SlideShare une entreprise Scribd logo

Assessment methodology and approach

B
Blueinfy Solutions

This presentation covers DASt/SAST and Manual testing for web applciations.

Technologie
1  sur  19
Methodologies and Challenges DAST & SAST Auto + Manual (must)
Methodologies
OWASP’s Risk Picture
Application Security Cycle Architecture Blackbox WhiteboxDefense Architecture Review Design Review Technology Review Threat modeling Assessment Audit controls Penetration tests Deployment tests Configuration review Deployment review Code review Threat correlationSecure coding Configuration lockdown Content filtering Threat mitigation
Methodology, Scan and Attacks Footprinting & Discovery Enumeration & Crawling Attacks and Scanning Config Scanning Web Firewall Secure Coding Assets Secure Assets Black White Defense Code Scanning
Blackbox Footprinting & Discovery Profiling & Vulnerability assessment Manual Attacks Auto Attacks Defense Exploit
Review flow Architecture Review Scoping Footprinting Discovery Enumeration & Profiling Security Controls & Cases Vulnerability Assessment Threat Modeling Mitigation strategies Reporting Sample Security Control Categories – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
Challenges • Technology fingerprinting • Hidden calls • Framework integration • Entry points are multiple • Traditional fuzzing will not work • Auto assessment can be challenge • Behavioral assessment with Artificial intelligence
Whitebox Identified threats Identifying configuration and code blocks Configuration review Code review Security control Vulnerability detection
Review flow Architecture Review Scoping Threat Modeling Code Enumeration Security Controls & Cases Entry Point Discoveries Class, Function & Variable Tracing Code Mapping and Functionality Vulnerability Detection Mitigation Controls Reporting Sample Security Control Categories – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
Defense Vulnerabilities Identifying configuration and code blocks Code controls Configuration locks Defense strategies and policies Content filtering
Challenges • JavaScript code analysis • Logic on Client • Reverse engineering on code – Flash, Silverlight or Ajax • Server side issues and source code analysis • Web Services a major concern and its source security
Challenges • Filtering required for different streams • Code security on client side is needed as well • Browser and DOM security • Web application firewall – web 2.0 stream protection • Overall new approach for entry point analysis
Web 2.0 Challenges • How to identify possible hosts running the application? – Cross Domain. • Identifying Ajax and RIA calls • Dynamic DOM manipulations points • Identifying XSS and XSRF vulnerabilities for Web 2.0 • Discovering back end Web Services - SOAP, XML-RPC or REST. • How to fuzz XML and JSON structures? • Web Services assessment and audit • Client side code review • Mashup and networked application points
WhiteBox vs. BlackBox • Scope of coverage – Blackbox method uses crawling and spidering to determine all possible resources – Application assets are residing in JavaScript and various other tags in HTML, it makes asset detection very difficult and blackbox approach fails in many cases. – If one is using whitebox approach then not a single line of code will get missed and scope can be covered at 100%. Whitebox can do much better job when comes to covering the scope of the source.
WhiteBox vs. BlackBox • Discovery and Detection – Blackbox testing uses signature analysis for vulnerability detection. Example, it looks for ODBC error for SQL injection and so on. – If errrors are missing … – Blackbox fails in those cases – Whitebox good to go
WhiteBox vs. BlackBox • Accuracy of Vulnerability – Accuracy of vulnerability is very important as well. – Blackbox is inaccurate in some cases – Came up false +/-
WhiteBox vs. BlackBox • Cause Identification – One of the major challenges is to identify actual cause of the vulnerability. – Blackbox shows symptoms – Whitebox can pin point the cause
Conclusion

Recommandé

Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security TestingSmartBear
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentMarcelo Silva
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 

Recommandé

Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security TestingSmartBear
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentMarcelo Silva
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Owasp zap
Owasp zapOwasp zap
Owasp zappenetration Tester
 
AWS Cloud Security
AWS Cloud SecurityAWS Cloud Security
AWS Cloud SecurityAWS Riyadh User Group
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?Anton Chuvakin
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Mod security
Mod securityMod security
Mod securityShruthi Kamath
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security FundamentalsJosé Haro Peralta
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingRochester Security Summit
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security LifecycleApigee | Google Cloud
 
Microservices Technology Stack
Microservices Technology StackMicroservices Technology Stack
Microservices Technology StackEberhard Wolff
 
