t14
play

T14 Thursday, May 18, 2006 1:30PM S ECURITY T ESTING : A RE Y OU A D - PDF document

Mar 14, 2023 •167 likes •578 views

BIO PRESENTATION T14 Thursday, May 18, 2006 1:30PM S ECURITY T ESTING : A RE Y OU A D EER IN THE H EADLIGHTS ? Ryan English SPI Dynamics Inc International Conference On Software Testing Analysis and Review May 15-19, 2006 Orlando, Florida USA

  1. BIO PRESENTATION T14 Thursday, May 18, 2006 1:30PM S ECURITY T ESTING : A RE Y OU A D EER IN THE H EADLIGHTS ? Ryan English SPI Dynamics Inc International Conference On Software Testing Analysis and Review May 15-19, 2006 Orlando, Florida USA

  2. Ryan English Ryan English is the group product manager for SPI Dynamics' QAInspect(tm) Quality Assurance Security testing product line, overseeing product strategy and direction for the company's five Quality Assurance products. Prior to joining SPI Dynamics, Ryan was responsible for product management at Live Oak Technologies, a quality assurance software company. In addition, Ryan was a project manager for the supply chain software company, VerticalNet, where he assisted in the strategic growth and development of their consulting division. Ryan has also led project management teams with MCI Worldcom and DayNine. Ryan is a seasoned speaker on the topic of security testing Web applications in QA and has spoken at several Quality Assurance industry events including Mercury World 2005.

  3. Do you feel Like a Deer in Headlights? Ryan English SPI Dynamics

  4. Simple Web Site Architecture (1996)

  5. Complex Web Architecture (2006)

  6. Web Applications Breach the Perimeter Trusted Corporate Internet DMZ Inside Inside ASP MS-SQL IIS .NET ORACLE SunOne J2EE DB2 Apache HTTP/HTTPS

  7. Examples of Application Security Vulnerabilities Application Application Application Mapping Adm inistration Adm inistration Buffer Overflow Backup Checking Brute Force Common File Checks Cookie Manipulation Data Extension Platform Checking Cookie Poisoning/ Theft Platform Directory Cross-site scripting Known Enumeration Vulnerabilities Custom Application Extension Checking Scripting BEA WebLogic Forceful Browsing Parameter Manipulation IBM WebSphere Hidden Web Paths Reverse Directory Transversal Path Truncation Microsoft IIS SQL Injection

  8. Recent Application Security Attacks

  9. Customers In the Field 100X System/Acceptance Testing 15X Integration Testing Unit Test 6.5X 1 X Design Development Testing Deployment

  10. Implications of Application Security 35 major identity theft cases reported in first half of 2005 . Personal information of over 9.6 million individuals was stolen. Web application hacking was the most common method used. -IDC

  11. Value Proposition • Regulatory compliance policies like HIPAA. SOX, PCI, and GLBA • Identify areas of your application vulnerable to hacking, identity theft and phishing attack vulnerabilities • Reduce cost of outsourced or manual security testing • Big ROI with security testing during quality process - Costs one-fifth as much to fix an application in QA then after deployment

  12. How Do Web Applications Communicate? Netw ork Layer • Client connects to the server • Client sends request to server • Server responds to client Server • Connection is disconnected w w w .m ybank.com – HTTP is stateless ( 6 4 .5 8 .7 6 .2 3 0 ) Client PC Port: 8 0 ( 1 0 .1 .0 .1 2 3 ) Request Response

  13. Securing the Network Layer • SSL ( Secure Sockets Layer) – Provided encryption of data between Server a client and server w w w .m ybank.com – Typically guarantees to client that server is who it asserts itself to be ( 6 4 .5 8 .7 6 .2 3 0 ) Client PC Port: 4 4 3 ( 1 0 .1 .0 .1 2 3 ) SSL Tunnel

  14. Securing the Network Layer SSL • • Firew alls – Allows or disallows traffic to pass from the external network to the internal network – Acts as a “ traffic cop ” Server – Port 80 (HTTP) and port 443 (HTTPS) w w w .m ybank.com travel freely through the firewall ( 6 4 .5 8 .7 6 .2 3 0 ) Client PC Port: 4 4 3 ( 1 0 .1 .0 .1 2 3 ) SSL Tunnel

