Penetration testing: don't just leave it to chance



Next Generation Testing Leadership Asia-Pac Summit 2015

Name of the Speakers: Anish Cheriyan, Director Quality and Centre of Excellence - Cyber Security; Sriharsha Narayanam, Test Architect, Cyber Security Test Engineering - COE Team
Company Name: Huawei Technologies India Private Limited

Topics
• Introduction
• Principles of Security for Secure Products
• Security in Product Development Life Cycle
• Penetration Testing Approach
• Details of Pen Test
• Cyber Security - a mindset and some anti-patterns
• Conclusion

Attack Testing

Feather Touch Testing

Time Bound Testing

Build Security In - some perspectives

The Principles - Secure Software Design
• Favor simplicity
• Use fail-safe defaults
• Do not expect expert users
• Trust with reluctance
• Employ a small trusted computing base
• Grant the least privilege possible
• Promote privacy
• Compartmentalize
• Defend in depth
• Use community resources - no security by obscurity
• Monitor and trace
Reference: Software Security by Michael Hicks, Coursera

Favor Simplicity
Reference: Software Security by Michael Hicks, Coursera

Favor Simplicity: Fail Safe Defaults

Favor Simplicity: Do not expect expert users

Trust with Reluctance(TwR)

Trust with Reluctance(TwR)- Trusted Computing Base

Trust with Reluctance(TwR)- Least Privilege

Trust with Reluctance(TwR)- Compartmentalization

Defend in Depth

Defend in Depth - Use Community Resources

Monitoring and Traceability

Top 10 Flaws. Do Not..

Building Security into the Product Development Life Cycle
• General Security Requirement Analysis
• Attack Surface Analysis
• Threat Modeling - STRIDE (Microsoft)
• Testability Analysis
• Secure Architecture and Design; Security Design Guidelines
• Security Test Strategy and Test Cases
• Secure Coding Guidelines (reference)
• Static Check Tools like Fortify, Coverity (Ref-)
• Reviews
• Security Test Cases
• Penetration Testing Approach (Reconnaissance, Scanning, Attack, Managing access)
• Anti-Virus
• Continuous Delivery System (Inspection and Security Test)

Threat Modeling
Reference:

Identify assets. Identify the valuable assets that your systems must protect.

Create an architecture overview. Use simple diagrams and tables to document the architecture of your application, including subsystems, trust boundaries, and data flow.

Decompose the application. Decompose the architecture of your application, including the underlying network and host infrastructure design, to create a security profile for the application.

Identify the threats. Keeping the goals of an attacker in mind, and with knowledge of the architecture and potential vulnerabilities of your application, identify the threats that could affect the application.

Document the threats. Document each threat using a common threat template that defines a core set of attributes to capture for each threat.

Rate the threats. Rate the threats to prioritize and address the most significant threats first.

Threat Modeling Diagram - a simple example
Reference:

Secure Architecture and Design Perspective
Reference:

Secure Code Perspective
Reference:

Secure Code Perspective - Code Review
Further Reading: Threat Modeling - Frank Swiderski, Window Snyder; A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World.
When doing the code review, take as inputs the code at the trust boundaries and the issues reported by static tools like Fortify, Coverity etc., and focus the review on those places.

Secure Testing (Pen Test) Perspective
• Information gathering (about the system, environment etc.)
• Scan the system
• Threat analysis
• Run the analyzers and scanners (Fortify and Coverity for static analysis; AppScan, Nessus, Nmap etc. for application and network scanning), using the right tool for each job
• Vulnerability analysis
• Fuzz testing
• Penetration testing
• Use / develop the right set of tools to attack
• Raise defects
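The vulnerability analysis / fuzz testing step above, as an added example that is not part of the slides: a mutation fuzzer run against a constructed toy TLV parser that trusts its length field. The parser, the seed message and every function name here are assumptions made for the illustration. Python raises IndexError where a C parser would silently read or write past the buffer, so the harness treats IndexError as the crash signal and then shrinks the crashing input so the defect report is small.

```python
import random


def parse_tlv(data: bytes) -> dict:
    """Constructed toy parser for [type:1][length:1][value] records.

    It copies `length` bytes into a fixed 32-byte scratch buffer and trusts the
    length field, so an oversized length over-reads `data` or over-writes `buf`.
    In C this is a memcpy past the buffer; here Python raises IndexError.
    """
    buf = bytearray(32)
    fields, pos, off = {}, 0, 0
    while pos + 2 <= len(data):
        tag, length = data[pos], data[pos + 1]
        pos += 2
        for i in range(length):            # BUG: no bounds check on either side
            buf[off + i] = data[pos + i]   # IndexError = over-read / over-write
        fields[tag] = bytes(buf[off:off + length])
        pos += length
        off += length
    return fields


def mutate(sample: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite, delete or insert a single byte."""
    buf = bytearray(sample)
    choice = rng.randrange(3)
    if choice == 0:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def crashes(target, sample: bytes) -> bool:
    """Crash oracle: the bug class we model surfaces as IndexError."""
    try:
        target(sample)
    except IndexError:
        return True
    return False


def fuzz(target, seeds, iterations: int = 2000, seed: int = 1):
    """Mutation fuzzing loop; returns the first crashing input and its iteration."""
    rng = random.Random(seed)          # fixed seed so a run is reproducible
    corpus = list(seeds)
    for n in range(1, iterations + 1):
        sample = mutate(rng.choice(corpus), rng)
        if crashes(target, sample):
            return {"iteration": n, "input": sample}
        if len(sample) <= 64:          # keep non-crashing mutants as new seeds
            corpus.append(sample)
    return None


def minimize(target, crasher: bytes) -> bytes:
    """Greedy reduction: delete one byte at a time while the crash persists."""
    data = crasher
    changed = True
    while changed:
        changed = False
        for i in range(len(data)):
            candidate = data[:i] + data[i + 1:]
            if crashes(target, candidate):
                data, changed = candidate, True
                break
    return data


# Constructed seed: three well-formed records (tags 1, 2, 3).
SEED = b"\x01\x03abc\x02\x02hi\x03\x04wxyz"

if __name__ == "__main__":
    assert parse_tlv(SEED) == {1: b"abc", 2: b"hi", 3: b"wxyz"}
    result = fuzz(parse_tlv, [SEED])
    print("crash after", result["iteration"], "iterations:", result["input"])
    print("minimized:", minimize(parse_tlv, result["input"]))
```

The defect that goes into the tracker is the minimized input plus the parser location, which is what "raise defects" at the end of the list needs. The fix in the parser is the check the bug comment points at: reject a record whose declared length exceeds the remaining input or the remaining buffer.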

Test Strategy

Validation Approach of ABC
Picture Courtesy:

Security Test Strategy - Inputs

Security Test Strategy - What to Cover ?


Penetration Testing Analysis overall flow

Output: Penetration Test Scenarios

Penetration Test Cases


Damage Potential Assessment
New Test Cases

Reconnaissance / Information Gathering

Reconnaissance is the first and key phase of penetration testing, where information about the target is gathered. The more time you spend collecting information on your target, the more likely you are to succeed in the later phases. Information gathering can follow a checklist, but it need not be constrained to the list. It also helps teams think about the product's properties upfront.

Information gathering checklist (columns: Category / Suggested information to be gathered or verified / Actual information)
General Information
• List of IP addresses that can be scanned
• Target OS and file permission information
• Information about the log files and their paths
• Information about the data file locations and their formats
• Storage mechanism of the username/password of the application

Reconnaissance / Information Gathering
A few tools for web application reconnaissance: Wappalyzer, PassiveRecon, Groundspeed

Software / URL / Description
• Maltego: de facto standard for mining data on individuals and companies. Comes in a free community version and a paid version.
• Nessus: vulnerability scanning tool available in paid and free versions. Useful for finding and documenting vulnerabilities, mostly from inside a given network.
• IBM AppScan: IBM's automated web application security testing suite.
• eEye Retina: an automated network vulnerability scanner that can be managed from a single web-based console. It can be used in conjunction with Metasploit: if an exploit exists in Metasploit, it can be launched directly from Retina to verify that the vulnerability exists.
• Nexpose (http://www.rapid7.com): vulnerability scanner from the same company that brings you Metasploit. Available in both free and paid versions that differ in levels of support and features.
• OpenVAS (http://www.openvas.org): vulnerability scanner that originally started as a fork of the Nessus project. The scanner is accompanied by a daily updated feed of Network Vulnerability Tests (NVTs), over 20,000 in total (as of January 2011).
• HP WebInspect: performs web application security testing and assessment for complex web applications. Supports JavaScript, Flash, Silverlight and others.
• HP SWFScan: free tool developed by the HP Web Security Research Group to automatically find security vulnerabilities in applications built on the Flash platform. Useful for decompiling Flash apps and finding hard-coded credentials, etc.
• THC IPv6 Attack Toolkit: largest single collection of tools designed to exploit vulnerabilities in the IPv6 and ICMP6 protocols.
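As an added example (not from the slides and not the code of any tool listed above), the kind of passive fingerprinting that Wappalyzer and PassiveRecon automate, applied offline to one constructed HTTP response. The signature table is a hand-written subset for illustration rather than a real signature database, and the hardening-header check and all function names are assumptions of this example. With a real target the same input comes from `curl -i` against the URL.

```python
import re

# Constructed HTTP response of a fictitious target; nothing here is a real host.
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.22 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/5.3.10\r\n"
    b"Set-Cookie: PHPSESSID=0123456789abcdef; path=/\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b'<html><head><meta name="generator" content="WordPress 3.5"></head>\n'
    b'<body><script src="/wp-includes/js/jquery/jquery.js?ver=1.8.3"></script></body></html>\n'
)

# Hand-written signature subset: (technology, header or body, regex; group 1 = version).
HEADER_SIGS = [
    ("Apache", "server", r"Apache(?:/([\d.]+))?"),
    ("nginx", "server", r"nginx(?:/([\d.]+))?"),
    ("IIS", "server", r"Microsoft-IIS(?:/([\d.]+))?"),
    ("PHP", "x-powered-by", r"PHP(?:/([\d.]+))?"),
    ("ASP.NET", "x-powered-by", r"ASP\.NET"),
]
COOKIE_SIGS = [
    ("PHP", r"^PHPSESSID="),
    ("Java servlet container", r"^JSESSIONID="),
    ("ASP.NET", r"^ASP\.NET_SessionId="),
]
BODY_SIGS = [
    ("WordPress", r'<meta name="generator" content="WordPress(?: ([\d.]+))?"'),
    ("Drupal", r'<meta name="generator" content="Drupal(?: ([\d.]+))?'),
    ("jQuery", r"jquery(?:\.min)?\.js\?ver=([\d.]+)"),
]
# Response headers whose absence is worth noting in the recon report.
HARDENING_HEADERS = ["Content-Security-Policy", "Strict-Transport-Security",
                     "X-Content-Type-Options", "X-Frame-Options"]


def parse_response(raw: bytes):
    """Split a raw HTTP response into status line, header dict and body text."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body.decode("utf-8", "replace")


def fingerprint(raw: bytes) -> dict:
    """Return {technology: version or None} found in headers, cookies and body."""
    _, headers, body = parse_response(raw)
    found = {}

    def record(name, match):
        version = next((g for g in match.groups() if g), None)
        if name not in found or (version and found[name] is None):
            found[name] = version

    for name, header, pattern in HEADER_SIGS:
        for value in headers.get(header, []):
            m = re.search(pattern, value)
            if m:
                record(name, m)
    for name, pattern in COOKIE_SIGS:
        if any(re.search(pattern, c) for c in headers.get("set-cookie", [])):
            found.setdefault(name, None)      # cookie names give no version
    for name, pattern in BODY_SIGS:
        m = re.search(pattern, body, re.IGNORECASE)
        if m:
            record(name, m)
    return found


def version_disclosures(raw: bytes) -> list:
    """Technologies that leak an exact version: inputs for the scanning phase."""
    return sorted((n, v) for n, v in fingerprint(raw).items() if v)


def missing_hardening_headers(raw: bytes) -> list:
    _, headers, _ = parse_response(raw)
    return [h for h in HARDENING_HEADERS if h.lower() not in headers]


if __name__ == "__main__":
    print(fingerprint(RAW_RESPONSE))
    print("versions to check:", version_disclosures(RAW_RESPONSE))
    print("missing headers:", missing_hardening_headers(RAW_RESPONSE))
```

The version list is the hand-off to the scanning phase: each (product, version) pair is what you look up in the vulnerability database before choosing which scanner modules to run, which is the "tools analysis upfront" point the deck makes below.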

Pen Test Tools and Guidelines

Security Tools and Version Analysis

Tools analysis helps teams select the applicable tools upfront and build the required competency to use them, or acquire licenses, well before the test execution phase.

Scanning is the phase in which the vulnerabilities and weak areas in the system / target are identified. Tools are to be finalized based on the application scope.
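As an added example (not from the slides), triage of the scanning phase's raw output: nmap writes the elements used here (`host`, `status`, `address`, `ports/port`, `state`, `service`) when run with `-oX`, but the scan file below is constructed, the allowed-port set that stands in for the agreed application scope is an assumption, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -sV -oX output for two hosts; not a real scan result.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.5-6">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.9p1"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.22"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>
"""

# Protocols that carry credentials or data without encryption.
CLEARTEXT_SERVICES = {"ftp", "telnet", "http", "pop3", "imap", "smtp"}


def parse_nmap(xml_text: str) -> list:
    """Reduce nmap XML to a list of {addr, up, ports:[...]} dicts."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        addr = h.find("address[@addrtype='ipv4']").get("addr")
        up = h.find("status").get("state") == "up"
        ports = []
        for p in h.findall("ports/port"):
            svc = p.find("service")
            ports.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": p.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append({"addr": addr, "up": up, "ports": ports})
    return hosts


def live_hosts(hosts: list) -> list:
    """'Determining if a system is alive': the addresses that answered."""
    return [h["addr"] for h in hosts if h["up"]]


def open_ports(host: dict) -> list:
    return sorted(p["port"] for p in host["ports"] if p["state"] == "open")


def triage(host: dict, allowed_ports: set) -> list:
    """Findings as (port, kind, detail); kind is scope, cleartext or version."""
    findings = []
    for p in host["ports"]:
        if p["state"] != "open":
            continue
        if p["port"] not in allowed_ports:
            findings.append((p["port"], "scope", "open port outside the agreed application scope"))
        if p["service"] in CLEARTEXT_SERVICES:
            findings.append((p["port"], "cleartext", f"{p['service']} exposes credentials or data on the wire"))
        if p["version"]:
            findings.append((p["port"], "version",
                             f"{p['product']} {p['version']} disclosed; check against the vulnerability database"))
    return findings


if __name__ == "__main__":
    scan = parse_nmap(NMAP_XML)
    print("alive:", live_hosts(scan))
    for finding in triage(scan[0], allowed_ports={22, 443}):   # assumed scope: ssh and https only
        print(scan[0]["addr"], *finding)
```

The "scope" findings are the ones to raise first with the product team: a port that is open but not in the application's declared attack surface is either an inventory error or an unplanned exposure, and either way it changes the test scenarios.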

Test Scenarios from Threat Modeling Analysis
• Based on the threat modeling analysis, understand the trust boundaries.
• Analyze the present risk mitigation mechanism and derive test scenarios.
• Analyze the proposed risk mitigation mechanism and derive test scenarios.
• Threat modeling analysis is to be done both at system and at subsystem level.

System Scanning and further Analysis

Category / Tool or Technique / Applicability Analysis
• Scanning of the system under test using a static code analyzer: Fortify, Coverity
• Determining if a system is alive:
• Scanning the application: AppScan, Acunetix, RSAS, QRadar

Entity or Process / Threat Type / Applicable? / Test Scenario based on Current Mitigation / Test Scenario based on Proposed Mitigation
Requirement 1
• S: Yes
• T: No
• R:
• I:
• D:
• E:

Vulnerability analysis is