BEST PRACTICES FOR SECURITY TESTING TOP 10 RECOMMENDED PRACTICES


Confidential McAfee Internal Use Only

Disclaimer


Best Practices are…

• Not rules or rigid standards

• General solutions to common problems

• Guidelines and a common reference that can be shared, further developed, and can give rise to new “best practices”


Agenda


• Security Testing

• Myths Vs Realities

• The 10 Recommended Security Practices

• Summary


Security Testing

Security testing is the process of determining whether an information system protects data and maintains functionality as intended.


Need for Security Testing: Technical and Business Perspectives

Technical:

• Validates the system’s conformance to security requirements

• Identifies potential security vulnerabilities

Business:

• Reduces project costs (defects found early are cheaper to fix)

• Reduces litigation

• Conforms to regulatory requirements

• Protects reputation or brand

Source: Avert Labs

“A few lines of code can wreak more havoc than a bomb.” - Tom Ridge, former Secretary of the U.S. Department of Homeland Security


Myths Vs Realities


Some Myths of Software Security

• My applications do not have any security problems

• Network defense mechanisms will protect an organization from any application-based security breach

• The “magic bullet” theory: a single tool or product will solve security

• Implementing security in an organization is costly

• Security testing is time consuming


Changing the Old Paradigm: Creating a Better, More Secure Application Development Process


• Software security testing is different from software functionality testing: functional tests check that the software does what it should, security tests check that it does not do what it should not

• Integrate security best practices into the software development lifecycle (SDLC) instead of hastily adding them at the end

• This increases efficiency, reduces overall costs and improves customer satisfaction


Integration of Security Testing throughout SDLC


Relative cost of fixing a defect, by the phase in which it is found (X = cost at project initiation):

• Project Initiation & Planning: X

• Requirements Definition: 3X

• Design: 5X

• Implementation: 20X

• Test & Deploy: 50X – 200X

• Maintain: 500X

Parallel security activities run alongside each of these phases.


Information Gathering: Software Components and Their Environment


• Collect as much information as possible about the target application

• Understanding the software and its environment (platform, dependencies, interfaces, trust boundaries) is essential to evaluating the attack surface


Information Gathering: Evaluation of the Software Attack Surface


Threat Evaluation


• A Data Flow Diagram (DFD) helps understand how the system works, where data crosses trust boundaries, and therefore the threats it faces

• A good way to get started in this space is Microsoft’s STRIDE model


STRIDE


Spoofing: Can an attacker gain access using a false identity?

Tampering: Can an attacker modify data as it flows through the application?

Repudiation: If an attacker denies doing something, can we prove he did it?

Information disclosure: Can an attacker gain access to private or potentially injurious data?

Denial of service: Can an attacker crash or reduce the availability of the system?

Elevation of privilege: Can an attacker assume the identity of a privileged user?


Every Asset is Subject to Attack

Legend: External Entity, Process, Data Store, Dataflow, Asset

Data-flow diagram shown on the slide (text rendering):

• External entity: User

• Processes: Service, Authn Engine

• Data stores: Credentials, Data Files

• Data flows: Request, Response, Authn Request, Authn Info, Get Credentials, Requested File(s)


Threat Types by Asset Type


Asset types (columns): External Entity, Process, Data Store, Dataflow

Threat types (rows): S Spoofing, T Tampering, R Repudiation, I Information Disclosure, D Denial of Service, E Elevation of Privilege


Prioritizing Security Testing


• Why analyze and prioritize?

• What is Threat Modeling?

“Focus testing on areas where difficulty of attack is least and the impact is highest.” - Chris Wysopal
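The following is an added example, not code from the deck: it writes the data-flow diagram from the “Every Asset is Subject to Attack” slide out as data, applies the standard Microsoft STRIDE-per-element-type mapping (the content of the “Threat Types by Asset Type” table) to enumerate candidate threats, and then ranks them by ease of attack times impact in the spirit of the Wysopal quote above. The element names are the slide’s; the ease/impact scores in SCORES are hypothetical numbers chosen to show the ranking, not figures from the slides.

```python
"""STRIDE threat enumeration over a data-flow diagram, plus risk ranking.

Added example: not code from the original deck. The DFD elements are the
ones on the "Every Asset is Subject to Attack" slide; which STRIDE category
applies to which element type is the standard Microsoft mapping. The
ease/impact scores in SCORES are hypothetical values chosen to show how
ranking works, not figures from the slides.
"""
from dataclasses import dataclass

# STRIDE categories that apply to each DFD element type (standard mapping).
STRIDE_BY_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

STRIDE_NAMES = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # a key of STRIDE_BY_ELEMENT


@dataclass(frozen=True)
class Threat:
    element: str
    category: str   # one STRIDE letter
    ease: int = 1   # 1 (hard to attack) .. 5 (trivial); hypothetical scale
    impact: int = 1 # 1 (negligible) .. 5 (severe); hypothetical scale

    @property
    def risk(self) -> int:
        # "Difficulty of attack is least and impact is highest" -> largest product.
        return self.ease * self.impact


def enumerate_threats(elements):
    """One Threat per (element, applicable STRIDE category) pair."""
    return [
        Threat(e.name, letter)
        for e in elements
        for letter in STRIDE_BY_ELEMENT[e.kind]
    ]


def rank_threats(threats, scores):
    """Attach ease/impact from `scores` {(element, letter): (ease, impact)}
    and sort highest risk first; unscored threats keep the default 1 x 1."""
    scored = [
        Threat(t.element, t.category, *scores.get((t.element, t.category), (1, 1)))
        for t in threats
    ]
    return sorted(scored, key=lambda t: (-t.risk, t.element, t.category))


def describe(t):
    return (f"{t.category} {STRIDE_NAMES[t.category]} on {t.element} "
            f"(ease {t.ease}, impact {t.impact}, risk {t.risk})")


# Constructed from the slide's diagram.
DFD = [
    Element("User", "external_entity"),
    Element("Service", "process"),
    Element("Authn Engine", "process"),
    Element("Credentials", "data_store"),
    Element("Data Files", "data_store"),
    Element("Request", "data_flow"),
    Element("Response", "data_flow"),
    Element("Authn Request", "data_flow"),
    Element("Authn Info", "data_flow"),
    Element("Get Credentials", "data_flow"),
    Element("Requested File(s)", "data_flow"),
]

# Hypothetical scores (assumptions, not from the deck).
SCORES = {
    ("Credentials", "I"): (3, 5),   # readable credential store: very high impact
    ("Request", "T"): (4, 3),       # client-side request is easy to tamper with
    ("Authn Engine", "S"): (2, 5),  # impersonating the authn engine
}


def top_threats(n=3):
    """The n highest-risk threats: the ones to test first."""
    return rank_threats(enumerate_threats(DFD), SCORES)[:n]


if __name__ == "__main__":
    for t in rank_threats(enumerate_threats(DFD), SCORES):
        print(describe(t))
```

The enumeration step is mechanical and produces the full candidate list (40 threats for this diagram); the scoring step is where the testers’ judgement goes, and it is what turns the list into a test order.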


Why Analyze and Prioritize Security Testing?


Because attackers want to attack your application.

Put appropriate defenses in products.


Threat Modeling and Its Benefits

Threat modeling is..

• A security-based analysis that helps understand where the product is most vulnerable

• Finds assets, evaluates threats and uncovers vulnerabilities

• Helps reduce overall security risks

• Prioritizes security tests

• Forms the basis of security design specifications

• Determines the threat mitigation techniques to employ

Benefits

• Helps understand an application better

• Helps find bugs and flaws in complex designs

• Drives well-designed security test plans



Threat Modeling Process


1. Identify Assets

2. Create an Architecture Overview

5. Document the Threats


Identifying Vulnerabilities in Source Code


• Well-tested code that includes security tests results in an end product that is more robust, easier to maintain and more secure

• Vulnerabilities can be detected through security code reviews and source code analysis

• Automating the code review process (static analysis run on every build) is a good approach, with manual review reserved for the findings and for logic the tools cannot reason about


Testing with Known Intrusions


• No security testing regime is complete until the product has been tested with known intrusions

• This verifies that the application cannot be breached by known means. If it can, fix and re-verify before the application goes into production


• 99% of network intrusions are based on known vulnerabilities that could have been prevented with proactive vulnerability management

• Automate attack simulation, whereby software attacks the application along known paths of intrusion. Tools like Metasploit can help

Source: CERT


Creating a Security Test Plan


• The Security Test Plan should incorporate a high-level outline of the artifacts to be tested and the methodologies to be used


Security Test Plan


Choosing the Right Tools for Security Testing


• Know your attacker and know yourself

• Test the application under each of the following conditions to determine its vulnerabilities, since access-control flaws only show up when the same request is made from different privilege levels:

• as a non-authenticated user

• as an authenticated user

• as an administrative user
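An added example (not code from the deck) of testing under the three conditions listed above: every endpoint is exercised as an anonymous, an authenticated and an administrative user, and the observed result is compared with the expected access-control outcome. `stub_app` is a constructed in-memory stand-in for the application under test, written with a deliberate authorization bug so that the check has something to find; `fixed_app` is the hardened form. The endpoint names and status codes are assumptions for the example.

```python
"""Authorization matrix check across anonymous / authenticated / admin users.

Added example, not from the original deck. `stub_app` is a constructed
in-memory stand-in for the application under test (its authorization bug is
deliberate); `fixed_app` is the hardened form. To run this against a real
application, replace the app function with one that sends the HTTP request
using that role's credentials and returns the response status code.
"""

ROLES = (None, "user", "admin")  # non-authenticated, authenticated, administrative


def stub_app(path, role):
    """Constructed target. Returns an HTTP-like status code."""
    if path == "/public":
        return 200
    if path == "/me":
        return 200 if role is not None else 401
    if path == "/admin/users":
        # BUG (deliberate): only checks "is logged in", not "is admin",
        # so any authenticated user reaches the admin-only endpoint.
        return 200 if role is not None else 401
    return 404


def fixed_app(path, role):
    """Same target with the admin endpoint's check corrected."""
    if path == "/admin/users":
        if role is None:
            return 401  # not authenticated
        if role != "admin":
            return 403  # authenticated but not authorized
        return 200
    return stub_app(path, role)


# Expected status per endpoint for each role: 401 = must authenticate,
# 403 = authenticated but forbidden. This matrix is the test oracle.
EXPECTED = {
    "/public":      {None: 200, "user": 200, "admin": 200},
    "/me":          {None: 401, "user": 200, "admin": 200},
    "/admin/users": {None: 401, "user": 403, "admin": 200},
}


def run_matrix(app, expected=EXPECTED):
    """Exercise every (endpoint, role) pair; return mismatches as
    (path, role, expected_status, actual_status) tuples."""
    findings = []
    for path, per_role in expected.items():
        for role in ROLES:
            actual = app(path, role)
            if actual != per_role[role]:
                findings.append((path, role, per_role[role], actual))
    return findings


def classify(finding):
    """Heuristic STRIDE label for a mismatch, to feed the threat model."""
    path, role, expected, actual = finding
    if expected in (401, 403) and actual == 200:
        # Reached something that should have been refused.
        return "Elevation of privilege" if role else "Missing authentication"
    if expected == 200 and actual != 200:
        return "Availability (legitimate access refused)"
    return "Unexpected response"


if __name__ == "__main__":
    for f in run_matrix(stub_app):
        print(f, "->", classify(f))
    print("fixed app findings:", run_matrix(fixed_app))
```

Against `stub_app` the matrix reports exactly one mismatch, `/admin/users` reached as an ordinary authenticated user; against `fixed_app` it reports none. Keeping the expected matrix in version control next to the code turns the three-user test from a one-off exercise into a regression check that runs on every build.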


Metrics & Reporting


• Both the quantity and the quality of testing need to be measured to assess the efficiency of the testing performed on the software

• Defect metrics are vital (defects found per phase, severity distribution, defects escaping to production)

• All time-oriented metrics (such as time to detect and time to fix) should be measured regularly

• Maintain a common problem database so that defects found by different teams and tools can be correlated


Recap

• Security is a Process and not a Product

• Break the traditional approach. Integrate security testing throughout SDLC

• Evaluate the attack surface and threats

• Develop security testing strategy

• Analyze and prioritize test strategies

• Think Evil. Be Evil. Test Evil

• Perform code reviews

• Know your enemy and know yourself

• Attack!!!


References

• Risk-Based and Functional Security Testing: C. C. Michael and Will Radosevich

• Building Secure Web Applications: Peter Varhol, Technology Strategy Research, LLC

• Threat Modeling: Improving the Application Life Cycle: Dan Sellers

• Myths of Software Security: People Security

• Secure Coding: Principles and Practices. Graff, Mark G. & Van Wyk, Kenneth R. Sebastopol, CA: O’Reilly, 2003 (ISBN: 0596002424)

• Security Considerations in the Information System Development Life Cycle: Grance, T.; Myers, M.; & Stevens, M. (NIST Special Publication 800-64), 2004

• Risk Based Security Testing: TechRepublic Publication

• http://www.cert.org/stats/

• http://web.nvd.nist.gov/view


THANK YOU