Presentation is loading. Please wait.

Presentation is loading. Please wait.

Engineering Secure Software

Published byEeva-Kaarina Leppänen Modified over 5 years ago

Similar presentations

Presentation on theme: "Engineering Secure Software"— Presentation transcript:

1 Engineering Secure Software
Black Box Testing

2 The Power of Objectivity
Black box testing No knowledge of the source code Cursory knowledge of the architecture and protocols Often performed by a third-party Why limit our own knowledge? Objectivity Different blind spots than the developers Assumptions are closer to attackers Assessment Persuasive to upper management and customers If a naïve tester can get this far, who else can get this far? © Andrew Meneely

3 Exploratory & Penetration Testing
Exploratory testing Scope: entire attack surface Goals Enumerate areas of attack Find that low-hanging fruit Mostly outer defenses Drawback: results not always actionable Penetration testing Scope: small area of the attack surface Goals: Focus intently on a few features Determine exploitability (construct actual exploits) Evaluate defense in depth Drawback: proof by existence lack of vulnerabilities found != lack of vulnerabilities

4 Areas of Expertise Know the environment Know where to look
Networking (webapps, low-level protocols) Operating systems (mobile, desktop, & server) Database management Know where to look “Where there’s smoke, there’s fire” Bug in security feature is often a vulnerability Common assumptions Recognize a potential vulnerability Vague, system error messages Strange behavior Constructing exploits

5 In Practice… Exploratory and penetration testing are done simultaneously Start with exploratory testing Drill down with penetration testing When teams have security problems, they often just hire pen-testers Despite this being the least efficient approach (and too late) Many people confuse security expertise with penetration testing expertise Requires many hours of practice Start with known vulnerabilities How could I have recognized it? Try to construct an exploit for it Build your own tools

6 Exploratory: Fuzz Testing
Goal: Reveal the attack surface Look for candidates of pen-testing Examine how the system reacts, without going too deep Simulate the user Reverse-engineer common behavior Record a normal sequence of operations Identify & modify the inputs Explore beyond common behavior Automate the process Output: Vulnerability candidates Automatically constructing exploits is usually too much work

7 Tools of Exploratory Testing
Web applications HTML viewers & parsers: Firebug, developer tools Automate common operations: Greasemonkey Web client tampering tools Networking Discover local ports: netstat Discover remote ports: nmap Sniff the network: Wireshark, ngrep, tcpdump Operating system Find open file handles: lsof Process tree: ps

8 Tools of Penetration Testing
Reverse engineering Disassembly & Decompilation: IDA-pro, javap, Debuggers: gdb Networking Proxies: for intercepting & tampering traffic Custom fault injectors Password cracking Online guessing Offline cracks Buckets of tools Metasploit: database of specific exploits BackTrack: Linux distribution with tons of tools

9 Before You Start Define what is sensitive Control the environment
Test data: e.g. config files, sensitive records Environment information: e.g. server versions Database schema Control the environment e.g. use your own server Be ready to try different configurations Use virtualization to contain your exploits Ask for the keys To study defense in depth e.g. multiple authorizations to a test system Be ready to dive in… this will take a while

10 Don’t Forget the Feedback!
Transfer your knowledge back to developers Highlight the assumptions that they made Discuss what could have been done to avoid it Don’t just poke holes, help with the mitigation Egos are often bruised, at that point it’s time to help Fix the vulnerability, not block the exploit Focus on process improvement Checklists for future inspections Newly-identified assets Produce tests for similar features

Download ppt "Engineering Secure Software"

Similar presentations

Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Establishing an effective performance testing environment. Gordon McKeown www.facilita.com TMF 2010.

Establishing an effective performance testing environment. Gordon McKeown TMF 2010.
9-Performing Vulnerability Assessments Dr. John P. Abraham Professor UTPA.

9-Performing Vulnerability Assessments Dr. John P. Abraham Professor UTPA.
CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.

CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
09/18/06 1 Software Security Vulnerability Testing in Hostile Environment Herbert H. Thompson James A. Whittaker Florence E. Mottay.

09/18/06 1 Software Security Vulnerability Testing in Hostile Environment Herbert H. Thompson James A. Whittaker Florence E. Mottay.
Web Application Security Assessment and Vulnerability Assessment.

Web Application Security Assessment and Vulnerability Assessment.
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
Sam Cook April 18, 2013. Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.

Sam Cook April 18, Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.
What we are going to talk about? New Version of Canape Released at Ruxcon What is the VMware ESXi management protocol? In Canape: – MitM – Traffic Parsing.

What we are going to talk about? New Version of Canape Released at Ruxcon What is the VMware ESXi management protocol? In Canape: – MitM – Traffic Parsing.
CSCE 548 Code Review. CSCE 548 - Farkas2 Reading This lecture: – McGraw: Chapter 4 – Recommended: Best Practices for Peer Code Review,

CSCE 548 Code Review. CSCE Farkas2 Reading This lecture: – McGraw: Chapter 4 – Recommended: Best Practices for Peer Code Review,
SATAN Presented By Rick Rossano 4/10/00. OUTLINE What is SATAN? Why build it? How it works Capabilities Why use it? Dangers of SATAN Legalities Future.

SATAN Presented By Rick Rossano 4/10/00. OUTLINE What is SATAN? Why build it? How it works Capabilities Why use it? Dangers of SATAN Legalities Future.
Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.

Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.
© 2001 by Carnegie Mellon University SS5 -1 OCTAVE SM Process 5 Background on Vulnerability Evaluations Software Engineering Institute Carnegie Mellon.

© 2001 by Carnegie Mellon University SS5 -1 OCTAVE SM Process 5 Background on Vulnerability Evaluations Software Engineering Institute Carnegie Mellon.
SIGITE 2008: 16-18 Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University.

SIGITE 2008: Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University.

Similar presentations

Ads by Google