29/11/2012
Agenda
Service presentation
Lessons learned
DIGIT TestCentre
Organizational location: DIGIT.A.3
Physical location: DRB D3 (LUX)
Service manager: Gabriel BABIANO
Performance testing service since 2002 (currently 6 testers)
Vulnerability assessment service since 2011 (currently 3 testers)
75% of cyber-attacks are directed at the web application layer (Gartner). Network security alone does not protect web apps!!!
VT
Database tools
Performance
Scan duration
Tools lists
Static code analysis (SAST):
http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
Dynamic program analysis (DAST):
http://en.wikipedia.org/wiki/Dynamic_program_analysis
Open source DAST tools:
WebScarab
Nikto / Wikto
Open Web Application Security Project (OWASP)
Google ratproxy and skipfish
W3af
Websecurify
Outsourced service:
Security controls
Security functions
http://www.owasp.org/index.php/Top_10
http://cwe.mitre.org/top25/
Vulnerability assessment
Assess and secure all parts individually
The idea is to force an attacker to penetrate several defence layers. As a general rule, data stored in databases are considered "untrusted". "In God we trust; for the rest, we test."
http://cwe.mitre.org/top25/
http://projects.webappsec.org/w/page/13246989/Web%20Application%20Security%20Statistics
Being 100% risk- and vulnerability-free cannot be guaranteed, and security is not only a matter of secure source code.
Some references
Open Web Application Security Project (OWASP): www.owasp.org
Web Application Security Consortium (WASC): www.webappsec.org
Common Vulnerability Scoring System (CVSS): http://www.first.org/cvss/
Common Weakness Enumeration (CWE): http://cwe.mitre.org
Common Attack Pattern Enumeration and Classification (CAPEC): http://capec.mitre.org/
SANS Institute: www.sans.org
Questions?
Thank you!