adaptive application security testing model
play

Adaptive Application Security Testing Model Ashish Khandelwal - PowerPoint PPT Presentation

Mar 11, 2023 •211 likes •429 views

Adaptive Application Security Testing Model Ashish Khandelwal Gunankar Tyagi Agendum Confidential McAfee Internal Use Only Security Testing Confidential McAfee Internal Use Only Cost Impact m suffered a heavy The TJX Company breach, which m

  1. Adaptive Application Security Testing Model Ashish Khandelwal Gunankar Tyagi

  2. Agendum Confidential McAfee Internal Use Only

  3. Security Testing Confidential McAfee Internal Use Only

  4. Cost Impact m suffered a heavy The TJX Company breach, which m suffered a heavy The TJX Company breach, which security breach in Aug 2007 that was first reported in January of 2007, security breach in Aug 2007 that was first reported in January of 2007, reportedly resulted in the theft of reportedly resulted in the theft of has been widely recognized as t he has been widely recognized as t he the confidential information for the confidential information for largest report ed theft of personal largest report ed theft of personal o o some 1.3 million j ob seekers. c some 1.3 million j ob seekers. c details ever lost by a company. details ever lost by a company. . . r r e e t s t s n n o o M M Operation Aurora affected as Operation Aurora affected as many as 2,411 companies and many as 2,411 companies and compromised data ranges from compromised data ranges from intellectual property, classified intellectual property, classified documents to credit card transaction documents to credit card transaction details details LOVE BUG exploited Microsoft LOVE BUG exploited Microsoft Outlook e-mail client to execute Outlook e-mail client to execute programs. The damage resulting programs. The damage resulting from this virus was reported to be from this virus was reported to be in the billions of dollars. in the billions of dollars. Confidential McAfee Internal Use Only

  5. Rich Man’s Wisdom A man who wants to remain rich , will make sure he locks his money in The “VAULT” Confidential McAfee Internal Use Only

  6. Case Study – Product Context Setting  Applicat ion Product t eam  Int egrat ed Engineering t eam  S kill S et s  S pecialized S killed Confidential McAfee Internal Use Only

  7. Threat Model and its constraints P P R R O O G G C C E E E E T T S S S S S S E E F F T T L L O O G G W W O O C C O O N N S S T T R R A A I I N N T T S S Confidential McAfee Internal Use Only

  8. Adaptive Ladder • Full Time S ecurity Tester Threat • S ecurity Expertise Model • Authorized personnel Adaptive Model Adversarial Security R3 Testing Expertise Level R2 Peripheral R1 Security Testing • Part time S ecurity tester • S ecurity Testing Novice • Limited Access to codebase Success Rate Confidential McAfee Internal Use Only

  9. Adaptive Model - Highlights Two-tier sequential model Peripheral Security Testing (PST) Adversarial Security Testing (AST) Each of these testing types is defined in terms of  Inputs  Activities  Outputs Adaptive Model kicks off with PS T and then helps to  Enhance security knowledge and experience  Constantly Deliver results  Build perquisite for AS T Confidential McAfee Internal Use Only

  10. Adaptive Model – Basic Workflow Activities Inputs Outputs QA with Security Expertise Analysis , Research & Result Documents AST Code Access Historical Knowledge S ecurity Experience Expertise QA with Attack Perspective PST Execution & Results Document Archit ect ure Document Use Cases AST –Adversarial Security Testing PST –Peripheral Security Testing EPs –Entry/Exit Points Confidential McAfee Internal Use Only

  11. Peripheral Security Testing Entry Place where inputs are supplied to Entry Points Points your application Desirable/ undesirable Exit Exit output from the application. Points Points Without much knowledge of internal Outside Outside implementation Approach Approach Easier to detect and require less effort. On the On the S urface S urface Confidential McAfee Internal Use Only

  12. Sample Study I (Peripheral Security Testing) P P R R O O C C E E S S S S F F L L O O W W A A T T T T A Does your product functionality hamper if you deny the permissions to the temp folder ? A C C K K Do the files(logs/event xml/binaries) contain sensitive data ? M M Is there a way in which you can cause buffer overflow in the file extension /file names? O O D D E E L L Confidential McAfee Internal Use Only

  13. Sample Study II (Peripheral Security Testing) P P R R O O C C E E S S S S F F L L O O W W A A T T T T A Identify Named Pipes (pipe list) A C C K K View Permissions of Named Pipe (ObjSD) M M Check the product against Hijacking or Impersonating the Named pipe O O D D E E L L Confidential McAfee Internal Use Only

