Agenda • Application Assessments: PABP vs. Penetration Test / Code Review • Introduction to Application Security • Methodology • Case Examples • Conclusions
Application Assessments: PABP vs. Penetration Test / Code Review
Visa CISP PABP • Visa’s CISP PABP (Cardholder Information Security Program, Payment Application Best Practices) • A voluntary compliance program under which a payment application is validated against a set of best practices.
Payment Application Best Practice • What is a Payment Application: PABP applies to any third-party payment application used by a merchant or service provider that is involved in the authorization and settlement of credit or debit card transactions. • What are Best Practices: Recommended practices that software vendors follow to build secure payment applications, so that their customers can comply with CISP / PCI.
Requirements • Do not retain full magnetic stripe or CVV2 data • Protect stored data • Provide secure password features • Log application activity • Develop secure applications • Protect wireless transmissions • Test applications to address vulnerabilities • Facilitate secure network implementation • For Internet-based applications, store cardholder data in internal network only • Facilitate secure remote software updates • Facilitate secure remote access to application • Encrypt sensitive traffic over public networks • Encrypt internal administrative access
Application Penetration Test / Code Review • Application Penetration Test • A thorough security assessment to determine whether an application is vulnerable to application-level attacks, both from external attackers and from malicious authorized users. • Aims to identify as many of the vulnerabilities present in the application as possible. • Code Review • A detailed line-by-line analysis of source code whose goal is to identify coding errors that lead to application vulnerabilities.
PABP Methodology • Interviews and questionnaires completed by client personnel (e.g. developers, support staff, and managers) • Thorough functional and security testing of the application • Review of the application’s operating files, logs, databases, and storage of cardholder information
Code Review Methodology • Buffer overflow conditions • Unintended operation • Dynamic content creation issues • Potential manipulation of variables • Potential acceptance of external scripts or inputs • Failure conditions • Cryptographic weaknesses • Manipulation of back-end services or calls • SQL injection • Command redirection
Tools: Automated vs. Manual • Automated • Fast, especially for large applications • Good at finding low hanging fruit • Easy to use • Somewhat extensible, but increases learning curve • Expensive • Fallible – no human intelligence behind it
Tools: Automated vs. Manual • Manual • Inexpensive • Very extensible – scripts can call other scripts • As intelligent as the human using it • Automated and manual tools are best used in conjunction with one another
Tool Examples • Non Web-based • Insure, Code Wizard, J-Test, Holodeck, BugScan, Filemon, Regmon, APISpy, IDA Pro, SoftICE • Web-based • Wget, Paros, AppScan, WebDetective, SOATest, Burp Suite, WebProxy, FxCop (free from Microsoft), Spike Proxy, Absinthe, Nikto • Combination • Spike, findstr and ildasm, File-Fuzzer (fuzzers in general)
Test Cases • Payment Application Best Practices: • Point of Sale System
Is the data encrypted? No. The transaction record below, as stored by the Point of Sale application, is readable as plaintext. It holds the full PAN, the expiry date and the complete Track 1 and Track 2 magnetic-stripe data, which fails PABP requirement 1 (do not retain full magnetic stripe or CVV2 data) and requirement 2 (protect stored data):
PAYMENT 10027
AUTHAMT 22.50
BATCHAMT 23.79
BATCHTIP 0.00
CARDTYPE VISA
CARD 4227331003328562
EXP 0307
TRACK1 %B4227331003328562^GATES/COURTNEY F.MS^07031011000000397000000?
TRACK2 ;4227331003328562=070310110000397?
REF 138
APPROVED YES
AUTH 012064
INFO E,0001,00,120304,135836,5,094338683164532,K35X
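The check an assessor performs on the record above can be automated over an application's logs, database dumps and storage files (PABP methodology, step 3). The following is an added example written for this page, not code from the slide deck: it looks for Track 1 and Track 2 data and for bare 13-19 digit numbers, keeps only numbers that pass the Luhn check, and maps each finding to the PABP requirement it violates. The sample record is constructed in the layout of the slide's POS record; the PAN is the public Visa test number 4111 1111 1111 1111 (assumed, not a real card), and the INFO line is taken from the slide to show that Luhn validation discards long numbers that are not card numbers.

```python
"""Scan a POS transaction log for cardholder data stored in the clear.

Added example (not from the slide deck): Luhn-validated PAN / track-data
detector of the kind a PABP assessor runs over log and storage files.
"""
import re

# Constructed sample log record, one "FIELD value" pair per line.  The PAN is
# the Visa test number; the INFO line's 15-digit terminal reference is from
# the slide and is NOT a card number (it fails Luhn).
SAMPLE_RECORD = """\
PAYMENT 10027
AUTHAMT 22.50
CARDTYPE VISA
CARD 4111111111111111
EXP 0307
TRACK1 %B4111111111111111^DOE/JANE^07031011000000397000000?
TRACK2 ;4111111111111111=070310110000397?
REF 138
APPROVED YES
AUTH 012064
INFO E,0001,00,120304,135836,5,094338683164532,K35X
"""

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
# Bare PAN candidate: 13-19 digits not adjacent to other digits
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# PABP requirement each kind of finding falls under
REQUIREMENT = {
    "track1": "Req. 1: do not retain full magnetic stripe data",
    "track2": "Req. 1: do not retain full magnetic stripe data",
    "pan": "Req. 2: protect stored data (PAN must be encrypted or truncated)",
}


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits so the report does not re-leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cardholder_data(log_text: str) -> list:
    """Return one finding dict per track record or Luhn-valid PAN found."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        tracks = [("track1", m) for m in TRACK1_RE.finditer(line)]
        tracks += [("track2", m) for m in TRACK2_RE.finditer(line)]
        for kind, m in tracks:
            findings.append({"line": lineno, "kind": kind,
                             "pan": mask_pan(m.group(1)),
                             "requirement": REQUIREMENT[kind]})
        if tracks:
            continue  # the PAN inside the track data is already reported
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group()):
                findings.append({"line": lineno, "kind": "pan",
                                 "pan": mask_pan(m.group()),
                                 "requirement": REQUIREMENT["pan"]})
    return findings


if __name__ == "__main__":
    for f in find_cardholder_data(SAMPLE_RECORD):
        print(f"line {f['line']:>3}  {f['kind']:<6} {f['pan']}  {f['requirement']}")
```

Run against the sample, the scanner reports the CARD line as a stored PAN and the TRACK1 and TRACK2 lines as retained magnetic-stripe data, while the 15-digit reference in the INFO line is dropped because it fails the Luhn check. Point it at real storage by replacing SAMPLE_RECORD with the file contents; PAN lengths other than 16 (Amex 15, Maestro up to 19) are covered by the 13-19 digit range.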
Test Cases • Application Testing • Source Code Review
Performing Text Searches • Search for Hard-Coded Strings • Scan the code for common string patterns such as "key", "secret", "password", "pwd" and "connectionstring". • For example, to search for the string "password" in the Web directory of the application, use the findstr tool from a command prompt as follows: findstr /S /M /I /d:c:\projects\yourweb "password" *.* (/S recurses into subdirectories, /M prints only the names of files that contain a match, /I ignores case, /d: sets the directory to search)
Automating Findstr • Automate Searches for Hard-Coded Strings • Create a text file with the common search strings, one per line. • findstr then reads the search strings from that file. • Run the following command from a directory that contains .aspx files: findstr /N /G:SearchStrings.txt *.aspx (/N prefixes each match with its line number, /G: reads the search strings from the file)
Text searches in binary assemblies • Use findstr together with the ildasm.exe utility to search compiled .NET assemblies for hard-coded strings: ildasm disassembles the assembly to IL text, and every string literal appears as a ldstr instruction. • Example:
Ildasm.exe secureapp.dll /text | findstr ldstr
IL_000c: ldstr "RegisterUser"
IL_0027: ldstr "@userName"
IL_0046: ldstr "@passwordHash"
IL_0065: ldstr "@salt"
IL_008b: ldstr "Exception adding account. "
IL_000e: ldstr "LookupUser"
IL_0027: ldstr "@userName"
IL_007d: ldstr "SHA1"
IL_0097: ldstr "Exeception verifying password. "
IL_0009: ldstr "SHA1"
IL_003e: ldstr "Logon successful: User is authenticated"
IL_0050: ldstr "Invalid username or password"
IL_0001: ldstr "Server=AppServer;database=users; username='sa' password=password"
• The last literal is a database connection string with the sa account and its password compiled into the assembly; the other hits that contain "password" only name the concept and are noise.
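The three findstr steps above (keyword sweep, search strings read from a file, ldstr literals pulled out of ildasm output) share one weakness: a plain substring match on "password" flags "@passwordHash" and "Invalid username or password" just as loudly as the connection string. The following is an added example written for this page, not code from the slide deck: a portable Python equivalent of the three steps plus a second pass that separates literals which merely mention a secret from literals that assign one, masking the value in the report. The .aspx snippet and the search-string list are constructed; the IL lines are those shown on the slide.

```python
"""Hunt for hard-coded secrets in source files and in ildasm output.

Added example (not from the slide deck): keyword sweep (findstr /N /I /G:),
ldstr literal extraction (ildasm /text | findstr ldstr) and a credential
heuristic that ranks the hits.
"""
import re

# Constructed stand-in for SearchStrings.txt (the slide's common string patterns)
SEARCH_STRINGS = ["key", "secret", "password", "pwd", "connectionstring"]

# Constructed .aspx source with one hard-coded connection string (uid/pwd assumed)
SAMPLE_SOURCE = """\
<%@ Page Language="C#" %>
<script runat="server">
    // TODO: move the connection string to web.config
    string connectionString = "Server=AppServer;database=users;uid=sa;pwd=P@ss1";
    void Login(string userName, string password) { /* ... */ }
</script>
"""

# ildasm output lines as shown on the slide (Ildasm.exe secureapp.dll /text | findstr ldstr)
SAMPLE_IL = """\
IL_000c: ldstr "RegisterUser"
IL_0046: ldstr "@passwordHash"
IL_007d: ldstr "SHA1"
IL_0050: ldstr "Invalid username or password"
IL_0001: ldstr "Server=AppServer;database=users; username='sa' password=password"
"""

# One ldstr instruction per line; group 1 is the literal (escaped quotes allowed)
LDSTR_RE = re.compile(r'^\s*IL_[0-9a-f]{4}:\s+ldstr\s+"((?:[^"\\]|\\.)*)"',
                      re.IGNORECASE | re.MULTILINE)

# A literal that assigns a secret rather than just naming one:
#   password=hunter2   pwd = 'x'   Secret: y   key="z"
CREDENTIAL_RE = re.compile(r"(password|pwd|secret|key)\s*[=:]\s*['\"]?([^'\";\s]+)",
                           re.IGNORECASE)


def keyword_hits(text, keywords=SEARCH_STRINGS):
    """findstr /N /I /G:SearchStrings.txt equivalent: (line_no, keyword, line)."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        low = line.lower()
        for kw in keywords:
            if kw in low:
                hits.append((n, kw, line.strip()))
    return hits


def ildasm_strings(il_text):
    """Pull every ldstr literal out of ildasm /text output (findstr ldstr equivalent)."""
    return LDSTR_RE.findall(il_text)


def credential_literals(strings):
    """Keep only strings that look like <secret-word>=<value>, with the value
    masked so the report does not become another copy of the credential."""
    out = []
    for s in strings:
        m = CREDENTIAL_RE.search(s)
        if m:
            out.append((m.group(1).lower(), s[:m.start(2)] + "***" + s[m.end(2):]))
    return out


if __name__ == "__main__":
    print("keyword sweep of source:")
    for n, kw, line in keyword_hits(SAMPLE_SOURCE):
        print(f"  {n}: [{kw}] {line}")
    print("credential-bearing literals in source:")
    for kw, masked in credential_literals(SAMPLE_SOURCE.splitlines()):
        print(f"  [{kw}] {masked.strip()}")
    print("credential-bearing literals in assembly:")
    for kw, masked in credential_literals(ildasm_strings(SAMPLE_IL)):
        print(f"  [{kw}] {masked}")
```

On the slide's IL, the keyword sweep returns three "password" hits but the credential pass returns exactly one: the connection string with the sa password. Treat the credential pass as the triage order, not as a replacement for reading the keyword hits, since a secret split across a concatenation or read from a resource file will only show up in the broader sweep.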