Enviar búsqueda
Cargar
Introduction to Application Security Testing
•
3 recomendaciones
•
2,230 vistas
Mohamed Ridha CHEBBI, CISSP
Seguir
Tecnología
Denunciar
Compartir
Denunciar
Compartir
1 de 38
Descargar ahora
Descargar para leer sin conexión
Recomendados
Security testing
Security testing
Rihab Chebbah
Security Testing
Security Testing
Qualitest
Web Application Security Testing Tools
Web Application Security Testing Tools
Eric Lai
we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Study
we45
5 Important Secure Coding Practices
5 Important Secure Coding Practices
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
Security testing fundamentals
Security testing fundamentals
Cygnet Infotech
Security Testing
Security Testing
Kiran Kumar
Cyber security series Application Security
Cyber security series Application Security
Jim Kaplan CIA CFE
Recomendados
Security testing
Security testing
Rihab Chebbah
Security Testing
Security Testing
Qualitest
Web Application Security Testing Tools
Web Application Security Testing Tools
Eric Lai
we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Study
we45
5 Important Secure Coding Practices
5 Important Secure Coding Practices
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
Security testing fundamentals
Security testing fundamentals
Cygnet Infotech
Security Testing
Security Testing
Kiran Kumar
Cyber security series Application Security
Cyber security series Application Security
Jim Kaplan CIA CFE
Penetration Testing
Penetration Testing
RomSoft SRL
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
Secure by design and secure software development
Secure by design and secure software development
Bill Ross
Penetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPT
shiriskumar
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
Application Security Risk Assessment
Application Security Risk Assessment
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
Web Application Security Testing
Web Application Security Testing
Marco Morana
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best Practices
Kellep Charles
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
Mykhailo Antonishyn
Get Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
Alan Kan
The road towards better automotive cybersecurity
The road towards better automotive cybersecurity
Rogue Wave Software
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
VAPT, Ethical Hacking and Laws in India by prashant mali
VAPT, Ethical Hacking and Laws in India by prashant mali
Adv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
Btpsec Sample Penetration Test Report
Btpsec Sample Penetration Test Report
btpsec
Application Security
Application Security
Reggie Niccolo Santos
What is Penetration Testing?
What is Penetration Testing?
btpsec
Pen Testing Explained
Pen Testing Explained
Rand W. Hirt
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
Dr. Anish Cheriyan (PhD)
Introduction to security testing
Introduction to security testing
Nagasahas DS
Security-testing presentation
Security-testing presentation
Ezhilan Elangovan (Eril)
Más contenido relacionado
La actualidad más candente
Penetration Testing
Penetration Testing
RomSoft SRL
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
Secure by design and secure software development
Secure by design and secure software development
Bill Ross
Penetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPT
shiriskumar
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
Application Security Risk Assessment
Application Security Risk Assessment
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
Web Application Security Testing
Web Application Security Testing
Marco Morana
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best Practices
Kellep Charles
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
Mykhailo Antonishyn
Get Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
Alan Kan
The road towards better automotive cybersecurity
The road towards better automotive cybersecurity
Rogue Wave Software
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
VAPT, Ethical Hacking and Laws in India by prashant mali
VAPT, Ethical Hacking and Laws in India by prashant mali
Adv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
Btpsec Sample Penetration Test Report
Btpsec Sample Penetration Test Report
btpsec
Application Security
Application Security
Reggie Niccolo Santos
What is Penetration Testing?
What is Penetration Testing?
btpsec
Pen Testing Explained
Pen Testing Explained
Rand W. Hirt
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
Dr. Anish Cheriyan (PhD)
La actualidad más candente
(20)
Penetration Testing
Penetration Testing
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Secure by design and secure software development
Secure by design and secure software development
Penetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPT
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Application Security Risk Assessment
Application Security Risk Assessment
Web Application Security Testing
Web Application Security Testing
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best Practices
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
Get Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
The road towards better automotive cybersecurity
The road towards better automotive cybersecurity
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
VAPT, Ethical Hacking and Laws in India by prashant mali
VAPT, Ethical Hacking and Laws in India by prashant mali
Btpsec Sample Penetration Test Report
Btpsec Sample Penetration Test Report
Application Security
Application Security
What is Penetration Testing?
What is Penetration Testing?
