3. There IS free breakfast!
Key Takeaways
Security is easy when done right
• Basic Web Application vulnerability assessment
• Basic Mobile (Android and iOS) vulnerability assessment
• Basic network vulnerability assessment
4. Agenda Overview
• Why use any security assessment tool during SDLC?
• What do you need to assess (secure)?
• Network Security Assessment tool - OpenVAS
• Web Application Security Assessment Tool – OWASP ZAP
• Android Application Security Assessment Tool - Qark
• iOS Application Security Assessment Tool - Needle
• Questions?
5. Why use any security assessment tool?
• Detecting “low-hanging fruits” before release
• Detection of vulnerabilities in early development phase
• Open Source Tools:
‒ Free!!
Image Source: Kaspersky Security Bulletin 2015
Distribution of exploits used in cyberattacks, by type of application attacked, 2015
6. What do you need to assess (secure)?
• Network
• Web application
• Mobile Application
‒ Android
‒ iOS
7. Network Security Assessment tool - OpenVAS
• Open Vulnerability Assessment System
• Network Vulnerability Tests (NVTs)
• Simple to install and use
• Web interface
‒ Launch scans
‒ View reports
• Alternatives: Nessus, nmap
• Get Started! : OpenVAS setup and start guide
15. Web Application Security Assessment Tool – OWASP ZAP
• Ideal for devs, esp. for automated security tests
• Cross platform, easy to install and use
• Main features: Intercepting Proxy, Traditional and Ajax Spiders, WebSockets support, Forced Browsing (DirBuster), Fuzzing etc.
• Point-n-shoot
• Plug-n-hack add-on
• Get started !! : Zed Attack Proxy
17. Android Application Security Assessment Tool - Qark
• Quick Android Review Kit (created by LinkedIn)
• Some important vulns QARK finds:
‒ Apps supporting outdated API versions, with known vulnerabilities
‒ Tapjacking
‒ Activities which may leak data
‒ …and many more.
• QARK GitHub
23. Conclusions:
Use OpenVAS to find network vulnerabilities
Use OWASP Zap to find web app vulnerabilities
Use QARK to find Android app vulnerabilities
Use Needle to find iOS app vulnerabilities
Use Box for the most awesome and secure platform
Editor's Notes
Add a key-takeaways slide and a conclusion slide
Low-hanging fruits: very simple vulnerabilities which can be easy to fix but can have disastrous consequences.
They require a lower skill set from a malicious user to exploit.
Open source advantages: They are FREE!
Exploit contributions from all around
Flexibility
Community support
Documentation
Scanners have the capability to cause disruption. It is safer to run these tools in dev rather than prod.
Or the configuration must match what prod can handle (?)
We have tuned these scanners to run on prod.
Types of vulnerabilities found:
bad network configurations, such as an open telnet port on the main server
unpatched host OS and libraries with known exploits
data leakage from the back end by methods such as brute forcing
First screen:
you add a “Task”, which is basically a scan that you want to run
in the next few steps you configure the scan or Task
Choose the configuration wisely
If in doubt, it is always safe to go easy
Specify targets:
it could be just one web server that is supporting your app, or multiple ones
Once the task is added, you can start the scan by clicking the Play button
You can track the progress as the scan finishes
The report variety ranges from very executive to very technical
the type of report can be selected depending on the needs
Reports are a breakdown by individual hosts or vulnerabilities
most of these tools offer recommendations on fixing the vulnerabilities found
a word of caution here: these recommendations are VERY generic
taking these recommendations more as a guideline to fix the vulnerability than as the fix itself is a safe option
Talk a little about OWASP
The Open Web Application Security Project (or OWASP for short) is a worldwide not-for-profit charitable organization focused on improving the security of software.
A very well-contributed organisation
Vulnerabilities found:
web application vulnerabilities like
XSS,
SQLi,
CSRF,
bad cookie handling, such as no Secure flag
bad session handling
All of these are generally easy to fix but difficult to spot
A small demo
Enter the URL of your web application (point and attack)
Highly customizable – plugins can be written
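The "ideal for devs, esp. for automated security tests" slide and this demo both point at the same thing: driving ZAP from a script so a build is gated on its findings. The block below is an added example, not code from the talk or the ZAP project; it assumes a ZAP instance already listening on 127.0.0.1:8080, its API key in the ZAP_API_KEY environment variable, and the python-owasp-zap-v2.4 client package, and the sample alerts at the bottom are constructed.

```python
"""Gate a build on OWASP ZAP findings: spider, active-scan, then fail on risk."""
import os
import time

# Risk levels exactly as ZAP reports them in alert["risk"], lowest to highest.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def triage(alerts, fail_at="High"):
    """Count alerts per risk level and decide whether the build should fail.

    alerts: list of dicts with a "risk" key (the shape zap.core.alerts() returns).
    Returns (should_fail, counts); the build fails if any alert is at or above fail_at.
    """
    counts = {level: 0 for level in RISK_ORDER}
    threshold = RISK_ORDER[fail_at]
    should_fail = False
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
        if RISK_ORDER.get(risk, 0) >= threshold:
            should_fail = True
    return should_fail, counts


def spider_and_scan(target, fail_at="High"):
    """Spider and actively scan target through a running ZAP, then triage the alerts."""
    from zapv2 import ZAPv2  # imported lazily so triage() works without ZAP installed
    proxy = "http://127.0.0.1:8080"  # assumed ZAP listener
    zap = ZAPv2(apikey=os.environ.get("ZAP_API_KEY", ""),
                proxies={"http": proxy, "https": proxy})
    scan_id = zap.spider.scan(target)
    while int(zap.spider.status(scan_id)) < 100:  # status is a percentage string
        time.sleep(2)
    scan_id = zap.ascan.scan(target)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(5)
    return triage(zap.core.alerts(baseurl=target), fail_at)


if __name__ == "__main__":
    # Constructed sample alerts in the ZAP alert shape, so the gate can be tried offline.
    sample = [
        {"risk": "High", "alert": "SQL Injection", "url": "http://dev.example/login"},
        {"risk": "Low", "alert": "Cookie No HttpOnly Flag", "url": "http://dev.example/"},
    ]
    fail, counts = triage(sample)
    print("fail build:", fail, counts)
```

In a pipeline, replace the sample with `spider_and_scan("http://dev.example")` against a dev target and exit non-zero when the first element of the result is True.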
Decompiles Android apps to raw source code
No rooted device needed
Vulnerabilities it finds:
old unsupported API versions with known exploits
activities that can leak data
tapjacking - Like ClickJacking on the web, TapJacking occurs when a malicious application displays a fake user interface that seems like it can be interacted with, but actually passes interaction events such as finger taps to a hidden user interface behind it.
I will leave the full video available for more step-by-step instructions and a walkthrough.
Due to time constraints I will be skipping some sections here though.
Launching and selecting the APK – 0:00 to 0:06
Decompiling the APK – 0:36
Performing basic vulnerability checks – 2:57
Basic report that is generated – 5:28
Jailbroken device needed!!!!
The "show modules" command can be used to list all the modules currently available in the framework.
Once selected, the "info" command can be used to show details of a particular module. Very similar to Metasploit.
When all the options are set as preferred, the "run" command can be used to start the module's execution. If a target app has not been selected yet (with the global option "TARGET_APP" still unset), Needle will first launch a wizard that will help the user in selecting a target.