Penetration Testing, by Brad Arkin, Scott Stender and Gary McGraw
Version 02U-1, Computer Security: Art and Science


Slide 2: Topics
- Introduction
- Penetration Testing Today
- Better Approach
- Summary/Conclusion

Slide 3: Introduction
- Testing for positives
- Security testing
- Test for negatives

Slide 4: Penetration Testing Today
- Attractive late life cycle activity
- Too little, too late as an attempt to tackle security.
- The use of security requirements, abuse cases, security risk knowledge and attack patterns in application design, analysis and testing is missing.

Slide 5: Penetration Testing Today (contd)
- Attractive late life cycle activity
- Results interpretation
  - A list of flaws, bugs and vulnerabilities
  - Doesn't factor in the time-boxed nature of late lifecycle assessments.
- Penetration testing as a way to declare victory

Slide 6: Penetration Testing in SDLC

Slide 7: A Better Approach
- Base the testing activities on the security findings discovered and tracked from the beginning of the development life cycle.
- Structure tests according to perceived risk and offer some kind of metric relating risk measurement to the software's security posture at the time of the test.
- Make use of tools
  - Use static analysis tools
  - Use dynamic analysis tools

Slide 8: A Better Approach (contd)
- Benefits of tools
  - Tools can perform the routine work needed for basic software security analysis.
  - Tool output lends itself to metrics, which software development teams can use to track progress over time.

Slide 9: A Better Approach (contd)
- Test more than once
  - Test at the feature, component, unit and system level.
  - Tests should attempt unauthorized misuse of, and access to, target assets as well as try to violate any assumptions the system might make relative to its components.

Slide 10: A Better Approach (contd)
- Test more than once
- Component level testing
  - Use static and dynamic tools uniformly at the component level.
  - The tool design should reflect the security test's goal: to misuse the component's assets, violate intercomponent assumptions, or probe risks.
  - Unit testing breaks system security down into several discrete parts.

Slide 11: A Better Approach (contd)
- Test more than once
- System level testing
  - System-level testing focuses on identifying intercomponent issues and assessing the security risk inherent at the design level.
  - If a component assumes that only trusted components have access to its assets, security testers should structure a test to attempt direct access to that component from elsewhere.
  - Focus on aspects of the system that couldn't be probed during unit testing.

Slide 12: A Better Approach (contd)
- Integrate with development life cycle
  - The most common problem with penetration testing is the failure to identify lessons to be learned and propagated back into the organization's SDLC.
- Mitigation strategy
  - Rather than simply fixing identified bugs, developers should perform a root-cause analysis of the identified vulnerabilities.
  - Developers and architects should devise mitigation strategies to address the identified vulnerabilities and any similar vulnerability in the code base.
  - Buffer overflow example

Slide 13: A Better Approach (contd)
- Integrate with development life cycle
  - Use test result information to measure progress against a goal.
  - Add tests for the mitigated vulnerability to the automated test suites.
  - Employ iterative security penetration tests.
    - Reveals fewer and less severe flaws in the system.
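
Slides 12 and 13 name a buffer overflow example and call for a test for the mitigated vulnerability in the automated suite, without giving details. The C example below is added here and is not from the slides or the authors: `struct account`, `NAME_CAP` and the function names are hypothetical. It routes every write to the buffer through one bounded setter (the root-cause mitigation) and keeps two negative tests as regression checks.

```c
#include <stddef.h>
#include <string.h>
#define NAME_CAP 16  /* hypothetical field size, chosen for this example */

struct account {
    char name[NAME_CAP];
    int  is_admin;   /* adjacent state an unchecked copy could overwrite */
};

/* Root-cause fix: every write to name goes through this one bounded setter.
 * Returns 0 on success, -1 if an argument is NULL or src does not fit
 * (in which case *a is left untouched). */
int account_set_name(struct account *a, const char *src)
{
    size_t n = 0;
    if (a == NULL || src == NULL)
        return -1;
    while (n < NAME_CAP && src[n] != '\0')   /* never read past NAME_CAP bytes */
        n++;
    if (n == NAME_CAP)                       /* no room left for the terminator */
        return -1;
    memcpy(a->name, src, n + 1);
    return 0;
}

/* Negative test: the input class from the finding must be rejected outright. */
int test_rejects_oversized(void)
{
    struct account a = { "alice", 0 };
    char big[4 * NAME_CAP];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return account_set_name(&a, big) == -1
        && a.is_admin == 0 && strcmp(a.name, "alice") == 0;
}

/* Boundary test: NAME_CAP-1 characters fit, NAME_CAP characters do not. */
int test_boundary(void)
{
    struct account a = { "", 0 };
    char fit[NAME_CAP], over[NAME_CAP + 1];
    memset(fit, 'b', NAME_CAP - 1);  fit[NAME_CAP - 1] = '\0';
    memset(over, 'c', NAME_CAP);     over[NAME_CAP] = '\0';
    return account_set_name(&a, fit) == 0 && strlen(a.name) == NAME_CAP - 1
        && account_set_name(&a, over) == -1 && a.name[0] == 'b';
}

int main(void)
{
    return !(test_rejects_oversized() && test_boundary()); /* exit 0 when both pass */
}
```

Running these checks in the automated suite on every build, ideally under a memory sanitizer, turns the one-off penetration-test finding into a repeatable measurement.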

Slide 14: Summary
- Penetration testing is the most commonly applied mechanism used to measure software security, but it is also the most misapplied mechanism.
- Apply penetration testing at the unit and system level, derive test cases from risk analysis, and incorporate the results back into the development life cycle.
- Integrate penetration testing into the development process to improve design, implementation and deployment practices.
- Questions/Comments?