SlideShare ist ein Scribd-Unternehmen logo

QAing Security with OWASP Top 10

Amit Gundiyal
Amit Gundiyal

Here are the slides from my recent workshop on "QAing the Security Way!" This workshop was focused on setting up OWASP Mutillidae II application on local machines and perform hands-on OWASP Top 10 Most Critical Web Application Security Risks. OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.

Software
1 von 57
QAing the Security Way! Amit & Null vodQA, Pune 17th March 2018
“A system is secure if it behaves precisely in the manner intended - and does nothing more” - Ivan Arce
Amit Gundiyal Senior Consultant - Quality Analyst at ThoughtWorks, Inc 6+ years of experience (as Dev, QA & BA) About Me
Nalinikanth AKA Null About Me Senior Consultant - Quality Analyst at ThoughtWorks, Inc 5+ years of experience
©ThoughtWorks, Inc. Do not copy. Do not distribute. 5 Ground Rules ● Follow the speaker ○ Don’t get deviated. ○ If you are stuck call any of the volunteers. ● We will share you all the material don’t bother about that. ● Ask questions whenever you have - don’t wait. ● MOST IMPORTANT!
Information Technology Act 2000 Imprisonment upto 5 years and / or with fine upto ₹5,00,000 http://www.itlaw.in/ https://en.wikipedia.org/wiki/Information_Technology_Act,_2000
©ThoughtWorks, Inc. Do not copy. Do not distribute. 7 What to expect? ● Talk about QAing and Security. ● OWASP TOP 10 ● Hands on few OWASP threats. ● We will be using tools to do an attack, but will not go in depth on the tools.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 8 Agenda ● What and Why of security ? ● QA role in testing security. ● OWASP TOP 10 ● Hands on security vulnerabilities
©ThoughtWorks, Inc. Do not copy. Do not distribute. 9 What and Why of Security Testing? In 2017 ● Verizon: 14 Millions of customer records exposed in security lapse. ● Verifone: the largest maker of point-of-sale credit card terminals used across world. ● Deloitte: Embarrassingly for the accounting firm who pride themselves on their Cyber Intelligence Centre, Deloitte fell victim to a cyber attack in March. ● Deep Root Analytics: A data analytics firm, to gather political information about U.S. voters. Chris Vickery, a cyber risk analyst, discovered that the sensitive information Deep Root Analytics obtained–personal data for roughly 198 million American citizens. ● Virgin America: In a letter to employees, airline Virgin America revealed that a hacker had successfully entered their corporate network gaining access to login information and passwords used by employees to access the network. ● Equifax: one of the three largest credit agencies in the U.S., suffered a breach that may affect 143 million consumers.
As a QA
©ThoughtWorks, Inc. Do not copy. Do not distribute. 11 What a QA has? ● End to end knowledge. ● One who tests almost everything in the system. ● Implement security thinking. ● Add security analysis to stories. ● Identify where security can possibly go for toss. ● Test the stories if they are vulnerable. ● Help team build more security products What a QA can do?
©ThoughtWorks, Inc. Do not copy. Do not distribute. 12 QA could have stopped this https://www.exploit-db.com/exploits/6421/
©ThoughtWorks, Inc. Do not copy. Do not distribute. 13 Let's start with a story
©ThoughtWorks, Inc. Do not copy. Do not distribute. 14 OWASP ● Open Web Application Security Project (OWASP) ● Online community, which creates freely-available articles, tools, methodologies, documentation, and technologies in the field of web application security. ● Not-for-profit charitable organization. ● Focussed on improving the security of software. ● Currently has over 150+ active projects
©ThoughtWorks, Inc. Do not copy. Do not distribute. 15 OWASP Top 10 ● List the 10 most critical web application security risks. ● A powerful awareness document. ● Published at regular intervals. ● Approximately once in 3 years. ● Last published in 2017
©ThoughtWorks, Inc. Do not copy. Do not distribute. 16 OWASP Top 10 - 2013 vs 2017
©ThoughtWorks, Inc. Do not copy. Do not distribute. 17 Tools we are using today ● OWASP Mutillidae II - Application to attack ● Burp suite to intercept requests (we can use ZAP as well) ● Python to steal cookie
What causes most of the attacks?
©ThoughtWorks, Inc. Do not copy. Do not distribute. 19 User Input - Surface Area I don’t like user input and this is why I don’t
©ThoughtWorks, Inc. Do not copy. Do not distribute. 20 A7: Cross-site Scripting (XSS) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can: ● hijack user sessions ● deface web sites ● redirect the user to malicious sites.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 21 A7: How XSS works?
©ThoughtWorks, Inc. Do not copy. Do not distribute. 22 Types of XSS ● Reflected XSS ○ Reflected XSS occurs when user input is immediately returned by a web application in an error message, search result, etc. and without permanently storing the user provided data. ● Stored XSS ○ Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc.
XSS Hands-on!! 23
©ThoughtWorks, Inc. Do not copy. Do not distribute. 24 Where in Mutillidae II?
©ThoughtWorks, Inc. Do not copy. Do not distribute. 25 A1: Injection Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Types of Injection: ● SQL Injection - Anywhere input value is being executed as a database query. ● OS Command Injection - Anywhere input is being executed as a command. ● Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, XML and many more
Injection Hands-on!!
©ThoughtWorks, Inc. Do not copy. Do not distribute. 27 Where in Mutillidae II? For SQL Injections -
©ThoughtWorks, Inc. Do not copy. Do not distribute. 28 Where in Mutillidae II? For OS Command Injection -
