Creating Practical Security Test-Cases for Web Applications
                        Rafal M. Los
                        HP ASC Sr. Security Solutions Expert


                                               7 May 2009
Agenda

    Understanding the QA/Security Relationship
    Negative Testing 360°
    Building Negative Tests
    Implementation and Execution
    Looking Ahead


Background
     Why do QA teams care about security?
     • Traditionally security is left to the security team
     • Security issues must be addressed throughout the SDL
     • QA teams add the missing element

     QA teams are crucial to security

     • Understand application test-cases
     • Understand application workflows
     • Security is a natural extension of quality

QA – Security Relationship
    Similarities – core principles

    • Testing web application logic
    • Functional testing on live code
    • Specific data-sets used

    Differences – outlying goals

    • Stress-test vs. break test
    • Positive vs. negative data sets
    • Reinforcing positive vs. uncovering negative

The “Hacker” Mindset
     Why would anyone want to break an application?
       Fun
       Malice
       Profit
         Attack users
         Attack systems

     Mentality difference
       QA asks – How does it perform?
       Hacker asks – How can I break it?




Whose Problem is Security?
     Many components to the security “problem”
       Policy
       Development frameworks/standards
       Audit
       Metrics
     Security is a pillar of overall quality
       Does it function?
       Does it perform?
       Is it secure?



Negative Testing Overview
    What is negative testing?
       Testing for unintended features
       Testing using unintended data sets
       Testing for unintended logic flow



    “Negative testing involves understanding the
      application, and finding ways to manipulate the
      code to perform in ways as to create unintended
      exposures”
Negative Testing Overview
     Selection bias → Confirmation bias
        Testing to confirm desired results
        Testing using known desired data and flows
        Testing which completely misses the point…




     “…confirmation bias is a tendency to search for or
       interpret new information in a way that confirms one's
       preconceptions and to avoid information and
       interpretations which contradict prior beliefs”

Negative Testing Mindset
       Traditional QA: proving the positive

       • Prove certain activity functions as defined by business case
       • Requirements are easily defined in application flow and function

       Negative testing: finding the negative

       • Find negative (unintended) functions/results
       • No way to clearly define “bad stuff” as a requirement to test against

Negative Testing - Data
     Types of negative data depend on purpose

     • Exploit a client
       • Client-side script or technology
     • Corrupt or crash a system
       • Database control characters
       • Non-native character sets, system characters
       • System commands
     • Retrieve data from the system
       • Database queries, control language
       • System commands

Negative Testing - Flow
     Goal is to manipulate application logic


     Identify “breakable” application logic
     •   Create a race condition
     •   Break application control-flow
     •   Force an out of process action
     •   Inject a rogue process
     Test-cases based on proper application logic flows

     Requires in-depth knowledge of application flow

Negative Testing - Tools
       Tools are an integral part of negative testing
       • Manual tools
         • Flow diagrams
         • Data sets
         • Logic charts
       • Automated tools
         • Black-box scanners
         • Manu-matic framework tools

Negative Testing - Tools
       Automated tools *cannot* perform all testing
       • Workflow-based vulnerabilities
       • Complex attacks
         • Multi-stage
         • Business logic



       Human beings must…

       • Analyze the application logic and data
       • Guide tools
       • Interpret results



Building the Test

      Phase 1 – Mapping the Application
      • Business logic
      • Application flow
      • Application surface
      • Application entry-points

      Phase 2 – Tools-Based Testing
      • Tools-generated data-set testing
      • Automated crawler-based testing
      • Known defects

      Phase 3 – Manual-Based Testing
      • Workflow defect tests
      • Business logic tests
      • Complex attacks

      Phase 4 – Analysis & Correlation
      • Analyze results of automated & manual testing
      • Correlate Phase 2 / Phase 3 results


Building Data-Negative Tests

      All possible inputs
      • Letters
      • Numbers
      • Special characters
      • Control characters

      Track 1: All possible inputs → Data-unknown (unknown impact) → Situational refinement → Negative test data
        Situational refinement:
        • Database → SQLi
        • Client-side → XSS
        • XML db → X-Path injection

      Track 2: Allowed (positive) characters → Case-specific malicious → Negative test data
        Case-specific malicious:
        • Cross-site scripting
        • SQL Injection
        • Overflows


Building Data-Negative Tests
      Manual human testing
        Must build test data sets manually
        Sniper approach (can be precise)
        Often very slow, methodical
        Identifies false-positives
      Tools-based testing
        Builds test data sets automatically
        Shotgun approach (not precise)
        Ability to be extremely fast
        Trouble with false-positives


Negative Data Sets
     Facts about negative data
        Negative data sets are best generated by tools if the tester is not a security expert
        Many pre-built negative data sets already exist
          Sla.ckers.org – XSS cheat-sheet
        Tools can point → click → test
          Black-box testing tools save time & effort
          Humans must analyze results
        Must mix positive/negative data for completeness
          Workflows often require good data to proceed
          Automated negative-data testing fails without good data


Flow Analysis Testing
      Can a process step be bypassed?
        Step 1: Verify Identity → Step 2: Request quote → Step 3: Receive quote → Step 4: Submit for purchase
        (Submit quote for someone else?)

      Can a process step be injected?
        Step 1: Verify Identity → Step 2: Request quote → Step 3: Receive quote → [Injected! Modify quote] → Step 4: Submit for purchase




Flow Analysis Testing
      Manual human testing
        Can analytically identify specific weak points
        Distinguishes between success/failure readily
        Often very slow, methodical
        Ability to tailor testing to situation/process
      Tools-based testing
        Attacks every point, cannot distinguish
        Difficulty distinguishing success/failure
        Ability to be extremely fast
        Cannot think, therefore has limited abilities


Flow Analysis Testing
     Facts about flow analysis testing
        Tester must understand application flow
          Proper application flow to turn into negative
          “Random manipulation” rarely works
        Focus on application control-points
          Key points in application logic
        Don’t leave your testing to tools-only
          Most tools can’t identify control points, dive deep into flows
          Human analyst has an obvious advantage (critical thinking)




Negative Testing Process
      Analyze Requirements → Execute Phase 1 → Execute Phase 2 → Execute Phase 3 → Execute Phase 4
      → New Functionality Discovered? → back to Analyze Requirements

Testing Negative Data
      1. Identify all visible inputs (data “source”)
           i.  Input positive data → Analyze behavior
           ii. Input negative data → Analyze behavior

      2. Identify all hidden fields (data “source”)
           i.  Input positive data → Analyze behavior
           ii. Input negative data → Analyze behavior




Testing Negative Flow
     … as we’ve learned, this will be manual work
      Map out all control-flows
      Identify a potentially weak logic element
        Walk the positive-control flow path
          Ensure proper positive path is understood
        Map possible negative-control flow paths
        Execute negative-control flow paths
          Analyze the difference between positive/negative attempts
          Repeat if necessary to adjust/adapt until satisfied
          Attempt at least 3-5 loop-repetitions
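The two negative-flow paths drawn on the Flow Analysis Testing slide (bypass a step, inject a step) run against the four-step quote workflow, as an added example that is not from the deck: a weak service that trusts the client's step order is tested beside a hardened one that tracks workflow state server-side. Both services, the user names and the amounts are hypothetical.

```python
"""Negative control-flow harness for the four-step quote workflow on the
'Flow Analysis Testing' slide: walk the positive path, then the two negative
paths (bypass a step, inject a step) from the 'Testing Negative Flow' slide.
Both services are hypothetical and written for this example."""


class WeakQuoteService:
    """Trusts the client to call steps in order and to return the quote unchanged."""
    def __init__(self):
        self.quotes = {}     # quote_id -> {"owner", "amount"}
        self.purchases = []  # (user, quote_id, amount)
    def verify_identity(self, user):
        return {"user": user}  # the 'session' is a client-held dict
    def request_quote(self, session, amount):
        qid = len(self.quotes) + 1
        self.quotes[qid] = {"owner": session["user"], "amount": amount}
        return qid
    def receive_quote(self, session, qid):
        return {"quote_id": qid, "amount": self.quotes[qid]["amount"]}
    def submit_for_purchase(self, session, quote):
        # Defects: no check that steps 2-3 ran, that the quote belongs to this
        # user, or that the amount is the one the server issued.
        self.purchases.append((session["user"], quote["quote_id"], quote["amount"]))
        return "ok"


class HardenedQuoteService:
    """Keeps workflow state server-side; every step checks the step before it."""
    def __init__(self):
        self.sessions = {}   # token -> {"user": ..., "done": completed steps}
        self.quotes = {}
        self.purchases = []
    def _require(self, token, step):
        s = self.sessions.get(token)
        if s is None or step not in s["done"]:
            raise PermissionError(f"step '{step}' not completed for this session")
        return s
    def _own_quote(self, s, qid):
        q = self.quotes.get(qid)
        if q is None or q["owner"] != s["user"]:
            raise PermissionError("quote was not issued to this user")
        return q
    def verify_identity(self, user):
        token = len(self.sessions) + 1
        self.sessions[token] = {"user": user, "done": {"verify_identity"}}
        return token
    def request_quote(self, token, amount):
        s = self._require(token, "verify_identity")
        qid = len(self.quotes) + 1
        self.quotes[qid] = {"owner": s["user"], "amount": amount}
        s["done"].add("request_quote")
        return qid
    def receive_quote(self, token, qid):
        s = self._require(token, "request_quote")
        q = self._own_quote(s, qid)
        s["done"].add("receive_quote")
        return {"quote_id": qid, "amount": q["amount"]}
    def submit_for_purchase(self, token, quote):
        s = self._require(token, "receive_quote")
        q = self._own_quote(s, quote["quote_id"])
        if quote["amount"] != q["amount"]:  # the injected 'Modify quote' step
            raise ValueError("quote differs from the one issued")
        self.purchases.append((s["user"], quote["quote_id"], q["amount"]))
        return "ok"


def run_negative_flow_tests(service):
    """Returns the control-flow defects observed (empty list = none found)."""
    findings = []
    # Positive path for bob first, so a quote owned by someone else exists.
    bob = service.verify_identity("bob")
    bob_quote = service.receive_quote(bob, service.request_quote(bob, 500))
    service.submit_for_purchase(bob, bob_quote)
    # Negative path 1 (bypass): alice skips steps 2-3 and submits bob's quote.
    alice = service.verify_identity("alice")
    try:
        service.submit_for_purchase(alice, dict(bob_quote))
        findings.append("step bypass: purchase accepted without request/receive, "
                        "using another user's quote")
    except (PermissionError, ValueError):
        pass
    # Negative path 2 (injection): alice follows the proper path but modifies
    # the quote between step 3 and step 4.
    alice_quote = service.receive_quote(alice, service.request_quote(alice, 500))
    try:
        service.submit_for_purchase(alice, dict(alice_quote, amount=1))
        recorded = [p for p in service.purchases if p[0] == "alice"][-1][2]
        if recorded != 500:
            findings.append(f"step injection: modified quote accepted (amount {recorded})")
    except (PermissionError, ValueError):
        pass
    return findings
```

Running `run_negative_flow_tests` against each service reports both defects for the weak one and none for the hardened one; the same harness can be re-run after each fix, which is the repeat-and-adjust loop the slide asks for.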



Identify Weaknesses
      How do you identify a weakness/defect?
        Undesired application reaction
          Crash?
          Skip control step?
        Disclosure of unintended data
          Debug information
          Disclosure of internal data
          Disclosure of controlled data
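The Testing Negative Data procedure (positive data, then negative data, analyze behavior after each, for visible inputs and a hidden field) combined with the reactions this slide lists, as an added example that is not from the deck: a harness feeds constructed positive and negative data sets to two hypothetical search endpoints and names each undesired reaction (crash, debug information disclosed, input reflected unencoded). The endpoints, the in-memory table and the data sets are all constructed for this example.

```python
"""Data-negative test harness for the two-step procedure on the 'Testing
Negative Data' slide, reporting reactions the way the 'Identify Weaknesses'
slide lists them (crash, disclosure, unencoded reflection). The search
endpoints, table and data sets are constructed for this example."""
import html
import sqlite3


def make_db():
    """Constructed in-memory table that the hypothetical endpoints search."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT)")
    con.executemany("INSERT INTO products VALUES (?)",
                    [("widget",), ("gadget",), ("gizmo",)])
    return con


def weak_search(con, form):
    """Hypothetical weak endpoint: concatenated SQL, raw echo, trusted hidden field."""
    term = form.get("q", "")
    limit = int(form.get("limit", "10"))  # hidden field, unvalidated -> ValueError
    try:
        rows = con.execute(
            f"SELECT name FROM products WHERE name LIKE '%{term}%' LIMIT {limit}"
        ).fetchall()
    except sqlite3.Error as e:
        return f"<pre>{type(e).__name__}: {e}</pre>"  # leaks the DB error text
    return f"<h1>Results for {term}</h1>" + "".join(f"<li>{r[0]}</li>" for r in rows)


def hardened_search(con, form):
    """Hypothetical hardened endpoint: bound parameters, validated hidden field,
    escaped output and a generic error page."""
    term = form.get("q", "")
    limit = form.get("limit", "10")
    if not (limit.isdigit() and 1 <= int(limit) <= 100):
        return "<p>Invalid request.</p>"
    try:
        rows = con.execute("SELECT name FROM products WHERE name LIKE ? LIMIT ?",
                           (f"%{term}%", int(limit))).fetchall()
    except sqlite3.Error:
        return "<p>Search is temporarily unavailable.</p>"
    return (f"<h1>Results for {html.escape(term)}</h1>"
            + "".join(f"<li>{html.escape(r[0])}</li>" for r in rows))


# Constructed data sets. The positive set must keep working; each negative
# item is tagged with its input class from the 'Negative Testing - Data' slide.
POSITIVE = [{"q": "gad", "limit": "10"}]
NEGATIVE = [
    ("database control character", {"q": "'", "limit": "10"}),
    ("client-side markup", {"q": "<b>x</b>", "limit": "10"}),
    ("hidden field, non-numeric", {"q": "gad", "limit": "abc"}),
]
DEBUG_MARKERS = ("Traceback", "OperationalError", "syntax error")


def classify(handler, con, form):
    """Sends one input and names the undesired reactions seen (empty list = none)."""
    try:
        body = handler(con, form)
    except Exception as e:  # undesired reaction: the endpoint crashed
        return [f"crash: {type(e).__name__}"]
    findings = []
    if any(marker in body for marker in DEBUG_MARKERS):
        findings.append("debug information disclosed")
    raw = form.get("q", "")
    if "<" in raw and raw in body:  # markup came back unencoded
        findings.append("input reflected without encoding")
    return findings


def run_data_negative_tests(handler):
    """Steps i/ii of the slide for one endpoint: positive data first, then
    negative data, analysing behaviour after each. Returns {tag: findings}."""
    con = make_db()
    report = {}
    for form in POSITIVE:
        if "gadget" not in handler(con, form):
            report["positive: " + form["q"]] = ["expected result missing"]
    for tag, form in NEGATIVE:
        findings = classify(handler, con, form)
        if findings:
            report[tag] = findings
    return report


if __name__ == "__main__":
    for name, handler in (("weak", weak_search), ("hardened", hardened_search)):
        print(name, run_data_negative_tests(handler))
```

The report for the weak endpoint names one reaction per negative input class, while the hardened endpoint returns an empty report and still serves the positive data, which is the mix of positive and negative data the Negative Data Sets slide calls for.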




Looking Ahead


      Addressing “deep” defects
        Workflow-based security defects
        Traditionally cannot be scanned for (with automated tools)

      Analysis of Defects
        When is a critical defect… not?
        QA expertise → contextualized defects


Questions?

      • Security Strategist
      • Application Security Specialist



      • Following the White Rabbit:
        http://www.communities.hp.com/securitysoftware/blogs/rafal
      • Digital Security SoapBox: http://preachsecurity.blogspot.com/



      • Email: Rafal@hp.com
      • Direct: (404) 606-6056



Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 

Último (20)

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 

Creating Practical Security Test-Cases for Web Applications

  • 7. Whose Problem is Security?
    Many components to the security “problem”
      Policy
      Development frameworks/standards
      Audit
      Metrics
    Security is a pillar of overall quality
      Does it function?
      Does it perform?
      Is it secure?
  • 8. Agenda (repeated; next section: Negative Testing 360°)
  • 9. Negative Testing Overview
    What is negative testing?
      Testing for unintended features
      Testing using unintended data sets
      Testing for unintended logic flow
    “Negative testing involves understanding the application, and finding ways to manipulate the code to perform in ways as to create unintended exposures”
  • 10. Negative Testing Overview
    Selection bias → Confirmation bias
      Testing to confirm desired results
      Testing using known desired data and flows
      Testing which completely misses the point…
    “…confirmation bias is a tendency to search for or interpret new information in a way that confirms one's preconceptions and to avoid information and interpretations which contradict prior beliefs”
  • 11. Negative Testing Mindset
    Traditional QA: proving the positive
      Prove that a given activity functions as defined by the business case
      Requirements are easily defined in application flow and function
    Negative testing: finding the negative
      Find negative (unintended) functions/results
      No way to clearly define “bad stuff” as a requirement to test against
  • 12. Negative Testing – Data
    The type of negative data depends on the purpose
      Exploit a client
        Client-side script or technology
      Corrupt or crash a system
        Database control characters
        Non-native character sets, system characters
        System commands
      Retrieve data from the system
        Database queries, control language
        System commands
  • 13. Negative Testing – Flow
    Goal is to manipulate application logic
    Identify “breakable” application logic
      Create a race condition
      Break application control-flow
      Force an out-of-process action
      Inject a rogue process
    Test-cases are derived from the proper application logic flows
    Requires in-depth knowledge of application flow
  • 14. Negative Testing – Tools
    Tools are an integral part of negative testing
      Manual tools
        Flow diagrams
        Data sets
        Logic charts
      Automated tools
        Black-box scanners
        “Manu-matic” (semi-automated) framework tools
  • 15. Negative Testing – Tools
    Automated tools *cannot* perform all testing
      Workflow-based vulnerabilities
      Complex attacks
        Multi-stage
        Business logic
    Human beings must…
      Analyze the application logic and data
      Guide tools
      Interpret results
  • 16. Agenda (repeated; next section: Building Negative Tests)
  • 17. Building the Test
    Phase 1 – Mapping the Application
      Business logic
      Application flow
      Application surface
      Application entry-points
    Phase 2 – Tools-Based Testing
      Tools-generated data-set testing
      Automated crawler-based testing
      Known defects
    Phase 3 – Manual-Based Testing
      Workflow defect tests
      Business logic tests
      Complex attacks
    Phase 4 – Analysis & Correlation
      Analyze automated & manual results
      Correlate P2/P3 results
  • 18. Building Data-Negative Tests
    (Diagram: refining the full input space into negative test data)
    All possible inputs
      Letters
      Numbers
      Special characters
      Control characters
    → Data-negative test data refinement, which sorts inputs into:
      Allowed (positive) characters
      Situational (unknown impact)
      Case-specific malicious characters
        Cross-site scripting
        SQL Injection
        Overflows
    Case-specific negative data depends on what sits behind the input:
      Database → SQLi
      Client-side → XSS
      XML database → XPath injection
  • 19. Building Data-Negative Tests
    Manual human testing
      Must build test data sets manually
      Sniper approach (can be precise)
      Often very slow, methodical
      Identifies false-positives
    Tools-based testing
      Builds test data sets automatically
      Shotgun approach (not precise)
      Ability to be extremely fast
      Trouble with false-positives
  • 20. Negative Data Sets
    Facts about negative data
      Negative data sets are best generated by tools if the tester is not a security expert
      Many pre-built negative data sets already exist
        Sla.ckers.org – XSS cheat-sheet
      Tools can point → click → test
        Black-box testing tools save time & effort
        Humans must analyze results
      Must mix positive/negative data for completeness
        Workflows often require good data to proceed
        Automated negative-data testing fails without good data
  • 21. Flow Analysis Testing
    (Diagram: the four-step quote workflow)
    Step 1 Verify Identity → Step 2 Request quote → Step 3 Receive quote → Step 4 Submit for purchase
    Can a process step be bypassed?
      e.g. “Submit quote for someone else?” – reach Step 4 without Step 1
    Can a process step be injected?
      e.g. “Modify quote” injected between Step 3 and Step 4
  • 22. Flow Analysis Testing
    Manual human testing
      Can analytically identify specific weak points
      Distinguishes between success/failure readily
      Often very slow, methodical
      Ability to tailor testing to situation/process
    Tools-based testing
      Attacks every point, cannot distinguish
      Difficulty distinguishing success/failure
      Ability to be extremely fast
      Cannot think, therefore has limited abilities
  • 23. Flow Analysis Testing
    Facts about flow analysis testing
      Tester must understand application flow
        The proper application flow is what gets turned into the negative
        “Random manipulation” rarely works
      Focus on application control-points
        Key points in application logic
      Don’t leave your testing to tools only
        Most tools can’t identify control points or dive deep into flows
        Human analyst has an obvious advantage (critical thinking)
  • 24. Agenda (repeated; next section: Implementation and Execution)
  • 25. Negative Testing Process
    (Diagram: a loop)
    Analyze Requirements → Execute Phase 1 → Execute Phase 2 → Execute Phase 3 → Execute Phase 4 → New Functionality Discovered? → back to Analyze Requirements
  • 26. Testing Negative Data
    1. Identify all visible inputs (data “source”)
       i.  Input positive data → analyze behavior
       ii. Input negative data → analyze behavior
    2. Identify all hidden fields (data “source”)
       i.  Input positive data → analyze behavior
       ii. Input negative data → analyze behavior
  • 27. Testing Negative Flow
    … as we’ve learned, this will be manual work
      Map out all control-flows
      Identify a potentially weak logic element
      Walk the positive-control flow path
        Ensure the proper positive path is understood
      Map possible negative-control flow paths
      Execute negative-control flow paths
        Analyze the difference between positive/negative attempts
      Repeat as necessary to adjust/adapt until satisfied
        Attempt at least 3-5 loop-repetitions
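The two questions on the flow-analysis slide (can a step be bypassed, can a step be injected) and the walk-the-positive-path-then-the-negative-paths procedure above, written out as an added example that is not code from the deck. WeakQuoteApp and HardenedQuoteApp are constructed stand-ins for a web application that keeps per-session state; step(sid, name, data) plays the role of one HTTP request in session sid, and the item, price and user names are made up. The weak app is the shape of application this testing finds: each step checks only its own inputs, never that the prior step ran.

```python
"""Flow-analysis test cases for the four-step quote workflow.

Added example, not code from the slides.  WeakQuoteApp and HardenedQuoteApp
are constructed stand-ins for a web application that keeps per-session state;
`step(sid, name, data)` plays the role of one HTTP request in session `sid`."""

# The designed (positive) control flow from the slide, in order.
STEPS = ["verify_identity", "request_quote", "receive_quote", "submit_purchase"]
PRICES = {"widget": 100}   # constructed catalogue


class WeakQuoteApp:
    """Each step validates only its own inputs and never checks that the
    previous step ran for this session.  submit_purchase also trusts the
    item and price sent by the client instead of the quote it issued."""

    def __init__(self):
        self.sessions = {}   # session id -> per-session state
        self.orders = []

    def step(self, sid, name, data):
        s = self.sessions.setdefault(sid, {})
        if name == "verify_identity":
            s["user"] = data["user"]
            return "ok"
        if name == "request_quote":
            s["quote"] = {"item": data["item"], "price": PRICES[data["item"]]}
            return "ok"
        if name == "receive_quote":
            return s.get("quote", "no quote")
        if name == "submit_purchase":
            self.orders.append({"user": s.get("user", "anonymous"),
                                "item": data["item"], "price": data["price"]})
            return "accepted"
        return "unknown step"


class HardenedQuoteApp(WeakQuoteApp):
    """Every step records that it ran; a step is refused unless its
    predecessor in STEPS ran in the same session, and the purchase uses the
    server-side quote, so nothing in the request can alter it."""

    def step(self, sid, name, data):
        s = self.sessions.setdefault(sid, {"done": set()})
        if name not in STEPS:
            return "rejected: unknown step"
        idx = STEPS.index(name)
        if idx > 0 and STEPS[idx - 1] not in s["done"]:
            return "rejected: out of sequence"
        if name == "verify_identity":
            s["user"] = data["user"]
            result = "ok"
        elif name == "request_quote":
            s["quote"] = {"item": data["item"], "price": PRICES[data["item"]]}
            result = "ok"
        elif name == "receive_quote":
            result = dict(s["quote"])
        else:  # submit_purchase
            self.orders.append({"user": s["user"], **s["quote"]})
            result = "accepted"
        s["done"].add(name)
        return result


def positive_path(app, sid="s1"):
    """First walk the proper flow with good data.  Both implementations must
    accept it, otherwise the negative runs prove nothing."""
    app.step(sid, "verify_identity", {"user": "alice"})
    app.step(sid, "request_quote", {"item": "widget"})
    quote = app.step(sid, "receive_quote", {})
    return app.step(sid, "submit_purchase", {"item": quote["item"], "price": quote["price"]})


def negative_paths(make_app):
    """The two questions on the flow-analysis slide, each as a negative
    control-flow path.  Returns the set of weaknesses the app exhibits."""
    found = set()

    # Bypass: jump straight to step 4 in a fresh session, skipping identity
    # verification and the quote itself.
    app = make_app()
    if app.step("s2", "submit_purchase", {"item": "widget", "price": 100}) == "accepted":
        found.add("step bypass: purchase without identity or quote")

    # Injection: receive the quote, then submit with a modified price.
    app = make_app()
    app.step("s3", "verify_identity", {"user": "mallory"})
    app.step("s3", "request_quote", {"item": "widget"})
    quote = app.step("s3", "receive_quote", {})
    verdict = app.step("s3", "submit_purchase", {"item": quote["item"], "price": 1})
    if verdict == "accepted" and app.orders[-1]["price"] != quote["price"]:
        found.add("step injection: quote modified before submit")
    return found


if __name__ == "__main__":
    for make_app in (WeakQuoteApp, HardenedQuoteApp):
        assert positive_path(make_app()) == "accepted"
        print(make_app.__name__, negative_paths(make_app) or "no flow weaknesses")
```

Running the same negative paths against both implementations is the point: the weak app reports both weaknesses, the hardened one none, and the positive path succeeds on both, which is what separates a real flow defect from a broken test. The predecessor check is one way to enforce sequence; an application that needs more would also bind the quote to the verified user so it cannot be submitted from another session.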
  • 28. Identify Weaknesses
    How do you identify a weakness/defect?
      Undesired application reaction
        Crash?
        Skip control step?
      Disclosure of unintended data
        Debug information
        Disclosure of internal data
        Disclosure of controlled data
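The data-negative procedure from the “Building Data-Negative Tests”, “Negative Data Sets” and “Testing Negative Data” slides, with the weakness signals listed on the slide above as the oracle, as an added example that is not code from the deck. search_handler is a constructed toy endpoint with deliberate defects so the cases have something to find; the positive record, the per-category payload lists and the database-error pattern are small constructed samples, not a complete negative data set. It does what the slides prescribe: run the positive data first, then mutate one field at a time (hidden field included) while every other field keeps its good value, and judge each response by crash, debug text, database error or unescaped reflection.

```python
"""Data-negative test cases run against a constructed toy endpoint.

Added example, not code from the slides.  `search_handler` is a constructed
stand-in for a web endpoint: it receives the parameters a form would submit
(one of them, csrf, is a hidden field) and returns (status, body) the way the
real thing would over HTTP.  Swap in a function that performs the request
against a test instance and the rest is unchanged."""
import html
import re

# Constructed positive data set: every other field must hold good data so the
# workflow proceeds and the single mutated field is what is under test.
POSITIVE = {"q": "laptop", "max_price": "1500", "page": "1", "csrf": "ok-token"}
HIDDEN = {"csrf"}   # hidden fields get exactly the same treatment as visible ones

# Negative data grouped by the purpose it serves; constructed sample payloads.
NEGATIVE = {
    "client_script":  ["<script>alert(1)</script>", '"><img src=x onerror=alert(1)>'],
    "db_control":     ["'", "' OR '1'='1", "1; DROP TABLE products--"],
    "control_chars":  ["\x00", "\r\n", "\x1b[2J"],
    "unicode":        ["Ωmega", "\u202e"],
    "overflow":       ["A" * 5000],
    "type_confusion": ["-1", "1e309", "NaN", ""],
}

# Strings that betray a back end; a constructed sample of driver error text.
DB_ERROR = re.compile(r"SQL syntax|ORA-\d{5}|mysql_fetch|unterminated quoted", re.I)


def search_handler(params):
    """Constructed toy target with deliberate defects so the cases find
    something: `q` is reflected unescaped and a quote in it surfaces a
    database-style error; a non-numeric `max_price` crashes the handler
    and leaks debug text.  `page` and `csrf` are handled correctly."""
    if params.get("csrf") != "ok-token":
        return 403, "forbidden"
    try:
        max_price = int(params.get("max_price", "0"))
    except ValueError:
        return 500, "Traceback (most recent call last): ValueError"
    q = params.get("q", "")
    if "'" in q:
        return 200, "SQL syntax error near " + q
    page = html.escape(params.get("page", "1"))
    return 200, f"<h1>Results for {q}</h1><p>page {page}, under {max_price}</p>"


def build_cases(positive, negative, hidden=frozenset()):
    """One test case per (field, payload): the field takes the negative value,
    every other field keeps its positive value."""
    cases = []
    for field in positive:
        for category, payloads in negative.items():
            for payload in payloads:
                params = dict(positive, **{field: payload})
                cases.append({"field": field, "hidden": field in hidden,
                              "category": category, "payload": payload,
                              "params": params})
    return cases


def analyze(case, status, body):
    """The weakness signals from the slide, turned into a verdict (None = no finding)."""
    if status >= 500 or "Traceback" in body:
        return "crash/debug disclosure"
    if DB_ERROR.search(body):
        return "database error disclosure"
    if case["category"] == "client_script" and case["payload"] in body:
        return "unescaped reflection (XSS)"
    return None


def run(handler, positive, negative, hidden=frozenset()):
    """Positive data first (a broken baseline is not a finding), then every
    negative case; returns the distinct (field, category, verdict) findings."""
    status, _ = handler(positive)
    if status != 200:
        raise RuntimeError("positive data set is rejected; fix the data before testing")
    findings = set()
    for case in build_cases(positive, negative, hidden):
        status, body = handler(case["params"])
        verdict = analyze(case, status, body)
        if verdict:
            findings.add((case["field"], case["category"], verdict))
    return sorted(findings)


if __name__ == "__main__":
    for field, category, verdict in run(search_handler, POSITIVE, NEGATIVE, HIDDEN):
        print(f"{field:10} {category:15} {verdict}")
```

Two details carry the slides' advice: the positive run gates everything (if the good data does not pass, nothing the negative cases report can be trusted), and mutating one field per case is what keeps the workflow proceeding far enough for the negative value to reach the code that handles it. The oracle is deliberately narrow; a finding it does not classify still shows up as an unexpected status or body and is for the analyst to read.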
  • 29. Agenda (repeated; next section: Looking Ahead)
  • 30. Looking Ahead
    Addressing “deep” defects
      Workflow-based security defects
      Traditionally cannot be scanned for (with automated tools)
    Analysis of Defects
      When is a critical defect… not?
      QA expertise → contextualized defects
  • 31. Questions?
    Security Strategist
    Application Security Specialist
    Following the White Rabbit: http://www.communities.hp.com/securitysoftware/blogs/rafal
    Digital Security SoapBox: http://preachsecurity.blogspot.com/
    Email: Rafal@hp.com
    Direct: (404) 606-6056