I.T. DIGIT TestCentre Vulnerability assessment service Gabriel BABIANO DIGIT.A.3 29/11/2012.

Presentation transcript:

2 Agenda
- Service presentation
- Lessons learned

3 DIGIT TestCentre
- Organizational location: DIGIT.A.3
- Physical location: DRB D3 (LUX)
- Service manager: Gabriel BABIANO
- Performance testing service since 2002 (currently 6 testers)
- Vulnerability assessment service since 2011 (currently 3 testers)

4 DIGIT TestCentre – clients and figures
- Clients:
  - European Commission (including Executive Agencies and Services)
  - Other European institutions under agreement (e.g. Court of Justice of the European Union)
- Around 50 VTs per year
- Breakdown per DGs (chart)

5 Grounds for vulnerability assessment
- Motivation: legal constraints, reputation, data stolen, continuity of the service
- 75% of cyber-attacks are directed at the web application layer (Gartner)
- Network security alone does not protect web apps!!!

6 Tests in Information Systems life-cycle

7 Cost versus life-cycle stage
"Finding and fixing a software problem after delivery is often 100 times more expensive than finding and fixing it during the design and requirements phase" (Barry Boehm)
(Chart labels: VT, Secure coding guidelines)

8 DIGIT TC Vulnerability service deliverables
- Vulnerability assessment reports (per test/iteration)
  - Filtered potential vulnerabilities (no false positives…)
  - Classification by criticality and prioritization
  - Potential remediation
  - Evolution from previous iterations
- Secure coding guidelines
  - Best practices in secure coding
  - Recommended languages (HTML, Java, ColdFusion)
  - Aligned to threat evolution
  - Both for developers and operational managers
  - 1st draft release due for 01/2013

9 DIGIT VT service tests
- Black Box Vulnerability Test (dynamic analysis)
  - Needs a working application target (closest to PROD)
  - No access to source code required
  - Not specific to coding language(s)
  - Automatic tools + manual testing to supplement the tools
  - Complement to penetration testing and WBVT
- White Box Vulnerability Tests (static analysis)
  - Access to buildable source code
  - Automatic tools + manual revision to avoid false positives
  - All recommended languages are supported (Java, CF…)
  - No absolute need for an application target, but it helps a lot
  - Detects more vulnerabilities than black box

10 DIGIT TestCentre service procedure workflow
- Several iterations are normally required

11 DIGIT TC Vulnerability service tools
- Static code analysis (SAST)
  - Automatic tools
  - Manual code review: Eclipse
- Dynamic program analysis (DAST)
  - Automatic tools
  - Manual tools: Firefox and plugins (Tamper Data), database tools

12 Tools evaluation - methodology

13 Tools evaluation – criteria

14 Tools evaluation – critical metrics
- Correctness of the results
  - Accurate
  - Minimum false positives
  - Minimum inconclusive
  - Minimum duplicates
- Completeness of the results
  - % detected
  - % missed
  - False negatives
  - Misnamed
- Performance
  - Scan duration

15 Tools lists
- Static code analysis (SAST)
- Dynamic program analysis (DAST)
- Open source DAST tools: WebScarab, Nikto / Wikto, Open Web Application Security Project (OWASP), Google ratproxy and skipfish, W3af, Websecurify

16 Costs per test
- In-house service:
  - Assumption: a complete VT (WB & BB) takes 10 working days on average (15 tests per tester per year)
  - Strong investment in licenses the first year
  - Costs are similar after the 4th year
  - Security-skilled tester with an "industrialized" procedure required
- Outsourced service:
  - No investment required
  - Less flexible for the development? Quality? Iterations?

17 Engineering for attacks

18 Vulnerability risk areas
(Diagram: Security controls, Security functions)

19 OWASP Top Ten (2010 Edition)

20 (no text on slide)

21 (no text on slide)

22 CWE Top 25 Most Dangerous Software Errors

23 Comparison OWASP Top Ten 2010 – CWE Top

24 DIGIT TestCentre
- Score = Risk * Impact
- Priorities are adapted for every application

25 Vulnerability assessment
- Assess and secure all parts individually
- The idea is to force an attacker to penetrate several defence layers
- As a general rule, data stored in databases are considered "untrusted"
- "In God we trust, for the rest, we test"

26 Vulnerability remediation priorities
- Recommendations for remediation are found in the report
- Cover high priority first, then others when "affordable"
- Begin with risky vulnerabilities that are easy to remediate

27 Vulnerability type occurrence in the 1st iteration (%) (chart)

28 Improvements in Design and Coding stages
Vulnerability group per iteration (counts as extracted; the per-iteration figures are run together after each group name):
- Cross-Site Scripting Injection 23611
- Insecure Transmission of credentials/tokens 103
- Password Management 1362
- Cookie Security 97
- Path Manipulation 3211
- Weak authentication 42
- Open redirect 5
- Logging of credentials 21
- Cross-Site Request Forgery 16411
- Header Manipulation 1531
- Weak cryptography 1421
- File Upload 8311
- Forced Browsing 721
- Log Forging 6111
- Information disclosure 432
- Security increases in every iteration
- Flaws can appear in future iterations
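As an added example (not part of the deck or of the DIGIT service), the following Python applies the deck's Score = Risk * Impact rule and per-application priority adaptation (slide 24), the remediation ordering of slide 26 (high priority first, then risky-but-easy findings), and the "evolution from previous iterations" deliverable (slides 8 and 28). The 1..5 risk/impact scales, the remediation-effort field, the weight dictionary and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    group: str      # vulnerability group, named as in the deck's iteration table
    location: str   # constructed locator (URL/parameter) used to match findings across iterations
    risk: int       # likelihood of exploitation on an assumed 1..5 scale
    impact: int     # damage if exploited on an assumed 1..5 scale
    effort: int     # assumed remediation effort, 1 (easy) .. 5 (hard)


def score(f: Finding, weights: Optional[Dict[str, float]] = None) -> float:
    """Score = Risk * Impact (slide 24), times an optional per-application
    weight for the group: this is how 'priorities are adapted' in this example."""
    return f.risk * f.impact * (weights or {}).get(f.group, 1.0)


def remediation_order(findings: Iterable[Finding],
                      weights: Optional[Dict[str, float]] = None,
                      high_threshold: float = 12.0) -> List[Finding]:
    """Slide 26: high-priority findings (score >= threshold) first, then the rest;
    inside each tier, risky-but-easy findings come first (score per unit of effort)."""
    def key(f: Finding):
        s = score(f, weights)
        return (0 if s >= high_threshold else 1, -s / f.effort, -s)
    return sorted(findings, key=key)


def evolution(previous: Iterable[Finding],
              current: Iterable[Finding]) -> Dict[str, List[Tuple[str, str]]]:
    """Deliverable 'evolution from previous iterations': match findings by
    (group, location) and report what was fixed, what persists and what is new."""
    prev = {(f.group, f.location) for f in previous}
    cur = {(f.group, f.location) for f in current}
    return {"fixed": sorted(prev - cur),
            "persisting": sorted(prev & cur),
            "new": sorted(cur - prev)}


# Constructed sample findings for two test iterations (not real DIGIT data).
ITERATION_1 = [
    Finding("Cross-Site Scripting", "/search?q", 5, 4, 1),
    Finding("Weak cryptography", "session token", 4, 5, 4),
    Finding("Log Forging", "/login audit log", 2, 2, 1),
    Finding("Open redirect", "/redirect?url", 3, 3, 2),
]
ITERATION_2 = [
    Finding("Weak cryptography", "session token", 4, 5, 4),
    Finding("Cross-Site Request Forgery", "/account/update", 4, 4, 2),
]

if __name__ == "__main__":
    for f in remediation_order(ITERATION_1):
        print(f"{score(f):5.1f}  effort={f.effort}  {f.group} @ {f.location}")
    print(evolution(ITERATION_1, ITERATION_2))
```

Passing a weight such as {"Open redirect": 2.0} moves that group into the high-priority tier for an application where redirects matter more, which is the per-application adaptation the deck mentions.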

29 Threats to the VT success
- Tested source code not the same as PROD
- Testing environment differs from PROD
- Vulnerability testing tools can't cover everything automatically
- Hacking techniques evolve faster than service coverage
- If necessary, penetration tests are conducted by a 3rd party
- 100% risk- and vulnerability-free cannot be guaranteed, and security is not only a secure source code…

30 Some references
- Open Web Application Security Project (OWASP):
- Web Application Security Consortium (WASC):
- Common Vulnerability Scoring System (CWSS):
- Common Weakness Enumeration (CWE):
- Common Attack Pattern Enumeration and Classification (CAPEC):
- SANS Institute:

31 Questions?

32 Thank you!