Post on 24-Dec-2015
Web Application Testing with AppScan
Terry Labach
"If you spend more on coffee than on Web application security, you will be hacked. What's more, you deserve to be hacked"
- Richard Clarke, Former White House Advisor on Cyberterrorism and Cybersecurity
2010 | The Sky’s the Limit
Introduction
• What are the issues?
• How can UW support secure Web application development?
• How can involved parties work together?
Outline
• The state of affairs
• Risks and attacks
• AppScan at UW
• AppScan scanning example
• Software engineering for the web
• Questions
Web application security is no longer optional
• UW administration concerned about last IT audit
• IT professionalism now includes security
The old Web
"First we thought the PC was a calculator. Then we found out how to turn numbers into letters with ASCII -- and we thought it was a typewriter. Then we discovered graphics, and we thought it was a television. With the World Wide Web, we've realized it's a brochure."
- Douglas Adams
The new Web
The new Web
• Shopping mall, office, movie theatre, communications hub, self-marketing firm
• We are expected to make more services available on the web
• Financial, medical, personal information increasingly used in web transactions
• Clients interact with our internal systems
Risks on the new Web
Risks
• Theft of personal information
• Identity theft
• Financial losses
• Intellectual Property losses
• Damage to UW's reputation
• Legal requirements to notify breach victims
Vulnerabilities
• Technical
  • OS, server design flaws
• Logical
  • Application logic design flaws
  • Failing to account for malicious/incompetent users
Attacks
• Technical
  • XSS, SQL injection
• Logical
  • Authorization errors
SQL injection
Cross-site scripting
Authentication and authorization errors
Why scan?
• Mimics the approach an attacker would take against the site
• No substitute for proper application development
Scanning methods
• Manual
• Automatic
Scanning methods
• Manual
  • Penetration (“pen”) testing
  • Requires human expert
  • Slow, error-prone
  • Can be insightful
Scanning methods
• Automatic
  • Faster
  • Complete list of tests
  • Not as perceptive as human tester
What scanning can do
• Black box scanning
• Works with any:
  • Language
  • Application server
  • Web server
What scanning can't do
• White box scanning (it can't find source code issues without additional software)
• Can't be integrated early in the development process
• Requires functional web site
IST Web application testing
AppScan
• IBM product
• Selected by IST in 2009 to provide testing services
• IST staff will scan your web application as part of your testing process
• No charge
Preparing your site for testing
• Test instance of application
• Be ready for disaster
• Backups of all code, data
• Allow access to scan server (firewall, .htaccess)
• Method to recreate the web site
The scanning process
• Explore
  • Spider traverses site and learns about structure
• Test
  • Attacks made on site
• Report findings
AppScan demonstration
• IBM provides sample web application to test
  • Altoro Mutual
  • http://demo.testfire.net
  • User: jsmith
  • Password: demo123
Running AppScan
• URL
• Scan wizard
  • Login method
    • Recorded - go through the login process once so the scan can replay it
    • Prompt - record initial location, then enter credentials as needed
    • Automatic - use entered name, password when required
    • None - when authentication not used (or ignored)
  • Test policy
Running AppScan
• Complete scan
  • Full auto scan
  • Auto explore
  • Manual explore (embedded browser)
    • Allows limiting scan to part of site or ensuring it follows a set path
  • Scan later (scheduled)
  • Scan expert
    • Does short scan to evaluate settings
    • May suggest configuration changes
Running AppScan
• Scan results
  • Views
  • Reports
    • Remediation
    • Regulatory
    • OWASP
    • Custom
Thoughts on software engineering for the web
• Basic SE principles still apply
• Development-Test-Production environments
• Use commercial solutions rather than coding your own where reasonable
• Application development must be planned and managed
Thoughts on software engineering for the web
• Add security from the beginning
• Publish only desired files
• Define what good input is and accept only that, rather than trying to strip out bad input
• “Good enough” isn't – the risks are too great
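The allowlist principle on this slide, together with the SQL injection and XSS attack categories named on the "Attacks" slide, shown in working Python. This is an added example, not code from the slides or from AppScan: the username pattern, the in-memory `users` table and the `strip_bad_chars` "before" function are constructed for illustration, and the `jsmith` row simply reuses the demo user name from the Altoro Mutual slide.

```python
import html
import re
import sqlite3

# Allowlist: the exact shape of a "good" username (policy constructed for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(value: str) -> bool:
    """Allowlist check: accept only input matching the pattern we defined as good."""
    return USERNAME_RE.fullmatch(value) is not None


def strip_bad_chars(value: str) -> str:
    """The approach the slide warns against: remove characters we guessed are bad.
    Anything we did not anticipate passes straight through."""
    return value.replace("'", "").replace(";", "")


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, full_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("jsmith", "John Smith"), ("alice", "Alice Example")],
    )
    return conn


def lookup_user(conn: sqlite3.Connection, username: str):
    """Hardened lookup: validate first, then bind the value as a query parameter
    so the database never interprets user input as SQL."""
    if not is_valid_username(username):
        return None
    row = conn.execute(
        "SELECT full_name FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def render_profile(full_name: str) -> str:
    """Output encoding for the XSS case: stored data is HTML-escaped at render time,
    so it is shown as text rather than interpreted as markup."""
    return "<p>Welcome, %s</p>" % html.escape(full_name, quote=True)


if __name__ == "__main__":
    conn = build_demo_db()
    # Compare the two mindsets on a few constructed inputs.
    for candidate in ["jsmith", "john smith", "jsmith'", "jsmith--"]:
        verdict = "accepted" if is_valid_username(candidate) else "rejected"
        print(f"{candidate!r}: allowlist {verdict}; after strip: {strip_bad_chars(candidate)!r}")
    print(render_profile(lookup_user(conn, "jsmith")))
```

The point of pairing the two functions: `strip_bad_chars` leaves `jsmith--` untouched because nobody thought to list `-`, while the allowlist rejects it without anyone having to anticipate it. Parameter binding and output encoding are the matching defences for the two technical attack classes on the "Attacks" slide.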
References
• IBM AppScan
  • http://www.ibm.com/software/awdtools/appscan/standard/
• OWASP
  • http://www.owasp.org
• IST IT Security team
  • http://ist.uwaterloo.ca/security/
• Quotation of the Day
  • http://quotationofthedaylist.blogspot.com/
Questions?