Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hybrid approach to security testing

OWASP Montréal
July 11, 2017
Programming
0
220

Hybrid approach to security testing

As part of their defensive efforts, businesses commonly commission cybersecurity assessments of their web applications; with the aim of identifying any weaknesses in the security controls and ensuring a continually strong cybersecurity posture of their systems.
The classical approach of either secure code review (white box) or penetration testing (black box) assessment have proven to be effective in securing of web applications. The new trend, however, is moving towards the combination of these two approaches; expert consensus is rapidly recognizing the advantages of using a hybrid approach. When applied properly, a hybrid approach can build on the strengths of both white and black box testing, while compensating for their individual shortcomings.
In this presentation, we will examine the details of secure code review and penetration testing, and run demos to contrast their respective strengths and weaknesses. We will also examine why a hybrid approach can produce more complete and relevant assessment results. To conclude, we will cover proven approaches, and practical techniques, on how you can start leveraging a hybrid approach to web application assessments today.
Anne Gauthier is an application security analyst at GoSecure. Anne is also the president of the Montreal Chapter of OWASP – the industry standard for web application security. With a penetration testing background, she specializes in secure code reviews and in helping companies to improve their software development lifecycle (SDLC) according to industry best practices. Anne is CSSLP, GWAPT and GSSP-JAVA certified. She obtained a Software Engineering bachelor’s degree from Ecole de Technologie Supérieure in Montréal and is now pursuing a Master of Engineering (MEng) degree in Information Systems Security at Concordia University. She is the author of the Project 201 Security blog.
Merci à nos précieux commanditaires !

OWASP Montréal

July 11, 2017
Tweet

More Decks by OWASP Montréal

See All by OWASP Montréal
OWASP_-_Operate_PCIDSS_infrastructure_using_devOps_approch.pptx.pdf
owaspmontreal
0
150
Endpoint Bypass Charles Hamilton
owaspmontreal
0
140
Threat Modeling Toolkit
owaspmontreal
0
1.1k
NorthSec - Applied Security Event
owaspmontreal
0
210
Sécurité des applications : Les fondements
owaspmontreal
0
120
WORKSHOP ! Server Side Template Injection (SSTI)
owaspmontreal
1
1k
Ransomware and healthcare - Hacking Health
owaspmontreal
0
160
OWASP Montréal reçoit Mario Contestabile
owaspmontreal
0
270
Comment protéger les applications mobiles
owaspmontreal
0
100

Other Decks in Programming

See All in Programming
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
3
430
みんなでプロポーザルを書いてみた
yuriko1211
0
230
Generative AI Use Cases JP (略称:GenU)奮闘記
hideg
0
220
ActiveSupport::Notifications supporting instrumentation of Rails apps with OpenTelemetry
ymtdzzz
1
210
ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF
twada
PRO
10
1.2k
Dev ContainersとGitHub Codespacesの素敵な関係
ymd65536
1
140
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
590
Why Jakarta EE Matters to Spring - and Vice Versa
ivargrimstad
0
770
破壊せよ!データ破壊駆動で考えるドメインモデリング / data-destroy-driven
minodriven
17
4.3k
Enabling DevOps and Team Topologies Through Architecture: Architecting for Fast Flow
cer
PRO
0
210
GitHub Actionsのキャッシュと手を挙げることの大切さとそれに必要なこと
satoshi256kbyte
5
420
RubyLSPのマルチバイト文字対応
notfounds
0
100

Featured

See All Featured
YesSQL, Process and Tooling at Scale
rocio
168
14k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Code Review Best Practice
trishagee
64
17k
A Tale of Four Properties
chriscoyier
156
23k
Done Done
chrislema
181
16k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
RailsConf 2023
tenderlove
29
900
What's in a price? How to price your products and services
michaelherold
243
12k
Thoughts on Productivity
jonyablonski
67
4.3k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
How to Ace a Technical Interview
jacobian
276
23k

Transcript

  1. 2017-05-24 1 Security Testing: Unlocking the Benefits of a Hybrid

    Approach Anne Gauthier • Application Security Analyst @ GoSecure • Secure code reviews • Secure Software Development Lifecycle (SDLC) • Penetration testing background • Software Engineer from École de Technologie Supérieure • Pursuing a Master of Engineering in Information Systems Security at Concordia • OWASP Montreal Chapter Leader • Author of the Project201Security Blog • Started my career as a developer • Photographer, Seamstress, Globetrotter and Passionate about Art

  2. 2017-05-24 2 Let’s Talk About Application Security Hybrid Security Testing

    is: Penetration Testing • Black box • Dynamic = Running Application Code Review • White box • Static = Source Code + = Hybrid Testing Best of both worlds Let’s Talk About Application Security Question #1 When is it time to perform security testing during the software development lifecycle (SDLC)? Question #2 HOW?

