DIGIT TestCentre

Vulnerability assessment service

Gabriel BABIANO DIGIT.A.3

I.T.

29/11/2012

Agenda
Service presentation
Lessons learned

DIGIT TestCentre
Organizational location: Physical location: Service manager: DIGIT.A.3 DRB D3 (LUX) Gabriel BABIANO

Performance testing service since 2002 (currently 6 testers) Vulnerability assessment service since 2011 (currently 3 testers)

DIGIT TestCentre clients and figures

Clients
European Commission (including Executive Agencies and Services) Other European institutions under agreement (e.g. Court of Justice of the European Union)
Breakdown per DGs

Around 50 VTs per year

Grounds for vulnerability assessment

Motivation:
Legal constraints Reputation Data stolen Continuity of the service

75% cyber-attacks directed to web application layer (Gartner) Network security alone does not protect web apps!!!
5

Tests in Information Systems life-cycle

Cost versus life-cycle stage

"Finding and fixing a software problem after delivery is often 100 times more expensive than finding and fixing it during the design and requirements phase" (Barry Boehm)

VT

Secure coding guidelines

7

DIGIT TC Vulnerability service deliverables

Vulnerability assessment reports (per test/iteration)
Filtered potential vulnerabilities (no false positive) Classification on criticality and prioritization Potential remediation Evolution from previous iterations

Secure coding guidelines

Best practices in secure coding Recommended languages (HTML, JAVA, ColdFusion) Aligned to threats evolution Both for developers and operational managers 1st draft release due for 01/2013
8

DIGIT VT service tests

Black Box Vulnerability Test (dynamic analysis)
Need a working application target (closest to PROD) No access to source code required Not specific to coding language(s) Automatic tools + manual testing to supplement the tools Complement to Penetration Testing and WBVT

White Box Vulnerability Tests (static analysis)

Access to buildable source code Automatic tools + manual revision to avoid false positives All recommended languages are supported (Java, CF) No absolute need for application target but it helps a lot Detects more vulnerabilities than black box
9

DIGIT TestCentre service procedure workflow

Several iterations are normally required

10

DIGIT TC Vulnerability service tools

Static code analysis (SAST) Automatic tools Manual code review:
Eclipse

Dynamic program analysis (DAST) Automatic tools Manual tools:

Firefox and plugins:
Tamper Data

Database tools

11

Tools evaluation - methodology

12

Tools evaluation criteria

13

Tools evaluation critical metrics

Correctness of the results
Accurate Minimum false positive Minimum inconclusive Minimum duplicates

Completeness of the results

% detected % missed False negatives Misnamed

Performance

Scan duration
14

Tools lists
Static code analysis (SAST) http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis https://www.owasp.org/index.php/Source_Code_Analysis_Tools Dynamic program analysis (DAST) http://en.wikipedia.org/wiki/Dynamic_program_analysis
Open source DAST tools:
WebScarab Nikto / Wikto Open Web Application Security Project (OWASP) Google ratproxy and skipfish W3af Websecurify
15

Costs per test

In-house service:
Assumption: complete VTs (WB & BB) takes 10 working days in average (15 tests per tester per year) Strong investment in licenses the first year Costs are similar after the th 4 year Security skilled tester with an "industrialized" procedure required

Outsourced service:

No requires investment Less flexible for the development? Quality? Iterations?

16

Engineering for attacks

17

Vulnerability risk areas

Security controls

Security functions

18

OWASP Top Ten (2010 Edition)

http://www.owasp.org/index.php/Top_10

19

20

21

2011 CWE Top 25 Most Dangerous Software Errors

22

http://cwe.mitre.org/top25/

Comparison OWASP Top Ten 2010 CWE Top 25 2011

http://cwe.mitre.org/top25/

23

DIGIT TestCentre

Priorities are adapted for every application

Score = Risk * Impact

24

Vulnerability assessment
Assess and secure all parts individually
The idea is to force an attacker to penetrate several defence layers As a general rule, data stored in databases are considered as "untrusted" "In God we trust, for the rest, we test"

25

Vulnerability remediation priorities

Recommendations for remediation are founded in the report Cover high priority first. Then others when affordable Begin with risky vulnerabilities that are easy to remediate

26

Vulnerabilities type occurrence in the 1st iteration (%)

100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0%

http://cwe.mitre.org/top25/

http://projects.webappsec.org/w/page/13246989/Web%20Application%20Security%20Statistics
27

Improvements in Design and Coding stages

Iteration Vulnerability group Cross-Site Scripting Injection Insecure Transmission of credentials/tokens Password Management Cookie Security Path Manipulation Weak authentication Open redirect Logging of credentials Cross-Site Request Forgery Header Manipulation Weak cryptography File Upload Forced Browsing Log Forging Information disclosure 1 43 23 10 13 9 3 4 5 2 16 15 14 8 7 6 4
28

2 14 6 3 6 7 2 2 1 4 3 2 3 2 1 3

3 2 1

4 2

5 1 1

6 1

2
1

Flaws can appear in future iterations

1

1 1 1 1 1

security increases 1 in every iteration

1 1 2

Threats to the VT success

Tested source code not the same as PROD Testing environment differs from PROD Vulnerability testing tools cant cover all automatically Hacking techniques faster than service coverage If necessary, penetration tests are conducted by a 3rd party

100% risks & vulnerability-free cannot be guaranteed and security is not only a secure source code

29

Some references
Open Web Application Security Project (OWASP): www.owasp.org Web Application Security Consortium (WASC): www.webappsec.org Common Vulnerability Scoring System (CWSS): http://www.first.org/cvss/ Common Weakness Enumeration (CWE): http://cwe.mitre.org Common Attack Pattern Enumeration and Classification (CAPEC): http://capec.mitre.org/ SANS Institute: www.sans.org

30

Questions?

31

Thank you!

32