Session H5
Application Security Testing: How to Get the Results You Need

Tuesday, March 10th, 2009, 9:45am

Rafal M. Los
Sr. Web Security Specialist – HP/ASC

© HP Application Security Center 2009
Key Points

   • Understanding the need for security testing
   • The case for negative-testing
   • Static vs. Dynamic application testing
   • Security testing browser-based applications
   • Arming yourself (tools & knowledge)
   • Piecing it all together

Understanding the Need for Security Testing

Asking the big question
   • Question:
       • Why do businesses need to spend time, money and resources on additional testing measures to check the security of their web applications?
   • Obvious answer:
       • Hackers are out to get you – your data and your customers are subject to hijack and theft!

Understanding the Need for Security Testing

A Business Perspective
   External compliance requirement
    • PCI – Payment Card Industry standard

   Internal compliance requirement
    • Corporate data privacy standards

   Mission-critical web-based applications
    • Web applications that drive your business

   Critical data in web-based applications
    • Cardholder data, patient records, personal information

   Company’s online brand is important
    • Defacements and hijacks repel current and future customers



Understanding the Need for Security Testing

More to the point

Hackers have clear goals…
   • Your systems
       • Use your systems to launch attacks
       • Host spam relays, distribute malware
   • Your data
       • Databases contain payment information, customer data
       • Can you identify all data in your applications?
   • Your customers’ clicks
       • Distribute adware/trojan-ware to your customers
       • The case of BusinessWeek.com: http://cyberinsecure.com/businessweek-online-content-hit-by-sql-injection/
   • Your good reputation
       • Industrial sabotage is real
       • Users trust your websites… right? Remember Egghead.com?

Understanding the Need for Security Testing

Internal Challenges
   • Lack of “Security” in SDLC
       • PMs – Requirements
       • Developers – Code
       • QA – Quality
       • Auditors?
   • “Semi-Custom” Apps
       • 3rd party developed application
       • Custom integrations to internal and external systems
   • Legacy Systems
       • Systems developed before security concerns
       • Mainframe over HTTP?

The Case for Negative-Testing

Let’s define Quality Assurance
   • Quality Assurance defined
       • Quality assurance, or QA for short, refers to planned and systematic production processes that provide confidence in a product's suitability for its intended purpose. It is a set of activities intended to ensure that products (goods and/or services) satisfy customer requirements in a systematic, reliable fashion. (Wikipedia)

The Case for Negative-Testing

Breaking down quality
   • Quality assurance is incomplete
       • Perform only positive-testing
       • Test only “good” data the system is known to accept
       • Tests only proper use of the system or application
       • “Why would anyone want to purposely mis-use the system?”
   • No account for malicious users
       • 999,999 buyers and a single hacker
       • The resource exhaustion example (1 hacker, total DoS)
       • QA does not try to disprove hypothesis (like in science)
       • Only attempts to prove positive
   • Quality assurance must embrace security
       • 3 Pillars of Quality
       • Does it function?
       • Does it perform?
       • Is it secure?

The Case for Negative-Testing

Negative Testing is Critical
   • How does the application behave in adversity?
       • Test the application against known possible attacks
       • Attack vectors such as hacking, DoS, DDoS, and more
   • Intentional mis-use
       • Test against malicious use-cases
       • Testers must have a library of known attack data
   • Unintended functionality
       • Test for unintended functionality in the application
       • Test for logic flaws, race conditions, others

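To make the positive-versus-negative distinction of the last two slides concrete, here is an added example (not code from the slides or from HP/ASC): a constructed checkout handler, the positive suite QA would normally write for it, a small library of mis-use cases, and the same handler after those cases became part of the definition of done. The handler, the business rule (at most 10 units per order), the account model and every test value are assumptions made for illustration.

```python
"""Positive-only QA versus negative (security) testing of a checkout handler.

Added example, not code from the original slides or from HP/ASC. The
handler, the business rule (max 10 units per order), the account model
and the attack library are all constructed for illustration.
"""
from dataclasses import dataclass, field

CATALOG = {"widget": 25}      # constructed: SKU -> unit price in whole dollars
MAX_QTY_PER_ORDER = 10        # constructed business rule the positive tests exercise


class OrderRejected(Exception):
    """Controlled failure: the caller gets a clean error, not a stack trace."""


@dataclass
class Account:
    balance: int
    orders: list = field(default_factory=list)


def checkout_naive(account, sku, qty):
    """Handler as a positive-only QA suite would leave it.

    Every 'good' input works: a known SKU, a quantity of 1..10, enough money.
    Nothing here considers a user who sends what the order form never would.
    """
    total = CATALOG[sku] * qty             # unknown SKU -> unhandled KeyError
    if total > account.balance:
        raise OrderRejected("insufficient funds")
    account.balance -= total               # negative qty -> balance goes UP
    account.orders.append((sku, qty))      # qty 0 -> order recorded, nothing charged
    return total


def checkout_hardened(account, sku, qty):
    """Same handler after the negative cases became part of the requirement."""
    if sku not in CATALOG:
        raise OrderRejected("unknown sku")
    if type(qty) is not int or not 1 <= qty <= MAX_QTY_PER_ORDER:
        raise OrderRejected("quantity out of range")
    total = CATALOG[sku] * qty
    if total > account.balance:
        raise OrderRejected("insufficient funds")
    account.balance -= total
    account.orders.append((sku, qty))
    return total


# Positive cases: data the system is known to accept.
# Each case: (name, sku, qty, starting balance, expected balance afterwards).
POSITIVE_CASES = [
    ("single item", "widget", 1, 100, 75),
    ("max allowed quantity", "widget", 10, 300, 50),
]

# Negative cases: the attack library. Each is intentional mis-use; the handler
# must reject it with OrderRejected and leave the account untouched.
NEGATIVE_CASES = [
    ("negative quantity (refund logic flaw)", "widget", -4, 100),
    ("zero quantity (free order record)", "widget", 0, 100),
    ("over the per-order limit", "widget", 10_000, 10**9),
    ("quantity as string (type confusion)", "widget", "3", 100),
    ("unknown sku (unhandled exception)", "gadget", 1, 100),
]


def run_positive(handler):
    """Return {case name: True/False} for the positive suite."""
    results = {}
    for name, sku, qty, balance, expected in POSITIVE_CASES:
        acct = Account(balance)
        try:
            handler(acct, sku, qty)
            results[name] = acct.balance == expected and acct.orders == [(sku, qty)]
        except Exception:
            results[name] = False
    return results


def run_negative(handler):
    """Return {case name: True/False}; True means the mis-use was cleanly rejected."""
    results = {}
    for name, sku, qty, balance in NEGATIVE_CASES:
        acct = Account(balance)
        try:
            handler(acct, sku, qty)
            results[name] = False          # accepted something it should not have
        except OrderRejected:
            results[name] = acct.balance == balance and acct.orders == []
        except Exception:
            results[name] = False          # crashed: an unhandled error is also a finding
    return results


if __name__ == "__main__":
    for label, handler in (("naive", checkout_naive), ("hardened", checkout_hardened)):
        print(label, "positive:", run_positive(handler))
        print(label, "negative:", run_negative(handler))
```

Both handlers pass the positive suite; only the negative suite separates them, which is the slide's point about QA proving the positive and never trying to disprove it.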
Building a Business Case

Putting the pieces together
   • You now understand the need → why?
       • Web applications must be resilient to attacks
       • Attacks are a fact of life and business
   • You now understand the requirement → what?
       • QA is inadequate as-is
       • Negative testing (security testing) must be added
   • You must now learn the methods → how?
       • What are the basics of negative-testing?
       • What are the challenges of proper execution?

Static vs. Dynamic Application Testing

Differing testing methods
   • Static Analysis → execution path analysis
       • Typically through source code analysis
       • Testing without actual data
       • Analyze all possible execution branches of code
   • Dynamic Analysis → data-driven analysis
       • Typically through black-box testing tools
       • Testing with pre-defined test data sets
       • Analyze behavior when different data sets are used
   • Key point → Each of these is incomplete…
       • Why?

Static vs. Dynamic Application Testing

Clearly we need both

                 Dynamic                                      Static
  Pros    Lower false-positive rate                   Absolutely complete analysis
          Well-established testing tools              Identify the issues directly in source code
          Ability to execute layered testing          Pre-defined patterns identified in source
  Cons    Incomplete (impossible to guess             Potential for many false-positives
            whole of data set)
          Cannot point to source-code where           Extremely resource intensive analysis
            errors exist
          Prone to inconsistency issues               Inability to contextualize issues

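An added example (not code from the slides or from HP/ASC) that runs a pattern-based static check and a data-driven dynamic check over the same constructed query builder, so the pros and cons in the table above can be seen side by side. The target module, the static rule, the canary value and the data sets are all assumptions made for illustration; the target only builds SQL strings and nothing is ever executed against a database.

```python
"""Static (pattern-over-source) versus dynamic (data-driven) analysis.

Added example, not code from the slides or from HP/ASC. The target module,
the static rule, the canary value and the test data sets are constructed for
illustration. The target only builds SQL text; nothing is ever executed.
"""
import ast

# Constructed target under test: one parameterised path, one rarely used
# legacy branch that splices a value into the SQL text.
TARGET_SOURCE = '''
TABLE = "orders"

def safe_sql(order_id):
    # placeholder: the value never touches the SQL text
    return "SELECT * FROM " + TABLE + " WHERE id = ?", (order_id,)

def find_orders(customer, sort="date"):
    if sort == "legacy":
        # rarely used branch: the customer name is spliced into the query
        return "SELECT * FROM " + TABLE + " WHERE cust = '" + customer + "'", ()
    return "SELECT * FROM " + TABLE + " WHERE cust = ? ORDER BY date", (customer,)
'''


def _flatten_add(node, out):
    """Collect the operands of an a + b + c chain in left-to-right order."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        _flatten_add(node.left, out)
        _flatten_add(node.right, out)
    else:
        out.append(node)


def static_findings(source):
    """Pre-defined pattern: SQL text built by concatenating a variable.

    Sees every branch, including the legacy one, but cannot tell the constant
    TABLE from user input, so it also reports the two safe lines.
    Returns [(line number, sorted variable names)] for each flagged chain.
    """
    tree = ast.parse(source)
    reported = set()
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add)):
            continue
        if id(node) in reported:
            continue                     # inner part of a chain already reported
        parts = []
        _flatten_add(node, parts)
        for inner in ast.walk(node):
            if isinstance(inner, ast.BinOp):
                reported.add(id(inner))
        has_sql = any(isinstance(p, ast.Constant) and isinstance(p.value, str)
                      and "SELECT" in p.value.upper() for p in parts)
        names = sorted({p.id for p in parts if isinstance(p, ast.Name)})
        if has_sql and names:
            findings.append((node.lineno, names))
    return sorted(findings)


# An ordinary value containing a quote. If it shows up verbatim in the SQL
# text, the query is being built by splicing rather than parameterised.
CANARY = "O'Brien"

# Pre-defined data sets: (function to call, keyword arguments).
BASELINE_DATA = [
    ("safe_sql", {"order_id": CANARY}),
    ("find_orders", {"customer": CANARY}),
]
EXTENDED_DATA = BASELINE_DATA + [
    ("find_orders", {"customer": CANARY, "sort": "legacy"}),
]


def dynamic_findings(source, data_set):
    """Run the target with each data set entry and watch what it builds.

    No false positive on the TABLE constant, but a branch the data set never
    reaches is never examined: BASELINE_DATA misses the legacy path entirely.
    Returns the names of functions that spliced the canary into SQL text.
    """
    namespace = {}
    exec(source, namespace)              # loads the constructed target module
    flagged = []
    for func_name, kwargs in data_set:
        sql_text, _params = namespace[func_name](**kwargs)
        if CANARY in sql_text and func_name not in flagged:
            flagged.append(func_name)
    return flagged


if __name__ == "__main__":
    print("static :", static_findings(TARGET_SOURCE))
    print("dynamic (baseline):", dynamic_findings(TARGET_SOURCE, BASELINE_DATA))
    print("dynamic (extended):", dynamic_findings(TARGET_SOURCE, EXTENDED_DATA))
```

The static pass reports three chains, two of them false positives on the TABLE constant; the dynamic pass reports nothing until the data set happens to include the legacy branch, which is exactly the "complete but noisy" versus "precise but data-bound" trade-off the table describes.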
Security Testing Browser-Based Applications

Think outside the browser
   • Hackers rarely limit themselves to a browser
       • Testing requires analyzing the application at a lower-level

Think like a hacker… (the slide's diagram surrounds this with the layers to examine)
   • Input sanitization and client-data handling
   • Authentication systems
   • Session & state management
   • Database queries and information stores
   • 3rd party systems integration

Security Testing Browser-Based Applications

Testing with tools
When is automation appropriate?
   • Tools have limitations
       • A tools-based approach is confined to matching patterns
       • Tools cannot (yet) understand complex logic
       • People build tools, people aren’t perfect
   • Tools are absolutely necessary
       • Every trade has evolved to using tools
       • Tools make mundane, repetitive tasks quick
       • Tools address the 80/20 rule nicely
   • Diversify your toolbox
       • Open-source community-supported tools
       • Closed-source vendor-supported tools
       • Custom scripts and such

Arming Yourself (with Tools & Knowledge)

Knowledge
   • Open Web Application Security Project (OWASP)
       • Free.
       • Community-based projects to address web application security in a vendor-neutral fashion
   • Blogs, expert websites & mailing lists
       • Great wealth of information on the blog-o-sphere
       • Check the Security Blogger’s Network on FeedBurner
       • Ask … I can direct you to more blogs/resources
   • Community Experts
       • Be careful whose advice you buy…

Arming Yourself (with Tools & Knowledge)

Tools of the trade
   • No shortage of controversy over security testing tools
       • Pros/Cons can be debated, but never dismissed
       • Depending on who you ask, you get biased responses
   • Bottom-line: tools decrease risk, increase efficiency
       • There is no magic silver-bullet to make you “secure”
       • Understand there are false-positives and false-negatives
       • Risk-reduction benefit from tools use is undeniable
       • Even the experts and hard-core hackers use tools
       • Black-box, white-box, hybrid-mode… all fill a need

Piecing It All Together

Everything we’ve learned


    So far we know…
    • Your business’ online presence is/will be attacked
    • Negative testing is necessary to assure security
    • Static and dynamic testing must be employed together
    • Security testing browser-based applications is a maturing market
    • Many available tools are open to you


    Now the prestige…

Piecing It All Together

Enterprise grade secrets
   First assess your existing infrastructure
    • Risk is highest with legacy applications
    • Use risk metrics to leverage funding for a formal security program
   Work hard towards standardization of process
    • Experience proves there is no substitute for a strong process
    • SDLC integration will outlive your tenure
   Quick fixes are a myth
    • Security cannot be bolted on
    • “Fix it in a patch later” is a lost cause
   Never buy a “magic fix”
    • Security is a process, never actually achieving end-state


Q&A




Rafal M. Los
• Sr. Security Strategist
• Security Solutions Specialist, HP/Application Security Center
  • Email: rafal@hp.com
  • Direct: (404) 606-6056
  • Blog: http://www.communities.hp.com/securitysoftware/blogs/rafal/




                                                             © HP Application Security Center 2009

More Related Content

More from Rafal Los

SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)Rafal Los
 
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...Rafal Los
 
Lies, Fables and Security Metrics
Lies, Fables and Security MetricsLies, Fables and Security Metrics
Lies, Fables and Security MetricsRafal Los
 
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 20135 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013Rafal Los
 
Operationalizing Security Intelligence [ InfoSec World 2014 ]
Operationalizing Security Intelligence [ InfoSec World 2014 ]Operationalizing Security Intelligence [ InfoSec World 2014 ]
Operationalizing Security Intelligence [ InfoSec World 2014 ]Rafal Los
 
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...Rafal Los
 
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...Rafal Los
 
Cloud Security Alliance- Challanges of an elastic environment v8a [public]
Cloud Security Alliance- Challanges of an elastic environment v8a [public]Cloud Security Alliance- Challanges of an elastic environment v8a [public]
Cloud Security Alliance- Challanges of an elastic environment v8a [public]Rafal Los
 
Threat modeling the security of the enterprise
Threat modeling the security of the enterpriseThreat modeling the security of the enterprise
Threat modeling the security of the enterpriseRafal Los
 
Making Measurable Gains - Contextualizing 'Secure' in Business
Making Measurable Gains - Contextualizing 'Secure' in BusinessMaking Measurable Gains - Contextualizing 'Secure' in Business
Making Measurable Gains - Contextualizing 'Secure' in BusinessRafal Los
 
Software Security Assurance - Program Building (You're going to need a bigger...
Software Security Assurance - Program Building (You're going to need a bigger...Software Security Assurance - Program Building (You're going to need a bigger...
Software Security Assurance - Program Building (You're going to need a bigger...Rafal Los
 
Defying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationDefying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationRafal Los
 
Ultimate Hack! Layers 8 & 9 of the OSI Model
Ultimate Hack! Layers 8 & 9 of the OSI ModelUltimate Hack! Layers 8 & 9 of the OSI Model
Ultimate Hack! Layers 8 & 9 of the OSI ModelRafal Los
 
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)Rafal Los
 
Oh No They Didn't! 7 Web App Security Stories (v1.0)
Oh No They Didn't! 7 Web App Security Stories (v1.0)Oh No They Didn't! 7 Web App Security Stories (v1.0)
Oh No They Didn't! 7 Web App Security Stories (v1.0)Rafal Los
 
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2Rafal Los
 
StarWest 2009 - Detective Work For Testers: Finding Workflow Based Defects
StarWest 2009 - Detective Work For Testers: Finding Workflow Based DefectsStarWest 2009 - Detective Work For Testers: Finding Workflow Based Defects
StarWest 2009 - Detective Work For Testers: Finding Workflow Based DefectsRafal Los
 
A Laugh RIAt -- OWASP 2009 Web 2.0 Talk
A Laugh RIAt -- OWASP 2009 Web 2.0 TalkA Laugh RIAt -- OWASP 2009 Web 2.0 Talk
A Laugh RIAt -- OWASP 2009 Web 2.0 TalkRafal Los
 
Creating Practical Security Test-Cases for Web Applications
Creating Practical Security Test-Cases for Web ApplicationsCreating Practical Security Test-Cases for Web Applications
Creating Practical Security Test-Cases for Web ApplicationsRafal Los
 
Total Browser Pwnag3 V1.0 Public
Total Browser Pwnag3   V1.0 PublicTotal Browser Pwnag3   V1.0 Public
Total Browser Pwnag3 V1.0 PublicRafal Los
 

More from Rafal Los (20)

SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
 
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
 
Lies, Fables and Security Metrics
Lies, Fables and Security MetricsLies, Fables and Security Metrics
Lies, Fables and Security Metrics
 
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 20135 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
 
Operationalizing Security Intelligence [ InfoSec World 2014 ]
Operationalizing Security Intelligence [ InfoSec World 2014 ]Operationalizing Security Intelligence [ InfoSec World 2014 ]
Operationalizing Security Intelligence [ InfoSec World 2014 ]
 
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
 
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
 
Cloud Security Alliance- Challanges of an elastic environment v8a [public]
Cloud Security Alliance- Challanges of an elastic environment v8a [public]Cloud Security Alliance- Challanges of an elastic environment v8a [public]
Cloud Security Alliance- Challanges of an elastic environment v8a [public]
 
Threat modeling the security of the enterprise
Threat modeling the security of the enterpriseThreat modeling the security of the enterprise
Threat modeling the security of the enterprise
 
Making Measurable Gains - Contextualizing 'Secure' in Business
Making Measurable Gains - Contextualizing 'Secure' in BusinessMaking Measurable Gains - Contextualizing 'Secure' in Business
Making Measurable Gains - Contextualizing 'Secure' in Business
 
Software Security Assurance - Program Building (You're going to need a bigger...
Software Security Assurance - Program Building (You're going to need a bigger...Software Security Assurance - Program Building (You're going to need a bigger...
Software Security Assurance - Program Building (You're going to need a bigger...
 
Defying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationDefying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with Automation
 
Ultimate Hack! Layers 8 & 9 of the OSI Model
Ultimate Hack! Layers 8 & 9 of the OSI ModelUltimate Hack! Layers 8 & 9 of the OSI Model
Ultimate Hack! Layers 8 & 9 of the OSI Model
 
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
 
Oh No They Didn't! 7 Web App Security Stories (v1.0)
Oh No They Didn't! 7 Web App Security Stories (v1.0)Oh No They Didn't! 7 Web App Security Stories (v1.0)
Oh No They Didn't! 7 Web App Security Stories (v1.0)
 
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
 
StarWest 2009 - Detective Work For Testers: Finding Workflow Based Defects
StarWest 2009 - Detective Work For Testers: Finding Workflow Based DefectsStarWest 2009 - Detective Work For Testers: Finding Workflow Based Defects
StarWest 2009 - Detective Work For Testers: Finding Workflow Based Defects
 
A Laugh RIAt -- OWASP 2009 Web 2.0 Talk
A Laugh RIAt -- OWASP 2009 Web 2.0 TalkA Laugh RIAt -- OWASP 2009 Web 2.0 Talk
A Laugh RIAt -- OWASP 2009 Web 2.0 Talk
 
Creating Practical Security Test-Cases for Web Applications
Creating Practical Security Test-Cases for Web ApplicationsCreating Practical Security Test-Cases for Web Applications
Creating Practical Security Test-Cases for Web Applications
 
Total Browser Pwnag3 V1.0 Public
Total Browser Pwnag3   V1.0 PublicTotal Browser Pwnag3   V1.0 Public
Total Browser Pwnag3 V1.0 Public
 

Recently uploaded

The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 

Recently uploaded (20)

The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop

Application Security Testing Results You Need V1.0 Public

  • 1. Session H5
    Application Security Testing: How to Get the Results You Need
    Tuesday, March 10th, 2009, 9:45am
    Rafal M. Los, Sr. Web Security Specialist – HP/ASC
  • 2. Key Points
    • Understanding the need for security testing
    • The case for negative-testing
    • Static vs. Dynamic application testing
    • Security testing browser-based applications
    • Arming yourself (tools & knowledge)
    • Piecing it all together
  • 3. Understanding the Need for Security Testing – Asking the big question
    • Question: Why do businesses need to spend time, money and resources on additional testing measures to check the security of their web applications?
    • Obvious answer: Hackers are out to get you – your data and your customers are subject to hijack and theft!
  • 4. Understanding the Need for Security Testing – A Business Perspective
    • External compliance requirement
      • PCI – Payment Card Industry standard
    • Internal compliance requirement
      • Corporate data privacy standards
    • Mission-critical web-based applications
      • Web applications that drive your business
    • Critical data in web-based applications
      • Cardholder data, patient records, personal information
    • Company’s online brand is important
      • Defacements and hijacks repel current and future customers
  • 5. Understanding the Need for Security Testing – More to the point
    Hackers have clear goals…
    • Your systems
      • Use your systems to launch attacks
      • Host spam relays, distribute malware
    • Your data
      • Databases contain payment information, customer data
      • Can you identify all data in your applications?
    • Your customers’ clicks
      • Distribute adware/trojan-ware to your customers
      • http://cyberinsecure.com/businessweek-online-content-hit-by-sql-injection/ – The case of BusinessWeek.com
    • Your good reputation
      • Industrial sabotage is real
      • Users trust your websites… right? Remember Egghead.com?
  • 6. Understanding the Need for Security Testing – Internal Challenges
    • Lack of “Security” in SDLC
      • PMs – Requirements
      • Developers – Code
      • QA – Quality
      • Auditors?
    • “Semi-Custom” Apps
      • 3rd party developed application
      • Custom integrations to internal and external systems
    • Legacy Systems
      • Systems developed before security concerns
      • Mainframe over HTTP?
  • 7. The Case for Negative-Testing – Let’s define Quality Assurance
    • Quality Assurance defined: Quality assurance, or QA for short, refers to planned and systematic production processes that provide confidence in a product's suitability for its intended purpose. It is a set of activities intended to ensure that products (goods and/or services) satisfy customer requirements in a systematic, reliable fashion. (Wikipedia)
  • 8. The Case for Negative-Testing – Breaking down quality
    • Quality assurance is incomplete
      • Perform only positive-testing
      • Test only “good” data the system is known to accept
      • Tests only proper use of the system or application
      • “Why would anyone want to purposely mis-use the system?”
    • No account for malicious users
      • 999,999 buyers and a single hacker
      • The resource exhaustion example (1 hacker, total DoS)
      • QA does not try to disprove hypothesis (like in science)
      • Only attempts to prove positive
    • Quality assurance must embrace security
      • 3 Pillars of Quality
      • Does it function?
      • Does it perform?
      • Is it secure?
  • 9. The Case for Negative-Testing – Negative Testing is Critical
    How does the application behave in adversity?
    • Test the application against known possible attacks
      • Attack vectors such as hacking, DoS, DDoS, and more
    • Intentional mis-use
      • Test against malicious use-cases
      • Testers must have a library of known attack data
    • Unintended functionality
      • Test for unintended functionality in the application
      • Test for logic flaws, race conditions, others
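The contrast slides 8 and 9 draw between positive testing and negative testing, shown as an added example that is not part of the original deck. A checkout handler written and tested only against good data passes its positive test, yet every entry in a small "library of known attack data" either slips through as a logic flaw (negative quantity, oversized quantity, Unicode digits that `int()` silently accepts) or crashes the handler. The hardened version beside it rejects the same inputs cleanly. The handler names, the `MAX_QTY` limit and the attack data are all constructed for this illustration.

```python
"""Negative testing vs. positive testing on a checkout quantity handler.
Constructed example: the handlers, their attack data and the store are illustrative."""
import re

MAX_QTY = 100   # assumed business limit on units per line item

class OrderError(ValueError):
    """Raised when an order is rejected cleanly (an HTTP 4xx, not a crash)."""

# Constructed "library of known attack data" for one integer form field.
# A handler passes the negative suite only if it *rejects* every entry:
# accepting one is a logic flaw, crashing on one is an unhandled-error path.
ATTACK_DATA = [
    ("negative quantity", "-5"),            # negative total = a refund to the attacker
    ("zero quantity", "0"),
    ("non-numeric", "5; DROP TABLE orders"),
    ("float", "1.5"),
    ("empty string", ""),
    ("huge quantity", str(10**9)),          # oversell / unbounded work per request
    ("unicode digits", "\u0661\u0662"),     # Arabic-Indic '12': int() accepts it
]

def naive_order(sku, qty_raw, inventory, price):
    """The 'before' handler: written and tested only against good data."""
    qty = int(qty_raw)            # crashes on junk, accepts negatives and 10**9
    inventory[sku] -= qty         # stock goes negative; nobody checks
    return {"sku": sku, "qty": qty, "total": price * qty}

def hardened_order(sku, qty_raw, inventory, price):
    """The 'after' handler: validate shape, range and stock before any side effect."""
    # [0-9] is ASCII-only; \d would match every Unicode decimal digit.
    if not isinstance(qty_raw, str) or not re.fullmatch(r"[0-9]+", qty_raw):
        raise OrderError("quantity must be an unsigned decimal integer")
    qty = int(qty_raw)
    if not 1 <= qty <= MAX_QTY:
        raise OrderError(f"quantity must be between 1 and {MAX_QTY}")
    if inventory.get(sku, 0) < qty:
        raise OrderError("insufficient stock")
    inventory[sku] -= qty
    return {"sku": sku, "qty": qty, "total": price * qty}

def run_positive_suite(handler):
    """What traditional QA checks: the happy path works."""
    inventory = {"widget": 10}
    result = handler("widget", "3", inventory, price=5)
    return result["total"] == 15 and inventory["widget"] == 7

def run_negative_suite(handler):
    """Return {label: outcome} with outcome in {'rejected', 'accepted', 'crashed'}.
    Each attack entry gets a fresh inventory so results do not bleed into each other."""
    outcomes = {}
    for label, raw in ATTACK_DATA:
        inventory = {"widget": 10}
        try:
            handler("widget", raw, inventory, price=5)
            outcomes[label] = "accepted"
        except OrderError:
            outcomes[label] = "rejected"
        except Exception:            # anything else would surface as a 500 in production
            outcomes[label] = "crashed"
    return outcomes

if __name__ == "__main__":
    for handler in (naive_order, hardened_order):
        print(handler.__name__, "positive:", run_positive_suite(handler))
        for label, outcome in run_negative_suite(handler).items():
            print(f"  {label:18s} -> {outcome}")
```

Both handlers pass the positive suite; only the negative suite tells them apart, which is the slide's point about QA proving the positive without trying to disprove it.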
  • 10. Building a Business Case – Putting the pieces together
    • You now understand the need → why?
      • Web applications must be resilient to attacks
      • Attacks are a fact of life and business
    • You now understand the requirement → what?
      • QA is inadequate as-is
      • Negative testing (security testing) must be added
    • You must now learn the methods → how?
      • What are the basics of negative-testing?
      • What are the challenges of proper execution?
  • 11. Static vs. Dynamic Application Testing – Differing testing methods
    • Static Analysis → execution path analysis
      • Typically through source code analysis
      • Testing without actual data
      • Analyze all possible execution branches of code
    • Dynamic Analysis → data-driven analysis
      • Typically through black-box testing tools
      • Testing with pre-defined test data sets
      • Analyze behavior when different data sets are used
    • Key point → Each of these is incomplete… Why?
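Why slide 11 calls each method incomplete, shown as an added example that is not part of the original deck and is not any product's engine. A tiny static scanner walks the AST of three constructed handlers and flags every `execute()` whose SQL was built by formatting or concatenation: it covers every branch, but has no context, so it also flags the handler whose `int()` cast makes the concatenation safe (a false positive). A tiny dynamic scanner runs the same handlers against a seeded in-memory SQLite database with a small probe set in the first user parameter: it reports only real behaviour, but never reaches the concatenation hidden behind an optional `sort` parameter the probe set does not supply (a false negative). The handler names, the probe list and the sample data are all constructed for this illustration.

```python
"""Static vs. dynamic analysis on the same three handlers.  Constructed example:
the handlers, the AST scanner and the probe list are illustrative only."""
import ast
import sqlite3

# Constructed sample code under test, kept as a string so the same text can be
# parsed (static) and executed (dynamic).
SAMPLE_SOURCE = '''
def lookup_by_name(conn, name):
    # user data formatted straight into SQL
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()

def lookup_by_id(conn, user_id):
    # concatenation, but int() makes the value safe: a static false positive
    return conn.execute("SELECT id FROM users WHERE id = " + str(int(user_id))).fetchall()

def list_users(conn, name, sort=None):
    # the flaw sits behind an optional parameter the probe set never supplies
    sql = "SELECT id FROM users WHERE name = ?"
    if sort is not None:
        sql += " ORDER BY " + sort
    return conn.execute(sql, (name,)).fetchall()
'''

def static_scan(source):
    """Return {function_name: flagged} for execute() calls whose SQL argument is an
    f-string, a concatenation, or a variable ever built by one.  Every branch is
    visited whether or not it is reachable: complete, but blind to context."""
    results = {}
    for fn in ast.parse(source).body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        built = set()   # names assigned from a concatenation or f-string
        for node in ast.walk(fn):
            if isinstance(node, ast.AugAssign) and isinstance(node.target, ast.Name):
                built.add(node.target.id)
            elif isinstance(node, ast.Assign) and isinstance(node.value, (ast.BinOp, ast.JoinedStr)):
                built.update(t.id for t in node.targets if isinstance(t, ast.Name))
        flagged = False
        for node in ast.walk(fn):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args):
                arg = node.args[0]
                if isinstance(arg, (ast.JoinedStr, ast.BinOp)) or (
                        isinstance(arg, ast.Name) and arg.id in built):
                    flagged = True
        results[fn.name] = flagged
    return results

# Constructed probe set: values for the first user-controlled parameter only.
PROBES = ["1'", "1' OR '1'='1"]

def dynamic_scan(source):
    """Run each handler against a seeded database with each probe in the first
    parameter.  An SQL error or a result set larger than the baseline means the
    probe changed the statement.  Only what the probe set reaches is tested."""
    namespace = {}
    exec(source, namespace)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    results = {}
    for name, func in namespace.items():
        if name.startswith("__") or not callable(func):
            continue
        baseline = func(conn, "1")
        flagged = False
        for probe in PROBES:
            try:
                rows = func(conn, probe)
            except sqlite3.Error:
                flagged = True      # the quote broke the statement: injection point
                break
            except ValueError:
                continue            # handler rejected the input: not a finding
            if len(rows) > len(baseline):
                flagged = True      # the probe widened the result set
                break
        results[name] = flagged
    return results

if __name__ == "__main__":
    print("static :", static_scan(SAMPLE_SOURCE))
    print("dynamic:", dynamic_scan(SAMPLE_SOURCE))
```

Only `lookup_by_name` is caught by both. The static pass over-reports on `lookup_by_id` because it cannot see that `int()` neutralises the value; the dynamic pass under-reports on `list_users` because its data set never exercises `sort`. Together they cover what neither covers alone, which is the argument slide 12 makes.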
  • 12. Static vs. Dynamic Application Testing – Clearly we need both
    • Dynamic
      • Pros: Lower false-positive rate; Well-established testing tools; Ability to execute layered testing
      • Cons: Incomplete (impossible to guess whole of data set); Cannot point to source-code where errors exist; Prone to inconsistency issues
    • Static
      • Pros: Absolutely complete analysis; Identify the issues directly in source code; Pre-defined patterns identified in source
      • Cons: Potential for many false-positives; Extremely resource intensive analysis; Inability to contextualize issues
  • 13. Security Testing Browser-Based Applications – Think outside the browser
    • Hackers rarely limit themselves to a browser
    • Testing requires analyzing the application at a lower-level
    • Think like a 3rd party hacker…
    • Database queries and information stores
    • Integration systems
    • Session & state management
    • Authentication systems
    • Input sanitization and client-data handling
  • 14. Security Testing Browser-Based Applications – Testing with tools
    When is automation appropriate?
    • Tools have limitations
      • A tools-based approach is confined to matching patterns
      • Tools cannot (yet) understand complex logic
      • People build tools, people aren’t perfect
    • Tools are absolutely necessary
      • Every trade has evolved to using tools
      • Tools make mundane, repetitive tasks quick
      • Tools address the 80/20 rule nicely
    • Diversify your toolbox
      • Open-source community-supported tools
      • Closed-source vendor-supported tools
      • Custom scripts and such
  • 15. Arming Yourself (with Tools & Knowledge) – Knowledge
    • Open Web Application Security Project (OWASP)
      • Free.
      • Community-based projects to address web application security in a vendor-neutral fashion
    • Blogs, expert websites & mailing lists
      • Great wealth of information on the blog-o-sphere
      • Check the Security Blogger’s Network on FeedBurner
      • Ask … I can direct you to more blogs/resources
    • Community Experts
      • Be careful whose advice you buy…
  • 16. Arming Yourself (with Tools & Knowledge) – Tools of the trade
    • No shortage of controversy over security testing tools
      • Pros/Cons can be debated, but never dismissed
      • Depending on who you ask, you get biased responses
    • Bottom-line: tools decrease risk, increase efficiency
      • There is no magic silver-bullet to make you “secure”
      • Understand there are false-positives and false-negatives
      • Risk-reduction benefit from tools use is undeniable
    • Even the experts and hard-core hackers use tools
      • Black-box, white-box, hybrid-mode… all fill a need
  • 17. Piecing It All Together – Everything we’ve learned
    So far we know…
    • Your business’ online presence is/will be attacked
    • Negative testing is necessary to assure security
    • Static and dynamic testing must be employed together
    • Security testing browser-based applications is a maturing market
    • Many available tools are open to you
    Now the prestige…
  • 18. Piecing It All Together – Enterprise grade secrets
    • First assess your existing infrastructure
      • Risk is highest with legacy applications
      • Use risk metrics to leverage funding for a formal security program
    • Work hard towards standardization of process
      • Experience proves there is no substitute for a strong process
      • SDLC integration will outlive your tenure
    • Quick fixes are a myth
      • Security cannot be bolted on
      • “Fix it in a patch later” is a lost cause
    • Never buy a “magic fix”
      • Security is a process, never actually achieving end-state
  • 19. Q&A
    Rafal M. Los
    • Sr. Security Strategist
    • Security Solutions Specialist, HP/Application Security Center
    • Email: rafal@hp.com
    • Direct: (404) 606-6056
    • Blog: http://www.communities.hp.com/securitysoftware/blogs/rafal/