SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT
Review by Rayna Burgess, 4/21/2011


2 of 20: Overview
4/21/2011 COMP 587 SW V&V Dr. Lingard | Security Testing Review – Rayna Burgess
- The Paper Selection
- Security Testing is Important (Relevant)
- Security Testing is Different from Functional Testing
- Security Testing is Difficult
- Security Engineer's Tasks
- Analyzing Security Risks
- Types of Security Testing
- Case Study: Java Card
- Conclusion

3 of 20: The Paper: Software Security Testing
- Gary McGraw, PhD, CTO of Cigital, Inc.
- Series of articles in IEEE Security & Privacy

4 of 20: Security Testing is Important

5 of 20: Security Testing is Different
- Malicious attacker
- Intelligent adversary
- Vulnerabilities exploited

6 of 20: Aaah! So many vulnerability lists!

7 of 20: McGraw's Vulnerability Taxonomy

8 of 20: Vulnerability Name Dropping
- gets() (buffer overflow problem, Morris Worm)
- Race condition (time of check to time of use)
- Insecure failure
- Transitive trust
- Trampoline
- Zero-day exploits

9 of 20: SQL Injection Vulnerability
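The slide names SQL injection without showing it, and slide 5 says security testing is different from functional testing. The following added example (my own code, not from the paper or the presenter) makes both points concrete with Python's built-in sqlite3 module: two lookups, one built by string concatenation and one using parameter binding, both pass the same functional test, and only a risk-based test with a textbook tautology as input tells them apart. The table and rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the SQL text by concatenation: the caller's input is parsed
    as part of the query, so a quote inside it changes the query's meaning."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Binds the input as a parameter: it is always compared as data."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def functional_test(lookup):
    """The test a functional tester writes: a known user is found, an
    unknown one is not. Both implementations pass it."""
    conn = make_db()
    return lookup(conn, "alice") == ["alice"] and lookup(conn, "mallory") == []


def risk_based_test(lookup):
    """The security test: feed a tautology instead of a name. Returns True
    only when the lookup treats it as an ordinary, unknown name."""
    conn = make_db()
    tautology = "x' OR 'a'='a"
    return lookup(conn, tautology) == []


if __name__ == "__main__":
    for impl in (lookup_vulnerable, lookup_safe):
        print(impl.__name__,
              "functional:", functional_test(impl),
              "risk-based:", risk_based_test(impl))
```

Running it shows `lookup_vulnerable` passing the functional test and failing the risk-based one (it returns every row), while `lookup_safe` passes both; the functional suite alone would have shipped the defect.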

10 of 20: Where are we? (outline from the Overview slide repeated)

11 of 20: SW Security Engineer's Tasks

12 of 20: Analyzing Security Risks
- Think like an attacker
- A vulnerability in the weakest link can expose the system
- Requires expertise
- Can practice/learn on:
  - WebGoat
  - DVWA
  - Hacme Bank

13 of 20: Types of Security Testing
- Functional security testing
- Risk-based security testing (hostile attacks)
- Black box / white box
- Static / dynamic

14 of 20: Static Security Analysis
- Risk analysis of design and architecture
- Static security analysis tools:
  - Source code or byte code
  - Good at finding patterns
  - Numerous false positives
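To show what "good at finding patterns, numerous false positives" means in practice, and to put two of the names from slide 8 (gets() and the check-then-use race) into source form, here is an added example of my own, not code from the paper or the presenter. It runs two toy pattern scanners over a constructed C fragment: a substring matcher that flags comments, string contents and fgets() along with the real defects, and a slightly more careful matcher that strips comments and strings and requires word boundaries. The ground-truth labels are what a human reviewer would assign; real tools add dataflow tracking, which this toy does not.

```python
import re

# Constructed C fragment (not from the paper): two real defects named on the
# "name dropping" slide, gets() and a check-then-use race, plus look-alikes.
SAMPLE_SOURCE = """\
#include <stdio.h>
/* legacy: reads a line with gets(), no bound check */
char line[64];
gets(line);
fgets(line, sizeof line, stdin);
if (access(path, W_OK) == 0) { fd = open(path, O_WRONLY); }
printf("user forgets(%s)\\n", name);
strcpy(dst, src);
"""

# Ground truth for the fragment, as a human reviewer would label it.
TRUE_DEFECTS = {(4, "gets"), (6, "access-then-open"), (8, "strcpy")}

# First attempt: plain substring rules, the kind of matching that makes a
# static tool good at finding patterns and also noisy.
NAIVE_RULES = {
    "gets": "gets(",
    "strcpy": "strcpy(",
    "access-then-open": "access(",
}


def naive_scan(source):
    findings = set()
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, needle in NAIVE_RULES.items():
            if needle in line:
                findings.add((lineno, name))
    return findings


# Second attempt: ignore comments and string literals, require a word
# boundary so fgets() and "forgets(" do not match, and for the race
# require both the check and the use (only within one line in this toy).
PRECISE_RULES = {
    "gets": re.compile(r"\bgets\s*\("),
    "strcpy": re.compile(r"\bstrcpy\s*\("),
    "access-then-open": re.compile(r"\baccess\s*\(.*\bopen\s*\("),
}


def strip_comments_and_strings(line):
    line = re.sub(r"/\*.*?\*/", "", line)
    line = re.sub(r"//.*", "", line)
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', line)


def precise_scan(source):
    findings = set()
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = strip_comments_and_strings(raw)
        for name, pattern in PRECISE_RULES.items():
            if pattern.search(line):
                findings.add((lineno, name))
    return findings


def triage(findings, truth=TRUE_DEFECTS):
    """Return (true positives, false positives, missed defects)."""
    return (len(findings & truth), len(findings - truth), len(truth - findings))


if __name__ == "__main__":
    print("naive  :", triage(naive_scan(SAMPLE_SOURCE)))
    print("precise:", triage(precise_scan(SAMPLE_SOURCE)))
```

The naive scanner reports six findings of which three are false positives; the refined one reports exactly the three real defects. Every false positive costs a human a triage decision, which is the overhead the slide warns about, and the refined rules still only see one line at a time, so a check on one line and the use several lines later would be missed.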

15 of 20: Penetration Testing
- Performed on a running system
- Can be used on COTS software too
- Penetration testing tools:
  - Network and OS vulnerability scanners: Nmap, Nessus, Aircrack
  - Automated penetration testing tools: Metasploit, Core Impact, Canvas
  - Other useful tools: fuzzing tools, WebScarab, ...
- Quality of pen testing depends on the human!

16 of 20: Case Study: Java Card
- Operating system for smart cards
- GlobalPlatform (Java Card, MULTOS)
- Used on bank cards (also SIMs, ID cards, medical cards)
- Two types of testing:
  - Functional security design tests
  - Risk-based attack tests

17 of 20: Functional Security Testing
- Tests security functionality:
  - Crypto
  - Commands
- Compliance testing (GALITT, 3/2011)
- All cards passed!

18 of 20: Risk-Based Security Testing (Attacks)
- Hostile attacks, based on risk assessment
- All cards failed some part of this testing!
- Analysis of the Java Card design:
  - Identify atomic transaction processing as the area of interest
  - Consequence is "printing money" (very high risk)
- Put on the black hat, don't follow the rules: abort, fail to commit, fill buffers, nest transactions
- Exposes vulnerabilities before the cards are issued to the public
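The slide lists the risk-based cases (abort, fail to commit, fill buffers, nest transactions) but not what a test for them looks like. The following is an added example of my own, not the paper's or any card vendor's code, and not the Java Card API: a constructed Python model of a purse whose persistent fields are written inside begin/commit transactions backed by a fixed-capacity commit buffer, plus a test routine that runs each of the slide's hostile cases and checks that the purse stays consistent, in particular that a card tear between crediting the balance and consuming the load allowance does not leave money on the card. The `load` operation, its `tear_after_credit` hook and the capacity numbers are all assumptions made for the example.

```python
class TransactionError(Exception):
    pass


class CardPurse:
    """Constructed model of Java Card-style transactions (not the real API).
    The commit buffer records the old value of each field written inside a
    transaction; like a real card's buffer it has a fixed capacity."""

    def __init__(self, balance, load_allowance, commit_capacity=4):
        self.balance = balance                  # persistent field
        self.load_allowance = load_allowance    # persistent field
        self._capacity = commit_capacity
        self._pending = None                    # None: no transaction open

    def begin(self):
        if self._pending is not None:
            raise TransactionError("nested transaction")
        self._pending = {}

    def _write(self, field, value):
        # Outside a transaction a single field write is atomic on its own.
        if self._pending is not None and field not in self._pending:
            if len(self._pending) >= self._capacity:
                raise TransactionError("commit buffer exhausted")
            self._pending[field] = getattr(self, field)
        setattr(self, field, value)

    def commit(self):
        if self._pending is None:
            raise TransactionError("no transaction open")
        self._pending = None

    def abort(self):
        if self._pending is None:
            raise TransactionError("no transaction open")
        for field, old in self._pending.items():
            setattr(self, field, old)
        self._pending = None

    def tear(self):
        """Power loss: anything not yet committed is rolled back."""
        if self._pending is not None:
            self.abort()

    def load(self, amount, tear_after_credit=False):
        """Top up the purse: credit the balance and consume the allowance.
        Both writes sit in one transaction, so a tear between them cannot
        leave money credited while the allowance is still intact."""
        if amount <= 0 or amount > self.load_allowance:
            raise ValueError("load not permitted")
        self.begin()
        self._write("balance", self.balance + amount)
        if tear_after_credit:        # test hook simulating a card tear
            self.tear()
            return
        self._write("load_allowance", self.load_allowance - amount)
        self.commit()


def risk_based_tests():
    """Each case deliberately breaks the normal flow; True means the purse
    stayed consistent."""
    results = {}

    p = CardPurse(100, 50)                      # fail to commit
    p.load(30, tear_after_credit=True)
    results["tear mid-load prints no money"] = (p.balance, p.load_allowance) == (100, 50)

    p = CardPurse(100, 50)                      # abort
    p.begin()
    p._write("balance", 10_000)
    p.abort()
    results["abort rolls back"] = p.balance == 100

    p = CardPurse(100, 50, commit_capacity=1)   # fill buffers
    p.begin()
    p._write("balance", 500)
    try:
        p._write("load_allowance", 0)
        overflow_rejected = False
    except TransactionError:
        overflow_rejected = True
    p.abort()
    results["buffer full rejected, state restored"] = (
        overflow_rejected and (p.balance, p.load_allowance) == (100, 50))

    p = CardPurse(100, 50)                      # nest transactions
    p.begin()
    try:
        p.begin()
        nested_rejected = False
    except TransactionError:
        nested_rejected = True
    p.abort()
    results["nested transaction rejected"] = nested_rejected

    p = CardPurse(100, 50)                      # the functional case still passes
    p.load(30)
    results["normal load works"] = (p.balance, p.load_allowance) == (130, 20)
    return results


if __name__ == "__main__":
    for name, ok in risk_based_tests().items():
        print("PASS" if ok else "FAIL", name)
```

The point of the design is that every test except the last one does something the functional suite never would, which is why, on the slide, all cards passed functional testing and still failed parts of this one.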

19 of 20: Almost done! (outline from the Overview slide repeated)

20 of 20: Conclusion: SW Security Testing is...
- Important
  - More software, more new attacks
  - More functionality, more vulnerabilities
  - Software is everywhere and connected!
- Different
  - Presence of a malicious, intelligent attacker
  - Software test engineers have different skills
- Difficult
  - Exploits are subtle
  - Automated static & dynamic tools are insufficient
  - Need a human!

“So now, when we face a choice between adding features and resolving security issues, we need to choose security.” -Bill Gates