Security Testing. John Slankas

Security Testing
John Slankas, jbslanka@ncsu.edu
CSC 515 Software Security
Course slides adapted from the OWASP Testing Guide v4

What is Security Testing?
Validate that security controls operate as expected.

What to Test?
- People: ensure there is adequate education and awareness.
- Process: ensure there are adequate policies and standards, and that people know how to follow them.
- Technology: ensure that the product implements its security controls effectively.
(OWASP Testing Guide v4)

When to Perform Security Testing?

How to Perform Security Testing
- Manual Inspections
- Threat Modeling
- Source Code Review
- Penetration Testing
- Tool-based Testing
  - Static Code Analyzers
  - Dynamic Code Analyzers
  - Fuzz Testing
- Security Test Suites

Manual Inspections
Human reviews: analyze documentation, models, and other artifacts; interview the people involved.
Advantages
- No technology needed
- Usable throughout the SDLC
- Flexible
Disadvantages
- Time consuming
- Supporting materials may not exist
- Requires significant security skill

Threat Modeling
Cycle: Diagram -> Identify Threats -> Address Threats -> Validate
Advantages
- Takes the attacker's point of view
- Applied early in the SDLC
Disadvantages
- A good threat model does not automatically mean good software

Source Code Review
Manually check the source code for security issues. "If you want to know what's really going on, go straight to the source."
Examples of what can be found:
- Concurrency issues
- Flawed business logic
- Backdoors (Trojans, Easter eggs)
- Weak cryptography
Advantages
- Complete, effective, accurate
Disadvantages
- Requires skilled developers
- Can't find issues in third-party or compiled libraries (no source to read)
- May miss runtime issues

Penetration Testing (aka Ethical Hacking)
- The art of testing a running application remotely to find vulnerabilities
- Works extremely well for networks and operating systems
- Mixed results for applications: web applications are generally bespoke (made to order), so testing them becomes more of a research effort
Advantages
- Tests exposed code
- Lower skill set needed than for reviews
"If you fail a penetration test you know you have a very bad problem indeed. If you pass a penetration test you do not know that you don't have a very bad problem." - Gary McGraw
Disadvantages
- Front-impact testing only
- Late in the SDLC

Tool-based Testing
Static Code Analyzers
- Advantages: find common patterns; low effort to execute
- Disadvantages: false positives; time-consuming to evaluate; incomplete
Dynamic Code Analyzers
- Advantages: low effort to execute; fewer false positives
- Disadvantages: incomplete
Fuzzers
- Advantages: low effort to execute
- Disadvantages: incomplete
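The static-analyzer trade-off above (common patterns are cheap to find, false positives cost evaluation time, and the tool is incomplete) can be seen in a few dozen lines. The following is an added example, not code from the slides or from any real analyzer: a pattern matcher over Python's standard `ast` module, run against a constructed sample whose functions (`list_dir`, `fixed_listing`, `loose_eval`, `hidden`) are hypothetical. One finding is a true positive, one is the false positive a naive `shell=True` rule produces, and one dangerous call is missed entirely because the callee is computed at runtime.

```python
import ast

# Constructed sample under review (hypothetical code, not from the slides).
# It mixes a true positive, a false positive and a miss for a pattern-based tool.
SAMPLE_SOURCE = '''\
import os, subprocess

def list_dir(user_path):
    # true positive: untrusted data is interpolated into a shell command
    return subprocess.run(f"ls {user_path}", shell=True)

def fixed_listing():
    # false positive for a naive "shell=True" pattern: the command is a constant
    return subprocess.run("ls -l /var/log", shell=True)

def loose_eval(expr):
    return eval(expr)

def hidden(cmd):
    # missed: dynamic attribute lookup defeats name-based pattern matching
    return getattr(os, "sys" + "tem")(cmd)
'''


def callee_name(node: ast.Call) -> str:
    """Dotted name of a call target, e.g. 'subprocess.run'; '' when the callee
    is computed at runtime (getattr(...)(), obj[...](), returned callables)."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def analyze(source: str) -> list:
    """Pattern-based static check. Returns (line, rule, severity, message) tuples
    sorted by line. Severity for shell=True is lowered when the command is a
    literal constant; that triage rule is what cuts false-positive review cost."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = callee_name(node)
        if name in ("eval", "exec"):
            findings.append((node.lineno, "CODE-INJECTION", "HIGH",
                             f"{name}() evaluates data that may be attacker controlled"))
        elif name == "os.system":
            findings.append((node.lineno, "SHELL", "HIGH",
                             "os.system() runs its argument through a shell"))
        elif name.startswith("subprocess."):
            shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                             and kw.value.value is True for kw in node.keywords)
            if shell_true:
                command = node.args[0] if node.args else None
                literal = isinstance(command, ast.Constant)
                findings.append((node.lineno, "SHELL", "LOW" if literal else "HIGH",
                                 "shell=True with a literal command; likely benign, review"
                                 if literal else "shell=True with a non-literal command"))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule, severity, message in analyze(SAMPLE_SOURCE):
        print(f"line {line}: [{severity}] {rule}: {message}")
    # Line 16, getattr(os, "sys" + "tem")(cmd), produces no finding at all:
    # the pattern matcher is incomplete, exactly as the slide warns.
```

The three outcomes map onto the slide's bullets: line 5 is the cheap win a pattern rule gives you, line 9 is the false positive somebody has to spend time evaluating (the severity downgrade is one way to keep that cost down), and line 16 is the incompleteness, since a name-based matcher cannot see a callee that is assembled at runtime.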

Kinds of Fuzzing
- Black box: easy to use, but explores only shallow program states
- Grammar based: inputs informed by a grammar; more work to create the grammar, but can explore the state space much more exhaustively
- White box: new inputs informed by the underlying source code; can be easy to use, but computationally expensive

Fuzzing Inputs
- Mutation: take legal input and mutate it
- Generational: generate the input from scratch (e.g., from a grammar)
- Combinations: generate an initial input, mutate it, generate new inputs; or generate mutations according to a grammar
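To make the black-box versus grammar-based distinction and the mutation versus generational distinction concrete, here is an added example that is not from the slides: a constructed record parser with a planted divide-by-zero, a mutation strategy that edits a legal seed, and a generational strategy that builds inputs from the format's grammar. The record format, the parser, the `SEED` bytes and the convention that `ParseError` means a graceful rejection while any other exception is a crash are all assumptions made for this example.

```python
import random
import struct


class ParseError(ValueError):
    """Graceful rejection of malformed input: expected behaviour, not a bug."""


def parse_records(data: bytes) -> list:
    """Constructed target (hypothetical, not from the slides). Each record is
    <type:1 byte><length:1 byte><value:length bytes>. Type 0x01 carries ASCII
    text; type 0x02 carries big-endian uint16 counters and reports their average."""
    records, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ParseError("truncated record header")
        rtype, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ParseError("truncated record value")
        if rtype == 0x01:
            records.append(("text", value.decode("ascii", errors="replace")))
        elif rtype == 0x02:
            counters = struct.unpack(f">{length // 2}H", value[:length - length % 2])
            # Planted bug: a type-2 record of length 0 or 1 yields no counters,
            # so the average divides by zero (ZeroDivisionError, not ParseError).
            records.append(("avg", sum(counters) / len(counters)))
        else:
            raise ParseError(f"unknown record type {rtype:#04x}")
        i += 2 + length
    return records


# Constructed seed: one text record and one counter record, both well formed.
SEED = b"\x01\x05hello" + b"\x02\x04" + struct.pack(">HH", 1, 2)


def run_target(data: bytes):
    """Oracle: the exception for a crash, None for accept or graceful reject."""
    try:
        parse_records(data)
    except ParseError:
        return None
    except Exception as exc:  # any other exception is a crash worth triaging
        return exc
    return None


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation-based input: apply 1-3 random byte edits to a legal seed."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0 and buf:                         # overwrite with a random byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 1 and buf:                       # overwrite with a boundary value
            buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x01, 0x7F, 0xFF])
        elif op == 2 and len(buf) > 1:              # delete a byte
            del buf[rng.randrange(len(buf))]
        else:                                       # insert a random byte
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
    return bytes(buf)


def generate(_seed: bytes, rng: random.Random) -> bytes:
    """Generational input: build records from the format's grammar, so every
    input is structurally valid and reaches the per-type handling code."""
    out = bytearray()
    for _ in range(rng.randint(1, 4)):
        rtype = rng.choice([0x01, 0x02])
        if rtype == 0x01:
            payload = bytes(rng.randint(0x20, 0x7E) for _ in range(rng.randint(0, 8)))
        else:
            counters = [rng.randrange(0x10000) for _ in range(rng.randint(0, 3))]
            payload = struct.pack(f">{len(counters)}H", *counters)
        out += bytes([rtype, len(payload)]) + payload
    return bytes(out)


def fuzz(strategy, seed: bytes, iterations: int, rng_seed: int = 0):
    """Run one strategy until the oracle reports a crash.
    Returns (iteration, crashing_input, exception), or None if nothing crashed."""
    rng = random.Random(rng_seed)
    for n in range(iterations):
        data = strategy(seed, rng)
        exc = run_target(data)
        if exc is not None:
            return n, data, exc
    return None


if __name__ == "__main__":
    for name, strategy in (("mutation", mutate), ("generational", generate)):
        hit = fuzz(strategy, SEED, 50_000)
        if hit:
            print(f"{name}: crash after {hit[0]} inputs: "
                  f"{type(hit[2]).__name__} on {hit[1].hex()}")
        else:
            print(f"{name}: no crash found")
```

Both strategies find the planted bug, but for different reasons. Generational inputs are valid by construction, so every one of them reaches the type-specific handler, and a zero-counter record is just one more grammar production. Mutated inputs mostly die at the header and length checks as `ParseError` and only occasionally land a boundary value on the right length byte. A pure black-box strategy of random bytes would need a valid type byte and a matching length by chance before it could reach the handler at all, which is the shallow-states problem the previous slide describes.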

Fuzzing: Dealing With Crashes
A crash occurs. Questions to answer:
- What was the root cause?
- Can the input be made smaller? A smaller input is more understandable.
- Is it reproducible?
- Does the crash signal an exploitable vulnerability?
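An added example, not from the slides, that answers three of the questions above for one fuzzer-found input. A constructed header parser with a planted defect stands in for the target; `crash_signature` fixes what counts as "the same crash" (exception type plus the line it came from), `is_reproducible` re-runs the input, and `ddmin` (Zeller's delta-debugging minimizer) shrinks the input to a 1-minimal reproducer. The target, the `FUZZ_CASE` bytes and the helper names are assumptions made for this example.

```python
import traceback


def parse_headers(raw: bytes) -> dict:
    """Constructed target (hypothetical, not from the slides): split HTTP-style
    header lines into a dict. Planted defect: a non-empty line without ':' makes
    the tuple unpack raise ValueError instead of being rejected cleanly."""
    headers = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, value = line.split(b":", 1)   # planted bug: 1-element list on a colon-less line
        headers[name.strip().lower()] = value.strip()
    return headers


def crash_signature(data: bytes):
    """Run the target once. Return (exception type, innermost source line) for a
    crash, or None when it returns normally. The signature is what we compare
    across re-runs and while shrinking, so we keep following the same crash."""
    try:
        parse_headers(data)
    except Exception as exc:  # any uncaught exception counts as a crash here
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return (type(exc).__name__, frame.lineno)
    return None


def is_reproducible(data: bytes, runs: int = 5) -> bool:
    """Same signature on every run means deterministic and worth minimizing."""
    first = crash_signature(data)
    return first is not None and all(crash_signature(data) == first for _ in range(runs - 1))


def ddmin(data: bytes, still_crashes) -> bytes:
    """Delta debugging (ddmin): shrink 'data' to a 1-minimal input for which
    'still_crashes' holds, i.e. removing any single remaining byte loses the crash."""
    assert still_crashes(data), "ddmin needs a failing input to start from"
    n = 2                                       # number of chunks to split into
    while len(data) >= 2:
        chunk = len(data) // n
        reduced = False
        for start in range(0, len(data), chunk):
            complement = data[:start] + data[start + chunk:]
            if still_crashes(complement):       # dropping this chunk keeps the crash
                data, n, reduced = complement, max(n - 1, 2), True
                break
        if not reduced:
            if n >= len(data):                  # already at single-byte granularity
                break
            n = min(n * 2, len(data))           # try finer-grained chunks
    return data


def triage(crash_input: bytes) -> dict:
    """Reproducibility check plus minimization for one fuzzer-found input."""
    sig = crash_signature(crash_input)
    if sig is None:
        return {"crash": False}

    def same_crash(candidate: bytes) -> bool:
        return crash_signature(candidate) == sig

    repro = is_reproducible(crash_input)
    minimal = ddmin(crash_input, same_crash) if repro else crash_input
    return {"crash": True, "signature": sig, "reproducible": repro,
            "original_len": len(crash_input), "minimal": minimal}


# Constructed fuzzer output: a plausible request in which one mutated header
# line has lost its colon somewhere in the middle.
FUZZ_CASE = (b"Host: example.test\r\nUser-Agent: fuzz/0.1\r\n"
             b"Accept text/html\r\nCookie: sid=abc123\r\n\r\n")

if __name__ == "__main__":
    print(triage(FUZZ_CASE))
```

On `FUZZ_CASE` the minimizer reduces roughly eighty bytes to a single byte that is neither a colon nor part of a line separator, which makes the root cause (the unconditional two-element unpack) obvious in a way the full request does not. The last question on the slide is still a human judgment: an uncaught exception in a Python service is at most a crash or denial of service, not memory corruption, and the signature plus minimal reproducer is the evidence you hand to whoever makes that call.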

Different Testing Techniques, Different Information

Technique               Information Sources
Manual Reviews          Documentation, Models, Source Code
Static Code Analysis    Source Code
Dynamic Code Analysis   HTTP Requests & Responses
Penetration Testing     HTTP Requests & Responses, Application Behavior

Penetration Testing
Passive: information gathering
- Understand the application
- Determine access points and inputs
Active: methodically test across a variety of controls
- Configuration and deployment management
- Identity, authentication, authorization, session management
- Input validation
- Error handling
- Cryptography
- Business logic
- Client-side evaluation

Security Testing Principles
- There is no silver bullet
- Think strategically, not tactically
- SDLC is king
- Test early and test often
- Understand the scope of security
- Develop the right mindset
- Understand the subject
- Use the right tools
- The details are what matter
- Use source code when available
- Develop metrics
- Document the test results

Resources
NIST SP 800-115, Technical Guide to Information Security Testing and Assessment: http://csrc.nist.gov/publications/nistpubs/800-115/sp800-115.pdf