Software Security Testing is Important, Different and Difficult
Review by Rayna Burgess, 4/21/2011
COMP 587 SW V&V, Dr. Lingard | Security Testing Review

Slide 1: Overview
  - The Paper
  - Selection
  - Security Testing is Important (Relevant)
  - Security Testing is Different from Functional Testing
  - Security Testing is Difficult
  - Security Engineers' Tasks
  - Analyzing Security Risks
  - Types of Security Testing
  - Case Study: Java Card
  - Conclusion

Slide 2: The Paper: Software Security Testing
  - Gary McGraw, PhD, CTO of Cigital, Inc.
  - Series of articles in IEEE Security & Privacy

Slide 3: Security Testing is Important

Slide 4: Security Testing is Different
  - Malicious attacker
  - Intelligent adversary
  - Vulnerabilities exploited

Slide 5: Aaah! So many vulnerability lists!

Slide 6: McGraw's Vulnerability Taxonomy

Slide 7: Vulnerability Name Dropping
  - gets() (buffer overflow problem, Morris Worm)
  - Race condition (time of check to time of use)
  - Insecure failure
  - Transitive trust
  - Trampoline
  - Zero-day exploits

Slide 8: SQL Injection Vulnerability

Slide 9: Where are we? (overview agenda repeated)

Slide 10: SW Security Engineers' Tasks

Slide 11: Analyzing Security Risks
  - Think like an attacker
  - A vulnerability in the weakest link can expose the system
  - Requires expertise
  - Can practice/learn on: WebGoat, DVWA, Hacme Bank

Slide 12: Types of Security Testing
  - Functional security testing
  - Risk-based security testing (hostile attacks)
  - Black box / white box
  - Static / dynamic

Slide 13: Static Security Analysis
  - Risk analysis of design and architecture
  - Static security analysis tools
      - Source code or byte code
      - Good at finding patterns
      - Numerous false positives

Slide 14: Penetration Testing
  - Performed on a running system
  - Can be used on COTS software too
  - Penetration testing tools
      - Network and OS vulnerability scanners: Nmap, Nessus, Aircrack
      - Automated penetration testing tools: Metasploit, CoreImpact, Canvas
      - Other useful tools: fuzzing, WebScarab
  - Quality of pen testing depends on the human!

Slide 15: Case Study: Java Card
  - Operating system for smart cards
  - GlobalPlatform (Java Card, MULTOS)
  - Used on bank cards (also SIMs, ID cards, medical)
  - Two types of testing
      - Functional security design tests
      - Risk-based attack tests

Slide 16: Functional Security Testing
  - Tests security functionality: crypto, commands
  - Compliance testing (GALITT 3/2011)
  - All cards passed!

Slide 17: Risk-Based Security Testing (Attacks)
  - Hostile attacks, based on risk assessment
  - All cards failed some part of this testing!
  - Analysis of the Java Card design: identify atomic transaction processing as the area of interest
  - Consequence is printing money (very high risk)
  - Put on the black hat, don't follow the rules: abort, fail to commit, fill buffers, nest transactions
  - Exposes vulnerabilities before the cards are issued to the public

Slide 18: Almost done! (overview agenda repeated)
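The risk-based tests on the Java Card slide above, as an added Python illustration (not code from the paper, the reviewed cards or the Java Card runtime): a constructed purse model with a Java Card style commit buffer, checked under each hostile test for whether the committed balance survives an abort or a card tear and whether nesting a transaction or overfilling the buffer is rejected rather than silently accepted. The purse, the buffer capacity of 4 and the test names are assumptions.

```python
# Constructed model of Java Card style atomic transactions (not the real
# runtime), exercised by the four hostile tests from the case study slide:
# abort, fail to commit (card tear), fill the commit buffer, nest transactions.
COMMIT_CAPACITY = 4  # assumed limit on pending persistent updates

class TransactionError(Exception): pass

class PurseModel:
    def __init__(self, balance):
        self.persistent = {"balance": balance}  # committed (EEPROM-like) state
        self.pending = None  # commit buffer while a transaction is open

    def begin(self):
        if self.pending is not None:  # Java Card rejects nested transactions
            raise TransactionError("transaction already in progress")
        self.pending = {}

    def update(self, field, value):
        if self.pending is None:
            raise TransactionError("no transaction in progress")
        if field not in self.pending and len(self.pending) >= COMMIT_CAPACITY:
            raise TransactionError("commit buffer full")
        self.pending[field] = value

    def commit(self):
        self.persistent.update(self.pending or {})  # all updates land together
        self.pending = None

    def abort(self):
        self.pending = None  # discard every pending update

def raises(fn):
    try:
        fn()
    except TransactionError:
        return True
    return False

def run_risk_based_tests():
    a = PurseModel(100); a.begin(); a.update("balance", 0); a.abort()
    t = PurseModel(100); t.begin(); t.update("balance", 60); t.abort()  # card tear before commit, modelled as an abort
    n, f = PurseModel(100), PurseModel(100); n.begin(); f.begin()
    return {  # True means the atomicity property held under that hostile test
        "abort_rolls_back": a.persistent["balance"] == 100,
        "fail_to_commit_keeps_old_state": t.persistent["balance"] == 100,
        "nested_rejected": raises(n.begin),
        "buffer_full_detected": raises(
            lambda: [f.update(f"f{i}", i) for i in range(COMMIT_CAPACITY + 1)]),
    }
```

A real card that returned False for any of these would be the "printing money" failure the slide warns about, since a partial balance update would have become persistent.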

Slide 19: Conclusion: SW Security Testing is Important, Different and Difficult
  - Important
      - More software, more new attacks
      - More functionality, more vulnerabilities
      - Software is everywhere and connected!
  - Different
      - Presence of a malicious, intelligent attacker
      - Software test engineers have different skills
  - Difficult
      - Exploits are subtle
      - Automated static & dynamic tools are insufficient
      - Need a human!

Slide 20: "So now, when we face a choice between adding features and resolving security issues, we need to choose security." - Bill Gates
