Web Application Security Testing Automation
TRANSCRIPT
Copyright © 2008 Deloitte Touche Tohmatsu. All rights reserved. 2
Agenda
• What types of automated testing are there?
• What does web application security assessment comprise?
• How much can tools help?
• Where is it best to use these tools?
When can you test?
[Diagram: project lifecycle with a “TEST HERE?” marker against every phase]
• Project Based Development
• Functional Testing
• Non-Functional Testing
• Performance & Volume Testing
• User Acceptance Testing
• Pilot / Pre Production / Production
• “Thank God it’s gone live” party
• Feature requests
• BAU development
• BAU testing
What types of automated testing are there?
• Raw Source Code Review
• Get the code and use software configured with rules to find exceptions and investigate them
[Diagram] Source Code + Rules -> Analysis -> Raw Results (means something to a developer) -> Human review -> Findings (means something to a project manager)
Source: Secure Programming with Static Analysis, Chess & West
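An added illustration of the pipeline in the diagram (source code plus rules, analysis, raw results, human review, findings); this is not code from the slides or from Chess & West. The sample source, the rule patterns, the severities and the rejected false positive are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample source under review (assumed Python web code, not from the slides).
SAMPLE_SOURCE = '''def get_user(db, uid):
    return db.execute("SELECT * FROM users WHERE id = " + uid)
def render(name):
    return "<p>" + name + "</p>"
def run(cmd):
    return eval(cmd)
'''

# Rules: (id, category, severity, pattern). The analysis stage only applies them.
RULES = [
    ("sql-concat", "Input Validation", "high", re.compile(r'execute\(\s*"[^"]*"\s*\+')),
    ("html-concat", "Cross-site scripting", "medium", re.compile(r'"<[^"]*>"\s*\+')),
    ("eval-call", "Input Validation", "high", re.compile(r'\beval\(')),
]
RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class RawResult:  # one rule hit at one line: means something to a developer
    rule: str
    category: str
    severity: str
    line_no: int
    text: str

def analyse(source, rules=RULES):
    """Source code + rules -> raw results, one per rule hit per line."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for rule, cat, sev, pattern in rules:
            if pattern.search(line):
                hits.append(RawResult(rule, cat, sev, no, line.strip()))
    return hits

def review(raw, false_positives=()):
    """Human review: drop the (rule, line_no) pairs a reviewer has rejected."""
    return [r for r in raw if (r.rule, r.line_no) not in false_positives]

def findings(reviewed):
    """Findings: per-category count and worst severity, for a project manager."""
    summary = {}
    for r in reviewed:
        entry = summary.setdefault(r.category, {"count": 0, "worst": "low"})
        entry["count"] += 1
        if RANK[r.severity] > RANK[entry["worst"]]:
            entry["worst"] = r.severity
    return summary
```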
What types of automated testing are there?
• Integration into development environment
• Static analysis as you go
• Write some code, push to webserver, do some “black box testing”
• Hmm, what’s the first thing the developer will skip when he is under pressure to ship code?
What types of automated testing are there?
• Integration into test software
• Get some test data
• Capture some UAT test scripts
• Run those UAT scripts
• Use those test scripts to do some “black box” testing
• Try and persuade a developer that the defect is a defect
• Try and find some project managers to agree who is to pay to fix the defect
• Don’t expect your UAT test team to do security testing; they are usually lovely people, as they deal with the business
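An added example of the test-integrated approach just described, not code from the slides: a captured UAT step is replayed as-is, then each captured parameter is swapped in turn for a different kind of input so the functional script doubles as a black-box validation check. The application under test, the UAT step and the variant values are all constructed stand-ins.

```python
import json

# Constructed UAT script: one captured functional step (not from the slides).
UAT_SCRIPT = json.loads('''[
  {"name": "update profile", "path": "/profile", "method": "POST",
   "params": {"display_name": "Alice", "age": "34"}, "expect_status": 200}
]''')

# Assumed stand-in for the application under test: an in-process handler.
def app_under_test(path, method, params):
    if path == "/profile" and method == "POST":
        if not params.get("age", "").isdigit():
            return 400, "age must be numeric"          # validated input
        name = params.get("display_name", "")
        if len(name) > 64:
            raise RuntimeError("db column overflow")   # unhandled: client sees 500
        return 200, "<p>Welcome " + name + "</p>"      # reflected without escaping
    return 404, "not found"

def call(path, method, params):
    try:  # an unhandled exception is what a client sees as a 500
        return app_under_test(path, method, params)
    except Exception as exc:
        return 500, str(exc)

# Replacement values tried in each captured parameter, one field at a time, so
# every other parameter keeps its UAT value and the step reaches the same code.
VARIANTS = {"long": "A" * 200, "markup": "<b>x</b>", "quote": "O'Brien"}

def security_variants(step):
    for field in step["params"]:
        for label, value in VARIANTS.items():
            yield field, label, dict(step["params"], **{field: value})

def run_step(step):
    """Replay the UAT step as captured, then its variants; return defects."""
    defects = []
    status, _ = call(step["path"], step["method"], step["params"])
    if status != step["expect_status"]:
        defects.append(("functional", "unexpected status %d" % status))
    for field, label, params in security_variants(step):
        status, body = call(step["path"], step["method"], params)
        check = "%s:%s:%s" % (step["name"], field, label)
        if status >= 500:
            defects.append((check, "server error"))          # validation gap
        elif label == "markup" and VARIANTS["markup"] in body:
            defects.append((check, "unescaped reflection"))   # XSS candidate
    return defects
```

A real run would point `call` at the test environment over HTTP and feed it every captured step rather than the single constructed one.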
What types of automated testing are there?
• Assessment from network
• It’s ready to go, let’s do a final check…
• With some test data walk the application logic, ALL of the application logic
• Scan away
• Try and read the report before the project goes live
• Try and find a developer to educate?
What types of automated testing are there?
• Fuzzing
• Aka “I’ve run out of ideas, let’s just bash away until something weird happens with input validation or business logic”
What types of automated testing are there?
Method: Source Code Review
  Pros: Can be done at any time during/after development
  Cons: Access to source code required, think contractuals
Method: Development Environment Integrated
  Pros: Can be leveraged by the developer to help educate them.
  Cons: Can only be done during development
Method: Test Environment Integrated
  Pros: Testing is when most test data is hopefully available
  Cons: Can only be done during testing. If you find a major input validation problem during test you will have to repeat UAT testing!
Method: From Network
  Pros: Can be done at any time
  Cons: Can cause a Denial of Service to the application
Method: Fuzzing
  Cons: Application has to be operational. Can be slow over the internet
What does the testing comprise?
Web Application Security Assessment: Typical Breakdown of Effort
[Pie chart] Authentication 13%, Session Management 13%, Input Validation 25%, Business Logic 49%
There is a lot of manual testing involved in web application security testing.
The majority of findings are related to poor implementation of role based access controls and “business logic flows”. Hence most effort is directed towards business logic testing.
What are we looking for?
[Bar chart: % of tested Web Applications susceptible to vulnerability (0% to 70%) for: unvalidated parameters, broken access control, broken authentication & session mgmt, cross-site scripting, buffer overflows, command injection, vulnerable error handling, insecure cryptography, remote admin, server misconfiguration]
Incidence of 10 common web application vulnerabilities in applications recently tested by Deloitte in the UK. (Vulnerability classifications defined by the Open Web Application Security Project – www.owasp.org)
How web application scanners work
• Thankfully stolen from http://www.blackhat.com/presentations/win-usa-04/bh-win-04-grossman/bh-win-04-grossman-up.pdf
Challenges of automated scanning
• Requirement for test data due to multi-page sequences
• Dynamically produced content
• Single Sign On/Identity Management/NTLM/Kerberos wackiness
• Client side code (bad architect, bad architect!)
• Non standard error messages (good developer!)
• Denial of Service to application, email system, network monitoring etc.
• Anti-automation
How much can tools help?
[Chart: Reduction in Effort, Manual vs Automated, for Authentication, Session Management and Input Validation; y-axis 0 to 120]
• Some aspects of testing can be automated and reduce effort
• Other aspects of testing are improved by automation through a reduction in human errors
How good are they at finding defects?
• A1 - XSS
• A2 - Injection Flaws
• A3 - Malicious File Execution
• A4 - Insecure Direct Object Reference
• A5 - CSRF
• A6 - Information leakage and improper error handling
• A7 - Broken Authentication and Session Management
• A8 - Insecure cryptographic storage
• A9 - Insecure communications
• A10 - Failure to restrict URL access
Stolen with thanks from http://jeremiahgrossman.blogspot.com/2007/05/web-application-scan-o-meter.html
Where to use?
Method: Source Code Review
  A good situation to use: Outsourced project development; BAU development
Method: Development Environment Integrated
  A good situation to use: Education of BAU developers?
Method: Test Environment Integrated
  A good situation to use: Hmmm?
Method: From Network
  A good situation to use: Scanning masses of brochure-ware sites for poor input validation and problems like XSS and SQL injection.
Method: Fuzzing
  A good situation to use: Vulnerability research
Manual and Automated Testing complement each other
Method: Manual
  Pros: Picks up business logic flaws. Flexible in the face of an unfinished/unreliable application or test environment
  Cons: Sample based approach may miss instances of “low hanging fruit”.
Method: Automated
  Pros: Checks for boring vulnerabilities so you don’t have to (e.g. information disclosure, backups of files, XSS); these can be done more efficiently and comprehensively
  Cons: Doesn’t pick up the really important business logic flaws. Inflexible if the application is not completed.
Conclusion
• Of the automated tools, source code review tools are most flexible as they can be used at any point in the development cycle
• Manual testing and automated testing complement each other