Advanced penetration testing - Amarendra Godbole
- 2. The next 60 minutes or so...
• Introduction
• Why “Advanced”?
• Let’s rock! (aka Steps)
• The standards – CWE, CVSS v2, etc.
• Conclusion
• References, Contacts, etc.
- 3. Security and Quality
• Security must be built “ground-up”
• Cannot be “bolted-on” to the application
• Determines overall quality of the application
Security == Quality
- 4. Penetration Testing
• Closely approximate an attacker’s behavior
• Find security issues in an application
• Time-bound
• Leverages knowledge of the pen-tester
• Scoped
- 5. Challenges
• Largely difficult to model an attacker’s mentality
• Security skills are “acquired” over time
• Both affect efficiency and coverage
- 6. Advanced?
• Systematic steps
• Focus on innovation as well as tools
• Deliver a standardized closure
• Use standard ratings
• Use standard vulnerability buckets
- 7. (I) Planning
• Set expectations (helps accurate scoping)
• Estimate approximate effort (helps create timeline)
• Obtain required approvals
• Active or passive scan?
• Decide points of contact
- 8. (II) Reconnaissance
• Understand the application
• Read, read, and read – guides, docs
• “Look around” the application
• May require scanners and similar tools
• Deliver a DFD (data flow diagram)
• Build a “mental model”
• Easy to visualize component interaction
- 9. (III) Decide attack surface
• Scope
• Network-facing components
• User interfaces
• Other “entry points”
• ...
• Optimize time and effort, maximize effectiveness
- 10. (IV) Create attack scenarios
• Threat modeling – find weak spots
• Assets, threats, mitigations
• Use the DFD
• Abuse cases
• Things break at the extremes!
• Creativity counts!
- 11. (V) Tools
• Right tool for the job
• Web console? Burp, ratproxy, WebScarab, …
• Network protocol? Wireshark, nmap, netcat, …
• Take out all “low-hanging” fruit
• May have false positives
- 12. (VI) Craft and conduct attacks
• Divide time according to attack surface
• Network attacks, then local attacks, ...
• Record results – successes and failures
• Keep detailed notes
• Keep the application team informed if required
- 13. (VII) Delivery and Closure
• Formal document
• Capture scope
• Capture security issues found
• Capture mitigated issues
• Recommend fixes
• Score issues – standardized
• CVSS v2
• CWE category
• Indicate approximate timeframe for next pen-test
- 14. References and further reading
• The Art of Software Security Assessment – Dowd, McDonald, et al.
• 24 Deadly Sins of Software Security – Howard, LeBlanc, et al.
• Common Vulnerability Scoring System (CVSS)
• Common Weakness Enumeration (CWE)
• CWE Top 25 Most Dangerous Programming Errors
• Data Flow Diagram