Pen Testing Explained
Pen Testing Explained
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
Destacado
Introduction to security testing
Introduction to security testing
Nagasahas DS
Security-testing presentation
Security-testing presentation
Ezhilan Elangovan (Eril)
Codefest2015
Codefest2015
Denis Kolegov
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Tom Moore
A Security Testing Methodology that Fits Every IT Budget
A Security Testing Methodology that Fits Every IT Budget
Rochester Security Summit
TWK 2013_Fall_Final
TWK 2013_Fall_Final
Anastasia (Stasi) Richmond
Office cleaning
Office cleaning
Susan Roy
Security testing
Security testing
Tabăra de Testare
Security testing activities
Security testing activities
Dharmdev Maurya
Explore Security Testing
Explore Security Testing
shwetaupadhyay
Secure Software Development Life Cycle
Secure Software Development Life Cycle
Maurice Dawson
Security testing
Security testing
Khizra Sammad
Information Security and the SDLC
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
Security testing
Security testing
baskar p
Software quality assurance
Software quality assurance
Aman Adhikari
Introduction to Security Testing
Introduction to Security Testing
vodQA
1 Quality Assurance Presentation
1 Quality Assurance Presentation
guest337c19
Introduction To Software Quality Assurance
Introduction To Software Quality Assurance
ruth_reategui
QUALITY ASSURANCE
QUALITY ASSURANCE
Pharmaceutical
Slideshare ppt
Slideshare ppt
Mandy Suzanne
Destacado
(20)
Introduction to security testing
Introduction to security testing
Security-testing presentation
Security-testing presentation
Codefest2015
Codefest2015
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
A Security Testing Methodology that Fits Every IT Budget
A Security Testing Methodology that Fits Every IT Budget
TWK 2013_Fall_Final
TWK 2013_Fall_Final
Office cleaning
Office cleaning
Security testing
Security testing
Security testing activities
Security testing activities
Explore Security Testing
Explore Security Testing
Secure Software Development Life Cycle
Secure Software Development Life Cycle
Security testing
Security testing
Information Security and the SDLC
Information Security and the SDLC
Security testing
Security testing
Software quality assurance
Software quality assurance
Introduction to Security Testing
Introduction to Security Testing
1 Quality Assurance Presentation
1 Quality Assurance Presentation
Introduction To Software Quality Assurance
Introduction To Software Quality Assurance
QUALITY ASSURANCE
QUALITY ASSURANCE
Slideshare ppt
Slideshare ppt
Similar a Introduction to Application Security Testing
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
Atlantic Security Conference
Importance of Secure Coding with it’s Best Practices
Importance of Secure Coding with it’s Best Practices
ElanusTechnologies
Software security testing
Software security testing
nehabsairam
VSEC Sourcecode Review Service Profile
VSEC Sourcecode Review Service Profile
Vietnamese Network Security J.S.C
Information security software security presentation.pptx
Information security software security presentation.pptx
salutiontechnology
Ownux global March 2023.pdf
Ownux global March 2023.pdf
Bella Nirvana Center
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps World
Arun Prabhakar
Secure development of code
Secure development of code
SalomeVictor
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
Security is our duty and we shall deliver it - White Paper
Security is our duty and we shall deliver it - White Paper
Mohd Anwar Jamal Faiz
Software Security Testing
Software Security Testing
ankitmehta21
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
Agile and Secure Development
Agile and Secure Development
Nazar Tymoshyk, CEH, Ph.D.
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
Checkmarx
Security Testing for Testing Professionals
Security Testing for Testing Professionals
TechWell
Security Best Practices
Security Best Practices
Clint Edmonson
smpef
smpef
rsharmam
Building an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
Mike Spaulding
Similar a Introduction to Application Security Testing
(20)
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
Importance of Secure Coding with it’s Best Practices
Importance of Secure Coding with it’s Best Practices
Software security testing
Software security testing
VSEC Sourcecode Review Service Profile
VSEC Sourcecode Review Service Profile
Information security software security presentation.pptx
Information security software security presentation.pptx
Ownux global March 2023.pdf
Ownux global March 2023.pdf
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps World
Secure development of code
Secure development of code
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Security is our duty and we shall deliver it - White Paper
Security is our duty and we shall deliver it - White Paper
Software Security Testing
Software Security Testing
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
Agile and Secure Development
Agile and Secure Development
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
Security Testing for Testing Professionals
Security Testing for Testing Professionals
Security Best Practices
Security Best Practices
smpef
smpef
Building an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
Último
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
lior mazor
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
wesley chun
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
Product Anonymous
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Rafal Los
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
hans926745
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
Maria Levchenko
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
RTylerCroy
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
Evaluating the top large language models.pdf
Evaluating the top large language models.pdf
ChristopherTHyatt
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
sudhanshuwaghmare1
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
naman860154
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
hans926745
Último
(20)
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Evaluating the top large language models.pdf
Evaluating the top large language models.pdf
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
Introduction to Application Security Testing
1.
