Contraced Services Considerations

• Some Advantages:
  • Highly skilled
  • Established tools, processes, and standards
  • Unbiased
  • Available as needed
• Some Disadvantages:
  • Expensive, especially for an extended engagement
  • Less control and flexibility
  • Not familiar with company processes and culture
  • Rotating staff

Planning

• Considerations for establishing an internal team:
  • Time to staff and train the team
  • Overlap of external and internal teams
  • Development of processes and standards
  • Acquiring necessary tools

Service Model

• Define the services your team will provide.  This will be greatly influenced by:
  • The team's size and skills
  • The number of applications you have to support
  • The tools available
  • The level of executive support
  • The funding model
    • Who pays for your services
  • The team's role
    • Development support, pre-deployment testing or post deployment auditing and pen testing

Staffing the Team

• Decide how to staff your team and what skills you need.  Possible candidates include:
  • Experienced Application Testers
    • This is ideal from a skills standpoint, but people in this category may be harder to find, cost more, may not be familiar with your company and or fit its culture.
  • Experienced Developers
    • Developers will have a good understanding of the technologies, but may not understand security principles.  Their focus is on what an application is intended to do, not what it can be made to do.
  • Other IT Security Professionals
    • They have a good understanding of security principles, but may lack specific technical skills.  However, some skills may provide a useful overlap, like experienced OS or network testers.
  • Service and Project Managers
    • Building a new team, defining processes and standards, managing work flow and handling customer relations requires a set of skills as important, but distinct, from technical testing skills.

Selecting Tools

• There are a lot of options when it comes to tools.  What you choose depends on the services you want to provide, your team's skills and your budget.
  • Commercial vs. Free or Low Cost Tools
    • Commercial tools scale to support enterprise use, utilize a higher degree of automation and come with product support.  They also come with a big price tag.
    • Open source and low cost tools allow for more customization, and are free or inexpensive, usually have a supportive user community, but often require a higher degree of user knowledge and skill.
  • Types of Tools
    • Vulnerability Scanners
      • Commercial examples include IBM AppScan, HP WebInspect and Cenzic Hailstorm
    • Source Code Analysis
      • There are commercial options like Fortify or open source tools like the OWASP Yasca Project
    • Client Side Web Proxies
      • Options include WebScarab, Burp Suite and Charles Proxy
    • Other Tools
      • These include password crackers, hex editors, text extractors, browser plug-ins, integrated development environments, network mapping, network traffic analysis, and exploitation tools

What to Assess

• Measuring an application's risk:
  • The Types of Users
    • Privileged Users, employees, suppliers, customers or the general public
  • The Sensitivity of the Data
    • Intellectual Property, PII or other regulatory requirements
  • Availability and Integrity Requirements
    • The impact to the business if compromised
  • Technology and Environmental Consideration
    • What technologies are used, where is it deployed,...

Gather Necessary Information

• Before starting an assessment you will need to gather important information:
  • Application contacts
  • Server contacts
  • The process for getting accounts
  • A description of what the application does
  • The description or diagram of the system architecture

Assessment Planning Meeting

• Meet with the application development and support teams:
  • Get a demonstration of the application
  • Review the information gathered to support the assessment
  • Discuss the testing process and ground rules
    • No changes to the code during testing
    • Backups of the application servers and databases
    • How to address system crashes during testing
    • Database corruption issues
    • Emails generated by the application

Testing Notifications

• You should have a process to notify affected parties before the actual testing begins.
  • Key system contacts
  • Intrusion detection teams
  • Other assessors
• Information to include in the notification:
  • Source IP addresses
  • Target IP addresses, URL, system name
  • Testing schedule
  • Assessment team contacts

Conducting the Assessment

• If you are using automated scanning tools, beware of false positives and negatives
  • Pattern recognition has limitations
  • Combine various testing methods
    • Automated scanning
    • Code review
    • Manual testing
  • Learn what your tools do and do not do well
  • Validate every finding
  • Keep detailed notes

Establish Standards

• Assessments performed by two different people or the same person over time, may result in the same finding being presented very differently
  • This may result in inconsistent descriptions of the vulnerability or different recommendations for remediation
  • Without standard findings you may also find it difficult to produce meaningful metrics about discovered vulnerabilities

Standard Findings

• Opinions about how to standardize software vulnerabilities are like noses, everyone has one.
• At Boeing we have categorized vulnerabilities into approximately 70 standard findings like:
  • SQL Injection
  • Path Traversal
  • Session Fixation
  • Excessive Authentication Attempts
  • Forced Browsing
  • System information Leakage

Data Elements for Standard Findings

• Each finding is made up of the following data elements:
  • Name
  • Control Classification
  • Severity (Likelihood + Impact)
  • Company Policy References
  • Industry References
  • Summary Description (one sentence)
  • Impact Statement (one sentence)
  • Detailed Description (basic introduction to vulnerability + detailed description of how it manifests within their application)
  • Recommendation (standard remediation recommendations tied into SDLC practices)

Control Classifications

• We group individual vulnerabilities into control classifications.  This helps us determine how effective we are at implementing control types.
• Our classifications:
  • Input and output controls
  • Authentication and password management
  • Authorization and access management
  • Sensitive information storage or transmission
  • System configuration and management
  • General coding errors

Reporting Findings

• Developing a standardized reporting template will allow you to deliver a consistent, branded message
  • Cover Page
    • Provides information necessary to identify the assessment, what was assessed and who the key people were
  • Executive Summary
  • Findings Summary
  • Detailed Findings
  • Conclusion
    • Summary of assessment results, discussion of next steps and links to additional resources
  • Appendixes
    • Information on how severity ratings are determined, description of control classifications
  • Attachments
    • Typically raw scan files

