BW12 Session, 6/5/2013, 3:45 PM
"Hybrid Security Analysis: Bridge the Gap Between Inside-Out and Outside-In"
Presented by: Arthur Hicken, Parasoft Corporation
Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073 · 888-268-8770 · 904-278-0524 · [email protected] · www.sqe.com

Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In


With the rising adoption of the cloud and the mobile revolution, software security is more important and complex than ever. The efforts of developers and testers are frequently disconnected, wasting time and reducing effectiveness. Arthur Hicken describes how hybrid security analysis bridges the gap between static analysis and penetration testing by detecting security vulnerabilities with unprecedented accuracy—and few false positives. Testers receive an instant assessment of where security attacks actually penetrated the application. Unlike traditional penetration testing, this pinpoints where attacks really succeeded—not just areas that may be vulnerable to attack. Hybrid analysis involves running penetration attack scenarios against existing functional test scenarios, monitoring the back-end to determine whether security is actually compromised, and correlating source code with the failed tests so you can trace each error to a particular requirement. Learn the drawbacks of static analysis and penetration testing—and how to turn these drawbacks into strengths.
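The description above outlines the hybrid loop: drive an existing functional scenario with an attack-style input, watch the back-end sink, and report where the input actually arrived unneutralised rather than where it merely might. The following is an added miniature of that idea, not Parasoft's implementation or any code from the talk. The `FakeDatabase` sink, the two `find_user` variants and the `CANARY` marker are all constructed for illustration.

```python
"""Miniature of the hybrid-analysis idea: run a functional scenario with an
attack-style input, observe the back-end sink, and decide from the sink
whether the input actually penetrated. Constructed illustration only; the
FakeDatabase, both find_user variants and CANARY are assumptions, not the
tool's own implementation."""
import inspect
from dataclasses import dataclass, field

# Marker that a correctly parameterised query never embeds verbatim in SQL
# text; the quote character is what would break out of a string literal.
CANARY = "alice'HYBRID-CANARY"


@dataclass
class SinkEvent:
    sql: str
    params: tuple
    caller: str  # function that issued the statement (source correlation)


@dataclass
class FakeDatabase:
    """Stand-in for a DB driver that records every statement it receives."""
    events: list = field(default_factory=list)

    def execute(self, sql, params=()):
        caller = inspect.stack()[1].function  # the data-access function
        self.events.append(SinkEvent(sql, tuple(params), caller))
        return []  # no rows; only the sink observation matters here


# Two versions of the same data-access function under test (constructed).
def find_user_concat(db, username):
    # Weak pattern: user input concatenated into the statement text.
    return db.execute("SELECT * FROM users WHERE name = '" + username + "'")


def find_user_param(db, username):
    # Hardened pattern: input travels as a bound parameter, never as SQL.
    return db.execute("SELECT * FROM users WHERE name = ?", (username,))


def hybrid_run(scenario, db):
    """Run a functional scenario with CANARY in place of the normal value and
    report whether the canary reached the sink inside SQL text, and from
    which function, so the finding can be traced back to code."""
    db.events.clear()
    scenario(db, CANARY)
    for ev in db.events:
        if CANARY in ev.sql:
            return {"penetrated": True, "caller": ev.caller, "sql": ev.sql}
    return {"penetrated": False, "caller": None, "sql": None}


if __name__ == "__main__":
    for fn in (find_user_concat, find_user_param):
        print(fn.__name__, hybrid_run(fn, FakeDatabase()))
```

The decisive check lives at the sink, not at the HTTP response: a scanner looking only at the page may miss a query that was silently altered, while the sink monitor sees the statement exactly as the driver would.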



Arthur Hicken, Parasoft

Arthur Hicken has been involved in automating various practices at Parasoft for more than twenty years. He has worked on projects including database development, the software development lifecycle, web publishing and monitoring, and integration with legacy systems. Arthur has worked with IT departments in companies including Cisco, Vanguard, and Motorola to help improve their software development practices. He has developed and conducted numerous technical training courses at Parasoft. An expert in his field, Arthur has been quoted in Business 2.0, Internet Week, and CNET news.com regarding website quality issues.


Hybrid Security Analysis: Bridge the Gap Between Inside-out and Outside-in

Copyright © 2013 Parasoft 1

Arthur Hicken, Parasoft Corporation

June 2013

Agenda

- Existing methodologies: benefits and limits
- Penetrating static analysis
- Enhanced testing methods
- Cutting the cord
- Virtuous security testing circle


Security Testing Techniques

- Penetration Testing
- Data Flow Analysis
- Static Code Analysis
- Unit Testing
- Regression Testing
- Runtime Error Detection

Penetration Testing Overview

- Outside-in
- Realistic testing
- Ever-growing lists of exploits to be tested
- Number of tests for a real site is prohibitively huge


Data Flow Analysis Overview

- Simulate hypothetical execution paths
- Detect possible errors along those paths
- Data flow analysis error categories include:
  - Exceptions
  - Optimization
  - Resource Leaks
  - API misuse
  - Security

Static Code Analysis Overview

- Inside-out
- Quick scan to list possible problems
- Fixing violations prevents certain classes of errors
- Static analysis categories include:
  - Logical Errors
  - API Misuse
  - Typographical Errors
  - Security
  - Threads and Synchronization
  - Performance and Optimization


Unit Test Overview

- Check smaller pieces
- Easy to run before the application is complete
- Use to bridge the gap from outside to inside
- Stub and isolate dependencies
- Peer review for design


Regression Testing Overview

- Capture current behavior of covered code paths, whether the current behavior is right or wrong
- Alert when code modifications cause a change in behavior
- Developers can then mark assertions as correct behavior to increase the severity if those assertions fail in the future


Runtime Error Detection

- Check for anti-patterns at runtime in the application
- Violations are presented in the context of real-world data values to stress their importance
- Runtime error categories include:
  - Threads and Synchronization
  - Performance and Optimization
  - Application Crashes
  - Functional Errors
  - Security

Enhanced Methods

- Automated Unit Test Generation
- Application Tracing for Unit Tests


Automated Unit Test Generation Overview

- Test code branches not covered by the application-level test
- Combine these unit tests with runtime error detection to check the new execution paths
- Build a baseline regression test suite


Application Tracing for Unit Tests

- Record internal method calls inside the running application when the problem occurs
- Replicate the problem in a unit test
- Alter the unit test to assert the correct behavior
- Now possible solutions can be tested quickly without redeploying the web application
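The four steps above describe record-and-replay: capture the internal calls while the application misbehaves, then turn the capture into a unit test that reproduces the failure and can later assert the corrected behavior. The sketch below is an added illustration of that workflow in plain Python, not the tracing tool's own code. The `traced` decorator stands in for the runtime tracer, the `apply_discount` application function and its defect are constructed, and the `from app import ...` line in the generated test assumes a module name.

```python
"""Record-and-replay sketch of 'Application Tracing for Unit Tests'.
Constructed illustration: the traced decorator stands in for a runtime
tracer, apply_discount is invented application code, and the recording
format is not any tool's real output."""
import functools

RECORDING = []  # one dict per call: function, args, kwargs, outcome


def traced(fn):
    """Record each call to fn, including the exception type if it fails."""
    @functools.wraps(fn)
    def wrapper(*args, **kwargs):
        entry = {"fn": fn.__name__, "args": list(args), "kwargs": kwargs}
        try:
            result = fn(*args, **kwargs)
            entry["returns"] = result
            return result
        except Exception as exc:
            entry["raises"] = type(exc).__name__
            raise
        finally:
            RECORDING.append(entry)
    return wrapper


# Constructed application code with a latent defect: an empty discount code
# is never handled, so the lookup raises KeyError on a real request.
DISCOUNTS = {"SPRING": 10, "VIP": 25}


@traced
def apply_discount(total, code):
    return total - total * DISCOUNTS[code] / 100


def generate_test(recording):
    """Replicate recorded calls as unittest source text. The failing call
    becomes an assertRaises test that documents the bug; once the code is
    fixed the developer edits it to assert the correct result instead."""
    lines = ["import unittest",
             "from app import apply_discount  # assumed module name",
             "",
             "class Replay(unittest.TestCase):"]
    for i, e in enumerate(recording):
        call = f"apply_discount(*{e['args']!r}, **{e['kwargs']!r})"
        lines.append(f"    def test_call_{i}(self):")
        if "raises" in e:
            lines.append(f"        with self.assertRaises({e['raises']}):")
            lines.append(f"            {call}")
        else:
            lines.append(f"        self.assertEqual({call}, {e['returns']!r})")
    return "\n".join(lines) + "\n"


def capture_scenario():
    """Drive the application the way the failing request did and return
    the recording that the unit test will be generated from."""
    RECORDING.clear()
    apply_discount(200, "SPRING")   # healthy call: 180.0
    try:
        apply_discount(50, "")      # the problem call
    except KeyError:
        pass
    return list(RECORDING)


if __name__ == "__main__":
    print(generate_test(capture_scenario()))
```

The generated test runs in seconds against the isolated function, which is the point of the slide: candidate fixes are checked in the unit test, and the web application is redeployed only once the test passes.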

Proposed Method

(Slides 13 to 16: diagrams only; no text was captured.)


Best Approach


Cutting the Cord

(Architecture diagram. Components shown: Web Browser, Internet, Web Application, Database, Business Partner, SOAP over HTTPS, JMS, CRM Application. Process steps shown: Receive Transaction; Amount > $10000 (Yes/No); Check Customer Status; Transform Message (XML); Send Notification; Database updated.)


The Internal Challenge

Test environment constraints are outside the control of development and test, leaving gaps in the process of developing and testing software.

(Diagram. IT Operations constraints: Scheduling, Configuration, Access Limits. Environment elements: Staged Assets, 3rd Party Assets, Virtual Environments, Dependent Applications, Virtual Server 1 / Hypervisor / App App App. Development and test needs: "Parallel development delays..."; "Need simple, realistic access to services..."; "Too much time waiting for access..."; "Need reliable test data"; "Need a realistic test environment easy to maintain".)

The Academic Way

- Analyze problems
  - Peer review results
  - QA issues
  - Field reports
- Check rules that fit
  - Review severity
  - Review likelihood
  - Review cost/risk


The Manual Way

- Analyze stack trace
  - Debugger on running JVM
  - Runtime trace tools
- Create unit tests
  - Stubs
  - Data sources

Cheating the System

- Fix a problem
- Run static analysis on the old code
- Run static analysis on the new code
- Look at the delta
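The delta trick above works only if "look at the delta" is done on something more stable than raw report lines: a fix that inserts two lines shifts every finding below it, and a text diff of the two reports would flag all of them as new. The following added example (not Parasoft's code) compares two constructed static analysis reports by file, rule and message while ignoring line numbers, so it reports only what the change introduced and what it fixed. The report format (`file:line: RULE: message`) and the rule identifiers are assumptions made for the example.

```python
"""Delta triage for static analysis results: run the analyzer before and
after a fix, then report only findings the change introduced or removed.
Added illustration; the report format 'file:line: RULE: message', the rule
names and the sample findings are constructed, not real tool output."""
from collections import Counter

# Constructed reports. The fix inserted lines near the top of Account.java,
# so the unchanged RES.LEAK finding moved from line 40 to line 42.
OLD_REPORT = """\
src/Account.java:12: SEC.SQLI: Tainted data reaches SQL statement
src/Account.java:40: RES.LEAK: Resource 'conn' not closed on all paths
src/Login.java:8: API.NULL: Possible null dereference of 'user'
"""
NEW_REPORT = """\
src/Account.java:42: RES.LEAK: Resource 'conn' not closed on all paths
src/Account.java:15: SEC.XSS: Tainted data written to HTTP response
src/Login.java:8: API.NULL: Possible null dereference of 'user'
"""


def parse_report(text):
    """Return (file, rule, message) keys with line numbers dropped, so a
    finding that merely shifted position compares equal to its old self."""
    keys = []
    for line in text.splitlines():
        if not line.strip():
            continue
        location, rule, message = line.split(": ", 2)
        file_name, _line_no = location.rsplit(":", 1)
        keys.append((file_name, rule.strip(), message.strip()))
    return keys


def delta(old_text, new_text):
    """Multiset difference in both directions: what the change introduced
    (must be triaged now) and what it fixed (confirms the fix landed)."""
    old = Counter(parse_report(old_text))
    new = Counter(parse_report(new_text))
    return {
        "introduced": sorted((new - old).elements()),
        "fixed": sorted((old - new).elements()),
    }


if __name__ == "__main__":
    result = delta(OLD_REPORT, NEW_REPORT)
    for kind in ("introduced", "fixed"):
        print(kind)
        for file_name, rule, message in result[kind]:
            print(f"  {file_name}  {rule}  {message}")
```

A `Counter` rather than a `set` keeps duplicate findings honest: if the same rule fires twice on the same message in one file, fixing one of them shows up as one fixed finding, not zero.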


The Automated Way

- Unit test generation
  - Automatic test generation
  - Clean assertions: cut with sharp scissors
  - Expand as needed
- Automatic stubs
  - Sophisticated stubs for realistic behavior
  - Isolate as much as necessary

Summary

- Problem solving in web applications is a long and tedious process without proper tools
- Replicating the problem in a unit test shortens the code-test cycle
- Static code analysis prevents classes of errors
- Runtime error detection finds real-time problems
- Unit testing exercises more code paths
- Data flow analysis simulates hypothetical paths
- Regression tests ensure that problems stay fixed


Q&A

[email protected] · http://alm.parasoft.com

Facebook: https://www.facebook.com/parasoftcorporation
Twitter: @Parasoft @CodeCurmudgeon


LinkedIn: http://www.linkedin.com/company/parasoft