
Hybrid approach to security testing

As part of their defensive efforts, businesses commonly commission cybersecurity assessments of their web applications, with the aim of identifying weaknesses in the security controls and maintaining a strong security posture for their systems.
The classical approaches, secure code review (white box) and penetration testing (black box), have each proven effective in securing web applications. The trend, however, is towards combining the two; practitioners increasingly recognize the advantages of a hybrid approach. Applied properly, a hybrid approach builds on the strengths of both white and black box testing while compensating for their individual shortcomings.
In this presentation, we examine the details of secure code review and penetration testing, and run demos to contrast their respective strengths and weaknesses. We also examine why a hybrid approach produces more complete and relevant assessment results. To conclude, we cover proven approaches and practical techniques for leveraging a hybrid approach to web application assessments today.
Anne Gauthier is an application security analyst at GoSecure. Anne is also the president of the OWASP Montreal Chapter (Open Web Application Security Project). With a penetration testing background, she specializes in secure code reviews and in helping companies improve their software development lifecycle (SDLC) according to industry best practices. Anne is CSSLP, GWAPT and GSSP-JAVA certified. She obtained a Software Engineering bachelor’s degree from École de Technologie Supérieure in Montréal and is now pursuing a Master of Engineering (MEng) degree in Information Systems Security at Concordia University. She is the author of the Project 201 Security blog.
Thanks to our valued sponsors!

OWASP Montréal

July 11, 2017

Transcript

  1. Security Testing: Unlocking the Benefits of a Hybrid Approach (2017-05-24)
    Anne Gauthier
    • Application Security Analyst @ GoSecure
    • Secure code reviews
    • Secure Software Development Lifecycle (SDLC)
    • Penetration testing background
    • Software Engineer from École de Technologie Supérieure
    • Pursuing a Master of Engineering in Information Systems Security at Concordia
    • OWASP Montreal Chapter Leader
    • Author of the Project201Security Blog
    • Started my career as a developer
    • Photographer, Seamstress, Globetrotter and Passionate about Art

  2. Let’s Talk About Application Security
    Hybrid Security Testing is:
    Penetration Testing (black box; dynamic = running application)
    + Code Review (white box; static = source code)
    = Hybrid Testing, the best of both worlds
    Let’s Talk About Application Security
    Question #1: When is it time to perform security testing during the software development lifecycle (SDLC)?
    Question #2: HOW?

  3. Current Security Testing Model in Software Companies
    [Figure: the phases Requirements, Design, Implementation, Verification, Release (excerpt of the Microsoft SDL, Security Development Lifecycle, https://www.microsoft.com/en-us/sdl/), with security testing placed only at the end; only testing here is too late]
    IDEAL Security Testing Model for Software Companies
    [Figure: the same SDL phases, with Hybrid Security Testing present across them]

  4. IDEAL Security Testing Model for Software Companies
    [Figure: the same SDL phases; security is present at each phase]
    Consider your Application in a Malicious Way
    ... demo

  5. Secure Code Review
    « All software projects are guaranteed to have one artifact in common, source code. Because of this guarantee, it makes sense to center a software assurance activity around code itself. »
    - Gary McGraw, CTO of Cigital (software quality management firm), author of
    • Software Security (Addison-Wesley, 2006)
    • Exploiting Software (Addison-Wesley, 2004)
    • Building Secure Software (Addison-Wesley, 2001)
    • and much more
    Secure Code Review
    Demo: Static Code Analysis Tool

  6. IDEAL Security Testing Model for Software Companies
    [Figure: the same SDL phases, with Secure Code Review placed at Implementation]
    Secure Code Review
    • Use of a static code analysis tool during the implementation phase
    • Multiple free tools are available, depending on the language
    • Provides rapid feedback to developers
    • Helps find security flaws earlier during development
    • An automated tool only identifies the patterns it has been programmed to search for
    • No software can replace a human brain
    • Requires security skills
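The last three bullets are easiest to see with a concrete rule in hand. What follows is an added example written for this page, not Find Security Bugs or any tool from the talk: one hand-written, line-based rule in Python that flags JDBC execute calls whose argument is built by string concatenation, run over four constructed Java snippets (the class, method and table names are invented). It reports the injectable query, stays quiet on the PreparedStatement version, flags a concatenation of a compile-time constant that a reviewer with security skills has to triage as a false positive, and misses the same injection when the query is assembled in a variable on an earlier line, which is exactly the gap a human reviewer has to close.

```python
"""Pattern-based static analysis rule for SQL built by concatenation (added example).

Not Find Security Bugs or any tool from the talk: one hand-written, line-based
rule applied to constructed Java snippets, to show what such a rule catches and
what it does not.
"""
import re

# Constructed sample: user input concatenated straight into the query.
VULNERABLE = """\
public User find(String name) throws SQLException {
    Statement st = conn.createStatement();
    ResultSet rs = st.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
    return map(rs);
}
"""

# Constructed sample: bound parameter, the correct fix; the rule must stay quiet.
SAFE = """\
public User find(String name) throws SQLException {
    PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");
    ps.setString(1, name);
    return map(ps.executeQuery());
}
"""

# Constructed sample: only a compile-time constant is concatenated. The rule
# flags it, and a reviewer with security skills has to mark it a false positive.
CONSTANT_ONLY = """\
private static final String TABLE = "users";
public int count() throws SQLException {
    Statement st = conn.createStatement();
    ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM " + TABLE);
    return rs.next() ? rs.getInt(1) : 0;
}
"""

# Constructed sample: same injection as VULNERABLE, but the concatenation
# happens on an earlier line, so a rule that looks at one line never sees it.
MISSED = """\
public User find(String name) throws SQLException {
    String sql = "SELECT * FROM users WHERE name = '" + name + "'";
    Statement st = conn.createStatement();
    return map(st.executeQuery(sql));
}
"""

# The rule: a JDBC execute method whose argument text contains both a string
# literal and a '+' operator.
EXEC_CALL = re.compile(r"\b(executeQuery|executeUpdate|execute)\s*\((?P<arg>[^;]*)\)")


def find_sql_concat(source: str):
    """Return (line_number, line) for every line the rule matches."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = EXEC_CALL.search(line)
        if m and '"' in m.group("arg") and "+" in m.group("arg"):
            findings.append((lineno, line.strip()))
    return findings


def scan(samples: dict):
    """Run the rule over named samples; returns {name: [flagged line numbers]}."""
    return {name: [ln for ln, _ in find_sql_concat(src)] for name, src in samples.items()}


if __name__ == "__main__":
    report = scan({"vulnerable": VULNERABLE, "safe": SAFE,
                   "constant_only": CONSTANT_ONLY, "missed": MISSED})
    for name, lines in report.items():
        print(f"{name:14s} -> flagged lines {lines or 'none'}")
```

Real tools track data flow across lines and methods, so they catch the MISSED case more often than this rule does, but the two lessons hold: a finding is a pattern match that a person still has to confirm, and a clean report only means none of the programmed patterns fired.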

  7. Penetration Testing
    « If you fail a penetration test you know you have a very bad problem indeed. If you pass a penetration test you do not know that you don’t have a very bad problem. »
    - Gary McGraw, CTO of Cigital
    Penetration Testing
    Demo

  8. Penetration Testing
    • Can be done internally using a dynamic security testing tool
    • Can be performed by an external security team
    • Multiple free tools are available
    • Realistic simulations of attack scenarios
    • Requires exploitation skills
    • External testers do not know the inner workings of the application
    • The application must be running
    • Scope of the test is key
    • It costs a lot to fix a security flaw at this point
    IDEAL Security Testing Model for Software Companies
    [Figure: the same SDL phases, with Penetration Testing placed once the application is running]

  9. Assessing the Security Posture of an App: A Methodology Using a Hybrid Approach
    [Diagram: Mandate from a client with an application; Secure Code Review and Penetration Testing run side by side and SHARE INFORMATION; both feed the Report]
    Assessing the Security Posture of an App: A Methodology Using a Hybrid Approach
    Secure Code Review, the Review Process: Interview with the client; Attack Surface; Automated Tool(s); Manual Review

  10. Assessing the Security Posture of an App: A Methodology Using a Hybrid Approach
    Demo: Attack Vectors Finder Tool
    [Diagram: Information Gathering; Manual Review Findings]
    Hybrid Security Testing
    • Security testing starts earlier during the SDLC
    • Provides more complete coverage of the security posture of an app
    • Security is the responsibility of every stakeholder, not just the security team
    • Requires team work
    • Requires specialized tools
    • Requires security skills
    • The integrated security activities will need to be documented and communicated
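To show the penetration testing side (the slide above on black box testing) and the information-sharing step of the hybrid methodology in one place, here is an added example written for this page; it is not the Attack Vectors Finder tool or any code from the talk. The target is a constructed, deliberately vulnerable WSGI application called in-process rather than over the network, and the "source" it is reviewed against is a constructed Java servlet snippet standing in for that same application; every path, parameter and class name is invented. A pure black-box probe only tests the parameter the page's form exposes and reports nothing, because that parameter is encoded on output. Pulling the attack surface from the code adds the undocumented `debug` parameter the servlet also reads, and probing it finds the unencoded reflection (reflected XSS). That is the code review feeding the penetration test, as the methodology above describes.

```python
"""Hybrid testing: attack surface from the source, probes against the running app.

Added example, not the Attack Vectors Finder tool from the talk. Both the Java
servlet snippet and the WSGI target are constructed and deliberately simplified;
all paths and parameter names are invented.
"""
import html
import re
from urllib.parse import parse_qs, urlencode

# --- White-box input: constructed Java servlet source (not from the deck) -------
JAVA_SERVLETS = """\
@WebServlet("/search")
public class SearchServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        String q = request.getParameter("q");
        String debug = request.getParameter("debug");   // read by the code, in no form
        // ... render results ...
    }
}
@WebServlet("/account")
public class AccountServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response) {
        String id = request.getParameter("id");
        // ...
    }
}
"""

ROUTE = re.compile(r'@WebServlet\("(?P<path>[^"]+)"\)')
PARAM = re.compile(r'getParameter\("(?P<name>[^"]+)"\)')


def attack_surface(java_source: str) -> dict:
    """Map each servlet path to the request parameters its code reads."""
    surface, current = {}, None
    for line in java_source.splitlines():
        route = ROUTE.search(line)
        if route:
            current = route.group("path")
            surface.setdefault(current, [])
            continue
        for p in PARAM.finditer(line):
            if current is not None and p.group("name") not in surface[current]:
                surface[current].append(p.group("name"))
    return surface


# --- Black-box side: constructed target app, run in-process --------------------
def target_app(environ, start_response):
    """Deliberately vulnerable: 'q' is encoded on output, 'debug' is reflected raw."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    if environ["PATH_INFO"] == "/search":
        q = params.get("q", [""])[0]
        debug = params.get("debug", [""])[0]
        body = '<form><input name="q"></form><p>Results for %s</p>' % html.escape(q)
        if debug:
            body += "<pre>" + debug + "</pre>"   # the flaw: no output encoding
        start_response("200 OK", [("Content-Type", "text/html")])
        return [body.encode()]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def http_get(app, path: str, query: dict) -> str:
    """Issue a GET the way a client would; the tester sees only the response body."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": urlencode(query)}
    return b"".join(app(environ, lambda status, headers: None)).decode()


MARKER = '<hyb"x>'   # unique token; reflected verbatim means no output encoding


def probe_reflection(app, path: str, names) -> list:
    """Send MARKER in each named parameter; return those reflected unencoded."""
    return [n for n in names if MARKER in http_get(app, path, {n: MARKER})]


def crawled_params(body: str) -> list:
    """What a black-box crawler learns from a page: the form's input names only."""
    return re.findall(r'<input name="([^"]+)"', body)


def run(app=target_app, source=JAVA_SERVLETS):
    """Returns (black-box findings, hybrid findings per path)."""
    black_box = probe_reflection(app, "/search", crawled_params(http_get(app, "/search", {})))
    hybrid = {path: probe_reflection(app, path, names)
              for path, names in attack_surface(source).items()}
    return black_box, hybrid


if __name__ == "__main__":
    bb, hy = run()
    print("black box only:", bb or "nothing found")     # []
    print("hybrid:", hy)                                # {'/search': ['debug'], '/account': []}
```

The `/account` servlet shows up in the surface too, but it only handles POST, so the GET probe returns a 404 and finds nothing there; a real engagement would carry the method from the code into the probe as well. The point is the one McGraw makes above: the black-box pass "passes" on `/search` while the flaw is still there, and the code is what tells the tester where else to look.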

  11. References
    Static Code Analysis Tool for Java: Find Security Bugs
    • OWASP Top 10: The Ten Most Critical Web Application Security Risks
    • OWASP ASVS: Application Security Verification Standard
    • OWASP Testing Guide: Penetration Testing Framework
    • OWASP Code Review Guide: Source Code Analysis Framework
    • OWASP Cheat Sheet Series: best-practice guidelines for developers
    Attack Vectors Finder Project: Tool & Methodology for Hybrid Security Testing
    Anne Gauthier
    [email protected]
    @Anne__Gauthier
    project201security.wordpress.com
    Icons designed by Virus, Freepik, Pixel Buddha, Alfredo Hernandez, Roundicons, Madebyoliver and Icon Monk from Flaticon
