SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT
Review by Rayna Burgess, 4/21/2011
COMP 587 SW V&V Dr. Lingard | Security Testing Review – Rayna Burgess
Overview
- The Paper Selection
- Security Testing is Important (Relevant)
- Security Testing is Different from Functional Testing
- Security Testing is Difficult
- Security Engineer’s Tasks
- Analyzing Security Risks
- Types of Security Testing
- Case Study: Java Card
- Conclusion
The Paper: Software Security Testing
- Gary McGraw, PhD, CTO of Cigital, Inc.
- Series of articles in IEEE Security & Privacy
Security Testing is Important
Security Testing is Different
- Malicious attacker
- Intelligent adversary
- Vulnerabilities exploited
Aaah! So many vulnerability lists!
McGraw’s Vulnerability Taxonomy
Vulnerability Name Dropping
- gets() (buffer overflow problem, Morris Worm)
- Race condition (time of check to time of use)
- Insecure failure
- Transitive trust
- Trampoline
- Zero day exploits
SQL Injection Vulnerability
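The SQL injection slide survives only as its title, so the following added example (mine, not from the slides or from McGraw's articles) puts the defect beside its fix and runs the two kinds of test the review contrasts against both. The user table, the `login_*` functions and the test helpers are constructed for the demo; the built-in sqlite3 module stands in for a real database driver.

```python
"""Added example: string-built SQL beside a parameterized query, checked by
a functional test and by a risk-based test. All names and data are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with a single known account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Builds the statement by concatenation, so attacker-controlled text
    becomes SQL syntax. The defect is kept on purpose for comparison."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Same check with bound parameters: the driver passes the values apart
    from the statement, so quotes in the input never change the query."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def functional_test_passes(login) -> bool:
    """Functional security test: right password accepted, wrong one rejected.
    Both implementations pass it, which is exactly why it is not sufficient."""
    conn = make_db()
    return login(conn, "alice", "correct horse") and not login(conn, "alice", "wrong")


def risk_based_test_passes(login) -> bool:
    """Risk-based test: the tester supplies a quote and a tautology instead of
    a password. A correct login must still reject the attempt."""
    conn = make_db()
    return not login(conn, "alice", "' OR '1'='1")


if __name__ == "__main__":
    for label, fn in (("vulnerable", login_vulnerable), ("parameterized", login_parameterized)):
        print(f"{label}: functional={functional_test_passes(fn)} "
              f"risk_based={risk_based_test_passes(fn)}")
```

Both versions pass the functional test; only the parameterized version passes the risk-based one, which is the slide's point that a passing functional suite says nothing about what an adversary can do.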
SW Security Engineer’s Tasks
Analyzing Security Risks
- Think like an attacker
- Vulnerability in weakest link can expose the system
- Requires expertise
- Can practice/learn on: WebGoat, DVWA, Hacme Bank
Types of Security Testing
- Functional security testing
- Risk-based security testing (hostile attacks)
- Black box / white box
- Static / dynamic
Static Security Analysis
- Risk analysis of design and architecture
- Static security analysis tools: source code or byte code
- Good at finding patterns
- Numerous false positives
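To make the "good at finding patterns, numerous false positives" pair concrete, here is an added example (mine, not a tool from the slides or McGraw's work): a toy pattern-based checker in the spirit of the slide, run over a constructed C fragment that uses the gets() call from the name-dropping slide. The rule table, the sample C text and the `naive_scan`/`triaged_scan` names are all constructed; real tools work from a parsed representation, not line regexes, but the false-positive behaviour is the same in kind.

```python
"""Added example: a grep-style static checker and a slightly smarter one,
showing why pattern findings need human triage. Sample C and rules are made up."""
import re

# Constructed sample: two real findings, two lines that merely look like findings.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
/* legacy: gets(buf) was removed in C11; do not reintroduce it */
int read_name(char *buf) { return gets(buf) != NULL; }      /* real: unbounded read */
void copy(char *dst, const char *src) { strcpy(dst, src); } /* real: unbounded copy */
const char *hint = "never call gets(buf) here";             /* only a string literal */
int widgets(int n) { return n * 2; }                         /* not a gets call */
"""

# Rule table: pattern -> why it is flagged. The \b keeps 'widgets(' from matching.
RULES = {
    r"\bgets\s*\(": "gets() reads an unbounded line into a fixed buffer",
    r"\bstrcpy\s*\(": "strcpy() copies without a length bound",
}


def naive_scan(source: str) -> list:
    """Grep-style scan: every line matching a rule is reported as a finding."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, why in RULES.items():
            if re.search(pattern, line):
                findings.append((lineno, why))
    return findings


def strip_comments_and_strings(line: str) -> str:
    """Blank out /* */ comments and "..." literals so a call name inside them
    is not mistaken for code. Sufficient for the one-line cases in this demo."""
    line = re.sub(r"/\*.*?\*/", "", line)
    line = re.sub(r'"(?:\\.|[^"\\])*"', '""', line)
    return line


def triaged_scan(source: str) -> list:
    """Same rules applied to code text only: same true positives, fewer false ones."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = strip_comments_and_strings(line)
        for pattern, why in RULES.items():
            if re.search(pattern, code):
                findings.append((lineno, why))
    return findings


def false_positives(source: str) -> int:
    """How many naive findings vanish once comments and strings are ignored."""
    return len(naive_scan(source)) - len(triaged_scan(source))


if __name__ == "__main__":
    for lineno, why in naive_scan(SAMPLE_C):
        print(f"naive   line {lineno}: {why}")
    for lineno, why in triaged_scan(SAMPLE_C):
        print(f"triaged line {lineno}: {why}")
    print("false positives removed:", false_positives(SAMPLE_C))
```

The naive scan reports four findings, two of which (a comment and a string literal) a reviewer would have to discard by hand; the triaged scan keeps only the two real calls on lines 4 and 5, and even that still relies on a person deciding whether each remaining hit is reachable with attacker-controlled input.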
Penetration Testing
- Performed on a running system
- Can be used on COTS software too
- Penetration testing tools:
  - Network and OS vulnerability scanners: Nmap, Nessus, Aircrack
  - Automated penetration testing tools: Metasploit, Core Impact, Canvas
  - Other useful tools: fuzzing tools, WebScarab
- Quality of pen testing depends on the human!
Case Study: Java Card
- Operating system for smart cards; GlobalPlatform (Java Card, MULTOS)
- Used on bank cards (also SIMs, ID cards, medical)
- Two types of testing: functional security design tests; risk-based attack tests
Functional Security Testing
- Tests security functionality: crypto commands
- Compliance testing (GALITT 3/2011)
- All cards passed!
Risk-Based Security Testing (Attacks)
- Hostile attacks, based on risk assessment
- All cards failed some part of this testing!
- Analysis of Java Card design: identify atomic transaction processing as the area of interest
- Consequence is “printing money” (very high risk)
- Put on black hat, don’t follow the rules: abort, fail to commit, fill buffers, nest transactions
- Exposes vulnerabilities before cards are issued to the public
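The contrast between the two Java Card slides (every card passes the functional tests, every card fails some risk-based test) can be shown on a small model. What follows is an added example of mine, not code from the slides, from GALITT or from any real card: a constructed purse applet with Java Card style transactions, one version correct and one with a constructed defect in which credits bypass the commit buffer. The `Purse` and `TransactionError` names, the `BUFFER_SLOTS` limit and the balances are all assumptions; the four risk-based tests are the four rule-breaking moves the slide lists.

```python
"""Added example: functional vs risk-based tests against a toy transactional
purse. The model, its defect and every number here are constructed."""


class TransactionError(Exception):
    """Raised when the transaction API is misused."""


class Purse:
    """Toy purse with atomic transactions (constructed model).

    Writes made between begin() and commit() are staged in a bounded commit
    buffer and applied together on commit(); abort() or a card tear before
    commit() must leave the persistent balance untouched."""

    BUFFER_SLOTS = 4  # constructed limit on staged writes per transaction

    def __init__(self, balance: int, buggy: bool = False):
        self.balance = balance  # persistent value
        self._staged = None     # None while no transaction is open
        self._buggy = buggy     # constructed defect: credits skip the buffer

    def begin(self) -> None:
        if self._staged is not None:
            raise TransactionError("nested transaction")
        self._staged = []

    def _stage(self, delta: int) -> None:
        if self._staged is None:
            raise TransactionError("no transaction open")
        if len(self._staged) >= self.BUFFER_SLOTS:
            raise TransactionError("commit buffer full")
        self._staged.append(delta)

    def credit(self, amount: int) -> None:
        if self._buggy:
            self.balance += amount  # written straight to persistent memory
        else:
            self._stage(amount)

    def debit(self, amount: int) -> None:
        if amount > self.balance + sum(self._staged or []):
            raise TransactionError("insufficient funds")
        self._stage(-amount)

    def commit(self) -> None:
        if self._staged is None:
            raise TransactionError("no transaction open")
        self.balance += sum(self._staged)
        self._staged = None

    def abort(self) -> None:
        self._staged = None

    def reset(self) -> None:
        """Card tear / power loss: staged writes are simply lost."""
        self._staged = None


def functional_tests_pass(purse: Purse) -> bool:
    """Functional security test: well-formed credit and debit transactions
    give the expected balance. Both the correct and the buggy purse pass."""
    start = purse.balance
    purse.begin()
    purse.credit(10)
    purse.commit()
    purse.begin()
    purse.debit(5)
    purse.commit()
    return purse.balance == start + 5


def _raises(action) -> bool:
    try:
        action()
    except TransactionError:
        return True
    return False


def risk_based_tests(purse: Purse) -> dict:
    """Risk-based tests: break the transaction rules the way the slide lists
    and check the one property that matters, that the balance cannot grow."""
    results = {}
    before = purse.balance                      # abort
    purse.begin()
    purse.credit(100)
    purse.abort()
    results["abort_rolls_back"] = purse.balance == before
    before = purse.balance                      # fail to commit (tear)
    purse.begin()
    purse.credit(100)
    purse.reset()
    results["tear_rolls_back"] = purse.balance == before
    purse.begin()                               # nest transactions
    results["nested_begin_rejected"] = _raises(purse.begin)
    purse.abort()
    purse.begin()                               # fill buffers
    results["overfill_rejected"] = _raises(
        lambda: [purse.debit(1) for _ in range(Purse.BUFFER_SLOTS + 1)])
    purse.abort()
    return results


if __name__ == "__main__":
    for label, purse in (("correct", Purse(50)), ("buggy", Purse(50, buggy=True))):
        print(label, "functional:", functional_tests_pass(purse), risk_based_tests(purse))
```

The buggy purse passes the functional suite yet fails the abort and tear tests, ending with more money than it started with; that is the "printing money" consequence the risk assessment singled out, and it only shows up when the tester deliberately stops following the rules.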
Conclusion: SW Security Testing is…
- Important: more software, more new attacks; more functionality, more vulnerabilities; software is everywhere and connected!
- Different: presence of a malicious, intelligent attacker; software test engineers have different skills
- Difficult: exploits are subtle; automated static & dynamic tools insufficient; need a human!

“So now, when we face a choice between adding features and resolving security issues, we need to choose security.” - Bill Gates