Presentation is loading. Please wait.

Presentation is loading. Please wait.

Solving Some Modeling Challenges when Testing Rich Internet Applications for Security Software Security Research Group (SSRG), University of Ottawa In.

Published byRaymond Reed Modified over 8 years ago

Similar presentations

Presentation on theme: "Solving Some Modeling Challenges when Testing Rich Internet Applications for Security Software Security Research Group (SSRG), University of Ottawa In."— Presentation transcript:

1 Solving Some Modeling Challenges when Testing Rich Internet Applications for Security Software Security Research Group (SSRG), University of Ottawa In collaboration with IBM

2 SSRG Members University of Ottawa Prof. Guy-Vincent Jourdan Prof. Gregor v. Bochmann Suryakant Choudhary(Master student) Emre Dincturk(PhD student) Khaled Ben Hafaiedh(PhD student) Seyed M. Mir Taheri(PhD student) Ali Moosavi (Master student) In collaboration with Research and Development, IBM ® Security AppScan ® Enterprise Iosif Viorel Onut (PhD)

3 IBM Rational AppScan Enterprise Edition Product overview IBM Security Solutions

4 IBM Rational AppScan Suite – Comprehensive Application Vulnerability Management 4 REQUIREMEN TS CODE BUILD PRE-PROD PRODUCTIO N QA AppScan Standard AppScan Source AppScan Tester Security Requirements Definition AppScan Standard Security / compliance testing incorporated into testing & remediation workflows Security requirements defined before design & implementation Outsourced testing for security audits & production site monitoring Security & Compliance Testing, oversight, control, policy, audits Build security testing into the IDE Application Security Best Practices – Secure Engineering Framework Automate Security / Compliance testing in the Build Process SECURITY AppScan Build AppScan Enterprise AppScan Reporting Console AppScan onDemand Dynamic Analysis/Blackbox – Static Analysis/Whitebox -

5 AppScan Enterprise Edition capabilities Large scale application security testing Client-server architecture designed to scale Multiple users running multiple assessments Centralized repository of all assessments Scheduling and automation of assessments REST-style API for automation and integrations Enterprise visibility of security risk High-level dashboards Detailed security issues reports, advisories and fix recommendations Correlation of results discovered using dynamic and static analysis techniques Over 40 compliance reports like PCI, GLBA, SOX Governance & collaboration User roles & access permissions Test policies Issue management Defect tracking systems integration 5

6 6 AppScan Enterprise Information Security  Schedule and automate assessments  Conduct assessments with AppScan Standard and AppScan Source and publish findings for remediation and trending Build automation  Source code analysis for security issues as part of build verification  Publish findings for remediation and trending Tools:  AppScan Standard Edition  AppScan Source Edition AppScan Enterprise Workflows Tools:  AppScan Source for Automation  AppScan Standard Edition CLI Compliance Officers  Review compliance reports Management  Review most common security issues  View trends  Assess risk  Evaluate progress Development & QA  Conduct assessments  View assessment results  Remediate issues  Assign issue status

7 7 View detailed security issues reports Security Issues Identified with Static Analysis Security Issues Identified with Dynamic Analysis Aggregated and correlated results Remediation Tasks Security Risk Assessment

8 8 Obtain a high-level view of the security of your applications Compare the number of issues across teams and applications Identify top security issues and risks View trending of the number of issues by severity over time Monitor the progress of issue resolution

9 9 Assess regulatory compliance risk Over 40 compliance reports, including: ▫The Payment Card Industry Data Security Standard (PCI) ▫VISA CISP ▫Children Online Privacy Protection Act (COPPA) ▫Financial Services (GLBA) ▫Healthcare Services (HIPAA) ▫Sarbanes-Oxley Act (SOX)

10 Introduction: Traditional Web Applications Navigation is achieved using the links (URLs) Synchronous communication

11 Introduction : Rich Internet Applications More interactive and responsive web apps ▫Page changes via client-side code (JavaScript) ▫Asynchronous communication

12 Crawling and web application security testing All parts of the application must be discovered before we analyze for security. Why automatic crawling algorithm are important for security testing ? ▫Most RIAs are too large for manual exploration ▫Efficiency ▫Coverage

13 What we present… Techniques and Approaches to make web application security assessment tools perform better How to improve the performance? ▫Make them efficient by analysing only what’s important and ignore irrelevant information ▫Making rich internet applications accessible to them.

14 Web application crawlers Main components: ▫Crawling strategy  Algorithm which guides the crawler ▫State equivalence  Algorithm which indicates what should be considered new

15 State Equivalence Client states Decides if two client states of an application should be considered different or the same. Why important? ▫Infinite runs or state explosion ▫Incomplete coverage of the application

16 Techniques Load-Reload: Discovering non-relevant dynamic content of web pages Identifying Session Variables and Parameters

17 1. Load-Reload: Discovering non-relevant dynamic content of web pages Extracting the relevant information from a page.

18 What we propose Reload the web page (URL) to determine the parts of the content that are relevant. Calculate Delta (X): Content that changed between the two loads.

19 Delta(X): X is any web page and Delta(X) is collection of xpaths of the contents that are not relevant E.g. Delta(X) = {html\body\div\, html\body\a\@href} What we propose (2)

20 Example

21 Example (2)

22 What we propose (3) Delta (X)  Is purpose and application dependent  Few computing techniques:  Use proxies  Manual identification to supplement automatic detection algorithm etc.

