![Page 1: Test Design Techniques in Security Testing · Test Design Techniques in Security Testing by Artem Vasiuk. Artem Vasiuk ... TestCon Workshop - TestDesign - A.Vasiuk Created Date: 10/18/2019](https://reader033.vdocuments.mx/reader033/viewer/2022060418/5f159ce35f1e4d1e230721cf/html5/thumbnails/1.jpg)
Test Design Techniques in Security Testing
by Artem Vasiuk
Page 2: About Me
Artem Vasiuk
• From Ukraine. Lives in Denmark
• In testing since 2004
• Test Manager in Scalepoint
Page 3: About Workshop
In Scope
• Where to start & where to go
• How to design security checklists
• Process maturity levels
• Practical challenges
Page 4: About Workshop
Out of Scope
• Hacking or cracking techniques
• Pentesting
Page 5: Why Security?
Reasons
• The breach rate is increasing
• More cracking tools & knowledge are available
• Area for personal growth
• Career opportunity
Page 6: Why Security?
Needed effort
• Part of quality
• Non-functional requirement
• White-hat hacker mindset
Page 7: Why Security?
Continuous effort
• "We are secure" is not a permanent state
• "We use an external component" is not an excuse
• Team effort
Page 8: Why Security?
Meet hackers (expected)
Page 9: Why Security?
Meet hackers (actual)
Jake Davies, 18 (and his mum)
Ryan Cleary, 19 (and his mum)
Page 10: Principles and Techniques
Page 11: Principles
• Build tactics and strategy
• Define the scope of security testing
• Integrate into the SDLC
• No silver bullet
Page 12: Techniques
• Review and Inspection [on Requirements]
• Threat Modelling [on Design]
• Code Analysis (SAST) [on Development]
• Penetration Testing (DAST) [on Testing]
Page 13: Process Maturity
Let's talk about...
[Figure: maturity Levels 1 to 3 plotted against the Req, Dev, Test and Rel phases]
Page 14: Process Maturity Levels
• AdHoc: Learn as you go
• Controlled: Organise your efforts
• Efficient: Improve what you know
• Optimising: Integrate the knowledge
Page 15: AdHoc
What does AdHoc mean?
• "For this situation"
• "Done for a particular purpose as necessary"
• "Informal testing with an aim to break"
Page 16: AdHoc
Testing WebApp architecture
• Logic flows and flaws
• Types of UI controls
• User input validation
• URL & body of HTTP requests/responses
• HTTP methods
Page 17: AdHoc
Typical attack vectors
• OWASP Top 10
• Bypassing validation
• Parameter tampering
• Impersonation
Page 18: Challenge #1
Practice
Explore JuiceShop for security flaws
URL: https://www2.owasp.org/www-project-juice-shop/
Page 19: AdHoc
What's needed for AdHoc?
People with knowledge and skills
Page 20: Process Maturity Levels (recap of page 14)
Page 21: Controlled
What does Control mean?
The power to influence people's behaviour or the course of events.
Page 22: Controlled
OWASP Testing Guide
• Process overview
• Test cases
• Examples
• Follow and adjust to your own needs
• Educate yourself and your team
Page 23: Challenge #2
Practice
Design a 5-step security checklist for sanity checks
URL: https://www.owasp.org/index.php/Testing_Checklist
Page 24: Challenge #3
Practice
Apply the security checklist to JuiceShop
Page 25: Controlled
Definition of Done
The acceptance criteria that are common to every single user story.
• Code reviewed
• Verified in test environment
• Automated tests written and passed
• Regression testing completed
• Functionality is Security Verified
Page 26: Controlled
What's needed to have Control?
People working within Process
[Figure: People + Process]
Page 27: Small Follow-up
What did we talk about?
• Security is a part of product quality
• Testing without specific goals is non-productive
• Sanity checklists improve your process
• Consider security when you say "Done"
Page 28: Process Maturity Levels (recap of page 14)
Page 29: Efficient
Application Security Verification Standard (ASVS)
A framework of security requirements that focuses on normalising the functional and non-functional security controls required when designing, developing and testing modern web applications.
• Level 0 Cursory
• Level 1 Opportunistic
• Level 2 Standard
• Level 3 Advanced
Page 30: Challenge #4
Practice
Map a security checklist to similar ASVS controls
URL: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
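As an added example (not from the workshop or from OWASP), the five-step sanity checklist of Challenge #2 expressed as checks that run over the headers of one captured response, each step tagged with the ASVS section it supports as Challenge #4 asks. The sample headers are constructed, and the ASVS section names are from the 4.0 edition as I recall them.

```python
import re
WEAK_HEADERS = {  # constructed sample, not captured from Juice Shop
    "X-Content-Type-Options": "nosniff",
    "Server": "Express/4.17.1",
    "Set-Cookie": "session=abc123; Path=/; HttpOnly",
}
HARDENED_HEADERS = {  # constructed: what the same endpoint should send
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Server": "nginx",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
}

def cookie_attrs(set_cookie):
    """Map the attributes of one Set-Cookie value, keys and values lower-cased."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:  # parts[0] is the name=value pair itself
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    return attrs

def framing_restricted(h):
    return (h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
            or "frame-ancestors" in h.get("content-security-policy", "").lower())

def no_version_disclosure(h):
    banner = h.get("server", "") + " " + h.get("x-powered-by", "")
    return re.search(r"\d+\.\d+", banner) is None

def session_cookie_hardened(h):
    a = cookie_attrs(h.get("set-cookie", ""))
    return "secure" in a and "httponly" in a and a.get("samesite") in ("lax", "strict")

# The 5-step checklist: (step, ASVS section it supports, check on lower-cased headers).
# Section names follow ASVS 4.0 as I recall them; the deck's level names (Cursory,
# Opportunistic, ...) come from the older 3.0 edition, so re-map against your edition.
CHECKLIST = [
    ("HSTS enforced", "V14.4 HTTP Security Headers",
     lambda h: "strict-transport-security" in h),
    ("X-Content-Type-Options is nosniff", "V14.4 HTTP Security Headers",
     lambda h: h.get("x-content-type-options", "").lower() == "nosniff"),
    ("Framing restricted (clickjacking)", "V14.4 HTTP Security Headers", framing_restricted),
    ("No component versions in headers", "V14.3 Unintended Security Disclosure", no_version_disclosure),
    ("Session cookie Secure+HttpOnly+SameSite", "V3.4 Cookie-based Session Management", session_cookie_hardened),
]

def run_checklist(headers):
    """Return {step: (passed, asvs_section)} for one captured response."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return {step: (check(h), ref) for step, ref, check in CHECKLIST}

def failed_steps(headers):
    return [step for step, (ok, _) in run_checklist(headers).items() if not ok]
```

Feed it the headers an intercepting proxy captured for a page and a login response; the failed steps are the sanity findings, and the ASVS reference tells you which requirement each one maps to.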
Page 31: Efficient
BurpSuite application
• Built for dynamic AppSec testing
• Manipulating requests
• Automated attacks
• Automated scanning for vulnerabilities*
• Vulnerability reporting*
*Professional version
Page 32: Efficient
BurpSuite application
• Intercept requests/responses between browser and server
• Build requests manually
• Crawl a website by automatically visiting every page
• Fuzz applications by sending valid & invalid data
Page 33: Challenge #5
Practice
Bypass client validation using BurpSuite
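As an added example (not from the workshop or from Juice Shop), the "bypass client validation" check of Challenge #5 and the "user input validation" and "parameter tampering" items of pages 16 and 17 expressed as a test: it sends requests the UI would never produce to a hypothetical order handler and reports every case the server mishandles. Both handlers, the catalogue and the request cases are constructed stubs.

```python
# Added example: test-design pattern for "bypass client validation".
# The UI limits quantity to 1..10 and shows the price read-only; an intercepting
# proxy lets a tester send what the browser would not. Both handlers below are
# hypothetical stubs, not Juice Shop code.
CATALOGUE = {"sku-1": 2.99}  # constructed server-side price list
MAX_QTY = 10

def order_trusting_client(req):
    """Weak shape: relies on the UI's validation and on the posted price."""
    return {"status": 201, "total": req["price"] * req["quantity"]}

def order_validated(req):
    """Hardened shape: re-validates every field and never trusts the posted price."""
    sku, qty = req.get("sku"), req.get("quantity")
    if sku not in CATALOGUE:
        return {"status": 400, "error": "unknown sku"}
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        return {"status": 400, "error": "quantity out of range"}
    return {"status": 201, "total": round(CATALOGUE[sku] * qty, 2)}

def rejected(resp):
    return resp["status"] == 400

def price_ignored(resp):
    # The order may be accepted, but it must be billed at the catalogue price.
    return resp["status"] == 201 and resp["total"] == CATALOGUE["sku-1"]

# Constructed tampered requests, each paired with the behaviour a defender expects.
TAMPERED_CASES = [
    ("negative quantity", {"sku": "sku-1", "quantity": -1, "price": 2.99}, rejected),
    ("quantity above UI maximum", {"sku": "sku-1", "quantity": 9999, "price": 2.99}, rejected),
    ("quantity sent as string", {"sku": "sku-1", "quantity": "5", "price": 2.99}, rejected),
    ("price field rewritten", {"sku": "sku-1", "quantity": 1, "price": 0.01}, price_ignored),
]

def server_side_validation_findings(handler):
    """Return the case names the handler mishandled; an empty list means the check passed."""
    findings = []
    for name, req, expected in TAMPERED_CASES:
        try:
            resp = handler(req)
        except (TypeError, KeyError):
            findings.append(name + " (unhandled error)")  # a crash is also a finding
            continue
        if not expected(resp):
            findings.append(name)
    return findings

if __name__ == "__main__":
    print("trusting handler:", server_side_validation_findings(order_trusting_client))
    print("validated handler:", server_side_validation_findings(order_validated))
```

The same case table drives a proxy-based run against a real deployment: replay each request through the proxy and apply the same expectation to the live response.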
Page 34: Efficient
• Continuous code inspection
• Code quality, security, tech debt, dependencies
• Numerous plugins (languages, scanning tools, reporting etc.)
Page 35: Efficient
What's needed to gain Efficiency?
People working within Process with Tools
[Figure: People + Process + Tools, labelled Quality and Speed]
Page 36: Process Maturity Levels (recap of page 14)
Page 37: Optimising
Let's see what we have now
• Automated DAST
• Manual DAST
• SAST
Page 38: Optimising
Continuous Testing
• Test early
• Test often
• Test everywhere
• Automation
Page 39: Optimising
How can we Optimise?
Introduce automation of tools
[Figure: People + Process + Tools + Automation, labelled Quality and Speed]
Page 40: Challenge #6
Practice
Automate a scenario and run it through BurpSuite
Page 41: Afterword
Security Ambassador
• A role, not a responsibility
• Concerned about security-related questions
• Knows the drill and is ready to act
• Has good communication skills
Page 42: The End
Thank you!