05 Vulnerability assessment.ppt


  • 8/14/2019 05 Vulnerability assessment.ppt

    1/32

    I.T.

    DIGIT TestCentre

    Vulnerability assessment service

    Gabriel BABIANO

    DIGIT.A.3

    29/11/2012

    2/32

    Agenda

    Service presentation

    Lessons learned

    3/32

    DIGIT TestCentre

    Organizational location: DIGIT.A.3

    Physical location: DRB D3 (LUX)

    Service manager: Gabriel BABIANO

    Performance testing service since 2002

    (currently 6 testers)

    Vulnerability assessment service since 2011

    (currently 3 testers)


    5/32

    Grounds for vulnerability assessment

    Motivation:

    Legal constraints

    Reputation

    Data stolen

    Continuity of the service

    75% of cyber-attacks are directed at the web application layer (Gartner)

    Network security alone does not protect web apps!!!

    6/32

    Tests in Information Systems life-cycle

    7/32

    Cost versus life-cycle stage

    "Finding and fixing a software problem after delivery is often 100 times more expensive than finding and fixing it during the design and requirements phase"

    (Barry Boehm)

    VT

    Secure coding guidelines

    8/32

    DIGIT TC Vulnerability service deliverables

    Vulnerability assessment reports (per test/iteration)

    Filtered potential vulnerabilities (no false positive)

    Classification on criticality and prioritization

    Potential remediation

    Evolution from previous iterations

    Secure coding guidelines

    Best practices in secure coding

    Recommended languages (HTML, JAVA, ColdFusion)

    Aligned to threats evolution

    Both for developers and operational managers

    1st draft release due for 01/2013

    9/32

    DIGIT VT service tests

    Black Box Vulnerability Test (dynamic analysis)

    Need a working application target (closest to PROD)

    No access to source code required

    Not specific to coding language(s)

    Automatic tools + manual testing to supplement the tools

    Complement to Penetration Testing and WBVT

    White Box Vulnerability Tests (static analysis)

    Access to buildable source code

    Automatic tools + manual revision to avoid false positives

    All recommended languages are supported (Java, CF)

    No absolute need for application target but it helps a lot

    Detects more vulnerabilities than black box

    10/32

    DIGIT TestCentre service procedure workflow

    Several iterations are normally required

    11/32

    DIGIT TC Vulnerability service tools

    Static code analysis (SAST)

    Automatic tools

    Manual code review: Eclipse

    Dynamic program analysis (DAST)

    Automatic tools

    Manual tools: Firefox and plugins:

    Tamper Data

    Database tools

    12/32

    Tools evaluation - methodology

    13/32

    Tools evaluation criteria

    14/32

    Tools evaluation critical metrics

    Correctness of the results
      Accurate
      Minimum false positives
      Minimum inconclusive results
      Minimum duplicates

    Completeness of the results
      % detected
      % missed
      False negatives
      Misnamed

    Performance
      Scan duration

    15/32

    Tools lists

    Static code analysis (SAST)

    http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis

    https://www.owasp.org/index.php/Source_Code_Analysis_Tools

    Dynamic program analysis (DAST)

    http://en.wikipedia.org/wiki/Dynamic_program_analysis

    Open source DAST tools:

    WebScarab

    Nikto / Wikto

    Open Web Application Security Project (OWASP)

    Google ratproxy and skipfish

    W3af

    Websecurify

    16/32

    Costs per test

    In-house service:
      Assumption: complete VTs (WB & BB) take 10 working days on average (15 tests per tester per year)
      Strong investment in licenses the first year
      Costs are similar after the 4th year
      Security-skilled tester with an "industrialized" procedure required

    Outsourced service:
      No investment required
      Less flexible for the development?
      Quality?
      Iterations?

    17/32

    Engineering for attacks

    18/32

    Vulnerability risk areas

    Security controls

    Security functions

    19/32

    OWASP Top Ten (2010 Edition)

    http://www.owasp.org/index.php/Top_10


    22/32

    2011 CWE Top 25 Most Dangerous Software Errors

    http://cwe.mitre.org/top25/

    23/32

    Comparison: OWASP Top Ten 2010 vs. CWE Top 25 2011

    http://cwe.mitre.org/top25/

    24/32

    DIGIT TestCentre

    Score = Risk * Impact

    Priorities are adapted for every application

    25/32

    Vulnerability assessment

    Assess and secure all parts individually

    The idea is to force an attacker to penetrate several defence layers

    As a general rule, data stored in databases are considered as "untrusted"

    "In God we trust,

    for the rest, we test"

    26/32

    Vulnerability remediation priorities

    Recommendations for remediation are found in the report

    Cover high priority first. Then others when affordable

    Begin with risky vulnerabilities that are easy to remediate
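An added example, not code from the DIGIT TestCentre deck, that turns the scoring rule on slide 24 (Score = Risk * Impact) and the remediation ordering above into a small triage routine. The ordinal scales for risk, impact and remediation effort, the high-priority threshold and the sample findings are all constructed here; the deck itself says the priorities are adapted per application.

```python
# Added example (not the deck's own code): orders findings using the deck's
# "Score = Risk * Impact" and its remediation rule (high priority first,
# starting with risky vulnerabilities that are easy to remediate).
from dataclasses import dataclass

# Constructed ordinal scales. The deck says priorities are adapted per
# application, so these weights and the threshold are assumptions.
RISK = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
EFFORT = {"easy": 1, "moderate": 2, "hard": 3}   # remediation effort (assumed)
HIGH_PRIORITY_THRESHOLD = 6                       # assumed: score >= 6 is high priority

@dataclass(frozen=True)
class Finding:
    name: str
    risk: str
    impact: str
    effort: str

def score(f: Finding) -> int:
    """Deck formula: Score = Risk * Impact, on the ordinal scales above."""
    return RISK[f.risk] * IMPACT[f.impact]

def is_high_priority(f: Finding, threshold: int = HIGH_PRIORITY_THRESHOLD) -> bool:
    return score(f) >= threshold

def remediation_order(findings, threshold: int = HIGH_PRIORITY_THRESHOLD) -> list:
    """High-priority tier first, then the rest; inside each tier the
    easiest-to-fix findings come first and ties go to the higher score."""
    def key(f: Finding):
        return (not is_high_priority(f, threshold), EFFORT[f.effort], -score(f), f.name)
    return sorted(findings, key=key)

def tiers(findings) -> dict:
    """Report view: names grouped as 'high' (cover first) and 'other' (when affordable)."""
    ordered = remediation_order(findings)
    return {
        "high": [f.name for f in ordered if is_high_priority(f)],
        "other": [f.name for f in ordered if not is_high_priority(f)],
    }

# Constructed findings, named after vulnerability groups used in the deck.
SAMPLE_FINDINGS = [
    Finding("Injection", "high", "high", "moderate"),
    Finding("Cross-Site Scripting", "high", "medium", "easy"),
    Finding("Weak cryptography", "high", "medium", "hard"),
    Finding("Cookie Security", "medium", "medium", "easy"),
    Finding("Information disclosure", "low", "medium", "easy"),
]
```

Calling `tiers(SAMPLE_FINDINGS)` gives the two remediation tiers in the order a report would list them.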

    27/32

    Vulnerabilities type occurrence in the 1st iteration (%)

    [Bar chart: y-axis 0% to 100%; per-type values are not recoverable from the text]

    Links on the slide:
    http://cwe.mitre.org/top25/
    http://projects.webappsec.org/w/page/13246989/Web%20Application%20Security%20Statistics
    28/32

    Improvements in Design and Coding stages

    Vulnerability group                            Iteration
                                                    1    2    3    4    5    6
    Cross-Site Scripting                           43   14    2    2    1    1
    Injection                                      23    6    1    1
    Insecure Transmission of credentials/tokens    10    3
    Password Management                            13    6    2
    Cookie Security                                 9    7
    Path Manipulation                               3    2    1    1
    Weak authentication                             4    2
    Open redirect                                   5
    Logging of credentials                          2    1
    Cross-Site Request Forgery                     16    4    1    1
    Header Manipulation                            15    3    1
    Weak cryptography                              14    2    1
    File Upload                                     8    3    1    1
    Forced Browsing                                 7    2    1
    Log Forging                                     6    1    1    1
    Information disclosure                          4    3    2

    Security increases in every iteration

    Flaws can appear in future iterations

    30/32

    Some references

    Open Web Application Security Project (OWASP): www.owasp.org

    Web Application Security Consortium (WASC): www.webappsec.org

    Common Vulnerability Scoring System (CVSS): http://www.first.org/cvss/

    Common Weakness Enumeration (CWE): http://cwe.mitre.org

    Common Attack Pattern Enumeration and Classification (CAPEC):

    http://capec.mitre.org/

    SANS Institute: www.sans.org

    31/32

    Questions?

    32/32

    Thank you!