Presentation transcript:

OWASP ASVS Project Discussion & Reflection

The case study
This is a real open source CMS system, albeit an older release from 2012.
The only intentional defect in the code: re-inclusion of one vulnerability from the previous release.
So, apart from that one re-introduced vulnerability, none of the code was intentionally bad... [16]

The process
Dividing the work by requirements / the code / tool? Or "agile" [5]? And/or by expertise or interest of the group members?
Tools to support the group process – GitLab, OWAAT...?
Tools to support inspecting the code – editors & IDEs, e.g. Doxygen, PHPDoc, IntelliJ, PHPStorm...?
Looking at the running website as well as the code?
Ideally you'd like to check all this while developing the code, but then there may still have to be an independent security evaluation afterwards.

Attacker model
One group considered different attacker models
– A: insider attacks
– B: outsider attacks
Shouldn't the attacker model get some attention in the ASVS process?

test vs code review

Static Code Analysis Tools
RATS, RIPS, Fortify, Checkmarx
Usefulness?
– only "basic and blatant flaws"?
– (m)any true positives?
– unworkably many false positives?
– comparison [4] covering only a small subset of possible problems? [17]
Improvements?
– more intelligence in the tool beyond just syntax (e.g. for "exec")
– but: limits in understanding meaning/semantics by any tool
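To make the "syntax versus semantics" point concrete, here is an added example (not from the slides, and not TestCMS code or any of the tools named above): a RATS-style check that flags every line naming a dangerous function, beside a minimal straight-line taint check that only flags a sink when attacker input actually reaches it. The sink, source and sanitizer lists and the PHP fragment are constructed for illustration; the taint check has no branches, no string functions and no inter-procedural flow, which is exactly where the semantic limits of the real tools begin.

```python
"""Added example, not from the slides and not TestCMS code: a syntax-only
"dangerous function" check of the kind RATS does, beside a minimal
straight-line taint check, run over a constructed PHP fragment. The sink,
source and sanitizer lists and the fragment are assumptions for illustration."""
import re

# Sinks that hand a string to a shell or to the PHP interpreter.
SINKS = {"exec", "shell_exec", "system", "passthru", "popen", "eval"}
# Superglobals carrying attacker-controlled input.
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
# Calls this toy checker treats as neutralising shell metacharacters.
SANITIZERS = ("escapeshellarg", "escapeshellcmd")

CALL_RE = re.compile(r"\b(\w+)\s*\(")                    # function-call names
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")  # $var = expr;
VAR_RE = re.compile(r"\$\w+")                             # any $variable

# Constructed sample: the same sink in four different data-flow situations.
SAMPLE_PHP = """\
<?php
exec('ls -l /var/www');
$dir = $_GET['d'];
exec("ls " . $dir);
$safe = escapeshellarg($_GET['d']);
exec("ls " . $safe);
$x = $_POST['x'];
$x = 'static';
system($x);
"""

def syntax_findings(php):
    """RATS-style: every line that names a sink is reported (1-based line numbers)."""
    return [n for n, line in enumerate(php.splitlines(), 1)
            if set(CALL_RE.findall(line)) & SINKS]

def _tainted(expr, tainted):
    """Does expr derive from a source, with no sanitizer in between?
    Assumption: a sanitizer anywhere in the expression covers all of it."""
    if any(s in expr for s in SANITIZERS):
        return False
    if any(s in expr for s in SOURCES):
        return True
    return any(v in tainted for v in VAR_RE.findall(expr))

def taint_findings(php):
    """Straight-line taint propagation: a sink is reported only when its
    argument is (transitively) attacker-controlled at that point."""
    tainted, out = set(), []
    for n, line in enumerate(php.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        expr = m.group(2) if m else line
        if set(CALL_RE.findall(expr)) & SINKS and _tainted(expr, tainted):
            out.append(n)
        if m:
            var = m.group(1)
            if _tainted(expr, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)  # reassignment with a clean value clears taint
    return out

def false_positives(php):
    """Sink lines the syntax check reports that the taint check does not."""
    return sorted(set(syntax_findings(php)) - set(taint_findings(php)))

if __name__ == "__main__":
    print("syntax :", syntax_findings(SAMPLE_PHP))   # [2, 4, 6, 9]
    print("taint  :", taint_findings(SAMPLE_PHP))    # [4]
    print("noise  :", false_positives(SAMPLE_PHP))   # [2, 6, 9]
```

Of the four sink calls, the syntax check reports all four and the taint check reports only line 4; the literal command, the escaped argument and the variable that was overwritten with a constant are the false positives the slide is asking about. Note what even this small improvement cannot see: a sanitizer that only escapes part of the expression, taint flowing through a function parameter, or a branch that re-taints a variable.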

Dynamic analysis tools?
OWASP ZAP, Wapiti, DirBuster, sqlmap, Skipfish, Nessus, OpenVAS, ...

code vs deployment/configuration/server
The source code of the application could be fine, but the configuration could still screw things up.
In defence of ASVS: it is not meant for evaluation using just source code review.
Other 'scoping' issues:
– do we have to look at libraries, frameworks, ...?
– what about dead code / unused parts? (e.g. Curl)
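An added example of the "code is fine, configuration isn't" point (not from the slides, and not TestCMS code): a small lint over a php.ini-style fragment. The directive names are real php.ini directives; the two fragments, the values treated as acceptable and the one-line reasons are my assumptions for illustration. An unset directive is reported as well, because a reviewer who only has the source cannot know which build default applies on the target host.

```python
"""Added example, not from the slides and not TestCMS code: a lint over a
php.ini-style fragment, showing how deployment settings can undo a clean
code review. Directive names are real php.ini directives; the two fragments,
the acceptable values and the reasons are assumptions for illustration."""

# directive -> (values treated as acceptable, why it matters)
EXPECTATIONS = {
    "display_errors": ({"off", "0"},
        "error output leaks paths, queries and stack traces to users"),
    "allow_url_include": ({"off", "0"},
        "include() of a URL turns a local file include into remote code execution"),
    "allow_url_fopen": ({"off", "0"},
        "file functions can fetch attacker-chosen remote content (assumption: app uses curl instead)"),
    "expose_php": ({"off", "0"},
        "X-Powered-By header advertises the PHP version"),
    "session.cookie_httponly": ({"on", "1"},
        "session cookie readable by injected script"),
    "session.use_strict_mode": ({"on", "1"},
        "server accepts attacker-supplied session ids (fixation)"),
}

def parse_ini(text):
    """Minimal php.ini reader: ';' starts a comment, [sections] are ignored,
    keys and values are lower-cased for comparison."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings

def lint(settings):
    """Return (directive, observed value, reason) for every expectation not met.
    An unset directive is reported too: from the source alone the reviewer
    cannot know which build default applies on the deployed host."""
    findings = []
    for key, (acceptable, why) in EXPECTATIONS.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, "<unset, build default applies>", why))
        elif actual not in acceptable:
            findings.append((key, actual, why))
    return findings

# Constructed: a development php.ini left on the production host...
WEAK_INI = """\
; constructed sample, not a real deployment
[PHP]
display_errors = On
allow_url_include = On
expose_php = On
[Session]
session.cookie_httponly = 0
"""
# ...and the same host after hardening.
HARDENED_INI = """\
[PHP]
display_errors = Off
allow_url_include = Off
allow_url_fopen = Off
expose_php = Off
[Session]
session.cookie_httponly = 1
session.use_strict_mode = 1
"""

def weak_directives(ini_text):
    """Just the directive names that fail, in EXPECTATIONS order."""
    return [key for key, _, _ in lint(parse_ini(ini_text))]

if __name__ == "__main__":
    for key, value, why in lint(parse_ini(WEAK_INI)):
        print(f"{key} = {value}: {why}")
    print("hardened:", weak_directives(HARDENED_INI))  # []
```

Nothing in the application source changes between the two fragments, yet the first deployment exposes error output to users, accepts remote includes and hands the session cookie to any injected script. This is also one of the "NA, depends on the configuration of the web server" cases from the NA discussion: the code review can only record the question, the deployment check answers it.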

ASVS problems
Missing requirements?
Unclear requirements/formulations? [16]
– more explanation?
– more context needed about the application: policies & templates and business rules
Requirements with very wide scope?
Different levels of importance/impact?
Not giving enough hints on how to organize things – how rather than what
(Some requirements, e.g. V1, only existed in earlier ASVS releases & have since been removed)

ASVS improvements
It should also describe how to verify things – how rather than what
Distinguish
– different levels of certainty
– different levels of importance/relevance/impact
Missing requirements, e.g. "SQL truncation & crypto setting"? [1]
Should the ASVS specify when a specific protection mechanism against, say, clickjacking (V11.8) is good enough? [14]
Should the ASVS make an explicit link with the OWASP Top 10? [6]
As a side-product of doing a security assessment, produce a checklist of dependencies on libraries, interpreters, runtime, etc., so that anyone deploying the system knows that for these they should keep track of security issues, updates, etc.
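As an added example of what a "how to verify, and when is it good enough" answer to the clickjacking question could look like (this is not from the slides or from the ASVS text): a check over a response's anti-framing headers. The precedence rule (a CSP frame-ancestors directive overrides X-Frame-Options) and the header values follow the X-Frame-Options and CSP specifications; the sample responses are constructed. The "review" verdict is deliberate: an allow-list of framing origins is only good enough if each origin is meant to frame the site, which is the policy context the NA discussion says the headers alone cannot supply.

```python
"""Added example, not from the slides or from ASVS: one concrete answer to
"when is a clickjacking defence good enough?", as a check over response
headers. Precedence and values follow the X-Frame-Options and CSP
frame-ancestors specifications; the sample responses are constructed."""

def parse_headers(raw_response):
    """Split a raw HTTP response head into {lower-name: [values]}; the status
    line is skipped and repeated headers keep all their values."""
    headers = {}
    for line in raw_response.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def frame_protection(headers):
    """Return (verdict, reason). A CSP frame-ancestors directive, when present,
    takes precedence over X-Frame-Options, which is what browsers do."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [p.lower() for p in parts[1:]]
                if sources in (["'none'"], ["'self'"]):
                    return "ok", f"CSP frame-ancestors {sources[0]}"
                if "*" in sources or any(s.startswith("http:") for s in sources):
                    return "weak", f"CSP frame-ancestors permits framing: {sources}"
                # An allow-list is only good enough if every listed origin is
                # meant to frame the site: a policy question, not a header question.
                return "review", f"CSP frame-ancestors allow-list {sources}"
    xfo = headers.get("x-frame-options", [])
    if not xfo:
        return "missing", "neither X-Frame-Options nor CSP frame-ancestors is set"
    value = xfo[0].strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return "ok", f"X-Frame-Options {value}"
    if value.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is obsolete and ignored by current browsers; use CSP frame-ancestors"
    return "weak", f"unrecognised X-Frame-Options value {xfo[0]!r} is ignored by browsers"

# Constructed sample responses (not captured traffic).
RESPONSES = {
    "no_header": "HTTP/1.1 200 OK\nContent-Type: text/html\n",
    "xfo_deny": "HTTP/1.1 200 OK\nX-Frame-Options: DENY\n",
    "allow_from": "HTTP/1.1 200 OK\nX-Frame-Options: ALLOW-FROM https://partner.example\n",
    # X-Frame-Options says DENY, but the CSP that overrides it allows any framer.
    "csp_overrides_xfo": ("HTTP/1.1 200 OK\nX-Frame-Options: DENY\n"
                          "Content-Security-Policy: default-src 'self'; frame-ancestors *\n"),
    "csp_self": "HTTP/1.1 200 OK\nContent-Security-Policy: frame-ancestors 'self'\n",
    "csp_partner": "HTTP/1.1 200 OK\nContent-Security-Policy: frame-ancestors https://partner.example\n",
}

def verdicts():
    """Verdict per constructed response."""
    return {name: frame_protection(parse_headers(raw))[0]
            for name, raw in RESPONSES.items()}

if __name__ == "__main__":
    for name, raw in RESPONSES.items():
        verdict, reason = frame_protection(parse_headers(raw))
        print(f"{name:18} {verdict:8} {reason}")
```

The fourth case is the one a checklist entry of the form "X-Frame-Options present: yes" gets wrong: DENY is sent, but the CSP frame-ancestors directive that browsers honour instead allows every origin to frame the page.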

NA
Different meanings of Not Applicable (NA) and Not Relevant (NR) are used:
– NA, so trivially passed
– NA, hence clearly failed
– we don't really know
    – because the requirement is not clear, or
    – because the code is not clear
– we can't really know, as this depends
    – on the configuration or the web server
    – on the context: policies and business rules

RSS issue with an empty line [2]
Whose fault is this?

TestCMS

PHP

Security assessment & assurance
Different ways to do a security assessment & get some assurance:
1. pen-test
2. doing an OWASP ASVS review like you did
3. simply running Fortify & Checkmarx
Would these draw similar conclusions about the overall security?
– finding the same/similar security flaws?
– drawing the same/similar conclusions & recommendations?

Anything else?
about tools, process, ASVS, TestCMS, ...

This group project itself
Did you learn anything/enough?
Is this an effective way to learn anything?