Security Verified
Introducing Security Testing Mohamed Ridha Chebbi, CISSP ridha.chebbi@icodesecurity.com Mobile : +216 26 88 10 11 © 2012 iCode information security All rights reserved
2.
Analyzing Applications with
a Security Mindset Security Verified Testing the security of software requires a certain mindset, as a security test engineer needs to look at software from the perspective of someone who wants to attack it. Adopting this mindset involves understanding the main information sources for security testing and how input can affect software. Testing the security of a given piece of software often entails searching a very large set of inputs in order to find issues that can compromise that security. Automation plays an important role in this search. © 2012 iCode information security All rights reserved
3.
The Value of
Security Testing Security Verified In the past, Microsoft products used to be the primary targets for attackers. As a result of their prominent position in the industry, Microsoft operating systems received high scrutiny from the security community. This coupled with the fact that Microsoft products did contain a fair number of vulnerabilities, hackers and vulnerability finders had little need and interest in searching other platforms. The ubiquity of Microsoft products exacerbated this situation, as viruses and worms were able to cause epidemics by taking advantage of vulnerabilities in commonly used server and client applications. The Security Development Life Cycle (SDL) introduced at Microsoft in 2002 has raised the bar. Vulnerability finders have to work harder to penetrate Microsoft applications, and the focus of the security research community is now shifting to those vendors and platforms once considered to be secure. Well-engineered security testing plays a key role in the effectiveness of the SDL. Vulnerabilities found during the SDL have less chance of damaging customer confidence in Microsoft, and removing critical flaws before shipping leaves attackers with fewer reasons to focus on Microsoft. © 2012 iCode information security All rights reserved
4.
Security Testing and
the SDL Security Verified Anecdotal evidence indicates that engineers spend less time testing for security bugs in products covered by the SDL. As the design and coding for these products is more secure in the first place, security testing in the SDL is more concerned with verifying that the product is secure, rather than with finding and eliminating security bugs. The purpose of security testing in the SDL is to allow the product team to perform a thorough assessment of the security and privacy of their application. Performing security testing during the verification phase of the SDL allows the product team to: Perform adequate penetration testing activities on new and legacy code. Verify that the application is adequately reviewed for security vulnerabilities. Ensure that threats against the application are properly mitigated. Document the evidence indicating that users can trust the application. Perform a security push for those legacy components that were not covered by the SDL. © 2012 iCode information security All rights reserved
5.
Functional Testing vs
Security Testing Security Verified Security testing and functional testing differ in four main areas: Identifying helpful sources of information for test planning : Functional testing involves testing an application under realistic user scenarios, while in security testing the test engineer frequently deals with scenarios that may not be realistic for the common user. Choosing an appropriate set of inputs : During functional testing the test engineer will most commonly use expected inputs derived from use cases, whereas during security testing the test engineer is required to use unexpected and malicious inputs that may expose a security problem. Automating security tests. Interfaces that are not visible to the human eye are most interesting for security testing. In order to be viewed, such interfaces often require the use of specialized tools. Security test engineers must be familiar with these tools and their limitations. During functional testing it is simpler to automate a testing process, as results for a specific test are easily verified. Establishing whether a security defect has been triggered during security testing is much harder. Deciding when testing is complete : When carrying out functional testing, it is straightforward to determine when testing is complete. When carrying out security testing, however, deciding when to stop is more complicated because the test engineer needs to help to quantify the risk and decide whether enough testing has been done to declare the product "safe". © 2012 iCode information security All rights reserved
6.
