What? Why? Who? How? Of Application Security Testing
Presented by: Declan O’Riordan
@DeclanTestingIT
www.eurostarconferences.com
Threat growth
Source: Verizon
2013 - 20% more breaches
2012 - 30% higher cost per breach
2014 - Commercial cyber security spending $46 billion
What is Application Security?
It is NOT Building, or Network Security!
84% of attacks target the applications (Source: HP)
90% of sites are vulnerable to application attacks (Watchfire)
The Web was not designed to be secure in the beginning. Security features are afterthoughts.
Source: OWASP
I started to understand the #1 risk: Injection
' ; < > & | \ Space Newline
<script > <ScRiPt> %00<script><scr%00ipt> expr/***/ession %3cscript%3e <scr<script>ipt>
HTML encoding, URL encoding, Unicode encoding, Base64 encoding, Hex encoding
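The slide's point is that the same injection payload can arrive in many encodings, so a filter that looks for one spelling of it is not a defence. The following added example (my illustration, not code from the talk) takes constructed inputs modelled on the obfuscated forms listed above and contrasts a naive one-pass blacklist with canonicalization followed by output encoding. The function names, the sample list and the bounded decode loop are my own assumptions about how to show this.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample inputs modelled on the obfuscation forms listed on the slide.
SAMPLES = [
    "<script>",
    "<ScRiPt>",
    "%3cscript%3e",          # URL-encoded
    "%00<script>",           # leading null byte
    "<scr%00ipt>",           # null byte inside the tag name
    "<scr<script>ipt>",      # nested tag: survives one pass of a strip filter
    "&lt;script&gt;",        # HTML-entity encoded
    "%253cscript%253e",      # double URL-encoded
    "hello world",           # benign
]


def naive_strip(s: str) -> str:
    """A blacklist filter of the kind that looks sufficient and is not:
    remove the literal tag once, case-insensitively."""
    return re.sub(r"<script>", "", s, count=1, flags=re.IGNORECASE)


def canonicalize(s: str, max_rounds: int = 5) -> str:
    """Reduce input to one canonical form before any decision is made:
    repeatedly URL-decode and HTML-entity-decode until stable, strip NUL
    bytes, then lower-case. The round limit bounds work on hostile input."""
    prev, cur, rounds = None, s, 0
    while cur != prev and rounds < max_rounds:
        prev = cur
        cur = html.unescape(unquote(cur))
        rounds += 1
    return cur.replace("\x00", "").lower()


def looks_like_script_tag(s: str) -> bool:
    """Detection on the canonical form. Still a signature, so still
    incomplete; suitable for logging and alerting, not as the defence."""
    return "<script" in canonicalize(s)


def naive_filter_bypassed(s: str) -> bool:
    """True when the naive filter's output still canonicalizes to a script tag,
    i.e. the filter ran but did not neutralize the input."""
    return looks_like_script_tag(naive_strip(s))


def render_safely(s: str) -> str:
    """The actual defence for an HTML body context: encode on output so that
    nothing the user typed is interpreted as markup, whatever encoding it used."""
    return html.escape(s, quote=True)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:22} detected={looks_like_script_tag(sample)!s:5} "
              f"naive_bypassed={naive_filter_bypassed(sample)!s:5} "
              f"rendered={render_safely(sample)!r}")
```

Running it shows the nested `<scr<script>ipt>` and the encoded variants passing straight through `naive_strip`, while `render_safely` produces harmless text for every input without needing to recognise any of them. That asymmetry, a small fixed output-encoding routine beating an ever-growing blacklist, is why contextual output encoding (and parameterized queries for SQL) rather than input signatures is the recommended fix for injection.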
Using Web Security Scanners to Detect Vulnerabilities in Web Services
Marco Vieira, Nuno Antunes, and Henrique Madeira
CISUC, Department of Informatics Engineering, University of Coimbra – Portugal
“The differences in the vulnerabilities detected and the high number of false-positives (35% and 40% in two cases) and low coverage (less than 20% for two of the scanners) observed highlight the limitations of web vulnerability scanners on detecting security vulnerabilities in web services.”
Differing results found by scanners:
Coverage is not consistent. Only 21 matching results found.
And so to Firewalls
WWW data is exploding: 2010 = 1.2 zettabytes; 2015 = 7.9 zettabytes; 2020 = 40 zettabytes?
1.2 million variants of malware per day
20%-30% of malware is caught by anti-virus
HP alone sifts through 2.5 billion security events per day
Perimeter / Network defences are failing
Web Application Firewalls, IDS, & IPS filter HTTP conversations by applying rules to block common attacks.
BUT They cannot read HTTPS messages.
They cannot identify zero-day (new or obfuscated) attacks.
They need significant effort to customize and maintain.
Methods of attack and defence change over time.
Who should be doing what?
• We can reverse the asymmetric economics
• Security experts are experts in security, not your system!
• We are the experts in our applications.
• We can build security into the whole SDLC.
• We need to understand the subject.
• Identify what can be done now, and what requires experts.
• We need to make everyone aware of application security.
I created Application Security Testing Procedures and Development Guidelines