©ThoughtWorks, Inc. Do not copy. Do not distribute. 29 A3 : Sensitive Data Exposure Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Sometimes data pertaining to the configuration of systems is also leaked by error messages or forgotten debug pages.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 30 A3 : Sensitive Data Exposure Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. Scenario #2: A site doesn't use or enforce TLS for all pages, or if it supports weak encryption. An attacker simply monitors network traffic, strips or intercepts the TLS (like an open wireless network), and steals the user's session cookie.The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above he could alter all transported data, e.g. the recipient of a money transfer. Scenario #3: The password database uses unsalted hashes to store everyone's passwords. A file upload flaw allows an attacker to retrieve the password database. All the unsalted hashes can be exposed with a rainbow table of pre-calculated hashes.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 31 Where do we miss it ● Access to some unwanted files. ● Poor encryption mechanism. ● Not using HTTPS
Sensitive Data Exposure Hands-on!!
©ThoughtWorks, Inc. Do not copy. Do not distribute. 33 A2 : Broken Authentication
©ThoughtWorks, Inc. Do not copy. Do not distribute. 34 A2 : Broken Authentication
©ThoughtWorks, Inc. Do not copy. Do not distribute. 35 A2 : Broken Authentication Session management is a critical piece of application security. It is broader risk, and requires developers take care of protecting session id, user credential secure storage, session duration, and protecting critical session data in transit.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 36 How A2 can happen? ● SQL Injection. ● Weak passwords and Password retrieval mechanisms ● Not handling session ids properly which leads to privilege escalation or elevation of privilege. ● Cookies (Unencrypted, not securing them properly)
Broken Authentication Hands-on!!
©ThoughtWorks, Inc. Do not copy. Do not distribute. 38 Set up Proxy on firefox!!
©ThoughtWorks, Inc. Do not copy. Do not distribute. 39 Set up your burp Proxy!!
©ThoughtWorks, Inc. Do not copy. Do not distribute. 40 Interceptor on burp
©ThoughtWorks, Inc. Do not copy. Do not distribute. 41 A9 : Using components with known vulnerabilities Components such as libraries, frameworks & other modules, almost always run with privileges. Exploitation of a vulnerable component can cause serious data loss or server takeover. Apps using components with known vulnerabilities may undermine app defenses and enable a range of attacks.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 42 Where ● Technology we use. ● Third party libraries ○ Programing languages/ frameworks ○ Node modules ○ Charting libraries ○ Many more... ● Any tools or softwares installed.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 43 A9 : Recent Times
©ThoughtWorks, Inc. Do not copy. Do not distribute. 44 Where to check and how to protect? ● https://www.cvedetails.com/ Use dependency checkers.. ● https://www.owasp.org/index.php/OWASP_Dependency_Check ● https://github.com/nodesecurity/nsp
©ThoughtWorks, Inc. Do not copy. Do not distribute. 45 A4 : XML External Entity (XXE) Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal SMB file shares on unpatched Windows servers, internal port scanning, remote code execution, and denial of service attacks, such as the Billion Laughs attack.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 46 A4 : XML External Entity (XXE)
©ThoughtWorks, Inc. Do not copy. Do not distribute. 47 A8 : Insecure Deserialization Web servers and applications can leak information and allow attackers to take control over systems using misconfigurations either arising out of weak defaults, hidden applications or via enhanced functionality that causes the app to become vulnerable.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 48 A8 : Insecure Deserialization - Example
©ThoughtWorks, Inc. Do not copy. Do not distribute. 49 A5 : Broken Access Control Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 50 A6 : Security Misconfiguration Web servers and applications can leak information and allow attackers to take control over systems using misconfigurations either arising out of weak defaults, hidden applications or via enhanced functionality that causes the app to become vulnerable.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 51 A6 : Security Misconfiguration
©ThoughtWorks, Inc. Do not copy. Do not distribute. 52 A6 : Security Misconfiguration
©ThoughtWorks, Inc. Do not copy. Do not distribute. 53 A10 : Insufficient Logging and Monitoring Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
©ThoughtWorks, Inc. Do not copy. Do not distribute. ● What do you log? ● Where do you log? ● When do you log? ● Why do you log? ● Is this log sufficient? 54 A10 : Insufficient Logging and Monitoring
A system is secure if and only if it starts in a secure state and cannot enter an insecure state!!
©ThoughtWorks, Inc. Do not copy. Do not distribute. References ● https://blog.sqreen.io/reflected-xss/ ● https://news.netcraft.com/archives/2008/05/16/paypal_xss_vulnerability_undermines_ev_ssl_security.html ● https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/ ● https://motherboard.vice.com/en_us/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning ● http://www.information-age.com/10-cyber-security-trends-look-2017-123463680/ ● http://www.information-age.com/10-biggest-hacks-rocked-business-world-2017-123469857/ ● http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ ● https://www.csoonline.com/article/2130877/data-breach/the-16-biggest-data-breaches-of-the-21st-century.html ● http://fortune.com/2017/06/22/cybersecurity-hacks-history/ ● https://en.wikipedia.org/wiki/List_of_data_breaches ● http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/ ● https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails
THANK YOU For questions or suggestions mailto: amit.gundiyal@thoughtworks.com nalinim@thoughtworks.com

