Web Application Security Testing Automation.

Copyright © 2008 Deloitte Touche Tohmatsu. All rights reserved.

Agenda
- What types of automated testing are there?
- What does web application security assessment comprise?
- How much can tools help?
- Where is it best to use these tools?

What types of automated testing are there?

When can you test?
(Timeline diagram.) Project-based development: Functional Testing, Non-Functional Testing, User Acceptance Testing, Performance & Volume Testing, Pilot, Pre-Production, Production ("Thank God it's gone live" party), then feature requests feeding BAU development and BAU testing. At each of these stages the slide asks the same question: test here?

Raw source code review
Get the code and use software configured with rules to find exceptions, then investigate them.
Pipeline: Source code -> Rules analysis -> Raw results (means something to a developer) -> Human review -> Findings (means something to a project manager).
Source: Secure Programming with Static Analysis, Chess & West.
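A small illustration of the pipeline on the slide (rules over source, raw results for the developer, a summary for the project manager), added here as an example; it is not Deloitte's tooling, and the rule set, the constructed Java fragment and the OWASP 2007 category labels are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Illustrative rule set (constructed for this example, not a real tool's rules):
# (rule id, severity, OWASP 2007 category, regex applied to one source line).
RULES = [
    ("SQL-CONCAT", "High", "A2 Injection Flaws",
     re.compile(r'(executeQuery|execute)\s*\(\s*".*"\s*\+')),
    ("REFLECT-PARAM", "High", "A1 XSS",
     re.compile(r'getWriter\(\)\.print\w*\(.*getParameter\(')),
    ("STACKTRACE", "Medium", "A6 Information leakage",
     re.compile(r'printStackTrace\s*\(')),
]

@dataclass
class RawResult:  # "raw result": exact location plus rule, what a developer needs
    path: str
    line: int
    rule: str
    severity: str
    category: str
    snippet: str

def scan_source(path: str, text: str) -> list[RawResult]:
    """Apply every rule to every line. Comment-only lines are skipped as a
    first, cheap triage step (a classic source of static-analysis noise)."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith(("//", "/*", "*")):
            continue
        for rid, sev, cat, rx in RULES:
            if rx.search(line):
                results.append(RawResult(path, n, rid, sev, cat, line.strip()))
    return results

def findings_summary(results: list[RawResult]) -> dict[str, int]:
    """Collapse raw results into what a project manager needs: a count per category."""
    return dict(Counter(r.category for r in results))

# Constructed Java servlet fragment used as sample input (not real project code).
SAMPLE = """\
String q = "SELECT * FROM users WHERE name='" + name + "'";
// stmt.executeQuery("SELECT * FROM t WHERE id=" + id);   commented out, ignored
ResultSet rs = stmt.executeQuery("SELECT * FROM users WHERE name='" + name + "'");
response.getWriter().println("Hello " + request.getParameter("user"));
} catch (SQLException e) { e.printStackTrace(); }
"""

if __name__ == "__main__":
    raw = scan_source("UserServlet.java", SAMPLE)
    for r in raw:
        print(f"{r.path}:{r.line} [{r.rule}/{r.severity}] {r.snippet}")
    print(findings_summary(raw))
```

The human-review step between the two outputs is where a reviewer confirms or discards each raw result before it becomes a finding; only the mechanical part of that step (dropping commented-out code) is modelled here.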

Integration into the development environment
Static analysis as you go: write some code, push it to the web server, do some "black box testing". Hmm, what's the first thing the developer will skip when he is under pressure to ship code?

Integration into test software
- Get some test data
- Capture some UAT test scripts
- Run those UAT scripts
- Use those test scripts to do some "black box" testing
- Try and persuade a developer that the defect is a defect
- Try and find some project managers to agree who is to pay to fix the defect
Don't expect your UAT test team to do security testing; they are usually lovely people, as they deal with the business.

Assessment from the network
"It's ready to go, let's do a final check."
- With some test data, walk the application logic, ALL of the application logic
- Scan away
- Try and read the report before the project goes live
- Try and find a developer to educate?

Fuzzing
Aka "I've run out of ideas, let's just bash away until something weird happens" with input validation or business logic.

What types of automated testing are there? Pros and cons by method

Source Code Review
  Pros: Can be done at any time during/after development.
  Cons: Access to source code required; think contractuals.

Development Environment Integrated
  Pros: Can be leveraged by the developer to help educate them.
  Cons: Can only be done during development.

Test Environment Integrated
  Pros: Testing is when most test data is hopefully available.
  Cons: Can only be done during testing. If you find a major input validation problem during test you will have to repeat UAT testing!

From Network
  Pros: Can be done at any time.
  Cons: Can cause a Denial of Service to the application.

Fuzzing
  Cons: Application has to be operational. Can be slow over the internet.

How much can tools help?

What does the testing comprise?
(Chart: Web Application Security Assessment, typical breakdown of effort.) There is a lot of manual testing involved in web application security testing. The majority of findings are related to poor implementation of role-based access controls and "business logic flows"; hence most effort is directed towards business logic testing.

What are we looking for?
(Chart: incidence of 10 common web application vulnerabilities in applications recently tested by Deloitte in the UK, as the percentage of tested web applications susceptible to each vulnerability. Vulnerability classifications are those defined by the Open Web Application Security Project.)

How web application scanners work
(Diagram.) Thankfully stolen from usa-04/bh-win-04-grossman/bh-win-04-grossman-up.pdf

Challenges of automated scanning
- Requirement for test data due to multi-page sequences
- Dynamically produced content
- Single Sign On / Identity Management / NTLM / Kerberos wackiness
- Client side code (bad architect, bad architect!)
- Non-standard error messages (good developer!)
- Denial of Service to application, system, network monitoring etc.
- Anti-automation

How much can tools help? Reduction in effort
Some aspects of testing can be automated, which reduces effort. Other aspects of testing are improved by automation through the reduction in human error.

How good are they at finding defects?
(Chart, OWASP Top 10 2007.) A1 - XSS; A2 - Injection Flaws; A3 - Malicious File Execution; A4 - Insecure Direct Object Reference; A5 - CSRF.

How good are they at finding defects? (continued)
A6 - Information leakage and improper error handling; A7 - Broken Authentication and Session Management; A8 - Insecure cryptographic storage; A9 - Insecure communications; A10 - Failure to restrict URL access.
Stolen with thanks from application-scan-o-meter.html

Where is it best to use these tools?

Where to use? A good situation to use each method

Source Code Review: Outsourced project development; BAU development.
Development Environment Integrated: Education of BAU developers?
Test Environment Integrated: Hmmm?
From Network: Scanning masses of brochure-ware sites for poor input validation and problems like XSS and SQL injection.
Fuzzing: Vulnerability research.

Manual and automated testing complement each other

Manual
  Pros: Picks up business logic flaws. Flexible in the face of an unfinished/unreliable application or test environment.
  Cons: Sample-based approach may miss instances of "low hanging fruit".

Automated
  Pros: Checks for boring vulnerabilities so you don't have to (e.g. information disclosure, backups of files, XSS); can be done more efficiently and comprehensively.
  Cons: Doesn't pick up the really important business logic flaws. Inflexible if the application is not completed.

Conclusion
- Of the automated tools, source code review tools are the most flexible, as they can be used at any point in the development cycle.
- Manual testing and automated testing complement each other.