Approaches to Application Security – DSM


1 Approaches to Application Security – DSM
Maheshan C N

2 Agenda
Sample illustration of a SQL Injection
Different Approaches to Security Testing
Dynamic (Black Box) Vs Static (White Box) Vs Manual
Summary

3 Sample illustration of a SQL injection

4 SQL Injection

5 Normal login for JSMITH
Username: jsmith Password: *******

6 Normal login for JSMITH

7 Username = Apostrophe? The start of a SQL injection attack
Password:

8 Step 1 – We have an error
Syntax error in string query expression ‘username = “’ and password = “’

9 Step 2 – Try a more complete SQL statement
Username: ’ or username like ‘s%’ or ‘ --

10 Now we are Sam!

11 Approaches to Security Testing

12 Dynamic, Static and Manual (DSM)
Potential Security Defects are covered by three kinds of analysis:
Manual Analysis
Static Analysis or White Box Testing or Code Review (WB)
Dynamic Analysis or Black Box Testing (BB)

13 Static and Dynamic Analysis
Two types of security analysis: Static and Dynamic
Dynamic Analysis
Analyzes a running application
Looks for issues both within the application and around it
Tools: web application scanners, run-time analyzers
Users: “black-box” penetration testing specialists
Static Analysis
Analyzes source code
Looks for security issues within the application source code
Users: “white-box” source code auditors, development teams

14 Dynamic (Black Box) Vs Static (White Box) Vs Manual

15 How Does Dynamic (Black Box) Testing Work?

16 SQL Injection
User input is embedded as-is in predefined SQL statements:
  query = "SELECT * from tUsers where userid='" + iUserID + "' AND password='" + iPassword + "'";
Honest input: iUserID = jsmith, iPassword = demo1234
Resulting statement: SELECT * from tUsers where userid='jsmith' AND password='demo1234'
Matching row: UserID 1824, Username jsmith, Name John Smith, Password demo1234
Hacker supplies input that modifies the original SQL statement, for example:
  iUserID = ' or 1=1 --
Resulting statement: SELECT * from tUsers where userid='' or 1=1 --' AND password='bar'
Everything after -- is a comment, so the password check is never evaluated and the first row matches:
Matching row: UserID 1, Username admin, Name Administrator, Password $#kaoeFor56

17 How BB Scanners Work
Stage 1: Crawling as an honest user

18 How BB Scanners Work
Stage 1: Crawling as an honest user

19 How BB Scanners Work
Stage 1: Crawling as an honest user
Stage 2: Testing by tampering requests
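The two things slides 5 to 19 describe, rebuilt as an added example that is not part of the presentation: the slide's concatenated login query next to the same lookup with a parameterized query, and a toy two-stage black-box probe that first crawls a login form for its field names and then replays the request with tampered values, flagging a database error on a lone apostrophe (Step 1 on slide 8) and a login that still succeeds with the ' or 1=1 -- payload (slide 16). The Java servlet logic is rewritten in Python on an in-memory SQLite table; the tUsers rows, the HTML form and the function names are constructed for this example.

```python
import sqlite3
from html.parser import HTMLParser


def make_db():
    """Constructed sample data, modelled on the tUsers table from the slides."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tUsers (userid TEXT, password TEXT, name TEXT)")
    db.executemany("INSERT INTO tUsers VALUES (?, ?, ?)", [
        ("admin", "$#kaoeFor56", "Administrator"),   # first row, like UserID 1
        ("jsmith", "demo1234", "John Smith"),
    ])
    return db


DB = make_db()


def vulnerable_login(username, password):
    """User input is embedded as-is in the SQL text, exactly as on the slide.
    Returns the matched user's name, or None when no row matches."""
    query = ("SELECT name FROM tUsers WHERE userid='" + username +
             "' AND password='" + password + "'")
    row = DB.execute(query).fetchone()
    return row[0] if row else None


def safe_login(username, password):
    """Same lookup with bound parameters: the input never reaches the SQL
    parser as SQL text, so an apostrophe is just a character of the value."""
    row = DB.execute(
        "SELECT name FROM tUsers WHERE userid=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


# Constructed login page, standing in for what stage 1 of a scanner crawls.
LOGIN_PAGE = """
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input type="submit" value="Login">
</form>
"""


class FieldFinder(HTMLParser):
    """Stage 1: record the submittable field names a crawler sees in a form."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") != "submit" and a.get("name"):
            self.fields.append(a["name"])


def discover_fields(html):
    parser = FieldFinder()
    parser.feed(html)
    return parser.fields


def probe(login, page=LOGIN_PAGE):
    """Stage 2: replay the crawled request with one field tampered at a time
    and watch the response for the two signals the slides use: a database
    error on a lone apostrophe, and a successful login with the 1=1 payload."""
    honest = {"username": "jsmith", "password": "demo1234"}
    findings = {"error_leak": False, "auth_bypass": False}
    for field in discover_fields(page):
        for payload in ("'", "' or 1=1 --"):
            tampered = dict(honest, **{field: payload})
            try:
                name = login(tampered["username"], tampered["password"])
            except sqlite3.Error:
                findings["error_leak"] = True      # Step 1 on slide 8
                continue
            if name is not None:
                findings["auth_bypass"] = True     # "Now we are Sam!"
    return findings


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_login))   # both signals present
    print("parameterized:", probe(safe_login))      # neither signal present
```

The probe never needs the source code, which is the black-box perspective from the slides: it only sees the form fields and the behaviour of the response. Its blind spot is equally visible: it reports nothing for `safe_login`, but it also would report nothing for a vulnerable query that swallowed errors and always redirected on failure, which is the "cover all attack vectors" challenge listed on slide 26.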

20 How Does Static (White Box) Testing Work?

21 Detecting SQL Injection (White Box)
Source – a method returning a tainted string:
  // ...
  String username = request.getParameter("username");
  String password = request.getParameter("password");
  String query = "SELECT * from tUsers where " +
                 "userid='" + username + "' " +
                 "AND password='" + password + "'";
  ResultSet rs = stmt.executeQuery(query);
Sink – a potentially dangerous method: stmt.executeQuery(query)
The user can change the executed SQL commands.

22 Detecting SQL Injection (White Box)
The tainted value flows from the source, through the string concatenation, into the sink:
  String username = request.getParameter("username");   // source
  // ...
  String query = "SELECT …" + username;                   // taint propagates through "+"
  ResultSet rs = stmt.executeQuery(query);                // sink

23 How WB Scanners Work
Many injection problems share the same shape: SQLi, XSS, Log Forging, Path Traversal, Remote code execution
The scanner models each of them with three sets:
Sources: methods that return user-controlled data
Sanitizers: methods that make that data safe
Sinks: methods that must not receive unsanitized data
Deciding this precisely in general is an undecidable problem
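A toy version of the source/sanitizer/sink reasoning from slides 21 to 23, added here as an example and not taken from the presentation or from any scanner: a taint analysis over a small straight-line program that marks values returned by request.getParameter as tainted, lets taint survive string concatenation, clears it on a sanitizer call, and reports every sink call that receives tainted data together with the sources it came from. The statement format, the sanitizer name escapeSql and the sink table are assumptions of this example.

```python
# Calls that introduce taint, calls that remove it, and calls that must not
# receive tainted data (mapped to the issue class the slides name).
SOURCES = {"request.getParameter"}
SANITIZERS = {"escapeSql"}                     # hypothetical sanitizer name
SINKS = {
    "stmt.executeQuery": "SQL Injection",
    "response.getWriter().write": "Cross Site Scripting",
}


def _taint_of(tainted, names):
    """Union of the taint origins recorded for the given variable names."""
    return set().union(*(tainted.get(n, set()) for n in names))


def _record(tainted, target, origins):
    """Mark target as tainted by origins, or as clean when origins is empty."""
    if origins:
        tainted[target] = origins
    else:
        tainted.pop(target, None)


def analyze(program):
    """program: list of (target, op, args) statements; op is 'literal'
    (args: [text]), 'concat' (args: variable names) or 'call'
    (args: [callee, *argument variables]; a source's argument is the
    parameter name).  Returns (statement number, issue, sorted sources)
    for every sink call that receives tainted data."""
    tainted = {}        # variable -> set of source descriptions
    findings = []
    for n, (target, op, args) in enumerate(program, 1):
        if op == "literal":
            _record(tainted, target, set())                     # constants are clean
        elif op == "concat":
            _record(tainted, target, _taint_of(tainted, args))  # taint survives "+"
        elif op == "call":
            callee, params = args[0], args[1:]
            if callee in SOURCES:
                _record(tainted, target, {f"{callee}({params[0]})"})
            elif callee in SANITIZERS:
                _record(tainted, target, set())                 # sanitizer output is clean
            elif callee in SINKS:
                origins = _taint_of(tainted, params)
                if origins:
                    findings.append((n, SINKS[callee], sorted(origins)))
                _record(tainted, target, set())                 # a ResultSet is not tainted
            else:
                _record(tainted, target, _taint_of(tainted, params))  # unknown call: propagate
        else:
            raise ValueError(f"unknown op {op!r}")
    return findings


# Constructed IR of the slide's servlet code: both parameters reach the query.
SLIDE_CODE = [
    ("username", "call", ["request.getParameter", "username"]),
    ("password", "call", ["request.getParameter", "password"]),
    ("prefix",   "literal", ["SELECT * from tUsers where userid='"]),
    ("mid",      "literal", ["' AND password='"]),
    ("suffix",   "literal", ["'"]),
    ("query",    "concat", ["prefix", "username", "mid", "password", "suffix"]),
    ("rs",       "call", ["stmt.executeQuery", "query"]),
]

# Only the username is sanitized; the password still flows to the sink.
PARTIAL_FIX = [
    ("username", "call", ["request.getParameter", "username"]),
    ("password", "call", ["request.getParameter", "password"]),
    ("safeUser", "call", ["escapeSql", "username"]),
    ("prefix",   "literal", ["SELECT * from tUsers where userid='"]),
    ("mid",      "literal", ["' AND password='"]),
    ("suffix",   "literal", ["'"]),
    ("query",    "concat", ["prefix", "safeUser", "mid", "password", "suffix"]),
    ("rs",       "call", ["stmt.executeQuery", "query"]),
]

# Both inputs sanitized for SQL, but the raw username is echoed into the page.
ECHOED_INPUT = [
    ("username", "call", ["request.getParameter", "username"]),
    ("password", "call", ["request.getParameter", "password"]),
    ("safeUser", "call", ["escapeSql", "username"]),
    ("safePass", "call", ["escapeSql", "password"]),
    ("prefix",   "literal", ["SELECT * from tUsers where userid='"]),
    ("mid",      "literal", ["' AND password='"]),
    ("suffix",   "literal", ["'"]),
    ("query",    "concat", ["prefix", "safeUser", "mid", "safePass", "suffix"]),
    ("rs",       "call", ["stmt.executeQuery", "query"]),
    ("_",        "call", ["response.getWriter().write", "username"]),
]

if __name__ == "__main__":
    for name, prog in [("slide", SLIDE_CODE), ("partial", PARTIAL_FIX), ("echoed", ECHOED_INPUT)]:
        print(name, analyze(prog))
```

Three things from the slides show up directly: the finding names the source that reaches the sink, so a half-done fix (PARTIAL_FIX) is still reported with the remaining source; a sanitizer only clears taint for the sink class it was written for, so ECHOED_INPUT is clean for SQL but still flagged for XSS; and the analysis never runs the application, which is why it works on code that is not deployed yet (slide 25, "mainly used in development stage"). Real tools work on a control-flow graph with branches, loops and calls rather than a straight-line list, which is where the approximation and the "undecidable problem" remark on slide 23 come from.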

24 Pros and Cons of Black Box and White Box testing

25 Dynamic (Black) Vs Static (White)
Paradigm
  Dynamic (Black): Cleverly “guessing” behaviors that may introduce vulnerabilities
  Static (White): Examines infinite numbers of behaviors in a finite approach
Perspective
  Dynamic (Black): Works as an attacker; HTTP awareness only; works on the big picture
  Static (White): Resembles code auditing; inspects the small details; hard to “connect the dots”
Pre-Requisite
  Dynamic (Black): Any deployed application; mainly used during the testing stage
  Static (White): Application code; mainly used in the development stage
Development Effort
  Dynamic (Black): Oblivious to different languages; different communication protocols require attention
  Static (White): Different languages require support, some frameworks too; oblivious to communication protocols

26 Dynamic (Black) Vs Static (White) contd
Scope
  Dynamic (Black): Scans the entire system: servers (application, HTTP, DB, etc.), external interfaces, network, firewalls
  Static (White): Identifies issues regardless of configuration
Time/Accuracy Tradeoffs
  Dynamic (Black): Crawling takes time; testing mutations takes (infinite) time
  Static (White): A refined model consumes space and time, so only “important” code is analyzed and the rest approximated
Accuracy Challenges
  Dynamic (Black): Cover all attack vectors
  Static (White): Eliminate non-exploitable issues

27 Manual Testing Pros and Cons
Pros
  Cheaper than automated solutions
  Can identify any form of issue (based on skill set!!!)
Cons
  Lack of security knowledge
  Time consuming
  Inconsistent

28 Dynamic, Static and Manual (DSM)
Potential Security Defects, grouped by the analysis that finds them:
Manual Analysis: some authentication issues, business logic issues, some authorization issues
Static Analysis or White Box Testing or Code Review (WB): exception handling, design issues, threading issues, potential NULL dereferences
Dynamic Analysis or Black Box Testing (BB): patch level issues, production configuration issues
Found by both WB and BB: SQL Injection, Cross Site Scripting (XSS), some configuration issues

29 Summary
White Box / static analysis covers 80% of your application-specific vulnerabilities
Black box / dynamic testing is really good for dynamic vulnerabilities and infrastructure-based issues
Manual testing would still be needed to resolve application logic and authorization-based vulnerabilities

30 Thank you
Our Business Knowledge, Your Winning Edge