  15. Securing the Network Layer • SSL • Firew alls • I DS ( I ntrusion Detection System ) – Monitors network for malicious activities Server – Typically signature based detection w w w .m ybank.com (similar to virus protection) ( 6 4 .5 8 .7 6 .2 3 0 ) – Blind to encrypted (SSL) traffic Port: 4 4 3 Client PC ( 1 0 .1 .0 .1 2 3 ) I DS SSL Tunnel

  16. What is HTTP? HTML Page • HTML Page <a href=http://www.test.me>Click Here</a> < a href= http: / / www.test.me> Click Here< / a> Request • Request GET / HTTP/ 1.1 GET / HTTP/ 1.1 Accept: * / * Response Accept: * / * Accept-Language: en-us Accept-Encoding: identity Accept-Language: en-us User-Agent: Mozilla/ 4 .0 ( com patible; MSI E 6 .0 ; W indow s NT 5 .0 ; .NET CLR 1 .0 .3 7 0 5 ) HTTP/ 1 .1 2 0 0 OK Accept-Encoding: identity Host: w w w .spidynam ics.com Server: Microsoft-I I S/ 5 .0 User-Agent: Mozilla/ 4 .0 ( com patible; MSI E 6 .0 ; W indow s NT Connection: Keep-Alive Date: Mon, 07 Apr 2003 12: 52: 26 GMT 5 .0 ; .NET CLR 1 .0 .3 7 0 5 ) • Response Content-Length: 1 0 2 2 5 Host: w w w .spidynam ics.com Content-Type: text/ htm l Connection: Keep-Alive HTTP/ 1 .1 2 0 0 OK Cache-control: private Server: Microsoft-I I S/ 5 .0 Set-Cookie: Date: Mon, 07 Apr 2003 12: 52: 26 GMT Content-Length: 1 0 2 2 5 ASPSESSI ONI DCSCRRCBS= GODPKFJDPJNMHGGJDOEI DDMK ; path= / ; Content-Type: text/ htm l Cache-control: private < html> Set-Cookie: ASPSESSI ONI DCSCRRCBS= GODPKFJDPJNMHGGJDOEI DDMK ; path= / ; < body> < html> < body> Server Client PC Request Response

  17. How Does Your Application Work? • GET – Simple query string based request • POST – Contains POST data in the body of the request W eb Application HTTP Netw ork

  18. HTTP – GET With a Query String • HTML Page HTML Page <a href=http://www.test.me/ banklogin.asp?serviceName=FreebankCaastAccess&ID=5 >Click Here</a> <a href=http://www.test.me/ banklogin.asp?serviceName=Freebank • Request Request CaastAccess&ID=5 >Click Here</a> GET /banklogin.asp?serviceName=FreebankCaastAccess& GET / banklogin.asp?serviceNam e= FreebankCaastAccess&tem plateNam e= prod_ sel.forte&I D= 5 HTTP/ 1.1 Response Accept: * / * templateName=prod_sel.forte&ID=5 HTTP/1.1 Accept-Language: en-us Accept: */* Accept-Encoding: identity HTTP/1.1 200 OK User-Agent: Mozilla/ 4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705) Accept-Language: en-us Server: Microsoft-IIS/5.0 Host: www.company.com Accept-Encoding: identity Connection: Keep-Alive Date: Fri, 04 Apr 2003 15:17:50 GMT User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR Cookie: ASPSESSI ONI DCQABRCAA= DKBNDFFCLDKNPGFDDFJCLBDN Content-Length: 4183 1.0.3705) Content-Type: text/html Host: www.company.com • Response Cache-control: private Connection: Keep-Alive Set-Cookie: sessionid=25; path=/; Cookie: ASPSESSIONIDCQABRCAA=DKBNDFFCLDKNPGFDDFJCLBDN HTTP/ 1.1 200 OK Set-Cookie: state=GA; path=/; Server: Microsoft-IIS/ 5.0 Set-Cookie: username=MrUser; path=/; Date: Fri, 04 Apr 2003 15: 17: 50 GMT Content-Length: 4183 Set-Cookie: userid=1538; path=/; Content-Type: text/ html Cache-control: private <HTML> Set-Cookie: sessionid= 2 5 ; path= / ; Set-Cookie: state= GA; path= / ; <HEAD> Set-Cookie: usernam e= MrUser; path= / ; <TITLE></TITLE> Set-Cookie: userid= 1 5 3 8 ; path= / ; </HEAD> < HTML> <BODY> < HEAD> < TITLE> < / TITLE> < / HEAD> < BODY>

