Testing & Code Review Guides & Labrat (OWASP Live CD)
© Permission is granted to copy, distribute and/or modify this document
under the terms of the Creative Commons Attribution-ShareAlike 2.5
License. To view this license, visit
http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation
http://www.owasp.org/
Seattle, Oct 2006
Agenda
The OWASP Testing Guide
It's expensive
A: Probably not; end-to-end security assessments are getting larger and larger.
– Time is a finite resource in the business world. We can't spend a week on,
say, "session mgt".
IBM Labs: it is 100 times more expensive to fix security vulnerabilities after
an application/system has been deployed into production.
Integrated at the design phase, security is more effective and the total cost
of ownership (TCO) is lower, though development may take a little longer
(10%-15%).
Consumers are not aware of the issues or have no choice but to purchase.
Or it could be
Books go out of date: not just because technology changes, but because standards change!
The industry embraces technology before de facto standards have been defined and
agreed upon.
No one person can have all the answers, so the AppSec community can team
together and build a comprehensive guide to application penetration testing.
As technology evolves, so will the guide: another reason for using a wiki.
Categorised by vulnerability
Report writing:
- Covers how to tackle documenting the issues discovered.
Also covered:
Automated testing & tools, references to other material.
Restructure
Less theory about testing but…
More examples
More pragmatic
More practical
More of a “guide”
Stable release
- Why?
Process (people):
- Involve developers
- Business buy-in – paramount importance.
- Culture of secure development (very important)
- Information gathering – we need context.
Pitfalls (people):
- Information and context issues
- "Half-baked" code – context of code?
- Baselined code
- Not auditors, but a helpful resource – "help me help you"
OWASP AppSec Seattle 2006
OWASP Code Review Guide
Learn by example: code + framework examples:
How to locate vulnerable code:
(Anti)patterns to look out for.
- APIs relating to common security issues.
Java HTTPRequest, java.net.*, etc.
Transaction analysis
- Data flow analysis (from event to result)
- Follow the data
Example:
Introduction
How to locate the potentially vulnerable code (anti-pattern)
o Java
o .NET
Vulnerable patterns for error handling
Page_Error
Global.asax
Web.config
Try & catch (Java/.NET)
Releasing resources and good housekeeping
Potential solutions:
Centralised exception handling (Struts example)
Logging
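The two chapters outlined above (locating vulnerable code by the APIs it calls and following the data from event to result, and the vulnerable error-handling patterns) describe what a reviewer does by hand. As an added example that is not part of the original slides or of the OWASP Code Review Guide, the Python helper below does the same mechanically over a Java servlet constructed for the example: it greps for source and sink APIs, propagates taint through assignments within a method, and walks try/catch/finally chains looking for empty catch blocks, exception details written to output, and resources opened in a try with no finally to release them. The API lists, the finding names, the servlet itself and the placeholder names in it (Validator, DB_URL, AUDIT_FILE, process) are all assumptions made for the example.

```python
# Added example, not code from the OWASP Code Review Guide: a toy review helper that does
# what the guide asks of a human reviewer (locate dangerous APIs, follow request data to
# them, flag error-handling anti-patterns) over a servlet constructed for this example.
# Assumes K&R braces (catch/finally on the line closing the previous block), no braces in string literals.
import re

SOURCES = ("getParameter(", "getHeader(", "getQueryString(", "getCookies(")
SINKS = {"executeQuery(": "sql-injection", "executeUpdate(": "sql-injection",
         "println(": "unencoded-output", "exec(": "command-injection"}
VALIDATORS = ("validate(", "encode(", "escape(", "sanitize(")
RESOURCES = re.compile(r"\b(?:getConnection|new\s+File(?:In|Out)putStream)\s*\(")
METHOD = re.compile(r"^\s*(?:public|private|protected)\s+[\w<>\[\]]+\s+\w+\s*\(")
ASSIGN = re.compile(r"^\s*(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);")
CATCH = re.compile(r"catch\s*\([^)]*?\b(\w+)\)\s*\{")
WRITES = re.compile(r"\b(?:print|println|write|printStackTrace)\s*\(")

JAVA_SAMPLE = """\
public class AccountServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String user = request.getParameter("user");
        String safeUser = Validator.validate(user);
        try {
            Connection conn = DriverManager.getConnection(DB_URL);
            String query = "SELECT * FROM accounts WHERE owner = '" + user + "'";
            ResultSet rs = conn.createStatement().executeQuery(query);
            response.getWriter().println("Welcome " + safeUser);
        } catch (SQLException e) {
            response.getWriter().println("Database error: " + e.getMessage());
        }
    }
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        FileOutputStream log = null;
        try {
            log = new FileOutputStream(AUDIT_FILE, true);
            log.write(request.getParameter("id").getBytes());
        } catch (IOException e) {
        } finally {
            if (log != null) log.close();
        }
    }
}
"""

def block_end(lines, start):
    """Index of the line with the '}' that closes the first '{' on line `start`."""
    depth = 0
    for k in range(start, len(lines)):
        text = lines[k][lines[k].index("{"):] if k == start else lines[k]
        for ch in text:
            depth += (ch == "{") - (ch == "}")
            if ch == "}" and depth == 0:
                return k
    raise ValueError("unbalanced braces from line %d" % (start + 1))

def check_error_handling(lines, findings):
    for i, line in enumerate(lines):
        if not re.search(r"\btry\s*\{", line):
            continue
        end = j = block_end(lines, i)
        catch = CATCH.search(lines[j])
        while catch:  # walk the chain of catch blocks that follow this try
            var, cend = catch.group(1), block_end(lines, j)
            cbody = list(enumerate(lines[j + 1:cend], start=j + 2))
            if not any(l.strip() and not l.strip().startswith("//") for _, l in cbody):
                findings.append((j + 1, "empty-catch"))
            for n, l in cbody:  # exception text written anywhere but a logger
                if re.search(r"\b%s\b" % var, l) and WRITES.search(l):
                    findings.append((n, "exception-details-to-output"))
            catch = CATCH.search(lines[cend], catch.end() if cend == j else 0)
            j = cend
        if not re.search(r"\bfinally\s*\{", lines[j]):  # nothing guarantees release
            for n, l in enumerate(lines[i + 1:end], start=i + 2):
                if RESOURCES.search(l):
                    findings.append((n, "resource-without-finally"))
                    break

def check_data_flow(lines, findings):
    tainted = set()
    for n, line in enumerate(lines, start=1):
        if METHOD.search(line):
            tainted = set()  # intra-procedural only; parameters are not modelled
        for api, kind in SINKS.items():
            if api in line and any(re.search(r"\b%s\b" % v, line) for v in tainted):
                findings.append((n, kind))
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            dirty = any(s in rhs for s in SOURCES) or any(re.search(r"\b%s\b" % v, rhs) for v in tainted)
            if dirty and not any(v in rhs for v in VALIDATORS):
                tainted.add(var)  # taint propagates through assignment
            else:
                tainted.discard(var)  # a validated or clean value kills taint

def review(source):
    lines, findings = source.splitlines(), []
    check_data_flow(lines, findings)
    check_error_handling(lines, findings)
    return sorted(findings)  # (1-based line number, finding)
```

Calling review(JAVA_SAMPLE) reports four findings: the connection opened at line 6 with no finally, the concatenated query reaching executeQuery at line 8, the exception message echoed to the client at line 11, and the empty catch at line 19. The validated safeUser printed at line 9 and the file stream released in doPost's finally are correctly not reported. This is a grep with memory rather than a parser: it is intra-procedural, string based and assumes K&R brace style, which is exactly why the guide pairs such tooling with a human reading the data flow.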
We call it LabRat
Team:
And… me.
Based on Morphix/KDE
Infrastructure:
• Nmap
• hping2
• tcpdump
• Yersinia
• Metasploit Framework
• Nessus
Currently the OWASP Guides are some of the most frequented AppSec guides
on the net.
But…
(Thanks)