
814e11389ac1ac13ea50a59980de7c99.ppt

  • Number of slides: 43

® IBM Software Group
Get Ready for Web Application Security Testing
Alan Kan, Technical Manager, IBM Rational Software
[email protected]
© 2010 IBM Corporation

IBM Software Group | Rational software

Run Down
§ The Security Landscape
§ What does it mean for Testing Professionals
§ A Few Top Attacks and How to Test for Them
§ What You Can Do to Prepare for Security Testing


The Web Ecosystem (Simplified)


[Slide: collage of 2007-2008 news headlines on website breaches, defacements, data theft and XSS fraud; sources cited on the slide include CNet, The Register, Netcraft, AP, Wikipedia and Washington Post]

What about in this part of the world?

"JB Hi-Fi's websites in Australia and New Zealand were redirecting customers to malicious web pages over the weekend in a cyber attack" (stuff.co.nz, 01/12/2009)

"Turkish defacers broke into the New Zealand based registrar Domainz.net ... Companies which had their New Zealand web sites defaced include Microsoft, HSBC, Coca-Cola, F-secure, Bitdefender, Sony and Xerox" (zone-h.org/news/id/4708, 21/04/2009)

"Security Intelligence Service director Warren Tucker revealed government department websites had been attacked and information stolen" (nzherald.co.nz, 12/09/2007)

"A florist which does all of its business online has had its website targeted by hackers and customers' credit card details have been stolen" (abc.net.au, 16/9/2007)

"Computer hackers have cracked the defences of dozens of top government and business sector internet sites this year, raising concerns about the safety of consumers' financial and personal information" (SMH.com.au, 14/10/2007)


Web Application Security is Neglected

Security Spending:
                    % of Attacks   % of Dollars
  Web Applications       75%           10%
  Network / Server       25%           90%

75% of all attacks on Information Security are directed to the Web Application Layer.
2/3 of all Web Applications are vulnerable.


Secure Applications – Who is Responsible?
§ System Administrator?
§ Network Administrator?
§ Security Professional?
§ Solution Architect?
§ Developers?
§ Testing Professional?

The Trend – Incorporate Security into Testing

SDLC: Coding (Developers) > Build > QA > Security > Production

§ Incorporate Security as part of Testing
§ Ensure vulnerabilities are addressed before applications are put into production

Security Testing Steps are not that different from usual
§ Identify possible vulnerability
§ Prove vulnerability
§ Assess risk, scope, depth, severity and impact
§ Create repeatable tests
§ Test mitigation and fixes


OWASP and the OWASP Top 10 list
§ Open Web Application Security Project – an open organization dedicated to fighting insecure software
§ "The OWASP Top Ten document represents a broad consensus about what the most critical web application security flaws are"


1 - Injection Flaws
§ What is it?
  - User-supplied data is sent to an interpreter as part of a command, query or data.
§ What are the implications?
  - SQL Injection – Access/modify data in DB
  - SSI Injection – Execute commands on server and access sensitive data
  - LDAP Injection – Bypass authentication
  - ...

SQL Injection
§ User input inserted into SQL Command:
  - Get product details by id: Select * from products where id='$REQUEST["id"]';
  - Hack: send param id with value ' or '1'='1
  - Resulting executed SQL: Select * from products where id='' or '1'='1'
  - All products returned

SQL Injection Example I

SQL Injection Example II

SQL Injection Example - Exploit

SQL Injection Example - Outcome
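The product lookup from the SQL Injection slide, written out as an added example (not code from the presentation) so a tester can see the two halves of the "prove vulnerability, then create a repeatable test" cycle: the string-concatenated query returns every row when it receives the slide's `' or '1'='1` value, the parameterized query treats the same value as an ordinary (non-matching) id, and a small reusable check tells the two apart. The table, its rows and the function names are constructed for the example; SQLite stands in for the real database.

```python
import sqlite3

# Constructed sample data for the example (not from the slides).
SAMPLE_PRODUCTS = [
    ("1", "Widget", 9.99),
    ("2", "Gadget", 19.99),
    ("3", "Gizmo", 29.99),
]

# The probe value from the slide: id=' or '1'='1
PAYLOAD = "' or '1'='1"


def make_db():
    """In-memory SQLite database holding the sample products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def get_product_vulnerable(conn, product_id):
    """Mirrors the slide: the request parameter is pasted into the SQL text.

    With PAYLOAD the executed statement becomes
    SELECT * FROM products WHERE id='' or '1'='1', which matches every row.
    """
    sql = "SELECT * FROM products WHERE id='%s'" % product_id
    return conn.execute(sql).fetchall()


def get_product_safe(conn, product_id):
    """Parameterized query: the value is bound separately and never parsed as SQL,
    so PAYLOAD is simply compared against the id column and matches nothing."""
    return conn.execute("SELECT * FROM products WHERE id=?", (product_id,)).fetchall()


def injection_detected(fetch, conn):
    """Repeatable test for this endpoint: the probe must not return more rows
    than an id that does not exist. True means the lookup is injectable."""
    baseline = len(fetch(conn, "no-such-id"))
    probed = len(fetch(conn, PAYLOAD))
    return probed > baseline


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=2:", get_product_vulnerable(db, "2"))
    print("vulnerable, payload:", get_product_vulnerable(db, PAYLOAD))
    print("safe, payload:", get_product_safe(db, PAYLOAD))
    print("vulnerable injectable?", injection_detected(get_product_vulnerable, db))
    print("safe injectable?", injection_detected(get_product_safe, db))
```

`injection_detected` is the part worth keeping in a regression suite: it encodes the slide's "all products returned" symptom as a pass/fail assertion that can be re-run against each build after the fix is applied.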

Injection Flaws (SSI Injection Example)
Creating commands from input

The return is the private SSL key of the server

2. Cross-Site Scripting (XSS)
§ What is it?
  - Malicious script echoed back into HTML returned from a trusted site, and runs under trusted context
§ What are the implications?
  - Session Tokens stolen (browser security circumvented)
  - Complete page content compromised
  - Future pages in browser compromised

Cross Site Scripting – The Exploit Process (Evil.org, User, bank.com)
1) Link to bank.com sent to user via E-mail or HTTP
2) User sends script embedded as data
3) Script/data returned, executed by browser
4) Script sends user's cookie and session information without the user's consent or knowledge
5) Evil.org uses stolen session information to impersonate user

XSS Example I
HTML code:

XSS Example II
HTML code:

4 - Insecure Direct Object Reference
§ What is it?
  - Part or all of a resource (file, table, etc.) name controlled by user input.
§ What are the implications?
  - Access to sensitive resources
  - Information Leakage, aids future hacks

Insecure Direct Object Reference - Example

Insecure Direct Object Reference – Example Cont.

Insecure Direct Object Reference – Example Cont.
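Two forms of the Insecure Direct Object Reference slide, as an added example that is not the presentation's own code: a record lookup where the identifier comes straight from the request with no ownership check, its fixed counterpart, and a containment check for the "file name controlled by user input" case. A repeatable test function covers the record case in the same "prove, then re-test" style as the earlier steps. The document store, the user names, the base directory and all function names are constructed for this example.

```python
import os

# Constructed sample store: which user owns which document (not from the slides).
DOCUMENTS = {
    "inv-1001": {"owner": "alice", "body": "Alice's invoice"},
    "inv-1002": {"owner": "bob", "body": "Bob's invoice"},
}


def fetch_document_vulnerable(user, doc_id):
    """The request's doc_id selects the record directly; the logged-in user is ignored,
    so any user who guesses or increments an id reads someone else's record."""
    doc = DOCUMENTS.get(doc_id)
    return None if doc is None else doc["body"]


def fetch_document_safe(user, doc_id):
    """Same lookup, but the record is only returned if the requesting user owns it.
    (The check belongs server-side; hiding the id in the UI is not a substitute.)"""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != user:
        return None
    return doc["body"]


def idor_detected(fetch):
    """Repeatable test: can alice read bob's document by supplying bob's id?"""
    return fetch("alice", "inv-1002") is not None


# File variant: a user-supplied name must resolve to a path inside the base directory.
BASE_DIR = "/srv/app/files"  # constructed path for the example


def is_within_base(requested_name, base=BASE_DIR):
    """True only if base/requested_name, after '..' and symlink resolution,
    still lies under base. Used before opening a file named by the client."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, requested_name))
    return os.path.commonpath([base_real, target]) == base_real


if __name__ == "__main__":
    print("vulnerable lookup leaks:", idor_detected(fetch_document_vulnerable))
    print("safe lookup leaks:", idor_detected(fetch_document_safe))
    for name in ("report.pdf", "../../etc/passwd", "/etc/passwd"):
        print(repr(name), "allowed:", is_within_base(name))
```

`is_within_base` rejects both traversal with `..` and absolute names (`os.path.join` discards the base when the second argument is absolute, which is exactly why the resolved path has to be re-checked rather than trusted).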


Get Educated on the Topic
§ Beware of legal issues
§ Create a Sandpit environment
§ Know the latest trends – IBM X-Force Threat Reports http://www-935.ibm.com/services/nz/iss/xforce/trendreports/
§ Study past and current exploits – US Computer Emergency Readiness Team http://www.kb.cert.org/vuls
§ Learn how to test for the vulnerabilities – OWASP Testing Guide http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents
§ Learn the syntax of operating systems, databases, programming code
§ Experiment with Tools – WebScarab http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
§ Experiment with Tools – IBM Rational AppScan http://www-01.ibm.com/software/rational/offerings/websecurity/webappsecurity.html

How Does an Automated Tool Work?

Get Tools – which ones?
§ Automated vs Manual
  - Do it a lot quicker in a shorter timeframe
  - Regression tests
  - Recommendations
§ Security-specific vs general automated testing tool
  - Time it takes to become a security expert
  - Time it takes to learn coding
  - Time it takes to create report templates
  - Fix recommendations
  - Hard to reach places – Malware, Flash
  - Still needs a human being to validate results
§ Commercial vs Free tools
  - It costs
  - Regular updates
  - Usability, Quality

Tools
§ Manual Testing
  - OWASP WebScarab: http://www.owasp.org/index.php/Category:OWASP_Project
  - Firebug: http://getfirebug.com
§ Automated Testing
  - IBM Rational AppScan: http://www-01.ibm.com/software/rational/offerings/websecurity/webappsecurity.html

© Copyright IBM Corporation 2010. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, the on-demand business logo, Rational, the Rational logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

IBM Rational AppScan
§ The undisputed market leader
  - Ranked #1 in Market Share by IDC
  - #1 in numerous industry "bake offs"
§ Automatically scans web applications for vulnerabilities
  - SQL Injection
  - Cross-site Scripting
§ Provides clear recommendations on how to fix them
  - i.e. Character sanitization
The Result? Improved security, lower costs, and the ability to meet PCI standards for application security