security testing
play

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD - PowerPoint PPT Presentation

Jan 11, 2023 •172 likes •2.02k views

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security Group The Cyber Security lecture series 1 Agenda for today Part I Latest security news Security vulnerabilities in Java

  1. Black vs. White box Testing • Black box – Unknown internal structure – Study Input → Output correlation – Generic technique – Requires end-to-end system – May miss components • White box – Known internal structure – Analysis of internal structure – GUI not necessarily required – Thorough testing and debugging – Time consuming 57

  2. Classes of Security Testing • Manual vs. Automated Testing • Static vs. Dynamic Testing • Black vs. White box Testing Manual Automated Static Dynamic Blackbox Whitebox Reverse Risk Code Engineering Analysis checking Dynamic Penetration Tainting Fuzzing validation testing 58

  3. Static Application Security Testing • Reverse engineering (System level) – Disassemble application to extract internal structure – Black box to White box – Useful for gaining information 59

  4. Static Application Security Testing • Reverse engineering (System level) • Risk-based testing (Business level) – Model worst case scenarios – Threat modelling for test case generation 60

  5. Static Application Security Testing • Reverse engineering (System level) • Risk-based testing (Business level) • Static code checker (Unit level) – Checks for rule violations via code structure – Parsers, Control Flow graphs, Data flow analysis – Identifies bad coding practices, potential security issues, etc. 61

  6. Classes of Security Testing • Manual vs. Automated Testing • Static vs. Dynamic Testing • Black vs. White box Testing Manual Automated Static Dynamic Blackbox Whitebox Reverse Risk Code Engineering Analysis checking Dynamic Penetration Tainting Fuzzing validation testing 62

  7. Dynamic Application Security Testing • Taint analysis – Tracking variable values controlled by user • Fuzzing – Bombard with garbage data to cause crashes • Dynamic validation – Functional testing based on requirements • Penetration testing – End-to-end black box testing Topic for next lecture 63

  8. Summary Part I • Java vulnerabilities have large attack surfaces • Crucial to adapt Secure SDLC • Threat modelling can drive test case generation • Static analysis checks code without executing it • Dynamic analysis executes code and observes behavior 64

  9. Quiz Time! Which type of testing aims to convert a black box system to white box? Reverse Engineering 65

  10. Quiz Time! Which vulnerability allows a remote attacker to change which instruction will be executed next? Remote Code Execution 66

  11. Quiz Time! Why is Java safe from buffer overflows? It’s not! 67

  12. Agenda for today • Part I – Latest security news – Security vulnerabilities in Java – Types of Security testing • SAST vs. DAST • Part II – SAST under the hood • Pattern Matching • Control Flow Analysis • Data Flow Analysis – SAST Tools performance 68

  13. Why doesn’t the perfect static analysis tool exist? 69

  14. Static Analysis • Soundness • Completeness 70

  15. Static Analysis • Soundness – No missed vulnerability (0 FNs) – No alarm → no vulnerability exists • Completeness 71

  16. Static Analysis • Soundness – No missed vulnerability (0 FNs) – No alarm → no vulnerability exists • Completeness – No false alarms (0 FPs) – Raises an alarm → vulnerability found 72

  17. Static Analysis • Soundness – No missed vulnerability (0 FNs) – No alarm → no vulnerability exists • Completeness – No false alarms (0 FPs) – Raises an alarm → vulnerability found • Ideally: ↑ Soundness + ↑ Completeness • Reality: Compromise on FPs or FNs 73

  18. Usable SAST Tools • ↓ FPs vs. ↓ FNs • ↑ Interpretability • ↑ Scalability 74

  19. SAST under the hood Pattern matching Regular expressions 75

  20. SAST under the hood Pattern matching Syntax analysis Abstract Syntax Tree Regular Control flow Data flow expressions graph analysis 76