  14. Peripheral Security Testing Checklist S .No. Entry/ Exit Points Attack Model Tools/ S cripts Informat ion Disclosure FileMon ACL Editor Weak Permissions File & Folders 1 Buffer Overflow strings Man-in-the-middle Attack Wire shark netstat.exe S niffing network traffic netcat S end malicious dat a Sockets 2 Regmon Registry Accessed by the product Registry Entries ACL Editor 3 Permission of the registry keys PipS ec Exploit weak permission PipeList Hij ack the creat ion CreateAgentPipe Obj S D Impersonate the client Named Pipes 4 S hatter Att ack S hatter Tool User Interfaces WebText Convertor 5 Format S tring Attacks Command Line swit ches / ? , -? , / h, or -h. Process Explorer Image tab Command Line Arguments Exploit Undocumented command Line switches 6 Uncover Environment Variables used by Product Process Explorer Environnent Tab Manipulating data inside Product defined Environment S ystem Environnent Variable Tab Environment Variables 7 Variables COMRaider ActiveX Repurposing Attacks ActiveX Control 8 ActiveX Fuzzing OLEView I/ O Verification Windows Ut ility-> Verifier.exe Deadlock Detection Windows Ut ility -> fltmc Dangerous APIs Exceptions/ Handlers/ Memory Microsoft Application Verifier Loading and Unloading Filter Driver Velocity Tool by Microsoft Drivers 9 Attach and Detach Filter Driver Confidential McAfee Internal Use Only

  15. Adversarial Security Testing Attack Base An entity of the product or the Operating S ystem which can be Manipulated to perform an attack on software. Observation Based Gather past vulnerability information About the attack base. Abuse Cases Abuse cases (sometimes called misuse cases as well) are a tool that can help you begin to think about your software the same way that attackers do. Confidential McAfee Internal Use Only

  16. Sample Study III( Adversarial Security Testing) A A T T T T  Complexity of ACL’ s configuration A A  Permissions cannot be assigned to all C C K K obj ects  Exploiting Integrity Level (Vista specific) M M O O D D E E L L P P R R O O C C E E S S S S F F L L O O W W Confidential McAfee Internal Use Only

  17. Adversarial Security Testing Checklist S .No. Attack Base Abuse Case S cenarios References and Historical Knowledge Verificat ion of apt ACL’ s for your product resources S hatter Attack Target NULL DACL http:/ / www2.packetstormsecurit y.org/ cgi- Look for dangerous ACE types bin/ search/ search.cgi? searchtype=archives&co -> Everyone (WRITE_DAC) unts=26&searchvalue=win2000+att ack+.c 1 Access Control List -> Everyone (WRITE_OWNER) -> Everyone (FILE_ADD_FILE) Exploiting Integrity Levels Target Windows DAC weakness Target Windows MIC weakness http:/ / archive.hack.lu/ 2007/ cracking_windows _access_control.ppt List out shell extensions used by your product List the resources utilized by our S hell Extension 2 Shell Extensions Behavior of shell extension. http:/ / cve.mitre.org/ cgi- Effect of impersonat ing your product shell extensions. bin/ cvename.cgi? name=CVE-2006-5902 List resources used by BHO Learn how to write a BHO Understand functionality of IE Plugin. 3 P lugins -> This can give more att ack vectors Effect of impersonat ing our product BHO http:/ / cve.mitre.org/ cgi- Find a way to disable IE Plugin bin/ cvename.cgi? name=CVE-2004-2382 Do basic analysis of DOS At tacks Identify the services rendered by your product Identify the ports used by the services 4 Denial Of Service Identify tools to send specially crafter packet s to perform a DOS Attack on our product. ( use historical info ) http:/ / cve.mitre.org/ cgi- Analyze the results bin/ cvename.cgi? name=CVE-2008-1855 Confidential McAfee Internal Use Only

  18. AASTM Model - Recap • Position yourself on the Adaptive Ladder and then design your security testing strategy. • The idea is to find security defects in the product. A model is important but not a constraint • Follow Peripheral and Adversarial approaches as a guideline to target security flaws. • Creating a dedicated S kill-set base within the team helps a lot. • Even if it’ s an ad-hoc approach it’ s good to expose some security shortcomings Confidential McAfee Internal Use Only