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reflections on the Proposed Ontario Retirement Pension Plan Kevin Milligan Vancouver School of

Reflections on the Proposed Ontario Retirement Pension Plan Kevin Milligan Vancouver School of

Reflections on the Proposed Ontario Retirement Pension Plan Kevin Milligan Vancouver School of Economics University of British Columbia Comments prepared for Financial Markets Regulation Roundtable University of Calgary School of Public Policy

214 views • 6 slides
The Institute of Internal Auditors Washington, D.C. Chapter Regulatory &amp; Accounting Hot

The Institute of Internal Auditors Washington, D.C. Chapter Regulatory &amp; Accounting Hot

The Institute of Internal Auditors Washington, D.C. Chapter Regulatory &amp; Accounting Hot Topics March 7, 2016 Jin Ryu Professional Accounting Fellow Office of the Comptroller of the Currency 1 Jin Ryu Professional Accounting Fellow Office

604 views • 47 slides
Photobioreactor system case-study Tom a s Stan ek Tom a s Stan ek

Photobioreactor system case-study Tom a s Stan ek Tom a s Stan ek

Photobioreactor system case-study Tom a s Stan ek Tom a s Stan ek Photobioreactor system case-study Tom a s Stan ek Photobioreactor system case-study Overal description Various devices with some autonomous logic and

920 views • 48 slides
W hat is it w ith W hat is it w ith com pulsory saving? com pulsory saving? Michael Littlew ood

W hat is it w ith W hat is it w ith com pulsory saving? com pulsory saving? Michael Littlew ood

W hat is it w ith W hat is it w ith com pulsory saving? com pulsory saving? Michael Littlew ood Retirem ent Policy and Research Centre Retirem ent Policy and Research Centre A Agenda d Is New Zealand Superannuation sustainable? Is New

456 views • 34 slides
Connectivity Means Community Distributed System Planning for Humans

Connectivity Means Community Distributed System Planning for Humans

Connectivity Means Community Distributed System Planning for Humans https://abc7.com/health/covid-19-socal-customers-see-higher- https://www.wusa9.com/article/news/health/coronavirus/custo utility-bills-amid-pandemic/6103624/

695 views • 42 slides
Presentation Overview Applicability of Rules and Regulations Overview of legislative

Presentation Overview Applicability of Rules and Regulations Overview of legislative

C ANNABIS C ONSUMPTION R ULES &amp; R EGULATIONS Mohanned Malhi, R.E.H.S. October 16, 2018 Health Commission Public Health Committee 2 Presentation Overview Applicability of Rules and Regulations Overview of legislative history

419 views • 15 slides
Making the Most of Social Media North Wind CCL Regional Conference 2018 Kelli Lewis Making the

Making the Most of Social Media North Wind CCL Regional Conference 2018 Kelli Lewis Making the

10/2/18 Making the Most of Social Media North Wind CCL Regional Conference 2018 Kelli Lewis Making the Most of Social Media u Social Media Stats u Dos and Donts u Connecting to Congress u Social Media Goals u Facebook 1 10/2/18 Social

289 views • 7 slides
Presentation of Learning: Planning Tool PHASE OF PROMPTING RELEVANT INFORMATION TO INCLUDE

Presentation of Learning: Planning Tool PHASE OF PROMPTING RELEVANT INFORMATION TO INCLUDE

