SlideShare una empresa de Scribd logo

Tour-based Testing: Identify Application Landmarks Like Hackers

Rafal Los
Rafal Los

This talk is geared towards QA Analysts who want to start to understand the mindset of the 'hacker', and start thinking about web application security testing concepts.

Tecnología
1 de 46
Tour-based Testing:The Hacker's Landmark Tour Rafal Los SME Web App Security v3 - 2010
A Quick abstract Growing application complexity, coupled with the exploding increase in application surface area, has resulted in new quality challenges for testers. Some test teams are adopting a tour-based testing methodology because it’s incredibly good at breaking down testing into manageable chunks. However, hackers are paying close attention to systems and developing new targeted attacks to stay one step ahead. Rafal Los takes you inside the hacker’s world, identifying the landmarks hackers target within applications and showing you how to identify the defects they seek out. Learn what “landmarks” are(1), how to identify them from functional specifications(2), and how to tailor negative testing strategies to different landmark categories(3). Test teams, already choked for time and resources and now saddled with security testing, will learn how to pinpoint the defect—from the mountains of vulnerabilities often uncovered in security testing—that could compromise the entire application.
CLOSE YOUR EYES
The Basics Modern application complexity is increasing “Web 2.0”: creating complex applications High complexity == High risk “Too big to fully test” is a common complaint “Too complex to fully test” too!
Why landmark testing Why does landmark-based testing make sense? Testing Optimization Testers’ limited resources Time CPU cycles Manpower
Dirty little secret “Isn’t security testing …security’s job?” Actually…no. Testers bring application knowledge traditional security testing lacks.
Disclosure of Limitations Every process and methodology has limitations Tour-based testing is subjective Testers are notsecurity experts (or hackers) A cooperativeapproach is required
What is a landmark?
Identifying landmarks Just pretend you’re a tourist! Landmarks are “points of significance”- Draw your attention Invite deeper investigation
Identifying landmarks Hackers look for landmarks a little differently – but with the same principles as common tourists
5 Key Landmarks
Social reach Attackers know they are more likely to be successful in a client-targeted attack if they can send it to you from a trusted source. You trustyour friends …right? Links sent in tweets [or FaceBook messages] from your friends A company you trust says “this is our latest FREE product!” Google/Bing ads for fake Anti-Virus rampant…
Application i/o Attackers target the input/output points of an application because there are often weaknesses in the validation mechanisms File upload [or download] functionality Interaction with client systems (desktop) ,[object Object]
“Browser Helper Objects” or plug-insInteraction with remote systems (servers) ,[object Object]
“Remote file includes”,[object Object]
Authentication Manipulating an authentication system to allow free access is almost as big a target as faking the authentication scheme Bypassing authentication mechanisms Privilege escalation (horizontal & vertical) Faking authentication schemes (phishing for auth) So many ways this could go wrong
Data access The ultimate goal for an attacker is to get some one-on-one quality time with your data-store SQL Injection (#1 threat to online datastores) Poorly coded client-side programs (Flash…) RESTful web services WebService endpoints …
Ready to try this method out?
Change in mindset Can you think like a hacker? Take a look at the following web page.
Can you name 3 landmarks on that page? A quick test…
What draws your attention?
What draws your attention? Site search functionality is often unvalidated input 2 prime examples of hacker targets
Let’s see some real life examples
What jumps out at you?
Did you see these landmarks?
What jumps out at you?
Did you see these landmarks?
What jumps out at you?
Did you see these landmarks?
landmark testing IQ How well did you do? The Crossover Attackers look for “exploitable functionality” Functional testers understand “use cases”
Deriving landmarks from functional specifications
Purpose of functional specifications: Lay out application functionality Provide use-cases Business map of application Answer: “What does it do?” Functional specifications
QA testers don’t instinctively think like hackers… Work from functional specifications Hints for finding hacker landmarks: Look for changes in privilege or trust Look for application interaction points Look for opportunistic data interaction Follow the money (commerce) Getting the clues
Additional tidbits Functional specifications define the what not the howof applications ,[object Object]
Focus tools on priorities
Understand what then focustools on the howAll clear? Or clear as …
Tailoring (negative) testing strategies
This is not a secret... Security testing is overwhelming Most QA teams never test for security defects Security defect testing defaults to “kitchen sink” approach Too many results, too much noise in current testing Failure to test, increase in risk Testing strategies must change
Shift your mind to a hacker touring your site or application.
Assess your current testing Perform regular analysis of your testing strategy – How does negative testing fit in? Do you have the resources? Are your teams equipped? Can you think like a hacker?
Build an application tourist map Map the application ,[object Object]
Highlight interesting functionality
Cross-reference “functional areas” with “interesting features”
Review: 5 key landmarks 5 key areas attackers focus Commerce Social Reach Data Access Authentication Application I/O
Distill Application map Interesting Landmarks User registration User login Catalog search Cart checkout Account data entry Functional requirements Browse catalog User registration User login Shopping cart Account management Pay bill online Track shipping Manage preferences