  21. Pattern Matching • Look for predefined patterns in code – Regular Expressions – Finite State Automata 77

  22. Pattern Matching • Look for predefined patterns in code – Regular Expressions – Finite State Automata • Find all instances of “bug” g u b !u !g !b 78

  23. Pattern Matching • Look for predefined patterns in code – Regular Expressions – Finite State Automata • Find all instances of “bug” g u b !u !g bug !b 79

  24. Pattern Matching • Look for predefined patterns in code – Regular Expressions – Finite State Automata • Find all instances of “bug” g u b !u !g bug !b 80

  25. Pattern Matching • Look for predefined patterns in code – Regular Expressions – Finite State Automata • Find all instances of “bug” g u b !u !g bug !b 81

  26. Pattern Matching • Look for predefined patterns in code – Regular Expressions – Finite State Automata • Find all instances of “bug” g u b !u !g bug !b 82

  27. Pattern Matching • Look for predefined patterns in code – Regular Expressions – Finite State Automata • Find all instances of “bug” g u b !u !g bug !b 83

  28. Pattern Matching • Look for predefined patterns in code – Regular Expressions – Finite State Automata • Find all instances of “bug” g u b !u Match! !g bug !b 84

  29. Pattern Matching via Regex • Look for predefined patterns in code – Regular Expressions – Finite State Automata • Find all instances of “bug” g u b !u !g bag !b 85

  30. Pattern Matching via Regex • Look for predefined patterns in code – Regular Expressions – Finite State Automata • Find all instances of “bug” g u b !u !g bag !b 86

  31. Pattern Matching via Regex • Look for predefined patterns in code – Regular Expressions – Finite State Automata • Find all instances of “bug” g u b !u !g bag !b 87

  32. Pattern Matching via Regex • Look for predefined patterns in code – Regular Expressions – Finite State Automata • Find all instances of “bug” g u b !u !g bag !b 88

  33. Pattern Matching via Regex • Look for predefined patterns in code – Regular Expressions – Finite State Automata • Find all instances of “bug” g u b !u !g bag !b No Match! 89

  34. Pattern Matching via Regex • Look for predefined patterns in code – Regular Expressions – Finite State Automata • Find all instances of “.*bug” g u b !u !g !b 90

  35. Pattern Matching via Regex • Look for predefined patterns in code – Regular Expressions – Finite State Automata • Find all instances of “.*bug” g u b !b !u !g 91

  36. Pattern Matching via Regex • Look for predefined patterns in code – Regular Expressions – Finite State Automata • Find all instances of “.*bug.*” g u b anything !b !u !g 92

  37. Pattern Matching via Regex • Finds low hanging fruit – Misconfigurations (port 22 open for everyone) – Bad imports (System.io.*) – Call to dangerous functions (strcpy, memcpy) 93

  38. Pattern Matching via Regex • Finds low hanging fruit – Misconfigurations (port 22 open for everyone) – Bad imports (System.io.*) – Call to dangerous functions (strcpy, memcpy) • Shortcomings – Lots of FPs – Limited support 94

  39. Pattern Matching via Regex • Finds low hanging fruit – Misconfigurations (port 22 open for everyone) – Bad imports (System.io.*) – Call to dangerous functions (strcpy, memcpy) • Shortcomings – Lots of FPs – Limited support 95

  40. Pattern Matching via Regex • Finds low hanging fruit – Misconfigurations (port 22 open for everyone) – Bad imports (System.io.*) – Call to dangerous functions (strcpy, memcpy) • Shortcomings – Lots of FPs – Limited support 96

  41. Syntactic Analysis • Performed via Parsers Parse Tree Stream Tokens Lexer Parser • Tokens → Hierarchal data structures – Parse Tree – Concrete representation – Abstract Syntax Tree – Abstract representation 97

  42. Abstract Syntax Tree (AST) 98

  43. Abstract Syntax Tree (AST) 99

  44. Abstract Syntax Tree (AST) SUB 5 1 100

Recommend

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web applications work What does the tooling landscape look like How does automated security testing fail What can we do Image courtesy of

