Web Admin Blog Real Web Admins. Real World Experience.

13 Nov 2009

Building an In-House Application Security Assessment Team

This presentation was by Keith Turpin from The Boeing Company. About three years ago, all of Boeing's application security assessments were coming from outsourced service providers. They realized that they had little control over the people and process, and had difficulty integrating the controls into the SDLC, so they decided to bring these functions in-house. The goal of this presentation is to show some of the issues they ran into and how they addressed those problems. My notes from the presentation are below:

Contracted Services Considerations

  • Some Advantages:
    • Highly skilled
    • Established tools, processes, and standards
    • Unbiased
    • Available as needed
  • Some Disadvantages:
    • Expensive, especially for an extended engagement
    • Less control and flexibility
    • Not familiar with company processes and culture
    • Rotating staff

Planning

  • Considerations for establishing an internal team:
    • Time to staff and train the team
    • Overlap of external and internal teams
    • Development of processes and standards
    • Acquiring necessary tools

Service Model

  • Define the services your team will provide. This will be greatly influenced by:
    • The team's size and skills
    • The number of applications you have to support
    • The tools available
    • The level of executive support
    • The funding model
      • Who pays for your services
    • The team's role
      • Development support, pre-deployment testing, or post-deployment auditing and pen testing
25 Sep 2008

Tiger Team – AppSec Projects – OWASP AppSec NYC 2008

This presentation was by Chris Nickerson, founder of Lares Consulting, and the goal was to talk about the use of layered attacks.

General types of threats include social engineering/human (corporate/personal manipulation, bogus e-mails, physical intrusion, media dropping, phone calls, conversation, role playing), electronic (application and business logic attacks, software vulnerability exploitation, ...), physical (break-in, theft, physical access, physical manipulation, violence), and malfunction/inherent (business logic flaws, software glitches, software coding holes/exploits, process breakdown, act of god/war/terrorism disruption, intended backdoors). A red team test should cover them all.

Why red teaming?

How do you know you can put up a fight if you have never taken a punch?

Red teaming process: Information Gathering -> Vulnerability Analysis -> Target Selection -> Planning -> Executing the Attack -> Back to step 1

Process of Attack

  • Information Gathering: Research methods and useful information (spend most time here)
  • Vulnerability Analysis: Internal/external/hired/personal
  • Target Selection: Internal/external/hired/personal
  • Planning: Plan a, b, e, d, pie
  • Executing the Attack: Getting what you need and getting out. Not getting greedy. Getting out cleanly.

Corporate Attack Approach

  • External Direct: server/app attack
  • External Indirect: client side/phishing/phone calls
  • Internal Indirect: key/cd drops/propaganda/creating a spy
  • Internal Direct: social/electronic/physical/blended
  • Exotic Attacks: environment manipulation (pulling the fire alarm, etc. to move people)

Information Gathering Tools

  • Maltego: The best attacks from the best intel (gives a graphical view of how all of the information interacts)
  • Metagoofil: Yer Dox on the net have Infos (Extracts information from internet documents)
  • Clez.net (External Profiling)
  • CentralOps.net (Network Profiling)
  • Robtex (Server Profiling)
  • Touchgraph (Show business relationships and links)
  • ServerSniff (Get tons of webserver specific info and verification)
  • Netcraft (usage info)
  • DomainTools (Domain info)
  • MySpace/Friendster/Twitter (know ya enemy)

Onsite Tools

  • BootRoot/SysReQ
  • Ophcrack Live
  • Helix/Backtrack
  • Core Impact
  • FireWire PCMCIA Card + Winlockpwn = Unlock
  • Switchblade + Hacksaw + U3 drive
  • Elite Keylogger
  • WRT + Metasploit = Cheap leave behind

Other Fun Toys Onsite

  • FlexiSpy (installs image on cell phone to read SMS, listen to phone calls, etc)
  • Pen cams
  • USB cams
  • Cell phone jammers

All of these different methods to test front/back/side doors don't rule out the low-tech attacks. You could spend a million dollars to prevent someone from hacking the server, and they could just walk in the front door and take it. A really good talk by a guy who really knows his stuff, and the only talk I've seen so far at the conference that wasn't specifically about technical vulnerabilities.