Empfohlen

vodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
NTXISSACSC4 - A Brief History of Cryptographic Failures
NTXISSACSC4 - A Brief History of Cryptographic FailuresNTXISSACSC4 - A Brief History of Cryptographic Failures
NTXISSACSC4 - A Brief History of Cryptographic FailuresNorth Texas Chapter of the ISSA
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingKeith Brooks
 
OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014Islam Azeddine Mennouchi
 
NTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't Enough
NTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't EnoughNTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't Enough
NTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't EnoughNorth Texas Chapter of the ISSA
 
NTXISSACSC4 - Cyber Insurance – Did You Know?
NTXISSACSC4 - Cyber Insurance – Did You Know?NTXISSACSC4 - Cyber Insurance – Did You Know?
NTXISSACSC4 - Cyber Insurance – Did You Know?North Texas Chapter of the ISSA
 
MacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsMacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsAlison Gianotto
 

Empfohlen

vodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
NTXISSACSC4 - A Brief History of Cryptographic Failures
NTXISSACSC4 - A Brief History of Cryptographic FailuresNTXISSACSC4 - A Brief History of Cryptographic Failures
NTXISSACSC4 - A Brief History of Cryptographic FailuresNorth Texas Chapter of the ISSA
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingKeith Brooks
 
OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014Islam Azeddine Mennouchi
 
NTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't Enough
NTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't EnoughNTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't Enough
NTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't EnoughNorth Texas Chapter of the ISSA
 
NTXISSACSC4 - Cyber Insurance – Did You Know?
NTXISSACSC4 - Cyber Insurance – Did You Know?NTXISSACSC4 - Cyber Insurance – Did You Know?
NTXISSACSC4 - Cyber Insurance – Did You Know?North Texas Chapter of the ISSA
 
MacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsMacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsAlison Gianotto
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsNarudom Roongsiriwong, CISSP
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot EssentialsAnton Chuvakin
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteAndrew Sorensen
 
Offensive Security basics part 2
Offensive Security basics part 2Offensive Security basics part 2
Offensive Security basics part 2wharpreet
 
NTXISSACSC4 - Ransomware: History Analysis & Mitigation
NTXISSACSC4 - Ransomware: History Analysis & MitigationNTXISSACSC4 - Ransomware: History Analysis & Mitigation
NTXISSACSC4 - Ransomware: History Analysis & MitigationNorth Texas Chapter of the ISSA
 
Offensive Security basics part 1
Offensive Security basics part 1Offensive Security basics part 1
Offensive Security basics part 1wharpreet
 
Maltego Webinar Slides
Maltego Webinar SlidesMaltego Webinar Slides
Maltego Webinar SlidesThreatConnect
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responsejeffmcjunkin
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE - ATT&CKcon
 
Network Forensics Backwards and Forwards
Network Forensics Backwards and ForwardsNetwork Forensics Backwards and Forwards
Network Forensics Backwards and ForwardsSavvius, Inc
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAPNIC
 
Robert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software DesignRobert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software Designcentralohioissa
 
You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
You Suspect a Security Breach. Network Forensic Analysis Gives You the AnswersYou Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
You Suspect a Security Breach. Network Forensic Analysis Gives You the AnswersSavvius, Inc
 
Webinar: Stopping evasive malware - how a cloud sandbox array works
Webinar: Stopping evasive malware - how a cloud sandbox array worksWebinar: Stopping evasive malware - how a cloud sandbox array works
Webinar: Stopping evasive malware - how a cloud sandbox array worksCyren, Inc
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareKaspersky
 
NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...
NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...
NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...North Texas Chapter of the ISSA
 
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy BeyondTrust
 
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...CODE BLUE
 
IPv6 Security - Where is the Challenge
IPv6 Security - Where is the ChallengeIPv6 Security - Where is the Challenge
IPv6 Security - Where is the ChallengeRIPE NCC
 
Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Mike Tetreault
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxAmardeepKumar621436
 

Weitere ähnliche Inhalte

Was ist angesagt?

Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsNarudom Roongsiriwong, CISSP
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteAndrew Sorensen
 
Offensive Security basics part 2
Offensive Security basics part 2Offensive Security basics part 2
Offensive Security basics part 2wharpreet
 
Offensive Security basics part 1
Offensive Security basics part 1Offensive Security basics part 1
Offensive Security basics part 1wharpreet
 
Maltego Webinar Slides
Maltego Webinar SlidesMaltego Webinar Slides
Maltego Webinar SlidesThreatConnect
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responsejeffmcjunkin
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE - ATT&CKcon
 
Network Forensics Backwards and Forwards
Network Forensics Backwards and ForwardsNetwork Forensics Backwards and Forwards
Network Forensics Backwards and ForwardsSavvius, Inc
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAPNIC
 
Robert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software DesignRobert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software Designcentralohioissa
 
You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
You Suspect a Security Breach. Network Forensic Analysis Gives You the AnswersYou Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
You Suspect a Security Breach. Network Forensic Analysis Gives You the AnswersSavvius, Inc
 
Webinar: Stopping evasive malware - how a cloud sandbox array works
Webinar: Stopping evasive malware - how a cloud sandbox array worksWebinar: Stopping evasive malware - how a cloud sandbox array works
Webinar: Stopping evasive malware - how a cloud sandbox array worksCyren, Inc
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareKaspersky
 
NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...
NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...
NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...North Texas Chapter of the ISSA
 