583 views • 56 slides
Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E. Simos SBA Research Applied & Computational Mathematics Division Seminar Series National Institute of Standards and Technology (NIST) Gaithersburg,

675 views • 50 slides
Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Security testing vs regular testing Regular testing aims to

1.06k views • 54 slides
Continuous Application Security Testing Presented by:

Continuous Application Security Testing Presented by:

W14 Security Testing Wednesday, October 23rd, 2019 3:00 PM Continuous Application Security Testing Presented by: Josh Gibbs

306 views • 4 slides
Security testing for hardware product : the security evaluations practice 1 DCIS/SASTI/CESTI

Security testing for hardware product : the security evaluations practice 1 DCIS/SASTI/CESTI

Alain MERLE CESTI LETI CEA Grenoble Alain.merle@cea.fr Security testing for hardware product : the security evaluations practice 1 DCIS/SASTI/CESTI Abstract What are you doing in ITSEFs ? Testing, Security testing, Attacks,

809 views • 23 slides
Security Testing beyond Functional Tests David Basin ETH Zurich June, 2017 Associated

Security Testing beyond Functional Tests David Basin ETH Zurich June, 2017 Associated

Security Testing beyond Functional Tests David Basin ETH Zurich June, 2017 Associated Publication: Mohammad Torabi Dashti, David Basin: Security Testing Beyond Functional Tests. ESSoS 2016. Security Testing

722 views • 38 slides
Software Security Process & Testing a primer for quality professionals Fred Pinkett VP,

Software Security Process & Testing a primer for quality professionals Fred Pinkett VP,

Software Security Process & Testing a primer for quality professionals Fred Pinkett VP, Product Management Security Innovation About Security Innovation Application Security Experts 10+ years research on vulnerabilities Security

690 views • 49 slides
Combinatorial Testing Rick Kuhn NIST Computer Security Division NIST Combinatorial Testing

Combinatorial Testing Rick Kuhn NIST Computer Security Division NIST Combinatorial Testing

Combinatorial Testing Rick Kuhn NIST Computer Security Division NIST Combinatorial Testing Applying empirical results to reduce the cost of testing. Example: 2.5 year study ~ 20% lower test development cost and 20% - 50% better

479 views • 13 slides
Security Regression Addressing Security Regression by Unit Testing Christopher Grayson

Security Regression Addressing Security Regression by Unit Testing Christopher Grayson

Security Regression Addressing Security Regression by Unit Testing Christopher Grayson @_lavalamp Introduction WHOAMI ATL Web development Academic researcher Haxin all the things (but I rlllly like networks) Founder

472 views • 35 slides
CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing Improving Security Testing or Collect security errors Derive Patterns Improving Performance Improving Performance 1. Take the code 2. Point out

423 views • 9 slides
Broadcasting your attack: Security testing DAB radio in cars Andy Davis, Research Director

Broadcasting your attack: Security testing DAB radio in cars Andy Davis, Research Director

Broadcasting your attack: Security testing DAB radio in cars Andy Davis, Research Director Image: computerworld.com.au Agenda Who am I and why am I interested in security testing DAB? Overview of DAB How do we broadcast DAB?

790 views • 33 slides
ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure

ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure

Empowering Security Teams ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure EDSA Certification Communication/Network Robustness Testing (CRT) CRT examines the capability of the device to

859 views • 33 slides
Shuntaint: Emulation-based Security Testing for Formal Verification Bruno Luiz

Shuntaint: Emulation-based Security Testing for Formal Verification Bruno Luiz

Shuntaint: Emulation-based Security Testing for Formal Verification Bruno Luiz ramosblc@gmail.com Black Hat Europe 2009 Overview Give a brief overview of the emulation- based security testing Introduction to VEX Formalism

376 views • 26 slides
Model-Based Security M. Ochoa Verification and Testing for F. Bouquet Smart-Cards J. Bottela

