SlideShare une entreprise Scribd logo

nullcon 2010 - Penetration Testing versus Source Code Review

n|u - The Open Security Community
n|u - The Open Security Community

nullcon 2010 Penetration Testing versus Source Code Review - by Nikhil Wagholikar http://nullcon.net http://null.co.in

Technologie
1  sur  3
Télécharger pour lire hors ligne
Penetration Testing versus Source Code Review 1. Penetration Testing vs. Source Code Review Within the domain of application security assessments, there are multiple approaches that can be considered. The most common ones are black-box penetration testing, application design review and source code reviews. Of course, more arcane ones such as reverse engineering or binary analysis can also be considered in specific situations. But for the moment, let’s focus on the two most common approaches to application security assessments – penetration testing and source code review. Currently, there is a debate raging within the information security community as to which approach is better, with some participants going so far as to say that penetration testing is dead! (ref). With the experience of having performed hundreds of penetration tests and dozens of source code reviews, I have come to the conclusion that each technique has its own place. It is also extremely worthwhile for the developer and security communities to be aware of the advantages and disadvantages of both the techniques. In fact, in my judgment a well-timed combination of both approaches can be extremely beneficial in identifying and fixing security issues at the earliest. Let’s look at some of the issues that we have discovered in penetration tests, which would be near to impossible to discover in a source code review. Penetration Testing Risk-based testing Nowadays, even penetration tests are becoming risk-based. This means, that we spend time learning about the business of the client and the risks to the business through the Internet based infrastructure – primarily web applications – in order to focus our penetration testing work in line with these risks. A source code review can never simulate the penetration testing approach, which requires building business-specific test cases, and then testing for those. For example, during the penetration test of a local search engine website, the business risk is not so much from a cross-site scripting, as it would be from someone running repeated search requests, downloading the HTML results, and then parsing the results to recreate the database – essentially an online data mining attack. Similarly, while pen-testing an ERP system, the emphasis would not be so much on unpatched vulnerabilities, as it would be on executing attacks that would simulate a financial fraud. For instance, can we violate the existing access controls to not only accept vendor quotations, but also to approve a selected vendor, under the guise of Confidential Page 1
Penetration Testing versus Source Code Review another user? So privilege escalation attacks would be of far greater consequence than regular SQL injection and cross-site scripting attacks. Search engine indexing faulty During a recent penetration test, we found a search functionality on the web application, and upon entering interesting words such as “password” and “administrator”, some very interesting documents were revealed. Upon further searching, we discovered that the terms “.jpg”, and “.bmp” revealed scanned copies of customers’ personal information such as driving licenses and passport copies. Again, it is difficult to imagine a source code review discovering these sorts of issues. Weak Authentication Mechanisms While static source code analysis tools would be able to discover weak authentication schemes (pages, which allow access without authentication), specific issues such as weak CAPTCHA implementations, or if the web application allows short and weak passwords to be selected, could be obtained from a penetration test more easily than from an automated source code review. A manual source code review would possibly be able to discover these flaws. Similarly, the ability to enumerate users due to different error messages (one when the username is incorrect, and another one when the password is incorrect), is also easily discovered in a penetration test. In another instance, we discovered that the credit card numbers were being shown up in plaintext. An automated source code review failed to show up these issues. {Other points yet to work on: Configuration issues with the web server and the operating system Manipulation of business rules, such as for web-based ERPs in terms of transaction processing controls being violated Source code not being available, of course means penetration testing is the only option Where it is a regulatory requirement – such as for Internet Banking} Source Code Reviews Code review is systematic examination of computer source code intended to find and fix mistakes and security vulnerabilities overlooked in the initial development phase, improving both the overall quality of software and the developers' skills. Largely source code developers encounter two typical errors/mistakes/issues/hurdles: Confidential Page 2
Penetration Testing versus Source Code Review Implementation errors: These quality-style defects in code are fairly atomic, and typically stand alone when identified, and remediation is applied. They are caused by bad or "loose" programming practices. Examples include buffer overflows, which result from mismanagement of memory, and race conditions, which result from call timing mismatches. Design errors: These include the failure to utilize or adequately implement security related functions. This includes authentication, encryption, and the use of insecure external code types, and validation of data input and application output. Source code reviews can be done in couple of ways – manual or automated. Even manual reviews cannot look through each line of code, but are supposed to identify key functions and then review those. An automated source code review looks through the call-tree using proprietary algorithms, and offers the following distinct advantages over a penetration test: Unlike PT, it’s more of a white box approach to testing the application. This gives the in-sight of the application security issues. Identify weak encryption algorithms or weak implementation of strong encryption algorithms, such as by choosing a shorter key length or insecure storage of the key Almost the complete set of cross-site scripting and SQL injection possible vulnerabilities. A penetration test in contrast ends up finding fewer of these, as some of them are missed out by both manual as well as automated pen-testing methods Getting down to the root-function that is vulnerable. A pen-test will typically identify the web page or form that is vulnerable, but a source code review will drill down to the common function or module, which when fixed, would end up resolving multiple security issues, thus providing for a tremendous savings in time and cost With source code reviews being embedded into IDEs, developers can identify and fix security issues almost immediately. This tremendously reduces the cost of fixing application security issues. SCR can also check whether secure coding practices and other development practices have been followed or not It could happen that in black box PT, the pen tester might miss out certain security vulnerabilities in the application. This possibility is very less in SCR, since the whole source is in-front. {Other points yet to be added here in support of source code reviews} Confidential Page 3

