
Hybrid approach to security testing


As part of their defensive efforts, businesses commonly commission cybersecurity assessments of their web applications, with the aim of identifying weaknesses in their security controls and maintaining a continually strong cybersecurity posture for their systems.
The classical approaches of either secure code review (white box) or penetration testing (black box) have proven effective in securing web applications. The trend, however, is moving towards combining the two; expert consensus increasingly recognizes the advantages of a hybrid approach. When applied properly, a hybrid approach builds on the strengths of both white and black box testing while compensating for their individual shortcomings.
In this presentation, we will examine the details of secure code review and penetration testing, and run demos to contrast their respective strengths and weaknesses. We will also examine why a hybrid approach can produce more complete and relevant assessment results. To conclude, we will cover proven approaches and practical techniques for how you can start leveraging a hybrid approach to web application assessments today.
Anne Gauthier is an application security analyst at GoSecure. Anne is also the president of the Montreal Chapter of OWASP – the industry standard for web application security. With a penetration testing background, she specializes in secure code reviews and in helping companies to improve their software development lifecycle (SDLC) according to industry best practices. Anne is CSSLP, GWAPT and GSSP-JAVA certified. She obtained a Software Engineering bachelor’s degree from Ecole de Technologie Supérieure in Montréal and is now pursuing a Master of Engineering (MEng) degree in Information Systems Security at Concordia University. She is the author of the Project 201 Security blog.
Thanks to our valued sponsors!

OWASP Montréal

July 11, 2017


Transcript

  1. 2017-05-24 Security Testing: Unlocking the Benefits of a Hybrid Approach

     Anne Gauthier
     • Application Security Analyst @ GoSecure
     • Secure code reviews
     • Secure Software Development Lifecycle (SDLC)
     • Penetration testing background
     • Software Engineer from École de Technologie Supérieure
     • Pursuing a Master of Engineering in Information Systems Security at Concordia
     • OWASP Montreal Chapter Leader
     • Author of the Project201Security Blog
     • Started my career as a developer
     • Photographer, Seamstress, Globetrotter and Passionate about Art
  2. Let's Talk About Application Security

     Hybrid Security Testing is:
     • Penetration Testing: black box, dynamic (running application)
     • + Code Review: white box, static (source code)
     • = Hybrid Testing: best of both worlds

     Question #1: When is it time to perform security testing during the software development lifecycle (SDLC)?
     Question #2: HOW?
  3. Current Security Testing Model in Software Companies

     Requirements → Design → Implementation → Verification → Release
     (Excerpt of the Microsoft SDLC: https://www.microsoft.com/en-us/sdl/)
     (Only testing here is too late)

     IDEAL Security Testing Model for Software Companies
     Requirements → Design → Implementation → Verification → Release
     (Excerpt of the Microsoft SDLC: https://www.microsoft.com/en-us/sdl/)
     Hybrid Security Testing
  4. IDEAL Security Testing Model for Software Companies

     Requirements → Design → Implementation → Verification → Release
     (Excerpt of the Microsoft SDLC: https://www.microsoft.com/en-us/sdl/)
     Security is present at each phase.

     Consider your Application ... in a Malicious Way (demo)
  5. Secure Code Review

     « All software projects are guaranteed to have one artifact in common – source code. Because of this guarantee, it makes sense to center a software assurance activity around code itself. »
     - Gary McGraw, CTO of Cigital (Software-Quality Management Firm), author of:
     • Software Security (Addison-Wesley, 2006)
     • Exploiting Software (Addison-Wesley, 2004)
     • Building Secure Software (Addison-Wesley, 2001)
     • and much more

     Secure Code Review Demo: Static Code Analysis Tool
  6. IDEAL Security Testing Model for Software Companies: Secure Code Review

     Requirements → Design → Implementation → Verification → Release
     (Excerpt of the Microsoft SDLC: https://www.microsoft.com/en-us/sdl/)

     Secure Code Review
     • Use of a Static Code Analysis Tool during the implementation phase
     • Multiple free tools are available depending on the language
     • Provides rapid feedback to developers
     • Helps find security flaws earlier during development
     • An automated tool will only identify the patterns it has been programmed to search for
     • No software can replace a human brain
     • Requires security skills
  7. Penetration Testing

     « If you fail a penetration test you know you have a very bad problem indeed. If you pass a penetration test you do not know that you don't have a very bad problem. »
     - Gary McGraw, CTO of Cigital (Software-Quality Management Firm), author of:
     • Software Security (Addison-Wesley, 2006)
     • Exploiting Software (Addison-Wesley, 2004)
     • Building Secure Software (Addison-Wesley, 2001)
     • and much more

     Penetration Testing Demo
  8. Penetration Testing

     • Can be done internally using a dynamic security testing tool
     • Can be performed by an external security team
     • Multiple free tools are available
     • Realistic simulations of attack scenarios
     • Requires exploitation skills
     • External testers do not know the inner workings of the application
     • The application should run
     • Scope of the test is the key
     • It costs a lot to fix a security flaw at this point

     IDEAL Security Testing Model for Software Companies: Penetration Testing
     Requirements → Design → Implementation → Verification → Release
     (Excerpt of the Microsoft SDLC: https://www.microsoft.com/en-us/sdl/)
  9. Assessing the Security Posture of an App: A Methodology Using a Hybrid Approach

     Mandate: client with an application
     Secure Code Review ⇄ SHARE INFORMATION ⇄ Penetration Testing
     Report

     Secure Code Review
     • Attack Surface
     • Interview with the client
     • Automated Tool(s)
     • Manual Review
     • Review Process
  10. Assessing the Security Posture of an App: A Methodology Using a Hybrid Approach

     Demo: Attack Vectors Finder Tool
     • Information Gathering
     • Manual Review
     • Findings

     Hybrid Security Testing
     • Security testing starts earlier during the SDLC
     • Provides more complete coverage of the security posture of an app
     • Security is the responsibility of every stakeholder, not just the security team
     • Requires team work
     • Requires specialized tools
     • Requires security skills
     • The integrated security activities will need to be documented and communicated
  11. References

     Static Code Analysis Tool for Java: Find Security Bugs
     • OWASP TOP 10: The Ten Most Critical Web Application Security Risks
     • OWASP ASVS: Application Security Verification Standard
     • OWASP Testing Guide: Penetration Testing Framework
     • OWASP Code Review Guide: Source Code Analysis Framework
     • OWASP Cheat Sheet: Best practices guidelines for developers
     Attack Vectors Finder Project: Tool & Methodology for Hybrid Security Testing

     Anne Gauthier
     [email protected]
     @Anne__Gauthier
     project201security.wordpress.com
     Icons designed by Virus, Freepik, Pixel Buddha, Alfredo Hernandez, Roundicons, Madebyoliver, Icon Monk from Flaticon
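Slides 9 and 10 describe the attack-surface information the code reviewer shares with the penetration tester, but the deck does not show how its Attack Vectors Finder tool derives it. The script below is an added illustration of that step, not the deck's tool or GoSecure's code: it builds an endpoint inventory from a constructed JAX-RS resource (the annotation names are real JAX-RS and JSR-250 annotations; the sample class, the regex-based parsing rules and the function names are assumptions).

```python
"""Attack-surface inventory from JAX-RS source: a constructed example of the
information a code reviewer shares with the pentester (not the deck's tool)."""
import re

# Constructed sample resource; the { ... } method bodies are elided on purpose.
SAMPLE_JAVA = '''
@Path("/accounts")
public class AccountResource {
    @GET
    @Path("/{id}")
    @RolesAllowed("user")
    public Account get(@PathParam("id") long id) { ... }
    @POST
    @Path("/{id}/transfer")
    public Response transfer(@PathParam("id") long id, @FormParam("to") String to, @FormParam("amount") int amount) { ... }
    @GET
    @Path("/search")
    public List<Account> search(@QueryParam("q") String q) { ... }
}
'''
HTTP = {"GET", "POST", "PUT", "DELETE", "PATCH"}      # JAX-RS verb annotations
AUTH = {"RolesAllowed", "PermitAll", "DenyAll"}        # JSR-250 authorization annotations
CLASS_PATH = re.compile(r'@Path\("([^"]*)"\)\s*public\s+class')
METHOD = re.compile(r'(?P<annos>(?:@\w+(?:\([^)]*\))?\s*)+?)'     # annotation block ...
                    r'public\s+[\w<>\[\]]+\s+\w+\s*\((?P<args>.*?)\)\s*\{', re.S)  # ... then signature
PARAM = re.compile(r'@(QueryParam|PathParam|FormParam|HeaderParam)\("([^"]*)"\)')

def inventory(src):
    """One record per resource method: verb, full path, attacker-controlled
    inputs, and which authorization annotation (if any) guards it."""
    cls = CLASS_PATH.search(src)
    base = cls.group(1) if cls else ""
    vectors = []
    for m in METHOD.finditer(src):
        names = re.findall(r"@(\w+)", m.group("annos"))
        verbs = [n for n in names if n in HTTP]
        if not verbs:
            continue                                   # not a resource method
        sub = re.search(r'@Path\("([^"]*)"\)', m.group("annos"))
        path = (base + (sub.group(1) if sub else "")).replace("//", "/")
        vectors.append({"verb": verbs[0], "path": path,
                        "inputs": PARAM.findall(m.group("args")),
                        "auth": next((n for n in names if n in AUTH), None)})
    return vectors

def missing_auth(vectors):
    """Endpoints with no authorization annotation: the reviewer hands these to the
    pentester as runtime checks to prioritise, since source alone cannot prove
    that a servlet filter or framework rule protects them."""
    return [f'{v["verb"]} {v["path"]}' for v in vectors if v["auth"] is None]
```

The inventory is the "SHARE INFORMATION" artifact: the pentester starts from a complete endpoint list instead of discovering it by crawling, and the reviewer gets runtime confirmation of what the static view could not decide.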