Gathering Information for
Security Testing Security Verified The User Interface as a Source of Information : The user interface is the first place to investigate when planning security testing. The information on the screen is primarily directed at legitimate users, but it is important to remember that hackers are users as well, and they can learn quite a bit from this information. Identify the Field : When testing a Web application, testers should be aware of how their interactions with the client will affect the behavior of the server application Error Messages as a Source of Information : Many applications output error messages to their users to inform them on what the expected format of input is. This can provide very useful information to the tester on the possible assumptions that developers made on the type of data that are expected through a given input vector. Abuse Cases as a Source of Information : Whereas functional test engineers consider use cases, security test engineers must consider abuse cases. Abuse cases can often be gleaned from sources of historical information such as: CERT and Bugtraq, which contain security advisories and discussions about existing and new vulnerabilities. Black-hat literature. © 2012 iCode information security All rights reserved
7.
Considering Inputs with
a Security Testing Mindset Security Verified Identifying Entry Points of the Application : Not all inputs come from the keyboard or mouse. From a security perspective, the Graphical User Interface (GUI) is often the least of concerns, and testers need to worry more about input sources that are not quite so visible. In fact, a security tester has to learn not to think like a GUI tester. There are four sources of input that need to be considered when planning security testing : OS/RTE : Input from the OS and the Run-time Environment (RTE) includes input from the OS APIs and any run-time environment that is supporting the application, such as the Common Language Run-time (CLR). User Interface (UI) : Examples of user interfaces are a local GUI and a Web front-end. External Resource : A Web server and a database are examples of resources that are external to the application. File System : Input from the file system includes temporary files, registry values, and configuration files. © 2012 iCode information security All rights reserved
8.
Categorizing Inputs
Security Verified Categorizing Dangerous Inputs Lists of dangerous inputs are a key asset for security test engineers. Within an organization, such lists are often kept secret for fear that they may be used against a system by attackers. A group should be diligent about doing the necessary research to ensure it has a complete list, as well as ensuring that everyone in the organization is aware of such a list and utilizes it. Dangerous input can be categorized into the following groups: Long strings Format strings Numeric boundaries Scripts Code OS commands Control characters Error codes Return values Note that such lists are never static © 2012 iCode information security All rights reserved
9.
Automating Security Testing
Security Verified The Value of Automated Security Testing Larger coverage : overage refers to the percentage of security-critical functions that are exercised by different inputs during a security test. Regression testing : During regression testing an application is tested for newly introduced bugs, usually by re-running previous tests and checking whether previously fixed faults have re-emerged Efficiency : Automated security tests are more efficient than manual testing. Automated tests are repeatable with no human intervention, as opposed to manual testing, which is far more time-consuming. Automation allows for more targeted manual testing as they disclose areas of potential weakness in various execution, trust, and I/O boundaries, which means the test engineer need not try to find all weaknesses manually, but can focus on key areas and provide feedback to threat modeling and other phases of SDL. © 2012 iCode information security All rights reserved
10.
Generating the Input
Security Verified In order to generate inputs that are dangerous to your application, a list detailing all possible inputs must be created. This list might be generated in real time as the software is being tested, manually or by using a fuzz test automation suite, or it may already be available to you from other security tests applied to similar products. If the latter, you must keep in mind that often a list is not cross-applicable, and you may need to modify it or create your own list. Some interfaces, such as the network and the file system, lend themselves well to automation. For other interfaces it might be more difficult to automate testing because the instrumentation of them is more difficult and/or because their outputs are harder to observe. © 2012 iCode information security All rights reserved
11.
Software you Actually
Build Security Verified The actual behavior of an application, as coded by developers, rarely matches perfectly with the intended software behavior, as specified in the design documents. Most security bugs are found in the area where behavior that was not part of the application’s intended behavior has been inadvertently implemented by developers. © 2012 iCode information security All rights reserved
12.
Quantifying the Risk
Security Verified Quantifying the Risk : To help quantify the risk, you have to ask the following: Was the process which was established to prevent and detect security flaws fully implemented? How many unmitigated vulnerabilities are currently extant? Is additional testing necessary? What can we do to make this product safer? Assigning Severity: To help test engineers assign severity to defects, the SDL has established four different levels of severity: Critical : Remote, anonymous user escalation of privilege Arbitrary code execution Important DoS (low bandwidth attack, blue-screen, or long duration) Local elevation of privilege Information disclosure with privacy implications Tampering with user data Spoofing a user or computer Moderate Temporary DoS Information disclosure, general Low Non-persistent or hard-to-replicate issues © 2012 iCode information security All rights reserved
13.
