low effort to execute
- Disadvantages: incomplete
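To make the static-analysis trade-off concrete, here is a small pattern-based analyzer. It is an added example, not code from the slides or from the OWASP Testing Guide: it walks the AST of a constructed Python snippet (SAMPLE, written for this example) looking for two common dangerous-call patterns, first as a pure pattern match and then with a refinement that suppresses the constant-command case. The constant `shell=True` call is the deliberate false positive that a human would have to triage.

```python
"""Pattern-based static analysis with a deliberate false positive.

Added example (not from the slides). SAMPLE is a constructed program under
analysis; find_dangerous_calls() reports (line, rule) pairs.
"""
import ast

SAMPLE = '''\
import subprocess

def run(user_cmd):
    return subprocess.run(user_cmd, shell=True)      # shell with caller data

def list_tmp():
    return subprocess.run("ls /tmp", shell=True)     # shell with a constant

def calc(expr):
    return eval(expr)                                # code execution

def parse_num(expr):
    return int(expr)                                 # harmless
'''

SHELL_APIS = {"subprocess.run", "subprocess.call", "subprocess.Popen"}


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def shell_is_true(call):
    """True when the call passes the literal keyword shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def find_dangerous_calls(source, refine=True):
    """Return sorted (lineno, rule) findings.

    refine=False behaves like a pure pattern match (every shell=True call is
    reported). refine=True suppresses calls whose command is a string
    literal, since no caller-controlled data can reach the shell there.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name == "eval":
            findings.append((node.lineno, "eval: arbitrary code execution"))
        elif name in SHELL_APIS and shell_is_true(node):
            constant_cmd = (node.args and isinstance(node.args[0], ast.Constant)
                            and isinstance(node.args[0].value, str))
            if refine and constant_cmd:
                continue  # triaged away: literal command, no injection vector
            findings.append((node.lineno, "subprocess with shell=True: command injection"))
    return sorted(findings)


if __name__ == "__main__":
    for refine in (False, True):
        print("refine=%s" % refine, find_dangerous_calls(SAMPLE, refine))
```

The refinement is itself a heuristic: a command assembled with string formatting elsewhere would still be suppressed if the call site happens to see a literal, so narrowing the pattern trades false positives for false negatives. That is the "incomplete" disadvantage on the slide, and why tool output is a starting point for review rather than a verdict.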
Kinds of Fuzzing
Black box
- Easy to use
- Explores only shallow states
Grammar based
- Input informed by a grammar
- More work to create the necessary grammar, but can explore the state space much more exhaustively
White box
- New inputs informed by the underlying source code
- Can be easy to use, but computationally expensive
Fuzzing Inputs
- Mutation: take a legal input and mutate it
- Generational: generate the input from scratch (e.g., from a grammar)
- Combinations: generate an initial input, mutate it, generate new inputs; or generate mutations according to a grammar
Fuzzing: Dealing With Crashes
A crash occurs. What was the root cause?
- Can the input be made smaller? A smaller input is more understandable.
- Is it reproducible?
- Does the crash signal an exploitable vulnerability?
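The three preceding slides (kinds of fuzzing, fuzzing inputs, dealing with crashes) fit into one small loop. The following is an added example, not code from the slides or from any fuzzing tool: parse_record() is a constructed toy parser with a planted defect so that there is something to find, the grammar generates only well-formed records, mutate() applies byte-level mutations (the "combination" strategy: generate, then mutate), run_target() separates expected rejections from crashes, reproduces() re-runs the input before trusting it, and minimize() shrinks the crashing input with a delta-debugging (ddmin) loop.

```python
"""Mutation + grammar fuzzing of a toy parser, with crash triage.

Added example, not from the slides. The target and its bug are constructed.
"""
import random


class ParseError(Exception):
    """Expected rejection of malformed input; not a bug."""


def parse_record(data: bytes) -> dict:
    """Toy target: parse 'key=value;key=value'; a value in [...] is a list.
    Planted defect: bytes.index() raises ValueError when '[' has no ']'."""
    record = {}
    for field in data.split(b";"):
        if not field:
            continue
        if b"=" not in field:
            raise ParseError("field without '='")
        key, value = field.split(b"=", 1)
        if value.startswith(b"["):
            value = value[1:value.index(b"]")]  # planted bug
        record[key.decode("latin-1")] = value
    return record


def run_target(data: bytes):
    """Return the unexpected exception the target raised, or None."""
    try:
        parse_record(data)
    except ParseError:
        return None           # graceful rejection, not a crash
    except Exception as exc:  # anything else is a crash candidate
        return exc
    return None


def reproduces(data: bytes, crash: Exception) -> bool:
    """Does the input trigger the same exception type and message again?"""
    exc = run_target(data)
    return exc is not None and type(exc) is type(crash) and str(exc) == str(crash)


INTERESTING = [b"", b"[", b"]", b"=", b";", b"\x00", b"\xff"]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random byte-level mutations to a legal input."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and data:                      # flip one bit
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == 1:                             # insert a token the parser cares about
            i = rng.randint(0, len(data))
            data[i:i] = rng.choice(INTERESTING)
        elif op == 2 and data:                    # delete a byte
            del data[rng.randrange(len(data))]
        elif data:                                # overwrite with a random byte
            data[rng.randrange(len(data))] = rng.randrange(256)
    return bytes(data)


# Generational input: this grammar produces well-formed records only.
GRAMMAR = {
    "<record>": [["<field>"], ["<field>", ";", "<record>"]],
    "<field>": [["<key>", "=", "<value>"]],
    "<key>": [["a"], ["b"], ["name"]],
    "<value>": [["<text>"], ["[", "<text>", "]"]],
    "<text>": [["x"], ["y"], ["<text>", "<text>"]],
}


def generate(symbol: str, rng: random.Random, depth: int = 0) -> str:
    """Expand a grammar symbol; past depth 6 take the first (shortest) option."""
    if symbol not in GRAMMAR:
        return symbol
    options = GRAMMAR[symbol]
    option = rng.choice(options) if depth < 6 else options[0]
    return "".join(generate(s, rng, depth + 1) for s in option)


def minimize(data: bytes, crash: Exception) -> bytes:
    """ddmin: drop chunks while the same crash still reproduces (1-minimal result)."""
    n = 2
    while len(data) >= 2:
        chunk = max(1, len(data) // n)
        reduced = False
        for start in range(0, len(data), chunk):
            candidate = data[:start] + data[start + chunk:]
            if reproduces(candidate, crash):
                data, n, reduced = candidate, max(n - 1, 2), True
                break
        if not reduced:
            if n >= len(data):
                break
            n = min(n * 2, len(data))
    return data


def fuzz(seeds, iterations=5000, seed=1):
    """Alternate corpus mutation and grammar generation; triage the first crash."""
    rng = random.Random(seed)
    corpus = list(seeds)
    for _ in range(iterations):
        base = rng.choice(corpus) if rng.random() < 0.5 else generate("<record>", rng).encode()
        data = mutate(base, rng)
        crash = run_target(data)
        if crash is not None and reproduces(data, crash):   # reproducibility check
            return {"input": data, "exception": repr(crash), "minimized": minimize(data, crash)}
    return None
```

Running `fuzz([b"name=[x];b=2"])` returns the raw crashing input, the exception, and the minimized input; for this target the minimized form is the two bytes `=[`, which makes the root cause (an unterminated list value) obvious in a way the original mutated input does not. Whether such a crash is exploitable is a separate question the fuzzer cannot answer: here it is an unhandled exception, not memory corruption.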
Different Testing Techniques, Different Information

Technique               Information sources
Manual reviews          Documentation, models, source code
Static code analysis    Source code
Dynamic code analysis   HTTP requests & responses
Penetration testing     HTTP requests & responses, application behavior
Penetration Testing
Passive: information gathering
- Understand the application
- Determine access points and inputs
Active: methodically test across a variety of controls
- Configuration and deployment management
- Identity, authentication, authorization, session management
- Input validation
- Error handling
- Cryptography
- Business logic
- Client-side evaluation
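The passive and active phases above, worked on a single captured HTTP response. This is an added example, not code from the slides or from the OWASP Testing Guide, and RAW_RESPONSE is a constructed response written for it rather than a capture from any real site. passive_recon() fingerprints the technology stack and enumerates access points (form actions, their input names, and link query parameters); active_checks() then applies a few checks from three of the control categories listed: configuration (missing security headers), session management (cookie flags), and error handling (a server-side path leaked in a warning).

```python
"""Passive recon and active checks on one captured HTTP response.

Added example, not from the slides. RAW_RESPONSE is constructed.
"""
import re
from html.parser import HTMLParser

RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>\n"
    "<form action=\"/login\" method=\"post\">\n"
    "<input name=\"username\"><input name=\"password\" type=\"password\">\n"
    "</form>\n"
    "<a href=\"/admin/export?format=csv\">export</a>\n"
    "<pre>Warning: mysqli_query(): bad query in /var/www/html/search.php on line 42</pre>\n"
    "</body></html>\n"
)

# Headers whose absence is a configuration finding in this example.
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options")


class AccessPointParser(HTMLParser):
    """Collect forms (with input names) and link hrefs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.forms, self.links, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def parse_response(raw):
    """Split a raw response into status line, [(lower-name, value)], body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def passive_recon(raw):
    """Fingerprint the stack and map access points (path -> parameter names)."""
    _, headers, body = parse_response(raw)
    technology = [v for k, v in headers if k in ("server", "x-powered-by")]
    parser = AccessPointParser()
    parser.feed(body)
    access_points = {}
    for href in parser.links:
        path, _, query = href.partition("?")
        access_points[path] = [kv.split("=", 1)[0] for kv in query.split("&") if kv]
    for form in parser.forms:
        access_points[form["action"]] = form["inputs"]
    return {"technology": technology, "access_points": access_points}


def active_checks(raw):
    """Return (control, detail) findings for a few OWASP control categories."""
    _, headers, body = parse_response(raw)
    findings = []
    present = {k for k, _ in headers}
    for name in REQUIRED_HEADERS:
        if name not in present:
            findings.append(("configuration", f"missing {name} header"))
    for k, v in headers:
        if k == "set-cookie":
            cookie = v.split("=", 1)[0]
            flags = {part.strip().lower() for part in v.split(";")[1:]}
            missing = [f for f in ("secure", "httponly") if f not in flags]
            if missing:
                findings.append(("session management", f"cookie {cookie} lacks {', '.join(missing)}"))
    if re.search(r"\bin /\S+\.php on line \d+", body):
        findings.append(("error handling", "PHP warning leaks a server-side file path"))
    return findings


if __name__ == "__main__":
    print(passive_recon(RAW_RESPONSE))
    for control, detail in active_checks(RAW_RESPONSE):
        print(f"[{control}] {detail}")
```

The passive output (stack versions, `/login` with `username` and `password`, `/admin/export?format=`) is what drives the active phase: each access point and parameter becomes a target for the input-validation, authorization and business-logic tests, which need a live application rather than a single stored response and are therefore not part of this offline example.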
Security Testing Principles
- There is no silver bullet
- Think strategically, not tactically
- SDLC is king
- Test early and test often
- Understand the scope of security
- Develop the right mindset
- Understand the subject
- Use the right tools
- The details are what matter
- Use source code when available
- Develop metrics
- Document the test results
Resources
NIST SP 800-115, Technical Guide to Information Security Testing and Assessment: http://csrc.nist.gov/publications/nistpubs/800-115/sp800-115.pdf