Visa's CISP PABP (PowerPoint presentation transcript)
![Page 1: Agenda](https://reader035.vdocuments.mx/reader035/viewer/2022070410/568145b0550346895db2aed8/html5/thumbnails/1.jpg)
Agenda
1. Application Assessments: PABP vs. Penetration Test / Code Review
2. Introduction to Application Security Methodology
3. Case Examples
4. Conclusions
Application Assessments: PABP vs. Penetration Test / Code Review
Visa CISP PABP
Visa's CISP (Cardholder Information Security Program) PABP (Payment Application Best Practices): a voluntary compliance program for payment applications, which validates them against a set of best practices.
Payment Application Best Practice
What is a payment application: PABP applies to any third-party payment application used by a merchant or service provider that is involved in the authorization and settlement of credit or debit card transactions.
What are best practices: recommended practices for software vendors to create secure payment applications that help their customers comply with CISP / PCI.
Requirements
1. Do not retain full magnetic stripe or CVV2 data
2. Protect stored data
3. Provide secure password features
4. Log application activity
5. Develop secure applications
6. Protect wireless transmissions
7. Test applications to address vulnerabilities
8. Facilitate secure network implementation
9. For Internet-based applications, store cardholder data in internal network only
10. Facilitate secure remote software updates
11. Facilitate secure remote access to application
12. Encrypt sensitive traffic over public networks
13. Encrypt internal administrative access
Application Penetration Test/Code Review
Application penetration test: a thorough security assessment to determine whether an application is vulnerable to application-level attacks from both external “hackers” and malicious authorized users. The aim is to identify the maximum number of vulnerabilities that may be present in the application.
Code review: a detailed line-by-line analysis of source code whose goal is to identify the coding errors that lead to application vulnerabilities.
PABP Methodology
Interviews and questionnaires completed by client personnel (e.g. developers, support staff and managers)
Thorough functional and security testing of the application
Review of the application’s operating files, logs, databases, and storage of cardholder information
Application Pen Test Methodology
Authentication and Authorization
• Unlimited Login Attempts
• Insufficient Authentication
• Insufficient Authorization
Session Management
• Session Prediction
• Session Hijacking
• Session Replay
• Insufficient Session Expiration
Injection
• OS Command Injection
• SQL Injection
• Cross-site Scripting
• LDAP Injection
• HTML Injection
Logical Attacks
• Abuse of Functionality
Cryptography
• Algorithm
• Key Management
Data Protection
• Transport
• Storage
Information Disclosure
• Directory Indexing
• Path Traversal
• Verbose Error Messages
• HTML Comments
Buffer Overflow
• Stack-based
• Heap-based
• Format String
• Integer Overflow/Underflow
Code Review Methodology
Buffer overflow conditions
Unintended operation
Dynamic content creation issues
Potential manipulation of variables
Potential acceptance of external scripts or inputs
Failure conditions
Cryptographic weaknesses
Manipulation of back-end services or calls
SQL insertion (SQL injection)
Command Re-direction
Tools: Automated vs. Manual
Automated
• Fast, especially for large applications
• Good at finding low-hanging fruit
• Easy to use
• Somewhat extensible, but extending them increases the learning curve
• Expensive
• Fallible: no human intelligence behind it
Manual
• Inexpensive
• Very extensible: scripts can call other scripts
• As intelligent as the human using it
Best used in conjunction with one another.
Tool Examples:
Non-web-based: Insure, Code Wizard, J-Test, Holodeck, BugScan, Filemon, Regmon, APISpy, IDA Pro, SoftICE
Web-based: Wget, Paros, AppScan, WebDetective, SOATest, Burp Suite, WebProxy, FxCop (free from Microsoft), Spike Proxy, Absinthe, Nikto
Combination: Spike, findstr and Ildasm, File-Fuzzer (fuzzers in general)
Test Cases
Payment Application Best Practices:
Point of Sale System
VMware as a test environment
Tracking Read/Write Events
Enter data
Where does the app write data?
Is the data encrypted?
PAYMENT 10027
AUTHAMT 22.50
BATCHAMT 23.79
BATCHTIP 0.00
CARDTYPE VISA
CARD 4227331003328562
EXP 0307
TRACK1 %B4227331003328562^GATES/COURTNEY F.MS^07031011000000397000000?
TRACK2 ;4227331003328562=070310110000397?
REF 138
APPROVED YES
AUTH 012064
INFO E,0001,00,120304,135836,5,094338683164532,K35X
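What a reviewer does with a record like the one above, as an added example that is not part of the original presentation: a small Python scanner that reads the files the application was seen writing (here, a constructed copy of the slide's record embedded in the script) and flags anything that looks like a PAN or full track 1/track 2 data. Every 13 to 19 digit run is Luhn-checked, so the timestamps and terminal identifier in the INFO line are not reported, and the findings are mapped onto PABP requirements 1 and 2. The regular expressions, the track field layout they assume and the requirement mapping are the example's own assumptions, not the presenter's tooling.

```python
import re

# Constructed sample input: the plaintext transaction record shown on the
# "Is the data encrypted?" slide, re-typed here as test data. It is not
# read from a real POS system.
SAMPLE_RECORD = """PAYMENT 10027
AUTHAMT 22.50
BATCHAMT 23.79
BATCHTIP 0.00
CARDTYPE VISA
CARD 4227331003328562
EXP 0307
TRACK1 %B4227331003328562^GATES/COURTNEY F.MS^07031011000000397000000?
TRACK2 ;4227331003328562=070310110000397?
REF 138
APPROVED YES
AUTH 012064
INFO E,0001,00,120304,135836,5,094338683164532,K35X
"""

# Track 1: %<format code><PAN>^<name>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%[A-Z](\d{13,19})\^[^^?]{2,26}\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# Any 13-19 digit run that is not part of a longer digit run: a PAN candidate
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by the card schemes; drops most non-PAN
    digit runs such as timestamps and terminal IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str):
    """Return (findings, rejected). A finding records the line number, the
    kind of data (TRACK1, TRACK2 or PAN) and the masked PAN; rejected lists
    digit runs that looked like PANs but failed the Luhn check."""
    findings, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = TRACK1_RE.search(line)
        if m and luhn_ok(m.group(1)):
            findings.append({"line": lineno, "kind": "TRACK1",
                             "pan": mask_pan(m.group(1)), "exp": m.group(2)})
            continue
        m = TRACK2_RE.search(line)
        if m and luhn_ok(m.group(1)):
            findings.append({"line": lineno, "kind": "TRACK2",
                             "pan": mask_pan(m.group(1)), "exp": m.group(2)})
            continue
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(0)):
                findings.append({"line": lineno, "kind": "PAN",
                                 "pan": mask_pan(m.group(0)), "exp": None})
            else:
                rejected.append(m.group(0))
    return findings, rejected


def pabp_violations(findings):
    """Map findings onto the PABP requirements they break (assumed mapping)."""
    reqs = set()
    for f in findings:
        if f["kind"] in ("TRACK1", "TRACK2"):
            reqs.add("1: full magnetic stripe data retained")
        if f["kind"] == "PAN":
            reqs.add("2: stored PAN not protected")
    return sorted(reqs)


if __name__ == "__main__":
    found, rej = scan_text(SAMPLE_RECORD)
    for f in found:
        print(f"line {f['line']}: {f['kind']} {f['pan']}")
    print("Luhn-rejected candidates:", rej)
    print("PABP requirements violated:", pabp_violations(found))
```

On the slide's record this reports the CARD line as a clear-text PAN and both TRACK lines as full magnetic stripe data, while the 15-digit value in the INFO line is rejected because it fails Luhn. A record that stores only a masked PAN (422733******8562) produces no findings, which is the state a compliant application should leave on disk.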
Test Cases
Application Testing
Source Code Review
Performing Text Searches
Search for hard-coded strings: scan through the code for common string patterns such as "key", "secret", "password", "pwd" and "connectionstring".
For example, to search for the string "password" in the Web directory of the application, use the Findstr tool from a command prompt as follows:
findstr /S /M /I /d:c:\projects\yourweb "password" *.*
(/S searches subdirectories, /M prints only the names of the matching files, /I ignores case, and /D: names the directory to search.)
Automating Findstr
Automate searches for hard-coded strings: create a text file with the common search strings, one per line. Findstr then reads the search strings from that file (/G:) and prefixes each match with its line number (/N). Run the following command from a directory that contains .aspx files:
findstr /N /G:SearchStrings.txt *.aspx
Text searches in binary assemblies
Use the Findstr command in conjunction with the ildasm.exe utility to search binary assemblies for hard-coded strings. The /text switch makes ildasm write the disassembly to the console instead of opening its GUI; piping it through findstr ldstr keeps only the string-load instructions, i.e. the literal strings compiled into the assembly. Example:
Ildasm.exe secureapp.dll /text | findstr ldstr
IL_000c: ldstr "RegisterUser"
IL_0027: ldstr "@userName"
IL_0046: ldstr "@passwordHash"
IL_0065: ldstr "@salt"
IL_008b: ldstr "Exception adding account. "
IL_000e: ldstr "LookupUser"
IL_0027: ldstr "@userName"
IL_007d: ldstr "SHA1"
IL_0097: ldstr "Exeception verifying password. "
IL_0009: ldstr "SHA1"
IL_003e: ldstr "Logon successful: User is authenticated"
IL_0050: ldstr "Invalid username or password"
IL_0001: ldstr "Server=AppServer;database=users; username='sa' password=password"
The last literal is a database connection string carrying the SQL Server sa account and its password in clear text; the string-literal search surfaces it without any access to source code.