Recomendados

The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security AssuranceRafal Los
 
Software Security Assurance - Program Building (You're going to need a bigger...
Software Security Assurance - Program Building (You're going to need a bigger...Software Security Assurance - Program Building (You're going to need a bigger...
Software Security Assurance - Program Building (You're going to need a bigger...Rafal Los
 
Assess all the things
Assess all the thingsAssess all the things
Assess all the thingsJerod Brennen
 
Security best practices for regular users
Security best practices for regular usersSecurity best practices for regular users
Security best practices for regular usersGeoffrey Vaughan
 
The Path to Proactive Application Security
The Path to Proactive Application SecurityThe Path to Proactive Application Security
The Path to Proactive Application SecurityCigital
 
Get Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM AssessmentGet Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM AssessmentCigital
 
2015 Cyber Security
2015 Cyber Security2015 Cyber Security
2015 Cyber SecurityAllen Zhang
 
Getting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramGetting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramCigital
 

Recomendados

The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security AssuranceRafal Los
 
Software Security Assurance - Program Building (You're going to need a bigger...
Software Security Assurance - Program Building (You're going to need a bigger...Software Security Assurance - Program Building (You're going to need a bigger...
Software Security Assurance - Program Building (You're going to need a bigger...Rafal Los
 
Assess all the things
Assess all the thingsAssess all the things
Assess all the thingsJerod Brennen
 
Security best practices for regular users
Security best practices for regular usersSecurity best practices for regular users
Security best practices for regular usersGeoffrey Vaughan
 
The Path to Proactive Application Security
The Path to Proactive Application SecurityThe Path to Proactive Application Security
The Path to Proactive Application SecurityCigital
 
Get Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM AssessmentGet Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM AssessmentCigital
 
2015 Cyber Security
2015 Cyber Security2015 Cyber Security
2015 Cyber SecurityAllen Zhang
 
Getting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramGetting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramCigital
 
Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Anton Chuvakin
 
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?Source Conference
 
Something Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinSomething Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Baselining Logs
Baselining LogsBaselining Logs
Baselining LogsAnton Chuvakin
 
How to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsHow to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsSecurity Innovation
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Cigital
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletinAdrian Sanabria
 
451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint SecurityAdrian Sanabria
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCigital
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...Brian Andrzejewski
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling MisconceptionsCigital
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeDenim Group
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesAtif Ghauri
 
What PCI DSS Taught Us About Security by Dr. Anton Chuvakin
What PCI DSS Taught Us About Security by Dr. Anton ChuvakinWhat PCI DSS Taught Us About Security by Dr. Anton Chuvakin
What PCI DSS Taught Us About Security by Dr. Anton ChuvakinAnton Chuvakin
 
Vulnerability management today and tomorrow
Vulnerability management today and tomorrowVulnerability management today and tomorrow
Vulnerability management today and tomorrowJonathan Sinclair
 
TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To BasicsJoel Cardella
 
Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'Anton Chuvakin
 
Ten Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfTen Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfAdrian Sanabria
 
Increasing Value Of Security Assessment Services
Increasing Value Of Security Assessment ServicesIncreasing Value Of Security Assessment Services
Increasing Value Of Security Assessment ServicesChris Nickerson
 
Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?Jorge Orchilles
 

Más contenido relacionado

La actualidad más candente

Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Anton Chuvakin
 
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?Source Conference
 
Something Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinSomething Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
How to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsHow to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsSecurity Innovation
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Cigital
 
451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint SecurityAdrian Sanabria
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCigital
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...Brian Andrzejewski
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling MisconceptionsCigital
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeDenim Group
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesAtif Ghauri
 
