Application Security on a Dime
Open Technologies, Tools, and Techniques for Running a Blossoming InfoSec Program
POSSCON – Columbia, SC April 2015
Application Security on a Dime: A Practical Guide to Using Functional Open Source Tools to Test, Validate, Harden Code, Systems, and Even People
Anyone run Wordpress?
Wordpress hacks are bountiful. Secure them using the latest hardening guidelines: http://codex.wordpress.org/Hardening_WordPress
Test #WordPress using WPScan (http://wpscan.org/), a blackbox vuln scanner. #posscon #appsec
Open Source Security Facilitated By…
And especially…..
A hacker’s gateway drug to online perdition......or just a really helpful search engine.
Who am I? Why should you listen | care?
  20 years of IT / InfoSec experience
  Utility | Fed | Banking | Retail | Healthcare | Information Services | Hosting | Financial Services | Manufacturing | Insurance | Real Estate
  Former developer | sysadmin | network engineer | iso | security engineer | security architect | security assessor | security director | ciso |
  Author ‘Risk Centric Threat Modeling’, Wiley Life Sciences 2015 – comprehensive walk through security principles
  Started security consulting firm in 2007 – www.versprite.com
  Presentation based upon hands-on work and global travels working with both large enterprises and SMB
SECURITY CULTURE BEGINS W/ GOVERNANCE
Establish a framework and ecosystem of security processes and tools.
  Establish Governance
  Security Requirements & Resources
  Implementation of S-SDLC
  Use Security Frameworks
  Test and Test Early
  Track Defects
Before you begin, know inherent challenges
Challenges in AppSec
  Isolated SDLC Efforts
  Anti-Security Culture
  Expanding heterogeneous tech stack
  Decentralizing management
  Security is not built into IT functions early on
  Targeted attacks
  Open intel on application components
Sound Solutions
A BIT ABOUT OWASP
Open Web Application Security Project
Intro to OWASP
§  Open Web Application Security Project
§  Community driven; 11 years old
§  Dedicated to openness of all content & materials
§  International community focused on AppSec
§  X-cultural, X-industry related challenges exposed and addressed.
§  Massively supportive and responsive.
§  Follow @OWASP
GOVERNANCE
Without governance, your security program will sink.
Unless you have this appear on all your servers…
…governance is the better starting point
Security Governance | Operations | Risk Management | Compliance
Although a key business driver, don’t let Compliance eclipse Security. #POSSCON
Provides structure to a security program.
Makes security actionable but can be known to be a black hole to security $$$.
Everyone’s security threat is not yours.
Don’t believe the FUD; make risk based security decisions.
Policies, Standards, Guidelines
  Policies provide accountability
  Standards govern technology
  Guidelines provide “best practices”
  Framework for enterprise operations
  Creates baseline of what is ‘secure’ and ‘acceptable’ in terms of risk
Each Security Component Can Warrant Governance
{Program} Governance: NIST 800-100 | NIST 800-39 | OpenSAMM
Incident Response: NIST 800-53r4 | NIST 800-61r2 | NIST CSF
Secure Development: NIST 800-100 | NIST 800-39 | OpenSAMM
Security Testing: OWASP ASVS | OWASP Testing Guide v4 | PTES
Security Awareness: Mostly tool based
OWASP Open SAMM
! The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
! Benefits
" Evaluate your organization's existing software security practices
" Build a balanced software security program in well-defined iterations.
" Demonstrate concrete improvements
http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
Wide Scope Covered by OpenSAMM
! Supports a Security Plan or Roadmap
! Establish governance
! Perform against assessments
! Test and Report
! Enhance Security Operations
! Building a S-SDLC Initiative
! Measures success/ shortcomings
! Provides metrics for reporting
http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
OpenSAMM Key Links
  Main link to OpenSAMM gateway of resources
https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
  Latest on the global initiative
https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
SECURE CODING & SECURITY ARCHITECTURE
Simple considerations of secure coding & security architecture can lay a foundation of security for your development efforts.
OWASP Developer Guide
https://github.com/OWASP/DevGuide
OWASP Developer Cheat Sheets
  Clickjacking Defense Cheat Sheet
  C-Based Toolchain Hardening Cheat Sheet
  Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
  Cryptographic Storage Cheat Sheet
  DOM based XSS Prevention Cheat Sheet
  Forgot Password Cheat Sheet
  HTML5 Security Cheat Sheet
  Input Validation Cheat Sheet
  JAAS Cheat Sheet
  Logging Cheat Sheet
  .NET Security Cheat Sheet
  OWASP Top Ten Cheat Sheet
  Password Storage Cheat Sheet
  Pinning Cheat Sheet
  Query Parameterization Cheat Sheet
  Ruby on Rails Cheat sheet
  REST Security Cheat Sheet
  Session Management Cheat Sheet
  SQL Injection Prevention Cheat Sheet
  Transport Layer Protection Cheat Sheet
  Unvalidated Redirects and Forwards Cheat Sheet
  User Privacy Protection Cheat Sheet
  Web Service Security Cheat Sheet
  XSS (Cross Site Scripting) Prevention Cheat Sheet
  Attack Surface Analysis Cheat Sheet
  XSS Filter Evasion Cheat Sheet
  REST Assessment Cheat Sheet
  IOS Developer Cheat Sheet
  Mobile Jailbreaking Cheat Sheet
OpSec Cheat Sheets (Defender)
  Virtual Patching Cheat Sheet
S-SDLC/ Building Security-In
OWASP Developer References
Educate
  OWASP WebGoat
  • Exercise successful implementation of OWASP Countermeasures
  OWASP Top Ten
  • Ranks top web app related risks
  • Serves as a good scope for initial testing
Develop
  OWASP Code Review
  • Methodology for Source Code Reviews
  OWASP Development Guide
  • Establishes a process for secure development efforts across various SDLCs
  OWASP Cheat Sheet Series
  OWASP Countermeasures
  • OWASP CSRFGuard
  • OWASP AntiSamy
Test
  OWASP Zed Attack Proxy
  • Test against OWASP Top Ten
  • Use in conformance to Testing Guide
  OWASP YASCA
  • Leverages FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, RATS, and Pixy to scan
OWASP Developer Guide
https://github.com/OWASP/DevGuide
OWASP Cheat Sheet Snippet
Insecure Direct object references
It may seem obvious, but if you had a bank account REST web service, you have to make sure there is adequate checking of primary and foreign keys:
https://example.com/account/325365436/transfer?amount=$100.00&toAccount=473846376
In this case, it would be possible to transfer money from any account to any other account, which is clearly insane. Not even a random token makes this safe.
https://example.com/invoice/2362365
In this case, it would be possible to get a copy of all invoices.
Please make sure you understand how to protect against insecure direct object references in the OWASP Top 10 2010.
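The transfer and invoice cases above, as an added Python example that is not from the OWASP cheat sheet or the slides: a handler that trusts the account number in the URL beside a hardened one that resolves the reference and checks ownership in one step. The account and invoice numbers are the cheat sheet's; the users, balances, `TransferError` and `lookup_owned` are assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Account:
    number: str
    owner: str        # id of the authenticated user who owns the account
    balance: Decimal


@dataclass
class Invoice:
    number: str
    owner: str
    body: str


class TransferError(Exception):
    """Raised for any rejected request; the message is all the client sees."""


def make_data():
    """Constructed sample data (not from the slides): two users, two accounts, two invoices.
    The account and invoice numbers are the ones in the cheat sheet URLs above."""
    accounts = {
        "325365436": Account("325365436", "alice", Decimal("500.00")),
        "473846376": Account("473846376", "bob", Decimal("20.00")),
    }
    invoices = {
        "2362365": Invoice("2362365", "alice", "invoice 2362365 (alice)"),
        "2362366": Invoice("2362366", "bob", "invoice 2362366 (bob)"),
    }
    return accounts, invoices


def transfer_insecure(accounts, session_user, from_account, to_account, amount):
    """Vulnerable: the account number from the URL is used as-is and nobody asks
    whether session_user owns it, so any logged-in user can move money out of
    any account. This is the IDOR the cheat sheet describes."""
    amount = Decimal(amount)
    src, dst = accounts[from_account], accounts[to_account]
    if src.balance < amount:
        raise TransferError("insufficient funds")
    src.balance -= amount
    dst.balance += amount
    return src.balance


def lookup_owned(table, key, session_user):
    """Resolve an object reference AND verify ownership in one step. A missing
    object and someone else's object raise the same error, so the response
    does not confirm which identifiers exist."""
    obj = table.get(key)
    if obj is None or obj.owner != session_user:
        raise TransferError("not found")
    return obj


def transfer_secure(accounts, session_user, from_account, to_account, amount):
    """Hardened: the source account must belong to the authenticated principal.
    The destination only has to exist; it may legitimately belong to someone else."""
    amount = Decimal(amount)
    if amount <= 0:
        raise TransferError("invalid amount")
    src = lookup_owned(accounts, from_account, session_user)
    dst = accounts.get(to_account)
    if dst is None:
        raise TransferError("not found")
    if src.balance < amount:
        raise TransferError("insufficient funds")
    src.balance -= amount
    dst.balance += amount
    return src.balance


def get_invoice_secure(invoices, session_user, invoice_number):
    """The /invoice/<n> case: walking the number space returns nothing the
    caller does not own."""
    return lookup_owned(invoices, invoice_number, session_user).body


def attempt(fn, *args):
    """Run a handler and report ("ok", result) or ("denied", message)."""
    try:
        return ("ok", fn(*args))
    except TransferError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    accounts, invoices = make_data()
    # bob is logged in but names alice's account as the source
    print(attempt(transfer_insecure, accounts, "bob", "325365436", "473846376", "100.00"))
    accounts, invoices = make_data()
    print(attempt(transfer_secure, accounts, "bob", "325365436", "473846376", "100.00"))
    print(attempt(get_invoice_secure, invoices, "bob", "2362365"))
```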
Java Regex Usage Example
Example validating the parameter “zip” using a regular expression.
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Compiled once per class; inside a Java string literal \d must be written as \\d.
private static final Pattern zipPattern = Pattern.compile("^\\d{5}(-\\d{4})?$");

public void doPost( HttpServletRequest request, HttpServletResponse response ) throws IOException {
    try {
        String zipCode = request.getParameter( "zip" );
        // getParameter() returns null when "zip" is absent; reject that as well as a bad format.
        if ( zipCode == null || !zipPattern.matcher( zipCode ).matches() ) {
            throw new YourValidationException( "Improper zipcode format." );
        }
        // .. do what you want here, after it's been validated ..
    } catch ( YourValidationException e ) {
        // SC_BAD_REQUEST is a static constant; reference it through the class, not the instance.
        response.sendError( HttpServletResponse.SC_BAD_REQUEST, e.getMessage() );
    }
}
OWASP XSS Cheat Sheet
OWASP AntiSamy
! OWASP AntiSamy is an API for ensuring user-supplied HTML/CSS is compliant with the application's rules.
" API plus implementations
" Java, .Net, Coldfusion, PHP (HTMLPurifier)
! Benefits
" It helps you ensure that clients don't supply malicious code into your application
" A safer way to allow for rich content from an application's users
http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
OWASP CSRFGuard
! OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery. CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated.
" Java, .Net and PHP implementations
" CSRF is considered the app sec sleeping giant
! Benefits
" Provides code to generate unique request tokens to mitigate CSRF risks
http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
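The per-session request token that CSRFGuard implements, as an added Python example (not CSRFGuard's own code): the server issues a token into the session, embeds it in the form, and rejects any state-changing request that does not echo it back. The field name `csrf_token`, the `Session` class and the `/account/transfer` endpoint are assumptions made for the example.

```python
import hmac
import secrets

TOKEN_FIELD = "csrf_token"                 # assumed form-field name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must have no side effects, so no token is required


class Session(dict):
    """Stand-in for one server-side session entry (assumed)."""


def issue_csrf_token(session):
    """Create the session's token on first use and return it. One token for the
    life of the session is the per-session mode; a fresh token per request is
    stricter but breaks multi-tab browsing."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)   # 256 bits from a CSPRNG
    return session[TOKEN_FIELD]


def render_form(session, action):
    """Embed the token as a hidden field. A page on another origin cannot read
    this value (same-origin policy), so a forged submission cannot include it."""
    token = issue_csrf_token(session)
    return (f'<form method="POST" action="{action}">'
            f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
            '<button>Submit</button></form>')


def csrf_check(session, method, form):
    """True when the request may proceed. Only state-changing methods are
    checked; the submitted token must exist and equal the session's token.
    hmac.compare_digest keeps the comparison constant-time."""
    if method in SAFE_METHODS:
        return True
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session, method, form):
    """A hypothetical state-changing endpoint guarded by csrf_check.
    Returns (status_code, message)."""
    if not csrf_check(session, method, form):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form.get('amount')} to {form.get('to')}"


def demo():
    """Legitimate submission, forged submission without a token, and a forged
    submission with a guessed token; returns the three status codes."""
    session = Session()
    render_form(session, "/account/transfer")         # issues the token
    token = session[TOKEN_FIELD]
    good = handle_transfer(session, "POST", {"amount": "100", "to": "473846376", TOKEN_FIELD: token})
    forged = handle_transfer(session, "POST", {"amount": "100", "to": "473846376"})
    guessed = handle_transfer(session, "POST", {"amount": "100", "to": "473846376", TOKEN_FIELD: "x" * 43})
    return good[0], forged[0], guessed[0]


if __name__ == "__main__":
    print(demo())
```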
SECURITY TESTING
Testing insecurities before your adversaries do
Threat Modeling provides targeted scope
  Purpose: Identify possible threat agents, threat motives, vulnerabilities in infrastructure, attack patterns, and possible countermeasures
  Risk Centric (Process for Attack Simulation & Threat Analysis) – http://versprite.com/docs/PASTA_Abstract.pdf
  Security Centric (e.g. - STRIDE threat categorization)
  Software Centric – Microsoft Threat Modeling Tool http://www.microsoft.com/en-us/download/details.aspx?id=42518
  Some free solutions
Seasponge - http://mozilla.github.io/seasponge/#/draw
Octotrike - http://octotrike.org/
OWASP ASVS - Security Assurance Methodology
! The OWASP Application Security Verification Standard (ASVS) defines a standard for conducting app sec verifications.
" Covers automated and manual approaches for external testing and code review techniques
" Recently created and already adopted by several companies and government agencies
! Benefits
" Standardizes the coverage and level of rigor used to perform app sec assessments
" Allows for better comparisons
http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
OWASP Top Ten
! The OWASP Top Ten represents a broad consensus of what the most critical web application security flaws are.
" Adopted by the Payment Card Industry (PCI)
" Recommended as a best practice by many government and industry entities
! Benefits
" Powerful awareness document for web application security
" Great starting point and reference for developers
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Prescriptive Advice for Testing
! Simplify!!!
! Create Roadmap
! Standardize Testing
! Follow a Methodology!!!
! Metrics are actually important. Really.
! Tools.
Sqlmap.py – Test for the dreaded SQLi
! Use in conjunction with Burp or Zed Attack Proxy.
! Capture POST request to web site via proxy
! Copy POST requests to text file
! http://sqlmap.org/
Static Analysis Options for Source Code Reviews
Product | License Type | Languages | Features
FxCop [4] | Open Source, MS-PL; VS Plugin | .NET | Security-specific static analysis; UI built into Visual Studio
RIPS [7] | Open-Source, GPL; Standalone | PHP | Professional user-interface; Security-specific analysis
FlawFinder [19] | Open-Source, GPL; Standalone, Text-based | C++ | Security-specific analysis (Injections, Overflow, etc.); Dangerous function analysis
PreFast [20] | Open-Source, MS-PL; VS Plugin | C++ | General static analysis; UI built into Visual Studio
BrakeMan [21] | Open-Source, MIT; Standalone, Text-based | Ruby | Security-specific analysis; Strong following
FlawFinder
  Works on C++ source-code.
  Console-based and specifically targets security vulnerabilities.
  Uses a built-in database of C/C++ functions (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random()). [19]
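A miniature of FlawFinder's dangerous-function scan, as an added Python example (not FlawFinder's code): it flags calls to the function families the slide quotes, and, as FlawFinder does, reports the printf family only when the format argument is not a string literal. The rule table, the weakness-class names and the C snippet are constructed for the example; the real tool has a much larger database and a severity scale.

```python
import re

# Function families quoted on the slide, keyed by the weakness class reported for them.
RULES = {
    "buffer overflow": ["strcpy", "strcat", "gets", "sprintf", "scanf", "sscanf", "fscanf"],
    "race condition": ["access", "chown", "chgrp", "chmod", "tmpfile", "tmpnam", "tempnam", "mktemp"],
    "shell metacharacters": ["system", "popen", "execl", "execlp", "execle", "execv", "execvp", "execve"],
    "weak randomness": ["random", "rand"],
}
# The *printf family is only a problem when the format string is not a literal;
# the value is the index of the format argument for each function.
FORMAT_ARG = {"printf": 0, "vprintf": 0, "fprintf": 1, "vfprintf": 1,
              "snprintf": 2, "vsnprintf": 2, "syslog": 1}
LOOKUP = {fn: cls for cls, fns in RULES.items() for fn in fns}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def split_args(text, start):
    """Return the top-level argument list of the call whose '(' is at text[start].
    Tracks nested parentheses and string literals; returns None if unterminated."""
    depth, args, cur, i, in_str = 0, [], "", start + 1, False
    while i < len(text):
        ch = text[i]
        if in_str:
            cur += ch
            if ch == "\\" and i + 1 < len(text):   # keep escaped char, e.g. \" or \n
                cur += text[i + 1]
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur += ch
        elif ch == "(":
            depth += 1
            cur += ch
        elif ch == ")":
            if depth == 0:
                args.append(cur.strip())
                return [a for a in args if a]
            depth -= 1
            cur += ch
        elif ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    return None


def scan_c_source(source):
    """Return [(line_number, function, weakness_class)] for each suspicious call.
    Line comments are dropped first so commented-out code is not reported."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]
        for m in CALL_RE.finditer(code):
            fn = m.group(1)
            if fn in LOOKUP:
                findings.append((lineno, fn, LOOKUP[fn]))
            elif fn in FORMAT_ARG:
                args = split_args(code, m.end() - 1)
                idx = FORMAT_ARG[fn]
                if args is None or idx >= len(args) or not args[idx].startswith('"'):
                    findings.append((lineno, fn, "format string"))
    return findings


# Constructed sample input (not from the slides).
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
void greet(const char *name, const char *fmt) {
    char buf[32];
    strcpy(buf, name);              // unbounded copy into a fixed buffer
    printf("hello %s\n", buf);      // literal format: not reported
    printf(fmt);                    // caller-controlled format: reported
    fprintf(stderr, name);          // format is argument 1 here: reported
    // system(name);                // commented out: not reported
    snprintf(buf, sizeof buf, "%d", rand());
}
'''

if __name__ == "__main__":
    for lineno, fn, cls in scan_c_source(SAMPLE_C):
        print(f"{lineno}: {fn}() - {cls}")
```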
RIPS
  Written in PHP and for PHP specifically to find vulnerabilities.
  Can create a program model of the source code.
  Detects vulnerable functions (sinks) that can be utilized by malicious user-input.
  Audit framework is provided for further analysis in an IDE-style.
  Detects XSS, SQL Injection, LFI/RFI, and RCE vulnerabilities.
Real Time Code Coverage during Black Box Testing
Follow your #blackbox web testing efforts with source code weakness #visualization
https://www.owasp.org/index.php/OWASP_Code_Pulse_Project #POSSCON #OWASP
SPARTA v1.0.2 Network Infra Testing
  Run nmap from SPARTA or import nmap XML output.
  Transparent staged nmap: get results quickly and achieve thorough coverage.
  Configurable context menu for each service. You can configure what to run on discovered services. Any tool that can be run from a terminal, can be run from SPARTA.
  You can run any script or tool on a service across all the hosts in scope, just with a click of the mouse.
  Define automated tasks for services (i.e. run nikto on every HTTP service, or sslscan on every ssl service).
  Default credentials check for most common services. Of course, this can also be configured to run automatically.
  Identify password reuse on the tested infrastructure. If any usernames/passwords are found by Hydra they are stored in internal wordlists which can then be used on other targets in the same network (breaking news: sysadmins reuse passwords).
  Ability to mark hosts that you have already worked on so that you don’t waste time looking at them again.
  Website screenshot taker so that you don’t waste time on less interesting web servers.
Weeding out Bad Hash
  Bad hashes have plagued news in recent #breaches. Validate your #hash http://code.google.com/p/hash-identifier/ #appsec
  Hash ID: Python based hash validator
The Zed Attack Proxy
•  Released September 2010
•  Ease of use a priority
•  Comprehensive help pages
•  Free, Open source
•  Cross platform
•  A fork of the well regarded Paros Proxy
•  Involvement actively encouraged
•  Adopted by OWASP October 2010
ZAP Overview
•  ZAP is:
 Easy to use (for a web app pentest tool;)
 Ideal for appsec newcomers
 Ideal for training courses
 Being used by Professional Pen Testers
 Easy to contribute to (and please do!)
 Improving rapidly
The Main Features
  All the essentials for web application testing
•  Intercepting Proxy
•  Active and Passive Scanners
•  Spider
•  Report Generation
•  Brute Force (using OWASP DirBuster code)
•  Fuzzing (using OWASP JBroFuzz code)
The Additional Features
  Auto tagging
  Port scanner
  Smart card support
  Session comparison
  Invoke external apps
  BeanShell integration
  API + Headless mode
  Dynamic SSL Certificates
  Anti CSRF token handling
ZAP Test Drive (Demo)
ZAP Summary
•  ZAP has:
 An active development community
 An international user base
 The potential to reach people new to OWASP and appsec, especially developers and functional testers
•  ZAP is a key OWASP project
•  Security Tool of the Year 2013
BurpSuite
•  Enhance scanners to detect more vulnerabilities
•  Extend API, better integration
•  Fuzzing analysis
•  Easier to use, better help
•  More localization
(all offers gratefully received!)
•  Parameter analysis?
•  Technology detection?
INCIDENT RESPONSE
Knowing what to do during a fire is more important than the right tool(s)
Adopt a Robust Incident Response Framework
  Computer Security Incident Handling Guide
 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
  Check security pages for respective Firewall companies on default DENY security configuration
  Integrating Forensic Analysis to Incident Handling
 http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
  Guide to IDS Management
 http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf
Autopsy & The Sleuth Kit
OSSEC – Host IDS (HIDS)
  performs log analysis,
  file integrity checking,
  policy monitoring,
  rootkit detection,
  real-time alerting,
  active response.
TAKE-AWAYS
Only cost of security implementation is time and resources.
A Word on OpenSource Adoption
1.  Define scope of adoption
1.  Driven by _ _ _ _ _ _ _ (impact, criticality, etc.)
2.  Use cases/ Abuse cases
3.  Architecture
2.  Set up controlled adoption
3.  Test, decompile, review
4.  Become involved in dev forums
More Tools
•  SET – Social Engineering Toolkit (http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET))
•  BeEF – Browser Exploitation Framework (http://www.bindshell.net/tools/beef.html)
•  Metasploit – http://www.metasploit.com/
•  Kali - http://www.kali.org/
•  Burp - http://portswigger.net/burp/
•  Recon-ng – full featured web recon framework tool that is text based and written in Python https://bitbucket.org/LaNMaSteR53/recon-ng
•  Twitter? Yes, Twitter, 2nd to Google, is hacker’s paradise
Closing Thoughts
  Leverage Open Source sources to INFLUENCE your security program development/ management
  Do NOT make your security program free and open, keep it close to the vest
  Keeping abreast of security news is a must – ever changing threat landscape
  Need to tell management that security is a process, not a one time mountain climb. Keeping executive support of security is the most important thing for longevity of your security program.
  Learn how to measure and improve your security program using metrics over time.
Thanks!
Follow us/me on Twitter: @versprite @t0nyuv
Blog: www.versprite.com/og

More Related Content

PDF
Secure Coding For Java - Une introduction
PDF
42 minutes to secure your code....
PDF
OWASP Overview of Projects You Can Use Today - DefCamp 2012
PDF
Continuous Security Testing
PDF
Secure Coding for Java - An Introduction
PDF
DevSecOps: Key Controls for Modern Security Success
PDF
2014 09-04-pj
PDF
Running an app sec program with OWASP projects_ Defcon AppSec Village
Secure Coding For Java - Une introduction
42 minutes to secure your code....
OWASP Overview of Projects You Can Use Today - DefCamp 2012
Continuous Security Testing
Secure Coding for Java - An Introduction
DevSecOps: Key Controls for Modern Security Success
2014 09-04-pj
Running an app sec program with OWASP projects_ Defcon AppSec Village

What's hot (19)

PDF
Using threat models to control project brief
PPT
OWASP an Introduction
PPTX
Practical Secure Coding Workshop - {DECIPHER} Hackathon
PPTX
DevSecOps without DevOps is Just Security
PDF
Waratek overview 2016
PPT
Introduction To OWASP
PDF
New Era of Software with modern Application Security (v0.6)
PPTX
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
PPTX
20160211 OWASP Charlotte RASP
PDF
Athens Owasp workshop Athens Digital Week 2010
PDF
Owasp and friends
PDF
DevSecOps at Agile 2019
PDF
ChaoSlingr: Introducing Security-Based Chaos Testing
PDF
Demystifying DevSecOps
PDF
Harnessing the power of cloud for real security
PDF
From Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-Napoca
PPTX
How to get the best out of DevSecOps - an operations perspective
PDF
Owasp top 10 2017 (en)
PDF
The Dev, Sec and Ops of API Security - API World
Using threat models to control project brief
OWASP an Introduction
Practical Secure Coding Workshop - {DECIPHER} Hackathon
DevSecOps without DevOps is Just Security
Waratek overview 2016
Introduction To OWASP
New Era of Software with modern Application Security (v0.6)
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
20160211 OWASP Charlotte RASP
Athens Owasp workshop Athens Digital Week 2010
Owasp and friends
DevSecOps at Agile 2019
ChaoSlingr: Introducing Security-Based Chaos Testing
Demystifying DevSecOps
Harnessing the power of cloud for real security
From Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-Napoca
How to get the best out of DevSecOps - an operations perspective
Owasp top 10 2017 (en)
The Dev, Sec and Ops of API Security - API World
Ad

Viewers also liked (9)

PPTX
A DevOps Guide to Web Application Security
PPTX
CCIS short presentation - English version
PPTX
The Best Pairwise Testing Tool / Best Orthogonal Array Tool Just Got Better
PPTX
Security Training: #3 Threat Modelling - Practices and Tools
PDF
Combinatorial software test design beyond pairwise testing
PDF
Real World Application Threat Modelling By Example
PDF
Application Security Guide for Beginners
PDF
Threat Modeling for the Internet of Things
PDF
Top 10 Essentials for Building a Powerful Security Dashboard
A DevOps Guide to Web Application Security
CCIS short presentation - English version
The Best Pairwise Testing Tool / Best Orthogonal Array Tool Just Got Better
Security Training: #3 Threat Modelling - Practices and Tools
Combinatorial software test design beyond pairwise testing
Real World Application Threat Modelling By Example
Application Security Guide for Beginners
Threat Modeling for the Internet of Things
Top 10 Essentials for Building a Powerful Security Dashboard
Ad

Similar to Application Security on a Dime: A Practical Guide to Using Functional Open Source Tools to Test, Validate, Harden Code, Systems, and Even People (20)

PDF
Owasp top 10-2017
PDF
OWASP_Top_10-2017_(en).pdf.pdf
DOCX
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
PPTX
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
PPT
OWASP - Building Secure Web Applications
PPT
The Principles of Secure Development - David Rook
PDF
Owasp top 10 2013 - rc1
ODP
OISF - AppSec Presentation
PPTX
[Wroclaw #5] OWASP Projects: beyond Top 10
PPTX
Securing your web applications a pragmatic approach
PPTX
OWASP_Top_Ten_Proactive_Controls_v32.pptx
PDF
Owasp o
PDF
Null singapore - Mobile Security Essentials
PDF
Owasp top 10
DOCX
Owasp top 10_proactive_controls_v3
PPTX
Dev{sec}ops
PPTX
OWASP_Top_Ten_Proactive_Controls version 2
PPTX
OWASP_Top_Ten_Proactive_Controls_v2.pptx
PPTX
OWASP_Top_Ten_Proactive_Controls_v2.pptx
PPTX
OWASP_Top_Ten_Proactive_Controls_v2.pptx
Owasp top 10-2017
OWASP_Top_10-2017_(en).pdf.pdf
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
OWASP - Building Secure Web Applications
The Principles of Secure Development - David Rook
Owasp top 10 2013 - rc1
OISF - AppSec Presentation
[Wroclaw #5] OWASP Projects: beyond Top 10
Securing your web applications a pragmatic approach
OWASP_Top_Ten_Proactive_Controls_v32.pptx
Owasp o
Null singapore - Mobile Security Essentials
Owasp top 10
Owasp top 10_proactive_controls_v3
Dev{sec}ops
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx

More from POSSCON (20)

PDF
Why Meteor.JS?
PDF
Vagrant 101
PDF
Tools for Open Source Systems Administration
PPTX
Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...
PPTX
Accelerating Application Delivery with OpenShift
PDF
Openstack 101
ODP
Community Building: The Open Source Way
PPTX
I Know It Was MEAN, But I Cut the Cord to LAMP Anyway
PDF
Software Defined Networking (SDN) for the Datacenter
ODP
Why Your Open Source Story Matters
PDF
How YARN Enables Multiple Data Processing Engines in Hadoop
PPTX
Google Summer of Code
PDF
Introduction to Hadoop
PDF
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
PPTX
Cyber Security and Open Source
PDF
Intro to AngularJS
PDF
Docker 101: An Introduction
PDF
Graph the Planet!
PDF
Software Freedom Licensing: What You Must Know
PDF
Contributing to an Open Source Project 101
Why Meteor.JS?
Vagrant 101
Tools for Open Source Systems Administration
Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...
Accelerating Application Delivery with OpenShift
Openstack 101
Community Building: The Open Source Way
I Know It Was MEAN, But I Cut the Cord to LAMP Anyway
Software Defined Networking (SDN) for the Datacenter
Why Your Open Source Story Matters
How YARN Enables Multiple Data Processing Engines in Hadoop
Google Summer of Code
Introduction to Hadoop
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
Cyber Security and Open Source
Intro to AngularJS
Docker 101: An Introduction
Graph the Planet!
Software Freedom Licensing: What You Must Know
Contributing to an Open Source Project 101

Recently uploaded (20)

PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PPTX
Programs and apps: productivity, graphics, security and other tools
PPTX
Spectroscopy.pptx food analysis technology
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PDF
KodekX | Application Modernization Development
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Empathic Computing: Creating Shared Understanding
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
Encapsulation theory and applications.pdf
PDF
cuic standard and advanced reporting.pdf
PDF
Encapsulation_ Review paper, used for researhc scholars
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Dropbox Q2 2025 Financial Results & Investor Presentation
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
MYSQL Presentation for SQL database connectivity
Diabetes mellitus diagnosis method based random forest with bat algorithm
Building Integrated photovoltaic BIPV_UPV.pdf
Programs and apps: productivity, graphics, security and other tools
Spectroscopy.pptx food analysis technology
20250228 LYD VKU AI Blended-Learning.pptx
KodekX | Application Modernization Development
Spectral efficient network and resource selection model in 5G networks
Reach Out and Touch Someone: Haptics and Empathic Computing
Empathic Computing: Creating Shared Understanding
The Rise and Fall of 3GPP – Time for a Sabbatical?
Encapsulation theory and applications.pdf
cuic standard and advanced reporting.pdf
Encapsulation_ Review paper, used for researhc scholars
Digital-Transformation-Roadmap-for-Companies.pptx
Understanding_Digital_Forensics_Presentation.pptx
Review of recent advances in non-invasive hemoglobin estimation
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton

Application Security on a Dime: A Practical Guide to Using Functional Open Source Tools to Test, Validate, Harden Code, Systems, and Even People

  • 1. Application Security on a Dime Open Technologies, Tools, and Techniques for Running an Blossoming InfoSec Program POSSCON – Columbia, SC April 2015
  • 3. Anyone run Wordpress? Wordpress  hacks  are  boun0ful.    Secure  them  using  latest  hardening   guidelines  h9p://codex.wordpress.org/Hardening_WordPress       Test  #WordPress  using   WPScan   h9p://wpscan.org/;  blackbox   vuln  scanner  #posscon   #appsec  
  • 4. Open Source Security Facilitated By…
  • 5. And especially….. A  hacker’s  gateway  drug  to  online  perdi0on......or  just  a  really  helpful   search  engine.  
  • 6. Who am I? Why should you listen | care?   20 years of IT / InfoSec experience   Utility | Fed | Banking | Retail | Healthcare | Information Services | Hosting | Financial Services | Manufacturing | Insurance | Real Estate   Former developer | sysadmin | network engineer | iso | security engineer | security architect | security assessor | security director | ciso |   Author ‘Risk Centric Threat Modeling’, Wiley Life Sciences 2015 – comprehensive walk through security principles   Started security consulting firm in 2007 – www.versprite.com   Presentation based upon hands-on work and global travels working with both large enterprises and SMB
  • 8. SECURITY CULTURE BEGINS W/ GOVERNANCE Establish  a  framework  and  ecosystem  of  security  processes  and  tools.  
  • 9.   Establish Governance   Security Requirements & Resources   Implementation of S- SDLC   Use Security Frameworks   Test and Test Early   Track Defects Before you begin, know inherent challenges Challenges in AppSec   Isolated SDLC Efforts   Anti-Security Culture   Expanding heterogeneous tech stack   Decentralizing management   Security is not built into IT functions early on   Targeted attacks   Open intel on application components Sound Solutions
  • 10. A BIT ABOUT OWASP Open  Web  Applica;on  Security  Project  
  • 13. Intro to OWASP §  Open Web Application Security Project §  Community driven; 11 years old §  Dedicated to openness of all content & materials §  International community focused on AppSec §  X-cultural, X-industry related challenges exposed and addressed. §  Massively supportive and responsive. §  Follow @OWASP
  • 16. Unless you have this appear on all your servers…
  • 17. …governance is the better starting point. Security Governance: provides structure to a security program. Operations: makes security actionable but can be known to be a black hole to security $$$. Risk Management: everyone’s security threat is not yours; don’t believe the FUD, make risk-based security decisions. Compliance: although a key business driver, don’t let Compliance eclipse Security. #POSSCON
  • 18. Policies, Standards, Guidelines   Policies provide accountability   Standards govern technology   Guidelines provide “best practices”   Framework for enterprise operations   Creates baseline of what is ‘secure’ and ‘acceptable’ in terms of risk
  • 19. Each Security Component Can Warrant Governance – {Program} Governance: NIST 800-100, NIST 800-39, OpenSAMM | Incident Response: NIST 800-53r4, NIST 800-61r2, NIST CSF | Secure Development: NIST 800-100, NIST 800-39, OpenSAMM | Security Testing: OWASP ASVS, OWASP Testing Guide v4, PTES | Security Awareness: mostly tool based
  • 20. OWASP Open SAMM • The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. • Benefits – Evaluate your organization’s existing software security practices – Build a balanced software security program in well-defined iterations – Demonstrate concrete improvements http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
  • 22. Wide Scope Covered by OpenSAMM • Supports a Security Plan or Roadmap • Establish governance • Perform against assessments • Test and Report • Enhance Security Operations • Building a S-SDLC Initiative • Measures success/shortcomings • Provides metrics for reporting http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
  • 24. OpenSAMM Key Links   Main link to OpenSAMM gateway of resources: https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model   Latest on the global initiative: https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
  • 25. SECURE CODING & SECURITY ARCHITECTURE Simple considerations of secure coding & security architecture can lay a foundation of security for your development efforts.
  • 27. OWASP Developer Cheat Sheets: Clickjacking Defense Cheat Sheet, C-Based Toolchain Hardening Cheat Sheet, Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet, Cryptographic Storage Cheat Sheet, DOM based XSS Prevention Cheat Sheet, Forgot Password Cheat Sheet, HTML5 Security Cheat Sheet, Input Validation Cheat Sheet, JAAS Cheat Sheet, Logging Cheat Sheet, .NET Security Cheat Sheet, OWASP Top Ten Cheat Sheet, Password Storage Cheat Sheet, Pinning Cheat Sheet, Query Parameterization Cheat Sheet, Ruby on Rails Cheat Sheet, REST Security Cheat Sheet, Session Management Cheat Sheet, SQL Injection Prevention Cheat Sheet, Transport Layer Protection Cheat Sheet, Unvalidated Redirects and Forwards Cheat Sheet, User Privacy Protection Cheat Sheet, Web Service Security Cheat Sheet, XSS (Cross Site Scripting) Prevention Cheat Sheet, Attack Surface Analysis Cheat Sheet, XSS Filter Evasion Cheat Sheet, REST Assessment Cheat Sheet, IOS Developer Cheat Sheet, Mobile Jailbreaking Cheat Sheet. OpSec Cheat Sheets (Defender): Virtual Patching Cheat Sheet
  • 29. OWASP Developer References – Educate: OWASP WebGoat (exercise successful implementation of OWASP countermeasures); OWASP Top Ten (ranks top web app related risks; serves as a good scope for initial testing). Develop: OWASP Code Review (methodology for source code reviews); OWASP Development Guide (establishes a process for secure development efforts across various SDLCs); OWASP Cheat Sheet Series; OWASP Countermeasures (OWASP CSRFGuard, OWASP AntiSamy). Test: OWASP Zed Attack Proxy (test against OWASP Top Ten; use in conformance to the Testing Guide); OWASP YASCA (leverages FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, RATS, and Pixy to scan)
  • 31. OWASP Cheat Sheet Snippet – Insecure Direct Object References. It may seem obvious, but if you had a bank account REST web service, you have to make sure there is adequate checking of primary and foreign keys: https://example.com/account/325365436/transfer?amount=$100.00&toAccount=473846376 In this case, it would be possible to transfer money from any account to any other account, which is clearly insane. Not even a random token makes this safe. https://example.com/invoice/2362365 In this case, it would be possible to get a copy of all invoices. Please make sure you understand how to protect against insecure direct object references in the OWASP Top 10 2010. Java Regex Usage Example: validating the parameter “zip” using a regular expression.
    import java.io.IOException;
    import java.util.regex.Pattern;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Five digits, optionally followed by a hyphen and four more digits (ZIP+4).
    private static final Pattern zipPattern = Pattern.compile("^\\d{5}(-\\d{4})?$");

    public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        try {
            String zipCode = request.getParameter("zip");
            // getParameter() returns null when the parameter is absent; reject that too
            if (zipCode == null || !zipPattern.matcher(zipCode).matches()) {
                throw new YourValidationException("Improper zipcode format.");
            }
            // .. do what you want here, after it has been validated ..
        } catch (YourValidationException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
        }
    }
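The two halves of that cheat sheet belong together: syntactic validation (the zip regex) says nothing about whether the caller is allowed to touch account 325365436. The following is an added Python example, not code from the slides or from OWASP, that puts both checks in one request handler. The ledger, account ids and the `handle_transfer` signature are constructed for the example; `current_user` stands for whatever the session layer provides.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed sample ledger: account id -> [owner, balance]. In a real service this
# is looked up server-side; nothing about ownership ever comes from the request.
ACCOUNTS = {
    "325365436": ["alice", Decimal("500.00")],
    "473846376": ["bob", Decimal("50.00")],
    "998877665": ["alice", Decimal("20.00")],
}

# Same rule as the cheat sheet's zip example. fullmatch() is used rather than
# match() with ^...$ because Python's $ also matches just before a trailing newline.
ZIP_PATTERN = re.compile(r"\d{5}(-\d{4})?")
ACCOUNT_ID_PATTERN = re.compile(r"\d{1,12}")


def is_valid_zip(value):
    """Allow-list validation; an absent parameter (None) is rejected, not dereferenced."""
    return value is not None and ZIP_PATTERN.fullmatch(value) is not None


def is_valid_account_id(value):
    return value is not None and ACCOUNT_ID_PATTERN.fullmatch(value) is not None


def parse_amount(value):
    """Money as Decimal with at most two places; None for anything not a positive amount."""
    try:
        amount = Decimal(value)
    except (InvalidOperation, TypeError, ValueError):
        return None
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        return None
    return amount


def handle_transfer(current_user, from_account, params):
    """Handler for /account/<from_account>/transfer?amount=..&toAccount=..

    Returns (http_status, message). current_user comes from the authenticated
    session. Every parameter is checked for shape, and then the *ownership* of the
    source account is checked; the second check is what closes the IDOR.
    """
    to_account = params.get("toAccount")
    if not (is_valid_account_id(from_account) and is_valid_account_id(to_account)):
        return 400, "Improper account id format."
    amount = parse_amount(params.get("amount"))
    if amount is None:
        return 400, "Improper amount."
    source = ACCOUNTS.get(from_account)
    # Authorisation: the id in the URL must belong to the authenticated user.
    # The same 403 is returned whether the account is someone else's or does not
    # exist, so the endpoint cannot be used to enumerate valid account ids.
    if source is None or source[0] != current_user:
        return 403, "Forbidden."
    if to_account not in ACCOUNTS:
        return 400, "Unknown destination account."
    if source[1] < amount:
        return 400, "Insufficient funds."
    source[1] -= amount
    ACCOUNTS[to_account][1] += amount
    return 200, "Transferred %s from %s to %s." % (amount, from_account, to_account)


def balance(account_id):
    return ACCOUNTS[account_id][1]
```

The invoice URL from the cheat sheet gets the same treatment: look the invoice up, then compare its owner to the session user before returning it, rather than trusting that an unguessable number is protection.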
  • 33. OWASP AntiSamy • OWASP AntiSamy is an API for ensuring user-supplied HTML/CSS is compliant with the application’s rules. – API plus implementations – Java, .Net, Coldfusion, PHP (HTMLPurifier) • Benefits – It helps you ensure that clients don’t supply malicious code into your application – A safer way to allow for rich content from an application’s users http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
  • 34. OWASP CSRFGuard • OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery. CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated. – Java, .Net and PHP implementations – CSRF is considered the app sec sleeping giant • Benefits – Provides code to generate unique request tokens to mitigate CSRF risks http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
  • 35. SECURITY TESTING Testing insecurities before your adversaries do
  • 36. Threat Modeling provides targeted scope   Purpose: Identify possible threat agents, threat motives, vulnerabilities in infrastructure, attack patterns, and possible countermeasures   Some free solutions:  Risk Centric (Process for Attack Simulation & Threat Analysis) – http://versprite.com/docs/PASTA_Abstract.pdf  Security Centric (e.g. STRIDE threat categorization)  Software Centric – Microsoft Threat Modeling Tool http://www.microsoft.com/en-us/download/details.aspx?id=42518
  • 39. OWASP ASVS – Security Assurance Methodology • The OWASP Application Security Verification Standard (ASVS) defines a standard for conducting app sec verifications. – Covers automated and manual approaches for external testing and code review techniques – Recently created and already adopted by several companies and government agencies • Benefits – Standardizes the coverage and level of rigor used to perform app sec assessments – Allows for better comparisons http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
  • 40. OWASP Top Ten • The OWASP Top Ten represents a broad consensus of what the most critical web application security flaws are. – Adopted by the Payment Card Industry (PCI) – Recommended as a best practice by many government and industry entities • Benefits – Powerful awareness document for web application security – Great starting point and reference for developers http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • 41. Prescriptive Advice for Testing • Simplify!!! • Create Roadmap • Standardize Testing • Follow a Methodology!!! • Metrics are actually important. Really. • Tools.
  • 44. sqlmap.py – Test for the dreaded SQLi • Use in conjunction with Burp or Zed Attack Proxy. • Capture POST request to web site via proxy • Copy POST requests to text file • http://sqlmap.org/
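What sqlmap is looking for is a query whose text is assembled from request data. The following is an added Python example, not from the slides or from the sqlmap project, showing that query beside its parameterised form against a constructed in-memory SQLite table, plus the case bind parameters cannot cover (a sort column), which is handled with an allow-list. Table contents and function names are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email, role) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "admin"),
         ("bob", "bob@example.com", "user"),
         ("carol", "carol@example.com", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """BAD: the request value is pasted into the SQL text, so a value containing a
    quote changes the structure of the query. This is the flaw sqlmap reports."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """GOOD: the driver binds the value as data; quoting inside it cannot escape."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# Bind parameters cannot stand in for identifiers (column or table names), which is
# where otherwise-parameterised code still gets injected. Allow-list those instead.
SORTABLE_COLUMNS = ("name", "email", "role")


def is_sortable(column):
    return column in SORTABLE_COLUMNS


def list_users_sorted(conn, order_by):
    """Sort column is checked against a fixed allow-list before it touches the SQL."""
    if not is_sortable(order_by):
        raise ValueError("unsupported sort column: %r" % order_by)
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY " + order_by)]
```

Running a request capture through sqlmap, as the slide suggests, is the test; replacing the first function with the second is the fix, and the allow-list is the part people forget.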
  • 47. Static Analysis Options for Source Code Reviews (Product | License | Type | Languages | Features):  FxCop [4] | Open Source MS-PL | VS Plugin | .NET | Security-specific static analysis, UI built into Visual Studio  RIPS [7] | Open Source GPL | Standalone | PHP | Professional user interface, security-specific analysis  FlawFinder [19] | Open Source GPL | Standalone, text-based | C++ | Security-specific analysis (injections, overflow, etc.), dangerous function analysis  PreFast [20] | Open Source MS-PL | VS Plugin | C++ | General static analysis, UI built into Visual Studio  BrakeMan [21] | Open Source MIT | Standalone, text-based | Ruby | Security-specific analysis, strong following
  • 48. FlawFinder   Works on C++ source code.   Console-based and specifically targets security vulnerabilities.   Uses a built-in database of C/C++ functions “(e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random())”. [19]
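The mechanism behind that database is simple enough to show. The following is an added Python example, not FlawFinder's own code, of a lexical scanner in the same spirit: a constructed rule table covering the function categories the slide lists, comment and string-literal stripping so text inside them is not reported, and a format-string rule that only fires when the format argument is not a literal. The rule set, risk levels and the sample C source are constructed for the example.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "level category fmt_arg note")
Finding = namedtuple("Finding", "line func level category note")

# Constructed rule table modelled on FlawFinder's categories (not its real data).
# fmt_arg is the index of the format-string argument for format-family functions.
RULES = {
    "gets":     Rule(5, "buffer",  None, "no bound on input; use fgets"),
    "strcpy":   Rule(4, "buffer",  None, "no length check; use strncpy/strlcpy"),
    "strcat":   Rule(4, "buffer",  None, "no length check; use strncat/strlcat"),
    "sprintf":  Rule(4, "buffer",  None, "no length check; use snprintf"),
    "scanf":    Rule(4, "buffer",  None, "%s without a width overflows"),
    "printf":   Rule(4, "format",  0,    "non-constant format string"),
    "fprintf":  Rule(4, "format",  1,    "non-constant format string"),
    "snprintf": Rule(4, "format",  2,    "non-constant format string"),
    "syslog":   Rule(4, "format",  1,    "non-constant format string"),
    "access":   Rule(4, "race",    None, "check-then-use (TOCTOU) on a path"),
    "chmod":    Rule(5, "race",    None, "TOCTOU; prefer fchmod on an open fd"),
    "tmpnam":   Rule(3, "tmpfile", None, "predictable name; use mkstemp"),
    "mktemp":   Rule(4, "tmpfile", None, "predictable name; use mkstemp"),
    "system":   Rule(4, "shell",   None, "shell metacharacters; use execve with fixed argv"),
    "popen":    Rule(4, "shell",   None, "shell metacharacters"),
    "random":   Rule(3, "random",  None, "not a cryptographic RNG"),
}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def _clean(line, in_comment):
    """Drop // and /* */ comments and collapse string literals to "" so that
    function names inside them are not scanned. Returns (text, still_in_comment)."""
    out, i = [], 0
    while i < len(line):
        if in_comment:
            end = line.find("*/", i)
            if end < 0:
                return "".join(out), True
            i, in_comment = end + 2, False
        elif line.startswith("//", i):
            break
        elif line.startswith("/*", i):
            in_comment, i = True, i + 2
        elif line[i] == '"':
            j = i + 1
            while j < len(line) and line[j] != '"':
                j += 2 if line[j] == "\\" else 1   # skip escaped characters
            out.append('""')
            i = j + 1
        else:
            out.append(line[i])
            i += 1
    return "".join(out), in_comment


def _args(code, start):
    """Split the argument list beginning at index start (just after '(') on depth-0 commas."""
    depth, cur, args = 0, [], []
    for ch in code[start:]:
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                break
            depth -= 1
        if ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    args.append("".join(cur).strip())
    return args


def scan_c_source(source, min_level=1):
    """Return findings sorted by risk level (highest first) then line number."""
    findings, in_comment = [], False
    for lineno, raw in enumerate(source.splitlines(), 1):
        code, in_comment = _clean(raw, in_comment)
        for match in CALL_RE.finditer(code):
            rule = RULES.get(match.group(1))
            if rule is None or rule.level < min_level:
                continue
            if rule.fmt_arg is not None:
                args = _args(code, match.end())
                # A literal format string shows up as "" after cleaning: not a finding.
                if rule.fmt_arg < len(args) and args[rule.fmt_arg].startswith('"'):
                    continue
            findings.append(Finding(lineno, match.group(1), rule.level, rule.category, rule.note))
    return sorted(findings, key=lambda f: (-f.level, f.line))


# Constructed sample input exercising each rule path.
SAMPLE_C = r"""#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
    char buf[64];
    const char *doc = "see gets() and strcpy()"; /* names inside a string: ignored */
    strcpy(buf, argv[1]);
    printf("hello %s\n", buf);
    printf(buf);
    // system("commented out");
    if (access("/tmp/state", W_OK) == 0) {
        system(argv[2]);
    }
    return 0;
}
"""
```

Like FlawFinder, this is a lexical scan with no data-flow: it cannot tell that a copied buffer was length-checked two lines earlier, so its value is in triage and in the fact that it runs in seconds on any C tree.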
  • 50. RIPS   Written in PHP and for PHP specifically to find vulnerabilities.   Can create a program model of the source code.   Detects vulnerable functions (sinks) that can be utilized by malicious user input.   Audit framework is provided for further analysis in an IDE style.   Detects XSS, SQL Injection, LFI/RFI, and RCE vulnerabilities.
  • 52. Real Time Code Coverage during Black Box Testing – Follow your #blackbox web testing efforts with source code weakness #visualization https://www.owasp.org/index.php/OWASP_Code_Pulse_Project #POSSCON #OWASP
  • 53. SPARTA v1.0.2 Network Infra Testing   Run nmap from SPARTA or import nmap XML output.   Transparent staged nmap: get results quickly and achieve thorough coverage.   Configurable context menu for each service. You can configure what to run on discovered services. Any tool that can be run from a terminal, can be run from SPARTA.   You can run any script or tool on a service across all the hosts in scope, just with a click of the mouse.   Define automated tasks for services (ie. Run nikto on every HTTP service, or sslscan on every ssl service).   Default credentials check for most common services. Of course, this can also be configured to run automatically.   Identify password reuse on the tested infrastructure. If any usernames/passwords are found by Hydra they are stored in internal wordlists which can then be used on other targets in the same network (breaking news: sysadmins reuse passwords).   Ability to mark hosts that you have already worked on so that you don’t waste time looking at them again.   Website screenshot taker so that you don’t waste time on less interesting web servers.
  • 54. Weeding out Bad Hash   Bad hashes have plagued news in recent #breaches. Validate your #hash http://code.google.com/p/hash-identifier/ #appsec   Hash ID: Python-based hash validator
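Identifying a hash is mostly a matter of length, alphabet and prefix. The following is an added Python example, not hash-identifier's own code, that does that classification and then applies it the way the slide means it: audit a password store and flag entries stored as fast, unsalted digests. The format table, the `user:hash` store and its entries are constructed; the two hex digests are the MD5 and SHA-1 of the string "password".

```python
import re

# Constructed format table: (pattern, name, verdict). Hex digests of equal length are
# indistinguishable by inspection, so one input can map to several names.
HASH_FORMATS = [
    (re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"), "bcrypt",      "ok"),
    (re.compile(r"\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}"), "sha512crypt", "ok"),
    (re.compile(r"\$5\$[^$]{1,16}\$[./A-Za-z0-9]{43}"), "sha256crypt", "ok"),
    (re.compile(r"\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}"),  "md5crypt",    "legacy"),
    (re.compile(r"[0-9a-fA-F]{32}"),                    "MD5",         "weak"),
    (re.compile(r"[0-9a-fA-F]{32}"),                    "NTLM",        "weak"),
    (re.compile(r"[0-9a-fA-F]{40}"),                    "SHA-1",       "weak"),
    (re.compile(r"[0-9a-fA-F]{64}"),                    "SHA-256",     "weak"),
    (re.compile(r"[0-9a-fA-F]{128}"),                   "SHA-512",     "weak"),
]


def identify_hash(value):
    """All format names whose pattern matches the whole (stripped) value."""
    value = value.strip()
    return [name for pattern, name, _ in HASH_FORMATS if pattern.fullmatch(value)]


def verdict(value):
    """'ok' for slow salted password schemes, 'weak' for fast unsalted digests,
    'legacy' for salted-but-MD5 crypt, 'unknown' when nothing matches."""
    value = value.strip()
    for pattern, _name, level in HASH_FORMATS:
        if pattern.fullmatch(value):
            return level
    return "unknown"


def audit_password_store(lines):
    """Take 'user:hash' lines and return (user, formats, verdict) per entry."""
    report = []
    for line in lines:
        user, _sep, stored = line.partition(":")
        names = identify_hash(stored)
        report.append((user, "/".join(names) or "unknown", verdict(stored)))
    return report


# Constructed sample store. MD5("password"), SHA-1("password"), a syntactically valid
# bcrypt string, a syntactically valid sha512crypt string, and junk.
SAMPLE_STORE = [
    "alice:5f4dcc3b5aa765d61d8327deb882cf99",
    "bob:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "carol:$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZabcde",
    "dave:$6$saltsalt$" + "A" * 86,
    "erin:not-a-hash",
]
```

Note the limits: a syntactically valid bcrypt string says nothing about its cost factor being adequate, and a 64-hex digest could be SHA-256 of a salted input; the tool tells you what to look at, not that you are done.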
  • 55. The Zed Attack Proxy •  Released September 2010 •  Ease of use a priority •  Comprehensive help pages •  Free, Open source •  Cross platform •  A fork of the well regarded Paros Proxy •  Involvement actively encouraged •  Adopted by OWASP October 2010
  • 56. ZAP Overview •  ZAP is:  Easy to use (for a web app pentest tool;)  Ideal for appsec newcomers  Ideal for training courses  Being used by Professional Pen Testers  Easy to contribute to (and please do!)  Improving rapidly
  • 57. The Main Features   All the essentials for web application testing •  Intercepting Proxy •  Active and Passive Scanners •  Spider •  Report Generation •  Brute Force (using OWASP DirBuster code) •  Fuzzing (using OWASP JBroFuzz code)
  • 58. The Additional Features   Auto tagging   Port scanner   Smart card support   Session comparison   Invoke external apps   BeanShell integration   API + Headless mode   Dynamic SSL Certificates   Anti CSRF token handling
  • 59. ZAP Test Drive (Demo)
  • 60. ZAP Summary •  ZAP has:  An active development community  An international user base  The potential to reach people new to OWASP and appsec, especially developers and functional testers •  ZAP is a key OWASP project •  Security Tool of the Year 2013
  • 61. BurpSuite •  Enhance scanners to detect more vulnerabilities •  Extend API, better integration •  Fuzzing analysis •  Easier to use, better help •  More localization (all offers gratefully received!) •  Parameter analysis? •  Technology detection?
  • 62. INCIDENT RESPONSE Knowing what to do during a fire is more important than the right tool(s)
  • 63. Adopt a Robust Incident Response Framework   Computer Security Incident Handling Guide  http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf   Check security pages for respective Firewall companies on default DENY security configuration   Integrating Forensic Analysis into Incident Handling  http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf   Guide to IDS Management  http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf
  • 68. OSSEC – Host IDS (HIDS) performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active response.
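Of those six functions, file integrity checking is the one that can be shown in a few dozen lines. The following is an added Python example, not OSSEC's code, of the core of it: snapshot a tree to SHA-256 digests, store the snapshot, and classify added, removed and modified files on the next run. The directory layout, file contents and the `demo()` scenario are constructed for the example and run inside temporary directories.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Streamed SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its digest and size."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):        # skip sockets, fifos, dangling links
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return baseline


def diff_baselines(old, new):
    """Classify changes between two snapshots; lists are sorted for stable reports."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths
                           if old[p]["sha256"] != new[p]["sha256"]),
    }


def save_baseline(baseline, path):
    # The baseline is only as trustworthy as its storage. Keep it off the monitored
    # host (as OSSEC's agent/server split does) or on read-only media; otherwise an
    # intruder with write access simply regenerates it after tampering.
    with open(path, "w") as handle:
        json.dump(baseline, handle, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as handle:
        return json.load(handle)


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as handle:
        handle.write(text)


def demo():
    """Constructed scenario: snapshot, store, tamper with the tree, snapshot again, diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "etc/app.conf", "debug=false\n")
        _write(root, "var/old.log", "startup ok\n")
        save_baseline(build_baseline(root), os.path.join(store, "baseline.json"))
        # Simulated tampering: a config edit, a deleted log, a dropped file.
        _write(root, "etc/app.conf", "debug=true\n")
        os.remove(os.path.join(root, "var/old.log"))
        _write(root, "etc/new.conf", "x\n")
        return diff_baselines(load_baseline(os.path.join(store, "baseline.json")),
                              build_baseline(root))
```

A production checker would also record ownership and mode bits (a chmod to setuid changes no bytes), exclude paths that legitimately churn, and alert through the same channel as the rest of the HIDS, which is the part OSSEC provides and this script does not.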
  • 69. TAKE-AWAYS Only cost of security implementation is time and resources.
  • 70. A Word on OpenSource Adoption 1. Define scope of adoption (a. driven by _ _ _ _ _ _ _ (impact, criticality, etc.); b. use cases/abuse cases; c. architecture) 2. Set up controlled adoption 3. Test, decompile, review 4. Become involved in dev forums
  • 71. More Tools •  SET – Social Engineering Toolkit (http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)) •  BeEF – Browser Exploitation Framework (http://www.bindshell.net/tools/beef.html) •  Metasploit – http://www.metasploit.com/ •  Kali – http://www.kali.org/ •  Burp – http://portswigger.net/burp/ •  Recon-ng – full featured web recon framework tool that is text based and written in Python https://bitbucket.org/LaNMaSteR53/recon-ng •  Twitter? Yes, Twitter, 2nd to Google, is hacker’s paradise
  • 72. Closing Thoughts   Leverage Open Source sources to INFLUENCE your security program development/management   Do NOT make your security program free and open; keep it close to the vest   Keeping abreast of security news is a must – ever changing threat landscape   Need to tell management that security is a process, not a one-time mountain climb. Keeping executive support of security is the most important thing for longevity of your security program.   Learn how to measure and improve your security program using metrics over time.
  • 73. Thanks! Follow us/me on Twitter: @versprite @t0nyuv Blog: www.versprite.com/og