
OUCC 2015 Inspiring Innovation Presentation: Secure Web Apps via Language Security Checklists, Project Management Principles, and Cyclic App Pen Testing.

Presentation transcript:

1 OUCC 2015 Inspiring Innovation Presentation: Secure Web Apps via Language Security Checklists, Project Management Principles, and Cyclic App Pen Testing
Presenter: Patrick Matlock, U of Waterloo
Date: May 5th, 2015
Email: pmatlock@uwaterloo.ca

2 THANKS
My Dad
Jason Testart

3 MY DAY JOB
Web penetration tester
Security consultant
Code reviews
EA web security reference model
VMs (developer; eater of Dog Food)

4 WEB PEN TEST CLIENTS
UW Portal [OUCC 2015]
UW OpenData [OUCC 2015]
PeopleSoft HR
Desire2Learn
190+ different vendors/systems

5 WHAT WAS THE PROBLEM?
btw: “require pen test/web pen test. Today”
“end of project”
“Uhmmm. Software/system has some issues …”
Hated throughout the land

6 Let's graph that!!

7 SPECIFIC TO GENERAL
“end of project parade”
However, web pen testing is a set of variable tasks
SDLC: inject IT security as early as possible
Pro-active vs Reactive

8 SECURITY BY DESIGN
SDLC (security development life cycle)
“Spiral (waterfall; go back)” project management
Get the risks correct (close)
Language security checklist (deterministic)
Web Pen test profiler rig (self-serve, deterministic)

9 DATA LANGUAGE CHECKLISTS

10 CHECKLIST CONTENT
Best practice, usage guide, DB, framework?, MUST, SHOULD, COULD
Web-specific pieces per language
Formal References

11 AngularJS CHECKLIST

12 WEB PEN TEST PROFILER: why
Light patrol of campus public web (no WAFs, SAST/DAST/IAST/RASP)
Surgical vs brute force (time & $$$$$$)
IST-ISS is a campus resource; “manage what you measure”
API self-service *now*
Pro-active

13 WEB PEN TEST PROFILER *TOOL*
Arachni

14 WEB PEN TEST PROFILER
80/8080/443/4443 Script

15 WEB PEN TEST PROFILER MAIN URL

16 WEB PEN TEST PROFILER HOSTS

17 WEB PEN TEST PROFILER URL LIST

18 WEB PEN TEST PROFILER PLUGIN

19 WEB PEN TEST CONFIGURATION

20 WEB PEN TEST API XML

21 WEB PEN TEST API JSON

22 LOOKING FOR?
XSS (Cross Site Scripting)
CSRF (Cross Site Request Forgery)
missing SESSION cookie “secure” flag
missing SESSION cookie “httpOnly” flag
SQL* injection
SESSION issues
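As an added example (not the profiler rig or Arachni code from the talk), the two session-cookie checks on this slide run over constructed Set-Cookie headers; the list of session-cookie names used to pick out session cookies is an assumption.

```python
"""Report session cookies set without the "secure" or "httpOnly" flag.
Added example for this transcript, not the UW profiler rig itself."""

# Assumed set of common session-cookie names (not from the slides).
SESSION_COOKIE_NAMES = {
    "phpsessid", "jsessionid", "asp.net_sessionid",
    "sessionid", "session", "sid", "connect.sid",
}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # flags such as HttpOnly map to ""
    return name, attrs


def is_session_cookie(name):
    """Heuristic: known session-cookie names or anything containing 'sess'."""
    lowered = name.lower()
    return lowered in SESSION_COOKIE_NAMES or "sess" in lowered


def check_cookies(set_cookie_headers, https=True):
    """Return (cookie name, finding) pairs for session cookies missing flags.
    The "secure" flag is only required when the site is served over HTTPS."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if not is_session_cookie(name):
            continue
        if https and "secure" not in attrs:
            findings.append((name, 'missing SESSION cookie "secure" flag'))
        if "httponly" not in attrs:
            findings.append((name, 'missing SESSION cookie "httpOnly" flag'))
    return findings


# Constructed sample headers (not captured from any real system).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "PHPSESSID=def456; Path=/",
    "theme=dark; Path=/; Max-Age=31536000",
    "sid=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, issue in check_cookies(SAMPLE_HEADERS):
        print(f"{cookie}: {issue}")
```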

23 HOW DO PROJECTS ROLL NOW?
Initiate – Code?
Plan – Checklist
Execute – Follow?
Monitor – Review
Control – Pen test

24 Anything Else?
Hey, I have my kali/backbox pen test VM!
Detailed “managed risk” reports [15 pg. to 35 pg.]
IST-ISS, vendor*, client as risk partners
Manage the web risk over a longer time period
Rinse & Repeat now

25 Let's graph that!!

26 Next for WEB Pen Test Rig/Checklists?
8? Flavours of “RESTful”-like web services
Nonce-based AuthN & AuthZ
Perhaps some load test properties
Formal GitHub project
Checklists submitted as a supported set to OWASP

27 THANKS!
Questions & Answers
