
Application Security Testing:

A New Approach

Declan O’Riordan

[email protected]

@DeclanTestingIT

What is Security?

The word ‘security’ originates from Latin ‘securus’

meaning 'free from care'.

Mighty Oaks from Little Acorns Grow

Sir Tim Berners-Lee, Robert Cailliau

HTTP & HTML, first web server, first web browser, first web site, first web editor, World-Wide-Web, URLs & URIs

A New World of Vulnerabilities

Web Browser

Authentication

Authorization

Web Server

Tiered Architecture

Shared / Cloud Hosting

Database

Web browser attacks: XSS, Redirection, HTTP Header Injection, Frame Injection, Request Forgery, JSON Hijacking

Session Fixation, Attacking ActiveX controls, Attacking Local Privacy, Advanced attacks on AJAX, Anti-DNS pinning, Browser exploitation

Attack Access Mechanisms

Exploiting Trust Relationships, Subverting Other Tiers

Attacks Between Applications

Attack the Configuration, Buffer Overflow, Path Traversal, Filter By-Pass, Attack Application Logic, Finding Vulnerabilities in Source Code

Injecting into: Interpreted Languages, SQL & 2nd-Order SQL, O/S Commands, Web Scripting Languages, Remote File Inclusion, Local File Inclusion, SOAP, XPath, SMTP, LDAP

Application Security

Governance & Compliance: COBIT, ITIL, CMMI, ISO 17799, OCTAVE, OSSTMM, ISO 27005, ISO 27033, ISO 27799, ISO 15489, ISO 15408, ISO/IEC 13335, ISO/IEC 22301:2012 & PAS 77, ISO 9000, ISO 27006

Process versus Outcomes

The Verizon Data Breach Investigations Report

2016

Application Security Testing Procedures

The Security Gap: Project Teams versus Security Experts

Project Development and Maintenance

Process Outcomes

Security – There’s a lot of it!

SecDevOps

Agile / DevOps Delivery Pipeline

Testers

Testing Tools

Skills shortage

Complicated, Slow, Inaccurate

Analysis of Black-box Web Vulnerability Scanners

Adam Doupe, Marco Cova, and Giovanni Vigna

University of California, Santa Barbara

Using Web Security Scanners to Detect Vulnerabilities in Web Services

Marco Vieira, Nuno Antunes, and Henrique Madeira

CISUC, Department of Informatics Engineering, University of Coimbra –

Portugal

2015 OWASP Benchmark – 21,000 Security Tests

The Java Metadata Facility

…it seems appropriate to add to the Java programming language a means of associating arbitrary attribute information with particular classes / interfaces / methods / fields. We refer to this mechanism as the Java programming language metadata facility.

Application Performance Monitoring

Performance has shifted RIGHT

Performance Testing using test data loads in test environments

Monitoring real performance in production

Metadata Attribute Testing

Interactive Application Security Testing (IAST)
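The two ideas the deck puts side by side, the "2nd-Order SQL" injection class from the vulnerabilities slide and an IAST sensor that watches the application from the inside while ordinary functional tests run, as one added Python example. This is illustration code written for this page, not the speaker's tool or any vendor's agent: the toy schema, the `register` / `my_notes_*` entry points, the `SinkSensor` wrapper and the payload are all constructed for the example. The sensor wraps the database API the way an agent instruments a data-access layer and reports whenever a value it was told is untrusted appears inside the SQL text rather than in the bound parameters.

```python
"""Added example: second-order SQL injection in a toy app, observed by a
minimal IAST-style sink sensor while a functional test drives the app."""
import sqlite3


class SinkSensor:
    """Wraps a sqlite3 connection the way an IAST agent wraps a data-access API.

    The sensor is told which request values are untrusted (taint()) and then checks
    every statement that reaches the sink: untrusted data inside the SQL *text*
    instead of the bound parameters is reported as an injection finding.
    """

    def __init__(self, conn):
        self._conn = conn
        self.taints = set()
        self.findings = []  # (tainted value, offending SQL text)

    def taint(self, value):
        # A real agent does this automatically for every HTTP parameter, header, etc.
        self.taints.add(value)

    def execute(self, sql, params=()):
        for tainted in self.taints:
            if tainted and tainted in sql:
                self.findings.append((tainted, sql))
        return self._conn.execute(sql, params)

    def executemany(self, sql, seq):
        return self._conn.executemany(sql, seq)


def setup_db():
    """Constructed schema and sample rows for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "alice private"), ("bob", "bob private")],
    )
    return conn


def register(db, username, email):
    """Entry point 1: parameterized, so a first-order injection attempt is stored as plain data."""
    cur = db.execute("INSERT INTO users (username, email) VALUES (?, ?)", (username, email))
    return cur.lastrowid


def my_notes_vulnerable(db, user_id):
    """Entry point 2: trusts the username because it 'came from the database'.

    This is the second-order injection: the payload was neutralized at insert time
    by parameter binding, but is concatenated into SQL when read back."""
    username = db.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    sql = "SELECT body FROM notes WHERE owner = '%s' ORDER BY id" % username
    return [row[0] for row in db.execute(sql)]


def my_notes_fixed(db, user_id):
    """Same lookup, with the stored value bound as a parameter in the second query too."""
    username = db.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    cur = db.execute("SELECT body FROM notes WHERE owner = ? ORDER BY id", (username,))
    return [row[0] for row in cur]


def run_functional_test():
    """Drive the app as an ordinary functional test would; the sensor reports on the side."""
    db = SinkSensor(setup_db())
    payload = "x' OR '1'='1"  # constructed attacker-controlled username
    db.taint(payload)
    uid = register(db, payload, "attacker@example.test")
    leaked = my_notes_vulnerable(db, uid)  # every user's notes come back
    safe = my_notes_fixed(db, uid)         # nothing: no notes are owned by the payload string
    return {"leaked": leaked, "safe": safe, "findings": list(db.findings)}


if __name__ == "__main__":
    result = run_functional_test()
    print("leaked rows:", result["leaked"])
    for tainted, sql in result["findings"]:
        print("IAST finding: untrusted value %r reached SQL text: %s" % (tainted, sql))
```

The functional test never asks "is this secure"; it only registers a user and reads notes. The sensor still produces exactly one finding, against the concatenated query in `my_notes_vulnerable`, and none against the parameterized queries, which is the point of testing from inside the running application rather than guessing payloads from outside. A black-box scanner would have to discover that the stored username is replayed into a later query; the sensor sees it at the sink.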