Published by Naomi Wilkins. Modified over 9 years ago.
1
OUCC 2015 Inspiring Innovation
Presentation: Secure Web Apps via Language Security Checklists, Project Management Principles, and Cyclic App Pen Testing
Presenter: Patrick Matlock, U of Waterloo
Date: May 5th, 2015
Email: pmatlock@uwaterloo.ca
2
THANKS My Dad Jason Testart
3
MY DAY JOB
Web penetration tester
Security consultant
Code reviews
EA web security reference model VMs (developer; eater of dog food)
4
WEB PEN TEST CLIENTS
UW Portal [OUCC 2015]
UW OpenData [OUCC 2015]
PeopleSoft HR
Desire2Learn
190+ different vendors/systems
5
WHAT WAS THE PROBLEM?
btw: “require pen test/web pen test. Today”
“end of project”
“Uhmmm. Software/system has some issues …”
Hated throughout the land
6
Let's graph that!!
7
SPECIFIC TO GENERAL
“end of project parade”
However, web pen testing is a set of variable tasks
SDLC: inject IT security as early as possible
Pro-active vs reactive
8
SECURITY BY DESIGN
SDLC (security development life cycle)
“Spiral (waterfall; go back)” project management
Get the risks correct (close)
Language security checklist (deterministic)
Web pen test profiler rig (self-serve, deterministic)
9
DATA LANGUAGE CHECKLISTS
10
CHECKLIST CONTENT
Best practice, usage guide, DB, framework?, MUST, SHOULD, COULD
Web-specific pieces per language
Formal references
11
angularJS CHECKLIST
12
WEB PEN TEST PROFILER: why
Light patrol of campus public web (no WAFs, SAST/DAST/IAST/RASP)
Surgical vs brute force (time & $$$$$$)
IST-ISS is a campus resource; “manage what you measure”
API self-service *now*
Pro-active
13
WEB PEN TEST PROFILER TOOL: Arachni
14
WEB PEN TEST PROFILER 80/8080/443/4443 Script
15
WEB PEN TEST PROFILER MAIN URL
16
WEB PEN TEST PROFILER HOSTS
17
WEB PEN TEST PROFILER URL LIST
18
WEB PEN TEST PROFILER PLUGIN
19
WEB PEN TEST CONFIGURATION
20
WEB PEN TEST API XML
21
WEB PEN TEST API JSON
22
LOOKING FOR?
XSS (Cross Site Scripting)
CSRF (Cross Site Request Forgery)
Missing SESSION cookie “secure” flag
Missing SESSION cookie “httpOnly” flag
SQL* injection
SESSION issues
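As an added example (not part of the presentation or of the profiler rig it describes), a small check for the two cookie findings on this slide: it parses Set-Cookie headers captured from a scanned host and reports session cookies that lack the Secure or HttpOnly attribute. The session-name hints and the sample headers are constructed assumptions, not output from the campus scans.

```python
"""Flag session cookies missing the Secure / HttpOnly attributes.

Assumption: the scanner already captured the raw Set-Cookie header values;
this module only audits them.
"""
from typing import Dict, List, Set

# Assumption: substrings that mark a cookie as a session cookie; extend per
# framework (PHP, Java servlet containers, ASP.NET, ...).
SESSION_NAME_HINTS = ("sess", "sid", "jsessionid", "asp.net_sessionid")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into cookie name, value and attribute set.

    Attribute names are lower-cased so 'HttpOnly', 'httponly' and
    'HTTPONLY' all compare equal.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Set[str] = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {"name": name.strip(), "value": value, "attrs": attrs}


def is_session_cookie(name: str) -> bool:
    """Heuristic: does the cookie name look like a session identifier?"""
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def audit_cookies(headers: List[str], https: bool) -> List[str]:
    """Return one finding per weak session cookie.

    The Secure flag is only reported when the host was reached over HTTPS;
    over plain HTTP the flag would prevent the cookie from being sent at all.
    """
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not is_session_cookie(cookie["name"]):
            continue  # non-session cookies are out of scope for these findings
        if "httponly" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing HttpOnly")
        if https and "secure" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing Secure")
    return findings


# Constructed sample: headers as a scan of one host on port 443 might return.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/",
    "JSESSIONID=def456; Path=/app; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS, https=True):
        print(finding)
```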
23
HOW DO PROJECTS ROLL NOW?
Initiate – Code?
Plan – Checklist
Execute – Follow?
Monitor – Review
Control – Pen test
24
Anything Else?
Hey, I have my Kali/BackBox pen test VM!
Detailed “managed risk” reports [15 pg. to 35 pg.]
IST-ISS, vendor*, client as risk partners
Manage the web risk over a longer time period
Rinse & repeat now
25
Let's graph that!!
26
Next for WEB Pen Test Rig/Checklists?
8? flavours of “RESTful”-like web services
Nonce-based AuthN & AuthZ
Perhaps some load test properties
Formal GitHub project
Checklists submitted as a supported set to OWASP
27
THANKS! Questions & Answers