
Page 1: Web Application Testing with AppScan Terry Labach

Web Application Testing with AppScan

Terry Labach

Page 2

"If you spend more on coffee than on Web application security, you will be hacked. What's more, you deserve to be hacked"

- Richard Clarke, Former White House Advisor on Cyberterrorism and Cybersecurity

2010 | The Sky’s the Limit

Page 3

Introduction

• What are the issues?

• How can UW support secure Web application development?

• How can involved parties work together?

Page 4

Outline

• The state of affairs

• Risks and attacks

• AppScan at UW

• AppScan scanning example

• Software engineering for the web

• Questions

Page 5

Web application security is no longer optional

• UW administration concerned about last IT audit

• IT professionalism now includes security

Page 6

The old Web


"First we thought the PC was a calculator. Then we found out how to turn numbers into letters with ASCII -- and we thought it was a typewriter. Then we discovered graphics, and we thought it was a television. With the World Wide Web, we've realized it's a brochure."

- Douglas Adams

Page 7

The new Web

Page 8

The new Web

• Shopping mall, office, movie theatre, communications hub, self-marketing firm

• We are expected to make more services available on the web

• Financial, medical, personal information increasingly used in web transactions

• Clients interact with our internal systems

Page 9

Risks on the new Web

Page 10

Risks

• Theft of personal information

• Identity theft

• Financial losses

• Intellectual Property losses

• Damage to UW's reputation

• Legal requirements to notify breach victims

Page 11

Vulnerabilities

• Technical
  • OS, server design flaws

• Logical
  • Application logic design flaws
  • Failing to account for malicious/incompetent users

Page 12

Attacks

• Technical
  • XSS, SQL injection

• Logical
  • Authorization errors

Page 13

SQL injection

Page 14

Cross-site scripting

Page 15

Authentication and authorization errors

Page 16

Why scan?

• Mimics the attack of the hacker

• No substitute for proper application development

Page 17

Scanning methods

• Manual

• Automatic

Page 18

Scanning methods

• Manual
  • Penetration ("pen") testing
  • Requires human expert
  • Slow, error-prone
  • Can be insightful

Page 19

Scanning methods

• Automatic
  • Faster
  • Complete list of tests
  • Not as perceptive as human tester

Page 20

What scanning can do

• Black box scanning

• Works with any:
  • Language
  • Application server
  • Web server

Page 21

What scanning can't do

• White box scanning (can't help with source code issues without additional software)

• Can't be integrated early in the development process

• Requires functional web site

Page 22

IST Web application testing

Page 23

AppScan


• IBM product

• Selected by IST in 2009 to provide testing services

• IST staff will scan your web application as part of your testing process

• No charge

Page 24

Preparing your site for testing

• Test instance of application

• Be ready for disaster

• Backups of all code, data

• Allow access to scan server (firewall, .htaccess)

• Method to recreate the web site

Page 25

The scanning process

• Explore
  • Spider traverses site and learns about structure

• Test
  • Attacks made on site

• Report findings

Page 26

AppScan demonstration


• IBM provides sample web application to test
  • Altoro Mutual
  • http://demo.testfire.net
  • User: jsmith
  • Password: demo123

Page 27

Running AppScan


• URL

• Scan wizard
  • Login method
    • Recorded - go through process for scan
    • Prompt - record initial location, then enter as needed
    • Automatic - use entered name, password when required
    • None - when authentication not used (or ignored)
  • Test policy

Page 28

Running AppScan


• Complete scan
  • full auto scan
  • auto explore
  • manual explore (embedded browser)
    • allows limiting scan to part of site or ensuring it follows a set path
  • scan later (scheduled)
  • scan expert
    • does short scan to evaluate settings
    • may suggest configuration changes

Page 29

Running AppScan


• Scan results
  • Views
  • Reports
    • Remediation
    • Regulatory
    • OWASP
    • Custom

Page 30

Thoughts on software engineering for the web

• Basic SE principles still apply

• Development-Test-Production environments

• Use commercial solutions rather than coding your own where reasonable

• Application development must be planned and managed

Page 31

Thoughts on software engineering for the web

• Add security from the beginning

• Publish only desired files

• Define what is good input and limit to that, rather than trying to strip out bad input.

• “good enough” isn't – the risks are too great
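The "define what is good input" principle from the bullets above, as an added example that is not part of the talk; the field names, allow-list patterns and the sample form are constructed for illustration, and the deny-list function is included only to show why stripping bad input is weaker:

```python
import re

# Allow-list patterns: each field gets an explicit description of what is
# acceptable input; anything else is rejected.  Field names, patterns and
# the sample form below are constructed for this example, not from the talk.
ALLOWED = {
    "username":    re.compile(r"[A-Za-z0-9_]{3,32}"),
    "account_id":  re.compile(r"[0-9]{1,12}"),
    "postal_code": re.compile(r"[A-Za-z][0-9][A-Za-z] ?[0-9][A-Za-z][0-9]"),
}

def is_valid(field, value):
    """True only when value is a str that fully matches the field's pattern.

    fullmatch() is used deliberately: re.match() with a trailing '$' still
    accepts a value that ends in a newline, so that value would slip through.
    """
    pattern = ALLOWED.get(field)
    if pattern is None or not isinstance(value, str):
        return False                      # unknown fields fail closed
    return pattern.fullmatch(value) is not None

def validate_form(form):
    """Split a submitted form into accepted {field: value} and rejected names."""
    accepted, rejected = {}, []
    for field, value in form.items():
        if is_valid(field, value):
            accepted[field] = value
        else:
            rejected.append(field)
    return accepted, rejected

def strip_bad_token(value):
    """Deny-list approach, for contrast: remove one known-bad token.

    Stripping '<script>' from '<scr<script>ipt>' leaves '<script>', which is
    why the talk advises defining good input instead of removing bad input.
    """
    return re.sub(r"(?i)<script>", "", value)

# Constructed sample submission: three fields with allow-list entries and
# one ("comment") without, which fails closed.
SAMPLE_FORM = {
    "username": "jsmith",
    "account_id": "800000",
    "postal_code": "N2L 3G1",
    "comment": "hello",
}
```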

Page 32

References

• IBM AppScan
  • http://www.ibm.com/software/awdtools/appscan/standard/

• OWASP
  • http://www.owasp.org

• IST IT Security team
  • http://ist.uwaterloo.ca/security/

• Quotation of the Day
  • http://quotationofthedaylist.blogspot.com/

Page 33

Questions?
