Web Applications (Part 2): The Hacker's New Target


Web Applications (Part 2): The Hacker's New Target
AppScan Source Edition
Terence Chow, Advisory Technical Consultant
An IBM Rational / IBM Software Proof of Technology
Hacking 102: Integrating Web Application Security Testing into Development

How does Application Security Testing work?
- Explore the source code and/or the web site to detect its structure
- Identify vulnerabilities, ranked by severity, and show how each one was identified
- Advanced remediation: fix recommendations and security enablement

Black-box (Discovering SQL Injection)
Login form input (password field shown masked: ******)
Query the application ends up running:
    SELECT * from tusers where userid= AND password= foobar

How BB Scanners Work
Stage 1: Crawling as an honest user
    http://mysite/
    http://mysite/login.jsp
    http://mysite/feedback.jsp
    http://mysite/editprofile.jsp
    http://mysite/logout.jsp
Stage 2: Testing by tampering requests

White-box (Discovering SQL Injection)

    //...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    //...
    String query = "SELECT * from tusers where " +
                   "userid='" + username + "' " +
                   "AND password='" + password + "'";
    //...
    ResultSet rs = stmt.executeQuery(query);

Source: a method returning a tainted string (here request.getParameter)
Sink: a potentially dangerous method (here stmt.executeQuery)
Because the tainted strings are concatenated straight into query, the user can change the SQL commands that get executed.
The analysis reports the trace: from the two source calls, through the assignment that builds query, to the executeQuery sink.

A Common Fix (not always the best for SQL Injection)

    //...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    //...
    String query = "SELECT * from tusers where " +
                   "userid='" + Encode(username) + "' " +
                   "AND password='" + Encode(password) + "'";
    //...
    ResultSet rs = stmt.executeQuery(query);

Sanitizer: a method returning a non-tainted string (here Encode). The query is still assembled by concatenation, so the fix is only as good as the encoding routine; that is why it is not always the best fix for SQL injection.
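The source/sink/sanitizer model behind the three white-box slides can be demonstrated with a small taint-propagation pass. The following is an added example, not AppScan or Ounce code: it walks straight-line Java statements (the slide's own snippet, embedded as constructed input), treats request.getParameter as a source, stmt.executeQuery as a sink and the slide's hypothetical Encode() as a sanitizer, and reports the trace from source to sink; with Encode() applied the trace disappears, which is the "common fix" the slide describes.

```python
import re

# Rule sets (assumptions chosen to match the slide snippet)
SOURCES = {"request.getParameter"}   # methods returning a tainted string
SINKS = {"stmt.executeQuery"}        # potentially dangerous methods
SANITIZERS = {"Encode"}              # methods returning a non-tainted string

ASSIGN = re.compile(r"^(?:\w+\s+)?(\w+)\s*=\s*(.+);$")   # [Type] var = expr;
CALL = re.compile(r"([\w.]+)\s*\(")
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")

def strip_sanitized(expr):
    """Replace each sanitizer call with a placeholder so its argument no longer counts as a tainted reference."""
    for name in SANITIZERS:
        expr = re.sub(re.escape(name) + r"\s*\([^()]*\)", "SANITIZED", expr)
    return expr

def analyze(lines):
    """Return one finding per sink call reached by unsanitized source data, with the statements that carried the taint."""
    tainted = {}     # variable -> statements that made it tainted (insertion order kept)
    findings = []
    for line in lines:
        text = line.strip()
        m = ASSIGN.match(text)
        if not m:
            continue                      # comments etc. are ignored in this toy
        var, expr = m.group(1), m.group(2)
        calls = set(CALL.findall(expr))
        code = re.sub(r'"[^"]*"', '""', strip_sanitized(expr))  # drop string literals
        refs = set(IDENT.findall(code))
        trace = []
        for v in tainted:                 # taint flows in from referenced variables
            if v in refs:
                trace += [s for s in tainted[v] if s not in trace]
        if calls & SOURCES or trace:
            trace.append(text)
        if calls & SINKS:
            if trace:
                findings.append({"sink": text, "trace": trace})
        elif trace:
            tainted[var] = trace
        else:
            tainted.pop(var, None)        # a clean reassignment kills taint
    return findings

# Constructed input: the slide's vulnerable snippet (JDBC method casing).
VULNERABLE = [
    'String username = request.getParameter("username");',
    'String password = request.getParameter("password");',
    'String query = "SELECT * from tusers where " + "userid=\'" + username'
    ' + "\' " + "AND password=\'" + password + "\'";',
    'ResultSet rs = stmt.executeQuery(query);',
]
# The slide's common fix: each input wrapped in the Encode() sanitizer.
SANITIZED = [VULNERABLE[0], VULNERABLE[1],
             VULNERABLE[2].replace("username +", "Encode(username) +")
                          .replace("password +", "Encode(password) +"),
             VULNERABLE[3]]
```

Running analyze(VULNERABLE) yields one finding whose trace lists the two getParameter lines, the query assignment and the executeQuery sink in that order; analyze(SANITIZED) yields none.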

BB vs. WB - Paradigm
BB: cleverly guessing behaviors that may introduce vulnerabilities
WB: examining an infinite number of behaviors with a finite approach

BB vs. WB - Perspective
BB
- Works as an attacker
- HTTP awareness only
- Works on the big picture
WB
- Resembles code auditing
- Inspects the small details
- Hard to connect the dots
(Both end in the same result on the slide: SQL Injection Found)

BB vs. WB - Prerequisite
BB
- Any deployed application (the slide's example: Bank.war)
- Easier to use in the testing stage
- Where code is often unavailable
WB
- Application code
- Can be used earlier during development
- As soon as the application compiles

BB vs. WB - Development Effort
BB
- Oblivious to different languages
- And to most server-side technology
- Affected by client-side technology
- Different communication protocols require attention
WB
- Different languages require support
- As do some frameworks
- Less affected by client-side technology
- Oblivious to communication protocols

BB vs. WB - Time/Accuracy Tradeoffs
BB
- Crawling takes time
- Testing mutations takes (infinite) time
WB
- A refined model consumes space
- And time
- Analyzing only the important code
- Approximating the rest

BB vs. WB - Accuracy Challenges
BB challenge: cover all attack vectors
WB challenge: eliminate non-exploitable issues

Black-box (Dynamic) Analysis
Examining a system or software with no prior knowledge of the application's assets
Strengths
- Testing the real software allows for high confidence in findings
- No need for design specifications or source code
- Source code and environment agnostic
- Software is easily tested across a network
Challenges
- Impossible to determine code coverage
- Logical design flaws are easily missed
- Requires a deployed application

White-box (Static) Analysis
All relevant information is known and available to the tester: source code and architectural design
Strengths
- Logical design flaws can be determined
- The entire attack surface can be examined
- Very effective at finding programming and implementation errors
Challenges
- Poor coding practices may result in a non-vulnerable finding (false positive)
- Access to source code is not always possible
- Some weaknesses are only exposed in deployment
- Software is not easily tested remotely

Automated vs. Manual Analysis
Automated
- Strengths: low cost, repeatable, scalable
- Weaknesses: missing human intelligence
Manual
- Strengths: human intelligence
- Weaknesses: high cost, dependent on ability, not scalable
IF time and cost were not a barrier to the organization, manual analysis would win out over automation every single time! Human intelligence cannot be automated. Automated tools allow you to find the low-hanging fruit and address the opportunistic vulnerabilities!

Security Analysis Techniques (arranged from black box on the left to white box on the right)
Manual: Manual Proxy, Netcat, Threat Modelling, Architectural Analysis, Code Review
Automated: Fuzzing Tools, Web App Scanners, Binary Analysis, Database Scanners, Source Code Scanners

Black-box Analysis vs. Composite Analysis vs. White-box Analysis
Black-box analysis
- Accuracy
- Source free
- HTTP awareness only
- Multi-component support
- Requires a deployed application
- Few prerequisites
- Works as a remote attacker
White-box analysis
- Code/path coverage
- Limited to the given code
- More than HTTP validations
- Supports partial applications
- Support per language/framework
- No need to deploy the application
- Over-approximation
- Integration/deployment issues
Composite analysis: combines both approaches (the slide lists code coverage among the combined attributes)

Security Testing Technologies... Combination Delivers a Comprehensive Solution
Static Code Analysis = Whitebox: scanning source code for security issues
Dynamic Analysis = Blackbox: performing security analysis of a compiled application
Diagram: the set of total potential security issues, with the static analysis and dynamic analysis circles overlapping; the overlap is labelled "Best Coverage".

Secure code development and vulnerability management
IBM Rational AppScan
- A market leader for Web application vulnerability scanning
- A leader in numerous industry bake-offs
- Automatically scans Web applications for vulnerabilities (SQL Injection, Cross-site Scripting)
- Provides clear recommendations on how to remediate identified vulnerabilities
- Scans Web sites for embedded malware
- Protect your Web site from distributing the next Conficker to every Web site visitor
- Powered by the IBM Internet Security Systems X-Force malware prevention system

IBM Rational AppScan Ecosystem
Centre: AppScan Enterprise / Reporting Console / Source Ed Core; Rational ClearQuest / Issue Management; IBM Rational Web Based Training for AppScan
CODE - build security testing into the IDE*: AppScan Source Ed for Developer / Remediation; Rational Application Developer; Rational Software Analyzer
BUILD - automate security / compliance testing in the build process: AppScan Source Ed for Automation (scanning agent); Rational ClearCase; Rational Build Forge
QA - security / compliance testing incorporated into testing & remediation workflows: AppScan Tester Ed (QA clients); AppScan Ent. QuickScan (web client); Rational Quality Manager
SECURITY - security & compliance testing, oversight, control, policy, audits: AppScan Source Ed for Security; AppScan Standard Ed (desktop); AppScan Enterprise user (web client)

AppScan Source Ed User Components
AppScan Source Edition for Security
- Required in every deployment
- The security auditor/analyst is the primary user; can be used by/deployed to anyone (i.e. development leads)
- Requires a connection to a Core
- Available as Authorized User only
AppScan Source Edition for Developer
- IDE deployment: Eclipse versions 3.2, 3.3, and 3.4; IBM Rational Application Developer V7.0 and V7.5; Visual Studio.NET 2003, 2005, and 2008
- Supported project files: Visual Studio.NET 2003, Visual Studio 2005, Visual Studio 2008, WebSphere Studio Application Developer 5.1, Eclipse 3.1, 3.2, 3.3, IBM Rational Application Developer V6.0 and V7.0
- Requires a connection to a Core
AppScan Source Edition for Remediation
- Same plug-in as AppScan Source Edition for Developer, except no ability to scan

Bug in APIs marked both Source and Tainted Callback

Type II - No Trace: Where's the source?

Profiling for Sources
- Evaluating the technologies in use
- APIs are marked as technologies
- Controlled by custom rules
- Enumerated in SmartAudit, e.g. 36 email API usages (no trace info), 242 SOAP API usages (no trace info)

Profiling Gives You Knowledge to Ask Questions
- Why is there an email interface?
- Why is the application opening a socket?
- Identifying critical assets
- Highlights usage in code

AppScan Source Edition Reporting
- Integration with AppScan Enterprise / AppScan Reporting Console
- An add-on allows import of results from AppScan Source Ed
- Provides a centralized security dashboard and trend reporting engine for black-box and white-box results
- Reporting Console reporting requirements are to be routed to either offering
- Clicking on the matrix cells changes the results list below
Components: AppScan Enterprise / Reporting Console; AppScan Source Ed for Developer / Remediation; AppScan Source Ed for Security


Basic Operational Responsibilities
- Set security requirements: a manager or security expert defines the vulnerabilities and how to judge criticality
- Configure: use the Project Configuration Wizard to get set up to scan your applications
- Scan: scan large code bases and return results. Ounce's unique security compiler technology handles code complexity and size with maximum efficiency
- Triage: separate real vulnerabilities from potential ones, allowing triage of critical issues to begin immediately
- Resolve: eliminate vulnerabilities by rewriting code, removing flaws, or adding security functions
- Verify fixes: rescan the code to assure that the vulnerabilities are eliminated

Rational AppScan Source Ed Deployment Overview
- Build: Rational AppScan Source for Automation
- Development: Rational AppScan Source Ed for Developer or for Remediation
- Security: Rational AppScan Source Ed for Security
- Functions: Rational AppScan Source Ed Core

Enabling security testing across the SDLC
Centre: AppScan Enterprise / Reporting Console; Rational ClearQuest / Defect Management; IBM Rational Web Based Training for AppScan
CODE - build security testing into the IDE*: AppScan Developer Ed (desktop); Rational Application Developer; Rational Software Analyzer
BUILD - automate security / compliance testing in the build process: AppScan Build Ed (scanning agent); Rational ClearCase; Rational BuildForge
QA - security / compliance testing incorporated into testing and remediation workflows: AppScan Tester Ed (scanning agent, QA clients); AppScan Ent. QuickScan (Web client); Rational Quality Manager
SECURITY - security and compliance testing, oversight, control, policy, audits: AppScan Standard Ed (desktop); AppScan Enterprise user (Web client)
Also shown: AppScan Express (desktop)

Deployment and workflow should support your needs
Managers
- Define security requirements
- Track development progress, review vulnerability data, and monitor remediation results
Security Analysis Team
- Configure the scanner for build integration
- Retrieve code for analysis
- Scan the entire application
- Triage results
- Assign vulnerabilities to developers
Developers
- Perform the necessary remediation
- Check in code

AppScan Source Edition Workflow (step: who performs it)
- Configure / On-board: Security Analyst
- Scan: Automation Server, or Developer Plug-in
- Publish: Security Analyst, Reporting Console
- Triage: Security Analyst
- Assign: Security Analyst
- Remediate: Security Analyst or Developer Plug-in

Flexible Deployment
- Build: Rational AppScan Source for Automation; Rational AppScan Standard Ed
- QA: Rational AppScan Tester Ed for RQM
- Development: Rational AppScan Source Ed Developer; Source Ed Remediation; Enterprise QuickScan
- Security / Compliance: Rational AppScan Standard Ed; Source Ed for Security
- Functions: Rational AppScan Source Ed Core; Rational AppScan Enterprise portal

Rational ALM Integrations
- Build (Build Forge): Rational AppScan Source for Automation; Rational AppScan Standard Ed
- Development (Application Developer): Rational AppScan Source Ed Developer; Source Ed Remediation; Enterprise QuickScan
- QA (Quality Manager): Rational AppScan Tester Ed for RQM
- Security / Compliance: Rational AppScan Standard Ed; Source Ed for Security
- Defect tracking (ClearQuest)
- Functions: Rational AppScan Source Ed Core; Rational AppScan Enterprise portal

AppScan Source Edition serves many stakeholders
- Insight and assessment, with trend analysis
- Supports standards compliance
- Rapid prioritization of threats, full coverage of all assets
- Simplified analysis customization, provides guidance and confidence
- Focus on the highest-severity threats
- Distributed reporting and annotated aggregation of results
- Profiles risk in IT- and audit-oriented terms
- Audit-centric reports
- Provides critical metrics (Vdensity) to prioritize and track remediation
- Accepts bundled and annotated results from security analysts
- Provides full diagnostic capability on developer desktops
- Simplifies security remediation through an extensive knowledge base