7 Software Development Security
7 Software Development Security7 Software Development Security
7 Software Development SecurityAlfred Ouyang
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM IntroductionAmazon Web Services
 
ASP.NET Core MVC + Web API with Overview
ASP.NET Core MVC + Web API with OverviewASP.NET Core MVC + Web API with Overview
ASP.NET Core MVC + Web API with OverviewShahed Chowdhuri
 
Cloud penetration testing
Cloud penetration testingCloud penetration testing
Cloud penetration testingvericlouds11
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software Shreeraj Shah
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingShreeraj Shah
 

Contenu connexe

Tendances

SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?Anton Chuvakin
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Microservices Technology Stack
Microservices Technology StackMicroservices Technology Stack
Microservices Technology StackEberhard Wolff
 
7 Software Development Security
7 Software Development Security7 Software Development Security
7 Software Development SecurityAlfred Ouyang
 
ASP.NET Core MVC + Web API with Overview
ASP.NET Core MVC + Web API with OverviewASP.NET Core MVC + Web API with Overview
ASP.NET Core MVC + Web API with OverviewShahed Chowdhuri
 
Cloud penetration testing
Cloud penetration testingCloud penetration testing
Cloud penetration testingvericlouds11
 

Tendances (20)

Security testing
Security testingSecurity testing
Security testing
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
Owasp zap
Owasp zapOwasp zap
Owasp zap
 
AWS Cloud Security
AWS Cloud SecurityAWS Cloud Security
AWS Cloud Security
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and Tools
 
Mod security
Mod securityMod security
Mod security
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
 
Microservices Technology Stack
Microservices Technology StackMicroservices Technology Stack
Microservices Technology Stack
 
7 Software Development Security
7 Software Development Security7 Software Development Security
7 Software Development Security
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM Introduction
 
ASP.NET Core MVC + Web API with Overview
ASP.NET Core MVC + Web API with OverviewASP.NET Core MVC + Web API with Overview
ASP.NET Core MVC + Web API with Overview
 
Cloud penetration testing
Cloud penetration testingCloud penetration testing
Cloud penetration testing
 

Similaire à Assessment methodology and approach

Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software Shreeraj Shah
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingShreeraj Shah
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsAlert Logic
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alAlert Logic
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsAlert Logic
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy AntonDevSecCon
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hackingblake101
 
Web Application Penetration Test
Web Application Penetration TestWeb Application Penetration Test
Web Application Penetration Testmartinvoelk
 
Root conf digitalskimming-v4_arjunbm
Root conf digitalskimming-v4_arjunbmRoot conf digitalskimming-v4_arjunbm
Root conf digitalskimming-v4_arjunbmArjun BM
 
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...MrityunjayaHikkalgut1
 
EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityLarry Ball
 
Web application security - Course overview
Web application security - Course overviewWeb application security - Course overview
Web application security - Course overviewSatish b
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
香港六合彩
香港六合彩香港六合彩
香港六合彩baoyin
 
Integrating security into the application development process
Integrating security into the application development processIntegrating security into the application development process
Integrating security into the application development processJerod Brennen
 

Similaire à Assessment methodology and approach (20)

Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hacking
 
Web Application Penetration Test
Web Application Penetration TestWeb Application Penetration Test
Web Application Penetration Test
 
Root conf digitalskimming-v4_arjunbm
Root conf digitalskimming-v4_arjunbmRoot conf digitalskimming-v4_arjunbm
Root conf digitalskimming-v4_arjunbm
 
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...
 
EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application Security
 
Web application security - Course overview
Web application security - Course overviewWeb application security - Course overview
Web application security - Course overview
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
Integrating security into the application development process
Integrating security into the application development processIntegrating security into the application development process
Integrating security into the application development process
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 

Plus de Blueinfy Solutions

Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and TestingBlueinfy Solutions
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseBlueinfy Solutions
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security TestingBlueinfy Solutions
 
Automation In Android & iOS Application Review
Automation In Android & iOS Application Review�Automation In Android & iOS Application Review�
Automation In Android & iOS Application ReviewBlueinfy Solutions
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and SecurityBlueinfy Solutions
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
XPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionXPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionBlueinfy Solutions
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationBlueinfy Solutions
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams SecurityBlueinfy Solutions
 

Plus de Blueinfy Solutions (20)

Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and Testing
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security Testing
 
Html5 on mobile
Html5 on mobileHtml5 on mobile
Html5 on mobile
 
Android secure coding
Android secure codingAndroid secure coding
Android secure coding
 
Android attacks
Android attacksAndroid attacks
Android attacks
 
Automation In Android & iOS Application Review
Automation In Android & iOS Application Review�Automation In Android & iOS Application Review�
Automation In Android & iOS Application Review
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hacking
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against Injections
 
XPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionXPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal Injection
 
Blind SQL Injection
Blind SQL InjectionBlind SQL Injection
Blind SQL Injection
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
 
SQL injection basics
SQL injection basicsSQL injection basics
SQL injection basics
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams Security
 

Dernier

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 

Dernier (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Assessment methodology and approach

  • 1. Methodologies and Challenges DAST & SAST Auto + Manual (must)
  • 4. Application Security Cycle Architecture Blackbox WhiteboxDefense Architecture Review Design Review Technology Review Threat modeling Assessment Audit controls Penetration tests Deployment tests Configuration review Deployment review Code review Threat correlationSecure coding Configuration lockdown Content filtering Threat mitigation
  • 5. Methodology, Scan and Attacks Footprinting & Discovery Enumeration & Crawling Attacks and Scanning Config Scanning Web Firewall Secure Coding Assets Secure Assets Black White Defense Code Scanning
  • 6. Blackbox Footprinting & Discovery Profiling & Vulnerability assessment Manual Attacks Auto Attacks Defense Exploit
  • 7. Review flow Architecture Review Scoping Footprinting Discovery Enumeration & Profiling Security Controls & Cases Vulnerability Assessment Threat Modeling Mitigation strategies Reporting Sample Security Control Categories – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
  • 8. Challenges • Technology fingerprinting • Hidden calls • Framework integration • Entry points are multiple • Traditional fuzzing will not work • Auto assessment can be challenge • Behavioral assessment with Artificial intelligence
  • 9. Whitebox Identified threats Identifying configuration and code blocks Configuration review Code review Security control Vulnerability detection
  • 10. Review flow Architecture Review Scoping Threat Modeling Code Enumeration Security Controls & Cases Entry Point Discoveries Class, Function & Variable Tracing Code Mapping and Functionality Vulnerability Detection Mitigation Controls Reporting Sample Security Control Categories – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
  • 11. Defense Vulnerabilities Identifying configuration and code blocks Code controls Configuration locks Defense strategies and policies Content filtering
  • 12. Challenges • JavaScript code analysis • Logic on Client • Reverse engineering on code – Flash, Silverlight or Ajax • Server side issues and source code analysis • Web Services a major concern and its source security
  • 13. Challenges • Filtering required for different streams • Code security on client side is needed as well • Browser and DOM security • Web application firewall – web 2.0 stream protection • Overall new approach for entry point analysis
  • 14. Web 2.0 Challenges • How to identify possible hosts running the application? – Cross Domain. • Identifying Ajax and RIA calls • Dynamic DOM manipulations points • Identifying XSS and XSRF vulnerabilities for Web 2.0 • Discovering back end Web Services - SOAP, XML-RPC or REST. • How to fuzz XML and JSON structures? • Web Services assessment and audit • Client side code review • Mashup and networked application points
  • 15. WhiteBox vs. BlackBox • Scope of coverage – Blackbox method uses crawling and spidering to determine all possible resources – Application assets are residing in JavaScript and various other tags in HTML, it makes asset detection very difficult and blackbox approach fails in many cases. – If one is using whitebox approach then not a single line of code will get missed and scope can be covered at 100%. Whitebox can do much better job when comes to covering the scope of the source.
  • 16. WhiteBox vs. BlackBox • Discovery and Detection – Blackbox testing uses signature analysis for vulnerability detection. Example, it looks for ODBC error for SQL injection and so on. – If errrors are missing … – Blackbox fails in those cases – Whitebox good to go
  • 17. WhiteBox vs. BlackBox • Accuracy of Vulnerability – Accuracy of vulnerability is very important as well. – Blackbox is inaccurate in some cases – Came up false +/-
  • 18. WhiteBox vs. BlackBox • Cause Identification – One of the major challenges is to identify actual cause of the vulnerability. – Blackbox shows symptoms – Whitebox can pin point the cause