Managing Corrective Actions

• Once a report is issued you need a closed loop process to ensure serious issues are addressed.  Considerations include:
  • Tracking Findings:
    • Critical and high findings should be tracked to resolution
    • Medium findings are less straight forward
    • Low or informational findings may not be value added
  • Customer Responses to Findings:
    • Implement a technical fix to address the finding
    • Implement a process fix to address the finding
    • The business formally accepts the risk of not remediating

When to Re-Evaluate an Application

• Depending on the number of applications you support and the frequency with which they change you may need to establish re-evaluation guidelines.  Soem criteria to consider include:
  • Fixes to previously accepted risk
  • User population changes
  • Data sensitivity changes
  • Business's dependency on the application has increased
  • Authentication mechanism has changed
  • Authorization mechanism has changed

Application Assessment Process Flow Version

• Create a document that shows the process flow for both requested and targeted assessment (ask for document from presenter?)
• Formal closure process

Conclusion

• Building an assessment team from the ground up takes:
  • Executive Support
  • A lot of planning
  • Staffing
  • The right tools
  • Training
  • Standards
  • Supporting Processes

Step 1: Exploit Overachievers

• Maximize value by using free tools
• OWASP (Open Web Application Security Project)
• WASC (Web Application Security Consortium)

Step 2: Learn

• Security is not an arcane art reserved for people with a special gift.  It’s campfire knowledge.
  • Assess your security posture regularly
  • Do not neglect any aspect of your security; bad guys don’t (Social Engineering, Internal Network, Firewall, Web Apps, etc)

Step 3: Chase Your Tail

• Remember where you started
  • Free tools can provide extreme amounts of value
    • OWASP (Eg: OWASP Testing Guide)
    • WASC
  • There is no magic to security

Tools Needed

• Web Developer Toolbar
  • POST to GET
  • Response headers
• NoScript or QuickJava

Estimating Vulnerabilities

• Site Age – Care & Feeding
  • “Copyright 2003”
  • Alexa
  • Archive.org
  • Whois
  • Last modified date
  • Old server + modules version #’s
• 2-3 years (2), 3-5 years (3), 5-10 years (4), 10+ (5)
• Programming Language
  • .cfm (1)
  • AJAX (1)
  • .do/.jsp (1)
  • .cgi/.pl/.shtml (2)
  • .asp (2)
  • .php (2)
  • .aspx/.jspx/.html (0)
  • Languages + Demographics theory
• Size of the Site Logic Complexity
  • Surf around manually
    • Sitemap
  • Google inurl: search
  • Spider (added download + added time)
  • Small (0), Medium – typical retailer (1), Large – Yahoo (3)
• Search
  • XSS tests (1)
    • “Company”
    • I <3 U
  • SQL injection (1)
    • O’Malley
  • DoS (.5)
    • a AND b AND c …
• Registration
  • Does it exist?  Yes (1)
  • Email validation and/or CAPTCHA (1-2)
  • Password complexity? (1)
  • Can you choose “admin” as a username? (1)
• Security Functions
  • Does change password enforce password complexity rules
  • Does change password require the existing password
  • Can you change email address without a password
  • Can emails be changed without validating them
  • Are secret questions “strong”
• Contact forms
  • Do they have an email address in a hidden field (1)
  • Submit a blank contact
    • Does it work without an error (1)
  • With and without JavaScript
    • Does it say “Thanks” without JS but errors when JS is turned on (1)
  • Can users contact other users on the site (Eg: Private message) (2)
• Login
  • Does it use SSL (1)
  • Does it allow auto complete (1)
  • Does it stop me from being able to type failed logins (3)
    • Horizontal, Vertical, & Diagonal Brute Force attacks
  • Can you switch POST to GET (1)
    • Session fixation
    • CSRF (1 per major site function, EG: change password, change secret question, change email address, etc)
  • Does it auto-logout (1)
  • javascript:alert(document.cookie) (1)
• Forgot password flow
  • Does it send the plaintext password (1)
  • Does it send a “small” key (1) – 20 bits or less
  • Does it tell you if your username is valid or not (.5)
• File Upload
  • Does it check file extensions (.5)
  • Does it check file types (.5)
  • Does it allow re-displaying of the file (1)
• HTML/JS/CSS Comments
  • Intranet IPs/addresses (.5)
  • Passwords (1)
  • Functionality comments (.5)
• URL Structure
  • function?path=/files/file.asp (1)
  • something?id=104 (1)
  • search?q=bob&charset=UTF-8 (1)
    • alternate charset
    • header injection
  • redir?url=http://www.cnn.com/ (.5)
  • chngpasswd?usr=bob&pass=1234 (2)
  • /images/ If it shows a directory (1)
• Obvious admin interfaces (2)
  • /admin/
  • /blog/wp-admin/
  • /administrator/
  • /adm/
  • admin.url.com
• Outdated Open Source or Commercial Programs
  • PHP nuke
  • WordPress
  • Drupal
  • 3/instance
  • +1 for every major revision out of date
• Other questions
  • Does it allow rich HTML user comments (1)
  • Does it have a send-to-friend function (1)
  • Virtual host? (MSN IP search) (1)

Things this doesn’t cover

• Timing attacks, buffer overflows, etc
• Network infrastructure flaws (including DNS)
• Predictable file locations (VCS trees, etc)
• Logic flaws
• Backup files/folders/CVS trees, etc
• Alternate paths of exploitation (email, FTP, APIs, etc)