Web Applications Security Assessment
in the Portuguese WWW Panorama
ISCTE-IUL/DCTI
Instituto Superior do Trabalho e da Empresa / Instituto Universitário de Lisboa
Departamento de Ciências e Tecnologias de Informação
Carlos Serrão, [email protected]@gmail.com
http://www.carlosserrao.net
http://blog.carlosserrao.net
http://www.linkedin.com/in/carlosserrao
Nuno Teodoro, [email protected]@hotmail.com
http://www.linkedin.com/in/nunoteodoro
Iberic Web Application Security Conference 2009
Motivation
Master thesis project
Great academic interest
Original study in Portugal
Important in the Portuguese community: recent events expose the insecurity of the Portuguese network
Growing insecurity in web applications
Assessment…how?
1. Web application security assessment methodologies analysis
2. Vulnerabilities identification
3. Selection of the Web applications to be tested
4. Web applications security assessment methodology
5. Apply the methodology to the web applications
6. Test results
Web application security assessment methodologies analysis
What do we have to start with?
Source code? Online access to the Web Application?
Inside knowledge about the Web Application?
What we can't do:
- Application Security Architecture Review
- Automated Source Code Analysis
- Manual Security-Focused Code Review
What we can do:
- Automated External Application Scanning
- Manual Penetration Testing
Vulnerabilities identification
Selection of the Web applications to be tested
Main critical areas to assess:
- Public Administration Services (most representative set)
- Banks (most representative set)
Selection of the Web applications to be tested
Public Administration Services
Finances
Health Care
Social Security
Citizens’ Portal
Banks
Selection of the Web applications to be tested
Why were these Web Applications chosen?
Critical operations
Portuguese domain
Massive utilization
Interesting in the Portuguese WWW panorama
Selection of the Web applications to be tested
Finances
Entities: Citizens, Companies, Public entities, Other entities
Critical operations: IRS, IVA, IES, IRC, Open Activity, Confirm TOC, IMI, IMT, Circulation Tax, Ask NIF, Change NIB
Selection of the Web applications to be tested
Health Care
Entities: Citizens, Public entities, Health entities
Critical operations: Register, Pay services
Selection of the Web applications to be tested
Social Security
Entities: Companies, Employees, Others
Critical operations: Register, Payments, Penalties, Retirement Pensions, Family pensions, Unemployed pensions
Selection of the Web applications to be tested
Citizens' Portal
Entities: Companies, Citizens
Critical operations: Create company, General services
Web applications security assessment methodology
Penetration Testing
Passive Mode
Active Mode
Web applications security assessment methodology
Discovery
Document and analyse the Discovery results
Create attack simulations on the target entity
Analysis of each attack
Document the results of the Attacks
Solutions to mitigate the problems
Presentation of the results to the entity
Apply the methodology to the web applications
OWASP Testing Guide + WASC Threat Classification
Why combine both?
Broader issue coverage
Two important organizations
Test results
The aim is to produce a report for each tested Web Application, covering:
The typical modus operandi of the attacker
The techniques and tools attackers will rely on to conduct these attacks
Which exploits attackers will use
The data being exposed by the web application
Legal constraints
Most of the work described in this paper has to be bounded by legislation:
Getting the target entity to establish clear time frames for the pen testing exercise
Getting the target entity to clearly agree that we are not liable for anything going wrong
Finding out whether the target entity has any non-disclosure agreements that have to be signed
Getting the target entity's relevant contacts for any unexpected situation
Legal constraints
NOT doing that…
Might get us, or more precisely, ME, arrested…
…and I don’t want that!
Legal constraints
Presents a crucial point in this work
Can lead to work invalidation if permissions are denied
Can lead to a change of the entire work scope
Legal constraints
Mitigate legal constraints
Change target entities
Loss of some interest…?
Future Work
Ask for authorizations
Better understand the government services and identify process workflows
Get better insight into the tools, processes, methodologies, etc., needed to perform these assessments
Start working…
Questions?