OUCC 2015 Inspiring Innovation Presentation: Secure Web Apps via Language Security Checklists, Project Management Principles, and Cyclic App Pen Testing. Presenter: Patrick Matlock, U of Waterloo. Date: May 5th, 2015. Email: [email protected]

TRANSCRIPT

OUCC 2015 Inspiring Innovation

Presentation: Secure Web Apps via Language Security Checklists, Project Management Principles, and Cyclic App Pen Testing
Presenter: Patrick Matlock, U of Waterloo
Date: May 5th, 2015
Email: [email protected]

THANKS

• My Dad
• Jason Testart

MY DAY JOB

• Web penetration tester
• Security consultant
• Code reviews
• EA web security reference model VMs
• (developer; eater of Dog Food)

WEB PEN TEST CLIENTS

• UW Portal [OUCC 2015]
• UW OpenData [OUCC 2015]
• PeopleSoft HR
• Desire2Learn
• 190+ different vendors/systems

WHAT WAS THE PROBLEM?

• btw: “require pen test/web pen test. Today”
• “end of project”
• “Uhmmm. Software/system has some issues …”
• Hated throughout the land

Let's graph that!!

SPECIFIC TO GENERAL

• “end of project parade”
• However, web pen testing is a set of variable tasks
• SDLC: inject IT security as early as possible
• Pro-active vs Reactive

SECURITY BY DESIGN

• SDLC (security development life cycle)
• “Spiral (waterfall; go back)” project management
• Get the risks correct (close)
• Language security checklist (deterministic)
• Web Pen test profiler rig (self serve, deterministic)

DATA LANGUAGE CHECKLISTS

CHECKLIST CONTENT

• Best practice, usage guide, DB, framework?
• MUST, SHOULD, COULD
• Web Specific pieces per language
• Formal References

angularJS CHECKLIST

WEB PEN TEST PROFILER: why

• Light patrol of campus public web
• (no WAFs, SAST/DAST/IAST/RASP)
• Surgical vs brute force (time & $$$$$$)
• IST-ISS is campus resource; “manage what you measure”
• API self-service *now*
• Pro-active

WEB PEN TEST PROFILER *TOOL*

Arachni

WEB PEN TEST PROFILER 80/8080/443/4443

Script

WEB PEN TEST PROFILER MAIN URL

WEB PEN TEST PROFILER HOSTS

WEB PEN TEST PROFILER URL LIST

WEB PEN TEST PROFILER PLUGIN

WEB PEN TEST CONFIGURATION

WEB PEN TEST API XML

WEB PEN TEST API JSON

LOOKING FOR?

• XSS (Cross Site Scripting)
• CSRF (Cross Site Request Forgery)
• missing SESSION cookie “secure” flag
• missing SESSION cookie “httpOnly” flag
• SQL* injection
• SESSION issues
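The two cookie-flag findings above are deterministic to check from response headers alone. The following Python is an added example (not code from the presentation or its profiler rig); the session-name hints and the sample Set-Cookie headers are constructed assumptions.

```python
# Added example (not from the presentation or its profiler rig): flag session cookies
# whose Set-Cookie header lacks Secure or HttpOnly. Name hints and samples are constructed.

SESSION_NAME_HINTS = ("sess", "sid", "token")  # assumption: common session cookie names


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into the cookie name and a lowercase attribute map."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True  # bare attribute such as Secure or HttpOnly
    return {"name": name, "attrs": attrs}


def looks_like_session_cookie(name):
    """Heuristic: a cookie whose name contains a session hint is treated as a session cookie."""
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def audit_set_cookie_headers(headers, over_https=True):
    """Return (cookie_name, finding) pairs for session cookies missing Secure / HttpOnly.
    Secure is only required when the response came over HTTPS; on plain HTTP a Secure
    cookie could never be sent back, so reporting it there would just be noise."""
    findings = []
    for raw in headers:
        cookie = parse_set_cookie(raw)
        if not looks_like_session_cookie(cookie["name"]):
            continue
        if over_https and "secure" not in cookie["attrs"]:
            findings.append((cookie["name"], "missing Secure flag"))
        if "httponly" not in cookie["attrs"]:
            findings.append((cookie["name"], "missing HttpOnly flag"))
    return findings


# Constructed sample Set-Cookie headers, as a profiler run might capture them.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",                            # no Secure
    "JSESSIONID=def456; Path=/app; Secure",                          # no HttpOnly
    "session_token=ghi789; Path=/; Secure; HttpOnly; SameSite=Lax",  # both flags set
    "theme=dark; Path=/",                                            # not a session cookie
]

if __name__ == "__main__":
    for name, finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{name}: {finding}")
```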

HOW DO PROJECTS ROLL NOW?

• Initiate – Code?
• Plan – Checklist
• Execute – Follow?
• Monitor – Review
• Control – Pen test

Anything Else?

• Hey I have my kali/backbox pen test VM!
• Detailed “managed risk” reports [15pg. to 35pg.]
• IST-ISS, vendor*, client as risk partners
• Manage the web risk over longer time period
• Rinse & Repeat now

Let's graph that!!

Next for WEB Pen Test Rig/Checklists?

• 8? Flavours of “RESTful” like webservices
• Nonce based AuthN & AuthZ
• Perhaps some load test properties
• Formal GitHub project
• Checklists submitted as supported set to OWASP

THANKS!

Questions & Answers