  3. 2017-05-24 3 Current Security Testing Model in Software Companies Internet

    Internet Requirements Design Implementation Verification Release Excerpt of the Microsoft SDLC https://www.microsoft.com/en-us/sdl/ (Only testing here is too late) IDEAL Security Testing Model for Software Companies Internet Internet Requirements Design Implementation Verification Release Excerpt of the Microsoft SDLC https://www.microsoft.com/en-us/sdl/ Hybrid Security Testing

  4. 2017-05-24 4 IDEAL Security Testing Model for Software Companies Internet

    Internet Requirements Design Implementation Verification Release Excerpt of the Microsoft SDLC https://www.microsoft.com/en-us/sdl/ Security is present at each phase Consider your Application ... demo in a Malicious Way

  5. 2017-05-24 5 Secure Code Review « All software projects are

    guaranteed to have one artifact in common – source code. Because of this guarantee, it make sense to center a software assurance activity around code itself. » - Gary McGraw CTO of Cigital (Software-Quality Management Firm) The author of • Software Security (Addison-Wesley, 2006), • Exploiting Software (Addison-Wesley, 2004), • Building Secure Software (Addison-Wesley, 2001) and • Much more Secure Code Review Demo: Static Code Analysis Tool

  6. 2017-05-24 6 IDEAL Security Testing Model for Software Companies Internet

    Internet Requirements Design Implementation Verification Release Excerpt of the Microsoft SDLC https://www.microsoft.com/en-us/sdl/ Secure Code Review Secure Code Review • Use of a Static Code Analysis Tool during the implementation phase • Multiple free tools are available depending on the language • Provides rapid feedback to developers • Help find security flaws earlier during the development • An automated tool will identify patterns for which it has been programmed to search for • No software can replace a human brain • Requires security skills

  7. 2017-05-24 7 Penetration Testing « If you fail a penetration

    test you know you have a very bad problem indeed. If you pass a penetration test you do not know that you don’t have a very bad problem. » - Gary McGraw CTO of Cigital (Software-Quality Management Firm) The author of • Software Security (Addison-Wesley, 2006), • Exploiting Software (Addison-Wesley, 2004), • Building Secure Software (Addison-Wesley, 2001) and • Much more Penetration Testing Demo

  8. 2017-05-24 8 Penetration Testing • Can be done internally using

    a dynamic security testing tool • Can be performed by an external security team • Multiple free tools are available • Realistic simulations of attack scenarios • Requires exploitation skills • External testers do not know the inner workings of the application • The application should run • Scope of the test is the key • It costs a lot to fix a security flaw at this point IDEAL Security Testing Model for Software Companies Internet Internet Requirements Design Implementation Verification Release Excerpt of the Microsoft SDLC https://www.microsoft.com/en-us/sdl/ Penetration Testing

  9. 2017-05-24 9 Assessing the Security Posture of an App: A

    Methodology Using a Hybrid Approach Mandate Client with an application Report Secure Code Review Penetration Testing SHARE INFORMATION Assessing the Security Posture of an App: A Methodology Using a Hybrid Approach Secure Code Review Attack Surface Interview with the client Automated Tool(s) Manual Review Review Process

  10. 2017-05-24 10 Assessing the Security Posture of an App: A

    Methodology Using a Hybrid Approach Demo: Attack Vectors Finder Tool Information Gathering Manual Review Findings Hybrid Security Testing • Security testing starts ealier during the SDLC • Provides a more complete coverage of the security posture of an app • Security is the responsibility of every stakeholder, not just the security team • Requires team work • Requires specialized tools • Requires security skills • The integrated security activities will need to be documented and communicated

  11. 2017-05-24 11 References Static Code Analysis Tool for Java Find

    Security Bugs • OWASP TOP 10 : The Ten Most Critical Web Application Security Risks • OWASP ASVS : Application Security Verification Standard • OWASP Testing Guide : Penetration Testing Framework • OWASP Code Review Guide : Source Code Analysis Framework • OWASP Cheat Sheet : Best practices guidelines for developers Attack Vectors Finder Project Tool & Methodology for Hybrid Security Testing Anne Gauthier [email protected] @Anne__Gauthier project201security.wordpress.com Icon designed by Virus, Freepik, Pixel Buddha, Alfredo Hernandez, Roundicons, Madebyoliver, Icon Monk from Flaticon