
Gray, the New Black Gray-Box Web Vulnerability Testing Brian Chess Founder / Chief Scientist Fortify Software, an HP Company June 22, 2011.


1 Gray, the New Black Gray-Box Web Vulnerability Testing Brian Chess Founder / Chief Scientist Fortify Software, an HP Company June 22, 2011


4 Todo Define gray-box testing Why black-box is insufficient What we built Examples Haters club

5 Definitions Black-box testing System-level tests No assumptions about implementation

6 Definitions White-box testing Examine implementation Test components in isolation

7 Definitions Gray-box testing System-level tests (like black-box) Examine implementation (like white-box)

8 The Software Security Game Objective Rules vs. Strategy Playing Field

9 OBJECTIVE: Protect everything OBJECTIVE: Exploit one vulnerability

10 Rules for the Defender 1. Don’t attack the attacker

11 Rules vs. Strategy Rules Don’t attack the attacker Strategy Emulate attacker’s techniques

12 Who wins? Technology Expertise

13 Who wins? Time Technology Expertise

14 Who wins? Technology Expertise Time

15 Changing the odds

16 The Defender’s Advantage Time Inside Access Technology Expertise

17 Prior Art 2005: Concolic testing: Sen, University of Illinois 2008: Microsoft SAGE: Godefroid, MSR 2008: Test Gen for Web Apps: Shay et al, U. Washington 2008: Acunetix: AcuSensor

18 Access to the Software Allows for ‘Hybrid’ analysis Black-box Approach / White-box Approach

19 ‘Hybrid’ Analysis Mostly Broken Correlation Engine


21 The ‘Real-Time Hybrid’ Approach Good Results Correlation Engine

22 Evolving to Integrated Analysis Application Real-time link Find More Fix Faster

23 Find More Reduce false negatives Automatic attack surface identification Understand effects of attacks Detect new types of vulnerabilities Privacy violation, Log Forging

24 Attack surface identification /login.jsp /pages/account.jsp /pages/balance.jsp /admin/admin.jsp File system Configuration-driven Programmatic

25 Understand effects of attacks /admin/admin.jsp ✗ Command Injection sysadmin$./sh ✔

26 Fix Faster Reduce False Positives Confirm vulnerabilities Provide Actionable Details Stack trace Line of code Collapse Duplicate Issues Tie to root cause

27 Reduce False Positives /admin/admin.jsp SQLi? ✔

28 Actionable Details /login.jsp

29 Collapse Duplicate Issues /login.jsp /pages/account.jsp /pages/balance.jsp Cross-Site Scripting

30 JavaBB – Case Study Open Source Bulletin Board Additional Vulnerabilities Finds 18 SQL Injection results Root cause analysis 18 SQL injection results have 1 root cause

31 Vulnerability Diagnosis Confirmed SQL Injection

32 Actionable Details Line of Code Parameters Stack Trace

33 Yazd – Case Study Open Source Forum Additional Attack Surface Discovers hidden ‘admin’ area 3 Additional Cross-Site Scripting results Root cause analysis Collapses 34 XSS into 24 root-cause vulnerabilities

34 Attack surface identification Hidden ‘admin’ area

35 Collapse Duplicate Issues
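The correlation and root-cause collapsing sketched on slides 26, 29, 30 and 33, as an added illustration that is not code from the talk or from Fortify's product: black-box scanner findings are confirmed against events from an in-process monitor (did attacker-controlled input reach a sink, and at which line of code), and the confirmed findings are then grouped by sink location so many scanner hits collapse to one root cause. The findings, monitor events, sink names and file:line frames are all constructed sample data.

```python
from collections import defaultdict

# Constructed black-box scanner findings (one per URL/parameter the scanner flagged).
SCANNER_FINDINGS = [
    {"id": 1, "url": "/login.jsp", "param": "user", "type": "SQL Injection"},
    {"id": 2, "url": "/pages/account.jsp", "param": "id", "type": "SQL Injection"},
    {"id": 3, "url": "/pages/balance.jsp", "param": "acct", "type": "SQL Injection"},
    {"id": 4, "url": "/admin/admin.jsp", "param": "q", "type": "SQL Injection"},
]

# Constructed runtime-monitor events keyed by scanner request id: which sink the
# request reached, the code frame of that sink, and whether the scanner's input
# arrived there unneutralised ("tainted").
MONITOR_EVENTS = {
    1: {"sink": "java.sql.Statement.execute", "frame": "DbUtil.java:42", "tainted": True},
    2: {"sink": "java.sql.Statement.execute", "frame": "DbUtil.java:42", "tainted": True},
    3: {"sink": "java.sql.Statement.execute", "frame": "DbUtil.java:42", "tainted": True},
    # Request 4 hit a parameterised query, so the payload never reached a sink as code.
    4: {"sink": "java.sql.PreparedStatement.execute", "frame": "Admin.java:17", "tainted": False},
}


def correlate(findings, events):
    """Gray-box confirmation: keep a scanner finding only if the monitor saw taint at a sink."""
    confirmed, unconfirmed = [], []
    for f in findings:
        ev = events.get(f["id"])
        if ev and ev["tainted"]:
            # Attach the actionable details the monitor provides (sink and line of code).
            confirmed.append({**f, "sink": ev["sink"], "frame": ev["frame"]})
        else:
            # No taint at a sink: likely false positive, or no instrumentation data.
            unconfirmed.append(f)
    return confirmed, unconfirmed


def collapse_by_root_cause(confirmed):
    """Group confirmed findings by (issue type, sink frame): one group per root cause."""
    groups = defaultdict(list)
    for f in confirmed:
        groups[(f["type"], f["frame"])].append(f)
    return {key: [f["url"] for f in fs] for key, fs in groups.items()}


def summarize(findings, events):
    """Return (confirmed results, root causes), e.g. '18 results have 1 root cause'."""
    confirmed, _ = correlate(findings, events)
    return len(confirmed), len(collapse_by_root_cause(confirmed))
```

With the constructed data, three confirmed SQL injection results collapse to a single root cause at DbUtil.java:42, and the admin finding is left unconfirmed for review.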

36 One More Case Study

37 Future Automated anti-anti automation

38 The Case Against “Hybrid” Hard to find attack surface with static analysis Static/dynamic correlation doesn’t work Doesn’t help with false positives / false negatives Nobody will run a software monitor (cheating!)

39 The Case for Gray-Box Testing Black-box is a losing game Find more Attack surface Vulnerability diagnosis Fix faster Root cause analysis Collapse duplicates


