New Adventures in Security Testing - Nordic Testing Days

Page 1

New Adventures in Security Testing

Dan Billing
www.thetestdoctor.wordpress.com
@TheTestDoctor

Page 2

Reflections

How far has just being a 'functional tester' taken me?
Am I excited by my work anymore?
Have I maintained and developed my skills as a tester?
What do I have to do to make a change?

Page 3

"To know what skills to focus on learning you need to know what skills you need for your chosen career…compare this to what skills you currently have. The difference between the two is where you should focus your learning"

Remaining Relevant and Employable in a Changing World - Testers Edition, Rob Lambert, Leanpub, 2013

Focus your learning

Page 4

Why Security?

Page 8

Potential Threats

...it's all about the attacks

Page 12

Motivations behind attacks (Jan - Apr 2014)

Cyber crime 61%, Hacktivism 31%

Source: Hackmageddon.com

Pages 13-15

Recent Significant Attacks

Page 17

Boldly Going…?

Page 18

First Steps

• Understand the threats to your systems - STRIDE
• Explore the OWASP website – www.owasp.org
• Learn the OWASP Top 10 – they are the 10 Commandments of Web Security Testing
• Learn some techniques and when to use them

Page 19

• Understand your applications and their infrastructure
• Get to know your Dev/Ops team – they’ll be your new best friends
• Follow the security and hacking bloggers like Troy Hunt
• Take a course or two

Page 20

Play it Safe

• www.altoromutual.com – deliberately vulnerable banking site - IBM
• http://google-gruyere.appspot.com – structured approach to learning exploits and vulnerabilities – Google
• https://code.google.com/p/bodgeit/ - vulnerable retail store, runs locally on Apache - OWASP

Page 21

Play it Safe

• http://www.mmeit.be/bwapp/ – bWAPP: an extremely buggy web app
• https://www.owasp.org/index.php/OWASP_Bricks - OWASP Bricks
• A VM running your own applications
• MobiSec – a mobile security testing framework and emulator

Page 22

Know Your Enemy

• www.hackmageddon.com – news and updates on recent attacks and hacks
• www.securityninja.com – great news, research and guidance resource
• www.hackthissite.org – hackers' legal sandbox
• www.hackthis.co.uk – another hackers' sandbox from the UK

Page 23

“Once you start down the dark path, forever it will dominate your destiny. Consume you it will” - Yoda

Page 25

STRIDE

SPOOFING – illegally using another's authentication information to gain access
TAMPERING – malicious modification of either persistent data, or of data as it flows through a network
REPUDIATION – denying having performed an action while other parties have no way to prove otherwise
INFORMATION DISCLOSURE – exposure of information to those who should not have access
DENIAL OF SERVICE – denying valid users access to a service
ELEVATION OF PRIVILEGE – allowing a user access to a system above their privilege level

Pages 26-27

Injection in a Nutshell

xkcd.com/327 – Exploits of a Mom

Pages 28-29

Injection – an Example
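The lesson behind the xkcd strip, as an added example that is not part of the slides: the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. A tester's simplest probe is a legitimate value containing a quote (O'Brien): the concatenated query breaks, the parameterized one finds the row, and the xkcd-style input stays plain data.

```python
import sqlite3

# Added example, not from the slides; the table and names are constructed.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO students (name) VALUES (?)",
                     [("Alice",), ("O'Brien",), ("Robert",)])
    return conn

def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the input is spliced into the SQL text, so a quote in the
    # input ends the string literal and whatever follows is parsed as SQL.
    query = f"SELECT id FROM students WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: a bound parameter is always treated as a value, never as SQL,
    # so quotes and semicolons in the input remain ordinary characters.
    return conn.execute("SELECT id FROM students WHERE name = ?", (name,)).fetchall()

def compare(name: str) -> dict:
    # Run one input through both versions on a fresh database and report what
    # each returned (or the error it raised) and which tables still exist.
    conn = make_db()
    result = {}
    try:
        result["unsafe"] = lookup_unsafe(conn, name)
    except sqlite3.Error as exc:
        result["unsafe"] = f"error: {exc}"
    result["safe"] = lookup_safe(conn, name)
    result["tables"] = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    return result

if __name__ == "__main__":
    # The quote probe: an error from the unsafe version on a normal name
    # containing an apostrophe is the tell-tale sign of string concatenation.
    for probe in ("Alice", "O'Brien", "Robert'); DROP TABLE students;--"):
        print(repr(probe), compare(probe))
```

Any SQL error (rather than an empty result) on the O'Brien probe is the finding to report; the fix is the bound parameter, not escaping by hand.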

Page 30

Cross Site Scripting

Pages 31-32

XSS – an example

Exploits a victim's trust in a particular site

Page 33

Weapon of Choice

• Browser Developer Tools
• Browser plugins e.g. TamperData, Firebug, Postman
• OWASP Mantra

Page 34

Man in the Middle

• Fiddler
• Zed Attack Proxy
• Burp Suite
• Nmap/Zenmap
• BeEF
• Wireshark

Page 35

Where next…?

• Automated scanning and regression
• Better vulnerability detection and analysis
• Sharing knowledge
• Increased confidence

Page 36

SEEK! LOCATE! EXTERMINATE!

Page 37

A Security Testing Mnemonic

EX – EXPLORE
T – THREATS
E – EXPERIMENT
R – RISKS
M – MONITOR
IN – INTERROGATE
A – ANALYSIS
T – TARGETED
E – EXPEDITED

Page 38

Q&A

• Dan Billing, Senior Test Engineer at New Voice Media
• www.newvoicemedia.com
• Blog: www.thetestdoctor.wordpress.com
• Twitter: @thetestdoctor