Security testing
•Télécharger en tant que PPTX, PDF•
2 j'aime•1,521 vues
this file is a presentation about software and security testing
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (8)
Similaire à Security testing
Similaire à Security testing (20)
Plus de Rihab Chebbah
Plus de Rihab Chebbah (10)
Dernier
Dernier (20)
Security testing
- 2. Contents Introduction SQL Injection Disclosure of sensitive data Unauthorized access Security flaws Types Methods Security Testing Conclusion
- 3. Introduction • Testing a partial verification process of a system. • Its main objective is to identify a maximum number of problematic behavior of the software in order to increase the quality
- 5. Security flaws SQL Injection Vulnerabilities: • Poor input validation in your Web applications • Unsafe, dynamically constructed SQL commands • Over-privileged application logins to the database • Weak permissions that fail to restrict the application's login to the database Countermeasures: • Constrain and sanitize input data. • Use type safe SQL parameters for data access.. • Use an account that has restricted permissions in the database.
- 6. Security flaws SQL Injection - Example 105 or 1=1UserID SELECT * FROM CreditCard WHERE UserID= 105 or 1=1
- 7. Security flaws Unauthorized Access Vulnerabilities: • Lack of authorization in data access code providing unrestricted access • Over-privileged database accounts Countermeasures: • Use principal permission demands to authorize the calling user. • Use code access security permission demands to authorize the calling code. • Use limited permissions to restrict the application's login to the database and to prevent direct table access.
- 9. Security flaws Disclosure of sensitive data Vulnerabilities: • Clear text credentials passed over the network during SQL authentication • Unencrypted sensitive application data sent to and from the database server Countermeasures: • Install a server certificate on the database server. • Use an SSL connection between the Web server and database server to protect sensitive application data. • Use an IPSec encrypted channel between Web and database server.
- 10. 4010 3190 9662 53594010 3190 9662 5359 Security flaws Disclosure of sensitive data - example
- 11. Security testing involves testing a software in order to identify any flaws and gaps from security and vulnerability point of view. Testing SecurityTesting
- 12. Security Testing Security Testing in the coding phase : Unit Tests ₪ Test isolation ₪ Operate at the method d and class level ₪ Written by developers ₪ Executed the most frequently Tests are run very quickly : issues are identified quickly High test coverage Not many security vulnerabilities can be tested
- 13. Security Testing Security Testing during the integration and validation phase : Integrated system Test & Operation Test ₪ Test integration between classes and modules ₪ Test integration between tiers ₪ Written by developers ₪ Executed often, but not as often as unit tests • Can test in the application server • Many security vulnerabilities can be tested : Injections, authentification flaws and authorization flaws • Some vulnerabilities may not easily tested : XSS, URL filtering performed by A web server or application firewall • Not executable as often as unit tests • Overhead of starting an application server Integrated system Test
- 14. Security Testing Security Testing during the integration and validation phase : Integrated system Test & Functional acceptance Test ₪ Performed on the external API ₪ Low test coverage ₪ Performed by quality assurance testers ₪ Executed the least frequently • Full testing of external API • Security consultants can use tools to script vulnerabilities : documents vulnerabilities easy retesting • Low test coverage • Developers aren’t include in testing Functional acceptance Test
- 15. Security Testing Methods Static test Dynamic test
- 16. Security Testing Methods Fuzzing Test Fuzzing is about injecting invalid or random inputs in order - to reveal unexpected behaviour - to identify errors and expose potential vulnerabilities.
- 17. Security Testing Methods Fuzzing Test - Process Input data preparation Definition of input data Program preparation Environment Preparation Setup Data transfer to application Reporting Monitoring
- 18. Observation of program behavior Logs Debuggers (!exploitable...) Files, processes and network monitors Virtualization (VMWare) Source code modifications (breakpoints) Additional techniques (Valgrind, GuardMalloc) Combined techniques Security Testing Types Fuzzing Test - Monitoring
- 19. Security Testing Types Fuzzing Test – Fuzzing Test and SDLC Initial analysis Design Implemen tation Testing Maintenance Fuzzing
- 20. Security Testing Types Fuzzing Test – Fuzzers Frameworks: Peach (http://peachfuzzer.com/) Sulley Specialized fuzzers: JBroFuzz (OWASP) WSFuzzer (OWASP) TAOF Wfuzz Spike Proxy WebFuzz
- 21. Security Testing Types Fuzzing Test – advantages and disadvantages Full automatization (in most cases) Fuzzers find real vulnerabilities Ability to identify bugs which are hard to find by manual testing Ability to quickly obtain satisfactory results (first bug) Inability to find logical bugs Inability to find complex bugs Time required for performing test is very hard to specify
- 22. Security test cases checklist Security Testing Input validation Buffer overflaws Injection attacks Disclosure of sensitive data …. Conduct all data validation on a trusted system (e.g., The server) Identify all data sources and classify them into trusted and untrusted. Validate all data from untrusted sources (e.g., Databases, file streams, etc.) There should be a centralized input validation routine for the application Specify proper character sets, such as UTF-8, for all sources of input Encode data to a common character set before validating All validation failures should result in input rejection Validate for expected data types Validate data range Validate data length Validate all input against a "white" list of allowed characters, whenever possible ….