Review the Process
Security Verified Collecting the Proper Metrics: To make a well-informed decision on whether to stop testing requires relevant metrics. questions need to be asked : How well did the team: - Create required documentation? - Adhere to best practices? - Use all appropriate tools? - Respond to problems that arose? How well did the testing team test: - Untrusted interfaces? resources? protocols? files? How well did the testing team cover the: -Threat model? -Set of possible attacks that apply to the application? © 2012 iCode information security All rights reserved
14.
Security Verified
Security Assurance Mohamed Ridha Chebbi, CISSP © 2012 iCode information security All rights reserved
15.
Security Assurance Maturity
Security Verified High Typical Progression Curve Tools & Technology Low Panic Scramble Pit of Despair Security as Core Business Process Low High People & Process © 2012 iCode information security All rights reserved
16.
Stage 1 :
Reactionary Security Verified © 2012 iCode information security All rights reserved
17.
Stage 2 :
Apply Band Aids Security Verified © 2012 iCode information security All rights reserved
18.
Stage 3 :
Beyond Badness-Ometer Security Verified © 2012 iCode information security All rights reserved
19.
Stage 4 :
Teach a Man to Fish Security Verified © 2012 iCode information security All rights reserved
20.
Stage 5 :
Homo Securous Security Verified © 2012 iCode information security All rights reserved
21.
Typical Level 5
SAMM Assessments in SDLC Security Verified Software Development Life Cycle Design Build Deploy Operate Code Review Build & Test Automation White Box Testing Black Box Testing Pen Test Decision Support & Process Optimization © 2012 iCode information security All rights reserved
22.
Security Verified
Security Testing Simplified Mohamed Ridha Chebbi, CISSP © 2012 iCode information security All rights reserved
23.
Automated Testing During
SDLC Security Verified Design Build Test Deploy Operate Internal Review Annually Static Testing … Dynamic Testing … PEN Testing New Versions/Releases © 2012 iCode information security All rights reserved
24.
Application Security Assurance
Security Verified Design Build Test Deploy Operate Internal Review Annually Static Assessment … Dynamic Assessment … PEN Testing New Versions/Releases © 2012 iCode information security All rights reserved
25.
Security Verified Static Testing
Vectors © 2012 iCode information security All rights reserved
26.
Static Assessment Vectors
Security Verified CWE ID CWE Name Directory Traversal 73 External Control of File Name or Path Untrusted Search Path 114 Process Control 426 Untrusted Search Path 427 Uncontrolled Search Path Element Buffer Overflow 121 Stack-based Buffer Overflow 122 Heap-based Buffer Overflow Buffer Management Errors 129 Unchecked Array Indexing 135 Incorrect Calculation of Multi-Byte String Length 170 Improper Null Termination 249 Often Misused: Path Manipulation 125 Out-of-bounds Read Format String 134 Uncontrolled Format String Numeric Errors 190 Integer Overflow or Wraparound 191 Integer Underflow (Wrap or Wraparound) 192 Integer Coercion Error 195 Signed to Unsigned Conversion Error 196 Unsigned to Signed Conversion Error 197 Numeric Truncation Error API Abuse 234 Failure to Handle Missing Parameter 243 Failure to Change Working Directory in chroot Jail 193 Off-by-one Error 245 J2EE Bad Practices: Direct Management of Connections 560 Use of umask() with chmod-style Argument © 2012 iCode information security All rights reserved
27.
Static Assessment Vectors
Security Verified CWE ID CWE Name Information Leakage 201 Information Leak Through Sent Data ✔ 209 Error Message Information Leak ✔ 215 Information Leak Through Debug Information ✔ 497 Information Leak of System Data ✔ 498 Information Leak through Class Cloning ✔ Dangerous Functions 242 Use of Inherently Dangerous Function ✔ Credentials Management 256 Plaintext Storage of a Password ✔ 259 Hard-Coded Password ✔ Authentication Issues 247 Reliance on DNS Lookups in a Security Decision ✔ Cryptographic Issues 311 Failure to Encrypt Sensitive Data ✔ 316 Plaintext Storage in Memory ✔ 321 Use of Hard-coded Cryptographic Key ✔ 326 Weak Encryption ✔ 331 Insufficient Entropy ✔ 347 Improper Verification of Cryptographic Signature ✔ 354 Improper Validation of Integrity Check Value ✔ Sensitive Cookie in HTTPS Session Without 614 'Secure' ✔ 310 Cryptographic Issues ✔ © 2012 iCode information security All rights reserved
28.
