App Assessments Reloaded
OWASP Austin Chapter, August 2010
Problems with Security in the SDLC
• Waterfall versus Agile (technical debt)
• Security backlogs, hardening sprints
• Ratcheting is pen-testing for the SDLC
Testing in Prod
• [Almost] never test in production
• Configure a temporary DNS name/IP for the test box
• Run only the test cases that actually require being on the Internet
AppSec Programs & App Assessments
• Don't blindly hire external pen-testers
• Don't blindly follow the maturity models
• Lead with a tool, but make that tool instrumentation
• Not app/code scanners, not manual pen-tests
Start with Instrumentation
• DBI (Pintool, DynamoRIO, IDA + PaiMei/PyDbg)
• Compiler-based (does only gcc support this?)
• Instrumentation is actually a perfect fit for web applications
• Fortify PTA, Aspect Security, Morcilla PHP
TAOSSA (The Art of Software Security Assessment) Code-Audit Strategies
• Instrumentation (code-comprehension strategy CC5) takes care of inputs (filters/validation) and outputs (escaping)
• Candidate-point strategies are mostly taken care of as well
• CC1-4: don't worry about the object-oriented strategies
• Design-generalization (DG) strategies: use OOA&D with patterns, EAI/Web 2.0
Which Apps to Test?
• Don't enumerate or discover web apps
• Locate databases and understand the data
• Find where the data flows to
• Threat-model and refactor to security patterns, then do posture assessments
How to Test Risky Apps
• Do the manual penetration-testing
• Reverse testing
• Tiered testing
• Make somebody else do it for you
Dev-Test and SQE (Quality)
• Leverage any existing test harness
• Outsource to large usability tests
• Company-wide bug-hunt days
Leverage the Test Harness
• Web app: HtmlUnit, Selenium RC, JsTestDriver
• Fat app: test/fake client, corpus distillation
• RESTful apps: SoapUI, unit-testing frameworks
• Continuous-prevention development
Usability Outsourcing
• E.g. Nielsen Norman Group
• Testing intranets
• If you can't do this, then do bug-hunts
• Invite everybody
Bug-Hunts
• Set the ASP.NET session timeout to 1 minute (or 1 million) for the hunt, in web.config (the sessionState element sits under system.web):
  <configuration><system.web><sessionState timeout="1" /></system.web></configuration>
• Red-Gate, Exceptioneer, Lambda Probe, NetLoony, app logs, Ounce Open (O2)
Epic-Fail Guy (EFG) Revisited
• Required static analysis doesn't stop EFG
• OWASP ESAPI doesn't stop EFG
• AppSec training doesn't stop EFG
• They are legion
Static Analysis Tools Suck
• Too expensive in both money and time
• 3k/2wk/app, 30k/yr, 60k/yr
• Security coverage costs 25k/yr
• SATE 2009, ManVsAutoVulnAssessment
Fuzzers and Scanners Suck
• Software Security Testing & Quality Assurance:
• "... the fuzzers found, on average, over 50% more bugs than just running the most effective fuzzer by itself"
• "every 1% of code coverage = finding 1% more bugs"
• Wivet and SQLiBENCH results are still poor
Code Reviews Don't Scale
• Walkthroughs rarely happen, and are rarely useful when they do
• Specs and requirements rarely happen, and are rarely useful when they do
• Code reviews are awesome, though
Pen-Tests Don't Scale
• All pen-tests should include free, automated regressions that can be run from e.g. cron and provided to the business with free support
• The AppSec SaaS companies do this already
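The "Leverage the Test Harness" and "Pen-Tests Don't Scale" slides argue that every pen-test finding should become a free, automated regression living in the team's existing test harness. As an added example that is not from the talk, the Python below turns two constructed findings (made-up ids PT-01 and PT-02, a reflected unescaped parameter and a session cookie set without HttpOnly/Secure) into checks against a constructed in-process WSGI app, keeping the pre-fix version around so the checks prove they still detect the original bugs; a cron wrapper only needs the exit status.

```python
import html
from urllib.parse import parse_qs

def fixed_app(environ, start_response):
    """Constructed target after the fix: output escaping plus cookie flags."""
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Set-Cookie", "sid=1; HttpOnly; Secure")])
    return [f"<h1>Results for {html.escape(q, quote=True)}</h1>".encode()]

def unfixed_app(environ, start_response):
    """Pre-fix version the pen-test reported against; every check must fail here."""
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Set-Cookie", "sid=1")])
    return [f"<h1>Results for {q}</h1>".encode()]

def request(app, path, query=""):
    """Minimal in-process WSGI GET; a real harness aims the same checks at the test box."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], dict(captured["headers"]), body

def check_reflected_xss(app):
    """PT-01 (constructed id): /search reflected the q parameter unescaped."""
    _, _, body = request(app, "/search", "q=%3Ccanary%3E")
    return "<canary>" not in body  # the fixed app renders &lt;canary&gt; instead

def check_cookie_flags(app):
    """PT-02 (constructed id): session cookie was set without HttpOnly and Secure."""
    _, headers, _ = request(app, "/search")
    flags = {f.strip().lower() for f in headers.get("Set-Cookie", "").split(";")}
    return {"httponly", "secure"} <= flags

# One entry per finding in the last pen-test report; new findings get appended here.
REGRESSIONS = {"PT-01": check_reflected_xss, "PT-02": check_cookie_flags}

def run_regressions(app):
    """Finding id -> True while still fixed; a cron wrapper exits non-zero on any False."""
    return {fid: check(app) for fid, check in REGRESSIONS.items()}

if __name__ == "__main__":
    import sys
    results = run_regressions(fixed_app)
    print(results)  # {'PT-01': True, 'PT-02': True}
    sys.exit(0 if all(results.values()) else 1)
```

Pointing `request` at the real test box (via any HTTP client) instead of an in-process app keeps the checks unchanged, which is what makes them cheap enough to hand over with the report.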
Types of Pen-Testing
• Peripheral (mostly point-and-shoot + reports)
• Adversarial (threat-modeling required)
• Still doesn't scale, but pretty cool guy
State of the Art AppSec Risk Management
• Combine methods (SAST+DAST, VA+WAF, etc.)
• ThreadFix, HoneyApps, O2, Aspect Security
• Pen-test specific: the Dradis Framework
• Vendor specific: 360, AMP, Hybrid 2.0
The DevTest Security Analyst
• aka Security Bugfixer, aka "Security Buddy"
• Uses the test harness, HP Test Data Management
• Reads InfoQ, Hacker News, SpotTheVuln
• Stamps out whole classes of security bugs
Info
• @atdre, andreg@gmail.com (active on Google Reader)
• http://www.agilegamedevelopment.com
• http://www.fortify.com/products/fortify-360/ (PTA and RTA)
• http://pintool.org
• The Art of Software Security Assessment (taossa.com)
• Advanced Object-Oriented Analysis and Design Using UML
• http://www.eaipatterns.com
• http://oreilly.com/catalog/9780596514433
• http://www.nngroup.com
• http://www.useit.com/alertbox/outsource_recruiting.html
• http://www.securityacts.com/securityacts02.pdf