security regression
play

Security Regression Addressing Security Regression by Unit Testing - PowerPoint PPT Presentation

Aug 01, 2023 •104 likes •472 views

Security Regression Addressing Security Regression by Unit Testing Christopher Grayson @_lavalamp Introduction WHOAMI ATL Web development Academic researcher Haxin all the things (but I rlllly like networks) Founder

  1. Security Regression Addressing Security Regression by Unit Testing Christopher Grayson @_lavalamp

  2. Introduction

  3. WHOAMI • ATL • Web development • Academic researcher • Haxin’ all the things • (but I rlllly like networks) • Founder • Red team @_lavalamp 3

  4. WHY’S DIS • Security regression is a huge problem • Lots of infrastructure built around regression testing already • Let’s leverage all of that existing infrastructure to improve application security posture at a minimal cost to development teams 4

  5. Agenda 1. Background 2. Dynamic Security Test Generation 3. Non-dynamic Security Test Generation 4. Conclusion 5

  6. Background

  7. A Bit More on Motivation… • I’ve always loved breaking into things, have been doing this professionally since 2012 • Go in, break app, help client with remediation, check that remediation worked – great! • Come back 3-6 months later and test again, same vulns are back (commonly in the same places) • Offensive testing is good at diagnosing - not solving 7

  8. Regression Testing • Standard tool in any development team’s toolbox • Unit tests to ensure code does not regress to a prior state of instability • Lots of great tools (especially in the CI/CD chain) for ensuring tests are passing before deployment 8

  9. Putting it All Together Why not take the problem of security regression and use all of the tools already built for regression testing to improve the security posture of tested applications? 9

  10. The Demo Application • Street Art Around the World! • Written in Django (standard framework, no API, full post-back) • Same techniques work for any programming language and framework that support introspection • These examples require a framework that has explicit URL https://github.com/lavalamp-/security-unit-testing mapping 10

  11. Dynamic Generation

  12. Django Registered Routes • Django requires users to write views and then explicitly map these views to URL routes where they are served from • Views come from a set of pre- defined base classes that support default functionality (UpdateView, DeleteView, DetailView, FormView, etc) 12

  13. Testing Registered Routes • We can use introspection to enumerate all of the views registered within an application • Now that we know the views, how can we support testing functionality that issues requests to all of the view functionality? • Enter the Requestor class 13

  14. Requestor Registry Architecture • Requestors mapped to views they are meant to send requests to via Python decorators • Singleton registry contains mapping of views to requestors • Importing all of the views automatically establishes all of the mappings 14

  15. Dynamic Test Generation • We now can enumerate all of the views and access classes that are designed to submit requests to the views • With this capability we can dynamically generate test cases for all of the views in an application • Test cases take view classes and HTTP verbs as arguments to constructors 15

  16. Testing for Requestors If we are relying on requestor classes being defined for all views, then let’s test for it! 16

  17. Testing for Denial of Service We’ve got the ability to test every known HTTP verb of every registered view, so let’s test for successful HTTP responses. 17

  18. Testing for Unknown Methods Test to ensure that the methods supported by requestors match the methods returned by OPTIONS request. 18

  19. Testing for Auth Enforcement • Tell the requestors whether or not the tested view requires authentication • Can improve upon this demo by checking for inheritance of the LoginRequiredMixin • Check that unauthenticated request is denied 19

  20. Response Header Inclusion 20

  21. Testing for OPTIONS Accuracy We already built out requestors based on the OPTIONS response, so now let’s make sure that the OPTIONS response included the correct HTTP verbs. 21

  22. Testing for CSRF Enforcement Test to ensure that CSRF tokens are required for function invocation on non-idempotent view functionality. 22

  23. What Have We Gained? • We now have guarantees that • Our app contains no hidden functionality • All of our views are working as intended given expected input • Authentication is being properly enforced • Security headers are present • CSRF is properly protected against 23

