Slide 1: Considerations for application security testing in enterprise projects
OWASP Asia Pacific Conference 2008, 28 February 2008
Jean-Marie Abighanem, OWASP Melbourne Chapter President
Director, Security & Privacy Services, Deloitte Touche Tohmatsu
jabighanem@deloitte.com.au, Mobile: 04 3311 8551
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
Slide 2: Agenda
- What is online application?
- Security Testing Scope
- When to test?
- How do you test web applications?
- Regression testing
- Test data
- Defect management
- Finer points for application pen testing
Slide 3: What is online application? (section title)
Slide 4: What can consumers do online these days?
- Financial Services
  - Pay a bill with Internet Banking
  - Buy and sell some shares
  - Change your superannuation portfolio allocation
  - Choose your health insurer by a search of costs and features
- Consumer Business
  - Purchase of goods or services from a web site at a fixed price
  - Purchase of goods or services via auction (e.g. eBay)
  - Advertising (e.g. Trading Post)
- Telecommunications, Media and Technology
  - Sign up for and change mobile phone and internet plans
  - Retrieve and pay bills
- Transport, Hospitality and Leisure
  - Book a flight
  - Book a hotel
  - Track a flight’s arrival in real time!
- Energy, Mining and Resources
  - Retrieve and pay bills
- Public Sector
  - Lodge your tax return
  - Pay a parking fine
  - Pay council rates
  - Find lost super
Slide 5: What can business do online these days?
- Financial Services: sell financial products via extranet and brokers
- Consumer Business: outsource product delivery in real time to a logistics partner
- Telecommunications, Media and Technology: resell available international bandwidth to third parties
- Transport, Hospitality and Leisure: modify costs and prices of flights and accommodation in real time
- Energy, Mining and Resources: tender electronically for the supply of goods and services amongst business partners
- Public Sector: centralise change of name and address amongst agencies and departments
Slide 6: Security Testing Scope (section title)
Slide 7: Security Testing Scope
- State what you will and will not cover (e.g. DoS)
- Write it down
- Delineate between functional and security testing:
  - authentication
  - authorisation and access control
  - session management
  - input validation
  - etc.
- Define boundaries between the web application and supporting infrastructure (e.g. two-factor authentication, Active Directory)
Slide 8: When to test? (section title)
Slide 9: When to test?
- Classic approach to testing: the last brick in the foundation, after the building is built
- Gatekeeper/rubber-stamping role maybe?
- At what stage should security testing be done? Define, Design, Develop, Deploy, Maintain
Slide 10: When to test?
[Diagram of a project lifecycle, with a "Test here?" marker at every stage: Project Based Development, then Functional Testing, Non-Functional Testing, User Acceptance Testing, Pilot, Pre Production, Production, the "Thank God it’s gone live" party, then Feature requests feeding BAU development and BAU testing.]
Slide 11: When to test?
- Costs of bug fixing usually go up [chart; Source: OWASP Testing Guide v2]
Slide 12: When to test?
- Inverse relationship between fixing costs and security testing costs
Slide 13: How do you test Web Applications? (section title)
Slide 14: How do you test web applications? Source code reviews
- Pros
  - Possibly more complete
  - Possibly faster
- Cons
  - Presumes code availability
  - False positives and false negatives
  - Cannot find run-time bugs easily
  - Requires skilled resources
Slide 15: How do you test web applications? Application security scanners
- Pros
  - Faster
  - Provide useful reporting tools
  - Good for testing input validation
  - Limited skill sets required by tester
- Cons
  - Limitations around business logic testing, as each application is unique
  - False positives
  - Only tests what is accessible
Slide 16: How do you test web applications? Manual penetration testing
- Pros
  - Looks at dynamic code
  - Tests the code that is actually running
  - Can examine business logic
- Cons
  - Effectiveness depends on skill of tester
  - Done at tail end of project
  - Only tests what is accessible
Slide 17: How do you test web applications?
- All techniques have their place
- “…you need a hammer, saw and tape to build a house…neither is more important than the other…imagine a house only built using a hammer?” [Paraphrasing Jeff Williams, OWASP Chair, http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project]
Slide 18: Regression testing
- Fixing security defects in one area may create defects in other areas
- Test cases should be re-performed when impacted by defect remediation elsewhere in the application
- Need to discuss with developers what was changed, and how
Slide 19: Test data
- Don’t use production data!
  - Privacy implications (NPP #2 and NPP #9 from http://privacy.gov.au/publications/npps01.html)
  - PCI-DSS requirement 6.4 specifically prohibits use of production data in testing
- Use accounts with varying privileges
- Consider use of a test administrator account to do password resets or permission changes during testing
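The scope areas listed on the Security Testing Scope slide (authentication, authorisation, session management, input validation), the regression-testing point that a fix in one area can break another, and the test-data advice to use accounts with varying privileges can be made concrete as a small, repeatable security test suite. The following is an added example, not code from the talk or from OWASP: `MiniApp` is a constructed in-memory stand-in for a real application with made-up test accounts (`alice` as a low-privilege user, `root` as an administrator), each test case carries an identifier and the scope area it belongs to so results can be recorded per defect, and `regression_report` compares a run before and after a remediation so that any case that stopped passing is listed. `AfterBadFix` is a hypothetical "fixed" build that silently dropped the input check. All names and values are assumptions made for the example.

```python
"""Repeatable security test cases over a constructed in-memory application.

Hypothetical example: MiniApp stands in for the system under test; the
named cases are the artefacts that get re-run after every remediation.
"""
import re
import secrets


class MiniApp:
    """Tiny account/session model with explicit security rules."""

    def __init__(self):
        # Constructed test accounts of varying privilege (not real users).
        self.users = {"alice": ("alice-pw", "user"), "root": ("root-pw", "admin")}
        self.sessions = {}  # session token -> username
        self.notes = {}     # username -> list of submitted notes

    def login(self, username, password):
        record = self.users.get(username)
        if record is None or not secrets.compare_digest(record[0], password):
            return None                      # authentication failure
        token = secrets.token_hex(16)        # 128-bit random session token
        self.sessions[token] = username
        return token

    def logout(self, token):
        self.sessions.pop(token, None)       # revoke the session server-side

    def _who(self, token):
        return self.sessions.get(token)

    def add_note(self, token, text):
        user = self._who(token)
        if user is None:
            return 401
        if not re.fullmatch(r"[\w .,!?-]{1,200}", text):
            return 400                       # input validation: allow-list only
        self.notes.setdefault(user, []).append(text)
        return 201

    def delete_user(self, token, target):
        user = self._who(token)
        if user is None:
            return 401
        if self.users[user][1] != "admin":
            return 403                       # authorisation: admin only
        self.users.pop(target, None)
        return 200


class AfterBadFix(MiniApp):
    """Constructed 'fixed' build whose change accidentally dropped validation."""

    def add_note(self, token, text):
        user = self._who(token)
        if user is None:
            return 401
        self.notes.setdefault(user, []).append(text)   # no allow-list check
        return 201


CASES = []  # (case id, scope area, test function)


def case(case_id, area):
    """Register a test case under an identifier and a scope area."""
    def deco(fn):
        CASES.append((case_id, area, fn))
        return fn
    return deco


@case("AUTH-01", "authentication")
def wrong_password_rejected(app):
    return app.login("alice", "not-the-password") is None


@case("SESS-01", "session management")
def token_is_fresh_and_revoked_on_logout(app):
    t1 = app.login("alice", "alice-pw")
    t2 = app.login("alice", "alice-pw")
    fresh = t1 != t2 and len(t1) >= 32
    app.logout(t1)
    return fresh and app.add_note(t1, "hello") == 401


@case("AUTHZ-01", "authorisation")
def low_privilege_cannot_delete_users(app):
    t = app.login("alice", "alice-pw")
    return app.delete_user(t, "root") == 403 and "root" in app.users


@case("AUTHZ-02", "authorisation")
def admin_can_delete_users(app):
    t = app.login("root", "root-pw")
    return app.delete_user(t, "alice") == 200


@case("INPUT-01", "input validation")
def markup_outside_allow_list_rejected(app):
    t = app.login("alice", "alice-pw")
    return app.add_note(t, "<b>hi</b>") == 400


def run_suite(app_factory=MiniApp):
    """Run every case against a fresh application; return {case id: passed}."""
    return {case_id: bool(fn(app_factory())) for case_id, _area, fn in CASES}


def regression_report(before, after):
    """Case ids that passed before a fix and fail after it."""
    return sorted(c for c in before if before[c] and not after.get(c, False))


if __name__ == "__main__":
    baseline = run_suite()
    print("baseline:", baseline)
    print("regressions after fix:", regression_report(baseline, run_suite(AfterBadFix)))
```

Each case starts from a fresh application instance and a named test account, so the suite never depends on production data and can be re-run unchanged after developers describe what they altered; the report then points at exactly the scope area whose remediation needs to be revisited.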
Slide 20: Defect management
- Communicate your assessment of the potential likelihood and impact of attack
- Document defects for repeatability
- Let the application owner decide the fate of defects
- Record decisions made
- If the app is already in production, monitor for attacks or pull the app
- Restrict access to defect information
Slide 21: Finer points for application pen testing
- Which browser are you using to test?
- Track the application version which was tested
- Use an end-to-end environment for testing
- Vulnerabilities in commercial off-the-shelf applications (‘COTS’) can be researched
- Customised code usually has the highest frequency of bugs/flaws
- Think outside the box
Slide 22: Questions?