Software Security Testing: The Next Frontier

Software Confidence. Achieved.

Scott Matsumoto, Principal Consultant, [email protected]

www.cigital.com, [email protected], +1.703.404.9293

Tuesday, May 01, 2007

About Cigital

  • A leading consulting firm specializing in helping organizations improve their software security and software quality posture
  • Recognized experts in "Building Security In"
  • Extensive industry standards, best practices, and regulatory compliance experience

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.


Software Security Is A Challenge

The Trinity of Trouble:
  • Connectivity: the Internet is everywhere and most software is on it
  • Complexity: networked, distributed, mobile code is hard
  • Extensibility: systems evolve in unexpected ways and are changed on the fly

[Figure: "This simple interface… is this complex program" (a .NET interface contrasted with the program behind it). Caption: "The network is the computer."]

Software Vulnerability Growth

Reported software vulnerabilities per year (source: CERT):

  Year | Reported vulnerabilities
  2000 | 1090
  2001 | 2437
  2002 | 4129
  2003 | 3784
  2004 | 3780
  2005 | 5690
  2006 | 8064

Web-based Application Vulnerability

Software security problems are in the application software.

Top 4 Vulnerabilities in CVE

[Chart: percentage distribution of the top 4 vulnerability classes in CVE, 2000–2007. Series: XSS, buf (buffer overflow), sql-inject (SQL injection), dot (directory traversal). Y-axis: 0% to 25%.]

Software Security Touchpoints

SQL Injection

Insert SQL commands into data fields to alter the behavior of the server:
  • Return different data
  • Overwork the server with unbounded queries and joins (denial of service)
  • Alter data
  • Execute blocks of arbitrary SQL statements

Example SQL Injection Vulnerability

Compose a dynamic query based on user input:

  SELECT cc_type, cc_num FROM cc_data WHERE id='%s' AND cc_type='%s'

Normal input, cc_type = 'Visa':

  SELECT cc_type, cc_num FROM cc_data WHERE id='123456789' AND cc_type='Visa'

SQL Injection

Insert SQL commands into data fields to alter the behavior of the application.

Example: enter  x' OR 'a'='a  instead of "Visa" to produce

  SELECT cc_type, cc_num FROM cc_data WHERE id='123456789' AND cc_type='x' OR 'a'='a'

Because AND binds tighter than OR, the WHERE clause is evaluated as (id='123456789' AND cc_type='x') OR 'a'='a', which is true for every row.

Results in all credit card data being returned.
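The two slides above, driven end to end as an added example (this is not code from the original deck or from Cigital). It builds the slide's cc_data table in an in-memory SQLite database with a few constructed rows, runs the slide's query both in the vulnerable string-formatted form and with bound parameters, and adds the check a tester would script: a cc_type that matches nothing must return no rows, so if the tautology payload returns more than that baseline, the input is changing the query's logic. The sample rows, the second customer id 987654321, and the function names are assumptions for the illustration.

```python
import sqlite3

# Constructed sample table (not from the slides): two cardholders, three cards.
SAMPLE_ROWS = [
    ("123456789", "Visa", "4111111111111111"),
    ("123456789", "Amex", "378282246310005"),
    ("987654321", "Visa", "4012888888881881"),
]


def make_db():
    """In-memory SQLite copy of the slide's cc_data table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cc_data (id TEXT, cc_type TEXT, cc_num TEXT)")
    conn.executemany("INSERT INTO cc_data VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user_id, cc_type):
    """The slide's pattern: user input pasted into the SQL text with %s.
    Deliberately injectable: an attacker's quote ends the literal early."""
    sql = ("SELECT cc_type, cc_num FROM cc_data WHERE id='%s' AND cc_type='%s'"
           % (user_id, cc_type))
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id, cc_type):
    """Same query with bound parameters: the driver passes the values
    separately from the SQL text, so quotes in the input remain data."""
    sql = "SELECT cc_type, cc_num FROM cc_data WHERE id=? AND cc_type=?"
    return conn.execute(sql, (user_id, cc_type)).fetchall()


# The slide's tautology payload. AND binds tighter than OR, so the WHERE
# clause becomes (id=... AND cc_type='x') OR 'a'='a', true for every row.
PAYLOAD_ALL_ROWS = "x' OR 'a'='a"

# A targeted form of "return different data" (assumption: the tester knows
# or guesses another customer's id): fetch that customer's cards instead.
PAYLOAD_OTHER_USER = "x' OR id='987654321"


def is_injectable(conn, lookup, user_id="123456789"):
    """Black-box probe: a cc_type that matches nothing must return no rows;
    if the tautology payload returns more rows than that baseline, the
    input is altering the query rather than being treated as a value."""
    baseline = lookup(conn, user_id, "x")
    probed = lookup(conn, user_id, PAYLOAD_ALL_ROWS)
    return len(probed) > len(baseline)


if __name__ == "__main__":
    conn = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable),
                     ("parameterized", lookup_safe)):
        print(name, "normal:", fn(conn, "123456789", "Visa"))
        print(name, "payload:", fn(conn, "123456789", PAYLOAD_ALL_ROWS))
        print(name, "injectable:", is_injectable(conn, fn))
```

With the vulnerable function the payload returns every row and the probe reports injectable; with bound parameters the payload is compared literally against cc_type, matches nothing, and the probe reports clean. The slide's last bullet, executing blocks of arbitrary SQL, does not reproduce here: Python's sqlite3 refuses to run more than one statement per execute() call, so stacked-query payloads depend on the driver and database in use, which is exactly the kind of thing a tester needs to know about the target application.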


Software Security Testing – Call to Action

Types of problems (vulnerabilities)
  • Weaknesses, vulnerability and attack patterns

Tools and techniques for testing
  • Penetration and fuzzing tools
  • Think like a bad guy
  • Know your application

Resources
  • CWE/CVE – mitre.org
  • OWASP – owasp.org
  • Verify 2007 – verifyconference.com

Thank you for your time.