What PCI DSS Taught Us About Security by Dr. Anton Chuvakin
What PCI DSS Taught Us About Security by Dr. Anton ChuvakinWhat PCI DSS Taught Us About Security by Dr. Anton Chuvakin
What PCI DSS Taught Us About Security by Dr. Anton ChuvakinAnton Chuvakin
 
Vulnerability management today and tomorrow
Vulnerability management today and tomorrowVulnerability management today and tomorrow
Vulnerability management today and tomorrowJonathan Sinclair
 
TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To BasicsJoel Cardella
 
Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'Anton Chuvakin
 
Ten Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfTen Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfAdrian Sanabria
 

La actualidad más candente (20)

Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008
 
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
 
Something Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinSomething Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton Chuvakin
 
Baselining Logs
Baselining LogsBaselining Logs
Baselining Logs
 
How to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsHow to Get the Most Out of Security Tools
How to Get the Most Out of Security Tools
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin?
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletin
 
451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself Secure
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security Knowledge
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
 
What PCI DSS Taught Us About Security by Dr. Anton Chuvakin
What PCI DSS Taught Us About Security by Dr. Anton ChuvakinWhat PCI DSS Taught Us About Security by Dr. Anton Chuvakin
What PCI DSS Taught Us About Security by Dr. Anton Chuvakin
 
Vulnerability management today and tomorrow
Vulnerability management today and tomorrowVulnerability management today and tomorrow
Vulnerability management today and tomorrow
 
TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To Basics
 
Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'
 
Ten Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfTen Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard Of
 

Similar a Tour-based Testing: Identify Application Landmarks Like Hackers

Increasing Value Of Security Assessment Services
Increasing Value Of Security Assessment ServicesIncreasing Value Of Security Assessment Services
Increasing Value Of Security Assessment ServicesChris Nickerson
 
Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?Jorge Orchilles
 
Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...Osama Salah
 
Penetration Testing for Cybersecurity Professionals
Penetration Testing for Cybersecurity ProfessionalsPenetration Testing for Cybersecurity Professionals
Penetration Testing for Cybersecurity Professionals211 Check
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodFalgun Rathod
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modelingzakieh alizadeh
 
(VAPT) Vulnerability Assessment And Penetration Testing
(VAPT) Vulnerability Assessment And Penetration Testing(VAPT) Vulnerability Assessment And Penetration Testing
(VAPT) Vulnerability Assessment And Penetration TestingBluechip Gulf IT Services
 
Web app penetration testing best methods tools used
Web app penetration testing best methods tools usedWeb app penetration testing best methods tools used
Web app penetration testing best methods tools usedZoe Gilbert
 
mastering_web_testing_how_to_make_the_most_of_frameworks.pptx
mastering_web_testing_how_to_make_the_most_of_frameworks.pptxmastering_web_testing_how_to_make_the_most_of_frameworks.pptx
mastering_web_testing_how_to_make_the_most_of_frameworks.pptxsarah david
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfAmeliaJonas2
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Programcentralohioissa
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbersEoin Keary
 
mastering_web_testing_how_to_make_the_most_of_frameworks.pdf
mastering_web_testing_how_to_make_the_most_of_frameworks.pdfmastering_web_testing_how_to_make_the_most_of_frameworks.pdf
mastering_web_testing_how_to_make_the_most_of_frameworks.pdfsarah david
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxCheckmarx
 
Best Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docxBest Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docxAfour tech
 

Similar a Tour-based Testing: Identify Application Landmarks Like Hackers (20)

Increasing Value Of Security Assessment Services
Increasing Value Of Security Assessment ServicesIncreasing Value Of Security Assessment Services
Increasing Value Of Security Assessment Services
 
Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?
 
Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...
 
Penetration Testing for Cybersecurity Professionals
Penetration Testing for Cybersecurity ProfessionalsPenetration Testing for Cybersecurity Professionals
Penetration Testing for Cybersecurity Professionals
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modeling
 
(VAPT) Vulnerability Assessment And Penetration Testing
(VAPT) Vulnerability Assessment And Penetration Testing(VAPT) Vulnerability Assessment And Penetration Testing
(VAPT) Vulnerability Assessment And Penetration Testing
 
