Slide 1: Web Application Testing with AppScan
Terry Labach

Slide 2
"If you spend more on coffee than on Web application security, you will be hacked. What's more, you deserve to be hacked" - Richard Clarke, Former White House Advisor on Cyberterrorism and Cybersecurity
2010 | The Sky’s the Limit

Slide 3: Introduction
- What are the issues?
- How can UW support secure Web application development?
- How can involved parties work together?

Slide 4: Outline
- The state of affairs
- Risks and attacks
- AppScan at UW
- AppScan scanning example
- Software engineering for the web
- Questions

Slide 5: Web application security is no longer optional
- UW administration concerned about last IT audit
- IT professionalism now includes security
Slide 6: The old Web
"First we thought the PC was a calculator. Then we found out how to turn numbers into letters with ASCII -- and we thought it was a typewriter. Then we discovered graphics, and we thought it was a television. With the World Wide Web, we've realized it's a brochure." - Douglas Adams

Slide 7: The new Web

Slide 8: The new Web
- Shopping mall, office, movie theatre, communications hub, self-marketing firm
- We are expected to make more services available on the web
- Financial, medical, personal information increasingly used in web transactions
- Clients interact with our internal systems

Slide 9: Risks on the new Web

Slide 10: Risks
- Theft of personal information
- Identity theft
- Financial losses
- Intellectual property losses
- Damage to UW's reputation
- Legal requirements to notify breach victims

Slide 11: Vulnerabilities
- Technical: OS, server design flaws
- Logical: application logic design flaws
- Failing to account for malicious/incompetent users

Slide 12: Attacks
- Technical: XSS, SQL injection
- Logical: authorization errors
Slide 13: SQL injection

Slide 14: Cross-site scripting

Slide 15: Authentication and authorization errors

Slide 16: Why scan?
- Mimics the attack of the hacker
- No substitute for proper application development

Slide 17: Scanning methods
- Manual
- Automatic

Slide 18: Scanning methods - Manual
- Penetration ("pen") testing
- Requires human expert
- Slow, error-prone
- Can be insightful

Slide 19: Scanning methods - Automatic
- Faster
- Complete list of tests
- Not as perceptive as human tester

Slide 20: What scanning can do
- Black box scanning
- Works with any:
  - Language
  - Application server
  - Web server

Slide 21: What scanning can't do
- White box scanning (can't help with source code issues without additional software)
- Can't be integrated early in the development process
- Requires functional web site
Slide 22: IST Web application testing

Slide 23: AppScan
- IBM product
- Selected by IST in 2009 to provide testing services
- IST staff will scan your web application as part of your testing process
- No charge

Slide 24: Preparing your site for testing
- Test instance of application
- Be ready for disaster
  - Backups of all code, data
  - Method to recreate the web site
- Allow access to scan server (firewall, .htaccess)

Slide 25: The scanning process
- Explore: spider traverses site and learns about structure
- Test: attacks made on site
- Report findings

Slide 26: AppScan demonstration
- IBM provides sample web application to test
- Altoro Mutual: http://demo.testfire.net
- User: jsmith
- Password: demo123

Slide 27: Running AppScan
- URL
- Scan wizard
- Login method
  - Recorded - go through process for scan
  - Prompt - record initial location, then enter as needed
  - Automatic - use entered name, password when required
  - None - when authentication not used (or ignored)
- Test policy
Slide 28: Running AppScan
- Complete scan
  - full auto scan
  - auto explore
  - manual explore (embedded browser): allows limiting scan to part of site or ensuring it follows a set path
  - scan later (scheduled)
  - scan expert: does short scan to evaluate settings; may suggest configuration changes

Slide 29: Running AppScan
- Scan results
  - Views
  - Reports: Remediation, Regulatory, OWASP, Custom

Slide 30: Thoughts on software engineering for the web
- Basic SE principles still apply
- Development-Test-Production environments
- Use commercial solutions rather than coding your own where reasonable
- Application development must be planned and managed

Slide 31: Thoughts on software engineering for the web
- Add security from the beginning
- Publish only desired files
- Define what is good input and limit to that, rather than trying to strip out bad input
- "Good enough" isn't: the risks are too great
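The "define what is good input" point from slide 31, together with the SQL injection attack named on slide 12, as an added example that is not part of the presentation: each field is checked against an allowlist describing what it is defined to be, and the database is then queried with bound parameters so user data is never interpreted as SQL. The field names, patterns and sample table are assumptions made for this example.

```python
import re
import sqlite3

# Allowlist definitions (assumed for this example): say what a valid value
# looks like, and reject anything that does not match, instead of trying to
# strip out known-bad characters.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9]{2,15}$")   # e.g. jsmith
ACCOUNT_ID_RE = re.compile(r"^[0-9]{1,10}$")         # digits only


def validate_username(value: str) -> bool:
    """True only if the value is exactly what a username is defined to be."""
    return bool(USERNAME_RE.fullmatch(value))


def validate_account_id(value: str) -> bool:
    """True only if the value is a plain decimal account number."""
    return bool(ACCOUNT_ID_RE.fullmatch(value))


def lookup_balance(conn, username: str, account_id: str):
    """Validate first, then query with bound parameters (no string formatting).

    Raises ValueError for input outside the allowlist; returns None when no
    matching row exists.
    """
    if not (validate_username(username) and validate_account_id(account_id)):
        raise ValueError("input rejected by allowlist")
    row = conn.execute(
        "SELECT balance FROM accounts WHERE username = ? AND account_id = ?",
        (username, int(account_id)),   # data is bound, never spliced into SQL
    ).fetchone()
    return row[0] if row else None


def demo_db():
    """Constructed in-memory sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, account_id INTEGER, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("jsmith", 800000, 1250.5), ("jdoe", 800001, 42.0)],
    )
    return conn
```

A scanner such as AppScan exercises these parameters with malformed values; with the allowlist in front and bound parameters behind, each such request is rejected or returns nothing rather than changing the query.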
Slide 32: References
- IBM AppScan: http://www.ibm.com/software/awdtools/appscan/standard/
- OWASP: http://www.owasp.org
- IST IT Security team: http://ist.uwaterloo.ca/security/
- Quotation of the Day: http://quotationofthedaylist.blogspot.com/

Slide 33: Questions?