Secure Development Lifecycle

Danny Allan
Strategic Research Analyst
Watchfire Corporation

Agenda

Background
Enterprise Risk Management
   – People
   – Process
      • Threat modeling vs. ERM
      • Security as a quality
   – Technology
      • Automated & manual testing
Sample ERM Model
Summary

Not me …

We have a firewall
We use an IDS
Isn’t that what IT does?
We’re using SSL

Wait a second …

Application deployments are “highly” time critical
Application deployments are often late
Application deployments are often over-budget

“Won’t this add time, cost and resources?”

Basic Premise

Enterprise Risk Management saves time, money and resources

   – Today: web application
   – Tomorrow: web service
   – Next week: Web 2.0 AJAX
   – Next year: Web 10.0 CCS.NTs

Enterprise Risk Management

People
Process
Technology

People

Developer training
   – Security features ≠ secure programming
   – Security principles
   – Application threat classification

Security Principles

Use least privilege
Defense in depth
Don’t trust user input
Check at the gate
Fail securely
Secure the weakest link
Create secure defaults
Reduce your attack surface

Application Threat Classification

Authentication
Authorization
Client-side attacks
Command execution
Information disclosure
Logical attacks

Threat Modeling

Structured approach to identifying, quantifying and addressing threats

Allows security personnel to communicate potential risks and prioritize remediation efforts in a tangible form

Threat Modeling Activities

Step 1. Identify security objectives
   – Input: Business requirements, Security policies, Compliance requirements
   – Output: Key security objectives

Step 2. Create an application overview
   – Input: Deployment diagrams, Use cases, Functional specifications
   – Output: Whiteboard-style diagram, Key scenarios, Roles, Technologies, AppSec mechanisms

Step 3. Decompose your application
   – Input: Deployment diagrams, Use cases, Functional specifications, Data flow diagrams
   – Output: Trust boundaries, Entry points, Exit points, Data flows

Step 4. Identify, document and rate threats
   – Input: Common threats
   – Output: Threat list

Step 5. Identify vulnerabilities
   – Input: Common vulnerabilities
   – Output: Vulnerability list

Enterprise Risk Mgmt Process

Structured approach to designing, building and delivering web applications

Allows an organization to measure and communicate trustworthy computing in a tangible form

Definitions

Proc·ess: a series of actions directed toward a specific aim

Tan·gi·ble: capable of being given a physical existence

Security as a Quality Vector

Maps well to Software Development Lifecycle model

   Don’t think …                       Think …
   Security                            Quality
   XSS w/ HTML quote encapsulation     Output Encoding
   Blind SQL injection                 White listing input
                                       Parameterized queries
   Security issues                     Secure coding techniques

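The two "Think …" techniques on this slide, output encoding for the HTML quote context and whitelisted input fed to a parameterized query, as an added Python example; it is not code from the deck or from Watchfire, and the users table, the username rule and the sample rows are constructed for illustration.

```python
import html
import re
import sqlite3

# Constructed sample data: a tiny in-memory users table (not from the deck).
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
CONN.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "admin"), ("bob", "user")])

# Whitelist (positive validation): the only characters a username may contain.
# Assumed rule for this example; a real application defines its own.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(value: str) -> bool:
    """White listing input: accept only what is known good, reject everything else."""
    return USERNAME_RE.fullmatch(value) is not None


def find_role(username: str):
    """Parameterized query: the driver binds the value as data, so it is never
    parsed as part of the SQL statement, which is what defeats SQL injection."""
    if not is_valid_username(username):
        return None
    row = CONN.execute("SELECT role FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def encode_for_html_attribute(value: str) -> str:
    """Output encoding for a quoted HTML attribute: quote=True also encodes
    ' and ", so untrusted data cannot close the quotes that encapsulate it."""
    return html.escape(value, quote=True)


def greeting_html(display_name: str) -> str:
    """Render untrusted data into both an attribute value and element text,
    encoded for the HTML context on the way out rather than filtered on the way in."""
    safe = encode_for_html_attribute(display_name)
    return f'<span title="{safe}">{safe}</span>'
```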
Automated & Manual Testing

Automated Testing
   – White box (static code analysis)
   – Black box (web app scanners)
   – Strengths
      • Technical vulnerabilities
      • Scale and cost

Manual Testing
   – Strengths
      • Logical vulnerabilities
      • Human intelligence

Phase: Requirements

Entry Criteria
   – Business requirements/objectives
   – Constraints & assumptions
   – Project plans
   – High level architecture

Activities
   – Engage Security Expert
   – Determine Predictive Threat Index
   – Determine if application is a candidate for SDL process
   – Identify key compliance objectives
   – Define secure integration with external systems
   – Define application security test process & deliverables
   – Adjust project plan to include security resources
   – Contract needed resources
   – Review test process/strategy
   – Review project plan & budget

Deliverables
   – Security Expert/Consultant assigned
   – Preliminary security requirements defined
   – Security test strategy
   – Security integrated into the development process
   – Predictive Threat Index (Asset Value, Attack Surface)

Tools
   – Security consultant
   – Design Review Checklist
   – Roles and Responsibilities Matrix
   – Predictive Threat Index calculator
   – Security Knowledge Portal

Exit
   – Test strategy approved
   – Project plan approved

Phase: Design

Entry Criteria
   – Security requirements
   – Functional requirements
   – Use cases
   – Project plan & budget

Activities
   – Identify components responsible for security functions
   – Identify secure design techniques
   – Document attack surface
   – Create threat model
   – Review/modify security requirements
   – Identify components for Secure Code Review
   – Define security test requirements
   – Determine authorization requirements model
   – Update Security Master Test Plan
   – Update test schedule and budget

Deliverables
   – Minimized application attack surface
   – Application security test roles
   – Threat model
   – Security requirements in well defined components
   – Application security test plans
   – Certified components identified

Tools
   – Threat Model Checklist
   – Threat Model
   – Platform dependent coding checklist
   – Certified Components

Exit
   – Baseline established for requirements, test schedule and test budget

Phase: Implementation

Entry Criteria
   – Threat model
   – Master test plan
   – Security test plans
   – Use cases/roles

Activities
   – Code
      • Certified components
      • Security development/coding guidelines
   – Test / Verify
      • Security Code Review
      • Static code analyzer

Deliverables
   – Working application

Tools
   – Static Code Analyzer
   – Certified Components
   – Security Development Guidelines

Exit
   – Code verified using code review
   – Code verified using static code analysis tool

Phase: Integrate / Release

Entry Criteria
   – Build from source code repository
   – Test documents
   – Unit & integration test results (no severity 1 defects)

Activities
   – Integrate
      • Formal Secure Code Review
      • Automated Application Assessment
   – Final Security Review
      • Review of all bugs for possible security vulnerabilities
      • Review threat model for possible late developing threats
      • Manual penetration testing

Deliverables
   – Problems, defects, enhancements logged
   – Detailed test results
   – Validated requirements
   – Updated test results in centralized location
   – Certification

Tools
   – Secure Code Review
   – Automated security tool
   – Manual Penetration Test
   – Final Review Checklist

Exit
   – No high severity security defects

Summary

Enterprise Risk Management requires:
   – A tangible process
      • SDLC
      • Threat modeling (STRIDE / DREAD)
   – Security cooperation and guidance
   – Application developer buy-in

Thanks

Questions?

Danny Allan
Office: 781.547.7833
Dannya@watchfire.com
www.watchfire.com/securityzone