- 23. Security test cases checklist Security Testing Access Control Unauthorized access Disclosure of sensitive data Tampering DOS & DDOS Attacks … Restrict access to protected functions to only authorized users Restrict direct object references to only authorized users Restrict access to services to only authorized users Restrict access to application data to only authorized users Restrict access to user and data attributes and policy information used by access controls Access controls should fail securely Deny all access if the application cannot access its security configuration information Use only trusted system objects, e.g. server side session objects, for making access authorization decisions If state data must be stored on the client, use encryption and integrity checking on the server side to catch state tampering. ….
- 24. Security test cases checklist Security Testing Cryptography practices Network eavesdropping Disclosure of sensitive data ….. All cryptographic functions used to protect secrets from the application user must be implemented on a trusted system (e.g., The server) Protect master secrets from unauthorized access Cryptographic modules should fail securely All random numbers, random file names, random GUIDs, and random strings should be generated using the cryptographic module’s approved random number generator when these random values are intended to be un-guessable Cryptographic modules used by the application should be compliant to FIPS 140-2 or an equivalent standard. Establish and utilize a policy and process for how cryptographic keys will be managed
- 25. Security test cases checklist Security Testing Authentification and Password management Network eavesdropping Disclosure of sensitive data Unauthorized access …. Require authentication for all pages and resources, except those specifically intended to be public All authentication controls must be enforced on a trusted system (e.g., The server) Establish and utilize standard, tested, authentication services whenever possible Use a centralized implementation for all authentication controls, including libraries that call external authentication services Segregate authentication logic from the resource being requested and use redirection to and from the centralized authentication control All authentication controls should fail securely All administrative and account management functions must be at least as secure as the primary authentication mechanism …
- 26. Security test cases checklist Security Testing Data protection Network eavesdropping Disclosure of sensitive data Tampering Unauthorized access …. Implement least privilege, restrict users to only the functionality, data and system information that is required to perform their tasks Encrypt highly sensitive stored information, like authentication verification data, even on the server side. Always use well vetted algorithms, see "Cryptographic Practices" for additional guidance Protect server-side source-code from being downloaded by a user Do not store passwords, connection strings or other sensitive information in clear text or in any non-cryptographically secure manner on the client side Remove comments in user accessible production code that may reveal backend system or other sensitive information Do not include sensitive information in HTTP GET request parameters …
- 27. Security test cases checklist Security Testing Communication Security Network eavesdropping Disclosure of sensitive data Buffer overflow DOS attack Implement encryption for the transmission of all sensitive information TLS certificates should be valid and have the correct domain name, not be expired, and be installed with intermediate certificates when required Failed TLS connections should not fall back to an insecure connection Utilize TLS connections for all content requiring authenticated access and for all other sensitive information Utilize TLS for connections to external systems that involve sensitive information or functions Utilize a single standard TLS implementation that is configured appropriately Specify character encodings for all connections Filter parameters containing sensitive information from the HTTP referer, when linking to external sites
- 28. Testing tools Security Testing OWASP Zed Attack Proxy
- 29. Testing tools Security Testing OWASP WFuzz
- 30. Conclusion Security testing is an important and integral part of the software developmental process. You will need to conduct this test to find security loopholes and later close them with appropriate security measures and techniques
- 31. Thank you for your attention !!