23 2. Identifying Session Variables and Parameters What is a session? ▫A session is a conversation between the server and a client. ▫Why should a session be maintained? ▫HTTP is Stateless: When there is a series of continuous request and response from a same client to a server, the server cannot identify from which client it is getting requests.

24 Identifying Session Variables and Parameters (2) Session tracking methods: ▫User authorization ▫Hidden fields ▫URL rewriting ▫Cookies ▫Session tracking API Problems that are addressed: ▫Redundant crawling: Might result in crawler trap or infinite runs. ▫Session termination problem: Incomplete coverage of the application if application requires session throughout the access.

25 What we propose Two recordings of the log-in sequence are done on the same website, using the same user input (e.g. same user name and password) and the same user actions.

26 Example

27 3. Crawling Strategies For RIAs Crawling extracts a “model” of the application that consists of ▫States, which are “distinct” web pages ▫Transitions are triggered by event executions Strategy decides how the application exploration should proceed

28 Standard Crawling Strategies Breadth-First and Depth-First They are not flexible ▫They do not adapt themselves to the application Breadth-First often goes back to the initial page ▫Increases the number of reloads (loading the URL) Depth-First requires traversing long paths ▫Increases the number of event executions

29 What we propose Model Based Crawling  Model is an assumption about the structure of the application  Specify a good strategy for crawling any application that follows the model.  Specify how to adapt the crawling strategy in case that the application being crawled deviates from the model.

30 What we propose (2) Existing models: ▫Hypercube Model 1.Independent events 2.The set of enabled events at a state are the same as the initial state except the ones executed to reach it. ▫Probability Model  Statistics gathered about event execution results are used to guide the application exploration strategy

31 Conclusion Crawling is essential for automated security testing of web applications We introduced two techniques to enhance security testing of web applications ▫Identifying and ignoring irrelevant web page contents ▫Identifying and ignoring session information We have worked on new crawling algorithms

32 Thank You !

33 Demonstration Rich Internet Application Security Testing - IBM ® Security AppScan ® Enterprise

34 DEMO – IBM ® Security AppScan ® Enterprise IBM Security AppScan Enterprise is an automated web application scanner We added RIA crawling capability on a prototype of AppScan We will demo how the coverage of the tool increases with RIA crawling capability

35 DEMO – Test Site (Altoro Mutual)

36 DEMO – Results Without RIA Crawling

37 DEMO - Results With RIA Crawling

Download ppt "Solving Some Modeling Challenges when Testing Rich Internet Applications for Security Software Security Research Group (SSRG), University of Ottawa In."

Similar presentations

Performance Testing - Kanwalpreet Singh.

Performance Testing - Kanwalpreet Singh.
Program Management Portal: Overview for the Client

Program Management Portal: Overview for the Client
1 MDV, April 2010 Some Modeling Challenges when Testing Rich Internet Applications for Security Kamara Benjamin, Gregor v. Bochmann Guy-Vincent Jourdan,

1 MDV, April 2010 Some Modeling Challenges when Testing Rich Internet Applications for Security Kamara Benjamin, Gregor v. Bochmann Guy-Vincent Jourdan,
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
Automated Software Testing: Test Execution and Review Amritha Muralidharan (axm16u)

Automated Software Testing: Test Execution and Review Amritha Muralidharan (axm16u)
HP Quality Center Overview.

HP Quality Center Overview.
SACM Terminology Nancy Cam-Winget, David Waltermire, March.

SACM Terminology Nancy Cam-Winget, David Waltermire, March.
Validata Release Coordinator Accelerated application delivery through automated end-to-end release management.

Validata Release Coordinator Accelerated application delivery through automated end-to-end release management.
Security Controls – What Works

Security Controls – What Works
Access 2007 Product Review. With its improved interface and interactive design capabilities that do not require deep database knowledge, Microsoft Office.

Access 2007 Product Review. With its improved interface and interactive design capabilities that do not require deep database knowledge, Microsoft Office.
SwE 434. Rational Quality Manager Rational Quality Manager is a collaborative, Web-based tool that offers comprehensive test planning, test construction,

SwE 434. Rational Quality Manager Rational Quality Manager is a collaborative, Web-based tool that offers comprehensive test planning, test construction,
eGovernance Under guidance of Dr. P.V. Kamesam IBM Research Lab New Delhi Ashish Gupta 3 rd Year B.Tech, Computer Science and Engg. IIT Delhi.

eGovernance Under guidance of Dr. P.V. Kamesam IBM Research Lab New Delhi Ashish Gupta 3 rd Year B.Tech, Computer Science and Engg. IIT Delhi.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Business & Enterprise Systems Introduction to Hewlett Packard (HP) Application Lifecycle Management.

I n t e g r i t y - S e r v i c e - E x c e l l e n c e Business & Enterprise Systems Introduction to Hewlett Packard (HP) Application Lifecycle Management.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.

Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
Web Application Testing with AppScan Terry Labach.

Web Application Testing with AppScan Terry Labach.
Prof. Vishnuprasad Nagadevara Indian Institute of Management Bangalore

Prof. Vishnuprasad Nagadevara Indian Institute of Management Bangalore

Similar presentations

Ads by Google