
Penetration Testing by Brad Arkin Scott Stender and Gary McGraw



  1. Penetration Testing by Brad Arkin, Scott Stender and Gary McGraw
     Computer Security: Art and Science

  2. Topics
     • Introduction
     • Penetration Testing Today
     • Better Approach
     • Summary/Conclusion

  3. Introduction
     • Testing for positives
     • Security testing
     • Test for negatives

  4. Penetration Testing Today
     • Attractive late life cycle activity
     • A too-little, too-late attempt to tackle security.
     • The use of security requirements, abuse cases, security risk knowledge, and attack patterns in application design, analysis and testing is missing.

  5. Penetration Testing Today (contd)
     • Attractive late life cycle activity
     • Results Interpretation
     • A list of flaws, bugs and vulnerabilities
     • Doesn’t factor in the time-boxed nature of late lifecycle assessments.
     • Penetration testing as a way to declare victory

  6. Penetration Testing in SDLC

  7. A Better Approach
     • Base the testing activities on the security findings discovered and tracked from the beginning of the development life cycle.
     • Structure test according to perceived risk and offer some kind of metric relating risk measurement to software security’s posture at the time of the test.
     • Make Use of Tools
        • Use static analysis tools
        • Use dynamic analysis tools

  8. A Better Approach (contd)
     • Benefits of Tools
        • Tools can perform the routine work needed for basic software security analysis.
        • Tool output lends itself to metrics, which software development teams can use to track progress over time.

  9. A Better Approach (contd)
     • Test more than once
        • Test at the feature, component, unit and system level
        • Tests should attempt unauthorized misuse of, and access to, target assets as well as try to violate any assumptions the system might make relative to its components

  10. A Better Approach (Contd)
     • Test more than once
        • Component level testing
           • Use static and dynamic tools uniformly at the component level.
           • The tool design should reflect the security test’s goal: to misuse the component’s assets, violate intercomponent assumptions, or probe risks.
        • Unit testing
           • Breaks system security down into several discrete parts

  11. A Better Approach (contd)
     • Test more than once
        • System level testing
           • System-level testing focuses on identifying intercomponent issues and assessing the security risk inherent at the design level.
           • If a component assumes that only trusted components have access to its assets, security testers should structure a test to attempt direct access to that component from elsewhere.
           • Focus on aspects of the system that couldn’t be probed during unit testing.

  12. A Better Approach (Contd)
     • Integrate with development life cycle
        • The most common problem with penetration testing is the failure to identify lessons to be learned and propagated back into the organization’s SDLC.
        • Mitigation strategy
           • Rather than simply fixing identified bugs, developers should perform a root-cause analysis of the identified vulnerabilities.
           • Developers and architects should devise mitigation strategies to address the identified vulnerabilities and any similar vulnerability in the code base.
           • Buffer overflow example

  13. A Better Approach (Contd)
     • Integrate with development life cycle
        • Use test result information to measure progress against a goal.
        • Add tests for the mitigated vulnerability to the automated test suites
        • Employ iterative security penetration tests
           • Reveals fewer and less severe flaws in the system.

  14. Summary
     • Penetration testing is the most commonly applied mechanism used to measure software security, but it’s also the most misapplied.
     • Apply penetration testing at the unit and system level, derive test cases from risk analysis, and incorporate the results back into the development life cycle.
     • Integrate penetration testing into the development process to improve design, implementation and deployment practices.
     • Questions/Comments ???
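
Slides 12 and 13 call for a root-cause mitigation of a buffer overflow and for adding a test for the mitigated vulnerability to the automated test suite. The C code below is an added example, not material from the presentation; `set_name`, `NAME_MAX_LEN`, the canary layout and the assumed root cause (an unchecked copy into a fixed-size field) are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define NAME_MAX_LEN 16  /* hypothetical field size, terminator included */

/* Hypothetical mitigated helper. Root cause assumed for illustration: an
 * unchecked copy into a fixed-size field. The length check lives in the one
 * shared helper so every caller gets it. Returns 0 on success, -1 if the
 * input is missing or does not fit (rejected, never truncated). */
int set_name(char dst[NAME_MAX_LEN], const char *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL)
        return -1;
    while (n < NAME_MAX_LEN && src[n] != '\0')
        n++;
    if (n == NAME_MAX_LEN)          /* no room left for the terminator */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Field followed by a canary so an out-of-bounds write is observable. */
struct guarded { char name[NAME_MAX_LEN]; unsigned char canary[8]; };

/* Regression cases around the boundary. Returns the number of failing
 * cases, a count the team can track from build to build. */
int run_overflow_regression(void)
{
    static const size_t lens[] = { 0, 1, NAME_MAX_LEN - 1, NAME_MAX_LEN,
                                   NAME_MAX_LEN + 1, 4 * NAME_MAX_LEN };
    int failures = 0;
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        char input[4 * NAME_MAX_LEN + 1];   /* constructed test input */
        struct guarded g;
        memset(input, 'A', lens[i]);
        input[lens[i]] = '\0';
        memset(&g, 0, sizeof g);
        memset(g.canary, 0xA5, sizeof g.canary);
        int rc = set_name(g.name, input);
        int expected = lens[i] < NAME_MAX_LEN ? 0 : -1;
        if (rc != expected || (rc == 0 && strlen(g.name) != lens[i]))
            failures++;
        for (size_t k = 0; k < sizeof g.canary; k++)
            if (g.canary[k] != 0xA5) { failures++; break; }
    }
    return failures;
}
```

Running `run_overflow_regression()` in every build keeps the fix from regressing, and its failure count is the kind of tool output slide 8 describes as usable for metrics.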
