Web Application Testing with AppScan Terry Labach


"If you spend more on coffee than on Web application security, you will be hacked. What's more, you deserve to be hacked" - Richard Clarke, Former White House Advisor on Cyberterrorism and Cybersecurity
2010 The Sky’s the Limit

Introduction
- What are the issues?
- How can UW support secure Web application development?
- How can involved parties work together?

Outline
- The state of affairs
- Risks and attacks
- AppScan at UW
- AppScan scanning example
- Software engineering for the web
- Questions

Web application security is no longer optional
- UW administration concerned about last IT audit
- IT professionalism now includes security

The old Web
"First we thought the PC was a calculator. Then we found out how to turn numbers into letters with ASCII -- and we thought it was a typewriter. Then we discovered graphics, and we thought it was a television. With the World Wide Web, we've realized it's a brochure." - Douglas Adams

The new Web

The new Web
- Shopping mall, office, movie theatre, communications hub, self-marketing firm
- We are expected to make more services available on the web
- Financial, medical, personal information increasingly used in web transactions
- Clients interact with our internal systems

Risks on the new Web

Risks
- Theft of personal information
- Identity theft
- Financial losses
- Intellectual property losses
- Damage to UW's reputation
- Legal requirements to notify breach victims

Vulnerabilities
- Technical: OS and server design flaws
- Logical: application logic design flaws; failing to account for malicious or incompetent users

Attacks
- Technical: XSS, SQL injection
- Logical: authorization errors

SQL injection

Cross-site scripting

Authentication and authorization errors
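The technical attacks listed above (SQL injection, XSS) come from untrusted input reaching an interpreter. As an added example, not taken from the slides or from AppScan, here is the flaw AppScan reports as SQL injection in a login lookup, beside the parameterized form that fixes it, run against a constructed in-memory SQLite table (the user names and passwords are made up for the example; only "jsmith"/"demo123" echoes the demo credentials on the slides).

```python
import sqlite3


def make_db():
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("jsmith", "demo123"), ("admin", "PLACEHOLDER-PASSWORD")],
    )
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    # Vulnerable form: input is pasted into the SQL text, so a quote in the
    # input changes the structure of the query instead of being compared as data.
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    # Hardened form: placeholders bind the input as values; the query structure
    # is fixed at parse time, so the same probe matches no row.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    conn = make_db()
    # The kind of tautology a scanner's test phase sends to detect the flaw.
    probe = "' OR '1'='1"
    return {
        "valid_unsafe": login_unsafe(conn, "jsmith", "demo123"),
        "valid_safe": login_safe(conn, "jsmith", "demo123"),
        "probe_unsafe": login_unsafe(conn, probe, probe),  # every row "logs in"
        "probe_safe": login_safe(conn, probe, probe),      # no row matches
    }


if __name__ == "__main__":
    print(demo())
```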

Why scan?
- Mimics the attack of the hacker
- No substitute for proper application development

Scanning methods
- Manual
- Automatic

Scanning methods: manual
- Penetration ("pen") testing
- Requires a human expert
- Slow, error-prone
- Can be insightful

Scanning methods: automatic
- Faster
- Complete list of tests
- Not as perceptive as a human tester

What scanning can do
- Black box scanning
- Works with any language, application server, or web server

What scanning can't do
- White box scanning (can't help with source code issues without additional software)
- Can't be integrated early in the development process
- Requires a functional web site

IST Web application testing

AppScan
- IBM product
- Selected by IST in 2009 to provide testing services
- IST staff will scan your web application as part of your testing process
- No charge

Preparing your site for testing
- Test instance of the application
- Be ready for disaster: backups of all code and data
- Allow access to the scan server (firewall, .htaccess)
- Method to recreate the web site

The scanning process
- Explore: spider traverses the site and learns about its structure
- Test: attacks made on the site
- Report findings

AppScan demonstration
- IBM provides a sample web application to test: Altoro Mutual, http://demo.testfire.net
- User: jsmith
- Password: demo123

Running AppScan
- URL
- Scan wizard
- Login method:
  - Recorded - go through the login process for the scan
  - Prompt - record the initial location, then enter credentials as needed
  - Automatic - use the entered name and password when required
  - None - when authentication is not used (or ignored)
- Test policy

Running AppScan
- Complete scan:
  - Full auto scan
  - Auto explore
  - Manual explore (embedded browser): allows limiting the scan to part of the site or ensuring it follows a set path
  - Scan later (scheduled)
  - Scan expert: does a short scan to evaluate settings, may suggest configuration changes

Running AppScan
- Scan results
- Views
- Reports: remediation, regulatory, OWASP, custom

Thoughts on software engineering for the web
- Basic SE principles still apply
- Development-Test-Production environments
- Use commercial solutions rather than coding your own where reasonable
- Application development must be planned and managed

Thoughts on software engineering for the web
- Add security from the beginning
- Publish only desired files
- Define what is good input and limit to that, rather than trying to strip out bad input
- "Good enough" isn't: the risks are too great
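The advice to define good input rather than strip out bad input, shown as an added example that is not from the slides: allowlist rules for three made-up form fields (username, account, amount) that reject anything not matching, beside a strip-out function of the kind the slide argues against, which leaves a usable tag behind when the bad token is nested inside itself.

```python
import re
from decimal import Decimal, InvalidOperation

# Allowlist: each field states exactly what good input looks like.
# Field names and formats are assumptions for the example.
RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{1,32}"),
    "account": re.compile(r"[0-9]{8,12}"),
    "amount": re.compile(r"[0-9]{1,9}(\.[0-9]{1,2})?"),
}


def validate(field, value):
    """Return the accepted value (Decimal for amounts), or None if rejected."""
    rule = RULES.get(field)
    if rule is None or not isinstance(value, str) or rule.fullmatch(value) is None:
        return None
    if field == "amount":
        try:
            amount = Decimal(value)
        except InvalidOperation:
            return None
        # The regex fixes the shape; the range check is the second half of "good".
        return amount if amount > 0 else None
    return value


def strip_bad(value):
    # Denylist approach: delete one token believed to be bad and keep the rest.
    # Removing "<script>" once from "<scr<script>ipt>" reassembles "<script>".
    return value.replace("<script>", "")


def demo():
    return {
        "good_user": validate("username", "jsmith"),
        "tag_user": validate("username", "<script>"),
        "nested_after_strip": strip_bad("<scr<script>ipt>"),
        "amount_ok": validate("amount", "10.50"),
        "amount_negative": validate("amount", "-10"),
        "amount_zero": validate("amount", "0.00"),
        "account_short": validate("account", "1234"),
        "account_ok": validate("account", "123456789"),
    }


if __name__ == "__main__":
    print(demo())
```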

References
- IBM AppScan: http://www.ibm.com/software/awdtools/appscan/standard/
- OWASP: http://www.owasp.org
- IST IT Security team: http://ist.uwaterloo.ca/security/
- Quotation of the Day: http://quotationofthedaylist.blogspot.com/

Questions?
