^ About the.

Slides:



Advertisements
Similar presentations
Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Advertisements

OWASP Application Security Verification Standard 2009
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Software Documentation Written By: Ian Sommerville Presentation By: Stephen Lopez-Couto.
Web Application Testing with AppScan Terry Labach.
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.
CASE Tools And Their Effect On Software Quality Peter Geddis – pxg07u.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
SEC835 Database and Web application security Information Security Architecture.
1 Software Testing (Part-II) Lecture Software Testing Software Testing is the process of finding the bugs in a software. It helps in Verifying and.
A Framework for Automated Web Application Security Evaluation
The Security Analysis Process University of Sunderland CSEM02 Harry R. Erwin, PhD.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 Quality Center 10.0 NOTE: Uninstall the current version of QC before downloading QC All QC 10.0 documents can be located on the BI Shared Services.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
COMP 208/214/215/216 – Lecture 8 Demonstrations and Portfolios.
1 Chapter Nine Conducting the IT Audit Lecture Outline Audit Standards IT Audit Life Cycle Four Main Types of IT Audits Using COBIT to Perform an Audit.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
OWASP ESAPI SwingSet An introduction by Fabio Cerullo.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Database security Diego Abella. Database security Global connection increase database security problems. Database security is the system, processes, and.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Dynamic Testing.
HNDIT23082 Lecture 09:Software Testing. Validations and Verification Validation and verification ( V & V ) is the name given to the checking and analysis.
1 Phase Testing. Janice Regan, For each group of units Overview of Implementation phase Create Class Skeletons Define Implementation Plan (+ determine.
OWASP ASVS Levels1234 Tools Manual Test and Review Manual Design Review At higher levels in ASVS,the use of tools is encouraged. But to be effective,the.
T EST T OOLS U NIT VI This unit contains the overview of the test tools. Also prerequisites for applying these tools, tools selection and implementation.
By Ramesh Mannava.  Overview  Introduction  10 secure software engineering topics  Agile development with security development activities  Conclusion.
Vulnerability Analysis Dr. X. Computer system Design Implementation Maintenance Operation.
Input Validation vulnerabilities in Android System Services Sukwon Choi scho668.
SOFTWARE TESTING Date: 29-Dec-2016 By: Ram Karthick.
Securing Your Web Application in Azure with a WAF
Security Testing Methods
Chapter 5 – Requirements Engineering
Password Management Limit login attempts Encrypt your passwords
Prof. Dr. Marc Rennhard Head of Information Security Research Group
Putting It All Together
Putting It All Together
Finding and Fighting the Causes of Insecure Applications
Recall The Team Skills Analyzing the Problem
A Security Review Process for Existing Software Applications
Software Documentation
Roberta Roth, Alan Dennis, and Barbara Haley Wixom
Introduction to Software Testing
Lecture 09:Software Testing
OWASP Application Security Verification Standard 2009
Tour of OWASP’s projects
Fundamental Test Process
Unit 6: Application Development
CSE 303 Concepts and Tools for Software Development
Software Verification, Validation, and Acceptance Testing
Topic 5: Communication and the Internet
Finding and Fighting the Causes of Insecure Applications
OWASP Application Security Verification Standard
Applying Use Cases (Chapters 25,26)
Applying Use Cases (Chapters 25,26)
OWASP Application Security Verification Standard
OWASP Application Security Verification Standard
Presentation transcript:

^ About the

What questions does ASVS answer? How do I know how much trust can be placed in a web application or web service? How do I know what features to build into security controls used by a web application or web service? How do I acquire a web application or web service that is verified to have a certain range in coverage and level of rigor? ? ?

How is the ASVS intended to be used? It can be used to provide a yardstick with which to assess the degree of trust that can be placed in their web applications and services, It can be used to provide guidance to security control developers as to what to build into their commercial products in order to satisfy web application and service security requirements, and It can be used to provide a basis for specifying web application and web service security requirements in contracts.   

What is the status of the ASVS as an OWASP standard? OWASP SoC 08 RFP – March, 2008 ASVS proposal accepted – April, 2008 ASVS Alpha draft released – October, 2008

What does the ASVS look like? “Verification Levels” section “Detailed Verification Requirements” section “Verification Reporting Requirements” section

What are ASVS verification levels?

Earning a level… Security control behavior Is the control designed right? Security control use Is the control used right? Security control implementation Is the control implemented right? Security control verification What do you have to do to verify the control? Documentation How do you have to write it up?