Static Assessment Vectors
Security Verified CWE ID CWE Name Race Conditions 364 Signal Handler Race Condition ✔ 367 Time-of-check Time-of-use (TOCTOU) Race Condition ✔ Time and State 377 Insecure Temporary File ✔ 378 Creation of Temporary File With Insecure Permissions ✔ 382 J2EE Bad Practices: Use of System.exit() ✔ 557 Concurrency Issues ✔ 708 Incorrect Ownership Assignment ✔ Session Fixation 384 Session Fixation ✔ Error Handling 391 Unchecked Error Condition ✔ Code Quality 111 Direct Use of Unsafe JNI ✔ Failure to Release Memory Before Removing Last 401 Reference ('Memory Leak') ✔ 404 Improper Resource Shutdown or Release ✔ 415 Double Free ✔ 416 Use After Free ✔ Use of Externally-Controlled Input to Select Classes or 470 Code ('Unsafe Reflection') ✔ 479 Unsafe Function Call from a Signal Handler ✔ 489 Leftover Debug Code ✔ 597 Use of Wrong Operator in String Comparison ✔ © 2012 iCode information security All rights reserved
29.
Static Assessment Vectors
Security Verified CWE ID CWE Name OS Command Injection Failure to Preserve OS Command Structure ('OS Command 78 Injection') ✔ SQL Injection 89 Failure to Preserve SQL Query Structure ('SQL Injection') ✔ 564 SQL Injection: Hibernate ✔ Cross-Site Scripting (XSS) Improper Sanitization of Script-Related HTML Tags in a 80 Web Page (Basic XSS) ✔ CRLF Injection 93 Failure to Sanitize CRLF Sequences ('CRLF Injection') ✔ Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP 113 Response Splitting') ✔ 117 Improper Output Sanitization for Logs ✔ Encapsulation 494 Download of Code Without Integrity Check ✔ 501 Trust Boundary Violation Malicious ✔ Malicious Code 506 Embedded Malicious Code ✔ 511 Logic/time bomb ✔ Reliance on Security through Obscurity Untrusted 656 Initialization ✔ Untrusted Initialization 15 External Control of System or Configuration Setting ✔ Insufficient Input Validation 103 Struts: Incomplete validate() Method Definition ✔ 104 Struts: Form Bean Does Not Extend Validation Class ✔ 112 Missing XML Validation ✔ 601 URL Redirection to Untrusted Site ('Open Redirect') ✔ © 2012 iCode information security All rights reserved
30.
OWASP Top 10
Compliance Security Verified Automated Scanning •Cross Site Scripting (XSS) •Injection Flaws •Malicious File execution •Insecure Direct Object Reference •Information Leakage and Improper Error Handling •Insecure Cryptographic Storage Dynamic/Manual Testing Required to identify •Cross Site Request Forgery (CSRF) •Broken Authentication and Session Management •Insecure Communications •Failure to restrict URL access © 2012 iCode information security All rights reserved
31.
SANS Top 25
Compliance Security Verified Automated Scanning CWE-20: Improper Input Validation CWE-89: Failure to Preserve SQL Query Structure ('SQL Injection') CWE-78: Injection Flaws Failure to Preserve OS Command Structure (‘OS Command Injection’) CWE-209: Error Message Information Leak CWE-426: Untrusted Search Path CWE-494: Download of Code Without Integrity Check CWE-259: Hard-Coded Password CWE-330: Use of Insufficiently Random Values CWE-116: Improper Encoding or Escaping of Output CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting') CWE-362: Race Condition CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer CWE-404: Improper Resource Shutdown or Release CWE-682: Incorrect Calculation CWE-327: Use of a Broken or Risky Cryptographic Algorithm CWE-73: External Control of File Name or Path © 2012 iCode information security All rights reserved
32.
SANS Top 25
Compliance Security Verified Dynamic/Manual Testing Required to identify CWE-319: Cleartext Transmission of Sensitive Information CWE-665: Improper Initialization CWE-285: Improper Access Control (Authorization) CWE-642: External Control of Critical State Data CWE-352: Cross Site Request Forgery (CSRF) CWE-94: Failure to Control Generation of Code (aka 'Code Injection‘) CWE-732: Insecure Permission Assignment for Critical Resource CWE-602: Client-Side Enforcement of Server-Side Security CWE-250: Execution with Unnecessary Privileges © 2012 iCode information security All rights reserved
33.
