Gray, the New Black: Gray-Box Web Vulnerability Testing
Brian Chess, Founder / Chief Scientist, Fortify Software, an HP Company
June 22, 2011



Todo
  Define gray-box testing
  Why black-box is insufficient
  What we built
  Examples
  Haters club

Definitions: Black-box testing
  System-level tests
  No assumptions about implementation

Definitions: White-box testing
  Examine implementation
  Test components in isolation

Definitions: Gray-box testing
  System-level tests (like black-box)
  Examine implementation (like white-box)

The Software Security Game
  Objective
  Rules vs. Strategy
  Playing Field

Objective
  Defender: Protect everything
  Attacker: Exploit one vulnerability

Rules for the Defender
  1. Don’t attack the attacker

Rules vs. Strategy
  Rules: Don’t attack the attacker
  Strategy: Emulate attacker’s techniques

Who wins?
  Technology
  Expertise
  Time

Changing the odds

The Defender’s Advantage
  Time
  Inside Access
  Technology
  Expertise

Prior Art
  2005: Concolic testing: Sen, University of Illinois
  2008: Microsoft SAGE: Godefroid, MSR
  2008: Test Gen for Web Apps: Shay et al, U. Washington
  2008: Acunetix: AcuSensor

Access to the Software
  Allows for ‘Hybrid’ analysis
  Black-box Approach + White-box Approach

‘Hybrid’ Analysis (correlation engine): Mostly Broken

The ‘Real-Time Hybrid’ Approach (correlation engine): Good Results

Evolving to Integrated Analysis
  Application with a real-time link
  Find More
  Fix Faster

Find More
  Reduce false negatives
  Automatic attack surface identification
  Understand effects of attacks
  Detect new types of vulnerabilities (Privacy violation, Log Forging)

Attack surface identification
  /login.jsp
  /pages/account.jsp
  /pages/balance.jsp
  /admin/admin.jsp
  Sources: File system, Configuration-driven, Programmatic
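An added illustration of the "configuration-driven" and "file system" sources on this slide, not Fortify's tool or the Yazd/JavaBB code: with inside access, the deployment descriptor and the deployed files list entry points that a crawler never reached, which is how a hidden admin area surfaces. The web.xml, file listing and crawl set below are constructed for the demo; the "programmatic" source (routes built in code) is not covered.

```python
import xml.etree.ElementTree as ET

# Constructed deployment descriptor (not Yazd's or JavaBB's): web.xml is where the
# configuration-driven part of a Java web app's attack surface is declared.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet-mapping><servlet-name>admin</servlet-name><url-pattern>/admin/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>report</servlet-name><url-pattern>/report.do</url-pattern></servlet-mapping>
</web-app>"""

# Constructed listing of the deployed webapp directory: the file-system attack surface.
WAR_FILES = ["login.jsp", "pages/account.jsp", "pages/balance.jsp", "admin/admin.jsp",
             "WEB-INF/web.xml", "WEB-INF/views/secret.jsp"]

# Constructed result of a black-box crawl that followed links from /login.jsp.
CRAWLED = {"/login.jsp", "/pages/account.jsp", "/pages/balance.jsp"}

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

def config_entry_points(web_xml):
    """URL patterns declared in web.xml; they exist whether or not any page links to them."""
    root = ET.fromstring(web_xml)
    return {m.findtext("j:url-pattern", namespaces=NS).strip()
            for m in root.findall("j:servlet-mapping", NS)}

def filesystem_entry_points(files):
    """Every JSP outside WEB-INF is directly addressable by URL; WEB-INF is never served."""
    return {"/" + f for f in files if f.endswith(".jsp") and not f.startswith("WEB-INF/")}

def hidden_attack_surface(web_xml, files, crawled):
    """Entry points known from the inside that the black-box crawl never reached."""
    inside = config_entry_points(web_xml) | filesystem_entry_points(files)
    return sorted(inside - crawled)
```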

Understand effects of attacks
  /admin/admin.jsp: Command Injection
  Black-box view: ✗
  Inside view (sysadmin$ ./sh): ✔

Fix Faster
  Reduce False Positives: Confirm vulnerabilities
  Provide Actionable Details: Stack trace, Line of code
  Collapse Duplicate Issues: Tie to root cause

Reduce False Positives
  /admin/admin.jsp: SQLi? ✔

Actionable Details: /login.jsp

Collapse Duplicate Issues
  /login.jsp, /pages/account.jsp, /pages/balance.jsp
  Cross-Site Scripting issues 1, 2, 3 collapse to 1 root cause

JavaBB – Case Study
  Open Source Bulletin Board
  Additional Vulnerabilities: Finds 18 SQL Injection results
  Root cause analysis: 18 SQL injection results have 1 root cause
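The JavaBB result (18 SQL injection results, 1 root cause) and the "Reduce False Positives" and "Collapse Duplicate Issues" slides come down to two things a monitor inside the application can do that a scanner outside cannot: see whether a probe actually reaches the SQL sink unescaped, and group results by the call site that issued the query. The following is an added Python sketch of both, not Fortify's product or the JavaBB code: the demo app, its handlers, the probe marker and the in-memory database are all constructed.

```python
import sqlite3
import traceback
from collections import defaultdict

# Constructed demo app, not JavaBB or Yazd code: three handlers share one DAO helper,
# so a scanner reports three SQLi results that have a single root cause.
PROBE = "gbx'probe"   # marker with a quote; seen verbatim at the sink => confirmed SQLi
EVENTS = []           # gray-box sink log: (endpoint, query, call_site)
CURRENT = {"endpoint": None}

def execute(conn, query):
    """Instrumented SQL sink: log the query and the innermost app call site
    (the slides' line of code / stack trace), then run it as the app would."""
    f = traceback.extract_stack()[-2]   # the application frame that called execute()
    EVENTS.append((CURRENT["endpoint"], query, f"{f.name}:{f.lineno}"))
    return conn.execute(query)

def find_user(conn, name):  # vulnerable DAO: string concatenation into SQL
    return execute(conn, "SELECT id FROM users WHERE name = '" + name + "'").fetchall()

login = account = balance = lambda conn, p: find_user(conn, p["user"])  # shared DAO
def search(conn, p):  # the same flaw written a second time: a second root cause
    return execute(conn, "SELECT id FROM users WHERE name LIKE '%" + p["q"] + "%'").fetchall()
HANDLERS = {"/login.jsp": login, "/pages/account.jsp": account,
            "/pages/balance.jsp": balance, "/search.jsp": search}

def scan(conn):
    """Black-box probe of every endpoint plus gray-box confirmation at the sink."""
    confirmed = []
    for path, handler in HANDLERS.items():
        CURRENT["endpoint"], start = path, len(EVENTS)
        try:
            handler(conn, {"user": PROBE, "q": PROBE})
        except sqlite3.Error:
            pass  # the black-box view: only an error page, "SQLi?"
        for ep, query, site in EVENTS[start:]:
            if PROBE in query:  # probe reached the sink unescaped: SQLi confirmed
                confirmed.append((ep, site))
    return confirmed

def run():
    """Scan the demo app and group confirmed results by root cause (sink call site)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    by_cause = defaultdict(list)
    for ep, site in scan(conn):
        by_cause[site].append(ep)
    return dict(by_cause)
```

A parameterized or escaped query would never contain the probe verbatim at the sink, so the same check that confirms the three shared-DAO results also clears a scanner's false positive.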

Vulnerability Diagnosis: Confirmed SQL Injection

Actionable Details
  Line of Code
  Parameters
  Stack Trace

Yazd – Case Study
  Open Source Forum
  Additional Attack Surface: Discovers hidden ‘admin’ area
  3 Additional Cross-Site Scripting results
  Root cause analysis: Collapses 34 XSS into 24 root-cause vulnerabilities

Attack surface identification: Hidden ‘admin’ area

Collapse Duplicate Issues

One More Case Study

Future: Automated anti-anti automation

The Case Against “Hybrid”
  Hard to find attack surface with static analysis
  Static/dynamic correlation doesn’t work
  Doesn’t help with false positives / false negatives
  Nobody will run a software monitor (cheating!)

The Case for Gray-Box Testing
  Black-box is a losing game
  Find more: Attack surface, Vulnerability diagnosis
  Fix faster: Root cause analysis, Collapse duplicates