  24. Why Dynamic Generation? • Those guarantees are great and all, but can’t we just write individual unit tests to test for them? • In a development team we have multiple people contributing code all the time • Through dynamic generation, these tests will automatically be applied to all new views, providing the same guarantees to code that hasn’t even been written yet 24

  25. Where Can We Go? • Other things that we could write dynamic tests for • Rate-limiting • Fuzzing of all input values to POST/PUT/PATCH/DELETE (introspection into forms used to power the views) • Proper updating, creation, and deletion of new models based on input data 25

  26. Testing Other Vulns

  27. Testing for Cross-site Scripting Test for proper encoding of output data! 27

  28. Testing for SQL Injection Submit two requests to the server, one making the SQL query match none and another making the SQL query match all, test to see if the results match the none and all expected responses 28

  29. Testing for Open Redirects Submit malicious input and see if HTTP redirect response redirects to full URL 29

  30. Conclusion

  31. Benefits of Dynamic Generation • Initial overhead is greater than writing individual unit tests, but new views added to the application also benefit from the tests • Provide us with strong guarantees about known application functionality and basic HTTP-based security controls 31

  32. Benefits of Sec. Unit Testing • Security guarantees now enforced by CI/CD integration • Test Driven Development? Great – have your security testers write failing unit tests that you then incorporate into your test suite • A new interface for how security and development teams can work together in harmony 32

  33. Recap • Security regression is a big problem • We can use the development paradigm of regression testing to address security regression • Dynamic test generation can take us a long way • Individual tests for individual cases further augment dynamic test generation capabilities 33

  34. Resources • Security Unit Testing Project https://github.com/lavalamp-/security-unit-testing • Lavalamp’s Personal Blog https://l.avala.mp/ • Django Web Framework https://www.djangoproject.com/ 34

  35. THANK YOU! @_lavalamp chris [AT] websight [DOT] io github.com/lavalamp-

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Logistic Regression James H. Steiger Department of Psychology and Human Development Vanderbilt

Logistic Regression James H. Steiger Department of Psychology and Human Development Vanderbilt

Introduction The Logistic Regression Model Binary Logistic Regression Binomial Logistic Regression Interpreting Logistic Regression Parameters Examples Logistic Regression and Retrospective Studies Logistic Regression James H. Steiger

777 views • 54 slides
Introduction to Regression and Correlation James H. Steiger Department of Psychology and Human

Introduction to Regression and Correlation James H. Steiger Department of Psychology and Human

Regression Analysis Some Examples Revisiting Basic Regression Results Anscombes Quartet Smoothing the Mean Function The Scatterplot Matrix Two Bivariate Regression Models Where from Here? Introduction to Regression and Correlation James

1.06k views • 57 slides
Efficient Regression for Computational Imaging: from Color Management to Omnidirectional

Efficient Regression for Computational Imaging: from Color Management to Omnidirectional

Efficient Regression for Computational Imaging: from Color Management to Omnidirectional Superresolution Maya R. Gupta Eric Raman Garcia Arora Regression 2 Regression Regression Linear Regression: fast, not good enough Problem : Device

601 views • 56 slides
10-601 Machine Learning Regression Outline Regression vs Classification Linear regression

10-601 Machine Learning Regression Outline Regression vs Classification Linear regression

10-601 Machine Learning Regression Outline Regression vs Classification Linear regression another discriminative learning method As optimization Gradient descent As matrix inversion (Ordinary Least Squares) Overfitting

1.52k views • 97 slides
Workers' Sickness Absences Evidence from Austrian Social Security Data using a Regression

Workers' Sickness Absences Evidence from Austrian Social Security Data using a Regression

Social Insurance, Firms, and Workers' Sickness Absences Evidence from Austrian Social Security Data using a Regression Discontinuity Design Ren Bheim Thomas Leoni (JKU Linz) (WIFO Vienna) 2nd Annual Meeting of

289 views • 15 slides
Regression Methods 1. Linear Regression and Logistic Regression: definitions, and a common

Regression Methods 1. Linear Regression and Logistic Regression: definitions, and a common

