
Slide 1: Title
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
OWASP Asia Pacific Conference 2008
Considerations for application security testing in enterprise projects
Jean-Marie Abighanem, OWASP Melbourne Chapter President; Deloitte Touche Tohmatsu, Director, Security & Privacy Services
jabighanem@deloitte.com.au, Mobile: 04 3311 8551
28 February 2008

Slide 2: Agenda
- What is an online application?
- Security testing scope
- When to test?
- How do you test web applications?
- Regression testing
- Test data
- Defect management
- Finer points for application pen testing

Slide 3: What is an online application? (section title)

Slide 4: What can consumers do online these days?
Financial Services
- Pay a bill with Internet Banking
- Buy and sell some shares
- Change your superannuation portfolio allocation
- Choose your health insurer by a search of costs and features
Consumer Business
- Purchase goods or services from a web site at a fixed price
- Purchase goods or services via auction (e.g. eBay)
- Advertising (e.g. Trading Post)
Telecommunications, Media and Technology
- Sign up for and change mobile phone and internet plans
- Retrieve and pay bills
Transport, Hospitality and Leisure
- Book a flight
- Book a hotel
- Track a flight's arrival in real time!
Energy, Mining and Resources
- Retrieve and pay bills
Public Sector
- Lodge your tax return
- Pay a parking fine
- Pay council rates
- Find lost super

Slide 5: What can business do online these days?
Financial Services
- Sell financial products via extranet and brokers
Consumer Business
- Outsource product delivery in real time to a logistics partner
Telecommunications, Media and Technology
- Resell available international bandwidth to third parties
Transport, Hospitality and Leisure
- Modify costs and prices of flights and accommodation in real time
Energy, Mining and Resources
- Tender electronically for the supply of goods and services amongst business partners
Public Sector
- Centralise change of name and address amongst agencies and departments

Slide 6: Security Testing Scope (section title)

Slide 7: Security Testing Scope
- State what you will and will not cover, e.g. DoS
- Write it down
- Delineate between functional and security testing:
  - authentication
  - authorisation and access control
  - session management
  - input validation
  - etc.
- Define boundaries between the web application and supporting infrastructure, e.g. two-factor authentication, Active Directory

Slide 8: When to test? (section title)

Slide 9: When to test? Classic approach to testing
- Last brick in the foundation, after the building is built
- Gatekeeper/rubber-stamping role, maybe?
At what stage should security testing be done?
- Define
- Design
- Develop
- Deploy
- Maintain

Slide 10: When to test?
[Figure: project lifecycle diagram. Phases shown: project-based development, functional testing, non-functional testing, user acceptance testing, pilot, pre-production, production ("Thank God it's gone live" party), then feature requests feeding BAU development and BAU testing. A "TEST HERE?" marker is placed at every phase.]

Slide 11: When to test?
[Chart: costs of bug fixing usually go up the later in the lifecycle a defect is found. Source: OWASP Testing Guide v2]

Slide 12: When to test?
[Chart: inverse relationship between fixing costs and security testing costs]

Slide 13: How do you test web applications? (section title)

Slide 14: How do you test web applications? Source code reviews
Pros:
- Possibly more complete
- Possibly faster
Cons:
- Presumes code availability
- False positives and false negatives
- Cannot find run-time bugs easily
- Requires skilled resources

Slide 15: How do you test web applications? Application security scanners
Pros:
- Faster
- Provide useful reporting tools
- Good for testing input validation
- Limited skill sets required by tester
Cons:
- Limitations around business logic testing, as each application is unique
- False positives
- Only tests what is accessible

Slide 16: How do you test web applications? Manual penetration testing
Pros:
- Looks at dynamic code
- Tests the code that is actually running
- Can examine business logic
Cons:
- Effectiveness depends on skill of tester
- Done at tail end of project
- Only tests what is accessible

Slide 17: How do you test web applications? All techniques have their place
"…you need a hammer, saw and tape to build a house…neither is more important than the other…imagine a house only built using a hammer?" [Paraphrasing Jeff Williams, OWASP Chair, http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project]

Slide 18: Regression testing
- Fixing security defects in one area may create defects in other areas
- Test cases should be re-performed when impacted by defect remediation elsewhere in the application
- Need to discuss with developers what was changed and how

Slide 19: Test data
- Don't use production data!
- Privacy implications (NPP #2 and NPP #9 from http://privacy.gov.au/publications/npps01.html)
- PCI-DSS requirement 6.4 specifically prohibits use of production data in testing
- Use accounts with varying privileges
- Consider use of a test administrator account to do password resets or permission changes during testing

Slide 20: Defect management
- Communicate your assessment of potential likelihood and impact of attack
- Document defects for repeatability
- Let the application owner decide the fate of defects
- Record decisions made
- If the app is already in production, monitor for attacks or pull the app
- Restrict access to defect information

Slide 21: Finer points for application pen testing
- Which browser are you using to test?
- Track the application version which was tested
- Use an end-to-end environment for testing
- Vulnerabilities in commercial off-the-shelf applications ('COTS') can be researched
- Customised code usually has the highest frequency of bugs/flaws
- Think outside the box
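As an added illustration of slides 18 to 21 (not part of the presentation): a small security regression suite that re-runs recorded defect cases, with the application version stamped on every result, against a constructed in-memory stand-in for the application using constructed test accounts of varying privilege. The StubApp class, the account names, the defect ids and the version string are all assumptions made up for this example; its "overzealous fix" switch simulates a remediation in one area that breaks a legitimate path, the regression slide 18 warns about.

```python
APP_VERSION = "1.4.2"  # constructed: the build under test, recorded with every result
ACCOUNTS = {"alice": "customer", "bob": "customer", "tadmin": "test-admin"}  # constructed accounts

class StubApp:
    """Constructed stand-in for the web application under test (no production data)."""
    def __init__(self, overzealous_fix=False):
        self.invoices = {"INV-1": "alice", "INV-2": "bob"}
        self.overzealous_fix = overzealous_fix  # simulates a DEF-101 fix that also broke the owner path

    def view_invoice(self, user, invoice_id):
        owner = self.invoices[invoice_id]
        if ACCOUNTS[user] == "test-admin" or (owner == user and not self.overzealous_fix):
            return {"invoice": invoice_id, "owner": owner}
        raise PermissionError("not the owner")

    def reset_password(self, actor, target):  # the test administrator resets passwords during testing
        if ACCOUNTS[actor] != "test-admin":
            raise PermissionError("admin only")
        return True

def denied(call):
    """True when the application refuses the action, which is the expected outcome."""
    try:
        call()
    except PermissionError:
        return True
    return False

# Each recorded defect keeps a repeatable check; its "-ok" twin guards the legitimate path.
CASES = {
    "DEF-101": ("authorisation", lambda app: denied(lambda: app.view_invoice("alice", "INV-2"))),
    "DEF-101-ok": ("authorisation", lambda app: app.view_invoice("alice", "INV-1")["owner"] == "alice"),
    "DEF-117": ("authorisation", lambda app: denied(lambda: app.reset_password("bob", "alice"))),
    "DEF-117-ok": ("authorisation", lambda app: app.reset_password("tadmin", "bob") is True),
}

def run_regression(app, area=None):
    """Re-run every case (or only the impacted area); an unexpected exception is a failure."""
    results = {}
    for cid, (case_area, check) in CASES.items():
        if area is not None and case_area != area:
            continue
        try:
            passed = bool(check(app))
        except Exception:
            passed = False
        results[cid] = {"version": APP_VERSION, "area": case_area, "passed": passed}
    return results

def regressions(app):  # defect ids failing on this build: what to raise with the application owner
    return sorted(cid for cid, r in run_regression(app).items() if not r["passed"])
```

Running `regressions(StubApp(overzealous_fix=True))` reports `DEF-101-ok`, showing how a fix in one area surfaces as a failed case elsewhere, while the version stamp keeps each record tied to the build that was tested.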

Slide 22: Questions?