Model-Based Security M. Ochoa Verification and Testing for F. Bouquet Smart-Cards J. Bottela

Model-Based Security M. Ochoa Verification and Testing for F. Bouquet Smart-Cards J. Bottela E.Fourneret J.Jurjens P. Yousefi ARES 2011 OUTLINE Introduction Background UMLsec Model-based Testing Security in smart-card

356 views • 17 slides
802.11 Security & Pen Testing Fengwei Zhang Constantinos Kolias SUSTech CS 315 Computer

802.11 Security & Pen Testing Fengwei Zhang Constantinos Kolias SUSTech CS 315 Computer

802.11 Security & Pen Testing Fengwei Zhang Constantinos Kolias SUSTech CS 315 Computer Security 1 Wireless Communications: Advantages & Disadvantages Makes communication possible where cables dont reach Convenience

399 views • 17 slides
Topics in Security Testing [Reading assignment: Chapter 13, pp. 193-209. Note that many more

Topics in Security Testing [Reading assignment: Chapter 13, pp. 193-209. Note that many more

Topics in Security Testing [Reading assignment: Chapter 13, pp. 193-209. Note that many more topics are covered in these slides and in class.] Computer Security The goal of computer security is to protect computer assets ( e.g., servers,

1.53k views • 119 slides
CS527 Software Security Program Testing Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Program Testing Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Program Testing Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Why testing? Testing is the process of executing a program to find errors. An error is a deviation between observed

391 views • 38 slides
CS412 Software Security Program Testing Fuzzing Mathias Payer EPFL, Spring 2019 Mathias

CS412 Software Security Program Testing Fuzzing Mathias Payer EPFL, Spring 2019 Mathias

CS412 Software Security Program Testing Fuzzing Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Why testing? Testing is the process of executing a program to find errors. An error is a deviation between observed

657 views • 39 slides
NIST Combinatorial Testing project Goals reduce testing cost, improve cost-benefit ratio

NIST Combinatorial Testing project Goals reduce testing cost, improve cost-benefit ratio

Combinatorial Methods in Software Testing Rick Kuhn National Institute of Standards and Technology Gaithersburg, MD Federal Computer Security Managers Forum, Dec. 6, 2011 NIST Combinatorial Testing project Goals reduce testing cost,

491 views • 46 slides
CS412 Software Security Program Testing Sanitization Mathias Payer EPFL, Spring 2019

CS412 Software Security Program Testing Sanitization Mathias Payer EPFL, Spring 2019

CS412 Software Security Program Testing Sanitization Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Why testing? Testing is the process of executing a program to find errors. An error is a deviation between

503 views • 28 slides
Hacking NodeJS applications for fun and profit Testing NodeJS Security by @jmortegac Agenda

Hacking NodeJS applications for fun and profit Testing NodeJS Security by @jmortegac Agenda

Hacking NodeJS applications for fun and profit Testing NodeJS Security by @jmortegac Agenda Introduction nodejS security Npm security packages Node Goat project Tools Node JS JavaScript in the backend Built on

762 views • 43 slides
A Strategy for Security Testing Industrial Firewalls Thuy D. Nguyen Steve C. Austin Cynthia E.

A Strategy for Security Testing Industrial Firewalls Thuy D. Nguyen Steve C. Austin Cynthia E.

A Strategy for Security Testing Industrial Firewalls Thuy D. Nguyen Steve C. Austin Cynthia E. Irvine Department of Computer Science Naval Postgraduate School December 10, 2019 Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 1

643 views • 35 slides
Adaptive Application Security Testing Model Ashish Khandelwal Gunankar Tyagi Agendum

Adaptive Application Security Testing Model Ashish Khandelwal Gunankar Tyagi Agendum

Adaptive Application Security Testing Model Ashish Khandelwal Gunankar Tyagi Agendum Confidential McAfee Internal Use Only Security Testing Confidential McAfee Internal Use Only Cost Impact m suffered a heavy The TJX Company breach, which m

429 views • 20 slides

More recommend