Presentation is loading. Please wait.

Presentation is loading. Please wait.

Version 02U-1 Computer Security: Art and Science1 Penetration Testing by Brad Arkin Scott Stender and Gary McGraw.

Published byElvin Daniel Modified over 9 years ago

Similar presentations

Presentation on theme: "Version 02U-1 Computer Security: Art and Science1 Penetration Testing by Brad Arkin Scott Stender and Gary McGraw."— Presentation transcript:

1 Version 02U-1 Computer Security: Art and Science1 Penetration Testing by Brad Arkin Scott Stender and Gary McGraw

2 Version 02U-1 Computer Security: Art and Science2 Topics Introduction Penetration Testing Today Better Approach Summary/Conclusion

3 Version 02U-1 Computer Security: Art and Science3 Introduction Testing for positives Security testing Test for negatives

4 Version 02U-1 Computer Security: Art and Science4 Penetration Testing Today Attractive late life cycle activity Too little, too late an attempt to tackle security. Use of security requirements, abuse cases, security risk knowledge, attack patterns in application design, analysis and testing are missing.

5 Version 02U-1 Computer Security: Art and Science5 Penetration Testing Today (contd) Attractive late life cycle activity Results Interpretation A list of flaws, bugs and vulnerabilities Doesn’t factor in the time-boxed nature of late lifecycle assessments. Penetration testing as a way to declare victory

6 Version 02U-1 Computer Security: Art and Science6 Penetration Testing in SDLC

7 Version 02U-1 Computer Security: Art and Science7 A Better Approach Base the testing activities on the security findings discovered and tracked from the beginning of the development life cycle. Structure test according to perceived risk and offer some kind of metric relating risk measurement to software security’s posture at the time of the test. Make Use of Tools Use static analysis tools Use dynamic analysis tools

8 Version 02U-1 Computer Security: Art and Science8 A Better Approach (contd) Benefits of Tools Tools can perform the routine work needed for basic software security analysis. Tool output lends itself to metrics, which software development teams can use to track progress overtime.

9 Version 02U-1 Computer Security: Art and Science9 A Better Approach (contd) Test more than once Test at the feature, component, unit and system level Tests should attempt unauthorized misuse of, and access to, target assets as well as try to violate any assumptions the system might make relative to its components

10 Version 02U-1 Computer Security: Art and Science10 A Better Approach (Contd) Test more than once Component level testing Use static and dynamic tools uniformly at the component level. The tool design should reflect the security test’s goal: to misuse the component’s assets, violate intercomponent assumptions, or probe risks. Unit testing breaks system security down into several discrete parts

11 Version 02U-1 Computer Security: Art and Science11 A Better Approach (contd) Test more than once System level testing system-level testing focuses on identifying intercomponent issues and assessing the security risk inherent at the design level. –a component assumes that only trusted components have access to its assets, security testers should structure a test to attempt direct access to that component from elsewhere –focus on aspects of the system that couldn’t be probed during unit testing.

12 Version 02U-1 Computer Security: Art and Science12 A Better Approach (Contd) Integrate with development life cycle Most common problem with penetration testing is the failure to identify lessons to be learned and propagated back into the organization’s SDLC. Mitigation strategy Rather than simply fixing identified bugs, developers should perform a root-cause analysis of the identified vulnerabilities Developers and architects should devise mitigation strategies to address the identified vulnerabilities and any similar vulnerability in the code base. –Buffer overflow example

13 Version 02U-1 Computer Security: Art and Science13 A Better Approach (Contd) Integrate with development life cycle Use test result information to measure progress against a goal. Add tests for the mitigated vulnerability to the automated test suites Employ iterative security penetration tests Reveals fewer and less severe flaws in the system.

14 Version 02U-1 Computer Security: Art and Science14 Summary Penetration testing is the most commonly applied mechanism used to measure software security but it’s also the most misapplied mechanism as well. Apply penetration testing at the unit and system level, derive test cases from risk analysis, and incorporate the results back into the development life cycle Integrate penetration testing into the development process to improve design, implementation and deployment practices –Questions/Comments ???

Download ppt "Version 02U-1 Computer Security: Art and Science1 Penetration Testing by Brad Arkin Scott Stender and Gary McGraw."

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

ETHICAL HACKING A LICENCE TO HACK
OWASP CLASP Overview.

OWASP CLASP Overview.
INFORMATION SYSTEMS SECURITY ENGINEERING: A CRITICAL COMPONENT OF THE SYSTEMS ENGINEERING LIFECYCLE Kevin Behr SE 516 – Technical Article Presentation.

INFORMATION SYSTEMS SECURITY ENGINEERING: A CRITICAL COMPONENT OF THE SYSTEMS ENGINEERING LIFECYCLE Kevin Behr SE 516 – Technical Article Presentation.
Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
CSCE 522 Building Secure Software. CSCE 548 - Farkas2 Reading This lecture – McGraw: Ch. 3 – G. McGraw, Software Security,

CSCE 522 Building Secure Software. CSCE Farkas2 Reading This lecture – McGraw: Ch. 3 – G. McGraw, Software Security,
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
Improving Process for Better Software. Who We Are An experiential learning program that provides technology solutions for our partners, and real- world.

Improving Process for Better Software. Who We Are An experiential learning program that provides technology solutions for our partners, and real- world.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Secure Software Development SW Penetration Testing Chapter 6 Rasool Jalili & M.S. Dousti Dept. of Computer Engineering Fall 2010.

Secure Software Development SW Penetration Testing Chapter 6 Rasool Jalili & M.S. Dousti Dept. of Computer Engineering Fall 2010.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
CSCE 548 Secure Software Development Risk-Based Security Testing.

CSCE 548 Secure Software Development Risk-Based Security Testing.
Software Quality Assurance Lecture #8 By: Faraz Ahmed.

Software Quality Assurance Lecture #8 By: Faraz Ahmed.
Introduction to RUP Spring 2006. Sharif Univ. of Tech.2 Outlines What is RUP? RUP Phases –Inception –Elaboration –Construction –Transition.

Introduction to RUP Spring Sharif Univ. of Tech.2 Outlines What is RUP? RUP Phases –Inception –Elaboration –Construction –Transition.
IT Systems Analysis & Design

IT Systems Analysis & Design
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.
CS 325: Software Engineering April 14, 2015 Software Security Security Requirements Software Security in the Life Cycle.

CS 325: Software Engineering April 14, 2015 Software Security Security Requirements Software Security in the Life Cycle.
A Security Review Process for Existing Software Applications

A Security Review Process for Existing Software Applications
CSCE 548 Secure Software Development Test 1 Review.

CSCE 548 Secure Software Development Test 1 Review.

Similar presentations

Ads by Google