This document discusses application security testing techniques and tools that can be used on a limited budget. It recommends establishing security governance through policies, standards and guidelines to provide structure for a security program. It introduces the Open Web Application Security Project (OWASP) as an open source community and lists some of their key resources like the Open Software Assurance Maturity Model (OpenSAMM) for evaluating security practices, and tools like AntiSamy and CSRFGuard for protecting against common vulnerabilities. The document advocates threat modeling to identify risks and provides examples of tools for static analysis and dynamic testing of applications to identify security issues before attackers.
1. Application Security on a Dime
Open Technologies, Tools, and Techniques for Running a Blossoming InfoSec Program
POSSCON – Columbia, SC April 2015
3. Anyone run WordPress?
WordPress hacks are bountiful. Secure them using the latest hardening guidelines: http://codex.wordpress.org/Hardening_WordPress
Test #WordPress using WPScan (http://wpscan.org/), a blackbox vuln scanner. #posscon #appsec
6. Who am I? Why should you listen | care?
20 years of IT / InfoSec experience
Utility | Fed | Banking | Retail | Healthcare | Information Services | Hosting | Financial Services |
Manufacturing | Insurance | Real Estate
Former developer | sysadmin | network engineer | iso | security engineer |
security architect | security assessor | security director | ciso |
Author ‘Risk Centric Threat Modeling’, Wiley Life Sciences 2015 –
comprehensive walk through security principles
Started security consulting firm in 2007 – www.versprite.com
Presentation based upon hands-on work and global travels working with both
large enterprises and SMB
8. SECURITY CULTURE BEGINS W/ GOVERNANCE
Establish a framework and ecosystem of security processes and tools.
9. Establish Governance
Sound Solutions
• Security requirements & resources
• Implementation of an S-SDLC
• Use security frameworks
• Test, and test early
• Track defects
Before you begin, know the inherent challenges.
Challenges in AppSec
• Isolated SDLC efforts
• Anti-security culture
• Expanding heterogeneous tech stack
• Decentralizing management
• Security is not built into IT functions early on
• Targeted attacks
• Open intel on application components
10. A BIT ABOUT OWASP
Open Web Application Security Project
13. Intro to OWASP
• Open Web Application Security Project
• Community driven; 11 years old
• Dedicated to openness of all content & materials
• International community focused on AppSec
• Cross-cultural, cross-industry challenges exposed and addressed
• Massively supportive and responsive
• Follow @OWASP
17. …governance is the better starting point
Security Governance | Operations | Risk Management | Compliance
Although a key business driver, don't let Compliance eclipse Security. #POSSCON
Provides structure to a security program. Makes security actionable, but can be a known black hole for security $$$.
Everyone's security threat is not yours. Don't believe the FUD; make risk-based security decisions.
18. Policies, Standards, Guidelines
Policies provide accountability
Standards govern technology
Guidelines provide “best practices”
Framework for enterprise operations
Creates baseline of what is ‘secure’ and
‘acceptable’ in terms of risk
20. OWASP Open SAMM
• The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
• Benefits
  – Evaluate your organization's existing software security practices
  – Build a balanced software security program in well-defined iterations
  – Demonstrate concrete improvements
http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
22. Wide Scope Covered by OpenSAMM
• Supports a security plan or roadmap
• Establishes governance
• Performs assessments
• Tests and reports
• Enhances security operations
• Builds an S-SDLC initiative
• Measures success and shortcomings
• Provides metrics for reporting
http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
24. OpenSAMM Key Links
Main link to the OpenSAMM gateway of resources:
https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
Latest on the global initiative:
https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
25. SECURE CODING & SECURITY ARCHITECTURE
Simple considerations of secure coding &
security architecture can lay a foundation of
security for your development efforts.
29. OWASP Developer References
Educate
• OWASP WebGoat: exercise successful implementation of OWASP countermeasures
• OWASP Top Ten: ranks the top web app related risks; serves as a good scope for initial testing
Develop
• OWASP Code Review Guide: methodology for source code reviews
• OWASP Development Guide: establishes a process for secure development efforts across various SDLCs
• OWASP Cheat Sheet Series
• OWASP countermeasures: OWASP CSRFGuard, OWASP AntiSamy
Test
• OWASP Zed Attack Proxy: test against the OWASP Top Ten; use in conformance with the Testing Guide
• OWASP YASCA: leverages FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, RATS, and Pixy to scan
31. OWASP Cheat Sheet Snippet
Insecure Direct Object References
It may seem obvious, but if you had a bank account REST web service, you have to make sure there is adequate checking of primary and foreign keys:
https://example.com/account/325365436/transfer?amount=$100.00&toAccount=473846376
In this case, if the service only checks that the caller is logged in, it would be possible to transfer money from any account to any other account, which is clearly insane. Not even a random token makes this safe: the server has to check that the authenticated user owns the source account.
https://example.com/invoice/2362365
In this case, it would be possible to get a copy of all invoices by iterating the id.
Please make sure you understand how to protect against insecure direct object references in the OWASP Top 10 2010.
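The two URLs above, worked through as an added example in Python (this is not code from the OWASP cheat sheet or from the talk). The account numbers, owners, balances and invoice ids are constructed sample data; the handler signatures are an assumption. The vulnerable transfer trusts the account id in the URL; the hardened one decides on the server-side session identity.

```python
# Added example (not from the OWASP cheat sheet): insecure direct object
# references on a bank-style REST API, vulnerable and hardened side by side.
# Account numbers, owners and balances below are constructed sample data.
from dataclasses import dataclass


@dataclass
class Account:
    number: str
    owner: str
    balance: float


# Constructed data store: two customers, three accounts, two invoices.
ACCOUNTS = {
    "325365436": Account("325365436", "alice", 500.0),
    "473846376": Account("473846376", "bob", 100.0),
    "111111111": Account("111111111", "bob", 900.0),
}
INVOICES = {
    "2362365": {"owner": "alice", "total": 42.0},
    "2362366": {"owner": "bob", "total": 99.0},
}


class Forbidden(Exception):
    """Raised when the caller does not own the referenced object."""


def transfer_vulnerable(session_user: str, src: str, dst: str, amount: float) -> None:
    # Never asks who owns `src`: any authenticated user can move money out of
    # any account whose number they can guess or enumerate.
    ACCOUNTS[src].balance -= amount
    ACCOUNTS[dst].balance += amount


def transfer_hardened(session_user: str, src: str, dst: str, amount: float) -> None:
    # Ownership is checked against the server-side session identity, never
    # against anything the client sent. Money may only leave an account the
    # caller owns; the destination only has to exist.
    source = ACCOUNTS.get(src)
    if source is None or source.owner != session_user:
        raise Forbidden("source account not owned by caller")
    if dst not in ACCOUNTS:
        raise Forbidden("unknown destination account")
    if amount <= 0 or amount > source.balance:
        raise ValueError("invalid amount")
    source.balance -= amount
    ACCOUNTS[dst].balance += amount


def get_invoice_hardened(session_user: str, invoice_id: str) -> dict:
    # Same rule for reads: the id alone is not an authorization decision.
    # One error for both "missing" and "not yours" stops an attacker from
    # enumerating which invoice ids exist.
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != session_user:
        raise Forbidden("invoice not found")
    return inv


def demo() -> dict:
    """Run both handlers as 'bob' against alice's account and report the outcome."""
    outcome = {}
    transfer_vulnerable("bob", "325365436", "473846376", 100.0)
    outcome["vulnerable_alice_balance"] = ACCOUNTS["325365436"].balance  # bob drained alice
    try:
        transfer_hardened("bob", "325365436", "473846376", 100.0)
        outcome["hardened_blocked"] = False
    except Forbidden:
        outcome["hardened_blocked"] = True
    try:
        get_invoice_hardened("bob", "2362365")
        outcome["invoice_blocked"] = False
    except Forbidden:
        outcome["invoice_blocked"] = True
    return outcome


if __name__ == "__main__":
    print(demo())
```

The check is the same for every object type: resolve the identifier, then compare the object's owner with the identity the server established at login. Signing or randomizing the identifier does not replace that comparison.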
Java Regex Usage Example
Example validating the parameter "zip" using a regular expression. Note that in Java source the digit class must be written "\\d"; an unescaped "d{5}" would only match the literal letter d. getParameter() returns null when the parameter is absent, so the null case is rejected before the matcher runs.
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Anchored allowlist pattern: exactly 5 digits, optionally "-" and 4 more.
private static final Pattern zipPattern = Pattern.compile("^\\d{5}(-\\d{4})?$");

public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws IOException {
    try {
        String zipCode = request.getParameter("zip");
        if (zipCode == null || !zipPattern.matcher(zipCode).matches()) {
            throw new YourValidationException("Improper zipcode format.");
        }
        // .. do what you want here, after it has been validated ..
    } catch (YourValidationException e) {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
    }
}
33. OWASP AntiSamy
• OWASP AntiSamy is an API for ensuring user-supplied HTML/CSS is compliant with the application's rules.
  – API plus implementations
  – Java, .NET, ColdFusion, PHP (HTMLPurifier)
• Benefits
  – It helps you ensure that clients don't supply malicious code to your application
  – A safer way to allow rich content from an application's users
http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
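What "compliant with the application's rules" means in practice, as an added example (this is not AntiSamy's code; AntiSamy is a Java/.NET library with an XML policy file, and this is a Python sketch of the same allowlist approach on the standard library). The policy below, the tag and attribute names it allows, and the sample input are all assumptions chosen for the example.

```python
# Added example (not AntiSamy's code): an allowlist HTML sanitizer in the
# spirit of AntiSamy, built on the standard library. The policy (tags,
# attributes, URL schemes) is an assumption chosen for the example.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Policy: which tags survive, which attributes each may carry, and which URL
# schemes are acceptable in href/src. Everything not listed is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
VOID_TAGS = {"br"}


def safe_url(value: str) -> bool:
    # `javascript:`, `data:` and friends are rejected by scheme, after
    # stripping whitespace and control characters browsers would ignore.
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    return urlsplit(cleaned).scheme.lower() in ALLOWED_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens, keeping only approved markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack used to keep the output balanced
        self.skip_depth = 0   # >0 while inside <script>/<style>: drop text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS or self.skip_depth:
            return  # unknown tag: drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops onclick=, style=, etc.
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_tags:
            # close everything opened after it so the output stays well-formed
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped

    def result(self) -> str:
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    s = Sanitizer()
    s.feed(html)
    return s.result()


if __name__ == "__main__":
    # Constructed sample: legitimate formatting mixed with common XSS vectors.
    sample = ('<p onclick="steal()">Hi <b>there</b> '
              '<a href="javascript:alert(1)">x</a> '
              '<a href="https://owasp.org" title="o">OWASP</a></p>'
              '<script>alert(document.cookie)</script><img src=x onerror=alert(1)>')
    print(sanitize(sample))
```

The parser decodes entities before the policy sees attribute values, so `java&#09;script:` is judged as `javascript:` rather than slipping past a string comparison; that is the difference between sanitizing a parsed document and regex-filtering raw text. CSS is out of scope here, which is one reason to prefer a maintained library such as AntiSamy or HTMLPurifier in production.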
34. OWASP CSRFGuard
• OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery. CSRF is an attack where the victim's browser is tricked into sending a request to a website where the victim is already authenticated.
  – Java, .NET and PHP implementations
  – CSRF is considered the app sec sleeping giant
• Benefits
  – Provides code to generate and verify unique request tokens to mitigate CSRF risks
http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
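The synchronizer-token pattern CSRFGuard implements, reduced to its essentials as an added Python example (not CSRFGuard's code, which is Java). The session object, the form field name `csrf_token`, the `X-CSRF-Token` header and the endpoint shape are assumptions for the example.

```python
# Added example (not CSRFGuard's code): synchronizer-token CSRF protection.
# Session store, request shape, field and header names are assumptions.
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class Session:
    def __init__(self):
        # One unguessable token per session, generated server side. The
        # attacker's page cannot read it because of the same-origin policy.
        self.csrf_token = secrets.token_urlsafe(32)


def render_form(session: Session, action: str) -> str:
    """Embed the session token in every state-changing form."""
    return (f'<form method="POST" action="{action}">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            '</form>')


def csrf_guard(session: Session, method: str, form: dict, headers: dict) -> bool:
    """Return True if the request may proceed.

    Safe methods are exempt (they must not change state). For everything
    else the token must arrive in the body or in a custom header (AJAX) and
    match the session's token; hmac.compare_digest avoids leaking the match
    position through timing.
    """
    if method in SAFE_METHODS:
        return True
    supplied = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not supplied:
        return False
    return hmac.compare_digest(supplied, session.csrf_token)


def transfer_endpoint(session: Session, method: str, form: dict, headers: dict) -> int:
    # Returns an HTTP-style status: 403 when the guard rejects, 200 otherwise.
    if not csrf_guard(session, method, form, headers):
        return 403
    return 200


def demo() -> dict:
    victim = Session()
    # Legitimate request: the browser submitted our own form, token included.
    legit = transfer_endpoint(victim, "POST",
                              {"amount": "100", "csrf_token": victim.csrf_token}, {})
    # Forged request: a page on attacker.example auto-submits a form to our
    # site. The victim's session cookie rides along, but the attacker cannot
    # read the token, so the field is absent or a guess.
    forged = transfer_endpoint(victim, "POST", {"amount": "100"}, {})
    guessed = transfer_endpoint(victim, "POST",
                                {"amount": "100", "csrf_token": "A" * 43}, {})
    # AJAX callers send the same token in a header instead of the body.
    ajax = transfer_endpoint(victim, "POST", {"amount": "100"},
                             {"X-CSRF-Token": victim.csrf_token})
    return {"legit": legit, "forged": forged, "guessed": guessed, "ajax": ajax}


if __name__ == "__main__":
    print(demo())
```

The guard is only as good as the exemption list: a state change reachable by GET bypasses it entirely, which is why CSRFGuard-style tooling pairs token checks with a rule that safe methods stay side-effect free.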
39. OWASP ASVS - Security Assurance Methodology
• The OWASP Application Security Verification Standard (ASVS) defines a standard for conducting app sec verifications.
  – Covers automated and manual approaches for external testing and code review techniques
  – Recently created and already adopted by several companies and government agencies
• Benefits
  – Standardizes the coverage and level of rigor used to perform app sec assessments
  – Allows for better comparisons
http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
40. OWASP Top Ten
• The OWASP Top Ten represents a broad consensus of what the most critical web application security flaws are.
  – Adopted by the Payment Card Industry (PCI)
  – Recommended as a best practice by many government and industry entities
• Benefits
  – Powerful awareness document for web application security
  – Great starting point and reference for developers
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
41. Prescriptive Advice for Testing
• Simplify!!!
• Create a roadmap
• Standardize testing
• Follow a methodology!!!
• Metrics are actually important. Really.
• Tools.
44. sqlmap.py – Test for the dreaded SQLi
• Use in conjunction with Burp or Zed Attack Proxy.
• Capture a POST request to the web site via the proxy.
• Save the raw POST request to a text file and hand it to sqlmap with -r; sqlmap then tests the parameters it finds in that request.
• http://sqlmap.org/
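The bug class sqlmap is hunting for, shown against an in-memory SQLite database as an added example (this is not sqlmap code and not from the talk). The table, rows, and the payload are constructed; a login that splices input into SQL text sits beside the parameterized version that sqlmap's probes would find nothing in.

```python
# Added example (not from sqlmap): the class of bug sqlmap hunts for, shown
# against an in-memory SQLite database. Table, rows and payload are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, pw TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "s3cret"), (2, "alice", "hunter2")])
    return con


def login_vulnerable(con, user: str, pw: str):
    # Values are spliced into the SQL text; the quote in `pw` ends the literal
    # and the rest becomes code. This is the shape sqlmap's boolean-based and
    # error-based checks detect by sending paired true/false payloads.
    sql = f"SELECT id, name FROM users WHERE name = '{user}' AND pw = '{pw}'"
    return con.execute(sql).fetchall()


def login_parameterized(con, user: str, pw: str):
    # Placeholders keep user input as data: the same payload is simply a
    # password that matches nothing.
    sql = "SELECT id, name FROM users WHERE name = ? AND pw = ?"
    return con.execute(sql, (user, pw)).fetchall()


# Classic tautology payload (one of many sqlmap tries); the trailing `--`
# comments out whatever remained of the original WHERE clause.
PAYLOAD = "' OR '1'='1' --"


def demo() -> dict:
    con = make_db()
    return {
        "vulnerable": login_vulnerable(con, "admin", PAYLOAD),
        "parameterized": login_parameterized(con, "admin", PAYLOAD),
    }


if __name__ == "__main__":
    print(demo())
```

Against a live target the equivalent step is `sqlmap -r request.txt -p pw --batch` with the captured POST in request.txt; the vulnerable handler above returns every row for the tautology, the parameterized one returns none.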
47. Static Analysis Options for Source Code Reviews
Product         | License                          | Type                   | Languages     | Features
FxCop [4]       | Free (Microsoft; not open source) | VS plugin              | .NET          | Security-specific static analysis; UI built into Visual Studio
RIPS [7]        | Open source, GPL                 | Standalone             | PHP           | Professional user interface; security-specific analysis
FlawFinder [19] | Open source, GPL                 | Standalone, text-based | C/C++         | Security-specific analysis (injections, overflows, etc.); dangerous function analysis
PreFast [20]    | Free (Microsoft; not open source) | VS plugin              | C/C++         | General static analysis; UI built into Visual Studio
BrakeMan [21]   | Open source, MIT                 | Standalone, text-based | Ruby on Rails | Security-specific analysis; strong following
48. FlawFinder
Works on C/C++ source code. Console-based and specifically targets security vulnerabilities.
Uses "a built-in database of C/C++ functions (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random())" [19].
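How a tool of that kind works, as an added example (this is not Flawfinder's code, which is a much larger Python program with its own rule database): a lexical scanner that tokenizes C source, skips comments and string literals so that a function name mentioned there is not reported, and flags calls to functions in a small rule table with a risk level and a safer alternative. The rule table is a subset chosen for the example and the C sample is constructed.

```python
# Added example (not Flawfinder's code): the lexical approach Flawfinder takes,
# in miniature. Rule table is an illustrative subset; the C sample is constructed.
import re

# name -> (risk level 1-5, why it is risky, suggested replacement)
RULES = {
    "gets":    (5, "no bounds check at all", "fgets"),
    "strcpy":  (4, "unbounded copy", "strncpy/strlcpy with explicit size"),
    "strcat":  (4, "unbounded append", "strncat/strlcat"),
    "sprintf": (4, "unbounded format into buffer", "snprintf"),
    "system":  (4, "shell metacharacters in argument", "execve with argv array"),
    "popen":   (4, "shell metacharacters in argument", "fork/exec without a shell"),
    "tmpnam":  (3, "race between name and open", "mkstemp"),
    "random":  (3, "not cryptographic", "getrandom/arc4random"),
}

# Alternation order matters: comments and strings are matched first so that a
# call name inside them is swallowed rather than reported. The ident branch
# only fires for a whole identifier followed by "(", so fgets() never matches
# the gets rule.
TOKEN = re.compile(r"""
    (?P<comment>/\*.*?\*/|//[^\n]*)
  | (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])')
  | (?P<ident>[A-Za-z_]\w*)\s*\(
  | (?P<newline>\n)
  | .
""", re.DOTALL | re.VERBOSE)


def scan(source: str):
    """Return [(line, function, level, message)] sorted by risk, then line."""
    hits, line = [], 1
    for m in TOKEN.finditer(source):
        kind = m.lastgroup
        if kind == "newline":
            line += 1
        elif kind in ("comment", "string"):
            line += m.group().count("\n")   # multi-line comments/strings
        elif kind == "ident" and m.group("ident") in RULES:
            level, why, fix = RULES[m.group("ident")]
            hits.append((line, m.group("ident"), level, f"{why}; consider {fix}"))
    return sorted(hits, key=lambda h: (-h[2], h[0]))


# Constructed C sample: real hits plus the two classic false-positive traps
# (a mention in a comment and in a string) and a same-named user function.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
/* strcpy(dst, src) used to live here */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);                 // line 7: overflow if name > 31 bytes
    printf("never call gets() here\n"); // string literal, not a call
    gets(buf);                         // line 9
    system(buf);                       // line 10
}
int my_random(void) { return 4; }     /* not libc random() */
'''


if __name__ == "__main__":
    for line, fn, level, msg in scan(SAMPLE_C):
        print(f"line {line}: [{level}] {fn}(): {msg}")
```

Because the scanner never builds a data-flow model, `strcpy(buf, "literal")` is reported with the same level as a copy of attacker input; that is the trade-off Flawfinder makes for speed and zero build integration, and why its output is a triage list rather than a finding list.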
50. RIPS
Written in PHP, and for PHP specifically, to find vulnerabilities.
Can create a program model of the source code.
Detects vulnerable functions (sinks) that can be reached by malicious user input (sources).
An audit framework is provided for further analysis in an IDE-style interface.
Detects XSS, SQL injection, LFI/RFI, and RCE vulnerabilities.
52. Real Time Code Coverage during Black Box Testing
Follow your #blackbox web testing efforts with source code weakness #visualization: https://www.owasp.org/index.php/OWASP_Code_Pulse_Project #POSSCON #OWASP
53. SPARTA v1.0.2 Network Infra Testing
Run nmap from SPARTA or import nmap XML output.
Transparent staged nmap: get results quickly and achieve thorough coverage.
Configurable context menu for each service. You can configure what to run on discovered
services. Any tool that can be run from a terminal, can be run from SPARTA.
You can run any script or tool on a service across all the hosts in scope, just with a click of
the mouse.
Define automated tasks for services (i.e. run nikto on every HTTP service, or sslscan on
every SSL service).
Default credentials check for most common services. Of course, this can also be
configured to run automatically.
Identify password reuse on the tested infrastructure. If any usernames/passwords are
found by Hydra they are stored in internal wordlists which can then be used on other
targets in the same network (breaking news: sysadmins reuse passwords).
Ability to mark hosts that you have already worked on so that you don’t waste time looking
at them again.
Website screenshot taker so that you don’t waste time on less interesting web servers.
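The "import nmap XML, then run a tool on every discovered service" step that SPARTA automates, as a stand-alone added example (not SPARTA's code). The XML is a constructed sample in the shape nmap's -oX output takes, and the service-to-command table is an assumption for the example; the tool invocations it contains (nikto, sslscan, hydra) are real command lines.

```python
# Added example (not SPARTA's code): parse nmap -oX output and build the
# per-service task queue SPARTA would run. XML sample and TASKS table are
# assumptions constructed for the example.
import shlex
import xml.etree.ElementTree as ET

# Constructed nmap XML for three hosts (one down, one filtered port).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports></host>
  <host><status state="down"/><address addr="10.0.0.10" addrtype="ipv4"/></host>
</nmaprun>"""

# Automated tasks keyed by normalized service name; {host}/{port} are filled in.
TASKS = {
    "http":  ["nikto -h http://{host}:{port}"],
    "https": ["nikto -h https://{host}:{port}", "sslscan {host}:{port}"],
    "ssh":   ["hydra -L users.txt -P passwords.txt -t 4 ssh://{host}:{port}"],
    "ftp":   ["hydra -L users.txt -P passwords.txt ftp://{host}:{port}"],
}


def parse_open_services(xml_text: str):
    """Yield (host, port, service) for every open port on every live host."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name")
            # nmap reports TLS-wrapped services as name="http" tunnel="ssl";
            # http-proxy is close enough to http for web scanners.
            if name == "http" and svc.get("tunnel") == "ssl":
                name = "https"
            elif name == "http-proxy":
                name = "http"
            yield addr, int(port.get("portid")), name


def plan_tasks(xml_text: str):
    """Build the command list, one entry per (service, tool) pair.

    Commands are returned as argv lists so a runner can pass them to
    subprocess without a shell, keeping odd hostnames from becoming shell
    syntax.
    """
    plan = []
    for host, port, name in parse_open_services(xml_text):
        for template in TASKS.get(name, []):
            cmd = template.format(host=host, port=port)
            plan.append((host, port, name, shlex.split(cmd)))
    return plan


if __name__ == "__main__":
    for host, port, name, argv in plan_tasks(NMAP_XML):
        print(f"{host}:{port} ({name}) -> {' '.join(argv)}")
```

Everything credential-related in the table (the hydra entries) is the part to wire to an explicit scope check before letting it auto-run; SPARTA's "default credentials check" is convenient precisely because it is one click, which is also how it ends up hitting a host that was not in scope.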
54. Weeding out Bad Hash
Bad hashes have plagued the news in recent #breaches. Validate your #hash: http://code.google.com/p/hash-identifier/ #appsec
Hash ID: Python-based hash validator
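What a hash identifier actually does, and the question behind "weeding out bad hash", as an added Python example (this is not hash-identifier's code). Identification is by length and character set only, so it yields candidates rather than a verdict: an MD5, an MD4 and an NTLM hash are indistinguishable by shape. The signature table is a subset chosen for the example; the sample dump is constructed, with the hex digests computed from the string "hunter2" and the bcrypt/Argon2 entries being format examples rather than real derivations.

```python
# Added example (not hash-identifier's code): length/charset heuristics for
# hash identification, plus a review of whether each is an acceptable
# password-storage scheme. Signatures are a subset; the dump is constructed.
import hashlib
import re

# (pattern, candidate algorithms, acceptable for password storage?)
SIGNATURES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), ["bcrypt"], True),
    (re.compile(r"^\$argon2(id|i|d)\$"), ["Argon2"], True),
    (re.compile(r"^\$6\$"), ["sha512crypt"], True),
    (re.compile(r"^\$1\$"), ["md5crypt"], False),
    (re.compile(r"^[0-9a-fA-F]{32}$"), ["MD5", "MD4", "NTLM", "LM (two halves)"], False),
    (re.compile(r"^[0-9a-fA-F]{40}$"), ["SHA-1", "RIPEMD-160"], False),
    (re.compile(r"^[0-9a-fA-F]{64}$"), ["SHA-256", "SHA3-256"], False),
    (re.compile(r"^[0-9a-fA-F]{128}$"), ["SHA-512", "SHA3-512"], False),
    (re.compile(r"^[0-9a-fA-F]{32}:.+$"), ["MD5 with appended salt (hash:salt)"], False),
]


def identify(h: str):
    """Return (candidates, acceptable_for_passwords). Empty list means unknown."""
    h = h.strip()
    for pattern, names, ok in SIGNATURES:
        if pattern.match(h):
            return names, ok
    return [], False


def review(hashes):
    """Flag every hash that is not a slow, salted password hash."""
    findings = []
    for h in hashes:
        names, ok = identify(h)
        if not names:
            findings.append((h, "unrecognised format"))
        elif not ok:
            findings.append((h, f"fast/unsalted: likely {' / '.join(names)}"))
    return findings


def sample_dump():
    # Constructed: what a leaked credential column often looks like.
    pw = b"hunter2"
    return [
        hashlib.md5(pw).hexdigest(),
        hashlib.sha1(pw).hexdigest(),
        hashlib.sha256(pw).hexdigest(),
        "$2b$12$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",  # bcrypt layout example
        "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$Zm9vYmFy",          # argon2 layout example
        "not-a-hash",
    ]


if __name__ == "__main__":
    for h, why in review(sample_dump()):
        print(f"{h[:20]:<22} {why}")
```

The useful output is the review, not the label: an unsalted fast digest, whichever of the candidate algorithms it turns out to be, is the "bad hash" the slide refers to, because it can be cracked at GPU speed from a breach dump. Reading the format string of a modular-crypt hash (`$2b$12$`, `$argon2id$...m=65536,t=3`) also tells you the work factor, which is the second thing to check.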
55. The Zed Attack Proxy
• Released September 2010
• Ease of use a priority
• Comprehensive help pages
• Free, Open source
• Cross platform
• A fork of the well regarded Paros Proxy
• Involvement actively encouraged
• Adopted by OWASP October 2010
56. ZAP Overview
• ZAP is:
Easy to use (for a web app pentest tool;)
Ideal for appsec newcomers
Ideal for training courses
Being used by Professional Pen Testers
Easy to contribute to (and please do!)
Improving rapidly
57. The Main Features
All the essentials for web application testing
• Intercepting Proxy
• Active and Passive Scanners
• Spider
• Report Generation
• Brute Force (using OWASP DirBuster code)
• Fuzzing (using OWASP JBroFuzz code)
58. The Additional Features
Auto tagging
Port scanner
Smart card support
Session comparison
Invoke external apps
BeanShell integration
API + Headless mode
Dynamic SSL Certificates
Anti CSRF token handling
60. ZAP Summary
• ZAP has:
An active development community
An international user base
The potential to reach people new to OWASP
and appsec, especially developers and
functional testers
• ZAP is a key OWASP project
• Security Tool of the Year 2013
61. BurpSuite
• Enhance scanners to detect more vulnerabilities
• Extend API, better integration
• Fuzzing analysis
• Easier to use, better help
• More localization
(all offers gratefully received!)
• Parameter analysis?
• Technology detection?
70. A Word on OpenSource Adoption
1. Define scope of adoption
   a. Driven by _ _ _ _ _ _ _ (impact, criticality, etc.)
   b. Use cases / abuse cases
   c. Architecture
2. Set up controlled adoption
3. Test, decompile, review
4. Become involved in dev forums
71. More Tools
• SET – Social Engineering Toolkit (http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET))
• BeEF – Browser Exploitation Framework
(http://www.bindshell.net/tools/beef.html)
• Metasploit – http://www.metasploit.com/
• Kali - http://www.kali.org/
• Burp - http://portswigger.net/burp/
• Recon-ng – full featured web recon framework tool that is text
based and written in Python
https://bitbucket.org/LaNMaSteR53/recon-ng
• Twitter? Yes, Twitter, 2nd to Google, is hacker’s paradise
72. Closing Thoughts
Leverage open source resources to INFLUENCE your security program development and management.
Do NOT make your security program free and open; keep it close to the vest.
Keeping abreast of security news is a must: the threat landscape is ever changing.
Tell management that security is a process, not a one-time mountain climb. Keeping executive support for security is the most important thing for the longevity of your security program.
Learn how to measure and improve your security program using metrics over time.