BEST PRACTICES FOR SECURITY TESTING TOP 10 RECOMMENDED PRACTICES
Confidential McAfee Internal Use Only
Disclaimer
Best Practices are…
• Not rules or rigid standards
• General solutions to common problems
• Guidelines and a common reference that can be shared, further developed, and can give rise to new “Best practices”
Agenda
Security Testing
Summary
Myths Vs Realities
The 10 Recommended Security Practices
Security Testing
Security Testing is the process to determine that an information system protects data and maintains functionality as intended.
Need for Security Testing: Technical and Business Perspectives
• Validates the system’s conformance to security requirements
• Identifies potential security vulnerabilities
• Reduces project costs
• Reduces litigation
• Conforms to regulatory requirements
• Protects reputation or brand
Source: Avert Labs
“A few lines of code can wreak more havoc than a bomb” - Tom Ridge, former Secretary of the U.S. Department of Homeland Security
Myths Vs Realities
Some Myths of Software Security
• My applications do not have any security problem
• Network defense mechanisms will protect an organization from any application-based security breach
• Magic bullet theory
• Security implementation in an organization is costly
• Security testing is time consuming
Changing the Old Paradigm: Creating a Better, More Secure Application Development Process
• Software security testing is different from software functionality testing
• Integrate security best practices into the software development lifecycle (SDLC), instead of hastily adding it at the end.
• This increases efficiency, reduces overall costs and improves customer satisfaction
Integration of Security Testing throughout SDLC
Relative cost of fixing a defect found in each SDLC phase, with Parallel Security Activities running alongside every phase:
• Project Initiation & Planning: X
• Requirements Definition: 3X
• Design: 5X
• Implementation: 20X
• Test & Deploy: 50X – 200X
• Maintain: 500X
Information Gathering: Software Components and Their Environment
• Collecting as much information as possible about the target application
• Understanding the software and its environment is important to evaluate the attack surface
Information Gathering: Evaluation of the Software Attack Surface
Threat Evaluation
• Data Flow Diagram (DFD) helps understand how the system works and the threats it faces
• A good way to get started in this space is Microsoft’s STRIDE model
STRIDE
• Spoofing: Can an attacker gain access using a false identity?
• Tampering: Can an attacker modify data as it flows through the application?
• Repudiation: If an attacker denies doing something, can we prove he did it?
• Information disclosure: Can an attacker gain access to private or potentially injurious data?
• Denial of service: Can an attacker crash or reduce the availability of the system?
• Elevation of privilege: Can an attacker assume the identity of a privileged user?
Every Asset is Subject to Attack
[Data flow diagram. Legend: External Entity, Process, Data Store, Dataflow, Asset. Elements drawn: User (external entity), Service and Authn Engine (processes), Credentials and Data Files (data stores). Dataflows: Request, Response, Authn Request, Authn Info, Get Credentials, Requested File(s).]
Threat Types by Asset Type
STRIDE threat types that apply to each DFD asset type (the cells follow Microsoft’s STRIDE-per-element chart):
• External Entity: Spoofing, Repudiation
• Process: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
• Data Store: Tampering, Repudiation, Information Disclosure, Denial of Service
• Dataflow: Tampering, Information Disclosure, Denial of Service
Prioritizing Security Testing
• Why analyze and prioritize?
• What is Threat Modeling?
“Focus testing on areas where difficulty of attack is least and the impact is highest ” - Chris Wysopal
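As an added worked example (not from the deck), the STRIDE-per-element mapping applied to the deck’s sample DFD and ranked by the rule quoted above: easiest attack and highest impact first. Element names follow the diagram; the impact and difficulty scores are constructed assumptions, and THREATS_BY_TYPE is Microsoft’s STRIDE-per-element chart.

```python
# Added example: STRIDE-per-element threat enumeration and prioritisation for
# the deck's sample DFD. Scores are constructed assumptions, not deck content.
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# Which STRIDE threats apply to each DFD element type (Microsoft STRIDE-per-element chart).
THREATS_BY_TYPE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "dataflow": "TID",
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    impact: int      # 1 (low) .. 5 (high): assumed score for this example
    difficulty: int  # 1 (trivial) .. 5 (hard): assumed score for this example

# The DFD drawn in the deck: User -> Service -> Authn Engine -> Credentials, plus Data Files.
DFD = [
    Element("User", "external_entity", 2, 3),
    Element("Service", "process", 4, 3),
    Element("Authn Engine", "process", 5, 4),
    Element("Credentials", "data_store", 5, 2),
    Element("Data Files", "data_store", 4, 3),
    Element("Request (User->Service)", "dataflow", 3, 1),
]

def enumerate_threats(dfd):
    """Return (element, threat_name) for every STRIDE category that applies to the element type."""
    return [(e, STRIDE[c]) for e in dfd for c in THREATS_BY_TYPE[e.kind]]

def prioritize(dfd):
    """Rank threats so that low-difficulty, high-impact ones are tested first.

    score = impact * (6 - difficulty): a difficulty of 1 (trivial) weighs most.
    """
    scored = [(e.impact * (6 - e.difficulty), e.name, t) for e, t in enumerate_threats(dfd)]
    return sorted(scored, key=lambda s: (-s[0], s[1], s[2]))

if __name__ == "__main__":
    for score, name, threat in prioritize(DFD):
        print(f"{score:2d}  {name:26s} {threat}")
```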
Why Analyze and Prioritize Security Testing?
Because attackers want to attack your application: put appropriate defenses in products.
Threat Modeling and Its Benefits
Threat modeling is…
• A security-based analysis that helps understand where the product is most vulnerable
• Finds assets, evaluates threats and uncovers vulnerabilities
• Helps reduce overall security risks
• Prioritizes security tests
• Forms the basis of security design specifications
• Determines the threat mitigation techniques to employ
Benefits
• Helps understand an application better
• Helps find bugs and flaws in complex designs
• Drives well-designed security test plans
Threat Modeling Process
1. Identify Assets
2. Create an Architecture Overview
5. Document the Threats
Identifying Vulnerabilities in Source Code
• Well-tested code that includes security tests results in an end product that is more robust, easier to maintain and more secure
• Can be detected through:
  Security code reviews
  Source code analysis
• Automating the code review process is a good approach
Testing with Known Intrusions
• No security testing regime is complete until the product is tested with known intrusions
• It verifies that the application cannot be breached by known means. If it can, then fix and verify before the application goes into production
• 99% of network intrusions occurred based on known vulnerabilities that could have been prevented with proactive vulnerability management.
• Automate attack simulation whereby software pretends to attack the application with known paths of intrusion. Tools like Metasploit can help.
Source: CERT
Creating a Security Test Plan
• The Security Test Plan should incorporate a high-level outline of the artifacts to be tested and the methodologies to be used
Security Test Plan
Choosing the Right Tools for Security Testing
• Know your attacker and know yourself
• Test an application under the following conditions to determine the vulnerabilities
  a non-authenticated user
  an authenticated user
  an administrative user
Metrics & Reporting
• Both the quantity and quality of testing need to be measured to assess the efficiency of the testing performed on the software
• Defect metrics are vital
• All time-oriented metrics should be measured regularly
• Maintain a common problem database
Recap
• Security is a Process and not a Product
• Break the traditional approach. Integrate security testing throughout SDLC
• Evaluate the attack surface and threats
• Develop security testing strategy
• Analyze and prioritize test strategies
• Think Evil. Be Evil. Test Evil
• Perform code reviews
• Know your enemy and know yourself
• Attack!!!
References
• Risk-Based and Functional Security Testing: C. C. Michael and Will Radosevich
• Building Secure Web Applications: Peter Varhol, Technology Strategy Research, LLC
• Threat Modeling: Improving the Application Life Cycle: Dan Sellers
• Myths of Software Security: People Security
• Secure Coding: Principles and Practices. Graff, Mark G. & Van Wyk, Kenneth R. Sebastopol, CA: O’Reilly, 2003 (ISBN: 0596002424).
• Security Considerations in the Information System Development Life Cycle: Grance, T.; Myers, M.; & Stevens, M. (NIST Special Publication 800-64), 2004
• Risk Based Security Testing: TechRepublic Publication
• http://www.cert.org/stats/
• http://web.nvd.nist.gov/view