Version 02U-1 Computer Security: Art and Science 1
Penetration Testing
by Brad Arkin, Scott Stender and Gary McGraw
Topics
Introduction
Penetration Testing Today
Better Approach
Summary/Conclusion
Introduction
Testing for positives
Security testing: test for negatives
Penetration Testing Today
Attractive late life cycle activity
Too little, too late an attempt to tackle security.
Use of security requirements, abuse cases, security risk knowledge and attack patterns in application design, analysis and testing is missing.
Penetration Testing Today (contd)
Attractive late life cycle activity
Results interpretation
A list of flaws, bugs and vulnerabilities
Doesn’t factor in the time-boxed nature of late life cycle assessments.
Penetration testing as a way to declare victory
Penetration Testing in SDLC
A Better Approach
Base the testing activities on the security findings discovered and tracked from the beginning of the development life cycle.
Structure tests according to perceived risk and offer some kind of metric relating risk measurement to the software’s security posture at the time of the test.
Make use of tools
Use static analysis tools
Use dynamic analysis tools
A Better Approach (contd)
Benefits of tools
Tools can perform the routine work needed for basic software security analysis.
Tool output lends itself to metrics, which software development teams can use to track progress over time.
A Better Approach (contd)
Test more than once
Test at the feature, component, unit and system level
Tests should attempt unauthorized misuse of, and access to, target assets, as well as try to violate any assumptions the system might make relative to its components.
A Better Approach (contd)
Test more than once: component level testing
Use static and dynamic tools uniformly at the component level. The tool design should reflect the security test’s goal: to misuse the component’s assets, violate intercomponent assumptions, or probe risks.
Unit testing breaks system security down into several discrete parts
A Better Approach (contd)
Test more than once: system level testing
System-level testing focuses on identifying intercomponent issues and assessing the security risk inherent at the design level.
– If a component assumes that only trusted components have access to its assets, security testers should structure a test that attempts direct access to that component from elsewhere.
– Focus on aspects of the system that couldn’t be probed during unit testing.
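What "testing for negatives" at the component and system level looks like in code, as an added example that is not from the slides or the authors’ paper. The record-store component, its data, and all names (store_get, principal, RECORDS) are assumptions constructed for the example. The component enforces the owner check itself rather than assuming that only a trusted gateway can reach it, so the test that calls it directly "from elsewhere" is meaningful; each negative test attempts a misuse and passes only if the component refuses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical record-store component (assumed names, not from the slides).
 * It enforces the owner check itself instead of assuming that only a trusted
 * gateway can reach it, so a direct call "from elsewhere" gains nothing. */
enum store_result { STORE_OK = 0, STORE_DENIED = 1, STORE_BADINPUT = 2 };

struct principal { unsigned uid; bool authenticated; };

struct record { const char *id; unsigned owner; const char *body; };

/* Constructed sample data: two records owned by two different users. */
static const struct record RECORDS[] = {
    { "rec-100", 7, "salary data for uid 7" },
    { "rec-200", 9, "medical notes for uid 9" },
};
#define RECORD_COUNT (sizeof RECORDS / sizeof RECORDS[0])
#define RECORD_ID_MAX 16   /* longest record id the component accepts */

/* Unit-level concern: the component validates its own input. The scan is
 * bounded so an unterminated or overlong id cannot make it read too far. */
static bool valid_record_id(const char *id) {
    if (id == NULL) return false;
    size_t n = 0;
    while (n <= RECORD_ID_MAX && id[n] != '\0') n++;
    if (n == 0 || n > RECORD_ID_MAX) return false;
    for (size_t i = 0; i < n; i++) {
        char c = id[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '-';
        if (!ok) return false;
    }
    return true;
}

/* The component's public operation. Unknown ids and other users' ids get the
 * same answer, so a caller cannot enumerate which ids exist. */
enum store_result store_get(const struct principal *who, const char *id,
                            char *out, size_t outlen) {
    if (!valid_record_id(id)) return STORE_BADINPUT;
    if (who == NULL || !who->authenticated) return STORE_DENIED;
    for (size_t i = 0; i < RECORD_COUNT; i++) {
        if (strcmp(RECORDS[i].id, id) != 0) continue;
        if (RECORDS[i].owner != who->uid) return STORE_DENIED;
        if (out != NULL && outlen > 0) {
            strncpy(out, RECORDS[i].body, outlen - 1);
            out[outlen - 1] = '\0';
        }
        return STORE_OK;
    }
    return STORE_DENIED;
}

/* One positive test, then the negatives: each attempts a misuse and passes
 * only if the component refuses. */
bool test_owner_can_read(void) {
    struct principal p = { 7, true };
    char buf[64];
    return store_get(&p, "rec-100", buf, sizeof buf) == STORE_OK
        && strcmp(buf, "salary data for uid 7") == 0;
}
bool test_other_user_denied(void) {          /* misuse of another user's asset */
    struct principal p = { 9, true };
    return store_get(&p, "rec-100", NULL, 0) == STORE_DENIED;
}
bool test_unauthenticated_denied(void) {
    struct principal p = { 7, false };
    return store_get(&p, "rec-100", NULL, 0) == STORE_DENIED;
}
bool test_direct_call_without_principal_denied(void) { /* gateway bypassed entirely */
    return store_get(NULL, "rec-100", NULL, 0) == STORE_DENIED;
}
bool test_unknown_id_denied(void) {
    struct principal p = { 7, true };
    return store_get(&p, "rec-999", NULL, 0) == STORE_DENIED;
}
bool test_malformed_id_rejected(void) {
    struct principal p = { 7, true };
    return store_get(&p, "../rec-100", NULL, 0) == STORE_BADINPUT;
}
bool test_overlong_id_rejected(void) {
    struct principal p = { 7, true };
    char id[RECORD_ID_MAX + 8];
    memset(id, 'a', sizeof id - 1);
    id[sizeof id - 1] = '\0';
    return store_get(&p, id, NULL, 0) == STORE_BADINPUT;
}
```

The design point is that the authorization decision lives inside the component, so the slide’s "only trusted components reach my assets" assumption is not load-bearing; the direct-call and wrong-user tests are the system-level probes, the malformed and overlong ids the unit-level ones, and each is a case an ordinary positive-path suite would never contain.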
A Better Approach (contd): integrate with development life cycle
The most common problem with penetration testing is the failure to identify lessons to be learned and propagate them back into the organization’s SDLC.
Mitigation strategy
Rather than simply fixing identified bugs, developers should perform a root-cause analysis of the identified vulnerabilities.
Developers and architects should devise mitigation strategies to address the identified vulnerabilities and any similar vulnerability in the code base.
– Buffer overflow example
A Better Approach (contd)
Integrate with development life cycle
Use test result information to measure progress against a goal.
Add tests for the mitigated vulnerability to the automated test suites.
Employ iterative security penetration tests.
– Reveals fewer and less severe flaws in the system.
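The buffer overflow example from the mitigation-strategy slide, carried through to the regression tests that the previous slide says belong in the automated suite. This is an added example, not code from the slides or the authors’ paper; the account record, NAME_MAX, and the function names (set_name_vulnerable, copy_bounded, set_name) are all constructed for it. The root-cause response is a single bounded-copy helper that every fixed-size copy in the code base is routed through, rather than patching the one strcpy a test reported.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NAME_MAX 15   /* longest user name the account record stores (assumed) */

struct account {
    char name[NAME_MAX + 1];
    unsigned id;       /* sits right after the buffer; an overflow would reach it */
};

/* BEFORE: the defect as a penetration test would report it. strcpy trusts the
 * caller's length, so a name longer than NAME_MAX writes past a->name. Kept
 * here only to show the finding; the tests below never call it. */
void set_name_vulnerable(struct account *a, const char *name) {
    strcpy(a->name, name);
}

/* Root-cause mitigation: one bounded-copy helper that refuses, rather than
 * silently truncates, any string that does not fit with its terminator.
 * Routing every fixed-size copy in the code base through it addresses the
 * whole class of finding, not just the one reported site. On failure dst is
 * left untouched, and src is never read beyond dstlen bytes. */
bool copy_bounded(char *dst, size_t dstlen, const char *src) {
    if (dst == NULL || src == NULL || dstlen == 0) return false;
    size_t n = 0;
    while (n < dstlen && src[n] != '\0') n++;
    if (n == dstlen) return false;         /* no room for the '\0' */
    memcpy(dst, src, n + 1);
    return true;
}

/* AFTER: the fixed call site. */
bool set_name(struct account *a, const char *name) {
    return copy_bounded(a->name, sizeof a->name, name);
}

/* Regression tests for the automated suite: the finding's input, the exact
 * boundary, and one byte over it. Each also checks the neighbouring field. */
bool regression_overlong_name_rejected(void) {
    struct account a = { "untouched", 1 };
    char payload[200];
    memset(payload, 'A', sizeof payload - 1);
    payload[sizeof payload - 1] = '\0';
    bool accepted = set_name(&a, payload);
    return !accepted && strcmp(a.name, "untouched") == 0 && a.id == 1;
}
bool regression_max_length_accepted(void) {
    struct account a = { "", 2 };
    char exact[NAME_MAX + 1];
    memset(exact, 'b', NAME_MAX);
    exact[NAME_MAX] = '\0';
    return set_name(&a, exact) && strcmp(a.name, exact) == 0 && a.id == 2;
}
bool regression_one_over_rejected(void) {
    struct account a = { "", 3 };
    char over[NAME_MAX + 2];
    memset(over, 'c', NAME_MAX + 1);
    over[NAME_MAX + 1] = '\0';
    return !set_name(&a, over) && a.name[0] == '\0' && a.id == 3;
}
```

Once these tests are in the suite, the metric the slide asks for follows directly: a later iteration of the penetration test should no longer report this class at all, and a new unbounded copy anywhere in the code base is caught by the same helper’s contract rather than by the next assessment.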
Summary
Penetration testing is the most commonly applied mechanism used to measure software security, but it is also the most misapplied. Apply penetration testing at the unit and system level, derive test cases from risk analysis, and incorporate the results back into the development life cycle. Integrate penetration testing into the development process to improve design, implementation and deployment practices.
– Questions/Comments?