© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
HP Fortify on Demand
PSO eOPS Security Training, October 1st, 2012
Jason Haddix, Director of Penetration Testing
About the Presenter
• Jason Haddix (@jhaddix)
• Director of Penetration Testing at HP/Fortify on their ShadowLabs team.
• Previously worked in HP’s Professional Services as a security consultant, and as an engineer and pen tester for Redspin.
• Frequent attendee, presenter, and CTF participant at security cons such as Defcon, BlackHat, Brucon, DerbyCon, etc.
• Contributor/columnist to PentesterScripting.com, Ethicalhacker.net, and Hakin9 magazine.
• Serves on the advisory board for the GIAC Penetration Testing curriculum, and is GSEC, GPEN, and eCPPT certified.
Why Application Security?
Source: http://xkcd.com/327/
“We've also seen 19,000 new malicious URLs each day in the first half of this year. And, 80% of those URLs are legitimate websites that were hacked or compromised.”
Sophos Threat Report (First half of 2011)
...a new web threat emerges every 4.5 seconds...
Security Measures (Networks / Hardware)
• Switch/Router security
• Firewalls
• NIPS/NIDS
• VPN
• Net-Forensics
• Anti-Virus/Anti-Spam
• DLP
• Host FW
• Host IPS/IDS
• Vuln. Assessment tools

Why do we care?
Attackers are targeting applications. The measures above protect the network and hardware layers; the applications running on top of them are where the valuable assets and obligations sit:
• Intellectual Property
• Customer Data
• Business Processes
• Trade Secrets
• Regulations and Standards (PCI, HIPAA, SOX, etc.)
Your critical business applications face the Internet.
More than 60% of applications have serious flaws.
Challenges
• Difficult to train and retain staff; very difficult to keep skills up-to-date
• Constantly changing environment
• New attacks constantly emerge
• Compliance requirements
• Too many tools, with inconsistent results
Introducing Fortify on Demand

What is Fortify on Demand?
• SaaS-based, annual subscription model
• Unlimited assessments, unlimited users
• The most comprehensive coverage model: false positives verified, plus manual penetration testing
• Single portal for consuming results
• Market-leading analyzers for static and dynamic testing
• Business logic assessments
• Large testing team at your fingertips
• Scale rapidly (10, 100, 1000 applications)
• Security branding with the HP FoD logo on web applications
[Diagram: FoD assessment coverage: Thick Client, Web, Binary, 3rd-Party API, Mobile. Dynamic Testing is offered in three application tiers: Baseline, Standard, Premium.]
Dynamic Testing: Baseline
• Recommended for low-risk websites (marketing sites, brochure sites, applications that rarely change)
• An automated solution for websites, using the WebInspect security scanner
• All results are manually reviewed by security experts to remove false positives
Dynamic Testing: Standard
• Recommended for medium-risk websites
• Uses multiple automated and manual testing solutions
• All results are manually reviewed by security experts to remove any false positives. Includes penetration testing.
• Single user perspective
Dynamic Testing: Premium
• Recommended for high-risk websites
• Designed for mission-critical applications: technical and business logic vulnerabilities
• All results are manually reviewed by security experts to remove any false positives. Higher focus on manual penetration testing.
• Two user perspectives
• Web services
Dynamic Testing levels at a glance (column entries follow the Terms and Definitions below)

Level      Automated  False Positive  User      Remediation  Manual Security  Business  Web
           Scanning   Removal         Accounts  Scan         Testing          Logic     Services
Baseline   yes        yes             1         yes          no               no        no
Standard   yes        yes             1         yes          yes              no        no
Premium    yes        yes             2         yes          yes              yes       yes
Custom     -          -               -         -            -                -         -
Terms and Definitions
Automated Scanning: Fortify on Demand uses HP WebInspect as its core technology to perform automated crawling and technical auditing of web applications.
False Positive Removal: For all levels of service (Baseline, Standard, Premium), security assessment results are verified by a team of expert security engineers before results are marked complete within the Fortify on Demand portal. The Fortify on Demand team confirms that all data provided in the final report is free of false positives.
User Accounts: Depending on the level of service, the FoD assessment team uses either one (1) or two (2) user accounts for exercising the target application. Testing with more than one account profile lets the assessment team compare what each account can reach, which exposes a significant class of authorization and business logic flaws that a single-account scan cannot see, for example session hijacking or privilege escalation (horizontal, between peer users, or vertical, toward an administrative role).
Remediation Scan: For each completed assessment, users may opt to have discovered vulnerabilities retested to confirm that remediation efforts were successful. The remediation scan does not re-scan the entire application; it verifies only the unique, initially discovered vulnerabilities.
Manual Security Testing: For the Standard and Premium service levels, advanced tools and automated scripts are used to assess the target application for non-standard web application security flaws that the scanner's built-in checks do not cover.
Business Logic Testing: Business logic flaws are a category of vulnerabilities that cannot be discovered by technical or automated scanning technology, because a scanner has no model of what the application is supposed to allow. Business logic testing is available within the Premium level of service and provides approximately 40 hours of manual testing by a team of expert application security engineers.
Web Services: The Premium level of service provides assessment of SOAP- and REST-based web services for up to ten (10) web service endpoints.
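The two-account comparison behind the "User Accounts" definition, together with the targeted re-verification behind the "Remediation Scan" definition, as an added Python example; this is not HP's or Fortify on Demand's own tooling. The web application is a constructed in-process stand-in with two users and an invoice endpoint, and the session tokens, paths and invoice data are made up for the example. The check replays every request user A reached successfully as user B and as an anonymous client; a resource that comes back identically from another perspective is an authorization flaw that a single-account scan would have recorded as a normal 200.

```python
"""Two-perspective access-control check (added example, not FoD tooling).

Crawl as user A, replay A's successful requests as user B and as anonymous,
and flag resources that come back identically.  The 'web application' is a
constructed in-process stand-in so the script runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# A handler takes (session token or None, request path) and returns a Response.
Handler = Callable[[Optional[str], str], Response]

# Constructed fixture data: two users, each owning one invoice.
SESSIONS: Dict[str, str] = {"sess-alice": "alice", "sess-bob": "bob"}
INVOICES: Dict[int, Dict[str, str]] = {
    101: {"owner": "alice", "total": "1200.00"},
    102: {"owner": "bob", "total": "55.10"},
}


def _invoice_id(path: str) -> Optional[int]:
    """Extract the numeric id from '/invoices/<id>'; None if malformed."""
    prefix = "/invoices/"
    if not path.startswith(prefix) or not path[len(prefix):].isdigit():
        return None
    return int(path[len(prefix):])


def vulnerable_invoice(session: Optional[str], path: str) -> Response:
    """Authenticates the caller but never authorizes the object (IDOR)."""
    if session not in SESSIONS:
        return Response(401, "login required")
    inv_id = _invoice_id(path)
    inv = INVOICES.get(inv_id)
    if inv is None:
        return Response(404, "not found")
    return Response(200, f"invoice {inv_id} total {inv['total']}")


def fixed_invoice(session: Optional[str], path: str) -> Response:
    """Same endpoint with an ownership check before anything is disclosed."""
    if session not in SESSIONS:
        return Response(401, "login required")
    inv_id = _invoice_id(path)
    inv = INVOICES.get(inv_id)
    # 404 for both 'missing' and 'not yours' so the response does not
    # confirm that someone else's invoice id exists.
    if inv is None or inv["owner"] != SESSIONS[session]:
        return Response(404, "not found")
    return Response(200, f"invoice {inv_id} total {inv['total']}")


def two_perspective_check(handler: Handler, session_a: str, session_b: str,
                          crawled_paths: List[str]) -> Dict[str, List[str]]:
    """Replay A's successful requests as B and as anonymous.

    Returns, per unexpected perspective, the paths that returned the same
    200 body A received.  Requests A could not reach are skipped: only
    resources A legitimately used are interesting.
    """
    findings: Dict[str, List[str]] = {"other_user": [], "anonymous": []}
    for path in crawled_paths:
        baseline = handler(session_a, path)
        if baseline.status != 200:
            continue
        for label, session in (("other_user", session_b), ("anonymous", None)):
            replay = handler(session, path)
            if replay.status == 200 and replay.body == baseline.body:
                findings[label].append(path)
    return findings


def remediation_retest(handler: Handler, session_a: str, session_b: str,
                       findings: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Remediation scan: re-verify only the previously reported paths,
    not the whole crawl."""
    reported = sorted(set(findings["other_user"]) | set(findings["anonymous"]))
    return two_perspective_check(handler, session_a, session_b, reported)


if __name__ == "__main__":
    # Paths collected while crawling as alice (constructed).
    crawl = ["/invoices/101", "/invoices/999", "/invoices/abc"]
    found = two_perspective_check(vulnerable_invoice, "sess-alice", "sess-bob", crawl)
    print("initial assessment:", found)
    print("after remediation: ",
          remediation_retest(fixed_invoice, "sess-alice", "sess-bob", found))
```

Comparing response bodies rather than status codes alone matters: an application that answers 200 with a generic error page to the second user would otherwise register as a finding. Against a real target the same loop runs over a proxy's captured requests, with a tolerance for dynamic page content such as timestamps or CSRF tokens.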
Static Testing: Broad Support
Unlimited static scans. Results verified. Unlimited users.
Supported languages:
• ABAP
• ASP.NET
• C#
• C/C++
• Classic ASP
• COBOL
• Cold Fusion
• Flex
• HTML
• Java
• JavaScript/AJAX
• JSP
• Objective C
• PHP
• PL/SQL
• Python
• T-SQL
• VB.NET
• VB6
• VBScript
• XML
Powerful Remediation: Collaboration Module; Insightful Analysis and Reports
Fast and Scalable: 1-day static turnaround; virtual scan farm
Custom Testing
Penetration Testing:
• Internal Penetration Testing
• External Penetration Testing
• Wireless Penetration Testing
• Physical Penetration Testing
• Social Engineering
• APT Breach Simulation
• Vulnerability Assessment
Web Application Security:
• Internal
• External
• Web Service
• Cloud
Binary Assessment:
• Mobile Binaries
• Reverse Engineering
• Malware Analysis
• Threat Modeling
• Embedded Device Testing
Source Code:
• Manual Source Code Auditing in other languages
Remediation & SDLC:
• Vulnerability Remediation
• SDLC Implementation & Auditing
• Secure Code Training
Technologies of Fortify on Demand

World Renowned Technologies
• Fortify SCA Engine: fully mapped taxonomy of all vulnerability categories (VulnCAT)
• HP WebInspect Engine: largest set of dynamic vulnerability checks, 8k+ (SecureBase)
• TippingPoint & ArcSight Vulnerability Intelligence: leaders in malware & 0-day research

Fortify SCA
Detects more than 480 types of software security vulnerabilities across 20+ development languages, the most in the industry.
IDE integration for faster identification earlier in the development lifecycle.
Mobile application support: iPhone & Android.
Features
• Pinpoint the root cause of vulnerabilities, with line-of-code detail
• Prioritize fixes sorted by risk severity
• Detailed “fix” instructions, in the development language

HP WebInspect
Largest security check database (8k+ dynamic checks).
An independent research study showed WebInspect to outperform other enterprise dynamic scanners in application coverage, scoring 99.26% in injection accuracy (source: http://www.sectoolmarket.com/).
One of the only dynamic scanners to support web services and true REST APIs.
Features
• Can integrate with the server runtime to find more vulnerabilities, faster (SecurityScope)
• Easy and simple export of vulnerabilities to the TippingPoint WAF
• Powerful macro engine to navigate custom authentication or heavy use of AJAX
Behind the Curtain
Security Assessments by Security Professionals
[Diagram: applications (Thick Client, Web, Binary, 3rd Party, Mobile) enter FoD. Static process flow: Automated Static/Whitebox Analysis, then FoD Engineers perform False Positive Reduction and Manual Source Code Analysis. Dynamic process flow: Automated Dynamic/Blackbox Analysis, then FoD Engineers perform False Positive Reduction and Full Web/Mobile Application Penetration Testing.]
(Some) Team Members
• Daniel Miessler: Methodology Guru (OWASP, WASC, WAHH); SecLists Project Maintainer
• Dennis Antunes: Dynamic Assessment Lead
• Bucky Spires: Mobile Assessment Lead
• Andre Gironda: Sr. Application Tester
• Cash Turner: Sr. Dynamic Application Tester
• Nick Childers: Sr. Researcher and Application Tester; Former Leader of the Shellphish Defcon CTF Team
• Nick Denarski: Metasploit Contributor and Trainer
• Brooks Garret: DVWA Maintainer
• Kevin Lynn: Sr. Application Tester

Team background
• Community contributions
• Certifications
• Repeatable, highly technical methodologies: Web Application Security Consortium, Open Web Application Security Project, Web Application Hacker's Handbook, Penetration Testers Execution Standard
• Combined 7+ decades of practical application security testing experience
Success Stories

Leading By Example
Over 1000 organizations worldwide have standardized on HP Fortify:
• 9 of the top 10 major banks
• 9 of the top 10 software companies
• All of the top 10 telecoms
• All major branches of U.S. DOD
• All 5 top insurance firms
• 2 out of 4 top oil and gas companies
• Many top car manufacturers
• Big 4 accounting firms

Fortify & FoD Awards
“At any given time, there are 200 to 300 zero day vulnerabilities only HP knows about”
Dynamic Application Testing Leader
Static Application Testing Leader

A CTO’s Perspective on FoD
“I was very impressed by the knowledge and the responsiveness of both the Fortify BU sales and delivery resources. They helped me in building the business case for application security, which was key in establishing client stakeholder support for this initiative. Besides, they also partnered with the account to conduct a PoC which helped showcase our capability to the client. I am very confident, based on my own positive experience, that anyone in the security officer role could benefit a lot by working closely with the Fortify team to introduce our application security capabilities to their clients.”
Commonalities of Success: Developing a Winning SDLC
[Diagram: HP Fortify solutions arranged along the SDLC phases Define, Design, Code, Test, Production and Audit: Static Code Analysis in the IDE (SCA); source code validation; Functional Test Integration; QA & Integration Testing (hybrid, dynamic and static); Production Environment Assessment; Continuous Assessment; Dynamic Penetration Testing; Application Audit; Audit Static Code Analysis. Inputs throughout: internal app security research and external hacking research.]
The Future of Fortify on Demand
Mobile Application Security
• More apps, more problems
• Pentest like it’s 1999!
Next Step?
• Contact me or David Nester
• Discuss our group internally at HP
• Schedule a PoV!
David Nester ([email protected])
Jason Haddix ([email protected])
Questions?