Presentation of Learning: Planning Tool PHASE OF PROMPTING RELEVANT INFORMATION TO INCLUDE HOW WILL WE PRESENT THIS? PRESENTATION QUESTIONS What was the unique challenge or issue? What did you identify about this? Who were the key

207 views • 4 slides
!&quot;#$%&amp;'()'%*+()',#-. !--&quot;()--/(0#12(3&amp;%4&amp;

!&quot;#$%&amp;'()'%*+()',#-. !--&quot;()--/(0#12(3&amp;%4&amp;

!&quot;#$%&amp;'()'%*+()',#-. !--&quot;()--/(0#12(3&amp;%4&amp; &quot;#$%&amp;&quot;'()*(+&amp;,'-&amp;.'/0-&amp;,123-&amp;4//'0 ! 35$$%4+(-/(3678( )'9#*'.&amp;#%&quot;(:4-,4%$9 !&quot;#$%&amp;'()* +,'&quot;-%.'#*-%!-/0'/1(23-

297 views • 11 slides
2.0 April 1-26, 2019 Background The University of Californias Carbon Neutrality Goals

2.0 April 1-26, 2019 Background The University of Californias Carbon Neutrality Goals

2.0 April 1-26, 2019 Background The University of Californias Carbon Neutrality Goals 2020 - Return to 1990 levels (all sectors) 2025 - scopes 1 &amp; 2 emissions 2050 - all sector Success requires engaging all of the

713 views • 27 slides
EUROGATE Container Terminals in Bremerhaven 26 th Sep. 2016 About us EUROGATE was founded in

EUROGATE Container Terminals in Bremerhaven 26 th Sep. 2016 About us EUROGATE was founded in

EUROGATE MOVING THE GLOBAL ECONOMY Eurogate Wir bewegen Wirtschaft EUROGATE Container Terminals in Bremerhaven 26 th Sep. 2016 About us EUROGATE was founded in September 1999 Europes leading, shipping-line independent container

224 views • 10 slides
DEVELOPMENT OF COOL COLORED ROOFING MATERIALS Project Advisory Committee (PAC) Meeting

DEVELOPMENT OF COOL COLORED ROOFING MATERIALS Project Advisory Committee (PAC) Meeting

DEVELOPMENT OF COOL COLORED ROOFING MATERIALS Project Advisory Committee (PAC) Meeting Collaborative R&amp;D with Industry LBNL ORNL LBNL ORNL and Sponsored by the California Energy Commission (Project Manager: Chris Scruton) March 11,

843 views • 55 slides
How to Cool and Heat with pure water... without using any energy or moving parts Cool Cell

How to Cool and Heat with pure water... without using any energy or moving parts Cool Cell

How to Cool and Heat with pure water... without using any energy or moving parts Cool Cell Technology Cool Cells are highly insulated metal boxes used to protect batteries and sensitive electronics from overheating in the summer and from

1.02k views • 12 slides
Operimentum C102-4 Parker Prost, Lawand Yaseen, Nidhi Menon, Brody Payne EF 152 Spring, 2018

Operimentum C102-4 Parker Prost, Lawand Yaseen, Nidhi Menon, Brody Payne EF 152 Spring, 2018

Operimentum C102-4 Parker Prost, Lawand Yaseen, Nidhi Menon, Brody Payne EF 152 Spring, 2018 April 5th 2018 Product Brainstorming and Selection Brainstorming Sessions: Automated anti-frost covers for sensitive plants in the winter

311 views • 10 slides
National School In Lima, Per Summary The First Cool Roof for a National School was a project

National School In Lima, Per Summary The First Cool Roof for a National School was a project

First Cool Roof for a National School In Lima, Per Summary The First Cool Roof for a National School was a project held by the Peruvian national school N 101 Shuji Kitamura, the PTA (Parent-Teacher Association) and MASPROTECTO united

462 views • 22 slides
Cool Room Project Arianna Rundquist, Daniel Sheeter, Michael Cunningham, Jingyan Wu Project

Cool Room Project Arianna Rundquist, Daniel Sheeter, Michael Cunningham, Jingyan Wu Project

