Agenda Application Assessments: PABP vs. Penetration Test / Code Review Introduction to Application Security Methodology Case Examples Conclusions

Agenda

Application Assessments: PABP vs. Penetration Test / Code Review Introduction to Application Security Methodology Case Examples Conclusions

Application Assessments: PABP vs. Penetration Test / Code Review

Visa CISP PABP

Visa’s CISP PABP: a voluntary compliance program for payment applications which validates a set of best practices.

What is a Payment Application: PABP is applicable to any third-party payment application utilized by a merchant or service provider that is involved in authorization and settlement of credit or debit card transactions.

What are Best Practices: recommended practices for software vendors to create secure payment applications that help their customers comply with CISP / PCI.

Payment Application Best Practice

Requirements

1. Do not retain full magnetic stripe or CVV2 data

2. Protect stored data

3. Provide secure password features

4. Log application activity

5. Develop secure applications

6. Protect wireless transmissions

7. Test applications to address vulnerabilities

8. Facilitate secure network implementation

9. For Internet-based applications, store cardholder data in internal network only

10. Facilitate secure remote software updates

11. Facilitate secure remote access to application

12. Encrypt sensitive traffic over public networks

13. Encrypt internal administrative access

Application Penetration Test/Code Review

Application Penetration Test: a thorough security assessment to determine if an application is vulnerable to application-level attacks from both external “hackers” and malicious authorized users.

Identify the maximum number of vulnerabilities that may be present in an application.

Code review: a detailed line-by-line analysis of source code where the goal is to identify coding errors which lead to application vulnerabilities.

PABP Methodology

Interviews and questionnaires completed by client personnel (e.g., developers, support staff, and managers)

Thorough functional and security testing of the application

Review of the application’s operating files, logs, databases, and storage of cardholder information

Application Pen Test Methodology

Authentication and Authorization
• Unlimited Login Attempts
• Insufficient Authentication
• Insufficient Authorization

Session Management
• Session Prediction
• Session Hijacking
• Session Replay
• Insufficient Session Expiration

Injection
• OS Command Injection
• SQL Injection
• Cross-site Scripting
• LDAP Injection
• HTML Injection

Logical Attacks
• Abuse of Functionality

Cryptography
• Algorithm
• Key Management

Data Protection
• Transport
• Storage

Information Disclosure
• Directory Indexing
• Path Traversal
• Verbose Error Messages
• HTML Comments

Buffer Overflow
• Stack-based
• Heap-based
• Format String
• Integer Overflow/Underflow

Code Review Methodology

Buffer overflow conditions

Unintended operation

Dynamic content creation issues

Potential manipulation of variables

Potential acceptance of external scripts or inputs

Failure conditions

Cryptographic weaknesses

Manipulation of back-end services or calls

SQL Insertion

Command Re-direction

Tools: Automated vs. Manual

Automated
• Fast, especially for large applications
• Good at finding low hanging fruit
• Easy to use
• Somewhat extensible, but increases learning curve
• Expensive
• Fallible – no human intelligence behind it

Tools: Automated vs. Manual

Manual
• Inexpensive
• Very extensible – scripts can call other scripts
• As intelligent as the human using it

Best used in conjunction with one another

Tool Examples:

Non Web-based: Insure, Code Wizard, J-Test, Holodeck, BugScan, Filemon, Regmon, APISpy, IDAPro, SoftICE

Web-based: Wget, Paros, AppScan, WebDetective, SOATest, Burp Suite, WebProxy, FxCop (free from Microsoft), Spike Proxy, Absinthe, Nikto

Combination: Spike, findstr and Ildasm, File-Fuzzer (Fuzzers in general)

Test Cases

Payment Application Best Practices:

Point of Sale System

VMWare as a test environment

Tracking Read/Write Events

Enter data

Where does the app write data?

Is the data encrypted?

PAYMENT 10027

AUTHAMT 22.50

BATCHAMT 23.79

BATCHTIP 0.00

CARDTYPE VISA

CARD 4227331003328562

EXP 0307

TRACK1 %B4227331003328562^GATES/COURTNEY F.MS^07031011000000397000000?

TRACK2 ;4227331003328562=070310110000397?

REF 138

APPROVED YES

AUTH 012064

INFO E,0001,00,120304,135836,5,094338683164532,K35X
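The record above is what a read/write trace turns up when the application writes cardholder data in the clear. As an added example (not part of the original presentation), the following Python script checks such a captured file against PABP requirement 1 (no full magnetic stripe or CVV2 data at rest); the record it scans is constructed and uses the well-known Visa test PAN rather than the one on the slide.

```python
import re

# Constructed sample of the kind of file a POS application might write to disk.
# The PAN is the well-known Visa test number, not a real card.
SAMPLE_RECORD = """PAYMENT 10027
AUTHAMT 22.50
CARDTYPE VISA
CARD 4111111111111111
EXP 0307
TRACK1 %B4111111111111111^DOE/JANE^07031011000000397000000?
TRACK2 ;4111111111111111=070310110000397?
CVV2 123
REF 138
"""

# Track 1 (format B) and Track 2 layouts as encoded on the magnetic stripe.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
# Any standalone 13-19 digit run is a PAN candidate; Luhn filters the noise.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
CVV_RE = re.compile(r"^\s*CVV2?\s+(\d{3,4})\s*$", re.MULTILINE | re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (PAN sanity test)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_prohibited_data(text: str) -> dict:
    """Report cleartext PANs, full track data and CVV2 values found in text."""
    return {
        "pan": sorted({m for m in PAN_RE.findall(text) if luhn_valid(m)}),
        "track1": TRACK1_RE.findall(text),
        "track2": TRACK2_RE.findall(text),
        "cvv2": CVV_RE.findall(text),
    }


def violates_requirement_1(text: str) -> bool:
    """True when full track data or CVV2 is stored, which PABP req. 1 forbids."""
    f = scan_for_prohibited_data(text)
    return bool(f["track1"] or f["track2"] or f["cvv2"])
```

Run it over every file the write trace (e.g. Filemon) attributes to the application; a non-empty result for track data or CVV2 is a requirement 1 failure regardless of whether the PAN field itself is encrypted.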

Test Cases

Application Testing

Source Code Review

Performing Text Searches

Search for Hard-Coded Strings: scan through code and search for common string patterns such as the following: "key," "secret," "password," "pwd," and "connectionstring."

For example, to search for the string "password" in the Web directory of the application, use the Findstr tool from a command prompt as follows:

findstr /S /M /I /d:c:\projects\yourweb "password" *.*

Automating Findstr

Automate Searches for Hard-Coded Strings: create a text file with common search strings. Findstr can then read the search strings from the text file. Run the following command from a directory that contains .aspx files.

findstr /N /G:SearchStrings.txt *.aspx

Text searches in binary assemblies

Use the Findstr command in conjunction with the ildasm.exe utility to search binary assemblies for hard-coded strings.

Example:

Ildasm.exe secureapp.dll /text | findstr ldstr

IL_000c: ldstr "RegisterUser"
IL_0027: ldstr "@userName"
IL_0046: ldstr "@passwordHash"
IL_0065: ldstr "@salt"
IL_008b: ldstr "Exception adding account. "
IL_000e: ldstr "LookupUser"
IL_0027: ldstr "@userName"
IL_007d: ldstr "SHA1"
IL_0097: ldstr "Exeception verifying password. "
IL_0009: ldstr "SHA1"
IL_003e: ldstr "Logon successful: User is authenticated"
IL_0050: ldstr "Invalid username or password"
IL_0001: ldstr "Server=AppServer;database=users; username='sa' password=password"
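Piping ildasm through findstr lists every string literal, but the reviewer still has to pick out the one connection string with an embedded password. As an added example (not from the presentation), this Python script parses that kind of ildasm output and flags the literals worth a closer look; the ildasm excerpt, assembly offsets and literal values are constructed for the example.

```python
import re

# Constructed excerpt of "ildasm.exe app.dll /text | findstr ldstr" output.
ILDASM_OUTPUT = """IL_000c: ldstr "RegisterUser"
IL_0027: ldstr "@userName"
IL_0046: ldstr "@passwordHash"
IL_007d: ldstr "SHA1"
IL_0050: ldstr "Invalid username or password"
IL_0001: ldstr "Server=AppServer;database=users; username='sa' password=password"
IL_0012: ldstr "Data Source=db01;User ID=app;Password=changeme"
IL_0031: ldstr "AQAB7f3kLm9xQ2Z8vN4pRt6wYb1cDe5fGh0iJk2lMn3oPq4r"
"""

# One ildasm line: IL offset, the ldstr opcode, and the quoted literal.
LDSTR_RE = re.compile(r'^(IL_[0-9a-fA-F]+):\s+ldstr\s+"(.*)"\s*$', re.MULTILINE)

# Review rules: a label and the pattern that identifies it in a literal.
RULES = [
    ("embedded credential", re.compile(r"(password|pwd)\s*=\s*\S+", re.I)),
    ("connection string", re.compile(r"(server|data source)\s*=", re.I)),
    ("fast/legacy hash algorithm", re.compile(r"^(MD5|SHA1)$")),
    ("possible hard-coded key", re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")),
]


def extract_ldstr(text: str) -> list:
    """Return (offset, literal) pairs for every ldstr line in ildasm output."""
    return LDSTR_RE.findall(text)


def audit_literals(text: str) -> dict:
    """Map each rule label to the (offset, literal) pairs that triggered it."""
    findings = {}
    for offset, literal in extract_ldstr(text):
        for label, pattern in RULES:
            if pattern.search(literal):
                findings.setdefault(label, []).append((offset, literal))
    return findings


def has_embedded_credentials(text: str) -> bool:
    """True when any literal carries a password or connection-string secret."""
    return "embedded credential" in audit_literals(text)
```

The hash rule only says the literal names a fast digest; whether that is a finding depends on how the code around the offset uses it, which is what the line-by-line review then confirms.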