
Web Application Testing with AppScan Terry Labach.



Presentation on theme: "Web Application Testing with AppScan Terry Labach."— Presentation transcript:

1 Web Application Testing with AppScan
Terry Labach

2 "If you spend more on coffee than on Web application security, you will be hacked. What's more, you deserve to be hacked" - Richard Clarke, Former White House Advisor on Cyberterrorism and Cybersecurity
2010 | The Sky’s the Limit

3 Introduction
- What are the issues?
- How can UW support secure Web application development?
- How can involved parties work together?

4 Outline
- The state of affairs
- Risks and attacks
- AppScan at UW
- AppScan scanning example
- Software engineering for the web
- Questions

5 Web application security is no longer optional
- UW administration concerned about last IT audit
- IT professionalism now includes security

6 The old Web
"First we thought the PC was a calculator. Then we found out how to turn numbers into letters with ASCII -- and we thought it was a typewriter. Then we discovered graphics, and we thought it was a television. With the World Wide Web, we've realized it's a brochure." - Douglas Adams

7 The new Web

8 The new Web
- Shopping mall, office, movie theatre, communications hub, self-marketing firm
- We are expected to make more services available on the web
- Financial, medical, personal information increasingly used in web transactions
- Clients interact with our internal systems

9 Risks on the new Web

10 Risks
- Theft of personal information
- Identity theft
- Financial losses
- Intellectual Property losses
- Damage to UW's reputation
- Legal requirements to notify breach victims

11 Vulnerabilities
- Technical: OS, server design flaws
- Logical: application logic design flaws; failing to account for malicious/incompetent users

12 Attacks
- Technical: XSS, SQL injection
- Logical: authorization errors

13 SQL injection
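The slide names the technical attack without showing it. The following is an added example (not code from the presentation or from AppScan) of the defect behind SQL injection and its hardened form, in Python against an in-memory SQLite table constructed for the purpose. The `quote_probe_raises` helper is also an assumption of mine: it sends a single quote in the username, which is the symptom a black-box scanner's test phase looks for, and reports whether the database raised an error.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table for this demonstration (not Altoro Mutual data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("jsmith", "demo123"), ("o'brien", "secret")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Technical vulnerability: the user-supplied values are pasted into the SQL
    # text, so a quote character in the input changes the structure of the query.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Hardened form: bound parameters are handed to the database as data,
    # so the input can never be interpreted as SQL syntax.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def quote_probe_raises(login_fn):
    """Return True if a single quote in the username makes the database raise
    an error. A legitimate name such as o'brien is enough to trigger it, and
    an error surfacing from user input is the signal a scanner reports."""
    conn = make_db()
    try:
        login_fn(conn, "o'brien", "secret")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable raises on quote:", quote_probe_raises(login_vulnerable))  # True
    print("safe raises on quote:", quote_probe_raises(login_safe))  # False
    print("safe login for o'brien:", login_safe(make_db(), "o'brien", "secret"))
```

The vulnerable version fails on a perfectly ordinary apostrophe, which is also why scanners can find the flaw without knowing the code: the same input that breaks the query for a legitimate user exposes the query text to an attacker. Parameterized queries remove the problem rather than filtering around it.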

14 Cross-site scripting
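An added example (mine, not from the presentation) of the reflected cross-site scripting defect this slide refers to, beside its hardened form. The page template and the `reflects_markup` check are assumptions of mine: the check renders a harmless marker through the page and reports whether it came back verbatim, which is the reflection test an automated scanner performs.

```python
import html

# Constructed page template: a search results page that echoes the query
# both in body text and inside an input attribute.
TEMPLATE = '<h1>Results for: {term}</h1>\n<input type="text" name="q" value="{term}">'


def search_page_vulnerable(term):
    # The user's search term is reflected into the page unchanged, so markup
    # in the term becomes part of the document the browser renders.
    return TEMPLATE.format(term=term)


def search_page_safe(term):
    # Hardened form: encode for the HTML context before reflecting.
    # quote=True also encodes " and ', which matters inside attribute values.
    return TEMPLATE.format(term=html.escape(term, quote=True))


def reflects_markup(render_fn, marker="<b>probe</b>"):
    """True if the rendered page contains the marker verbatim, i.e. the
    application reflected markup without encoding it."""
    return marker in render_fn(marker)


if __name__ == "__main__":
    print("vulnerable reflects markup:", reflects_markup(search_page_vulnerable))  # True
    print("safe reflects markup:", reflects_markup(search_page_safe))  # False
    print(search_page_safe('"x"'))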

15 Authentication and authorization errors
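Slide 12 calls authorization errors a logical attack: nothing is malformed, the application simply never asks whether the authenticated user is allowed to see the record requested. The following is an added example of my own (not from the presentation or from AppScan) using a constructed account table; the `audit` helper is an assumption too, and shows the kind of cross-user check a scanner or tester performs to find such a flaw.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str
    balance: float


# Constructed sample data standing in for a bank's account table.
ACCOUNTS = {
    1001: Account(1001, "jsmith", 2500.00),
    1002: Account(1002, "o'brien", 80.00),
}


def view_account_vulnerable(current_user, account_id):
    # Authentication happened (we know who current_user is), but authorization
    # did not: any logged-in user can read any account by supplying its number.
    return ACCOUNTS.get(account_id)


def view_account_safe(current_user, account_id):
    # Hardened form: the record is returned only if it belongs to the caller.
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner != current_user:
        # Same response for "missing" and "not yours" so the existence of
        # other accounts is not leaked.
        return None
    return account


def audit(view_fn):
    """Try every user against every account and return the (user, id) pairs
    that were served a record they do not own. An empty list is the goal."""
    users = {a.owner for a in ACCOUNTS.values()}
    leaks = []
    for user in users:
        for account_id, account in ACCOUNTS.items():
            if account.owner != user and view_fn(user, account_id) is not None:
                leaks.append((user, account_id))
    return sorted(leaks)


if __name__ == "__main__":
    print("leaks (vulnerable):", audit(view_account_vulnerable))
    print("leaks (safe):", audit(view_account_safe))  # []
```

The ownership check has to live on the server beside the lookup; a scanner can only observe that two different sessions received the same record, it cannot see why.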

16 Why scan?
- Mimics the attack of the hacker
- No substitute for proper application development

17 Scanning methods
- Manual
- Automatic

18 Scanning methods: Manual
- Penetration (“pen”) testing
- Requires human expert
- Slow, error-prone
- Can be insightful

19 Scanning methods: Automatic
- Faster
- Complete list of tests
- Not as perceptive as human tester

20 What scanning can do
- Black box scanning
- Works with any: language, application server, web server

21 What scanning can't do
- White box scanning (can't help with source code issues without additional software)
- Can't be integrated early in the development process
- Requires functional web site

22 IST Web application testing

23 AppScan
- IBM product
- Selected by IST in 2009 to provide testing services
- IST staff will scan your web application as part of your testing process
- No charge

24 Preparing your site for testing
- Test instance of application
- Be ready for disaster
- Backups of all code, data
- Allow access to scan server (firewall, .htaccess)
- Method to recreate the web site

25 The scanning process
- Explore: spider traverses site and learns about structure
- Test: attacks made on site
- Report findings

26 AppScan demonstration
- IBM provides sample web application to test: Altoro Mutual
- http://demo.testfire.net
- User: jsmith
- Password: demo123

27 Running AppScan
- URL
- Scan wizard
- Login method
  - Recorded: go through process for scan
  - Prompt: record initial location, then enter as needed
  - Automatic: use entered name, password when required
  - None: when authentication not used (or ignored)
- Test policy

28 Running AppScan
- Complete scan
  - full auto scan
  - auto explore
  - manual explore (embedded browser): allows limiting scan to part of site or ensuring it follows a set path
  - scan later (scheduled)
- Scan expert
  - does short scan to evaluate settings
  - may suggest configuration changes

29 Running AppScan
- Scan results
  - Views
  - Reports: Remediation, Regulatory, OWASP, Custom

30 Thoughts on software engineering for the web
- Basic SE principles still apply
- Development-Test-Production environments
- Use commercial solutions rather than coding your own where reasonable
- Application development must be planned and managed

31 Thoughts on software engineering for the web
- Add security from the beginning
- Publish only desired files
- Define what is good input and limit to that, rather than trying to strip out bad input
- “good enough” isn't – the risks are too great
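The third point, define what good input is and accept only that, is the one most often got backwards. The following is an added example of mine (not from the presentation) contrasting a strip-the-bad-token approach with allowlist validation; the field definitions (a username and a money amount) are assumptions chosen for illustration.

```python
import re
from decimal import Decimal

# Blocklist approach: remove one known-bad token and hope nothing else matters.
def strip_bad_input(value):
    # A single replace is not idempotent: input that wraps the token around
    # itself re-creates the token after one pass. Maintaining the blocklist
    # is a losing race, which is the point the slide makes.
    return value.replace("<script>", "")


# Allowlist approach: each field has a definition of what it may contain,
# and anything outside that definition is rejected rather than cleaned.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
AMOUNT_RE = re.compile(r"[0-9]{1,7}(\.[0-9]{2})?")


def validate_username(value):
    # fullmatch is used deliberately: with ^...$ a trailing newline would still
    # match, because $ matches before a final newline.
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def validate_amount(value):
    """Accept only a plain decimal amount and return it as a Decimal."""
    if not AMOUNT_RE.fullmatch(value):
        raise ValueError("invalid amount")
    return Decimal(value)


def is_valid_username(value):
    try:
        validate_username(value)
        return True
    except ValueError:
        return False


def is_valid_amount(value):
    try:
        validate_amount(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(strip_bad_input("<scr<script>ipt>"))  # the token survives stripping
    print(is_valid_username("jsmith"), is_valid_username("<scr<script>ipt>"))
    print(validate_amount("12.50"), is_valid_amount("12.50;"))
```

Validation on the way in does not replace output encoding on the way out; the two address different problems, and a field that legitimately contains quotes or angle brackets (a comment, a name like o'brien) still needs encoding for the context it is rendered into.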

32 References
- IBM AppScan: http://www.ibm.com/software/awdtools/appscan/standard/
- OWASP: http://www.owasp.org
- IST IT Security team: http://ist.uwaterloo.ca/security/
- Quotation of the Day: http://quotationofthedaylist.blogspot.com/

33 Questions?





