Web Application Security Testing

Threat analysis as methodology for deriving risk-based security tests of web application software Marco Morana OWASP [email_address] IMI 2009 Security Summit

Presentation Agenda Security Testing 101 (In 10 steps) Security requirements derivation Security testing in the SDLC Security testing workflows, techniques and tools Security testing guides Security test reporting and metrics State of The Art Of Security Testing Effective testing, compliance driven testing, tool centric testing Risk Based Security Testing Methodology Deriving test cases from cyber-intelligence, attack tree analysis, attack vectors analysis, ATM/secure architecture analysis Security Risk Testing Strategy Q&A

Security Testing 101 (In 10 Steps)

Why Security Testing? How Security Testing Is Different From Traditional Quality Testing? Test that security controls function as designed with “positive” tests Test that security controls cannot be abused by exercising un-intended/abused functionality with “negative” tests Test to find vulnerabilities in applications with an application scan/pen test Test to find vulnerabilities in the source code with a source code analysis/secure code review Test to find security flaws in design with application threat modeling/secure architecture review

Testing For Software Security: Quality Assurance vs. Software Assurance http://www.ddj.com/184405196 Security faults: test as built for anything unexpected Quality faults: test as Designed for what we want to do

Step 1: Derive Security Requirements Functional requirements Validate security controls work as designed to function (e.g. authentication, authorization, encryption etc) Non functional requirements Validate there are no vulnerabilities and security flaws Security compliance requirements Validate compliance with FFIEC, GLBA, PCI-DSS, SB 1386, InfoSec, AppSec standards Threat mitigation requirements Validate mitigation against threats : Spoofing user identity, Tampering with the data, Repudiation, Information Disclosure, Denial of service, Elevation of privileges The application need to implement input filtering and output encoding to mitigate XSS attacks The authentication control should lock a user after 3 failed attempts Do not store CC authentication data protect CCH data in storage and mask CCN on display Mutually authenticate client and server to prevent repudiation attacks such as Man In the Middle (MiTM) attacks

Derivation Of Security Requirements To Validate Compliance With Security Standards [PCI-DSS] 6 Develop and Maintain Secure Systems and Applications All vulnerabilities must be corrected. The application must be re-evaluated after the corrections. The application firewall must detect and prevent web based attacks such as cross site scripting and SQL injection. [PCI-DSS] 11 Regularly Test Security Systems and Processes [PCI-DSS] 11.3.2 External application layer penetration test . For web applications, the tests should include, at a minimum, the following vulnerabilities: OWASP T10

Step 2: Use Security Requirement Engineering Techniques such as Use And Misuse Cases

Step 3: Identify Security Testing Tollgates Requirements and use cases Design Test plans Code Test results Field feedback Security requirements Threat and risk Modeling Risk-based security tests Static analysis (tools) Penetration testing Secure Design Review Iterative approach Code Review Risk = Threat x Vulnerability x Cost What do we need to test, And how Code review tools

Step 4: Integrate Security Testing In Developer’s Workflows Developers Security Tests Test security of functions, methods and classes Security unit/component tests Secure code reviews/security bugs testing Dynamic analysis (e.g. application scans) Main developer’s workflow test check-points Secure code reviews : validate compliance with secure coding standards during coding interactions Defect management : clean security bugs before check-in code in application builds

Step 5: Integrate Security Testing in Tester’s Workflows Testers Security Tests Test security in integrated application builds Validate application security requirements Assess and exploit vulnerabilities Test for secure configuration in operational environment Fuzz testing, reverse engineering Tester Workflow Check Points Validate application security requirements before release to QA or production : security assurance Remediate all HIGH RISK vulnerabilities before release to production according to compliance requirements

Step 6: Adopt Manual and Automated Security Testing Techniques Find Vulnerabilities Using the Running Application Find Vulnerabilities Using the Source Code Automated Vulnerability Scanning Automated Static Code Analysis Manual Penetration Testing Manual Code Review Combining All Four Techniques is Most Effective

Step 7: Decide Which Security Testing Tools To Use Vulnerability Scanning ISS, Foundscan, Nessus, Nikto Penetration Testing (Black Box Testing) Webinspect, Appscan, Hailstorm, Paros, Peach Binary Analysis/Reverse Engineering IDA Pro, @stake SmartRisk Source Code Analysis Fortify, Klockworks, Parasoft, Free Tools (e.g. FindBugs) Threat Modeling MS TAM, TRIKE, PTA Technologies Rootkit BackDoor Analysis ootkits.org and rootkit.nl