0. Regression Methods 1. Linear Regression and Logistic Regression: definitions, and a common property CMU, 2004 fall, Andrew Moore, HW2, pr. 4 2. Linear Regression and Logistic Regression: Definitions Given an input vector X , linear

1.07k views • 22 slides
Planning and Optimization B2. Regression: Introduction & STRIPS Case Malte Helmert and

Planning and Optimization B2. Regression: Introduction & STRIPS Case Malte Helmert and

Planning and Optimization B2. Regression: Introduction & STRIPS Case Malte Helmert and Gabriele R oger Universit at Basel October 13, 2016 Regression Regression Example Regression for STRIPS Tasks Summary Regression Regression

466 views • 19 slides
Multiple Regression and Logistic Regression I Dajiang Liu @PHS 525 Apr-14-2016 Multiple

Multiple Regression and Logistic Regression I Dajiang Liu @PHS 525 Apr-14-2016 Multiple

Multiple Regression and Logistic Regression I Dajiang Liu @PHS 525 Apr-14-2016 Multiple Regression Extends simple linear regression to the scenario where Multiple predictors are available Multiple regression often results in better

673 views • 17 slides
Logistic regression and Poisson regression Rasmus Waagepetersen Department of Mathematics

Logistic regression and Poisson regression Rasmus Waagepetersen Department of Mathematics

Logistic regression and Poisson regression Rasmus Waagepetersen Department of Mathematics Aalborg University Denmark October 6, 2017 Outline Logistic regression Poisson regression Binary and count data Linear mixed models very

391 views • 28 slides
Interpretation of regression coe ffi cients Correlation and Regression Is that textbook

Interpretation of regression coe ffi cients Correlation and Regression Is that textbook

CORRELATION AND REGRESSION Interpretation of regression coe ffi cients Correlation and Regression Is that textbook overpriced? > head(textbooks) deptAbbr course isbn uclaNew amazNew more diff 1 Am Ind C170 978-0803272620

401 views • 27 slides
Todays lecture Logistic regression How can we use logistic regression for reranking? Shay

Todays lecture Logistic regression How can we use logistic regression for reranking? Shay

Todays lecture Logistic regression How can we use logistic regression for reranking? Shay Cohen How do we set the parameters of a logistic regression model? (based on slides by Sharon Goldwater) How is logistic regression related

652 views • 9 slides
Regression Regression is a predictive method (like the nearest neighbour algorithm) The

Regression Regression is a predictive method (like the nearest neighbour algorithm) The

Regression Regression is a predictive method (like the nearest neighbour algorithm) The approach is to try to describe a dependent variable in terms of one or more independent variables Regression can be used with both quantitative

402 views • 4 slides
Regression l For classification the output(s) is nominal l In regression the output is continuous

Regression l For classification the output(s) is nominal l In regression the output is continuous

Regression l For classification the output(s) is nominal l In regression the output is continuous Function Approximation l Many models could be used Simplest is linear regression Fit data with the best hyper-plane which "goes

592 views • 35 slides
Regression 3: Logistic Regression Marco Baroni Practical Statistics in R Outline Logistic

Regression 3: Logistic Regression Marco Baroni Practical Statistics in R Outline Logistic

Regression 3: Logistic Regression Marco Baroni Practical Statistics in R Outline Logistic regression Logistic regression in R Outline Logistic regression Introduction The model Looking at and comparing fitted models Logistic regression in

1.09k views • 47 slides
Correlation and Regression 9-1 Overview 9-2 Correlation 9-3 Regression 9-4 Variation and

Correlation and Regression 9-1 Overview 9-2 Correlation 9-3 Regression 9-4 Variation and

Chapter 9 Slide 1 Correlation and Regression 9-1 Overview 9-2 Correlation 9-3 Regression 9-4 Variation and Prediction Intervals 9-5 Multiple Regression 9-6 Modeling Chapter 9, Triola, Elementary Statistics , MATH 1342 Slide 2 Section 9-1

