Slide 1: AppSec Testing Beyond Pen Test
Bhushan Gupta, Gupta Consulting, LLC. (www.bgupta.com), 10/3/2018
Copyright Gupta Consulting, LLC.
Slide 2: Pen Testing – Some Observations
- An art of finding known vulnerabilities and exploiting them
- Well suited for networks and operating systems
- Tools have limited effectiveness
- Comes very late in the SDLC
Gary McGraw: "If you fail a penetration test you know you have a very bad problem indeed. If you pass a penetration test you do not know that you don't have a very bad problem."
Slide 3: Security
The slide is a cycle diagram of six steps; in order:
1. Categorize / determine data sensitivity
2. Select baseline controls
3. Implement security controls
4. Assess security controls
5. Determine risk to the organization
6. Monitor / track internal and external changes (which feeds back into step 1)
Slide 4: Data Security Principles
Confidentiality – maintaining data privacy (access control)
Integrity – only authorized modification of data and of the system environment
Availability – usable during the desired hours of service
Not all data is worth protecting! Protect data both while stationary (at rest) and in motion (in transit)!
Slide 5: NIST (National Institute of Standards and Technology) Access Control
Controls from the SP 800-53 Access Control (AC) family, plus Identification and Authentication:
- Identification and Authentication (IA family)
- Least Privilege (AC-6)
- Separation of Duties (AC-5)
- Session Lock (AC-11)
- Session Termination (AC-12)
- Unsuccessful Logon Attempts (AC-7)
- Access Enforcement (AC-3)
- Account Management (AC-2)
- System Use Notification (AC-8) – especially for Govt. applications
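The following is an added example (not from the presentation) showing how four of the listed controls look when enforced in application code: AC-7 (lock the account after repeated failed logons), AC-11 (lock an idle session), AC-12 (terminate a session after an absolute lifetime) and AC-3/AC-6 (enforce access against a least-privilege role table). The thresholds, the role-to-permission table and the accounts are assumptions chosen for the demo; NIST leaves the actual values to the organization's policy.

```python
"""Illustrative enforcement of NIST SP 800-53 AC-3/AC-6, AC-7, AC-11 and AC-12.

Added example, not from the presentation. Thresholds and the role table are
assumptions chosen for the demo, not values mandated by NIST.
"""
from dataclasses import dataclass

# Assumed policy parameters (the controls say "limit"; the numbers are ours).
MAX_FAILED_LOGONS = 3           # AC-7: consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60       # AC-7: how long the account stays locked
IDLE_LOCK_SECONDS = 10 * 60     # AC-11: lock the session after this much inactivity
MAX_SESSION_SECONDS = 8 * 3600  # AC-12: absolute session lifetime

# AC-6 least privilege: each role gets only the permissions it needs.
# Constructed role table for the example.
ROLE_PERMISSIONS = {
    "reader": {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin": {"report:read", "report:export", "user:manage"},
}


@dataclass
class Account:
    username: str
    password: str        # plaintext only to keep the demo short; store a hash in real code
    role: str
    failed_logons: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    username: str
    role: str
    started_at: float
    last_activity: float
    locked: bool = False  # AC-11 state: a locked session needs re-authentication


class AccessController:
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.sessions = {}

    def login(self, username, password, now):
        """AC-7: count failures and lock after the threshold. Returns a session id or None."""
        acct = self.accounts.get(username)
        if acct is None:
            return None  # same answer as a bad password: do not reveal which usernames exist
        if now < acct.locked_until:
            return None  # still locked, even if the password is right
        if password != acct.password:
            acct.failed_logons += 1
            if acct.failed_logons >= MAX_FAILED_LOGONS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_logons = 0
            return None
        acct.failed_logons = 0  # successful logon resets the counter
        sid = f"{username}:{int(now)}"
        self.sessions[sid] = Session(username, acct.role, now, now)
        return sid

    def check(self, sid, permission, now):
        """AC-3 access enforcement, preceded by the AC-12 and AC-11 session checks."""
        s = self.sessions.get(sid)
        if s is None:
            return "denied: no session"
        if now - s.started_at > MAX_SESSION_SECONDS:
            del self.sessions[sid]           # AC-12: terminate outright, do not just lock
            return "denied: session terminated"
        if s.locked or now - s.last_activity > IDLE_LOCK_SECONDS:
            s.locked = True                  # AC-11: stays locked until the user re-authenticates
            return "denied: session locked"
        s.last_activity = now
        if permission not in ROLE_PERMISSIONS.get(s.role, set()):
            return "denied: insufficient privilege"  # AC-6: the role was never granted this
        return "allowed"


if __name__ == "__main__":
    ac = AccessController([Account("alice", "correct horse", "reader")])
    for attempt in ("wrong", "wrong", "wrong", "correct horse"):
        print(attempt, "->", ac.login("alice", attempt, 0))
    sid = ac.login("alice", "correct horse", LOCKOUT_SECONDS + 1)
    print(ac.check(sid, "report:read", LOCKOUT_SECONDS + 2))
    print(ac.check(sid, "report:export", LOCKOUT_SECONDS + 3))
```

The order of checks in `check` matters: lifetime (AC-12) is tested before idle lock (AC-11) so that an expired session is discarded rather than left lockable, and both are tested before the permission lookup so that a stale session never reaches the authorization decision.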
Slide 6: STRIDE Approach to Vulnerability
Category | Description
Spoofing | Gaining access to the system using a false identity
Tampering | Unauthorized modification of data
Repudiation | Ability to successfully deny an activity that has already taken place
Information Disclosure | Unwanted exposure of private data
Denial of Service | Making the system unavailable for use
Elevation of Privilege | Gaining the access rights of a privileged user from a limited-privilege starting point
Slide 7: STRIDE Map – Epic Sign Up
The slide is a matrix with one row per user story of the Sign Up epic and one column per STRIDE category (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privileges), ending in a STRIDE Score column. The column positions were lost in extraction, so only the cell text and the scores are recoverable:
1. Browse to Web Site – No; YES; STRIDE score 1
2. Create user Profile – Yes; No (data stationary); Yes – social engineering; STRIDE score 2
3. Create Login Id & Password – cells not recoverable
6. Login – Yes (MitM); STRIDE score 5
The score reads as the number of STRIDE categories marked Yes for the story (rows 1 and 2 carry one and two Yes cells respectively).
Slide 8: Quantifying and Comparing Risk – DREAD Method
DREAD Index = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5
Each factor is scored 0, 5 or 10 (next slide), so the index is the average of the five factors and also lies between 0 and 10. The factor scores are analyst judgements, so the index is useful for ranking threats against each other within one assessment rather than as an absolute measure of risk.
Slide 9: Quantifying and Comparing Risk
Factor | Value = 0 | Value = 5 | Value = 10
Damage (impact on data) | None | Few users only | Entire system
Reproducibility | Very hard | Few steps required | Use of a web browser
Exploitability | Advanced knowledge needed | Use of kits | Just a web browser
Affected users (actual users impacted) | (not stated on the slide) | Some but not all | All users
Discoverability (of the application weakness) | Very hard (needs special effort) | Guessing | Easy – apparent, public domain / web browser
The slide prints the Discoverability cells in the opposite order (easy first); they are placed here under the column headings so that, as for the other factors, a higher value means higher risk.
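The two tables above (the STRIDE map of slide 7 and the DREAD scale of slides 8 and 9) combine into a small risk register. The block below is an added example, not code from the presentation: each threat found for a user story is recorded with its STRIDE category and five DREAD factor values restricted to the slide's 0/5/10 scale, the STRIDE score per story is computed as the count of distinct categories marked (the reading of slide 7 given above), and the threats are ranked by DREAD index. The stories' threats, notes and factor values are constructed for the demo and are not the slide's own cell values.

```python
"""STRIDE map with DREAD scoring for the user stories of a sign-up epic.

Added example, not from the presentation. The threats, notes and DREAD
values below are constructed for the demo.
"""
from dataclasses import dataclass
from enum import Enum


class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFORMATION_DISCLOSURE = "Information Disclosure"
    DENIAL_OF_SERVICE = "Denial of Service"
    ELEVATION_OF_PRIVILEGE = "Elevation of Privilege"


DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")
ALLOWED_VALUES = {0, 5, 10}  # the three-column scale used on the slides


@dataclass(frozen=True)
class Threat:
    story: str
    category: Stride
    note: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject values off the 0/5/10 scale so two analysts cannot mix scales.
        for f in DREAD_FACTORS:
            if getattr(self, f) not in ALLOWED_VALUES:
                raise ValueError(f"{f} must be 0, 5 or 10, got {getattr(self, f)}")

    def dread_index(self) -> float:
        """DREAD Index = (D + R + E + A + D) / 5, on the slides' 0-10 scale."""
        return sum(getattr(self, f) for f in DREAD_FACTORS) / len(DREAD_FACTORS)


def stride_scores(threats):
    """STRIDE score per story: number of distinct STRIDE categories marked for it."""
    cats_by_story = {}
    for t in threats:
        cats_by_story.setdefault(t.story, set()).add(t.category)
    return {story: len(cats) for story, cats in cats_by_story.items()}


def ranked(threats):
    """Threats sorted by DREAD index, highest first; ties broken by damage."""
    return sorted(threats, key=lambda t: (t.dread_index(), t.damage), reverse=True)


# Constructed sample register for the Sign Up epic (not the slide's own values).
SAMPLE = [
    Threat("6. Login", Stride.SPOOFING, "credentials captured by MitM on plain HTTP",
           damage=10, reproducibility=5, exploitability=5, affected_users=10, discoverability=10),
    Threat("6. Login", Stride.INFORMATION_DISCLOSURE, "username enumeration via error text",
           damage=5, reproducibility=10, exploitability=10, affected_users=10, discoverability=5),
    Threat("2. Create user Profile", Stride.INFORMATION_DISCLOSURE, "profile fields obtained by social engineering",
           damage=5, reproducibility=5, exploitability=5, affected_users=5, discoverability=5),
    Threat("2. Create user Profile", Stride.REPUDIATION, "no audit trail of who changed a profile",
           damage=5, reproducibility=10, exploitability=10, affected_users=5, discoverability=0),
    Threat("1. Browse to Web Site", Stride.DENIAL_OF_SERVICE, "unauthenticated page is a flood target",
           damage=5, reproducibility=10, exploitability=10, affected_users=10, discoverability=10),
]

if __name__ == "__main__":
    for story, n in sorted(stride_scores(SAMPLE).items()):
        print(f"{story}: STRIDE score {n}")
    for t in ranked(SAMPLE):
        print(f"{t.dread_index():4.1f}  {t.story:<24} {t.category.value:<22} {t.note}")
```

Because the index is an average, two threats with different profiles can tie (the two Login threats both score 8.0 here); the ranking breaks ties on Damage so that the higher-impact threat is addressed first, which is the kind of rule a team should agree on before comparing scores.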