Recommandé

Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011Matt Raible
 
Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)n|u - The Open Security Community
 
Osint primer
Osint primerOsint primer
Osint primern|u - The Open Security Community
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsn|u - The Open Security Community
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primaryn|u - The Open Security Community
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3n|u - The Open Security Community
 

Recommandé

Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011Matt Raible
 
Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)n|u - The Open Security Community
 
Osint primer
Osint primerOsint primer
Osint primern|u - The Open Security Community
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsn|u - The Open Security Community
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primaryn|u - The Open Security Community
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3n|u - The Open Security Community
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLFn|u - The Open Security Community
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teamingn|u - The Open Security Community
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logsn|u - The Open Security Community
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodann|u - The Open Security Community
 
Cloud security
Cloud security Cloud security
Cloud security n|u - The Open Security Community
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windowsn|u - The Open Security Community
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usagen|u - The Open Security Community
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Processn|u - The Open Security Community
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Securityn|u - The Open Security Community
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacksn|u - The Open Security Community
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackersn|u - The Open Security Community
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentestingn|u - The Open Security Community
 
News bytes null 200314121904
News bytes null 200314121904News bytes null 200314121904
News bytes null 200314121904n|u - The Open Security Community
 
XXE
XXEXXE
XXEn|u - The Open Security Community
 
News Bytes
News BytesNews Bytes
News Bytesn|u - The Open Security Community
 
Introduction to YARA rules
Introduction to YARA rulesIntroduction to YARA rules
Introduction to YARA rulesn|u - The Open Security Community
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrfn|u - The Open Security Community
 
Social engineering
Social engineeringSocial engineering
Social engineeringn|u - The Open Security Community
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Contenu connexe

Plus de n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Plus de n|u - The Open Security Community (20)

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
News bytes null 200314121904
News bytes null 200314121904News bytes null 200314121904
News bytes null 200314121904
 
XXE
XXEXXE
XXE
 
News Bytes
News BytesNews Bytes
News Bytes
 
Introduction to YARA rules
Introduction to YARA rulesIntroduction to YARA rules
Introduction to YARA rules
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
 
Social engineering
Social engineeringSocial engineering
Social engineering
 

Dernier

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Dernier (20)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