Notes de l'éditeur
- Good morning, the pupose of this presentation is to introduce security testing
- We will begin our presentation by an introduction, then we will present some security flaws as well as types and methods to test these flaws and we will finish by a conclusion
- Testing is an important part of software development and it is vital to start it as early as possible, its objectives is to find flaws and vulnerabilities of a system
- The database is a prime target for application level attacks. The top threats to data access code are: SQL injection Disclosure of configuration data Disclosure of sensitive application data Disclosure of database schema and connection details Unauthorized access Network eavesdropping
- An SQL injection attack consists of insertion of either a partial or complete SQL query via the data input or transmitted from the client to the web application. Common vulnerabilities that make your data access code susceptible to SQL injection attacks include: To counter SQL injection attacks, be sure to:
- For example, Let's say that the original purpose of the code was to create an SQL statement to select information about a user’s credit card, The SQL above is valid. It will return all rows from the table CreditCard, since WHERE 1equal1 is always true
- With inadequate authorization, users may be able to see another user's data and may be able to access other restricted data. Practices that can allow unauthorized access include: To prevent unauthorized access:
- This example has four users. The users select from a set of resources such as Public Share, Time Card Entry and Account Manager. Larry should not be allowed to access the Account Manager resource because Larry is not assigned to the required role. However in this example, Larry’s access is allowed in the application. The main issue is that the application does not implement the access control correctly to verify whether the user Larry is authorized to access Account Manager resource.
- The deployment architecture of most applications includes a physical separation of the data access code from the database server. As a result, sensitive data such as application-specific data or database login credentials must be protected from network eavesdroppers. The following practices increase vulnerability to network eavesdropping: To limit vulnerability to network eavesdropping:
- As shown above, while transmitting a sensitive data through the network , attackers could steal that information, Therefore we must secure our software, so how to test security software
- Security testing is basically a type of software testing that’s done to check whether the application or the product is secured or not. It checks to see if the application is vulnerable to attacks, if anyone hack the system or login to the application without any authorization.
- Unit test : test logic in classes by programmers to show code level correctness. They should be fast and not dependend on other parts of the system that you don't intend to test
- Integration test : Test communication paths between different parts of the module done by the test department or by developers to show that all modules work correctly together.
- Functional acceptance test : test use case scenario's on a limited (specially created) data set done by the test department to show that every specified scenario works as specified.
- We can find also other types of security testing such as static, dynamic Static test : it verifies the security of the software by analyzing either the source code or the compiled application without running the project Dynamic test : it tests the software in the running mode We can also find others method for testing software such as fuzzing test
- Fuzzing is a method of testing software to find security holes and unexpected behavior of an application, using semirandom data.
- The fuzzing process is defined as shown here, First, a generator produces test inputs. Second, the test inputs are delivered to the system under test. The delivery mechanism depends on the type of input that the system processes. Third, the system under test is monitored for crashes and other basic undesirable behavior. Also Reports describes the results of the test could be generated automatically
- One can monitor the target application in many ways. Such as monitor for event logs, monitor application crashes using debuggers, monitor using tools of virtualization like vmware etc ,,,
- application is tested by a previously prepared fuzzer. Test results are verified by testers. Next, they are sent to programmers. If any errors occur, programmers must fix the application. New build once again must pass the fuzzing process.
- Some frameworks are used the fuzzing test such as Peach and sulley, peach can test virtually any system for unknown vulnerabilities. From common test targets to complex proprietary systems, Peach is the fuzzer for the job. The goal of the framework sulley is to simplify not only data representation but to simplify data transmission and target monitoring as well. There are some tools specialized fuzzers such as …
- security test cases cheat list or check-list”, for example, can provide simple test cases and attack vectors that can be used by testers to validate exposure to common vulnerabilities, Input validation is the correct testing of any input; we should verify the data is strongly typed, correct syntax, within length boundaries, contains only permitted characters, or that numbers are correctly signed and within range boundaries Problems resulting from incorrect input validation :
- Access control policies can be specified in programming languages or policy specification languages and implemented in a particular access control implementation. Policies need to be carefully designed and implemented to prevent data from unauthorized access, diclosure of sensitive data dos and ddos attacks etc
- The Cryptography Policy sets out when and how encryption should (or should not) be used. It includes protection of personal, confidential and commercially sensitive information and communications, key management, and procedures to ensure encrypted information can be recovered by the organisation if necessary.
- Authentication is the process of verification that an individual, entity or website is who it claims to be, Session Management is a process by which a server maintains the state of an entity interacting with it. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict
- Limit access to data based on the least privilege principal. Encrypt sensitive data and information like stored passwords, connection strings and properly protect decryption keys. We should Make sure all cached or temporary copies of sensitive data are protected from unauthorized access and get purged as soon as they are no longer required,
- When transmitting sensitive information, at any tier of the application or network architecture, encryption-in-transit should be used. We should Use a trusted certificate authority to generate public and private keys whenever possible. Moreover, proper security controls must be in place to protect the private keys from unauthorized access.
- is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help to automatically find security vulnerabilities in web applications while developing and testing the applications. Its also a great tool for experienced pentesters to use for manual security testing
- Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc
- Secure applications can ensure system safety and security. It can impede attacks by hackers. Security testing is one of the most important tests that you should conduct before introducing it to the commercial domain