cf.objective.2009
Approaches to Automated Security Testing
Bill Shelton (no initials – no hacker alias) – [email protected] – @virtix on Twitter
One Big Ass Problem!
Programmer Security guy
Break it
Disassemble, Discover, Discard
+ Webdriver + + ==
Ok … Now what?
It’s T-shirt time! What’s wrong with the following code?
Static Analysis
Trust Boundaries
Validation
Output Encoding
Black List
White List
Validate this, punk …
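The slides on trust boundaries, validation, output encoding and black list vs. white list are titles only, so here is an added worked example (not code from the talk or from any ColdFusion framework) that puts the four together: every parameter crossing the trust boundary is checked against a white list that describes what valid input looks like, a black-list filter is shown alongside for contrast, and free-text values are encoded for the HTML context at output time. The field rules, the deny list, the sample inputs and all function names are constructed for this example.

```python
"""White-list validation at the trust boundary plus HTML output encoding.

Added example, not from the slides. FIELD_RULES, DENY_LIST and the
function names are constructed for illustration.
"""
import html
import re

# White list: a positive definition of each field that crosses the
# trust boundary (type, alphabet and length), so anything else is rejected.
FIELD_RULES = {
    "id": re.compile(r"[1-9][0-9]{0,9}"),          # positive int, bounded length
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "zip": re.compile(r"[0-9]{5}"),
}

# Black list: a few known-bad fragments (shown only to contrast the two
# approaches; a list like this can never enumerate every bad input).
DENY_LIST = ("<script", "javascript:")


def deny_list_filter(value):
    """Black-list check: accept unless a listed fragment appears."""
    lowered = value.lower()
    return not any(bad in lowered for bad in DENY_LIST)


def validate(field, value):
    """White-list check: accept only values matching the field's rule.

    An unknown field name is itself a failure: a parameter the
    application never defined should not cross the boundary.
    """
    rule = FIELD_RULES.get(field)
    if rule is None or not isinstance(value, str):
        return False
    return rule.fullmatch(value) is not None


def validate_request(params):
    """Check every parameter in a request; return the names that failed."""
    return [name for name, value in params.items() if not validate(name, value)]


def render_greeting(display_name):
    """Output encoding: free text is escaped for the HTML body context."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"
```

The contrast the slides draw is visible in the checks: `deny_list_filter` happily passes `"123abc"` as an `id` because nothing on its list matches, while `validate("id", "123abc")` rejects it because the value does not fit the positive definition. Encoding is applied at output rather than at input so the stored value stays intact and the escaping matches the context it is rendered into.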
http://foo.com/myapp/profile.cfm?id=123
Direct Object Reference
Indirect Object Reference
Take Away
• Think securely from the first line of code – far better to write securely from the start than to fix it later
• Use black box tools to help to grab low hanging fruit
• Use your knowledge to dig in and find and fix vulnerabilities – gray and white box approaches
• Learn the trust boundaries
• Validate and encode correctly
Test Be Happy
Stuff to Read
• OWASP - http://www.owasp.org/index.php/Main_Page
• SANS Institute - http://www.sans.org/
• SANS Top 25 of 2009 - http://www.sans.org/top25errors/
• Secure Programming with Static Analysis – Brian Chess & Jacob West
• OWASP:Software Assurance Maturity Model - http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
• Software Security: Building Security In – Gary McGraw
• Exploiting Software: How to Break Code – Gary McGraw
• Hackers.org - http://ha.ckers.org/
• Free Stock Photos - http://www.sxc.hu/