Assumptions
In Information Security several Top 10 lists exist.
OWASP Top 10 is dominant.
Assumptions
OK. What now?
Top 6 = (Top 3) + (we test what we can):
Broken authentication and session management
Unvalidated redirects and forwards
Insecure direct object references
The Problem
Over complexity:
Too much data
Endless attack possibilities
Too many security solutions, vendors, products
No homogeneous approach across the security areas:
system
infrastructure
communication
language
architecture
component
information, any data
physical layer
logical layer
storage device / facility
(communication) channel
interface
encryption
environment
site (including DR)
transaction
log and audit trail
archive
process (operations, ongoing, development)
Assets:
system
infrastructure
communication
language
architecture
component
information, any data
physical layer
logical layer
storage device / facility
(communication) channel
interface
encryption
environment
site (including DR)
transaction
log and audit trail
archive
process (operations, ongoing, development)
Threats:
Takeover
Data theft
Data tampering
System integrity disruption
Business Logic manipulation
Eavesdropping
Backdoors built in by design
Backdoors creation by attackers
Unintentional attacks
Intentional by authorized entities
Attacks by non-human entities
Denial of Service
De Facto Denial of Service
Authorization bypass
Access bypass
The Problem
Even the simplified security areas present a demanding challenge. For example, XSS:
Very difficult to detect all variants in modern systems
Almost impossible to retain a high security level once achieved
Common Solutions
Superficial security tests. Many good reasons:
Budget
Time constraints
Lack of understanding
Over complexity
Common Solutions
Impacts of superficial security tests in the long run?
Partial to no security
Poor security practices
These organizations affect the security market, pulling it downwards!
Loss of, or partial, integrity of security professionals
Worse still: a false sense of security
Modern Systems
Common Pitfall
Modern systems are more secured. ???
Ignorance is bliss.
Security Testing
How to Test?
This is messy. VERY messy.
There are shortcuts.
How to Test?
Actually most of it is quite easy to test.
Go back to theory.
Forget about the payloads.
How to test?
"Supreme excellence consists in breaking the enemy's resistance without fighting." (Sun Tzu)
Common Mobile WCF architecture
Where is the presentation layer?
Which entities are granted access to business logic?
How to test?
OWASP top 10 mobile:

The databases
The environments
The Data Warehouse specialized security
The Exadata itself

Organization B tested:
Just some deployed databases
Partial security testing for each database
Worse still: Exadata not to be tested, as a policy
The Windows XP Example
Declarative Security
What?
One of the foundations of modern languages' run-time security.
Mostly ignored or bypassed.
Who said: Security Misconfiguration (A5), Missing Function Level Access Control (A7)?
Declarative Security
"Deployment descriptors must provide certain structural information for each component if this information has not been provided in annotations or is not to be defaulted." (Oracle docs.)
Declarative Security
"Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment, that which they cannot anticipate." (Sun Tzu)
Lacking or weak declarative security: once code access is achieved, the extraordinary becomes feasible.
Declarative Security
Poor design due to no design.
Cancelling declarative security, or ignoring it, revokes the language's security fundamentals.
Common real-life deployment descriptors:
// Do what you will. Totally permissive policy file.
grant {
permission java.security.AllPermission;
};
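Added example, not from the original slides: a small Java audit class that asks the running JVM whether the effective policy is as permissive as the grant above, so a reviewer can verify a deployment instead of trusting the descriptor on disk. It assumes a hypothetical application whose code lives in /opt/app/lib/app.jar; the policy text in the leading comment is a constructed least-privilege counterpart to the AllPermission file, and the host and paths in it are placeholders.

```java
// PolicyAudit.java (added example; hypothetical application, paths and host)
//
// Constructed least-privilege replacement for the "grant { AllPermission }" file,
// saved as /opt/app/app.policy. Only the application jar gets grants, and only
// the three things it actually needs:
//
//   grant codeBase "file:/opt/app/lib/app.jar" {
//       permission java.io.FilePermission "/opt/app/data/-", "read";
//       permission java.net.SocketPermission "db.internal.example:5432", "connect,resolve";
//       permission java.util.PropertyPermission "app.*", "read";
//   };
//
// Run with the policy REPLACING (==) the JDK default rather than appending (=) to it:
//   java -Djava.security.manager -Djava.security.policy==/opt/app/app.policy PolicyAudit
// Add -Djava.security.debug=access,failure to have every denied check logged.

import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.AllPermission;
import java.security.Permission;

public class PolicyAudit {

    /** True if the calling code's protection domains currently hold the permission. */
    static boolean granted(Permission p) {
        try {
            AccessController.checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        if (System.getSecurityManager() == null) {
            System.out.println("FAIL: no SecurityManager installed; the policy file is never consulted.");
            return;
        }
        // The one check that matters most: is the "do what you will" policy in effect?
        boolean allPerm = granted(new AllPermission());
        System.out.println(allPerm ? "FAIL: AllPermission granted (totally permissive policy)"
                                   : "OK: AllPermission denied");

        // Spot checks against what the least-privilege policy should allow and deny.
        System.out.println("read app data:    " + granted(new FilePermission("/opt/app/data/x.csv", "read")));
        System.out.println("write /etc:       " + granted(new FilePermission("/etc/passwd", "write")));
        System.out.println("connect anywhere: " + granted(new SocketPermission("*", "connect")));
    }
}
```

This applies to JVMs that still honour a SecurityManager: it is deprecated from Java 17 and permanently disabled in JDK 24, so on newer runtimes the first branch always fires and the access control has to live elsewhere (container descriptors, OS sandboxing).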
2013-A5 Security Misconfiguration
There is no external access!
The intended users will only perform intended actions.
Virtualization
Separation
2013-A5 Security Misconfiguration
Critical Thinking
Every asset row below is marked "Any": any asset, any threat.
Assets:
system
infrastructure
communication
language
architecture
component
information, any data
physical layer
logical layer
storage device / facility
(communication) channel
interface
encryption
environment
site (including DR)
transaction
log and audit trail
archive
process (operations, ongoing, development)
Threats:
Takeover
Data theft
Data tampering
System integrity disruption
Business Logic manipulation
Eavesdropping
Backdoors built in by design
Backdoors creation by attackers
Unintentional attacks
Intentional by authorized entities
Attacks by non-human entities
Denial of Service
De Facto Denial of Service
Authorization bypass
Access bypass
Critical Thinking
Critical thinking is the ability to think clearly and rationally. This requires reflective and independent thinking. (Philosophy field)
For organizations, security is too difficult: over complexity, too much to orchestrate, etc.
Increasingly often we are requested to test much less than the actual scope.
Some organizations will not be educated.
Push the industry back up with those organizations that can be educated.
Critical Thinking
For the security professionals, security is a challenge. Hence, always employ critical thinking and review the process of testing itself.
Flexibility under varying technologies
Use automated testing tools to the max AND always be aware of their limitations
Scoping accurately is mandatory
Questions?