Security Verified Dynamic Testing
Vectors © 2012 iCode information security All rights reserved
34.
Internal Security Vector
Security Verified 06-01 Application Path Disclosure 06-02 Browse HTTP from HTTPS 06-03 Brute Force Login 06-04 Auth Over HTTP Internal Security 06-05 Credit Card Disclosure 06-06 Document Caching 06-07 Find Pages 06-08 Flush Permissions 06-09 Form Caching 06-10 HTTP Parameter Pollution 06-11 Login Redirect 06-12 Non-masked Password 06-13 Plateform Path Disclosure 06-14 Privacy Notification 06-15 Private IP Disclosure 06-16 Remote File Inclusion 06-17 Social Insurance Disclosure 06-18 Social Security Disclosure 06-19 Username & Password in HTTP request © 2012 iCode information security All rights reserved
35.
Entry Validation Vector
Security Verified 07-01 Application Exception 07-02 Application Path Disclosure 07-03 Blind SQL Injection 07-04 Buffer Overflow Entry Validation 07-05 Cross-Site Scripting 07-06 Format String 07-07 Frame Injection 07-08 GET for POST 07-09 HTTP Parameter Pollution 07-10 HTTP Response Splitting 07-11 Integer Overflow 07-12 LDAP Exception 07-13 LDAP Injection 07-14 Open Redirect 07-15 Parameter Addition 07-16 PHP & Perl Code Injection 07-17 Remote File Inclusion 07-18 SQL Disclosure 07-19 SQL Error Message 07-20 SSI Injection 07-21 Unix Command Injection 07-22 Unix Relative Path 07-23 Windows Command Injection 07-24 Windows Relative Path © 2012 iCode information security All rights reserved
36.
Session Management Vector
Security Verified 09-01 Acquire Session ID 09-02 Authentication Bypass 09-03 Authorization Boundary Session Mgmt 09-04 Clickjacking 09-05 Cross Site Request Forgery 09-06 Ineffective Session Termination 09-07 Javascript Hijacking 09-08 Lockout 09-09 Password Change 09-10 Privilege Escalation 09-11 Register Password 09-12 Run Traversal Only 09-13 Session Fixation 09-14 Session Hijacking 09-15 Session ID Identification 09-16 Session ID in URL 09-17 Session ID Length 09-18 Session ID Randomness 09-19 Weak Password © 2012 iCode information security All rights reserved
37.
OWASP TOP 10
Compliance Security Verified 10-A01-01 Blind SQL Injection 10-A01-02 LDAP Exception 10-A01-03 LDAP Injection 10-A01-04 SQL Error Message 10-A01-05 SQL Disclosure 10-A01-06 Unix Command Injection 10-A01-07 Windows Command Injection 10-A02-01 Cross-Site Scripting 10-A03-01 Authentication Bypass 10-A03-02 Cookie Vulnerabilities 10-A03-03 Login Redirect OWASP Top 10 10-A03-04 Non-masked Password 10-A03-05 Non-SSL Password 10-A03-06 Password Autocomplete 10-A03-07 Session ID Randomness 10-A04-01 Frame Injection 10-A04-02 Remote File Inclusion 10-A06-01 Cross Site Request Forgery 10-A06-01 Application Exception 10-A06-02 Application Path Disclosure 10-A06-03 HTTP Methods 10-A06-04 Directory Browsing 10-A06-05 Plateform Path Disclosure 10-A06-06 Web Server Vulnerabilities 10-A08-01 File & Directory Discovery 10-A08-02 Unix Relative Path 10-A08-03 Windows Relative Path 10-A09-01 Browse HTTP from HTTPS 10-A09-02 Non-SSL Form 10-A09-03 SSL Checks 10-A10-01 Cross-Frame Scripting 10-A10-02 HTTP Response Splitting 10-A10-03 Open Redirect © 2012 iCode information security All rights reserved
38.
Security Verified
Thanks Mohamed Ridha Chebbi, CISSP ridha.chebbi@icodesecurity.com Mobile : +216 26 88 10 11 © 2012 iCode information security All rights reserved
Descargar ahora