
Software Security Testing is Important, Different and Difficult



  1. Software Security Testing is Important, Different and Difficult Review by Rayna Burgess

  2. Overview
     • The Paper Selection
     • Security Testing is Important (Relevant)
     • Security Testing is Different from Functional Testing
     • Security Testing is Difficult
     • Security Engineer’s Tasks
     • Analyzing Security Risks
     • Types of Security Testing
     • Case Study: Java Card
     • Conclusion
     COMP 587 SW V&V Dr. Lingard | Security Testing Review – Rayna Burgess

  3. The Paper: Software Security Testing
     • Gary McGraw, PhD, CTO of Cigital, Inc
     • Series of Articles in IEEE Security & Privacy

  4. Security Testing is Important

  5. Security Testing is Different
     • Malicious attacker
     • Intelligent adversary
     • Vulnerabilities exploited

  6. Aaah! So many vulnerability lists!

  7. McGraw’s Vulnerability Taxonomy

  8. Vulnerability Name Dropping
     • gets() (buffer overflow problem, Morris Worm)
     • Race condition (time of check to time of use)
     • Insecure failure
     • Transitive trust
     • Trampoline
     • Zero-day exploits

  9. SQL Injection Vulnerability

  10. Where are we?
     • The Paper Selection
     • Security Testing is Important (Relevant)
     • Security Testing is Different from Functional Testing
     • Security Testing is Difficult
     • Security Engineer’s Tasks
     • Analyzing Security Risks
     • Types of Security Testing
     • Case Study: Java Card
     • Conclusion

  11. SW Security Engineer’s Tasks

  12. Analyzing Security Risks
     • Think like an attacker
     • A vulnerability in the weakest link can expose the system
     • Requires expertise
     • Can practice/learn on:
        • WebGoat
        • DVWA
        • Hacme Bank

  13. Types of Security Testing
     • Functional security testing
     • Risk-based security testing (hostile attacks)
     • Black box / white box
     • Static / dynamic

  14. Static Security Analysis
     • Risk analysis of design and architecture
     • Static security analysis tools
        • Source code or byte code
        • Good at finding patterns
        • Numerous false positives
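  The slide says pattern-matching tools find things cheaply but produce many false positives. The following is an added illustration, not code from the slides or from McGraw's articles: a minimal pattern-based checker that flags calls to gets() (the Morris Worm overflow from slide 8) in a constructed C snippet, first naively and then after blanking comments and string literals, so the difference in findings shows where the false positives come from.

```python
# Added example: a toy static checker, not a tool from the slides or the paper.
# The C source below is constructed for the illustration.
import re

# Textual pattern for a call to gets(); \b keeps fgets( from matching.
CALL = re.compile(r"\bgets\s*\(")


def naive_findings(source):
    """Return 1-based line numbers of every line containing a gets( call."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if CALL.search(line)]


def strip_comments_and_strings(source):
    """Blank out /* */ comments, // comments and string literals, keeping
    newlines so that line numbers of findings stay valid."""
    def blank(m):
        return "".join("\n" if ch == "\n" else " " for ch in m.group(0))
    pattern = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.S)
    return pattern.sub(blank, source)


def tokenised_findings(source):
    """Same pattern, but only applied to code, not to comments or strings."""
    return naive_findings(strip_comments_and_strings(source))


# Constructed C sample: line 2 mentions gets() in a comment, line 4 inside a
# string literal; only line 9 is a real unbounded write.
SAMPLE = '''\
#include <stdio.h>
/* legacy input: gets(buf) was replaced by fgets below */
int read_name(char *buf, size_t n) {
    puts("never call gets() here");
    if (!fgets(buf, n, stdin)) return -1;
    return 0;
}
int old_read(char *buf) {
    return gets(buf) != NULL;   // real finding: unbounded write
}
'''

if __name__ == "__main__":
    print("naive:", naive_findings(SAMPLE))          # [2, 4, 9]
    print("code only:", tokenised_findings(SAMPLE))  # [9]
```

Even the second pass is still only a pattern: it cannot tell whether the buffer passed to a flagged call is large enough, which is why the slides conclude a human has to triage the output.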

  15. Penetration Testing
     • Performed on a running system
     • Can be used on COTS software too
     • Penetration testing tools
        • Network and OS vulnerability scanners: Nmap, Nessus, Aircrack
        • Automated penetration testing tools: Metasploit, Core Impact, Canvas
        • Other useful tools: fuzzing tools, WebScarab
     • Quality of pen testing depends on the human!

  16. Case Study: Java Card
     • Operating system for smart cards
     • GlobalPlatform (Java Card, MULTOS)
     • Used on bank cards (also SIMs, ID cards, medical)
     • Two types of testing
        • Functional security design tests
        • Risk-based attack tests

  17. Functional Security Testing
     • Tests security functionality
        • Crypto
        • Commands
     • Compliance testing (GALITT 3/2011)
     • All cards passed!

  18. Risk-Based Security Testing (Attacks)
     • Hostile attacks, based on risk assessment
     • All cards failed some part of this testing!
     • Analysis of Java Card design
        • Identify atomic transaction processing as area of interest
        • Consequence is “printing money” (Very High Risk)
     • Put on black hat, don’t follow the rules:
        • Abort, fail to commit, fill buffers, nest transactions
     • Exposes vulnerabilities before cards are issued to the public
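  The slide describes the risk-based tests as rule-breaking sequences against atomic transaction processing: abort, fail to commit, nest transactions. As an added illustration that is not from the slides, the paper or the Java Card API, here is a constructed model of a purse whose balance may only change on commit, plus a harness that replays such sequences and checks the invariant the risk analysis cares about (the balance always equals the last committed value, so no value is created or lost by a half-finished transaction).

```python
# Added example: constructed purse model and test harness, not Java Card code.

class TransactionError(Exception):
    """Raised when a caller breaks the transaction rules."""


class TransactionalPurse:
    """Balance that changes only on commit; abort (or a card tear) restores it."""

    def __init__(self, balance):
        self.balance = balance
        self._snapshot = None          # not None while a transaction is open

    def begin(self):
        if self._snapshot is not None:  # nesting must be refused, not silently merged
            raise TransactionError("nested transaction")
        self._snapshot = self.balance

    def debit(self, amount):
        if self._snapshot is None:
            raise TransactionError("debit outside a transaction")
        if amount < 0 or amount > self.balance:
            raise ValueError("bad amount")
        self.balance -= amount

    def commit(self):
        if self._snapshot is None:
            raise TransactionError("commit without begin")
        self._snapshot = None

    def abort(self):
        if self._snapshot is None:
            raise TransactionError("abort without begin")
        self.balance, self._snapshot = self._snapshot, None

    def power_loss(self):
        """Card tear: an uncommitted transaction is rolled back on next start."""
        if self._snapshot is not None:
            self.abort()


def hostile_sequence(steps, start=100):
    """Replay a rule-breaking script of (method, *args) steps against a fresh
    purse. Returns (final balance, number of refused steps, invariant held)."""
    purse, refused, committed = TransactionalPurse(start), 0, start
    for name, *args in steps:
        try:
            getattr(purse, name)(*args)
            if name == "commit":
                committed = purse.balance      # the only point value may change
        except (TransactionError, ValueError):
            refused += 1
    purse.power_loss()                          # finish with a tear, as a tester would
    return purse.balance, refused, purse.balance == committed
```

A card that merged the nested begin into the outer transaction, or kept a debited balance after a tear, would return an invariant of False here; that is the failure class the slide says every tested card showed somewhere.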

  19. Almost done!
     • The Paper Selection
     • Security Testing is Important (Relevant)
     • Security Testing is Different from Functional Testing
     • Security Testing is Difficult
     • Security Engineer’s Tasks
     • Analyzing Security Risks
     • Types of Security Testing
     • Case Study: Java Card
     • Conclusion

  20. Conclusion: SW Security Testing is…
     • Important
        • More software, more new attacks
        • More functionality, more vulnerabilities
        • Software is everywhere and connected!
     • Different
        • Presence of a malicious, intelligent attacker
        • Software test engineers have different skills
     • Difficult
        • Exploits are subtle
        • Automated static & dynamic tools are insufficient
        • Need a human!

  21. “So now, when we face a choice between adding features and resolving security issues, we need to choose security.” -Bill Gates