Step 8: Document Security Testing Cases Using Testing Guides The OWASP Testing Guide Information Gathering Business Logic Testing Authentication Testing Session Management Testing Data Validation Testing Denial of Service Testing Web Services Testing Ajax Testing Testing Principles Testing Process Custom Web Applications Black Box Testing Grey Box Testing Risk and Reporting Appendix: Testing Tools Appendix: Fuzz Vectors

Step 9: Report The Findings http://www.owasp.org/index.php/How_to_write_the_report_of_the_testing_AoC

What I Should Put in The Testing Report? The security threat that can potentially exploit the vulnerability/defect The root cause of security issues (e.g., security bugs, security flaw) The testing technique being used (e.g. source code analysis, pen test, threat modeling, security test case) The remediation of the vulnerability/defect (requirement, design, code configuration change) The risk rating of the vulnerability (Critical, High, Medium, Low)

Step 10: Collect Security Testing Metrics Measurement Goals: Measure vulnerabilities found with pen-tests to validate that are closed before production release Measure vulnerabilities found with source code analysis and correlate with the ones found in pen tests Measure time it takes to fix vulnerabilities during coding and during validation tests Security Metrics: No. of High, Mediums for each application No. of vulnerabilities found in source code vs. the application Time (man/hours) required to close security issues

State of the Art Of Security Testing

Risk Based Security Testing The main objective is to assert threat mitigation: Mitigate attacks targeting different exposure factors : internet, extranet, intranet Mitigate attacks targeting different threats : fraud, confidential PII, credit card data, denial of service Mitigate attacks that might exploit known vulnerabilities (e.g. OWASP T10) Mitigate attacks that might abuse functionality to cause damage/business impact (e.g. design flaw that allow to reset password insecurely)

Security Testing From Compliance Perspective Good reasons for compliance security testing: Avoid fines : $500,000- 800,000 x breach Doing business with third party (e.g. Walmart) Minimal security assurance: CYA Not convinced checklists will lead to better security But not just rely on compliance security tests since data breaches occur even to PCI compliant companies : Heartland Payment Systems, 130 million credit cards Hannaford Bros, 4.2 million credit card How aware are you about software security assurance ? Beware of bad examples… According to a recent survey (*) “71 percent of companies DO NOT treat PCI as a strategic initiative and 79 percent have experienced a DATA BREACH” (*) http://www.imperva.com/docs/AR_Ponemon_2009_PCI_DSS_Compliance_Survey.pdf

Security Testing From Security Tools Perspective MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE) They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true) Beware of the silver bullet security mentality and false sense of security given by tools !

Security Testing From The Application Business Logic Perspective “ 76% of financial sites still have at least one critical design flaw that can be exploited to cause financial fraud, identify theft, reputation-brand damage, denial of service to customers” (University Of Michigan study) “ Information leakage, insufficient authentication and authorization, and abuse of the website’s functionality are prime money-makers ” (WhiteHat Security Inc.)

Risk Based Security Testing Methodology

Starting With Risk Based Security Testing Basic Security Tests Are Prerequisite: Functional and non functional security requirements are tested in compliance with standards and policies Known vulnerabilities are assessed and mitigated Expand Security Testing to: Real attack scenarios (e.g. cybercrime) Same methods, tools attack vectors and vulnerability exploits used by the attackers Potential abuse/misuse of business logic All entry points and access levels Probing secure design/architecture

Risk Based Security Testing Methodology Threat Intelligence : gather information about real attacks to simulate the same attack scenarios Threat tree analysis: learn attacker goals and methods to derive test cases Use and misuse cases to validate countermeasures for potential abuse of functionality Attack vector analysis for testing attacks against defense evasion techniques (e.g. data encoding, automation) Secure architecture analysis for proving countermeasures at different layers: external entity, trust boundary, data flow, process and asset.