Cool Room Project Arianna Rundquist, Daniel Sheeter, Michael Cunningham, Jingyan Wu Project Background Location:Yabiavoko village, Ombokoro Parish in Manibe Sub-country, Arua District Goal: Reduce post harvest losses for farmers

400 views • 36 slides
HIST ORY MAKING T HE BUS COOL F OR E VE RYONE F or me d in 1973 as South Coast Ar e a

HIST ORY MAKING T HE BUS COOL F OR E VE RYONE F or me d in 1973 as South Coast Ar e a

MAKING T HE BUS COOL F OR E VE RYONE o n a small budge t R VANE SSA RAUSCHE NBE RGE DI RE CT OR OF PL ANNI NG AND MARK E T I NG HIST ORY MAKING T HE BUS COOL F OR E VE RYONE F or me d in 1973 as South Coast Ar

513 views • 34 slides
CLIMATE LEADERSHIP: HOW CITIES WILL GET THE JOB DONE BRENDAN SHANE and ERIC AST www.c40.org

CLIMATE LEADERSHIP: HOW CITIES WILL GET THE JOB DONE BRENDAN SHANE and ERIC AST www.c40.org

CLIMATE LEADERSHIP: HOW CITIES WILL GET THE JOB DONE BRENDAN SHANE and ERIC AST www.c40.org THIS IS C40 92 of the worlds leading megacities working together to tackle climate change 11 % of global population 25 % of global GDP jhsdfkh

556 views • 41 slides
Manufacturing Day October 3, 2014 Agenda Group 1 9:00: Arrival at Fori Automation

Manufacturing Day October 3, 2014 Agenda Group 1 9:00: Arrival at Fori Automation

Manufacturing Day October 3, 2014 Agenda Group 1 9:00: Arrival at Fori Automation 9:00-9:20: Welcome and Brief Overview 9:25-10:45: Department Presentations 20 min each with 10 minutes walk &amp; talk time

296 views • 19 slides
CAPITAL MARKETS DAY 12 September 2019 DISCLAIMER This presentation includes forward- looking

CAPITAL MARKETS DAY 12 September 2019 DISCLAIMER This presentation includes forward- looking

CAPITAL MARKETS DAY 12 September 2019 DISCLAIMER This presentation includes forward- looking statements. The words believe, expect, anticipate, intend, may, plan, estimate, will, should,

927 views • 75 slides
What do YOU think STEAM is? Sounds pretty cool, right?!? Here are some questions we have

What do YOU think STEAM is? Sounds pretty cool, right?!? Here are some questions we have

What do YOU think STEAM is? Sounds pretty cool, right?!? Here are some questions we have heard... Frequently asked questions: What makes the STEAM Academy different than MFMS? How do you get into the STEAM Academy? What does my

387 views • 11 slides
Objectives Temperature TMDLs Present steps used to produce a temperature TMDL based on

Objectives Temperature TMDLs Present steps used to produce a temperature TMDL based on

5/22/2012 Potential Natural Vegetation Objectives Temperature TMDLs Present steps used to produce a temperature TMDL based on riparian shade. Discuss the Priest Lake Subbasin PNV temperature TMDLs. Mark Shumar, State Technical

208 views • 6 slides
COOL LIKE KATNISS: HOW TO NEVER MISS YOUR TARGET Targeting Why Do We Do It?!

COOL LIKE KATNISS: HOW TO NEVER MISS YOUR TARGET Targeting Why Do We Do It?!

COOL LIKE KATNISS: HOW TO NEVER MISS YOUR TARGET Targeting Why Do We Do It?! Targeting Show your brand to the right environment Unless you show it to the right people at the right time your ad wont reach your goal

537 views • 43 slides
Complete Presentation Skills Discover the secrets, skills and tools that successful presenters use

Complete Presentation Skills Discover the secrets, skills and tools that successful presenters use

Complete Presentation Skills Discover the secrets, skills and tools that successful presenters use to communicate with confidence and ease. The Complete Presentation Skills programme is run over two days: 2 1 Presentation Presentation

246 views • 7 slides

More recommend