nullcon 2010 - Penetration Testing versus Source Code Review

  • 1. Penetration Testing versus Source Code Review 1. Penetration Testing vs. Source Code Review Within the domain of application security assessments, there are multiple approaches that can be considered. The most common ones are black-box penetration testing, application design review and source code reviews. Of course, more arcane ones such as reverse engineering or binary analysis can also be considered in specific situations. But for the moment, let’s focus on the two most common approaches to application security assessments – penetration testing and source code review. Currently, there is a debate raging within the information security community as to which approach is better, with some participants going so far as to say that penetration testing is dead! (ref). With the experience of having performed hundreds of penetration tests and dozens of source code reviews, I have come to the conclusion that each technique has its own place. It is also extremely worthwhile for the developer and security communities to be aware of the advantages and disadvantages of both the techniques. In fact, in my judgment a well-timed combination of both approaches can be extremely beneficial in identifying and fixing security issues at the earliest. Let’s look at some of the issues that we have discovered in penetration tests, which would be near to impossible to discover in a source code review. Penetration Testing Risk-based testing Nowadays, even penetration tests are becoming risk-based. This means, that we spend time learning about the business of the client and the risks to the business through the Internet based infrastructure – primarily web applications – in order to focus our penetration testing work in line with these risks. A source code review can never simulate the penetration testing approach, which requires building business-specific test cases, and then testing for those. For example, during the penetration test of a local search engine website, the business risk is not so much from a cross-site scripting, as it would be from someone running repeated search requests, downloading the HTML results, and then parsing the results to recreate the database – essentially an online data mining attack. Similarly, while pen-testing an ERP system, the emphasis would not be so much on unpatched vulnerabilities, as it would be on executing attacks that would simulate a financial fraud. For instance, can we violate the existing access controls to not only accept vendor quotations, but also to approve a selected vendor, under the guise of Confidential Page 1
  • 2. Penetration Testing versus Source Code Review another user? So privilege escalation attacks would be of far greater consequence than regular SQL injection and cross-site scripting attacks. Search engine indexing faulty During a recent penetration test, we found a search functionality on the web application, and upon entering interesting words such as “password” and “administrator”, some very interesting documents were revealed. Upon further searching, we discovered that the terms “.jpg”, and “.bmp” revealed scanned copies of customers’ personal information such as driving licenses and passport copies. Again, it is difficult to imagine a source code review discovering these sorts of issues. Weak Authentication Mechanisms While static source code analysis tools would be able to discover weak authentication schemes (pages, which allow access without authentication), specific issues such as weak CAPTCHA implementations, or if the web application allows short and weak passwords to be selected, could be obtained from a penetration test more easily than from an automated source code review. A manual source code review would possibly be able to discover these flaws. Similarly, the ability to enumerate users due to different error messages (one when the username is incorrect, and another one when the password is incorrect), is also easily discovered in a penetration test. In another instance, we discovered that the credit card numbers were being shown up in plaintext. An automated source code review failed to show up these issues. {Other points yet to work on: Configuration issues with the web server and the operating system Manipulation of business rules, such as for web-based ERPs in terms of transaction processing controls being violated Source code not being available, of course means penetration testing is the only option Where it is a regulatory requirement – such as for Internet Banking} Source Code Reviews Code review is systematic examination of computer source code intended to find and fix mistakes and security vulnerabilities overlooked in the initial development phase, improving both the overall quality of software and the developers' skills. Largely source code developers encounter two typical errors/mistakes/issues/hurdles: Confidential Page 2
  • 3. Penetration Testing versus Source Code Review Implementation errors: These quality-style defects in code are fairly atomic, and typically stand alone when identified, and remediation is applied. They are caused by bad or "loose" programming practices. Examples include buffer overflows, which result from mismanagement of memory, and race conditions, which result from call timing mismatches. Design errors: These include the failure to utilize or adequately implement security related functions. This includes authentication, encryption, and the use of insecure external code types, and validation of data input and application output. Source code reviews can be done in couple of ways – manual or automated. Even manual reviews cannot look through each line of code, but are supposed to identify key functions and then review those. An automated source code review looks through the call-tree using proprietary algorithms, and offers the following distinct advantages over a penetration test: Unlike PT, it’s more of a white box approach to testing the application. This gives the in-sight of the application security issues. Identify weak encryption algorithms or weak implementation of strong encryption algorithms, such as by choosing a shorter key length or insecure storage of the key Almost the complete set of cross-site scripting and SQL injection possible vulnerabilities. A penetration test in contrast ends up finding fewer of these, as some of them are missed out by both manual as well as automated pen-testing methods Getting down to the root-function that is vulnerable. A pen-test will typically identify the web page or form that is vulnerable, but a source code review will drill down to the common function or module, which when fixed, would end up resolving multiple security issues, thus providing for a tremendous savings in time and cost With source code reviews being embedded into IDEs, developers can identify and fix security issues almost immediately. This tremendously reduces the cost of fixing application security issues. SCR can also check whether secure coding practices and other development practices have been followed or not It could happen that in black box PT, the pen tester might miss out certain security vulnerabilities in the application. This possibility is very less in SCR, since the whole source is in-front. {Other points yet to be added here in support of source code reviews} Confidential Page 3