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy BeyondTrust
 
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...CODE BLUE
 
IPv6 Security - Where is the Challenge
IPv6 Security - Where is the ChallengeIPv6 Security - Where is the Challenge
IPv6 Security - Where is the ChallengeRIPE NCC
 

Was ist angesagt? (19)

Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security Problems
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot Essentials
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
 
Offensive Security basics part 2
Offensive Security basics part 2Offensive Security basics part 2
Offensive Security basics part 2
 
NTXISSACSC4 - Ransomware: History Analysis & Mitigation
NTXISSACSC4 - Ransomware: History Analysis & MitigationNTXISSACSC4 - Ransomware: History Analysis & Mitigation
NTXISSACSC4 - Ransomware: History Analysis & Mitigation
 
Offensive Security basics part 1
Offensive Security basics part 1Offensive Security basics part 1
Offensive Security basics part 1
 
Maltego Webinar Slides
Maltego Webinar SlidesMaltego Webinar Slides
Maltego Webinar Slides
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident response
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - October
 
Network Forensics Backwards and Forwards
Network Forensics Backwards and ForwardsNetwork Forensics Backwards and Forwards
Network Forensics Backwards and Forwards
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
 
Robert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software DesignRobert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software Design
 
You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
You Suspect a Security Breach. Network Forensic Analysis Gives You the AnswersYou Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
 
Webinar: Stopping evasive malware - how a cloud sandbox array works
Webinar: Stopping evasive malware - how a cloud sandbox array worksWebinar: Stopping evasive malware - how a cloud sandbox array works
Webinar: Stopping evasive malware - how a cloud sandbox array works
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomware
 
NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...
NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...
NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...
 
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
 
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
 
IPv6 Security - Where is the Challenge
IPv6 Security - Where is the ChallengeIPv6 Security - Where is the Challenge
IPv6 Security - Where is the Challenge
 

Ähnlich wie QAing Security with OWASP Top 10

Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Mike Tetreault
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxAmardeepKumar621436
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdfKunjJoshi14
 
13.02 Network Security
13.02 Network Security13.02 Network Security
13.02 Network SecurityAnjan Mahanta
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackinghcls
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerShivamSharma909
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.pptKaukau9
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)Mike Tetreault
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Cryptography and system security
Cryptography and system securityCryptography and system security
Cryptography and system securityGary Mendonca
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 

Ähnlich wie QAing Security with OWASP Top 10 (20)

Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
01
01 01
01
 
19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf
 
13.02 Network Security
13.02 Network Security13.02 Network Security
13.02 Network Security
 
Network security
Network securityNetwork security
Network security
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answer
 
Check Point: Securing Web 2.0
Check Point: Securing Web 2.0 Check Point: Securing Web 2.0
Check Point: Securing Web 2.0
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Cryptography and system security
Cryptography and system securityCryptography and system security
Cryptography and system security
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
 

Kürzlich hochgeladen

Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonApplitools
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...OnePlan Solutions
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesVictoriaMetrics
 
Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Anthony Dahanne
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptxVinzoCenzo
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesKrzysztofKkol1
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfkalichargn70th171
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogueitservices996
 

Kürzlich hochgeladen (20)

Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 Updates
 
Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptx
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogue
 

