Agenda (PowerPoint PPT presentation)
Page 1: Agenda

Agenda

Application Assessments: PABP vs. Penetration Test / Code Review Introduction to Application Security Methodology Case Examples Conclusions

Page 2: Agenda

Application Assessments: PABP vs. Penetration Test / Code Review

Page 3: Agenda

Visa CISP PABP

Visa’s CISP PABP is a voluntary compliance program for payment applications that validates them against a set of best practices.

Page 4: Agenda

What is a Payment Application: PABP is applicable to any third-party payment application used by a merchant or service provider that is involved in the authorization and settlement of credit or debit card transactions.

What are Best Practices: Recommended practices for software vendors to create secure payment applications that help their customers comply with CISP / PCI.

Payment Application Best Practice

Page 5: Agenda

Requirements

1. Do not retain full magnetic stripe or CVV2 data

2. Protect stored data

3. Provide secure password features

4. Log application activity

5. Develop secure applications

6. Protect wireless transmissions

7. Test applications to address vulnerabilities

8. Facilitate secure network implementation

9. For Internet-based applications, store cardholder data in internal network only

10. Facilitate secure remote software updates

11. Facilitate secure remote access to application

12. Encrypt sensitive traffic over public networks

13. Encrypt internal administrative access

Page 6: Agenda

Application Penetration Test/Code Review

Application Penetration Test: A thorough security assessment to determine whether an application is vulnerable to application-level attacks from both external “hackers” and malicious authorized users. The goal is to identify as many of the vulnerabilities present in the application as possible.

Code Review: A detailed line-by-line analysis of source code where the goal is to identify coding errors that lead to application vulnerabilities.

Page 7: Agenda

PABP Methodology

Interviews and questionnaires completed by client personnel (e.g., developers, support staff, and managers)

Thorough functional and security testing of the application

Review of the application’s operating files, logs, databases, and storage of cardholder information

Page 8: Agenda

Application Pen Test Methodology

• Authentication and Authorization
  • Unlimited Login Attempts
  • Insufficient Authentication
  • Insufficient Authorization
• Session Management
  • Session Prediction
  • Session Hijacking
  • Session Replay
  • Insufficient Session Expiration
• Injection
  • OS Command Injection
  • SQL Injection
  • Cross-site Scripting
  • LDAP Injection
  • HTML Injection
• Logical Attacks
  • Abuse of Functionality

• Cryptography
  • Algorithm
  • Key Management
• Data Protection
  • Transport
  • Storage
• Information Disclosure
  • Directory Indexing
  • Path Traversal
  • Verbose Error Messages
  • HTML Comments
• Buffer Overflow
  • Stack-based
  • Heap-based
  • Format String
  • Integer Overflow/Underflow

Page 9: Agenda

Code Review Methodology

Buffer overflow conditions

Unintended operation

Dynamic content creation issues

Potential manipulation of variables

Potential acceptance of external scripts or inputs

Failure conditions

Cryptographic weaknesses

Manipulation of back-end services or calls

SQL Insertion

Command Re-direction

Page 10: Agenda

Tools: Automated vs. Manual

Automated
• Fast, especially for large applications
• Good at finding low-hanging fruit
• Easy to use
• Somewhat extensible, but extending it increases the learning curve
• Expensive
• Fallible: no human intelligence behind it

Page 11: Agenda

Tools: Automated vs. Manual

Manual
• Inexpensive
• Very extensible: scripts can call other scripts
• As intelligent as the human using it

Best used in conjunction with one another

Page 12: Agenda

Tool Examples:

Non Web-based: Insure, Code Wizard, J-Test, Holodeck, BugScan, Filemon, Regmon, APISpy, IDAPro, SoftICE

Web-based: Wget, Paros, AppScan, WebDetective, SOATest, Burp Suite, WebProxy, FxCop (free from Microsoft), Spike Proxy, Absinthe, Nikto

Combination: Spike, findstr and Ildasm, File-Fuzzer (fuzzers in general)

Page 13: Agenda

Test Cases

Payment Application Best Practices:

Point of Sale System

Page 14: Agenda

VMWare as a test environment

Page 15: Agenda

Tracking Read/Write Events

Page 16: Agenda

Enter data

Page 17: Agenda

Where does the app write data

Page 18: Agenda

Is the data encrypted?

PAYMENT 10027
AUTHAMT 22.50
BATCHAMT 23.79
BATCHTIP 0.00
CARDTYPE VISA
CARD 4227331003328562
EXP 0307
TRACK1 %B4227331003328562^GATES/COURTNEY F.MS^07031011000000397000000?
TRACK2 ;4227331003328562=070310110000397?
REF 138
APPROVED YES
AUTH 012064
INFO E,0001,00,120304,135836,5,094338683164532,K35X

No. The record the application wrote to disk contains the PAN, expiry date and the full Track 1 and Track 2 magnetic-stripe data in cleartext next to the authorization response, which fails Requirement 1 (do not retain full magnetic stripe data) and Requirement 2 (protect stored data).
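The check behind the "Where does the app write data" and "Is the data encrypted?" steps can be automated: once a file monitor such as Filemon has shown which files the POS application writes, scan each of them for Track 1 / Track 2 data and bare PANs. The script below is an added example and is not code from the original presentation; SAMPLE_RECORD is a constructed record that follows the field layout on the slide but uses the Visa test PAN 4111111111111111 and a made-up cardholder name. The Luhn filter is what keeps reference numbers and timestamps (like the 15-digit value on the INFO line) from being reported as card numbers.

```python
"""Scan files a payment application writes to disk for cleartext
cardholder data: full Track 1 / Track 2 magnetic-stripe data and bare PANs.

Added example for the "Where does the app write data" / "Is the data
encrypted?" test case; not code from the original presentation.
SAMPLE_RECORD is constructed (slide's field layout, Visa test PAN,
made-up cardholder).
"""
import re
import sys

# Track 1 (ISO 7813 format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# A bare run of 13-19 digits, optionally space- or dash-separated
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_RECORD = """\
PAYMENT 10027
AUTHAMT 22.50
BATCHAMT 23.79
BATCHTIP 0.00
CARDTYPE VISA
CARD 4111111111111111
EXP 0307
TRACK1 %B4111111111111111^DOE/JANE^07031011000000397000000?
TRACK2 ;4111111111111111=070310110000397?
REF 138
APPROVED YES
AUTH 012064
INFO E,0001,00,120304,135836,5,094338683164532,K35X
"""


def luhn_ok(digits: str) -> bool:
    """Luhn check; filters out reference numbers and timestamps that merely
    look like PANs (the 15-digit value on the INFO line fails it)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report only the first six and last four digits so the scan log does
    not itself become another cleartext store of cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cardholder_data(text: str) -> list:
    """Return findings as dicts: type (track1/track2/pan), masked pan, offset."""
    findings, covered = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            if not luhn_ok(m.group(1)):
                continue
            findings.append({"type": kind, "pan": mask_pan(m.group(1)),
                             "offset": m.start()})
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(text):
        # The PAN inside a track match is already reported with that track.
        if any(s <= m.start() < e for s, e in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"type": "pan", "pan": mask_pan(digits),
                             "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])


def retains_track_data(findings: list) -> bool:
    """PABP Requirement 1: full magnetic-stripe data must not be retained.
    Any track1/track2 finding is an outright failure; a bare PAN stored in
    cleartext falls under Requirement 2 (protect stored data)."""
    return any(f["type"] in ("track1", "track2") for f in findings)


def scan_file(path: str) -> list:
    """Scan one file the application wrote (located with a file monitor)."""
    with open(path, "rb") as fh:
        return find_cardholder_data(fh.read().decode("latin-1"))


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [scan_file(p) for p in targets] if targets else [find_cardholder_data(SAMPLE_RECORD)]
    for src, found in zip(targets or ["<sample record>"], results):
        for f in found:
            print(f"{src}: {f['type']} {f['pan']} at offset {f['offset']}")
        print(f"{src}: retains track data = {retains_track_data(found)}")
```

Run it with the paths the file monitor reported as arguments; with no arguments it scans the constructed sample and reports one bare PAN plus the Track 1 and Track 2 hits, so `retains_track_data` is true. A clean result from an application that does encrypt its storage is simply an empty finding list, which is the outcome Requirement 1 asks for.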

Page 19: Agenda

Test Cases

Application Testing

Source Code Review

Page 20: Agenda

Performing Text Searches

Search for Hard-Coded Strings: Scan through code and search for common string patterns such as the following: "key," "secret," "password," "pwd," and "connectionstring."

For example, to search for the string "password" in the Web directory of the application, use the Findstr tool from a command prompt as follows:

findstr /S /M /I /d:c:\projects\yourweb "password" *.*

Page 21: Agenda

Automating Findstr

Automate Searches for Hard-Coded Strings: Create a text file with common search strings. Findstr can then read the search strings from the text file. Run the following command from a directory that contains .aspx files:

findstr /N /G:SearchStrings.txt *.aspx

Page 22: Agenda

Text searches in binary assemblies

Use the Findstr command in conjunction with the ildasm.exe utility to search binary assemblies for hard-coded strings. Example:

Ildasm.exe secureapp.dll /text | findstr ldstr

IL_000c: ldstr "RegisterUser"
IL_0027: ldstr "@userName"
IL_0046: ldstr "@passwordHash"
IL_0065: ldstr "@salt"
IL_008b: ldstr "Exception adding account. "
IL_000e: ldstr "LookupUser"
IL_0027: ldstr "@userName"
IL_007d: ldstr "SHA1"
IL_0097: ldstr "Exeception verifying password. "
IL_0009: ldstr "SHA1"
IL_003e: ldstr "Logon successful: User is authenticated"
IL_0050: ldstr "Invalid username or password"
IL_0001: ldstr "Server=AppServer;database=users; username='sa' password=password"
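The findstr pipeline above lists every ldstr literal, and most of them are noise: SQL parameter names such as "@passwordHash" and log messages such as "Invalid username or password" contain the search keyword without being secrets, while the real finding, a connection string carrying the sa password, sits at the end. The script below is an added example, not code from the presentation, that reads the ildasm /text output (it assumes the slide's command was run and its output saved to a file) and triages each literal into hard-coded credential, connection string, weak hash algorithm, SQL parameter name or plain keyword hit. SAMPLE_IL is constructed: its ldstr lines mirror the slide's output, the .method headers around them are made up, and the same classifier applies equally to strings found by the findstr source-tree searches on the previous slides.

```python
"""Pull string literals out of ildasm /text output and triage the ones
that look like hard-coded secrets, connection strings or weak crypto.

Added example for the "Text searches in binary assemblies" slide; not code
from the original presentation. Assumes the disassembly was produced with
`ildasm.exe secureapp.dll /text` and saved to a file. SAMPLE_IL is
constructed (ldstr lines as on the slide, .method headers made up).
"""
import re
import sys

# One ldstr line as ildasm prints it:  IL_000c:  ldstr      "RegisterUser"
LDSTR_RE = re.compile(r'^\s*(IL_[0-9a-fA-F]+):\s+ldstr\s+"((?:[^"\\]|\\.)*)"', re.M)
# password=value / pwd=value with a non-empty literal value
CRED_RE = re.compile(r"\b(password|pwd)\s*=\s*'?([^;'\s]+)", re.I)
# Other connection-string key=value pairs
CONN_RE = re.compile(r"\b(server|data source|database|initial catalog|user id|username|uid)\s*=", re.I)
KEYWORDS = ("key", "secret", "password", "pwd", "connectionstring")  # the slide's findstr list
WEAK_HASHES = {"md5", "sha1", "sha-1"}

SAMPLE_IL = """\
.method public hidebysig static void RegisterUser(string userName, string password) cil managed
{
  IL_000c:  ldstr      "RegisterUser"
  IL_0027:  ldstr      "@userName"
  IL_0046:  ldstr      "@passwordHash"
  IL_0065:  ldstr      "@salt"
  IL_008b:  ldstr      "Exception adding account. "
}
.method public hidebysig static bool LookupUser(string userName, string password) cil managed
{
  IL_000e:  ldstr      "LookupUser"
  IL_0027:  ldstr      "@userName"
  IL_007d:  ldstr      "SHA1"
  IL_0097:  ldstr      "Exception verifying password. "
}
.method public hidebysig static bool Logon(string userName, string password) cil managed
{
  IL_0009:  ldstr      "SHA1"
  IL_003e:  ldstr      "Logon successful: User is authenticated"
  IL_0050:  ldstr      "Invalid username or password"
}
.method private hidebysig static string GetConnectionString() cil managed
{
  IL_0001:  ldstr      "Server=AppServer;database=users; username='sa' password=password"
}
"""


def extract_literals(il_text: str) -> list:
    """All (label, string) pairs loaded with ldstr, in order of appearance."""
    return [(m.group(1), m.group(2)) for m in LDSTR_RE.finditer(il_text)]


def classify(literal: str):
    """Return (category, detail) or None. Checks run from most to least
    serious so a literal gets its worst applicable label."""
    low = literal.lower()
    cred = CRED_RE.search(literal)
    if cred:
        return "hard-coded credential", cred.group(2)   # the literal password value
    if CONN_RE.search(literal):
        return "connection string", literal
    if low in WEAK_HASHES:
        return "weak hash algorithm", literal
    # "@passwordHash" is a SQL parameter name, not a secret: keep it visible
    # for triage but separate from real hits.
    if low.startswith("@"):
        return ("sql parameter name", literal) if any(k in low for k in KEYWORDS) else None
    if any(k in low for k in KEYWORDS):
        return "sensitive keyword", literal
    return None


def audit(il_text: str) -> list:
    """Classified findings as dicts: label, literal, category, detail."""
    findings = []
    for label, literal in extract_literals(il_text):
        hit = classify(literal)
        if hit:
            findings.append({"label": label, "literal": literal,
                             "category": hit[0], "detail": hit[1]})
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IL
    for f in audit(text):
        print(f"{f['label']:>8}  {f['category']:<22} {f['literal']!r}")
```

On the constructed sample this reports the sa connection string as a hard-coded credential with the value "password", both "SHA1" literals as a weak hash choice, "@passwordHash" as a parameter name, and the two messages containing "password" as keyword hits; "RegisterUser", "@userName" and "@salt" are not reported at all. Long strings that ildasm emits as bytearray blobs rather than quoted literals are not handled here and still need the plain findstr pass.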