Cyber-Attacks Intelligence Driven Security Tests Gather information from cybercrime intelligence: Learn from public cyber-crime reports : IC3, Symantec, Mc Afee AVERT Labs, Finjan software Analyze the attacks : i ndustry, geographic, local market, overall business, branch Become your enemy : derive the attack scenarios, analyze the attack vectors and vulnerabilities exploited by cybercriminals. Probe your defenses: Try to exploit vulnerabilities using attack vectors Use same botnet Trojans and PERL script tools to test application resilience against automation attacks

Cybercrime Threat Intelligence and Analysis: ATTACK: Attack “xp_cmdshell on MSQL server to upload sniffers to capture CC transactions and ATM PINs from DB, HSM TEST CASES AGAINST THIS THREAT: Test xp_cmdshell is disabled Test extended URLs are denied Test escape for special characters “”, comma Test store procedures run with minimum privileges Test SQL Server and IIS run under non-privilege Test appserver not use “sa” hardcoded Test account locking on mainframes against brute force Test access to DB server is internally restricted by IP Test a proxy server is used for internet access Test firewall rules are updated Test HSM not use commands with PIN in the clear

Threat Tree Analysis of Credit Card Compromise Attacks #2 Test for SQL injection and code injection (Frames) vulnerabilities #4 Test for session fixation and hijacking #3 Test encryption of sensitive CC data in storage and transit #1 Test web application assuming browser compromise and/or automation attacks

Security Testing With Attack Libraries Derive a list of attack vectors that can be used for testing countermeasures such as filtering of encoded cross-site scripting and SQL injection commands. Start with code injection attacks library: SQL injection attacks HTML (IFRAME) injection attacks Script injection (e.g. cross-site scripting) attacks Command shell injection attacks File injection attacks Server pages injection attacks (e.g. ASP, PHP) Cookie poisoning attacks XML poisoning attacks

Attack Vectors For Testing Web Applications

Security Testing Using Application Threat Modeling Analysis DFD-secure architecture analysis provide testers information about the application scope for risk based testing such as: The location of the application entry points that need to be tested The access levels that are required to access the entry points The vulnerabilities that can be exploited at each layer of the architecture that need to be tested The countermeasures that need to be tested for mitigation of identified threats.

Application Threat Modeling Access Level External Access Level Internal Access Level Restricted Spoofing Repudiation Tampering Repudiation Info Disclosure Denial OF service AuthN, Encryption Digital, signatures, HMAC, TS AuthN, Encryption Digital signatures, HMAC, TS,AuthZ Audit Encryption, AuthZ Filtering, AuthN

Threat Modeling Driven Security Test Cases Spoofing Identity Test attempts to impersonate a user by sniffing user credentials on the wire or in persistent storage Test that security tokens (e.g. cookie) issued before authentication cannot be replayed to bypass authentication Tampering with the data Test with a web proxy that is not possible to tamper and replay the data Test strength of hashes against replay attacks (e.g. use of salted hashes) Repudiation Test mutual authentication and/or digital signatures to trust connection between client and server Test all security events are audited and logged

Threat Driven Security Test Cases (Con’t) Information Disclosure Test that the access of non-public data requires authentication Test that error messages and exceptions do not disclose useful information to an attacker Test that processes do not cache or log passwords , session information or PII Denial of Service (Dos) Test you cannot flood a process with so much data it stops responding to valid requests. Test that malformed data cannot crash the process Elevation of Privilege Test user cannot tamper client parameters or forceful browsing to his elevate privileges Test that a process cannot be forced to load a command shell, which in turn will execute with elevated privileges

Threat Driven Security Testing Activities Throughout the SDLC Identify security requirements to be tested Identify security flaws and countermeasures to be tested Identify data flows to be tested Identify attack scenarios, goals and methods to test Derive security test cases for integrated system tests Secure Coding Requirements drive testing during coding Identify security bugs with secure code analysis Identify vulnerabilities with pen tests during UAT cycles Test secure configuration before production release

The Security Risk Testing Strategy Identify which attacks can be most likely used against your web application and your customers Use attack methods where difficulty of attack is the least and the impact is the highest Use misuse cases to test abuse of functionality/business logic Use the same same attack vectors to try to evade countermeasures/defense mechanisms Test defense in depth against threats identified in the application threat model

Q & Q U E S T I O N S A N S W E R S

References OWASP Testing Guide http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents Testing for Software Security Rethinking security bugs http://www.ddj.com/184405196 Education Module Embed within SDLC http://www.owasp.org/index.php?title=Education_Module_Embed_within_SDLC&setlang=es OWASP CAL9000 Project http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project Security Flaws Identification and Technical Risk Analysis Through Threat Modeling http://www.net-security.org/dl/insecure/INSECURE-Mag-17.pdf OWASP Application Threat Modeling http://www.owasp.org/index.php/Application_Threat_Modeling

Web Application Security Testing

More Related Content

What's hot (20)

Similar to Web Application Security Testing (20)

More from Marco Morana (20)

Recently uploaded (20)

Web Application Security Testing

Editor's Notes