QAing Security with OWASP Top 10

  • 1. QAing the Security Way! Amit & Null vodQA, Pune 17th March 2018
  • 2. “A system is secure if it behaves precisely in the manner intended - and does nothing more” - Ivan Arce
  • 3. Amit Gundiyal Senior Consultant - Quality Analyst at ThoughtWorks, Inc 6+ years of experience (as Dev, QA & BA) About Me
  • 4. Nalinikanth AKA Null About Me Senior Consultant - Quality Analyst at ThoughtWorks, Inc 5+ years of experience
  • 5. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 5 Ground Rules ● Follow the speaker ○ Don’t get deviated. ○ If you are stuck call any of the volunteers. ● We will share you all the material don’t bother about that. ● Ask questions whenever you have - don’t wait. ● MOST IMPORTANT!
  • 6. Information Technology Act 2000 Imprisonment upto 5 years and / or with fine upto ₹5,00,000 http://www.itlaw.in/ https://en.wikipedia.org/wiki/Information_Technology_Act,_2000
  • 7. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 7 What to expect? ● Talk about QAing and Security. ● OWASP TOP 10 ● Hands on few OWASP threats. ● We will be using tools to do an attack, but will not go in depth on the tools.
  • 8. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 8 Agenda ● What and Why of security ? ● QA role in testing security. ● OWASP TOP 10 ● Hands on security vulnerabilities
  • 9. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 9 What and Why of Security Testing? In 2017 ● Verizon: 14 Millions of customer records exposed in security lapse. ● Verifone: the largest maker of point-of-sale credit card terminals used across world. ● Deloitte: Embarrassingly for the accounting firm who pride themselves on their Cyber Intelligence Centre, Deloitte fell victim to a cyber attack in March. ● Deep Root Analytics: A data analytics firm, to gather political information about U.S. voters. Chris Vickery, a cyber risk analyst, discovered that the sensitive information Deep Root Analytics obtained–personal data for roughly 198 million American citizens. ● Virgin America: In a letter to employees, airline Virgin America revealed that a hacker had successfully entered their corporate network gaining access to login information and passwords used by employees to access the network. ● Equifax: one of the three largest credit agencies in the U.S., suffered a breach that may affect 143 million consumers.
  • 11. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 11 What a QA has? ● End to end knowledge. ● One who tests almost everything in the system. ● Implement security thinking. ● Add security analysis to stories. ● Identify where security can possibly go for toss. ● Test the stories if they are vulnerable. ● Help team build more security products What a QA can do?
  • 12. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 12 QA could have stopped this https://www.exploit-db.com/exploits/6421/
  • 13. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 13 Let's start with a story
  • 14. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 14 OWASP ● Open Web Application Security Project (OWASP) ● Online community, which creates freely-available articles, tools, methodologies, documentation, and technologies in the field of web application security. ● Not-for-profit charitable organization. ● Focussed on improving the security of software. ● Currently has over 150+ active projects
  • 15. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 15 OWASP Top 10 ● List the 10 most critical web application security risks. ● A powerful awareness document. ● Published at regular intervals. ● Approximately once in 3 years. ● Last published in 2017
  • 16. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 16 OWASP Top 10 - 2013 vs 2017
  • 17. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 17 Tools we are using today ● OWASP Mutillidae II - Application to attack ● Burp suite to intercept requests (we can use ZAP as well) ● Python to steal cookie
  • 18. What causes most of the attacks?
  • 19. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 19 User Input - Surface Area I don’t like user input and this is why I don’t
  • 20. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 20 A7: Cross-site Scripting (XSS) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can: ● hijack user sessions ● deface web sites ● redirect the user to malicious sites.
  • 21. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 21 A7: How XSS works?
  • 22. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 22 Types of XSS ● Reflected XSS ○ Reflected XSS occurs when user input is immediately returned by a web application in an error message, search result, etc. and without permanently storing the user provided data. ● Stored XSS ○ Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc.
  • 24. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 24 Where in Mutillidae II?
  • 25. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 25 A1: Injection Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Types of Injection: ● SQL Injection - Anywhere input value is being executed as a database query. ● OS Command Injection - Anywhere input is being executed as a command. ● Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, XML and many more
  • 27. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 27 Where in Mutillidae II? For SQL Injections -
  • 28. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 28 Where in Mutillidae II? For OS Command Injection -
  • 29. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 29 A3 : Sensitive Data Exposure Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Sometimes data pertaining to the configuration of systems is also leaked by error messages or forgotten debug pages.