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Continuous Application Security Testing Presented by:

Continuous Application Security Testing Presented by:

W14 Security Testing Wednesday, October 23rd, 2019 3:00 PM Continuous Application Security Testing Presented by: Josh Gibbs

306 views • 4 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
A Framework for Comparing Models for Adaptive Testing Jill-Jnn Vie February 19, 2016 Models

A Framework for Comparing Models for Adaptive Testing Jill-Jnn Vie February 19, 2016 Models

A Framework for Comparing Models for Adaptive Testing Jill-Jnn Vie February 19, 2016 Models for Adaptive Testing Framework, Experiment, Results NEW! Adaptive Submodularity Models for Adaptive Testing Computerized Adaptive Testing (CAT)

669 views • 30 slides
Model-Based Security M. Ochoa Verification and Testing for F. Bouquet Smart-Cards J. Bottela

Model-Based Security M. Ochoa Verification and Testing for F. Bouquet Smart-Cards J. Bottela

Model-Based Security M. Ochoa Verification and Testing for F. Bouquet Smart-Cards J. Bottela E.Fourneret J.Jurjens P. Yousefi ARES 2011 OUTLINE Introduction Background UMLsec Model-based Testing Security in smart-card

356 views • 17 slides
How Time Variability of Testing the Model Current Map with 8 . . . Testing the Model . . .

How Time Variability of Testing the Model Current Map with 8 . . . Testing the Model . . .

How Temperatures . . . A Model (cont-d) Model: Final Formulas How Time Variability of Testing the Model Current Map with 8 . . . Testing the Model . . . Temperature Depends on a Testing the Model: . . . Testing the Model: . . . Spatial

493 views • 9 slides
Adaptive Testing using a General Diagnostic Model Jill 1 -Jnn 2 Vie 3 Fabrice Popineau 1 Yolaine

Adaptive Testing using a General Diagnostic Model Jill 1 -Jnn 2 Vie 3 Fabrice Popineau 1 Yolaine

Adaptive Testing using a General Diagnostic Model Jill 1 -Jnn 2 Vie 3 Fabrice Popineau 1 Yolaine Bourda 1 ric Bruillard 2 1 CentraleSuplec, Gif-sur-Yvette 2 ENS Cachan/Paris-Saclay 3 Universit Paris-Saclay Filipe 1 1 0 0 0 0 Henry

544 views • 18 slides
Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web applications work What does the tooling landscape look like How does automated security testing fail What can we do Image courtesy of

583 views • 56 slides
Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day David Harper Practice Principal Fortify on Demand #MicroFocusCyberSummit Agenda The Application Security Problem Security Gate Secure DevOps

37.39k views • 30 slides
Testing security of CPS with Formal Methods Application (in progress) to industrial protocols IoS

Testing security of CPS with Formal Methods Application (in progress) to industrial protocols IoS

Testing security of CPS with Formal Methods Application (in progress) to industrial protocols IoS & IoT Roland Groz, Jean-Luc Richier, Maxime Puys, Laurent Mounier Univ. Grenoble Alpes LIG/Vasco + Vrimag/PACSS Kobe Universit

1.02k views • 33 slides
Widget security model based on MIDP and Web Application based on a security model with TLS/SSL

Widget security model based on MIDP and Web Application based on a security model with TLS/SSL

Widget security model based on MIDP and Web Application based on a security model with TLS/SSL and XMLDsig Claes Nilsson Technology Area Group Leader Web Browsing Marcus Liwell Technology Area Group Leader Security and DRM Rev 1

576 views • 12 slides
Mobile Application Security Testing ASSES SESSMENT NT & CODE REVIEW EW st 2014 Sept. t.

Mobile Application Security Testing ASSES SESSMENT NT & CODE REVIEW EW st 2014 Sept. t.