Web app penetration testing best methods tools used
Web app penetration testing best methods tools usedWeb app penetration testing best methods tools used
Web app penetration testing best methods tools used
 
mastering_web_testing_how_to_make_the_most_of_frameworks.pptx
mastering_web_testing_how_to_make_the_most_of_frameworks.pptxmastering_web_testing_how_to_make_the_most_of_frameworks.pptx
mastering_web_testing_how_to_make_the_most_of_frameworks.pptx
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
 
Introduction to security testing raj
Introduction to security testing rajIntroduction to security testing raj
Introduction to security testing raj
 
mastering_web_testing_how_to_make_the_most_of_frameworks.pdf
mastering_web_testing_how_to_make_the_most_of_frameworks.pdfmastering_web_testing_how_to_make_the_most_of_frameworks.pdf
mastering_web_testing_how_to_make_the_most_of_frameworks.pdf
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
 
Best Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docxBest Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docx
 

Más de Rafal Los

The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdf
The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdfThe 5 Ps of Preparedness - Hope is Not a Strategy [1].pdf
The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdfRafal Los
 
Irrational But Effective - Applying Parenthood Lessons to Cyber Security
Irrational But Effective - Applying Parenthood Lessons to Cyber SecurityIrrational But Effective - Applying Parenthood Lessons to Cyber Security
Irrational But Effective - Applying Parenthood Lessons to Cyber SecurityRafal Los
 
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)Rafal Los
 
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...Rafal Los
 
Lies, Fables and Security Metrics
Lies, Fables and Security MetricsLies, Fables and Security Metrics
Lies, Fables and Security MetricsRafal Los
 
Losing battles, winning wars
Losing battles, winning warsLosing battles, winning wars
Losing battles, winning warsRafal Los
 
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 20135 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013Rafal Los
 
Operationalizing Security Intelligence [ InfoSec World 2014 ]
Operationalizing Security Intelligence [ InfoSec World 2014 ]Operationalizing Security Intelligence [ InfoSec World 2014 ]
Operationalizing Security Intelligence [ InfoSec World 2014 ]Rafal Los
 
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...Rafal Los
 
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...Rafal Los
 
Cloud Security Alliance- Challanges of an elastic environment v8a [public]
Cloud Security Alliance- Challanges of an elastic environment v8a [public]Cloud Security Alliance- Challanges of an elastic environment v8a [public]
Cloud Security Alliance- Challanges of an elastic environment v8a [public]Rafal Los
 
Threat modeling the security of the enterprise
Threat modeling the security of the enterpriseThreat modeling the security of the enterprise
Threat modeling the security of the enterpriseRafal Los
 
Making Measurable Gains - Contextualizing 'Secure' in Business
Making Measurable Gains - Contextualizing 'Secure' in BusinessMaking Measurable Gains - Contextualizing 'Secure' in Business
Making Measurable Gains - Contextualizing 'Secure' in BusinessRafal Los
 
Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."Rafal Los
 
Defying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationDefying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationRafal Los
 
Ultimate Hack! Layers 8 & 9 of the OSI Model
Ultimate Hack! Layers 8 & 9 of the OSI ModelUltimate Hack! Layers 8 & 9 of the OSI Model
Ultimate Hack! Layers 8 & 9 of the OSI ModelRafal Los
 
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)Rafal Los
 
Oh No They Didn't! 7 Web App Security Stories (v1.0)
Oh No They Didn't! 7 Web App Security Stories (v1.0)Oh No They Didn't! 7 Web App Security Stories (v1.0)
Oh No They Didn't! 7 Web App Security Stories (v1.0)Rafal Los
 
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2Rafal Los
 
Sans Feb 2010 - When Web 2 0 Attacks v3.3
Sans Feb 2010 - When Web 2 0 Attacks v3.3Sans Feb 2010 - When Web 2 0 Attacks v3.3
Sans Feb 2010 - When Web 2 0 Attacks v3.3Rafal Los
 

Más de Rafal Los (20)

The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdf
The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdfThe 5 Ps of Preparedness - Hope is Not a Strategy [1].pdf
The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdf
 
Irrational But Effective - Applying Parenthood Lessons to Cyber Security
Irrational But Effective - Applying Parenthood Lessons to Cyber SecurityIrrational But Effective - Applying Parenthood Lessons to Cyber Security
Irrational But Effective - Applying Parenthood Lessons to Cyber Security
 
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
 
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
 
Lies, Fables and Security Metrics
Lies, Fables and Security MetricsLies, Fables and Security Metrics
Lies, Fables and Security Metrics
 
