SUBMISSION TITLE
Srinivas Munigala, Principal QA Engineer, Progress Software Pvt Ltd
Abstract
Information is an asset for today's organizations and individuals. Information may be more or less important and very often has a monetary value. The disclosure, improper modification, or unavailability of information may cause expenses (loss) or missed profits for the organization or the individual. Therefore, most organizations and individuals protect information to a certain extent. User identity and authentication are the main security processes that work together to provide access to assets in a controlled manner. Security testing is one of the most talked-about subjects in IT today. It is a very important aspect of testing, and a tricky one. Authentication and authorization play a vital role in security testing. This session gives a complete overview of the authentication and authorization mechanisms available in application security, the challenges of managing user identity in distributed environments, and techniques to test them thoroughly.
Presentation Body
Agenda
- Overview of Application Security
- Importance of Authentication and Authorization
- Different threats to A & A
- Enterprise user Identification and Authentication Challenges
- Different techniques to secure your credentials
- Testing tips for Sensitive Data Exposure

Overview - History
We are working on these slides

Overview - Now
We are working on these slides

Overview - Cost of data breach

Overview - Security in different layers
We are working on these slides

Overview - Security Types
- Application Security
  - Identity Management
  - Authentication
  - Authorization
- Connection and Data Security
  - Confidentiality
  - Integrity
  - Trust
We are working on these slides

Authentication and Authorization
We are working on these slides
Importance of Authentication and Authorization
Evaluation of A & A
- Password
- Hardware tokens
- Software tokens
- Single sign-on
- Federated
We are working on these slides

Enterprise user Identification and Authentication Challenges
Yet to prepare slides

Different threats to A & A
- Bypassing authentication
- Default passwords
- Password guessing
- Sniffing credentials off the network
- Replaying authentication
- Session hijacking
- Downgrading authentication strength

Different techniques to secure your credentials
- Secret algorithm
- Secret key
- Protection keys
- Data Encryption Standard (DES / 3DES)
- Advanced Encryption Standard (AES)
- RC4
- RSA encryption algorithm
- Encryption
- Message Integrity Code (MIC)
- Message Authentication Code (MAC)
- Data integrity
Yet to prepare slides
Authentication Testing Techniques - Areas to look into
- Data at rest and in transit
- Default credentials
- Lockout mechanism
- Bypassing authentication
- Remember-password functionality
- Browser cache
- Password change / reset
Yet to prepare slides
Use Case 1 - Sensitive Data Exposure
Threat agents:
- Data at rest
- Data in transit
- Data in browsers
Attack vectors:
- Steal keys
- Man-in-the-middle attacks
- Steal clear text
Security weakness:
- Clear text
- Old / weak algorithm
- Weak crypto keys
Tools:
- Wireshark
- Fiddler
Yet to prepare slides
Wireshark sample output for sensitive data
Use Case 2 - Broken Authentication and Session Management
Threat agents:
- Anonymous users
- Users with their own accounts
Attack vectors:
- Flaws in authentication
- Flaws in session management
Security weakness:
- Log out
- Password management
- Timeouts
Tools:
- Burp Suite
- JMeter
Yet to prepare slides
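The "areas to look into" list under Authentication Testing Techniques and the session-management weaknesses in Use Case 2 (log out, password management, timeouts) are the properties a tester scripts against a login service. The following is an added example, not the presenter's or Progress Software's code: it models a hypothetical in-memory authentication service with the controls a tester expects (lockout after repeated failures, expiring sessions, logout and password change invalidating sessions, hashed rather than clear-text credentials at rest) and then runs the checks a tester would run against it. All names, limits and the fake clock are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed limits for the hypothetical service under test
MAX_FAILURES = 5          # failed logins before lockout
LOCKOUT_SECONDS = 300     # how long the account stays locked
SESSION_TIMEOUT = 900     # idle/absolute session lifetime in seconds


def _hash_password(password: str, salt: bytes) -> bytes:
    # Credentials at rest are a salted PBKDF2 hash, never clear text.
    # Iteration count kept low for a fast demo; production uses far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AuthService:
    """Hypothetical login service (constructed) exposing the controls we test."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so tests can advance time
        self.users = {}         # username -> credential + lockout state
        self.sessions = {}      # token -> {"user", "expires"}

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash_password(password, salt),
                                "failures": 0, "locked_until": 0.0}

    def login(self, username, password):
        """Return a session token, or None on bad credentials or lockout."""
        user = self.users.get(username)
        if user is None:
            _hash_password(password, b"\x00" * 16)  # same cost for unknown users
            return None
        now = self.clock()
        if now < user["locked_until"]:
            return None                              # locked: don't even check
        if not hmac.compare_digest(user["hash"], _hash_password(password, user["salt"])):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:
                user["locked_until"] = now + LOCKOUT_SECONDS
                user["failures"] = 0
            return None
        user["failures"] = 0
        token = secrets.token_urlsafe(32)            # unguessable session id
        self.sessions[token] = {"user": username, "expires": now + SESSION_TIMEOUT}
        return token

    def is_valid_session(self, token):
        session = self.sessions.get(token)
        if session is None:
            return False
        if self.clock() >= session["expires"]:
            del self.sessions[token]                 # expired tokens are dropped
            return False
        return True

    def logout(self, token):
        self.sessions.pop(token, None)

    def change_password(self, username, old_password, new_password):
        """Re-authenticate, store the new hash, and kill every existing session."""
        if self.login(username, old_password) is None:
            return False
        self.register(username, new_password)
        for tok in [t for t, s in self.sessions.items() if s["user"] == username]:
            del self.sessions[tok]
        return True


class FakeClock:
    """Controllable clock so timeout and lockout expiry can be tested offline."""
    def __init__(self, start=1_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def run_auth_checks():
    """The checks a tester scripts; returns {check_name: passed}."""
    clock, pw, new_pw = FakeClock(), "correct horse battery staple", "new passphrase 42"
    svc = AuthService(clock=clock)
    svc.register("alice", pw)
    r = {}
    for _ in range(MAX_FAILURES):                    # lockout mechanism
        svc.login("alice", "wrong")
    r["lockout_engaged"] = svc.login("alice", pw) is None
    clock.advance(LOCKOUT_SECONDS + 1)
    token = svc.login("alice", pw)
    r["lockout_expires"] = token is not None
    r["session_valid_before_timeout"] = svc.is_valid_session(token)
    clock.advance(SESSION_TIMEOUT + 1)               # timeouts
    r["session_invalid_after_timeout"] = not svc.is_valid_session(token)
    token = svc.login("alice", pw)
    svc.logout(token)                                # log out
    r["logout_kills_session"] = not svc.is_valid_session(token)
    token = svc.login("alice", pw)
    svc.change_password("alice", pw, new_pw)         # password management
    r["password_change_kills_sessions"] = not svc.is_valid_session(token)
    r["old_password_rejected"] = svc.login("alice", pw) is None
    r["new_password_accepted"] = svc.login("alice", new_pw) is not None
    return r


if __name__ == "__main__":
    for check, passed in run_auth_checks().items():
        print(f"{'PASS' if passed else 'FAIL'}  {check}")
```

Each entry in the returned dict corresponds to one item on the testing checklist; a FAIL on a real system is the finding (no lockout, sessions surviving logout or password change, tokens that never expire). The same checks can be driven against a live login endpoint with Burp Suite or JMeter by replacing the in-memory service with HTTP calls.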
References & Appendix
Author Biography
Srinivas Munigala is a Principal Engineer at Progress Software Pvt Ltd. He has worked on different Progress products and has been associated with the OpenEdge AppServer for the last 7 years. He has good knowledge of the Classic AppServer and its related adapters (AIA, WSA, REST, SonicMQ and Sonic ESB), and hands-on experience developing ABL, REST and SOAP applications. His recent interests involve security in AppServers and OpenEdge products, where he has explored SSL protocols, ciphers and authentication mechanisms extensively.
Thank You!!!