Name of the Speakers: Anish Cheriyan, Director Quality and Centre of Excellence - Cyber Security
Sriharsha Narayanam, Test Architect and Cyber Security Test Engineering - COE Team
Company Name: Huawei Technologies India Private Limited
Topics
• Introduction
• Principles of Security for Secure Products
• Security in Product Development Life Cycle
• Penetration Testing Approach
• Details of Pen Test
• Cyber Security: a mindset and some anti-patterns
• Conclusion
[Image slides, captions only]
Just Attack Testing
Feather Touch Testing
Time Bound Testing
"Innocent until proven guilty"
Build Security In: Some Perspectives
The Principles of Secure Software Design
• Favor simplicity
◦ Use fail-safe defaults
◦ Do not expect expert users
• Trust with reluctance
◦ Employ a small trusted computing base
◦ Grant the least privilege possible
◦ Promote privacy
◦ Compartmentalize
• Defend in depth
◦ Use community resources; no security by obscurity
• Monitor and trace
Reference: Software Security by Michael Hicks, Coursera
Favor Simplicity
Reference: Software Security by Michael Hicks, Coursera
Favor Simplicity: Fail-Safe Defaults
Favor Simplicity: Do Not Expect Expert Users
Trust with Reluctance (TwR)
Trust with Reluctance (TwR): Trusted Computing Base
Trust with Reluctance (TwR): Least Privilege
Trust with Reluctance (TwR): Compartmentalization
Defend in Depth
www.unicomlearning.com/ethicalhacking
Defend in Depth: Use Community Resources
Monitoring and Traceability
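The principles above (fail-safe defaults, a small trusted computing base, least privilege, monitor and trace) are easiest to see side by side in an authorisation check. The following Python is an added example written for this page, not code from the slides or from the speakers' company; the roles, resources, policy table and the function names are constructed for illustration.

```python
"""Added example (not from the slides): the 'favor simplicity' and 'trust with
reluctance' principles applied to an authorisation check.

- fail-safe default: an unknown role, an unlisted action or an internal error
  all resolve to DENY
- least privilege: each role carries an explicit, minimal allow-list
- small trusted computing base: the decision is a few lines with no reliance
  on the caller doing anything right
- monitor and trace: every decision is recorded so it can be audited later
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample policy: role -> explicit allow-list of (resource, action).
# Anything not listed is implicitly denied.
POLICY: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "viewer": frozenset({("report", "read")}),
    "editor": frozenset({("report", "read"), ("report", "write")}),
    "admin": frozenset({("report", "read"), ("report", "write"), ("user", "manage")}),
}


@dataclass
class AuditLog:
    """Trace of every authorisation decision (monitor and trace)."""
    entries: List[str] = field(default_factory=list)

    def record(self, user: str, role: str, resource: str, action: str,
               allowed: bool, reason: str) -> None:
        verdict = "ALLOW" if allowed else "DENY"
        self.entries.append(f"{verdict} user={user} role={role} {action}:{resource} ({reason})")


def is_allowed(user: str, role: str, resource: str, action: str, audit: AuditLog) -> bool:
    """Return True only when the policy explicitly permits the request."""
    try:
        permitted = POLICY.get(role)
        if permitted is None:
            audit.record(user, role, resource, action, False, "unknown role")
            return False
        allowed = (resource, action) in permitted
        audit.record(user, role, resource, action, allowed,
                     "explicit policy" if allowed else "not in allow-list")
        return allowed
    except Exception as exc:  # any failure inside the check fails closed
        audit.record(user, role, resource, action, False, f"error: {exc!r}")
        return False


# Counter-example: the fail-open shape the fail-safe-defaults principle warns against.
BLOCKED_ACTIONS = {("user", "manage")}


def is_allowed_denylist(role: str, resource: str, action: str) -> bool:
    """Fails open: anything not explicitly blocked is permitted, so every new
    resource/action pair is exposed to every role until someone remembers to
    extend the deny-list."""
    if role == "admin":
        return True
    return (resource, action) not in BLOCKED_ACTIONS


if __name__ == "__main__":
    log = AuditLog()
    print(is_allowed("alice", "viewer", "report", "write", log))
    print(is_allowed_denylist("viewer", "report", "delete"))
    print("\n".join(log.entries))
```

The difference shows up on a request nobody anticipated (`report/delete`): the allow-list version denies it and leaves an audit entry, the deny-list version silently permits it.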
Top 10 Flaws: Do Not...
Building Security into the Product Development Life Cycle
• Requirement
◦ General security requirement analysis
◦ Attack surface analysis
◦ Threat modeling: STRIDE (Microsoft)
◦ Testability analysis
• Design
◦ Secure architecture and design
◦ Security design guidelines
◦ Security test strategy and test cases
• Coding
◦ Secure coding guidelines (cert.org is a good reference)
◦ Static check tools like Fortify, Coverity (ref: owasp.org)
◦ Code reviews
• Testing
◦ Security test cases
◦ Penetration testing approach (reconnaissance, scanning, attack, managing access)
• Release
◦ Anti-virus
◦ Continuous delivery system (inspection and secure test)
Threat Modeling
Reference: https://msdn.microsoft.com
1. Identify assets. Identify the valuable assets that your systems must protect.
2. Create an architecture overview. Use simple diagrams and tables to document the architecture of your application, including subsystems, trust boundaries, and data flow.
3. Decompose the application. Decompose the architecture of your application, including the underlying network and host infrastructure design, to create a security profile for the application.
4. Identify the threats. Keeping the goals of an attacker in mind, and with knowledge of the architecture and potential vulnerabilities of your application, identify the threats that could affect the application.
5. Document the threats. Document each threat using a common threat template that defines a core set of attributes to capture for each threat.
6. Rate the threats. Rate the threats to prioritize and address the most significant threats first.
Threat Modeling Diagram: a simple example
Reference: https://msdn.microsoft.com
Secure Architecture and Design Perspective
Reference: https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet#DRAFT_CHEAT_SHEET_-_WORK_IN_PROGRESS
Business Requirements
• Business model
• Essential data
• End users
• Third parties
• Administrators
• Regulations
Secure Code Perspective
Reference: https://owasp.org
• Input validation
• Output encoding
• Authentication and password management
• Session management
• Access control
• Cryptographic practices
• Error handling and logging
• Data encryption
• Communication security
• System configuration
• File management
• Memory management
• General coding practices
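Three items from the checklist above (input validation, output encoding, error handling and logging) applied to one small web fragment. This Python is an added example written for this page, not code from the slides or from OWASP; the function names, the username pattern and the bio length limit are this example's own choices.

```python
"""Added example (not from the slides): input validation, output encoding and
error handling/logging on a user-profile fragment. The unsafe renderer is kept
beside the hardened one to show exactly which step removes the defect."""
import html
import logging
import re
from typing import Optional, Tuple

log = logging.getLogger("profile")

# Input validation: an allow-list pattern (assumed for this example); anything
# else is rejected before it reaches business logic or output.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")
MAX_BIO_LEN = 280


def validate_username(value: str) -> str:
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("username must be 3-32 chars of [A-Za-z0-9_.-]")
    return value


def validate_bio(value: Optional[str]) -> str:
    value = "" if value is None else value
    if len(value) > MAX_BIO_LEN:
        raise ValueError("bio too long")
    # Free text may contain anything printable; drop control characters (keep newlines).
    return "".join(ch for ch in value if ch == "\n" or ch.isprintable())


def render_profile_unsafe(username: str, bio: str) -> str:
    """The shape to avoid: user input concatenated straight into HTML, so a
    bio containing markup is emitted as markup (stored XSS)."""
    return f"<h1>{username}</h1><p>{bio}</p>"


def render_profile(username: str, bio: str) -> str:
    """Validated on the way in, then encoded for the HTML context on the way out."""
    username = validate_username(username)
    bio = validate_bio(bio)
    return f"<h1>{html.escape(username)}</h1><p>{html.escape(bio)}</p>"


def handle_request(username: str, bio: str) -> Tuple[int, str]:
    """Error handling: the detail goes to the server log; the client gets a
    generic message with no stack trace and no echo of the rejected input."""
    try:
        return 200, render_profile(username, bio)
    except ValueError as exc:
        log.warning("profile rejected: %s", exc)
        return 400, "<p>Invalid profile data.</p>"


if __name__ == "__main__":
    sample_bio = "<script>alert(1)</script>"  # constructed input
    print(render_profile_unsafe("bob", sample_bio))
    print(render_profile("bob", sample_bio))
    print(handle_request("bob<", "x"))
```

Validation and encoding are separate controls on purpose: the allow-list on the username stops bad data early, while `html.escape` protects the free-text bio, which legitimately may contain `<` or `&`, at the point where it is rendered.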
Secure Code Perspective: Code Review
Further Reading: Threat Modeling - Frank Swiderski, Window Snyder; A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World - http://cacm.acm.org/magazines/2010/2/69354-a-few-billion-lines-of-code-later/fulltext
Inputs to the code review:
• Trust boundary code (from the threat model)
• Static tool execution
• Manual code review
While doing the code review, take the code at the trust boundary and the issues reported by static tools such as Fortify and Coverity as inputs, so that the review effort is focused on the right places.
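One way to turn the two inputs named above into a review order is to score each file by its static-analysis findings and double the score for files on the trust boundary. The Python below is an added example written for this page, not code from the slides or from any analyser vendor; the finding export, the file names and the weights are constructed, and a real Fortify or Coverity export would first have to be mapped to this column layout.

```python
"""Added example (not from the slides): prioritising a manual code review from
the threat model's trust-boundary list and a static analyser's findings."""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Set

# Constructed static-analyser export (assumed columns): file, line, category,
# severity, triage. Real tool exports differ and need mapping to this shape.
STATIC_EXPORT = """\
file,line,category,severity,triage
src/api/login.py,42,SQL Injection,critical,open
src/api/login.py,88,Log Forging,low,open
src/internal/report.py,10,Unused Variable,low,false_positive
src/api/upload.py,17,Path Manipulation,high,open
src/api/upload.py,60,Hardcoded Password,high,false_positive
src/internal/batch.py,5,Resource Leak,medium,open
"""

# Constructed trust-boundary list from the threat model: code that handles
# data arriving from a less-trusted zone.
TRUST_BOUNDARY_FILES: Set[str] = {"src/api/login.py", "src/api/upload.py"}

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


def parse_findings(export: str) -> List[dict]:
    rows = list(csv.DictReader(io.StringIO(export)))
    for r in rows:
        r["line"] = int(r["line"])
    return rows


def review_plan(findings: List[dict], boundary_files: Set[str]) -> List[dict]:
    """Score each file: findings weighted by severity, doubled at the trust
    boundary. Findings already triaged as false positives still count at
    half weight, so the reviewer re-checks them instead of inheriting the
    earlier dismissal unseen."""
    score: Dict[str, float] = defaultdict(float)
    detail: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        w = float(SEVERITY_WEIGHT.get(f["severity"], 1))
        if f["triage"] == "false_positive":
            w *= 0.5
        if f["file"] in boundary_files:
            w *= 2
        score[f["file"]] += w
        detail[f["file"]].append(f"L{f['line']} {f['category']} ({f['severity']}, {f['triage']})")
    for path in boundary_files:
        score[path] += 0  # boundary files are listed even with no findings
    rows = [{"file": p, "score": s, "boundary": p in boundary_files, "findings": detail[p]}
            for p, s in score.items()]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


if __name__ == "__main__":
    for row in review_plan(parse_findings(STATIC_EXPORT), TRUST_BOUNDARY_FILES):
        flag = "boundary" if row["boundary"] else "internal"
        print(f"{row['score']:5.1f} {flag:8} {row['file']}")
        for line in row["findings"]:
            print("        ", line)
```

The weights are deliberately simple; what matters is that the ordering comes from both sources, so a medium-severity finding inside the trust boundary can outrank a high-severity one in internal batch code.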
Secure Testing (Pen Test) Perspective
• Information gathering (about the system, environment, etc.)
• Scan the system
• Threat analysis
• Usage of the static analyzer and scanning tools (run Fortify, Coverity, AppScan, Nessus, Nmap, etc.); right tool usage
• Vulnerability analysis
• Fuzz testing
• Penetration testing
• Use / develop the right set of tools to attack
• Raise defects
Phases: Reconnaissance, Scanning, Attack, Managing Access
Test Strategy
Validation Approach of ABC
[Picture: "Assume nothing, believe nobody and check everything"]
Security Test Strategy - Inputs
• Understand the typical application scenario; analyse the system topology, architecture, etc.
• Analyse the threat model and the security design, identify the trust boundaries, and apply penetration test analysis and design.
• Review and analyse the open source and third-party software.
• Analyse the reports of static (non-dynamic) examination tools such as Fortify and Coverity.
• Analyse information such as the communication matrix, product manual, etc.
• Conduct code verification from a security perspective.
• Conduct penetration testing (information gathering, scanning, attack, defects).
Security Test Strategy - What to Cover?
• Security areas: Web security, Network security, DB security, OS security, Mobile security, Open source security, Password security
• Tools to be used
• Code vulnerabilities validation
• Penetration test analysis and design
• Top 3 attacks to be focused on
• Customer deployment topology
• Threat modeling based scenarios
• Penetration test approach
• Attack vectors / surface
• Automation?
• Country-specific security
• Test case database
• Good practice inheritance from security defects from the past
Penetration Testing Analysis: overall flow
Output:
• Penetration test scenarios
• Penetration test cases
• Defects, leading to (1) damage potential assessment and (2) new test cases
Reconnaissance is the first and the key phase of penetration testing, where the information is gathered.
The more time you spend collecting information on your target, the more likely you are to be successful in the later phases. A checklist-based approach can be used for information gathering, but it need not be constrained to the list.
Information gathering helps teams think about the product properties upfront.
Reconnaissance / Information Gathering
Checklist columns: Category | Suggested information to be gathered / verified | Actual information
Category: General Information
• List of IP addresses that can be scanned
• Target OS and file permission information
• Information about the log files and their paths
• Information about the data file location and their format
• Storage mechanism of the username/password of the application
Reconnaissance / Information Gathering: Tools
A few tools for web application reconnaissance: Wappalyzer, PassiveRecon, Groundspeed [http://www.slideshare.net/groundspeed/groundspeed-presentation-at-the-owasp-nynj]
Software - URL - Description
• Maltego - http://www.paterva.com/web5 - The de facto standard for mining data on individuals and companies. Comes in a free community version and a paid version.
• Nessus - http://tenable.com/products/nessus - A vulnerability scanning tool available in paid and free versions. Nessus is useful for finding and documenting vulnerabilities, mostly from the inside of a given network.
• IBM AppScan - http://www-01.ibm.com/software/awdtools/appscan - IBM's automated web application security testing suite.
• eEye Retina - http://www.eeye.com/Products/Retina.aspx - Retina is an automated network vulnerability scanner that can be managed from a single web-based console. It can be used in conjunction with Metasploit: if an exploit exists in Metasploit, it can be launched directly from Retina to verify that the vulnerability exists.
• Nexpose - http://www.rapid7.com - Nexpose is a vulnerability scanner from the same company that brings you Metasploit. Available in both free and paid versions that differ in levels of support and features.
• OpenVAS - http://www.openvas.org - OpenVAS is a vulnerability scanner that originally started as a fork of the Nessus project. The scanner is accompanied by a daily updated feed of Network Vulnerability Tests (NVTs), over 20,000 in total (as of January 2011).
• HP WebInspect - https://www.fortify.com/products/web_inspect.html - HP WebInspect performs web application security testing and assessment for complex web applications. Supports JavaScript, Flash, Silverlight and others.
• HP SWFScan - https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf - HP SWFScan is a free tool developed by the HP Web Security Research Group to automatically find security vulnerabilities in applications built on the Flash platform. Useful for decompiling Flash apps and finding hard-coded credentials, etc.
• THC IPv6 Attack Toolkit - http://www.thc.org/thc-ipv6 - The largest single collection of tools designed to exploit vulnerabilities in the IPv6 and ICMP6 protocols.
Pen test tools and guidelines: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
Security Tools and Version Analysis
Tool analysis helps the teams select the applicable tools upfront and build the required competency to use them (or acquire licences) well before the test execution phase.
Scanning is the phase where the vulnerabilities and the weak areas in the system / target are identified.
Tools are to be finalized based on the application scope.
• Based on the threat modeling analysis, understand the trust boundary.
◦ Analyse the present risk mitigation mechanism and derive test scenarios.
◦ Analyse the proposed risk mitigation mechanism and derive test scenarios.
• Threat modeling analysis is to be done both at system and at sub-system level.
System Scanning and Further Analysis
Category - Tool / Technique - Applicability Analysis
• Scanning of the system under test using a static code analyzer: Fortify, Coverity
• Determining if a system is alive
• Scanning the application: AppScan, Acunetix, RSAS, QRadar, ...
Test Scenarios from Threat Modeling Analysis (template)
Columns: Entity or Process | Threat Type (S, T, R, I, D, E) | Applicable? | Test scenario based on current mitigation | Test scenario based on proposed mitigation
Example row: Requirement 1 - S: Yes; T: No; R, I, D, E: to be filled in
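The "identify the threats" and "rate the threats" steps of the threat-modeling procedure earlier on this page, and the applicability table just above, can both be produced from a small data-flow model. The Python below is an added example written for this page, not code from the slides or from Microsoft; it assumes the STRIDE-per-element mapping used by the Microsoft SDL threat modeling tool (external entity: S R; process: S T R I D E; data store: T R I D; data flow: T I D), and the login-service model, the zone names and the damage scores are constructed.

```python
"""Added example (not from the slides): STRIDE-per-element applied to a small
data-flow model, producing the 'Entity or Process / Threat Type / Applicable?'
table, a concrete threat list, and a rating ordered by damage potential."""
from dataclasses import dataclass
from typing import Dict, List

STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
# Assumed STRIDE-per-element mapping (Microsoft SDL convention).
PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # one of PER_ELEMENT's keys other than "flow"
    zone: str   # trust zone the element lives in


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    @property
    def crosses_boundary(self) -> bool:
        return self.src.zone != self.dst.zone


def applicability(elements: List[Element]) -> Dict[str, Dict[str, bool]]:
    """One row per element, one column per STRIDE letter: the applicability table."""
    table = {}
    for e in elements:
        letters = PER_ELEMENT[e.kind]
        table[e.name] = {k: (k in letters) for k in STRIDE_NAMES}
    return table


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[dict]:
    """Expand the table into concrete threat records; flows that cross a trust
    boundary are flagged so the rating step can rank them first."""
    threats = []
    for e in elements:
        for k in PER_ELEMENT[e.kind]:
            threats.append({"element": e.name, "type": STRIDE_NAMES[k], "boundary": False})
    for f in flows:
        for k in PER_ELEMENT["flow"]:
            threats.append({"element": f.name, "type": STRIDE_NAMES[k],
                            "boundary": f.crosses_boundary})
    return threats


def rate(threats: List[dict], damage: Dict[str, int]) -> List[dict]:
    """'Rate the threats': damage potential per threat type (1-10, supplied by
    the modeller) plus a fixed bump for boundary-crossing flows; highest first."""
    for t in threats:
        t["score"] = damage.get(t["type"], 1) + (3 if t["boundary"] else 0)
    return sorted(threats, key=lambda t: t["score"], reverse=True)


# Constructed model: browser -> login service -> user DB, browser outside the boundary.
browser = Element("Browser", "external", "internet")
webapp = Element("Login service", "process", "dmz")
userdb = Element("User DB", "store", "dmz")
MODEL_ELEMENTS = [browser, webapp, userdb]
MODEL_FLOWS = [Flow("Login request", browser, webapp), Flow("Credential lookup", webapp, userdb)]

if __name__ == "__main__":
    for name, row in applicability(MODEL_ELEMENTS).items():
        print(f"{name:14} " + " ".join(k if v else "-" for k, v in row.items()))
    ranked = rate(enumerate_threats(MODEL_ELEMENTS, MODEL_FLOWS),
                  {"Elevation of privilege": 9, "Information disclosure": 7, "Tampering": 6})
    for t in ranked[:5]:
        print(t["score"], t["element"], t["type"])
```

The mapping does the "applicable?" column mechanically; the modeller's judgement goes into the damage scores and into the mitigation columns of the template, which this example leaves for the test scenarios to fill.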
System and Feature Level Vulnerability Analysis
Vulnerability analysis is the process in which the vulnerability analysis of the system and of each feature is conducted. The various ways in which it can be done are:
◦ Threat modeling analysis
◦ Reconnaissance / information gathering
◦ System level vulnerability based on the security area (overlaps with threat modeling analysis)
◦ Feature level vulnerability based on the security area (overlaps with threat modeling analysis)
Analysis template, one column per security area: Does this feature interact with a trust boundary? | SSL configuration used | Encryption algorithm used | Anti-attack protection | Identity management | Password management
Rows: System level analysis; Feature 1; and so on for each feature.
Systematic Penetration Testing: Defect Examples
• Web server version based defects
• Encryption issues
• Address ID issue
• Session ID based privilege escalation
• CSRF issue (form key)
• User scenario based SQL injection
Penetration Testing Practice Platforms
Some Anti-Patterns
• Attack surface analysis and threat modeling not deeply practiced
• Secure design and code practices not practiced well
• Ignoring some errors from Fortify / Coverity and other tools, sometimes considering them as false positives
• Relying too much on testing
• "This is not a valid scenario. Customer would never test this way."
• "Innocent until proven" - it should be "Guilty unless proven"
Reference: Software Security by Michael Hicks, Coursera
Conclusion
• Build security into the life cycle of product development
• Focus on security competency
• Assume nothing, believe nobody, check everything
• Follow penetration test design methods: Reconnaissance - Scanning - Attack - Manage Access
References and Further Reading
• www.cert.org
• www.owasp.org
• http://pr.huawei.com/en/connecting-the-dots/cyber-security/
• http://pr.huawei.com/en/connecting-the-dots/cyber-security/hw-401493.htm#.VV6DBfBCijM
• https://msdn.microsoft.com/en-us/security/aa570330.aspx
• Building Secure Software - John Viega, Gary McGraw
• Coursera course: Software Security by Michael Hicks, University of Maryland
THANK YOU
Organized by: UNICOM Trainings & Seminars Pvt. [email protected]
www.unicomlearning.com/IT_Security_and_Ethical_Hacking
Speaker Name: Anish Cheriyan, Sriharsha Narayanam
Email ID: [email protected], @anishcheriyan