T14 Thursday, May 18, 2006 1:30PM
SECURITY TESTING: ARE YOU A DEER IN THE HEADLIGHTS?
Ryan English, SPI Dynamics Inc
International Conference On Software Testing Analysis and Review, May 15-19, 2006, Orlando, Florida USA


  1. Title slide (repeats the presentation header: Security Testing: Are You a Deer in the Headlights? Ryan English, SPI Dynamics Inc)

  2. Ryan English (bio). Ryan English is the group product manager for SPI Dynamics' QAInspect(tm) Quality Assurance Security testing product line, overseeing product strategy and direction for the company's five Quality Assurance products. Prior to joining SPI Dynamics, Ryan was responsible for product management at Live Oak Technologies, a quality assurance software company. In addition, Ryan was a project manager for the supply chain software company VerticalNet, where he assisted in the strategic growth and development of their consulting division. Ryan has also led project management teams with MCI Worldcom and DayNine. Ryan is a seasoned speaker on the topic of security testing Web applications in QA and has spoken at several Quality Assurance industry events including Mercury World 2005.

  3. Do you feel Like a Deer in Headlights? Ryan English SPI Dynamics

  4. Simple Web Site Architecture (1996)

  5. Complex Web Architecture (2006)

  6. Web Applications Breach the Perimeter
      (Diagram: Internet, DMZ and trusted corporate inside; HTTP/HTTPS passes through to web servers IIS, SunOne, Apache; application platforms ASP, .NET, J2EE; databases MS-SQL, Oracle, DB2)

  7. Examples of Application Security Vulnerabilities
      (Table; headings include Application Mapping, Application Administration, Platform and Custom Application Scripting. The column assignment of the entries was lost in extraction.)
      • Backup Checking
      • Brute Force
      • Buffer Overflow
      • Common File Checks
      • Cookie Manipulation
      • Cookie Poisoning/Theft
      • Cross-site scripting
      • Data Extension Checking
      • Directory Enumeration
      • Extension Checking
      • Forceful Browsing
      • Hidden Web Paths
      • Known Vulnerabilities: BEA WebLogic, IBM WebSphere, Microsoft IIS
      • Parameter Manipulation
      • Path Truncation
      • Reverse Directory Traversal
      • SQL Injection

  8. Recent Application Security Attacks

  9. (Chart: relative cost of fixing a defect by phase, from Design and Development through Testing to Deployment)
      • Unit Test: 1X
      • Integration Testing: 6.5X
      • System/Acceptance Testing: 15X
      • Customers In the Field: 100X

  10. Implications of Application Security. 35 major identity theft cases were reported in the first half of 2005. Personal information of over 9.6 million individuals was stolen. Web application hacking was the most common method used. (Source: IDC)

  11. Value Proposition
      • Regulatory compliance policies like HIPAA, SOX, PCI, and GLBA
      • Identify areas of your application vulnerable to hacking, identity theft and phishing attacks
      • Reduce cost of outsourced or manual security testing
      • Big ROI with security testing during the quality process: it costs one-fifth as much to fix an application in QA as after deployment

  12. How Do Web Applications Communicate? (Network Layer)
      • Client connects to the server
      • Client sends request to server
      • Server responds to client
      • Connection is disconnected
        – HTTP is stateless
      (Diagram: Client PC (10.1.0.123) sends a Request to Server www.mybank.com (64.58.76.230) on port 80 and receives a Response)

  13. Securing the Network Layer
      • SSL (Secure Sockets Layer)
        – Provides encryption of data between a client and server
        – Typically guarantees to the client that the server is who it asserts itself to be
      (Diagram: Client PC (10.1.0.123) to Server www.mybank.com (64.58.76.230), port 443, SSL Tunnel)

  14. Securing the Network Layer
      • SSL
      • Firewalls
        – Allows or disallows traffic to pass from the external network to the internal network
        – Acts as a “traffic cop”
        – Port 80 (HTTP) and port 443 (HTTPS) travel freely through the firewall
      (Diagram: Client PC (10.1.0.123) to Server www.mybank.com (64.58.76.230), port 443, SSL Tunnel)

  15. Securing the Network Layer
      • SSL
      • Firewalls
      • IDS (Intrusion Detection System)
        – Monitors network for malicious activities
        – Typically signature based detection (similar to virus protection)
        – Blind to encrypted (SSL) traffic
      (Diagram: Client PC (10.1.0.123) to Server www.mybank.com (64.58.76.230), port 443, SSL Tunnel, with an IDS on the path)

  16. What is HTTP?
      • HTML Page
          <a href=http://www.test.me>Click Here</a>
      • Request (Client PC to Server)
          GET / HTTP/1.1
          Accept: */*
          Accept-Language: en-us
          Accept-Encoding: identity
          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
          Host: www.spidynamics.com
          Connection: Keep-Alive
      • Response (Server to Client PC)
          HTTP/1.1 200 OK
          Server: Microsoft-IIS/5.0
          Date: Mon, 07 Apr 2003 12:52:26 GMT
          Content-Length: 10225
          Content-Type: text/html
          Cache-control: private
          Set-Cookie: ASPSESSIONIDCSCRRCBS=GODPKFJDPJNMHGGJDOEIDDMK; path=/;

          <html>
          <body>

  17. How Does Your Application Work?
      • GET – Simple query string based request
      • POST – Contains POST data in the body of the request
      (Diagram: Web Application over HTTP over Network)

  18. HTTP – GET With a Query String
      • HTML Page
          <a href=http://www.test.me/banklogin.asp?serviceName=FreebankCaastAccess&ID=5>Click Here</a>
      • Request
          GET /banklogin.asp?serviceName=FreebankCaastAccess&templateName=prod_sel.forte&ID=5 HTTP/1.1
          Accept: */*
          Accept-Language: en-us
          Accept-Encoding: identity
          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
          Host: www.company.com
          Connection: Keep-Alive
          Cookie: ASPSESSIONIDCQABRCAA=DKBNDFFCLDKNPGFDDFJCLBDN
      • Response
          HTTP/1.1 200 OK
          Server: Microsoft-IIS/5.0
          Date: Fri, 04 Apr 2003 15:17:50 GMT
          Content-Length: 4183
          Content-Type: text/html
          Cache-control: private
          Set-Cookie: sessionid=25; path=/;
          Set-Cookie: state=GA; path=/;
          Set-Cookie: username=MrUser; path=/;
          Set-Cookie: userid=1538; path=/;

          <HTML>
          <HEAD>
          <TITLE></TITLE>
          </HEAD>
          <BODY>
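The exchanges on slides 16 and 18 are what a tester actually reads when checking an application: the query-string parameters the client controls and the cookies the server hands back. The following Python is an added example, not part of the presentation or of SPI Dynamics' products. It parses the slide 18 request and response (copied from the deck, with CRLF line endings as on the wire), extracts method, path, query parameters and cookies, and then runs a defender's check that flags cookies which look like identity or session state (sessionid, username, userid) but are set without the Secure or HttpOnly attributes. Secure and HttpOnly are real cookie attributes that the slides do not mention; the name heuristic IDENTITY_HINTS, the HttpMessage dataclass and the function names are this example's own.

```python
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Request and response from slide 18, copied from the deck (constructed sample input).
SLIDE18_REQUEST = (
    "GET /banklogin.asp?serviceName=FreebankCaastAccess&templateName=prod_sel.forte&ID=5 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: identity\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)\r\n"
    "Host: www.company.com\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: ASPSESSIONIDCQABRCAA=DKBNDFFCLDKNPGFDDFJCLBDN\r\n"
    "\r\n"
)

SLIDE18_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Fri, 04 Apr 2003 15:17:50 GMT\r\n"
    "Content-Length: 4183\r\n"
    "Content-Type: text/html\r\n"
    "Cache-control: private\r\n"
    "Set-Cookie: sessionid=25; path=/;\r\n"
    "Set-Cookie: state=GA; path=/;\r\n"
    "Set-Cookie: username=MrUser; path=/;\r\n"
    "Set-Cookie: userid=1538; path=/;\r\n"
    "\r\n"
    "<HTML><HEAD><TITLE></TITLE></HEAD><BODY>"
)


@dataclass
class HttpMessage:
    start_line: str
    headers: list  # (name, value) pairs in wire order; repeated names are kept
    body: str

    def get_all(self, name):
        """All values of a header, case-insensitively (Set-Cookie repeats)."""
        return [v for n, v in self.headers if n.lower() == name.lower()]


def parse_message(raw):
    """Split an HTTP/1.x message into start line, header pairs and body."""
    head, _sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return HttpMessage(lines[0], headers, body)


def request_parameters(req):
    """Method, path and the query-string parameters the client can edit freely."""
    method, target, _version = req.start_line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, dict(parse_qsl(parts.query))


def request_cookies(req):
    """Cookies the client sent back, merged from every Cookie header."""
    cookies = {}
    for value in req.get_all("Cookie"):
        for pair in value.split(";"):
            name, _, val = pair.strip().partition("=")
            if name:
                cookies[name] = val
    return cookies


def set_cookies(resp):
    """Each Set-Cookie header as (name, value, {attribute: value})."""
    result = []
    for value in resp.get_all("Set-Cookie"):
        fields = [f.strip() for f in value.split(";") if f.strip()]
        name, _, val = fields[0].partition("=")
        attrs = {}
        for f in fields[1:]:
            key, _, attr_val = f.partition("=")
            attrs[key.strip().lower()] = attr_val.strip()
        result.append((name, val, attrs))
    return result


# Hypothetical heuristic for cookie names that carry identity or session state.
IDENTITY_HINTS = ("user", "id", "session", "role", "admin")


def cookie_findings(resp):
    """Identity-looking cookies set without HttpOnly/Secure, as (name, missing attrs)."""
    findings = []
    for name, _value, attrs in set_cookies(resp):
        looks_like_identity = any(h in name.lower() for h in IDENTITY_HINTS)
        missing = [a for a in ("httponly", "secure") if a not in attrs]
        if looks_like_identity and missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    req = parse_message(SLIDE18_REQUEST)
    print(request_parameters(req), request_cookies(req))
    print(cookie_findings(parse_message(SLIDE18_RESPONSE)))
```

On the slide 18 response the check reports sessionid, username and userid, the three cookies whose values the server will later trust; state=GA is not flagged. Anything in this list is a candidate for the Cookie Manipulation and Cookie Poisoning checks from slide 7, because the client can rewrite those values on the next request.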