Levels in more detail Level 1 – Automated Verification Level 1A – Dynamic Scans (Partial Automated Verification) Level 1B – Source Code Scans (Partial Automated Verification) Level 2 – Manual Verification Level 2A – Manual Pentesting (Partial Manual Verification) Level 2B – Manual Source Code Review (Partial Manual Verification) Level 3 – Design Verification Level 4 – Internal Verification

Breadth – Number of Requirements Coverage Depth – Level of Rigor No malicious developers The design has to be right The controls have to be right Scan  Breadth – Number of Requirements   

Level 1 in more detail Automated verification of a web application or web service treated as groups of components within single monolithic entity.

Application Security Verification Techniques Find Vulnerabilities Using the Running Application Find Vulnerabilities Using the Source Code Manual Application Penetration Testing Manual Security Code Review Main Point All four techniques are required to perform an efficient and thorough review Teaching Points Automated tools will try 500 signatures for every 5 that a pen tester might try. Maybe the 450th signature is the successful attack Automated feeds the manual process Manual code review feed pen testing, Man pen testing feeds code review Automated code analysis feeds manual code review – limits the LOC that must be manually reviewed ALL 4 techniques feed each other. Examples, Demonstrations, Stories, Notes Note the overlap between manual and automated approaches as the most efficient activities. Automated Application Vulnerability Scanning Automated Static Code Analysis

Tools – At Best 45% MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (695) They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true) Now everyone WANTS to buy a tool that will solve application security for them. Let me start by saying that we have extensive experience with the application security tools on the market. We’ve been hired by four different tool vendors. In fact, we even developed and sold a static analysis engine for Java and .NET bytecode to one of the companies here. But we don’t recommend starting with tools. And actually, neither do the tool vendors. Pretty much everyone agrees that you need to have a process in place that the tools can support. There are two key problems with tools. First is coverage. As you can see here, MITRE has identified about 695 types of security weaknesses. If you put ALL the tools together and add up what they CLAIM to be able to identify, you get about 45% coverage of the space. What’s worse is they don’t even find the right 45% - the ones that are riskiest to your organization. They find the 45% that is most amenable to finding automatically. And the tools simply aren’t smart enough to know what’s allowed and not allowed in your business logic. They can’t find most problems with authentication, authorization, logging, or encryption. The second problem is extracting value from the data. The tools generate lots of data. In a recent customer review we ran Ounce and it generated 15,000 items. We carefully reviewed all of this data and isolated about 20 real findings. This isn’t easy work – you really have to understand application security to do it. Of the 20 findings, 16 were duplicate instances of the same underlying flaw. So after a few days of work we ended up with about 4 real findings, none of which were critical. In that same time, another Aspect engineer on the project identified 13 real vulnerabilities including 2 criticals using code review and penetration testing. We can help you get value from the tools, but you’ll want a team to run the scans, lots of tailoring of signatures, and a process for extracting risks from all the data.

Level 2 Options Level 2A Manual Penetration Test Level 2B Manual Code Review Need BOTH to achieve a full level 2 But requirements can be filled by either

Level 2 in more detail Manual verification of a web application or web service organized into a high-level architecture.

Level 2 Options Level 2A Manual Penetration Test Level 2B Manual Code Review Need BOTH to achieve a full level 2 But requirements can be filled by either

Level 3 in more detail Design verification of a web application or web service organized into a high-level architecture.

Level 4 in more detail Internal verification by searching for malicious code (not malware) and examining how security controls work.

What are ASVS verification requirements? Security architecture verification requirements Security control verification requirements  Security architecture information puts verification results into context and helps testers and reviewers to determine if the verification was accurate and complete?

What are ASVS verification requirements? V1 – Security Architecture Verification Requirements V2 – Access Control Verification Requirements V3 – Authentication Verification Requirements V4 – Session Management Verification Requirements V5 – Input Validation Verification Requirements V6 – Output Encoding/Escaping Verification Requirements V7 – Cryptography Verification Requirements V8 – Error Handling and Logging Verification Requirements V9 – Data Protection Verification Requirements V10 – Communication Security Verification Requirements V11 – HTTP Verification Requirements V12 – Security Configuration Verification Requirements V13 – Malicious Code Search Verification Requirements V14 – Internal Security Verification Requirements

A positive approach Negative Positive The tester shall search for XSS holes Positive The tester shall verify that the application performs input validation and output encoding on all user input

Requirement Summary

What are ASVS reporting requirements? R1 – Report Introduction R2 – Application/Service Description R3 – Application/Service Security Architecture R4 – Verification Results  Is the report sufficiently detailed to make verification repeatable? Does the report have sufficient types of information to allow a reviewer to determine if the verification was accurate and complete? 

Where do I go from here? You can download a copy from the project web page: http://www.owasp.org/index.php/ASVS You can send comments and suggestions for improvement using the project mailing list: See “Mailing List/Subscribe” link on project web page.