Security Testing: What Testers Can Do


Upload: techwellpresentations

Post on 12-Aug-2015


TRANSCRIPT

Page 1: Security Testing: What Testers Can Do

4/23/15  

1  

Test and Verification Solutions

Security Testing: What Testers Can Do

Delivering Tailored Solutions for Hardware Verification and Software Testing

STAR East - Florida 7th May 2015 Declan O’Riordan

Copyright TVS Limited | Private & Confidential | Page 2

What is driving security?

Firewalls / IDS / IPS based upon pattern-matching ‘known bad’ REGEX

COBIT, ITIL, CMMI, ISO 17799, OCTAVE, OSSTMM
ISO 27005, ISO 27033, ISO 27799, ISO 15489
ISO/IEC 13335, ISO/IEC 22301:2012 & PAS77, ISO 9000, ISO 27006, ISO 15408


Threat growth (Source: Verizon)

2014 - Commercial cyber security spending $46 billion
2013 - 20% more breaches
2012 - 30% higher cost per breach


Why is Application Security important?

Make that 153m accounts /


What is Application Security?

It is NOT building or network security!

84% of attacks target the applications (Source: HP)
90% of sites are vulnerable to application attacks (Source: Watchfire)

1.7% of security budget is spent on Applications. (OWASP 2014)


Reactive Perimeter Defences

 

WWW data is exploding: 2010 = 1.2 zettabytes; 2015 = 7.9 zettabytes; 2020 = 82 zettabytes?

1.2 million variants of malware per day

20%-30% of malware is caught by anti-virus


The Web was not designed to be secure in the beginning; its security features are afterthoughts.

Source: OWASP


‘The’ OWASP Top 10 Web-App Risks


Free Application Security Testing Procedures & Development Guidelines


The Security Testing Lifecycle

Before Development: Review SDLC Process; Review Policy; Review Standards
Definition & Design: Review Requirements; Review Design; Review Models
Development: Review Code; Code Walkthrough; Unit & System Test
Deployment: Penetration Test; Config. Mgt. Review; Unit & System Test; Acceptance Test
Maintenance: Change Verification; Health Checks; Operational Reviews; Regression Tests


Threat Assessment


Compliance with the Standard



Verify 168 security checkpoints


The login screen


Authentication: What can you do now?

• Bad passwords
• Verbose failure messages
• Password change functionality
• Forgotten password functionality
• User impersonation functionality
• Non-unique usernames
• Predictable usernames
• Incomplete validation of credentials


Incomplete validation of credentials

Check that the application validates all password characters in full:

1. Length (is the password silently truncated after a fixed number of characters?)
2. Case (is the comparison case-insensitive?)
3. Unusual characters (are non-alphanumeric characters stripped or ignored before the check?)
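The check above, as an added Python example that is not part of the presentation: a deliberately weak account store (constructed for the example) lower-cases the password, strips non-alphanumerics and keeps only the first eight characters before hashing, while a hardened store hashes the password exactly as given. The tester's probe, probe_incomplete_validation, logs in with the known-good password of a test account and then retries truncated, extended, case-swapped and special-stripped variants; any variant that is accepted marks a part of the password the application is not really validating. The account name, password and normalisation rules are constructed.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

Normaliser = Callable[[str], str]


def legacy_normalise(password: str) -> str:
    """Constructed weak behaviour: lower-case, drop non-alphanumerics and
    keep only the first 8 characters. Everything else is ignored."""
    return "".join(c for c in password.lower() if c.isalnum())[:8]


def full_normalise(password: str) -> str:
    """Correct behaviour: every character, in its original case, counts."""
    return password


class AccountStore:
    """Minimal credential store: salted PBKDF2 over the normalised password."""

    def __init__(self, normalise: Normaliser) -> None:
        self._normalise = normalise
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def _hash(self, password: str, salt: bytes) -> bytes:
        data = self._normalise(password).encode("utf-8")
        return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._hash(password, salt))


def probe_incomplete_validation(verify: Callable[[str, str], bool],
                                username: str, password: str) -> Dict[str, bool]:
    """Tester's check: confirm the correct password works, then try variants
    that should all be rejected. True means the variant was accepted, i.e.
    that part of the password is not being validated."""
    if not verify(username, password):
        raise ValueError("baseline login with the correct password failed")
    variants = {
        "last_char_dropped": password[:-1],          # length / truncation
        "suffix_appended": password + "xyz",         # length / truncation
        "case_swapped": password.swapcase(),         # case
        "specials_stripped": "".join(c for c in password if c.isalnum()),  # unusual chars
    }
    return {name: verify(username, v) for name, v in variants.items() if v != password}


def run_demo() -> Dict[str, Dict[str, bool]]:
    """Constructed test account, probed against both stores."""
    username, password = "tester", "Tr0ub4dor&3!"
    results: Dict[str, Dict[str, bool]] = {}
    for label, normalise in (("legacy", legacy_normalise), ("hardened", full_normalise)):
        store = AccountStore(normalise)
        store.register(username, password)
        results[label] = probe_incomplete_validation(store.verify, username, password)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        accepted = [name for name, ok in outcome.items() if ok]
        print(f"{label}: variants wrongly accepted -> {accepted or 'none'}")
```

To run this against a real login, pass a function that performs the HTTP login for a test account and returns True on success; five attempts in quick succession can trip an account lockout, so space them out or use an account you can unlock.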


Authentication: What may need help?

• Vulnerable credentials transmission
• “Remember me” functionality
• Predictable initial passwords
• Insecure distribution of credentials
• Fail-open login mechanisms
• Multi-stage login defects
• Insecure storage of credentials
• Brute-forcible login (failedlogins=1)

Access controls: What can you do now?

• Completely unprotected functionality
• Direct access to methods
• Identifier-based functions
• Multi-stage functions
• Static files
• Platform mis-configuration
• Insecure access control methods
• Parameter / referer / location-based access control


Completely unprotected functionality

“No one will know that sensitive function / resource URL. It’s secret!”

But URLs appear in logs and browser histories, and are displayed on-screen. They can be emailed, bookmarked, and written down. Attackers find them in client-side JavaScript, brute-force the names / identifiers (telling hits from misses by the response codes: 302, 400, 401, 403 and 500 all reveal that something is there), infer them from published content, and recover them from search engines, web archives, and by leveraging the web server itself.
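The discovery process above, as an added Python example that is not from the presentation: extract_paths mines URL paths out of a constructed JavaScript sample, a short guess list is appended, and forced_browse classifies each response code the way the slide lists them, treating only a 404 as evidence of absence. The JavaScript, the paths and the fake server map are constructed; replace fetch_status with a real HTTP client against a system you are authorised to test.

```python
import re
from typing import Callable, Dict, Iterable, List

# Constructed sample of client-side JavaScript, as pulled from a page source
# or bundled script. Every path in it is invented for the example.
SAMPLE_JS = """
var apiBase = '/api/v1/';
$.get('/admin/exportUsers', renderTable);
fetch("/reports/2015/quarterly.pdf").then(showPdf);
window.location = '/account/impersonate?user=' + uid;
"""

# Quoted string literals that begin with a slash: the usual shape of a
# hard-coded URL path in JavaScript. Query strings are left off the match.
_PATH_RE = re.compile(r"""["']((?:/[\w.\-]+)+/?)""")


def extract_paths(js_source: str) -> List[str]:
    """Pull candidate URL paths out of JavaScript, de-duplicated, in order."""
    found: List[str] = []
    for match in _PATH_RE.finditer(js_source):
        path = match.group(1)
        if path not in found:
            found.append(path)
    return found


def classify(status: int) -> str:
    """Map a response code to what it tells the tester about the resource.
    Only a 404 is evidence of absence; the rest all mean a handler exists."""
    if status == 200:
        return "accessible"
    if status in (301, 302):
        return "exists, redirected (often to login)"
    if status in (401, 403):
        return "exists, access denied"
    if status in (400, 500):
        return "exists, handler reached but errored"
    if status == 404:
        return "not found"
    return f"other ({status})"


def forced_browse(fetch: Callable[[str], int], candidates: Iterable[str]) -> Dict[str, str]:
    """Request each candidate path and record what the status code implies."""
    return {path: classify(fetch(path)) for path in candidates}


# Constructed stand-in for the target web server: path -> status code.
FAKE_SERVER = {
    "/api/v1/": 400,
    "/admin/": 302,
    "/admin/exportUsers": 403,
    "/reports/2015/quarterly.pdf": 200,
    "/account/impersonate": 500,
}


def fetch_status(path: str) -> int:
    """Swap this for a real client (e.g. requests.head(url).status_code)."""
    return FAKE_SERVER.get(path, 404)


def run_demo() -> Dict[str, str]:
    """Paths mined from the JavaScript plus a short guess list."""
    guesses = ["/admin/", "/backup/", "/debug/", "/old/"]
    candidates = extract_paths(SAMPLE_JS)
    candidates += [g for g in guesses if g not in candidates]
    return forced_browse(fetch_status, candidates)


if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(f"{path:32} {verdict}")
```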

Session Management: who does what?

• Disclosure of session tokens in logs
• Vulnerable session termination
• Weak session token generation
• Weak session token handling
• Disclosure of tokens
• Meaningful tokens
• Encrypted tokens
• ECB & CBC ciphers
• Vulnerable token mapping
• Client exposure to token hijacking
• Liberal cookie scope
• Predictable session tokens

 


Meaningful session tokens

HTTP is stateless: each request-response message pair is an independent transaction. Dynamic web-application functionality therefore requires a SESSION to link a user's requests. Typically this is implemented by issuing each user a unique session token, which the user resubmits with every request so the server can link the sequence.

Set-Cookie: ASP.NET_SessionId=75 73 65 72 3d 64 65 63 6c 61 6e 3b 61 70 70 3d 61 64 6d 69 6e 3b 64 61 74 65 3d 30 35 2f 30 37 2f 32 30 31 35

Hex-decoded: user=declan;app=admin;date=05/07/2015


Predictable session tokens

Concealed sequences, weak random number generation, time dependencies.

56543-1424798254115
56544-1424798303925
?
56546-1424798337916

The first component is an incrementing sequence. The second component is the issue time in milliseconds. The missing value was issued to another user and can be predicted / brute-forced within the range of possibilities: its sequence number must be 56545, and its timestamp must lie between 1424798303925 and 1424798337916, a window of about 34 seconds (fewer than 34,000 candidates).
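Both token weaknesses above, as an added Python example that is not from the slides: decode_hex_token turns the ASP.NET_SessionId hex bytes from the Set-Cookie header back into user=declan;app=admin;date=05/07/2015, and encode_hex_token shows how trivially a forged token with a different user is built from the same fields; analyse_sequence_tokens takes the three observed tokens, confirms the first field is an incrementing counter, reads the second as Unix epoch milliseconds, and sizes the brute-force window for the missing token, which candidate_tokens then enumerates. The token values are the ones on the slides; treating the second field as epoch milliseconds and splitting on '-' are assumptions about the format.

```python
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Tuple

# Hex bytes exactly as shown in the Set-Cookie header on the slide.
MEANINGFUL_TOKEN_HEX = (
    "75 73 65 72 3d 64 65 63 6c 61 6e 3b 61 70 70 3d 61 64 6d 69 6e 3b "
    "64 61 74 65 3d 30 35 2f 30 37 2f 32 30 31 35"
)

# The three tokens observed on the "Predictable session tokens" slide,
# in capture order. The missing one between them is what we want to predict.
OBSERVED_TOKENS = ["56543-1424798254115", "56544-1424798303925", "56546-1424798337916"]


def decode_hex_token(token_hex: str) -> Tuple[str, Dict[str, str]]:
    """Hex-decode a token and split it into key=value fields if it has them."""
    text = bytes.fromhex(token_hex.replace(" ", "")).decode("ascii", errors="replace")
    fields = dict(part.split("=", 1) for part in text.split(";") if "=" in part)
    return text, fields


def encode_hex_token(fields: Dict[str, str]) -> str:
    """Rebuild a token from its fields: this is all a forger needs."""
    return ";".join(f"{k}={v}" for k, v in fields.items()).encode("ascii").hex()


def analyse_sequence_tokens(tokens: List[str]) -> Dict[str, object]:
    """Split seq-millis tokens, check the counter is strictly increasing,
    read the timestamp as epoch milliseconds (assumed format), and list
    every gap in the sequence with the size of its brute-force window."""
    parts = [tuple(int(x) for x in t.split("-")) for t in tokens]
    seqs = [s for s, _ in parts]
    gaps: List[Dict[str, int]] = []
    for (s0, t0), (s1, t1) in zip(parts, parts[1:]):
        for missing in range(s0 + 1, s1):
            gaps.append({"seq": missing, "after_ms": t0, "before_ms": t1,
                         "candidates": t1 - t0 - 1})
    first = datetime.fromtimestamp(parts[0][1] / 1000, tz=timezone.utc)
    return {
        "monotonic": seqs == sorted(seqs) and len(set(seqs)) == len(seqs),
        "first_issued_utc": first.isoformat(),
        "gaps": gaps,
    }


def candidate_tokens(gap: Dict[str, int]) -> Iterator[str]:
    """Every token the missing user could have been issued, in order."""
    for ms in range(gap["after_ms"] + 1, gap["before_ms"]):
        yield f"{gap['seq']}-{ms}"


if __name__ == "__main__":
    text, fields = decode_hex_token(MEANINGFUL_TOKEN_HEX)
    print("decoded :", text)
    fields["user"] = "admin"
    print("forged  :", encode_hex_token(fields))
    report = analyse_sequence_tokens(OBSERVED_TOKENS)
    print("first issued:", report["first_issued_utc"], "monotonic:", report["monotonic"])
    for gap in report["gaps"]:
        print(f"missing seq {gap['seq']}: {gap['candidates']} candidate timestamps")
```

A real brute-force would submit each candidate as the session cookie and watch for a response that is not the login page; at roughly 34,000 requests the window is small enough to exhaust in minutes, which is the point the slide makes.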


Make efficient use of experts & tools

 


What Testers can do


• Security skills are within the project team capability
• Recognize which security tests you can do now
• Effectively manage the experts who are helping you