8/14/2019 05 Vulnerability assessment.ppt
1/32
I.T.
DIGIT TestCentre
Vulnerability assessment service
Gabriel BABIANO
DIGIT.A.3
29/11/2012
Agenda
Service presentation
Lessons learned
DIGIT TestCentre
Organizational location: DIGIT.A.3
Physical location: DRB D3 (LUX)
Service manager: Gabriel BABIANO
Performance testing service since 2002
(currently 6 testers)
Vulnerability assessment service since 2011
(currently 3 testers)
Grounds for vulnerability assessment
Motivation:
Legal constraints
Reputation / data stolen
Continuity of the service
75% of cyber-attacks are directed at the web application layer (Gartner)
Network security alone does not protect web apps!!!
Tests in Information Systems life-cycle
Cost versus life-cycle stage
"Finding and fixing a software problem after delivery is often 100 times more expensive than finding and fixing it during the design and requirements phase"
(Barry Boehm)
VT
Secure coding guidelines
DIGIT TC Vulnerability service deliverables
Vulnerability assessment reports (per test/iteration)
Filtered potential vulnerabilities (false positives removed by manual triage)
Classification on criticality and prioritization
Potential remediation
Evolution from previous iterations
Secure coding guidelines
Best practices in secure coding for the recommended languages (HTML, Java, ColdFusion)
Aligned to threats evolution
Both for developers and operational managers
1st draft release due 01/2013
DIGIT VT service tests
Black Box Vulnerability Test (dynamic analysis)
Needs a working application target (as close to PROD as possible)
No access to source code required
Not specific to coding language(s)
Automatic tools + manual testing to supplement the tools
Complement to Penetration Testing and WBVT
White Box Vulnerability Tests (static analysis)
Access to buildable source code
Automatic tools + manual review to remove false positives
All recommended languages are supported (Java, CF)
No absolute need for an application target, but it helps a lot
Detects more vulnerabilities than black box testing
DIGIT TestCentre service procedure workflow
Several iterations are normally required
DIGIT TC Vulnerability service tools
Static code analysis (SAST)
Automatic tools
Manual code review: Eclipse
Dynamic program analysis (DAST)
Automatic tools
Manual tools: Firefox and plugins:
Tamper Data
Database tools
Tools evaluation - methodology
Tools evaluation criteria
Tools evaluation critical metrics
Correctness of the results
Accurate
Minimum false positives
Minimum inconclusive
Minimum duplicates
Minimum misnamed
Completeness of the results
% detected
% missed
False negatives
Performance
Scan duration
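The metrics above are only meaningful against a known ground truth, typically an application with deliberately seeded vulnerabilities. The following is an added example, not part of the original presentation or of the DIGIT TestCentre procedure: it scores a constructed tool output against a constructed seeded list and reports the correctness counts (false positives, inconclusive, duplicates, misnamed) and the completeness figures (% detected, % missed, the false-negative list). The finding format, the (file, line, CWE) matching key and the rule that a misnamed finding counts as detected but is flagged as a correctness defect are assumptions of this example.

```python
"""Score a SAST/DAST tool run against a seeded ground truth.

Added example (not from the original presentation). The ground truth,
the tool output and the finding format are constructed. Metrics follow
the slide: correctness (false positives, inconclusive, duplicates,
misnamed) and completeness (% detected, % missed, false negatives).
"""

# Constructed ground truth: weaknesses deliberately seeded in a test
# application, identified by (file, line, CWE id).
GROUND_TRUTH = {
    ("Login.java", 42, "CWE-89"),     # SQL injection
    ("Profile.java", 88, "CWE-79"),   # reflected XSS
    ("Upload.java", 17, "CWE-22"),    # path traversal
    ("Token.java", 5, "CWE-327"),     # weak cryptography
}

# Constructed raw tool output. "cwe" is None when the tool could not
# classify the hit; "confidence" is the tool's own certainty.
TOOL_FINDINGS = [
    {"file": "Login.java", "line": 42, "cwe": "CWE-89", "confidence": "high"},
    {"file": "Login.java", "line": 42, "cwe": "CWE-89", "confidence": "high"},   # duplicate
    {"file": "Profile.java", "line": 88, "cwe": "CWE-80", "confidence": "high"}, # misnamed (XSS variant)
    {"file": "Config.java", "line": 3, "cwe": "CWE-798", "confidence": "high"},  # false positive
    {"file": "Upload.java", "line": 17, "cwe": None, "confidence": "low"},       # inconclusive
]


def evaluate(truth, findings, inconclusive_confidence=("low", "unknown")):
    """Classify every finding once and compute the evaluation metrics.

    Assumption of this example: a finding at a seeded location but with
    the wrong CWE is 'misnamed'; it counts as detected (the tester is
    pointed at the right code) but is reported as a correctness defect.
    Inconclusive hits are not counted as detected: they still need a
    human to decide, which is exactly the cost the metric measures.
    """
    truth_by_location = {(f, line): cwe for f, line, cwe in truth}
    seen = set()
    detected = set()
    false_positives = []
    duplicates = inconclusive = misnamed = 0

    for fd in findings:
        key = (fd["file"], fd["line"], fd["cwe"])
        if key in seen:
            duplicates += 1          # same file/line/class reported again
            continue
        seen.add(key)
        if fd["cwe"] is None or fd["confidence"] in inconclusive_confidence:
            inconclusive += 1        # tool could not decide; manual triage needed
            continue
        location = (fd["file"], fd["line"])
        if key in truth:
            detected.add(key)
        elif location in truth_by_location:
            misnamed += 1            # right place, wrong weakness class
            detected.add((location[0], location[1], truth_by_location[location]))
        else:
            false_positives.append(key)

    missed = sorted(truth - detected)
    total = len(truth)
    return {
        "detected_pct": round(100.0 * len(detected) / total, 1),
        "missed_pct": round(100.0 * len(missed) / total, 1),
        "false_negatives": missed,
        "false_positives": len(false_positives),
        "duplicates": duplicates,
        "inconclusive": inconclusive,
        "misnamed": misnamed,
    }


if __name__ == "__main__":
    for name, value in evaluate(GROUND_TRUTH, TOOL_FINDINGS).items():
        print(f"{name:16s} {value}")
```

Run the same script against each candidate tool's output on the same seeded target, and add the wall-clock scan duration from the tool's own log as the performance column; the numbers then compare like for like.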
Tools lists
Static code analysis (SAST)
http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
Dynamic program analysis (DAST)
http://en.wikipedia.org/wiki/Dynamic_program_analysis
Open source DAST tools:
WebScarab
Nikto / Wikto
Open Web Application Security Project (OWASP)
Google ratproxy and skipfish
W3af
Websecurify
Costs per test
In-house service:
Assumption: a complete VT (WB & BB) takes 10 working days on average (15 tests per tester per year)
Strong investment in licenses the first year
Costs are similar after the 4th year
Security-skilled tester with an "industrialized" procedure required
Outsourced service:
No investment required
Less flexible for the development?
Quality?
Iterations?
Engineering for attacks
Vulnerability risk areas
Security controls
Security functions
OWASP Top Ten (2010 Edition)
http://www.owasp.org/index.php/Top_10
2011 CWE Top 25 Most Dangerous Software Errors
http://cwe.mitre.org/top25/
Comparison OWASP Top Ten 2010 CWE Top 25 2011
http://cwe.mitre.org/top25/
DIGIT TestCentre
Score = Risk * Impact
Priorities are adapted for every application
Vulnerability assessment
Assess and secure all parts individually
The idea is to force an attacker to penetrate severaldefence layers
As a general rule, data stored in databases is treated as "untrusted"
"In God we trust,
for the rest, we test"
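The rule that database content is untrusted is what makes the layers independent: a parameterised query stops injection at the database layer, but it stores the attacker's text verbatim, so the rendering layer has to defend itself again. The following is an added example, not part of the original presentation or of any DIGIT application: it uses an in-memory SQLite table, a constructed stored-XSS comment and a constructed attribute-breakout author name, and shows a rendering function that trusts the database next to one that encodes everything it reads from it. Table name, column names and payloads are assumptions of the example.

```python
"""Why data read from the database is still "untrusted".

Added example (not from the original presentation). The schema, the
comment and the payloads are constructed. The parameterised INSERT
blocks SQL injection, but the payload is stored as-is, so the page
that renders it must HTML-encode it: each layer is secured on its own.
"""
import html
import sqlite3

# Constructed payloads: one breaks out of an element body, one out of
# an attribute value. Both pass the database layer untouched.
PAYLOAD_BODY = "<script>alert(document.cookie)</script>"
PAYLOAD_AUTHOR = '" onmouseover="alert(1)'


def open_db():
    """Create the constructed schema in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    return conn


def store_comment(conn, author, body):
    """Parameterised insert: safe against SQL injection, but the stored
    text is exactly what the user sent, script tags included."""
    conn.execute(
        "INSERT INTO comments (author, body) VALUES (?, ?)", (author, body)
    )
    conn.commit()


def render_unsafe(conn):
    """Trusts the database: the stored script runs in every visitor's
    browser (stored XSS) and the author string breaks the attribute."""
    rows = conn.execute("SELECT author, body FROM comments ORDER BY id")
    return "".join(
        '<div class="comment" data-author="%s">%s</div>' % (author, body)
        for author, body in rows
    )


def render_safe(conn):
    """Treats database content as untrusted: HTML-encode the element
    body and the attribute value. quote=True also encodes ' and " so
    the author value cannot close the attribute."""
    rows = conn.execute("SELECT author, body FROM comments ORDER BY id")
    return "".join(
        '<div class="comment" data-author="%s">%s</div>'
        % (html.escape(author, quote=True), html.escape(body, quote=True))
        for author, body in rows
    )


def demo():
    """Store the constructed comment and render it both ways."""
    conn = open_db()
    store_comment(conn, PAYLOAD_AUTHOR, PAYLOAD_BODY)
    return render_unsafe(conn), render_safe(conn)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("UNSAFE:", unsafe)
    print("SAFE:  ", safe)
```

The same reasoning applies to any other consumer of the table: a report generator, an export to CSV, a log line. Each one decides for itself how the stored bytes must be encoded for its own output context, rather than assuming an earlier layer already did.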
Vulnerability remediation priorities
Recommendations for remediation are found in the report
Cover high priority first, then the others when affordable
Begin with risky vulnerabilities that are easy to remediate
Vulnerabilities type occurrence in the 1st iteration (%)
[chart: percentage of applications affected per vulnerability type, y-axis 0% to 100%]
Sources:
http://cwe.mitre.org/top25/
http://projects.webappsec.org/w/page/13246989/Web%20Application%20Security%20Statistics
28/32
28
Improvements in Design and Coding stages
Number of findings per vulnerability group and test iteration (blank = none found):

Vulnerability group                            It.1  It.2  It.3  It.4  It.5  It.6
Cross-Site Scripting                             43    14     2     2     1     1
Injection                                        23     6     1     1
Insecure Transmission of credentials/tokens      10     3
Password Management                              13     6     2
Cookie Security                                   9     7
Path Manipulation                                 3     2     1     1
Weak authentication                               4     2
Open redirect                                     5
Logging of credentials                            2     1
Cross-Site Request Forgery                       16     4     1     1
Header Manipulation                              15     3     1
Weak cryptography                                14     2     1
File Upload                                       8     3     1     1
Forced Browsing                                   7     2     1
Log Forging                                       6     1     1     1
Information disclosure                            4     3     2

Security increases in every iteration
Flaws can appear in future iterations
Some references
Open Web Application Security Project (OWASP): www.owasp.org
Web Application Security Consortium (WASC): www.webappsec.org
Common Vulnerability Scoring System (CVSS): http://www.first.org/cvss/
Common Weakness Enumeration (CWE): http://cwe.mitre.org
Common Attack Pattern Enumeration and Classification (CAPEC): http://capec.mitre.org/
SANS Institute: www.sans.org
Questions?
Thank you!