
Agenda


eben




Presentation Transcript


  1. Agenda
     • Application Assessments: PABP vs. Penetration Test / Code Review
     • Introduction to Application Security
     • Methodology
     • Case Examples
     • Conclusions

  2. Application Assessments: PABP vs. Penetration Test / Code Review

  3. Visa CISP PABP
     • Visa’s CISP PABP
     • A voluntary compliance program that validates payment applications against a set of best practices.

  4. Payment Application Best Practice
     • What is a Payment Application: PABP applies to any third-party payment application used by a merchant or service provider that is involved in the authorization and settlement of credit or debit card transactions.
     • What are Best Practices: Recommended practices for software vendors to create secure payment applications that help their customers comply with CISP / PCI.

  5. Requirements
     • Do not retain full magnetic stripe or CVV2 data
     • Protect stored data
     • Provide secure password features
     • Log application activity
     • Develop secure applications
     • Protect wireless transmissions
     • Test applications to address vulnerabilities
     • Facilitate secure network implementation
     • For Internet-based applications, store cardholder data in the internal network only
     • Facilitate secure remote software updates
     • Facilitate secure remote access to the application
     • Encrypt sensitive traffic over public networks
     • Encrypt internal administrative access

  6. Application Penetration Test / Code Review
     • Application Penetration Test
       • A thorough security assessment to determine if an application is vulnerable to application-level attacks from both external “hackers” and malicious authorized users.
       • Identify the maximum number of vulnerabilities that may be present in an application.
     • Code review
       • A detailed line-by-line analysis of source code where the goal is to identify coding errors which lead to application vulnerabilities.

  7. PABP Methodology
     • Interviews and questionnaires completed by client personnel (i.e. developers, support staff, and managers)
     • Thorough functional and security testing of the application
     • Review of the application’s operating files, logs, databases, and storage of cardholder information

  8. Application Pen Test Methodology

  9. Code Review Methodology
     • Buffer overflow conditions
     • Unintended operation
     • Dynamic content creation issues
     • Potential manipulation of variables
     • Potential acceptance of external scripts or inputs
     • Failure conditions
     • Cryptographic weaknesses
     • Manipulation of back-end services or calls
     • SQL Insertion
     • Command Re-direction

  10. Tools: Automated vs. Manual
     • Automated
       • Fast, especially for large applications
       • Good at finding low hanging fruit
       • Easy to use
       • Somewhat extensible, but increases learning curve
       • Expensive
       • Fallible – no human intelligence behind it

  11. Tools: Automated vs. Manual
     • Manual
       • Inexpensive
       • Very extensible – scripts can call other scripts
       • As intelligent as the human using it
     • Best used in conjunction with one another

  12. Tool Examples
     • Non-web-based
       • Insure, Code Wizard, J-Test, Holodeck, BugScan, Filemon, Regmon, APISpy, IDA Pro, SoftICE
     • Web-based
       • Wget, Paros, AppScan, WebDetective, SOATest, Burp Suite, WebProxy, FxCop (free from Microsoft), Spike Proxy, Absinthe, Nikto
     • Combination
       • Spike, findstr and Ildasm, File-Fuzzer (Fuzzers in general)

  13. Test Cases
     • Payment Application Best Practices:
       • Point of Sale System

  14. VMware as a test environment

  15. Tracking Read/Write Events

  16. Enter data

  17. Where does the app write data?

  18. Is the data encrypted?
       PAYMENT   10027
       AUTHAMT   22.50
       BATCHAMT  23.79
       BATCHTIP  0.00
       CARDTYPE  VISA
       CARD      4227331003328562
       EXP       0307
       TRACK1    %B4227331003328562^GATES/COURTNEY F.MS^07031011000000397000000?
       TRACK2    ;4227331003328562=070310110000397?
       REF       138
       APPROVED  YES
       AUTH      012064
       INFO      E,0001,00,120304,135836,5,094338683164532,K35X
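The slide above answers its own question by inspection: the storage file holds the PAN in the clear together with full Track 1 and Track 2 data, which the first PABP requirement says must not be retained at all. The following is an added example, not code from the presentation, of how an assessor can automate that check over an application's operating files. It recognises the ISO 7813 Track 1 / Track 2 record shapes seen on the slide, finds bare PANs and filters them with a Luhn check so reference numbers and timestamps are not reported, and masks every PAN in its output so the report does not itself become a new store of cardholder data. The sample file is constructed for this example and uses the widely published Luhn-valid test number 4111111111111111, not the slide's record.

```python
import re

# ISO 7813 shapes as they appear in a stored authorization record:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code>...?
#   Track 2: ;<PAN>=<YYMM><service code>...?
# A bare PAN is 13-19 digits not adjacent to other digits.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: drops digit runs (batch ids, timestamps, trace numbers) that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits in anything the scanner writes out."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_storage(text: str) -> list:
    """Report each cardholder-data element in one storage file with its line number.

    'track1' / 'track2' findings are full magnetic stripe data, which must not be
    retained after authorization at all; a 'pan' finding is a bare Luhn-valid PAN,
    which must be protected (encrypted or truncated) if it is stored.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        covered = []  # spans already reported as track data on this line
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                covered.append(m.span())
                findings.append({"line": lineno, "kind": kind, "pan": mask_pan(m.group(1))})
        for m in PAN_RE.finditer(line):
            inside_track = any(s <= m.start() and m.end() <= e for s, e in covered)
            if inside_track or not luhn_ok(m.group(1)):
                continue
            findings.append({"line": lineno, "kind": "pan", "pan": mask_pan(m.group(1))})
    return findings


# Constructed sample of a POS storage record (same layout as the slide, test PAN only).
SAMPLE_STORAGE = """\
PAYMENT 10027
AUTHAMT 22.50
CARDTYPE VISA
CARD 4111111111111111
EXP 2512
TRACK1 %B4111111111111111^DOE/JANE^25121011000000000000?
TRACK2 ;4111111111111111=25121011000000000000?
REF 138
INFO E,0001,00,120304,135836,5,094338683164532,K35X
"""

if __name__ == "__main__":
    for f in scan_storage(SAMPLE_STORAGE):
        print(f"line {f['line']:>3}  {f['kind']:<7} {f['pan']}")
```

On the constructed record the scanner reports the CARD line as a bare PAN and the TRACK1 and TRACK2 lines as full magnetic stripe data, while the 15-digit trace number on the INFO line fails the Luhn check and is ignored. Pointing the same function at the files, logs and database exports listed in the PABP methodology slide gives a repeatable check for the first requirement rather than a one-off visual inspection.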

  19. Test Cases
     • Application Testing
     • Source Code Review

  20. Performing Text Searches
     • Search for Hard-Coded Strings
     • Scan through the code for common string patterns such as "key", "secret", "password", "pwd", and "connectionstring".
     • For example, to search for the string "password" in the Web directory of the application, run the Findstr tool from a command prompt:
       findstr /S /M /I /d:c:\projects\yourweb "password" *.*

  21. Automating Findstr
     • Automate Searches for Hard-Coded Strings
     • Create a text file with common search strings.
     • Findstr can then read the search strings from the text file.
     • Run the following command from a directory that contains .aspx files:
       findstr /N /G:SearchStrings.txt *.aspx

  22. Text searches in binary assemblies
     • Use the Findstr command in conjunction with the ildasm.exe utility to search binary assemblies for hard-coded strings
     • Example:
       Ildasm.exe secureapp.dll /text | findstr ldstr
       IL_000c: ldstr "RegisterUser"
       IL_0027: ldstr "@userName"
       IL_0046: ldstr "@passwordHash"
       IL_0065: ldstr "@salt"
       IL_008b: ldstr "Exception adding account. "
       IL_000e: ldstr "LookupUser"
       IL_0027: ldstr "@userName"
       IL_007d: ldstr "SHA1"
       IL_0097: ldstr "Exeception verifying password. "
       IL_0009: ldstr "SHA1"
       IL_003e: ldstr "Logon successful: User is authenticated"
       IL_0050: ldstr "Invalid username or password"
       IL_0001: ldstr "Server=AppServer;database=users; username='sa' password=password"
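Slides 20 to 22 describe one technique in three forms: grep source for a list of secret-related keywords, read that list from a file, and run the same search over the string literals of a compiled assembly. The following is an added example, not code from the presentation, that implements the whole procedure in a portable way so the search runs the same on a Windows build tree and on a Unix review box. It reads a SearchStrings.txt-style list, reports matching source lines with their line number as findstr /N /I /G: would, extracts printable runs from a binary the way ildasm's ldstr listing or strings(1) exposes embedded literals, and adds one thing the slides do not: it distinguishes a keyword that is assigned a quoted literal (a real hard-coded secret) from a keyword that merely appears in an identifier such as passwordHash, which is usually noise. The C# fragment, the binary blob and the credential values in them are constructed for this example.

```python
import re
import string

# The default list from slide 21; a SearchStrings.txt file can replace it.
DEFAULT_SEARCH_STRINGS = ["key", "secret", "password", "pwd", "connectionstring"]

# A keyword-bearing identifier followed by = or : and a quoted literal is a
# stronger signal than the keyword appearing anywhere on the line.
LITERAL_RE = re.compile(r'(?i)(\w*(?:key|secret|password|pwd|connectionstring)\w*)\s*[=:]\s*"([^"]*)"')


def load_search_strings(text: str) -> list:
    """Parse a SearchStrings.txt-style file: one pattern per line, blank lines ignored."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def search_text(text: str, patterns=DEFAULT_SEARCH_STRINGS) -> list:
    """findstr /N /I /G:SearchStrings.txt equivalent with a confidence tag.

    Returns (line number, 'literal' | 'mention', stripped line) for every line that
    contains any pattern case-insensitively.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        low = line.lower()
        if not any(p.lower() in low for p in patterns):
            continue
        kind = "literal" if LITERAL_RE.search(line) else "mention"
        hits.append((lineno, kind, line.strip()))
    return hits


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Pull printable ASCII runs of at least min_len bytes out of a binary blob."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    out, run = [], bytearray()
    for b in data:
        if b in printable:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def search_binary(data: bytes, patterns=DEFAULT_SEARCH_STRINGS) -> list:
    """ildasm ... | findstr equivalent: embedded literals that contain any pattern."""
    return [s for s in extract_strings(data) if any(p.lower() in s.lower() for p in patterns)]


# Constructed C# fragment for this example, not taken from any real application.
SAMPLE_SOURCE = """\
// constructed fragment for this example only
string cmd = "LookupUser";
string passwordHash = Hash(password, salt);
string connectionString = "Server=AppServer;database=users;uid=svc;pwd=EXAMPLE_ONLY";
const string ApiKey = "EXAMPLE_KEY_0000";
"""

# Constructed stand-in for a compiled assembly: header bytes around a few literals.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"LookupUser\x00"
    + b"@userName\x00"
    + b"Server=AppServer;database=users;uid=svc;pwd=EXAMPLE_ONLY\x00"
    + b"\x01\x02Logon successful: User is authenticated\x00"
)

if __name__ == "__main__":
    for lineno, kind, line in search_text(SAMPLE_SOURCE):
        print(f"source:{lineno} [{kind}] {line}")
    for s in search_binary(SAMPLE_BINARY):
        print(f"binary  [literal] {s}")
```

On the constructed input the source scan reports line 3 as a mention (passwordHash is computed, not hard-coded) and lines 4 and 5 as literals, and the binary scan surfaces only the embedded connection string, which is the finding the slide's ldstr listing ends on. Triaging by the literal/mention tag first lets a reviewer of a large code base reach the real hard-coded credentials before wading through every variable name that happens to contain "key".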
