TRANSCRIPT
OUCC 2015 Inspiring Innovation
Presentation: Secure Web Apps via Language Security Checklists, Project Management Principles, and Cyclic App Pen Testing
Presenter: Patrick Matlock, U of Waterloo
Date: May 5th, 2015
Email: [email protected]
MY DAY JOB
• Web penetration tester
• Security consultant
• Code reviews
• EA web security reference model VMs
• (developer; eater of Dog Food)
WEB PEN TEST CLIENTS
• UW Portal [OUCC 2015]
• UW OpenData [OUCC 2015]
• PeopleSoft HR
• Desire2Learn
• 190+ different vendors/systems
WHAT WAS THE PROBLEM ?
• btw: “require pen test/web pen test. Today”
• “end of project”
• “Uhmmm. Software/system has some issues …”
• Hated throughout the land
SPECIFIC TO GENERAL
• “end of project parade”
• However, web pen testing is a set of variable tasks
• SDLC: inject IT security as early as possible
• Pro-active vs Reactive
SECURITY BY DESIGN
• SDLC (security development life cycle)
• “Spiral (waterfall; go back)” project management
• Get the risks correct (close)
• Language security checklist (deterministic)
• Web Pen test profiler rig (self serve, deterministic)
CHECKLIST CONTENT
• Best practice, usage guide, DB, framework?
• MUST, SHOULD, COULD
• Web Specific pieces per language
• Formal References
WEB PEN TEST PROFILER: why
• Light patrol of campus public web
• (no WAFs, SAST/DAST/IAST/RASP)
• Surgical vs brute force (time & $$$$$$)
• IST-ISS is campus resource; “manage what measure”
• API self-service *now*
• Pro-active
LOOKING FOR?
• XSS (Cross Site Scripting)
• CSRF (Cross Site Request Forgery)
• missing SESSION cookie “secure” flag
• missing SESSION cookie “httpOnly” flag
• SQL* injection
• SESSION issues
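The two cookie-flag items above are the kind of deterministic check the profiler rig can run against a response; the following is an added example (not code from the presentation or from UW IST-ISS) that parses Set-Cookie headers and reports session cookies missing Secure or HttpOnly, graded with the checklist's MUST/SHOULD wording. The session cookie names and the sample headers are constructed assumptions.

```python
# Constructed sample: Set-Cookie headers as a web app might return them.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",          # missing Secure
    "JSESSIONID=xyz789; Path=/; Secure; HttpOnly",  # compliant
    "sessionid=q1w2e3; Path=/",                     # missing both flags
    "theme=dark; Path=/; Max-Age=31536000",         # not a session cookie
]

# Assumed list of session cookie names worth grading (adjust per framework).
SESSION_COOKIE_NAMES = {"PHPSESSID", "JSESSIONID", "ASP.NET_SessionId", "sessionid"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags have empty values
    return name.strip(), value, attrs


def check_session_cookie_flags(headers, session_names=SESSION_COOKIE_NAMES):
    """Return (cookie, finding, level) for each missing flag on session cookies.

    Secure is rated MUST (cookie otherwise travels over plain HTTP);
    HttpOnly is rated SHOULD (limits script access to the cookie after XSS).
    """
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in session_names:
            continue
        if "secure" not in attrs:
            findings.append((name, "missing Secure flag", "MUST"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly flag", "SHOULD"))
    return findings


if __name__ == "__main__":
    for cookie, finding, level in check_session_cookie_flags(SAMPLE_HEADERS):
        print(f"[{level}] {cookie}: {finding}")
```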
HOW DO PROJECTS ROLL NOW?
Initiate – Code?
Plan – Checklist
Execute – Follow?
Monitor – Review
Control – Pen test
Anything Else?
• Hey I have my kali/backbox pen test VM!
• Detailed “managed risk” reports [15pg. to 35pg.]
• IST-ISS, vendor*, client as risk partners
• Manage the web risk over longer time period
• Rinse & Repeat now
Next for WEB Pen Test Rig/Checklists?
• 8? Flavours of “RESTful” like webservices
• Nonce based AuthN & AuthZ
• Perhaps some load test properties
• Formal Github project
• Checklists submitted as supported set to OWASP