Losing battles, winning wars
Losing battles, winning warsLosing battles, winning wars
Losing battles, winning wars
 
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 20135 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
 
Operationalizing Security Intelligence [ InfoSec World 2014 ]
Operationalizing Security Intelligence [ InfoSec World 2014 ]Operationalizing Security Intelligence [ InfoSec World 2014 ]
Operationalizing Security Intelligence [ InfoSec World 2014 ]
 
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
 
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
 
Cloud Security Alliance- Challanges of an elastic environment v8a [public]
Cloud Security Alliance- Challanges of an elastic environment v8a [public]Cloud Security Alliance- Challanges of an elastic environment v8a [public]
Cloud Security Alliance- Challanges of an elastic environment v8a [public]
 
Threat modeling the security of the enterprise
Threat modeling the security of the enterpriseThreat modeling the security of the enterprise
Threat modeling the security of the enterprise
 
Making Measurable Gains - Contextualizing 'Secure' in Business
Making Measurable Gains - Contextualizing 'Secure' in BusinessMaking Measurable Gains - Contextualizing 'Secure' in Business
Making Measurable Gains - Contextualizing 'Secure' in Business
 
Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."
 
Defying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationDefying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with Automation
 
Ultimate Hack! Layers 8 & 9 of the OSI Model
Ultimate Hack! Layers 8 & 9 of the OSI ModelUltimate Hack! Layers 8 & 9 of the OSI Model
Ultimate Hack! Layers 8 & 9 of the OSI Model
 
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
 
Oh No They Didn't! 7 Web App Security Stories (v1.0)
Oh No They Didn't! 7 Web App Security Stories (v1.0)Oh No They Didn't! 7 Web App Security Stories (v1.0)
Oh No They Didn't! 7 Web App Security Stories (v1.0)
 
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
 
Sans Feb 2010 - When Web 2 0 Attacks v3.3
Sans Feb 2010 - When Web 2 0 Attacks v3.3Sans Feb 2010 - When Web 2 0 Attacks v3.3
Sans Feb 2010 - When Web 2 0 Attacks v3.3
 

Último

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Último (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