1.12k views • 94 slides
Regression Methods 1. Linear Regression with only one parameter, and without offset; MLE and

Regression Methods 1. Linear Regression with only one parameter, and without offset; MLE and

0. Regression Methods 1. Linear Regression with only one parameter, and without offset; MLE and MAP estimation CMU, 2012 fall, Tom Mitchell, Ziv Bar-Joseph, midterm, pr. 3 2. Consider real-valued variables X and Y . The Y variable is

1.25k views • 86 slides
(U) A Method for Regression Analysis on Sparse Datasets Daniel Barkmeyer NRO CAAG June 2015

(U) A Method for Regression Analysis on Sparse Datasets Daniel Barkmeyer NRO CAAG June 2015

(U) A Method for Regression Analysis on Sparse Datasets Daniel Barkmeyer NRO CAAG June 2015 Background Traditional regression analysis, e.g. Zero-Bias Minimum Percent Error (ZMPE), can run into problems when important independent

370 views • 22 slides
Linear Regression Models Based on Chapter 3 of Hastie, Tibshirani and Friedman Linear Regression

Linear Regression Models Based on Chapter 3 of Hastie, Tibshirani and Friedman Linear Regression

Linear Regression Models Based on Chapter 3 of Hastie, Tibshirani and Friedman Linear Regression Models p = + f ( X ) X 0 j j = j 1 Here the X s might be: Raw predictor variables (continuous or

724 views • 31 slides
January 2019 Important Notice The information contained in this presentation is for

January 2019 Important Notice The information contained in this presentation is for

Bangkok Dusit Medical Services (BDMS) Investor Presentation 3Q18 & 9M18 Results January 2019 Important Notice The information contained in this presentation is for information purposes only and does not constitute an offer or invitation

744 views • 48 slides
The Role of the Guernsey Registry in Charity and NPO registration Helen Proudlove-Gains Deputy

The Role of the Guernsey Registry in Charity and NPO registration Helen Proudlove-Gains Deputy

The Role of the Guernsey Registry in Charity and NPO registration Helen Proudlove-Gains Deputy Registrar 1 The Guernsey Registry took over the administration of The Charities and Non Profit Organisations (Registration) (Guernsey) Law,

571 views • 10 slides
When to invest in high speed rail British experience Chris Nash Research Professor

When to invest in high speed rail British experience Chris Nash Research Professor

Institute for Transport Studies FACULTY OF EARTH AND ENVIRONMENT When to invest in high speed rail British experience Chris Nash Research Professor C.A.Nash@its.leeds.ac.uk HS1 benefits and costs (m) Benefits (1998 Appraisal) User

390 views • 14 slides
Mark Carlson Hui Shan Missaka Warusawitharana Motivation Concerns about the impact of bank

Mark Carlson Hui Shan Missaka Warusawitharana Motivation Concerns about the impact of bank

Mark Carlson Hui Shan Missaka Warusawitharana Motivation Concerns about the impact of bank capital on bank lending have been of increased interest recently Has been a variety of previous efforts to measure this effect One challenge is

591 views • 21 slides
R-CNN minus R Karel Lenc, Andrea Vedaldi Object detection 2 Goal : tightly enclose objects of a

R-CNN minus R Karel Lenc, Andrea Vedaldi Object detection 2 Goal : tightly enclose objects of a

Visual Geometry Group, Department of Engineering Science R-CNN minus R Karel Lenc, Andrea Vedaldi Object detection 2 Goal : tightly enclose objects of a certain type in a bounding box bikes planes horses birds Top

625 views • 27 slides
WhenDeepLearningmeets VisualLocalization Mar MartinHu Humenberger NA

WhenDeepLearningmeets VisualLocalization Mar MartinHu Humenberger NA

WhenDeepLearningmeets VisualLocalization Mar MartinHu Humenberger NA NAVERLA LABS BSEur urop ope,3D 3DVision onGr Group oup http://europe.naverlabs.com Outline

662 views • 54 slides

More recommend