IBM Security Solutions
Open Web Application Security Project: an open organization dedicated to fighting insecure software. The OWASP Top Ten document represents a broad consensus about what the most critical web application security flaws are. www.owasp.org
TechWorks
6 2008 IBM Corporation Discovering the Value of Web Application Security Testing with IBM Rational AppScan
SQL Injection
1=1--
What is it?
Malicious script is echoed back in the HTML returned from a trusted site, and runs in that site's trusted context.
XSS Example I
<H1>aSdF</h1>
XSS Example II
HTML code:
XSS flow diagram (participants: User, bank.com):
2) User sends script embedded as data
3) Script/data returned, executed by browser
4) Script sends user's cookie and session information without the user's consent or knowledge
Attacker may attempt to manipulate the Content parameter, changing it to point at the Boot.ini system file.
CSRF flow diagram (participants: Victim, WebMail, Bank.com, Wireless Router, Evil.org):
1) User browses page with malicious content
2) Script (or link) is downloaded and executed in browser
3) Money Transferred
4) Money Withdrawn
Security Testing Technologies... Combination of the Two Delivers Comprehensive Solution
Static Code Analysis = Whitebox: scanning source code for security issues
Coverage diagram: Total Potential Security Issues; Static Analysis; Dynamic Analysis; Complete Coverage (the two combined)
AppScan: roles, activities and products
Compliance Officers: review compliance reports. AppScan Enterprise (ASE) Web Based Views (BB & WB)
Management: review most common security issues; view trends; assess risk. AppScan Enterprise (ASE) Web Based Views (BB & WB)
QC, CQ: publish security defects. AppScan Enterprise Integration
QA & Accessibility: conduct quality / privacy / accessibility tests; publish findings for remediation/trending. AppScan Enterprise Web Based Views (BB); Policy Tester Module in ASE (BB); AppScan Tester Edition for RQM (BB)
Security specialists: conduct security assessments; publish findings for remediation/trending. AppScan Standard Edition Desktop (BB); AppScan Enterprise Web Based Views (WB & BB); Source Edition Desktop (WB) for Assessments
Desired Profile