Tour-based Testing: Identify Application Landmarks Like Hackers

  • 1. Tour-based Testing:The Hacker's Landmark Tour Rafal Los SME Web App Security v3 - 2010
  • 2. A Quick abstract Growing application complexity, coupled with the exploding increase in application surface area, has resulted in new quality challenges for testers. Some test teams are adopting a tour-based testing methodology because it’s incredibly good at breaking down testing into manageable chunks. However, hackers are paying close attention to systems and developing new targeted attacks to stay one step ahead. Rafal Los takes you inside the hacker’s world, identifying the landmarks hackers target within applications and showing you how to identify the defects they seek out. Learn what “landmarks” are(1), how to identify them from functional specifications(2), and how to tailor negative testing strategies to different landmark categories(3). Test teams, already choked for time and resources and now saddled with security testing, will learn how to pinpoint the defect—from the mountains of vulnerabilities often uncovered in security testing—that could compromise the entire application.
  • 4. The Basics Modern application complexity is increasing “Web 2.0”: creating complex applications High complexity == High risk “Too big to fully test” is a common complaint “Too complex to fully test” too!
  • 5. Why landmark testing Why does landmark-based testing make sense? Testing Optimization Testers’ limited resources Time CPU cycles Manpower
  • 6. Dirty little secret “Isn’t security testing …security’s job?” Actually…no. Testers bring application knowledge traditional security testing lacks.
  • 7. Disclosure of Limitations Every process and methodology has limitations Tour-based testing is subjective Testers are notsecurity experts (or hackers) A cooperativeapproach is required
  • 8. What is a landmark?
  • 9. Identifying landmarks Just pretend you’re a tourist! Landmarks are “points of significance”- Draw your attention Invite deeper investigation
  • 10. Identifying landmarks Hackers look for landmarks a little differently – but with the same principles as common tourists
  • 12. Social reach Attackers know they are more likely to be successful in a client-targeted attack if they can send it to you from a trusted source. You trustyour friends …right? Links sent in tweets [or FaceBook messages] from your friends A company you trust says “this is our latest FREE product!” Google/Bing ads for fake Anti-Virus rampant…
  • 13.
  • 14.
  • 15.
  • 16. Authentication Manipulating an authentication system to allow free access is almost as big a target as faking the authentication scheme Bypassing authentication mechanisms Privilege escalation (horizontal & vertical) Faking authentication schemes (phishing for auth) So many ways this could go wrong
  • 17. Data access The ultimate goal for an attacker is to get some one-on-one quality time with your data-store SQL Injection (#1 threat to online datastores) Poorly coded client-side programs (Flash…) RESTful web services WebService endpoints …
  • 18. Ready to try this method out?
  • 19. Change in mindset Can you think like a hacker? Take a look at the following web page.
  • 20.
  • 21. Can you name 3 landmarks on that page? A quick test…
  • 22. What draws your attention?
  • 23. What draws your attention? Site search functionality is often unvalidated input 2 prime examples of hacker targets
  • 24. Let’s see some real life examples
  • 25. What jumps out at you?
  • 26. Did you see these landmarks?
  • 27. What jumps out at you?
  • 28. Did you see these landmarks?
  • 29. What jumps out at you?
  • 30. Did you see these landmarks?
  • 31. landmark testing IQ How well did you do? The Crossover Attackers look for “exploitable functionality” Functional testers understand “use cases”
  • 32. Deriving landmarks from functional specifications
  • 33. Purpose of functional specifications: Lay out application functionality Provide use-cases Business map of application Answer: “What does it do?” Functional specifications
  • 34. QA testers don’t instinctively think like hackers… Work from functional specifications Hints for finding hacker landmarks: Look for changes in privilege or trust Look for application interaction points Look for opportunistic data interaction Follow the money (commerce) Getting the clues
  • 35.
  • 36. Focus tools on priorities
  • 37. Understand what then focustools on the howAll clear? Or clear as …
  • 39. This is not a secret... Security testing is overwhelming Most QA teams never test for security defects Security defect testing defaults to “kitchen sink” approach Too many results, too much noise in current testing Failure to test, increase in risk Testing strategies must change
  • 40. Shift your mind to a hacker touring your site or application.
  • 41. Assess your current testing Perform regular analysis of your testing strategy – How does negative testing fit in? Do you have the resources? Are your teams equipped? Can you think like a hacker?
  • 42.
  • 44. Cross-reference “functional areas” with “interesting features”
  • 45. Review: 5 key landmarks 5 key areas attackers focus Commerce Social Reach Data Access Authentication Application I/O
  • 46. Distill Application map Interesting Landmarks User registration User login Catalog search Cart checkout Account data entry Functional requirements Browse catalog User registration User login Shopping cart Account management Pay bill online Track shipping Manage preferences
  • 47. Mix in security testing Functional Testing Landmark 1 Function A = “User Registration” Security Testing Performance Testing Analysis
  • 48. 3 pillars of quality Each defect type is critical and equal Does it function? Does it perform? Is it secure?
  • 50. Be a T.A.D. more secure Are you ready? Think – change your mindset Assess – assess your current testing Do – start “hacker landmark” testing
  • 51. Rafal LosSecurity Evangelist – HP ASCDirect: (765) 247-2325Email: Rafal@hp.comTwitter: Twitter.com/Wh1t3RabbitBlog: hp.com/go/white-rabbit

Notas del editor

  1. Close your eyes, and imagine you’re in Paris for the first time.You wake up in your hotel room in the early morning, and are preparing to take everything inHow will you plan your next few days in Paris?The answer is that you will likely plan your trip very carefully and deliberately, making sure you hit the high points, tourist locations, and landmarksWeb application software testing is just like this … let’s talk about why.
  2. Attackers target specific things…“Social Reach” – ways to communicate with othersUse your site’s identity to SPAMUse your site’s reputation to SPAMManipulate “friends” networksManipulate “professional” networks“Application I/O” – each input is a possible way to push malicious data into the applicationCross-site scripting {{ DEMO XSS }}CSRF – cross-site request forgeriesSQL Injection“Commerce”Product for free?Manipulate other people’s data/carts“Authentication”If you can break authentication … the game is all but lostAuthentication often only security measure (AuthN)Most likely little authorization (AuthZ)“Data Access”Points where queries are made to a data storeCross-application data retrieval (mash-ups)Encryption, algorithms, etc (especially if stored locally…){{ THE DATA IS THE ULTIMATE TARGET }}