
Unit testing : what are you missing for security


Page 1

Quality Summit 2014 - SHANGHAI

Unit Testing: What Are You Missing For Security
Suman Sourav, Senior Software Security Analyst

Page 2

Unit Testing

Page 3

What is unit testing?

- Divide-and-conquer approach.
- Split the system into units.
- Debug each unit individually.
- Narrow down the places where bugs can be.
- Don't want to chase down bugs in other units.

Page 4

Unit Testing Roadmap

Plan (Requirements, Design, Specifications) -> Prepare (Test Set) -> Execution (Code under Test -> Test Results)

Page 5

What are you missing for security?

Page 6

Unit Testing (Plan) - Missing Security Considerations

- Does the requirements document specify all security requirements as well?
- Have secure design principles been considered at every point?
- Has the design been validated from a threat perspective?

Plan: Requirements, Design, Specifications

Page 7

Unit Testing (Prepare) - Missing Security Test Cases

- How do we know the abuse case scenarios?
- How do we write a security test case?

Prepare: Test Set

Page 8

Unit Testing (Execution) - Missing Security Tools

- How do we validate security test cases?
- What kind of tools are required to execute security test cases?

Execution: Code under Test -> Test Results

Page 9

Threat Modeling

Page 10

What is Threat Modeling?

- An approach for analyzing the security of an application from the very beginning.
- Looks at the system from a potential attacker's perspective.
- Focuses on securing the entry points of the application and on the threats associated with each entry point.

Source: Microsoft

Page 11

Threat Modeling Workflow

Diagram -> Identify Threats -> Mitigate -> Validate

- Diagram: product requirements & design document; dataflow diagrams & use case stories
- Identify Threats: threat analysis
- Mitigate: implement solution; requirements & design change
- Validate: write unit test cases; execute unit test cases

Page 12

Threat Analysis - Different Approaches

- Attack-based analysis: STRIDE analysis
- Defense in Depth (DID) analysis: Authentication, Authorization, Input Validation, Output Encoding, Error Handling, Logging & Auditing, Cryptography, Configuration Management

Page 13

Risk Rating

DREAD model: you arrive at the risk rating for a given threat by asking the following questions:

- Damage potential: How great is the damage if the vulnerability is exploited?
- Reproducibility: How easy is it to reproduce the attack?
- Exploitability: How easy is it to launch an attack?
- Affected users: As a rough percentage, how many users are affected?
- Discoverability: How easy is it to find the vulnerability?

CVSS: the Common Vulnerability Scoring System is a free and open industry standard for assessing the severity of computer system security vulnerabilities.


Page 14

Threat Analysis - Final Outcome

- Threat list and associated vulnerabilities
- Risk rating
- Recommendations
- Validation approach (tools & techniques)

Page 15

Threat Modeling - Sample Case Study

Application with dual authentication:

- Asset identification
- Entry points
- Communication protocols
- Existing security mechanisms
- Data flow diagrams
- Use case stories

Page 16

Threat Modeling - Sample Case Study: Use Case Preparation

User Authentication

Page 17

Threat Modeling - Sample Case Study: Threat Analysis - Attack Tree Example

Authentication Compromise
- Brute Force
  - No Password Policy
  - No Account Lockout
  - Lack of Password Complexity
- Insecure Communication
  - Network Sniffing
  - Parameter Tampering
  - SQL Injection
- Insecure Storage
  - Insufficient Encryption in Database
  - Insecure Storage in Config File
- Business Functionality Abuse
  - Misuse of Forgot Password Module
  - Easily Guessable Security Answers

Page 18

Threat Modeling - Sample Case Study: Threat Analysis - Unit Testing Points

Authentication Compromise
- Brute Force
  - No Password Policy
  - No Account Lockout
  - Lack of Password Complexity
- Insecure Communication
  - Network Sniffing
  - Parameter Tampering
  - SQL Injection
- Insecure Storage
  - Insufficient Encryption in Database
  - Hardcoded Password in Source Code
- Business Functionality Abuse
  - Misuse of Forgot Password Module
  - Easily Guessable Security Answers
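As an added example (not from the deck), a Python unit test for the Brute Force branch above: it checks that the unit under test enforces account lockout and password complexity. The AuthService, the policy values (5 failures, 10 characters) and the user data are assumptions constructed for this example.

```python
import re
import unittest

MAX_FAILURES = 5   # assumed policy values for this example, not from the slides
MIN_LENGTH = 10

def password_meets_policy(pw):
    """Minimum length plus at least three of four character classes."""
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^\w\s]", pw)]
    return len(pw) >= MIN_LENGTH and sum(1 for c in classes if c) >= 3

class AuthService:
    """Minimal authenticator with failure counting; the unit under test.
    Real code would compare salted hashes, not plaintext (constructed stub)."""
    def __init__(self, users):
        self.users = dict(users)       # name -> password (constructed data)
        self.failures = {}
        self.locked = set()

    def login(self, name, pw):
        if name in self.locked:
            return False               # locked accounts never authenticate
        if self.users.get(name) == pw:
            self.failures[name] = 0
            return True
        self.failures[name] = self.failures.get(name, 0) + 1
        if self.failures[name] >= MAX_FAILURES:
            self.locked.add(name)      # the control the "No Account Lockout" leaf asks for
        return False

class BruteForceControlsTest(unittest.TestCase):
    def setUp(self):
        self.auth = AuthService({"alice": "Summ3r-2014!"})

    def test_lockout_after_max_failures(self):
        for _ in range(MAX_FAILURES):
            self.assertFalse(self.auth.login("alice", "wrong"))
        # The correct password must now be refused: lockout, not just failure.
        self.assertFalse(self.auth.login("alice", "Summ3r-2014!"))
        self.assertIn("alice", self.auth.locked)

    def test_policy_rejects_weak_and_accepts_strong(self):
        self.assertFalse(password_meets_policy("password"))
        self.assertTrue(password_meets_policy("Summ3r-2014!"))

if __name__ == "__main__":
    unittest.main()
```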

Page 19

Threat Modeling - Sample Case Study

Writing Unit Test Case 1

- Case: SQL Injection
- Validation point: input validation on both client and server side; parameterized SQL queries
- Tools: commercial - HP WebInspect; open source frameworks (e.g. sqlmap)
- Test case: depends on the framework selected.
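As an added example of what such a unit test looks like once a framework is chosen (Python unittest with an in-memory SQLite table, not the deck's own code): the parameterized login must treat a tautology string as a literal password, while the string-concatenation version shows why the validation point exists. Table and credentials are constructed sample data.

```python
import sqlite3
import unittest

def make_db():
    """Constructed in-memory users table (sample data, not from the slides)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    con.commit()
    return con

def login_concat(con, name, pw):
    # Vulnerable 'before' version: user input is spliced into the SQL text.
    sql = "SELECT COUNT(*) FROM users WHERE name='%s' AND pw='%s'" % (name, pw)
    return con.execute(sql).fetchone()[0] > 0

def login_param(con, name, pw):
    # Hardened version: placeholders keep the input as data, never as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE name=? AND pw=?"
    return con.execute(sql, (name, pw)).fetchone()[0] > 0

# Textbook tautology input the security unit test feeds to the login function.
TAUTOLOGY = "' OR '1'='1"

class SqlInjectionTest(unittest.TestCase):
    def setUp(self):
        self.con = make_db()

    def test_valid_credentials_still_work(self):
        self.assertTrue(login_param(self.con, "alice", "s3cret"))

    def test_tautology_is_rejected(self):
        # The hardened function must fail the login: the payload is just a wrong password.
        self.assertFalse(login_param(self.con, "alice", TAUTOLOGY))

    def test_vulnerable_version_fails_the_validation_point(self):
        # Documents the threat: concatenation lets the tautology bypass the check.
        self.assertTrue(login_concat(self.con, "alice", TAUTOLOGY))

if __name__ == "__main__":
    unittest.main()
```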

Page 20

Threat Modeling - Sample Case Study

Writing Unit Test Case 2

- Case: Hardcoded password in source code
- Validation point: source code
- Tools: commercial - HP Fortify (static analysis), HP WebInspect (dynamic security testing)
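As an added example of a lightweight source-code check for this case (a Python heuristic written for this page, not Fortify's rule set): it flags password-like identifiers assigned a string literal and ignores placeholders and environment lookups. The regular expression, the placeholder markers and the sample source are assumptions constructed here.

```python
import re

# Heuristic: a password-like identifier assigned a string literal.
# Assumed pattern for this example, not a static-analysis vendor's rule.
PASSWORD_ASSIGNMENT = re.compile(
    r"""(?ix)
    (?P<name>\w*(?:pass(?:word|wd)?|pwd|secret|api[_-]?key)\w*)  # identifier
    \s*[:=]\s*                                                  # assignment
    ["'](?P<literal>[^"']{4,})["']                              # string literal
    """)

# Literal values that are placeholders rather than real secrets.
PLACEHOLDER_MARKERS = ("${", "<", "changeme", "example")

def find_hardcoded_passwords(source):
    """Return (line_number, identifier, literal) for each suspicious assignment."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//")):
            continue  # whole-line comments are out of scope for this check
        for m in PASSWORD_ASSIGNMENT.finditer(line):
            literal = m.group("literal")
            if any(marker in literal.lower() for marker in PLACEHOLDER_MARKERS):
                continue
            hits.append((lineno, m.group("name"), literal))
    return hits

# Constructed sample of what the scanner sees (not real project code).
SAMPLE_SOURCE = '''\
# database settings
db_user = "app"
db_password = "Summ3r2014!"
api_key = "${API_KEY}"
conn = connect(user=db_user, password="hunter22")
token = os.environ.get("TOKEN")
'''

def test_scanner_flags_only_real_literals():
    found = find_hardcoded_passwords(SAMPLE_SOURCE)
    assert [(ln, name) for ln, name, _ in found] == [(3, "db_password"), (5, "password")]
    assert find_hardcoded_passwords('pw = os.getenv("DB_PASS")') == []

if __name__ == "__main__":
    test_scanner_flags_only_real_literals()
    for lineno, name, literal in find_hardcoded_passwords(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} assigned literal {literal!r}")
```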

Page 21

Threat Modeling - Sample Case Study

Writing Unit Test Case 3

- Case: Network sniffing
- Validation point: communication channel
- Tools: OWASP WebScarab
- Test case: STR (steps to reproduce)
  1. Configure WebScarab to capture HTTP traffic.
  2. Open the login page http://www.testwebsite.com/login.jsp
  3. Enter user credentials and press Login.
  4. Capture the HTTP traffic and check for sensitive information.
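As an added example of automating step 4 (Python written for this page, not the deck's own code): given a request as an intercepting proxy would show it, the check reports which sensitive form or query fields were sent over plaintext HTTP. The captured request, the field-name list and the scheme argument are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed capture of the login POST from step 4, as an intercepting
# proxy would display it (not real traffic from the slides' test site).
CAPTURED_REQUEST = (
    "POST /login.jsp HTTP/1.1\r\n"
    "Host: www.testwebsite.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=Summ3r2014%21&remember=1"
)

# Field names whose values must never travel in the clear (assumed list).
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "pin", "secret", "token"}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def credentials_in_clear(raw, scheme):
    """Return the sensitive field names this request exposes on the wire.

    scheme is 'http' or 'https' as recorded by the proxy; only plaintext
    HTTP exposes the payload to a network sniffer.
    """
    if scheme == "https":
        return []
    _method, path, headers, body = parse_request(raw)
    exposed = set()
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        exposed |= {f for f in parse_qs(body) if f.lower() in SENSITIVE_FIELDS}
    # Credentials in a query string are also written to server and proxy logs.
    if "?" in path:
        query = path.split("?", 1)[1]
        exposed |= {f for f in parse_qs(query) if f.lower() in SENSITIVE_FIELDS}
    return sorted(exposed)

def test_login_over_http_leaks_password():
    assert credentials_in_clear(CAPTURED_REQUEST, "http") == ["password"]
    assert credentials_in_clear(CAPTURED_REQUEST, "https") == []
    get = "GET /login.jsp?user=alice&pwd=x HTTP/1.1\r\nHost: www.testwebsite.com\r\n\r\n"
    assert credentials_in_clear(get, "http") == ["pwd"]
```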

Page 22

Unit Test Case - Security Validation

Page 23

Unit Testing - Enhanced Workflow

- Plan: Requirements, Design, Specifications, plus a Threat Analysis Report
- Prepare: Test Set, plus Threat Validation Test Cases
- Execution: Code under Test, plus Security Testing Tools; Security Testing runs alongside the functional run and feeds the Test Results

Page 24

Q&A