  • 30. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 30 A3 : Sensitive Data Exposure Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. Scenario #2: A site doesn't use or enforce TLS for all pages, or if it supports weak encryption. An attacker simply monitors network traffic, strips or intercepts the TLS (like an open wireless network), and steals the user's session cookie.The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above he could alter all transported data, e.g. the recipient of a money transfer. Scenario #3: The password database uses unsalted hashes to store everyone's passwords. A file upload flaw allows an attacker to retrieve the password database. All the unsalted hashes can be exposed with a rainbow table of pre-calculated hashes.
  • 31. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 31 Where do we miss it ● Access to some unwanted files. ● Poor encryption mechanism. ● Not using HTTPS
  • 33. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 33 A2 : Broken Authentication
  • 34. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 34 A2 : Broken Authentication
  • 35. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 35 A2 : Broken Authentication Session management is a critical piece of application security. It is broader risk, and requires developers take care of protecting session id, user credential secure storage, session duration, and protecting critical session data in transit.
  • 36. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 36 How A2 can happen? ● SQL Injection. ● Weak passwords and Password retrieval mechanisms ● Not handling session ids properly which leads to privilege escalation or elevation of privilege. ● Cookies (Unencrypted, not securing them properly)
  • 38. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 38 Set up Proxy on firefox!!
  • 39. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 39 Set up your burp Proxy!!
  • 40. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 40 Interceptor on burp
  • 41. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 41 A9 : Using components with known vulnerabilities Components such as libraries, frameworks & other modules, almost always run with privileges. Exploitation of a vulnerable component can cause serious data loss or server takeover. Apps using components with known vulnerabilities may undermine app defenses and enable a range of attacks.
  • 42. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 42 Where ● Technology we use. ● Third party libraries ○ Programing languages/ frameworks ○ Node modules ○ Charting libraries ○ Many more... ● Any tools or softwares installed.
  • 43. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 43 A9 : Recent Times
  • 44. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 44 Where to check and how to protect? ● https://www.cvedetails.com/ Use dependency checkers.. ● https://www.owasp.org/index.php/OWASP_Dependency_Check ● https://github.com/nodesecurity/nsp
  • 45. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 45 A4 : XML External Entity (XXE) Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal SMB file shares on unpatched Windows servers, internal port scanning, remote code execution, and denial of service attacks, such as the Billion Laughs attack.
  • 46. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 46 A4 : XML External Entity (XXE)
  • 47. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 47 A8 : Insecure Deserialization Web servers and applications can leak information and allow attackers to take control over systems using misconfigurations either arising out of weak defaults, hidden applications or via enhanced functionality that causes the app to become vulnerable.
  • 48. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 48 A8 : Insecure Deserialization - Example
  • 49. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 49 A5 : Broken Access Control Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.
  • 50. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 50 A6 : Security Misconfiguration Web servers and applications can leak information and allow attackers to take control over systems using misconfigurations either arising out of weak defaults, hidden applications or via enhanced functionality that causes the app to become vulnerable.
  • 51. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 51 A6 : Security Misconfiguration
  • 52. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 52 A6 : Security Misconfiguration
  • 53. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 53 A10 : Insufficient Logging and Monitoring Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
  • 54. ©ThoughtWorks, Inc. Do not copy. Do not distribute. ● What do you log? ● Where do you log? ● When do you log? ● Why do you log? ● Is this log sufficient? 54 A10 : Insufficient Logging and Monitoring
  • 55. A system is secure if and only if it starts in a secure state and cannot enter an insecure state!!
  • 56. ©ThoughtWorks, Inc. Do not copy. Do not distribute. References ● https://blog.sqreen.io/reflected-xss/ ● https://news.netcraft.com/archives/2008/05/16/paypal_xss_vulnerability_undermines_ev_ssl_security.html ● https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/ ● https://motherboard.vice.com/en_us/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning ● http://www.information-age.com/10-cyber-security-trends-look-2017-123463680/ ● http://www.information-age.com/10-biggest-hacks-rocked-business-world-2017-123469857/ ● http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ ● https://www.csoonline.com/article/2130877/data-breach/the-16-biggest-data-breaches-of-the-21st-century.html ● http://fortune.com/2017/06/22/cybersecurity-hacks-history/ ● https://en.wikipedia.org/wiki/List_of_data_breaches ● http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/ ● https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails
  • 57. THANK YOU For questions or suggestions mailto: amit.gundiyal@thoughtworks.com nalinim@thoughtworks.com