OWASPAU08_Session_3_Abighanem


OWASP Asia Pacific Conference 2008
Considerations for application security testing in enterprise projects
Jean-Marie Abighanem
OWASP – Melbourne Chapter President
OWASP
28 February 2008
Deloitte Touche Tohmatsu
Director – Security & Privacy Services
[email protected]
Mobile: 04 3311 8551
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Agenda
- What is an online application?
- Security Testing Scope
- When to test?
- How do you test web applications?
- Regression testing
- Test data
- Defect management
- Finer points for application pen testing
What is an online application?
What can consumers do online these days?

Financial Services
- Pay a bill with Internet Banking
- Buy and sell some shares
- Change your superannuation portfolio allocation
- Choose your health insurer by a search of costs and features

Consumer Business
- Purchase of goods or services from web site at fixed price
- Purchase of goods or services via auction (e.g. ebay)
- Advertising (e.g. trading post)

Telecommunications, Media and Technology
- Sign up for and change mobile phone and internet plans
- Retrieve and pay bills

Transport, Hospitality and Leisure
- Book a flight
- Book a hotel
- Track a flight’s arrival in real-time!

Energy, Mining and Resources
- Retrieve and pay bills

Public Sector
- Lodge your tax return
- Pay a parking fine
- Pay council rates
- Find lost super
What can business do online these days?

Financial Services
- Sell financial products via extranet and brokers

Consumer Business
- Outsource product delivery in real time to a logistics partner

Telecommunications, Media and Technology
- Resell available international bandwidth to third parties

Transport, Hospitality and Leisure
- Modify costs and prices of flights and accommodation in real time

Energy, Mining and Resources
- Tender electronically for the supply of goods and services amongst business partners

Public Sector
- Centralise change of name and address amongst agencies and departments
Security Testing Scope
- State what you will and will not cover, e.g. DoS
- Write it down
- Delineate between functional and security testing
  - authentication
  - authorisation and access control
  - session management
  - input validation
  - etc.
- Define boundaries between web application and supporting infrastructure, e.g. two factor authentication, Active Directory
When to test?
Classic approach to testing:
- Last brick in foundation after building built
- Gatekeeper/rubberstamping role maybe?
At what stage should security testing be done?
- Define
- Design
- Develop
- Deploy
- Maintain
When to test?
[Figure: project-based development timeline with a "TEST HERE?" marker at each stage: Functional Testing, Non-Functional Testing, User Acceptance Testing, Pilot, Pre-Production, Production; followed by the "Thank God it's gone live" party, feature requests, BAU development and BAU testing.]
When to test?
Costs of bug fixing usually go up
[Chart: cost of fixing plotted against SDLC phase (Define, Design, Develop, Deploy, Maintain); the cost rises with each later phase. Source: OWASP Testing Guide v2]
When to test?
Inverse relationship between fixing costs and security testing costs
[Chart: bug fixing cost falls as security testing cost rises.]
How do you test web applications?
Source code reviews:
Pros
- Possibly more complete
- Possibly faster
Cons
- Presumes code availability
- False positives and false negatives
- Cannot find run-time bugs easily
- Requires skilled resources
How do you test web applications?
Application security scanners:
Pros
- Faster
- Provide useful reporting tools
- Good for testing input validation
- Limited skill sets required by tester
Cons
- Limitations around business logic testing, as each application is unique
- False positives
- Only tests what is accessible
How do you test web applications?
Manual penetration testing:
Pros
- Looks at dynamic code
- Tests the code that is actually running
- Can examine business logic
Cons
- Effectiveness depends on skill of tester
- Done at tail end of project
- Only tests what is accessible
How do you test web applications?
All techniques have their place
“…you need a hammer, saw and tape to build a house…neither is more important than the other…imagine a house only built using a hammer?”
[Paraphrasing Jeff Williams, OWASP Chair, http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project]
Regression testing
- Fixing security defects in one area may create defects in other areas
- Test cases should be re-performed when impacted by defect remediation elsewhere in the application
- Discuss with developers what was changed and how
Test data
- Don’t use production data!
  - Privacy implications (NPP #2 and NPP #9 from http://privacy.gov.au/publications/npps01.html)
  - PCI-DSS requirement 6.4 specifically prohibits use of production data in testing
- Use accounts with varying privileges
- Consider use of a test administrator account to do password resets or permission changes during testing
Defect management
- Communicate your assessment of potential likelihood and impact of attack
- Document defects for repeatability
- Let application owner decide the fate of defects
- Record decisions made
- If app already in production, monitor for attacks or pull app
- Restrict access to defect information
Finer points for application pen testing
- Which browser are you using to test?
- Track the application version which was tested
- Use an end-to-end environment for testing
- Vulnerabilities in commercial off the shelf applications (‘COTS’) can be researched
- Customised code usually has the highest frequency of bugs/flaws
- Think outside the box
Questions?