Mobile Application Security Testing ASSES SESSMENT NT & CODE REVIEW EW st 2014 Sept. t. 31 31 st Presenters ITAC 2014 Bishop Fox Francis Brown Partner Joe DeMesy Security Associate 2 2 Int ntrodu roductions ctions

1.32k views • 86 slides
Framework for Application Security Testing September 11th, 2018 Create thousands of security

Framework for Application Security Testing September 11th, 2018 Create thousands of security

Framework for Application Security Testing September 11th, 2018 Create thousands of security tests from existing functional tests automatically Wallarm FAST enables secure CI / CD Wallarm FAST has many cool features to help

476 views • 14 slides
Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device

Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device

Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device Security 2013 Boston, MA Presen sented ted by: Francis Brown & Joe DeMesy Bishop Fox www.bishopfox.com Introductions VERY QUICKLY

3.77k views • 83 slides
Coupling MM5 with ISOLSM: Development, Testing, and Application W.J. Riley, H.S. Cooley, Y. He*,

Coupling MM5 with ISOLSM: Development, Testing, and Application W.J. Riley, H.S. Cooley, Y. He*,

Coupling MM5 with ISOLSM: Development, Testing, and Application W.J. Riley, H.S. Cooley, Y. He*, M.S. Torn Lawrence Berkeley National Laboratory June 2003 Yun (Helen) He 1 Outline Introduction Model Integration Model

561 views • 15 slides
Security CS 4720 Mobile Application Development CS 4720 The Traditional Security Model

Security CS 4720 Mobile Application Development CS 4720 The Traditional Security Model

Security CS 4720 Mobile Application Development CS 4720 The Traditional Security Model The Firewall Approach Keep the good guys in and the bad guys out CS 4720 2 Distributed System Security Islands of Security

883 views • 39 slides
Bootstrap method and its application to the hypothesis testing in GPS mixed integer linear model

Bootstrap method and its application to the hypothesis testing in GPS mixed integer linear model

EGU General Assembly 2009 Geodtisches Institut Universitt Stuttgart Bootstrap method and its application to the hypothesis testing in GPS mixed integer linear model Jianqing Cai 1 , Erik W. Grafarend 1 and Congwei Hu 2 1 Institute of

545 views • 27 slides
Anycast for Any Service Michael J. Freedman Karthik Lakshminarayanan David Mazires

Anycast for Any Service Michael J. Freedman Karthik Lakshminarayanan David Mazires

Anycast for Any Service Michael J. Freedman Karthik Lakshminarayanan David Mazires http://oasis.coralcdn.org/ Whats the replica-selection problem? mycdn ? Client needs to choose a good replica server Performance and cost

798 views • 56 slides
Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

1.58k views • 113 slides
10 years of Rijndael Vincent Rijmen Overview The AES process (participants perspective)

10 years of Rijndael Vincent Rijmen Overview The AES process (participants perspective)

10 years of Rijndael Vincent Rijmen Overview The AES process (participants perspective) Rijndael Security of Rijndael/AES Spreading of AES Stream ciphers: competitors? Conclusions The early years (1997)

939 views • 70 slides
Risk-based Testing with Jira and Jubula Daniele Gagliardi @dangagliar Creative Commons

Risk-based Testing with Jira and Jubula Daniele Gagliardi @dangagliar Creative Commons

Risk-based Testing with Jira and Jubula Daniele Gagliardi @dangagliar Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported. 1 66 / Agenda The Theory What is it ? Why should I care ? The Practice The

974 views • 66 slides
Analyse de primitives sym etriques Pierre Karpman a lInria Saclay & Rennes, l Th`

Analyse de primitives sym etriques Pierre Karpman a lInria Saclay & Rennes, l Th`

Analyse de primitives sym etriques Pierre Karpman a lInria Saclay & Rennes, l Th` ese pr epar ee ` Ecole polytechnique, et la Nanyang Technological University Sous la direction de Daniel Augot, Pierre-Alain Fouque et

906 views • 58 slides
Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E untrusted communication link Alice Bob E D #%AR3Xf34^$ Attack at Dawn!! decryption encryption (ciphertext) message message Attack at

1.56k views • 143 slides
Making Sense at Scale with Algorithms, Machines & People PI: Michael Franklin

Making Sense at Scale with Algorithms, Machines & People PI: Michael Franklin

UC BERKELEY Making Sense at Scale with Algorithms, Machines & People PI: Michael Franklin University of California, Berkeley Expeditions in Computing PI Meeting May 15, 2013 The Berkeley AMPLab 2 Sources

800 views • 23 slides
Route map of our journey this evening Ciphers - coming of age The Enigma Machine Poles

Route map of our journey this evening Ciphers - coming of age The Enigma Machine Poles

Breaking Enigma & the U-boat Codes and the Legacy of Alan Turing Tuesday 17th April 2012 Professor David Stupples Centre for Cyber Security Sciences Centre for Cyber Security Sciences Route map of our journey this evening Ciphers -

711 views • 36 slides

More recommend