Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Security Review Process for Existing Software Applications

Published byFlorence Cameron Modified over 8 years ago

Similar presentations

Presentation on theme: "A Security Review Process for Existing Software Applications"— Presentation transcript:

1 A Security Review Process for Existing Software Applications
DRAFT Gabriele Garzoglio Computing Division, Fermilab

2 Overview Goal Involvement Focus Process to achieve the Goal
Identify technical risks and their impact Involvement Focus Process to achieve the Goal Application Review Abuse Cases Analysis Architectural Risk Analysis Code Review Application Tests Write Report Gabriele Garzoglio

3 Goal Identify technical risks associated with the application
Find vulnerabilities / flaws in application code / architecture Technical problems or complications … and the impact of these technical risks Unexpected system crashes Avoidance of security control Unauthorized data modification / disclosure Optionally: generate application quality metrics Number of defects Number of critical risks Gabriele Garzoglio

4 Who should be involved Application Developers
Application Administrators Management Security team Security reviewers Gabriele Garzoglio

5 Focus To achieve the goals, study the software application with the following in mind: what it does / what it protects (business context / risk) threat / exploit community (what does an exploiter gain) potential vulnerabilities (what defects can be exploited) risks (vulnerabilities x threats) Gabriele Garzoglio

6 Overview Goal Involvement Focus Process to achieve the Goal
Identify technical risks and their impact Involvement Focus Process to achieve the Goal Application Review Abuse Cases Analysis Architectural Risk Analysis Code Review Application Tests Write Report Gabriele Garzoglio

7 How to identify technical risks and their impact
Application review (interviews, documentation, etc.) Abuse Cases Analysis Architectural Risk Analysis Code Review Application tests (Security/Penetration) Write report Gabriele Garzoglio

8 How to conduct the "Application Review"
Study: General Functionalities Environment (Users, Security Policies, etc.) Use Cases Specific Features Architecture Project management practices Operation practices Risk Analysis / Security Requirements / Security Operations (if any) Gabriele Garzoglio

9 How to conduct the "Abuse Cases Analysis“ *
Misuse or abuse cases: Prepare for abnormal behavior (attack) Uncover exceptional cases Document what software will do in the face of illegitimate use Process: Start with attack patterns (see later), requirements, and use cases Build an attack model Determine misuses and abuse cases Talk to the developers: they might know possible system abuses “Software Security: Building Security in” by G. McGraw; Ed: Addison-Wesley “Exploiting Software: How to break the code” by G. Hoglund and G. McGraw; Ed: Addison-Wesley Gabriele Garzoglio

10 48 attack patterns* * “Exploiting Software: How to break the code”
Make the Client invisible Target Programs That Write to Privileged OS Resources Use a User-Supplied Configuration File to Run Commands That Elevate Privilege Make Use of Configuration File Search Paths Direct Access to Executable Files Embedding Scripts within Scripts Leverage Executable Code in Non-executable Files Argument Injection Command Delimiters Multiple Parsers and Double Escapes User-Supplied Variable Passed to File System Calls Postfix NULL Terminator and Backslash Relative Path Traversal Client-Controlled Environment Variables User-Supplied Global Variables (DEBUG=1, PHP Globals, etc.) Session ID, Resource 10, and Blind Trust Analog In-Band Switching Signals (aka "Blue Boxing") Attack Pattern Fragment: Manipulating Terminal Devices Simple Script Injection Embedding Script in Nonscript Elements XSS in HTTP Headers HTTP Query Strings User-Controlled Filename Passing Local Filenames to Functions That Expect a URL Meta-characters in Header File System Function Injection, Content Based Client-side Injection, Buffer Overflow Cause Web Server Misclassification Alternate Encoding the Leading Ghost Characters Using Slashes in Alternate Encoding Using Escaped Slashes in Alternate Encoding Unicode Encoding UTF-8 Encoding URL Encoding Alternative IP Addresses Slashes and URL.Encoding Combined Web Logs Overflow Binary Resource File Overflow Variables and Tags Overflow Symbolic Links MIME Conversion HTTP Cookies Filter Failure through Buffer Overflow Buffer Overflow with Environment Variables Buffer Overflow in API Calls Buffer Overflow in Local Command·-Line Utilities Parameter Expansion String Format Overflow in syslog() * “Exploiting Software: How to break the code” by G. Hoglund and G. McGraw Ed: Addison-Wesley Gabriele Garzoglio

11 How to conduct the "Architectural Risk Analysis“ *
Process: Build a one page overview Architectural analysis Attack resistance analysis (see attack patterns) Ambiguity analysis Weakness analysis Rank risks Build mitigations “Software Security: Building Security in” by G. McGraw; Ed: Addison-Wesley “Building Secure Software” by J. Viega & G. McGraw; Ed: Addison-Wesley Gabriele Garzoglio

12 How to conduct the "Code review“ *
Best if using automated tools Look out for: Input validation and representation API abuse Security features Time and state Error handling Code quality Encapsulation Environment “Software Security: Building Security in” by G. McGraw; Ed: Addison-Wesley “Building Secure Software” by J. Viega & G. McGraw; Ed: Addison-Wesley Gabriele Garzoglio

13 How to conduct the "Application tests“ *
Security Testing: Risk-based testing, Functional Security testing, Penetration testing, … Several Standards of compliance: CHECK, OSSTMM, OWASP, … Most appropriate for web applications is OWASP Select tests according to outcomes of previous analyses “Software Security: Building Security in” by G. McGraw; Ed: Addison-Wesley Gabriele Garzoglio

14 How to “write the report”
Write a summary of your findings for each of the process steps Application Review Abuse Cases Analysis Architectural Risk Analysis Code Review Application Tests Identify impact of technical risks Remember your “focus”: what it does / what it protects threat / exploit community potential vulnerabilities risks (vulnerabilities x threats) What are the business needs of the application? Availability, confidentiality, integrity, authenticity/non-repudiation, … Link the risks with the business needs Propose mitigation strategies for highest impact risks Gabriele Garzoglio

Download ppt "A Security Review Process for Existing Software Applications"

Similar presentations

PHP Form and File Handling

PHP Form and File Handling
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Application Security Chapter 8 Copyright Pearson Prentice Hall 2013.

Application Security Chapter 8 Copyright Pearson Prentice Hall 2013.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.

8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Similar presentations

Ads by Google