Directed and focused form of testing that attempts to force specific failures to occur
Focused especially on reliability
The Bug Hypothesis
Where do bugs come from?
Bugs arise from interactions between the software and its environment during operation
What is the software’s operating environment ?
The human user
The file system
The operating system
Other cohabitating and interoperating software
Where do bugs come from?
Bugs arise from the software’s capabilities
Accepting inputs
Producing outputs
Storing data
Performing computations
Feature or Bug
Is Software Security a Feature ?
Most people consider software security a necessary feature of a product
Is Security Vulnerability a Bug ?
If the software “failed” and allowed a hacker to see personal info, most users would consider that a software bug
Vulnerability Categories
Vulnerabilities typically fall into two categories
Bugs at the implementation level
Bugs tend to be easier for attackers to exploit
Flaws at the design level
The hardest defect category to handle
Also the most prevalent and critical
Reasons for Failures
In the real world, software failures usually happen spontaneously
Without intentional mischief
Failures can also be the result of malicious attacks
For the Challenge/Prestige
Curiosity driven
Aiming to use resources
Vandalizing
Stealing
Security Testing in the Software Development Life Cycle
Software security testing includes:
Creating security abuse/misuse cases
Listing normative security requirements
Performing architectural risk analysis
Building risk-based security test plans
Wielding static analysis tools
Performing security tests
Performing penetration testing in the final environment
Cleaning up after security breaches
Secure Software Characteristics
Confidentiality
Disclosure of information to only intended parties
Integrity
Determine whether the information is correct or not
Data Security
Privacy
Data Protection
Controlled Access
Authentication
Access to Authorized People
Availability
Ready for Use when expected
Non Repudiation
Information Exchange with proof
Is Your Application “Secure”?
Ever have anyone ask you this? There’s an easy answer: NO
There are no “Secure” apps
But there are apps that are secure enough
How to achieve enough security?
What Does “Secure Enough” Mean to You?
Nobody has an infinite security budget
Many folks would be happy if they had any budget
Be practical!
Get the most bang for your buck
What is Threat Modeling?
Threat modeling
A process for evaluating a software system for security issues
Can be considered a variation of formal reviews
The review team looks for areas of the product’s feature set that are susceptible to security vulnerabilities
Threat Modeling Concepts
Threat modeling helps you find what is “secure enough”
Security guidance put together by well-known experts
Threat Modeling Steps
Threat modeling follows a few steps:
Assemble the threat modeling team
Identify the assets
Create an architecture overview
Decompose the application
Identify the threats
Document the threats
Rank the threats
Threat Ranking
Threats are not equally important
A way to rank the threats is the DREAD formula – using these criteria:
Damage potential
Reproducibility
Exploitability
Affected Users
Discoverability
Famous security breaches
Ashley Madison data breach
Facebook bug that could have allowed for any photo on the site to be deleted
The 8 characters that crash Skype
The Heartbleed Bug
Security Organizations
SANS (System Administration, Networking, and Security) Institute
Established in 1989 as a cooperative research and education organization
Enables more than 165,000 security professionals, auditors, system administrators, and network administrators to share the lessons they are learning and find solutions to the challenges they face
Established in 2001 as a worldwide not-for-profit charitable organization focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
Improper restriction of excessive authentication attempts
SQL Injection
What is SQL injection?
A code injection technique
Malicious code is inserted into strings
Later passed to an instance of SQL Server for parsing and execution
SQL Injection Example
Original SQL Query: String sqlQuery = "SELECT * FROM user WHERE name = '" + username + "' AND pass='" + password + "'"
Setting username to John and password to ' OR '1'='1 produces the query: SELECT * FROM user WHERE name = 'John' AND pass='' OR '1'='1'
The result:
If a user John exists, he is logged in without a password, because the OR '1'='1' clause makes the WHERE condition true for every row
Preventing SQL Injection
Use Prepared Statements
Validate all of the user information
Remove special characters from the user input
Never show SQL error messages to the user
Use different field names for user interface and database
Disable all unused features of the database
Limit user permissions for the database
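The concatenated query from the example above next to the prepared-statement fix, as an added example in Python against an in-memory SQLite table (not code from the original slides); the table contents, the user row and the helper names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the slide's `user` table, with one row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (name TEXT, pass TEXT)")
    db.execute("INSERT INTO user VALUES ('John', 's3cret')")
    return db


def login_concat(db, username, password):
    """The slide's vulnerable pattern: user input spliced into the SQL text.
    Quotes inside the input change the structure of the statement."""
    sql = ("SELECT * FROM user WHERE name = '" + username
           + "' AND pass='" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_prepared(db, username, password):
    """Prepared statement: the SQL text is fixed and the driver binds the
    values separately, so a quote in the input is just data."""
    sql = "SELECT * FROM user WHERE name = ? AND pass = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Run both logins with the password value from the slide."""
    db = make_db()
    payload = "' OR '1'='1"
    return {
        "concat_wrong_password": login_concat(db, "John", "wrong"),
        "concat_injected": login_concat(db, "John", payload),
        "prepared_injected": login_prepared(db, "John", payload),
        "prepared_correct": login_prepared(db, "John", "s3cret"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case}: {'logged in' if logged_in else 'rejected'}")
```

Only the concatenated version lets the injected password through; the prepared statement compares the literal string and rejects it.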
OS Command Injection
An OS command injection attack occurs when an attacker attempts to execute system-level commands through a vulnerable application.
The application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it as any authorized system user
However, commands are executed with the same privileges and environment as the application has
XSS – Cross-site Scripting
What is XSS?
Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user’s browser.
Why is XSS dangerous?
Stealing other users’ cookies
Keylogging
Phishing
Stealing their private information
Performing actions on behalf of other users
Redirecting to other websites
Showing ads in hidden IFRAMES and pop-ups
Types of XSS
Persistent XSS
The malicious string originates from the website’s database.
Reflected XSS
The malicious string originates from the victim’s request.
DOM-based XSS
The vulnerability is in the client-side code rather than the server-side code.
Preventing XSS
Validate all input data from the user
Never show data entered by the user without cleaning it of JavaScript and HTML
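The two prevention rules above in code, as an added Python example (not code from the original slides): an allowlist validator for a username field and HTML output encoding for stored comments, contrasted with echoing them unchanged. The comment strings and helper names are constructed for illustration.

```python
import html
import re

# Constructed stored comments standing in for the persistent-XSS case:
# the second and third are the kind of strings an attacker would leave
# in the site's database for other users' browsers to render.
COMMENTS = [
    "Great article!",
    '<script>alert("xss")</script>',
    'click "here" <img src=x onerror=alert(1)>',
]

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(name):
    """Input validation: accept only an allowlisted character set."""
    return USERNAME_RE.fullmatch(name) is not None


def render_unsafe(comment):
    """What the slide warns against: user data echoed straight into the page."""
    return "<li>" + comment + "</li>"


def render_safe(comment):
    """Output encoding: <, >, &, double and single quotes become entities,
    so the browser displays the text instead of parsing it as markup."""
    return "<li>" + html.escape(comment, quote=True) + "</li>"


def render_page(comments, renderer):
    return "<ul>" + "".join(renderer(c) for c in comments) + "</ul>"


def contains_markup(page_html):
    """Check used in the demo: did any stored comment survive as a tag?"""
    lowered = page_html.lower()
    return "<script" in lowered or "<img" in lowered


if __name__ == "__main__":
    print(render_page(COMMENTS, render_unsafe))
    print(render_page(COMMENTS, render_safe))
```

html.escape is correct for text and quoted attribute contexts; data placed inside a script block, a URL or a CSS value needs encoding specific to that context.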
Acunetix Vulnerability Scanner
Acunetix WVS (www.acunetix.com) checks your web applications for XSS, SQL Injection and other vulnerabilities
A free demo version with limited functionality is available (no details, reports or saved results)
Buffer Overflow
What is buffer overflow?
An anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory
Also called buffer overrun
Buffer Overflow - The Usual Victims
Buffer overflow is commonly associated with C and C++
These languages provide no built-in protection against accessing or overwriting data outside a buffer’s bounds
Secret cookies and accepting only POST requests do not help
Error Messages
Error messages can reveal important information about your site
Error messages like that should not be allowed:
IP Spoofing
What is IP address spoofing?
Creation of Internet Protocol (IP) packets with a forged source IP address
What is the purpose?
Concealing the identity of the sender
Impersonating another computing system
Session Hijacking
What is session hijacking?
Getting access to the session state of a particular user
The attacker steals a valid session ID, which is then used to get into the system and retrieve the data
Spoofing vs. Hijacking
Spoofing
An attacker does not actively take another user offline to perform the attack
He mainly pretends to be another user or machine to gain access
Hijacking
An attacker takes over an existing session
He relies on the legitimate user to make a connection and authenticate
Subsequently, the attacker takes over the session
Session Hijacking Methods
Session fixation
Setting a user’s session id to a predefined one
Session sidejacking
Using packet sniffing to read network traffic between two parties and steal the session cookie
Cross-site scripting
Obtain a copy of the cookie
Protecting Against Session Hijacking
Use encryption
Use a secure protocol
Limit incoming connections
Minimize remote access
Educate the employees
Social Engineering
What is social engineering?
The act of manipulating people into performing actions or revealing confidential information
Instead of breaking in or using technical hacking techniques
Essentially – a fancier, more technical way of lying
Popular Social Engineering Methods
“Dumpster Diving”
“Shoulder Surfing”
Malicious E-mail Attachments
Deception and Manipulation
“Phishing”
“Pharming”
Reverse Social Engineering
PBX Disguise
Phishing
Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication
Pharming
Pharming is a hacker’s attack aiming to redirect a website’s traffic to another, bogus website.
“Dumpster Diving”
“Dumpster Diving”, a.k.a. trashing or skipping, is the practice of sifting through commercial or residential trash to find items that have been discarded by their owners, but which may be useful to the dumpster diver
Deception and Manipulation
Real story: Japan Earthquake scammers were spreading malicious links to “dramatic” videos of the disaster. So, you ended up clicking on a link that actually downloaded malware onto your PC or took you to a phishing site that asked for personal information
“Shoulder Surfing”
These are direct observation techniques, such as looking over someone’s shoulder, to get information. Shoulder surfing is particularly effective in crowded places because it is relatively easy to observe someone as they:
fill out a form
enter their PIN
enter their password
tell sensitive information over the phone
PBX Disguise
Public Business Exchange – attacker manipulates company ID system to impersonate someone of authority
“Hello? Who is this? Tech support? Oh, I’m sorry. I’m trying to reach Terry Simpson at extension 24667. Can you transfer me, please? I’m in a hurry.” … “Hi Terry, this is Jim from Tech Support. You can verify my identity from the caller-ID. Yes, I need to reset your password…”
Reverse Social Engineering
A final, more advanced method of gaining illicit information is known as “reverse social engineering”. This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around
Includes three phases: sabotage, advertising, assisting