Slide 1

Slide 1 text

2017-05-24

Security Testing: Unlocking the Benefits of a Hybrid Approach

Anne Gauthier
• Application Security Analyst @ GoSecure
• Secure code reviews
• Secure Software Development Lifecycle (SDLC)
• Penetration testing background
• Software Engineer from École de Technologie Supérieure
• Pursuing a Master of Engineering in Information Systems Security at Concordia
• OWASP Montreal Chapter Leader
• Author of the Project201Security Blog
• Started my career as a developer
• Photographer, Seamstress, Globetrotter and Passionate about Art

Slide 2

Slide 2 text

Let's Talk About Application Security

Hybrid Security Testing is:

Penetration Testing
• Black box
• Dynamic = Running Application

+

Code Review
• White box
• Static = Source Code

= Hybrid Testing: Best of both worlds

Let's Talk About Application Security

Question #1: When is it time to perform security testing during the software development lifecycle (SDLC)?
Question #2: HOW?

Slide 3

Slide 3 text

Current Security Testing Model in Software Companies

Requirements → Design → Implementation → Verification → Release
Excerpt of the Microsoft SDLC: https://www.microsoft.com/en-us/sdl/
(Only testing here is too late)

IDEAL Security Testing Model for Software Companies

Requirements → Design → Implementation → Verification → Release
Excerpt of the Microsoft SDLC: https://www.microsoft.com/en-us/sdl/
Hybrid Security Testing

Slide 4

Slide 4 text

IDEAL Security Testing Model for Software Companies

Requirements → Design → Implementation → Verification → Release
Excerpt of the Microsoft SDLC: https://www.microsoft.com/en-us/sdl/
Security is present at each phase

Consider your Application ... in a Malicious Way (demo)

Slide 5

Slide 5 text

Secure Code Review

« All software projects are guaranteed to have one artifact in common – source code. Because of this guarantee, it makes sense to center a software assurance activity around code itself. »
- Gary McGraw, CTO of Cigital (Software-Quality Management Firm)

The author of
• Software Security (Addison-Wesley, 2006),
• Exploiting Software (Addison-Wesley, 2004),
• Building Secure Software (Addison-Wesley, 2001) and
• Much more

Secure Code Review
Demo: Static Code Analysis Tool

Slide 6

Slide 6 text

IDEAL Security Testing Model for Software Companies

Requirements → Design → Implementation → Verification → Release
Excerpt of the Microsoft SDLC: https://www.microsoft.com/en-us/sdl/
Secure Code Review

Secure Code Review
• Use of a Static Code Analysis Tool during the implementation phase
• Multiple free tools are available depending on the language
• Provides rapid feedback to developers
• Helps find security flaws earlier during development
• An automated tool will only identify the patterns it has been programmed to search for
• No software can replace a human brain
• Requires security skills

Slide 7

Slide 7 text

Penetration Testing

« If you fail a penetration test you know you have a very bad problem indeed. If you pass a penetration test you do not know that you don't have a very bad problem. »
- Gary McGraw, CTO of Cigital (Software-Quality Management Firm)

The author of
• Software Security (Addison-Wesley, 2006),
• Exploiting Software (Addison-Wesley, 2004),
• Building Secure Software (Addison-Wesley, 2001) and
• Much more

Penetration Testing
Demo

Slide 8

Slide 8 text

Penetration Testing
• Can be done internally using a dynamic security testing tool
• Can be performed by an external security team
• Multiple free tools are available
• Realistic simulations of attack scenarios
• Requires exploitation skills
• External testers do not know the inner workings of the application
• The application must be running
• Scope of the test is the key
• It costs a lot to fix a security flaw at this point

IDEAL Security Testing Model for Software Companies

Requirements → Design → Implementation → Verification → Release
Excerpt of the Microsoft SDLC: https://www.microsoft.com/en-us/sdl/
Penetration Testing

Slide 9

Slide 9 text

Assessing the Security Posture of an App: A Methodology Using a Hybrid Approach

Mandate: Client with an application
Secure Code Review ⇄ Penetration Testing (SHARE INFORMATION)
Report

Assessing the Security Posture of an App: A Methodology Using a Hybrid Approach

Secure Code Review, Review Process:
• Attack Surface
• Interview with the client
• Automated Tool(s)
• Manual Review

Slide 10

Slide 10 text

Assessing the Security Posture of an App: A Methodology Using a Hybrid Approach

Demo: Attack Vectors Finder Tool
Information Gathering → Manual Review → Findings

Hybrid Security Testing
• Security testing starts earlier during the SDLC
• Provides a more complete coverage of the security posture of an app
• Security is the responsibility of every stakeholder, not just the security team
• Requires team work
• Requires specialized tools
• Requires security skills
• The integrated security activities will need to be documented and communicated
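The "patterns it has been programmed to search for" point of the Secure Code Review slide and the attack-surface step of the methodology, in working form. This is an added example, not the author's Attack Vectors Finder tool: a small Python scanner over a constructed Java servlet that reports every line where untrusted HTTP input enters the application, producing the entry-point list a code reviewer would share with the penetration tester. The pattern list and the sample servlet are assumptions constructed here; any input API not in the list is invisible to the scanner, which is exactly why the manual review step still follows.

```python
import re
from collections import namedtuple
# Hypothetical pattern list: the tool only finds the Java servlet input APIs
# it has been programmed to look for; anything else is invisible to it.
ENTRY_POINT_PATTERNS = {
    "http-parameter": re.compile(r"\.getParameter(?:Values|Map)?\s*\("),
    "http-header": re.compile(r"\.getHeader(?:s|Names)?\s*\("),
    "http-cookie": re.compile(r"\.getCookies\s*\("),
}

AttackVector = namedtuple("AttackVector", "file line kind code")
def find_attack_vectors(source: str, filename: str) -> list:
    """Report every non-comment line where untrusted input enters the app."""
    vectors = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):  # an API name inside a comment is not an entry point
            continue
        for kind, pattern in ENTRY_POINT_PATTERNS.items():
            if pattern.search(stripped):
                vectors.append(AttackVector(filename, lineno, kind, stripped))
    return vectors

def summarize(vectors) -> dict:
    """Entry points per kind: the attack-surface list shared with the pentester."""
    summary = {}
    for v in vectors:
        summary[v.kind] = summary.get(v.kind, 0) + 1
    return summary

# Constructed sample servlet, not taken from any real project.
SAMPLE_JAVA = """\
public class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response) {
        String user = request.getParameter("user");
        String pass = request.getParameter("pass");
        String agent = request.getHeader("User-Agent");
        // request.getParameter("debug") was removed last release
        Cookie[] cookies = request.getCookies();
        authenticate(user, pass, agent, cookies);
    }
}
"""

if __name__ == "__main__":
    found = find_attack_vectors(SAMPLE_JAVA, "LoginServlet.java")
    for v in found:
        print(f"{v.file}:{v.line} [{v.kind}] {v.code}")
    print(summarize(found))  # {'http-parameter': 2, 'http-header': 1, 'http-cookie': 1}
```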

Slide 11

Slide 11 text

References

Static Code Analysis Tool for Java: Find Security Bugs

• OWASP TOP 10: The Ten Most Critical Web Application Security Risks
• OWASP ASVS: Application Security Verification Standard
• OWASP Testing Guide: Penetration Testing Framework
• OWASP Code Review Guide: Source Code Analysis Framework
• OWASP Cheat Sheet: Best practices guidelines for developers

Attack Vectors Finder Project: Tool & Methodology for Hybrid Security Testing

Anne Gauthier
[email protected]
@Anne__Gauthier
project201security.wordpress.com

Icons designed by Virus, Freepik, Pixel Buddha, Alfredo Hernandez, Roundicons, Madebyoliver, Icon Monk from Flaticon