Download AppSecEU08-SRF_Simon_Roses

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
Document related concepts

Nonlinear dimensionality reduction wikipedia , lookup

Transcript 
OWASP Europe Conference 2008
Graph Analysis for WebApps:
From Nodes to Edges
OWASP
Simon Roses Femerling
Security Technologist and Researcher
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Intro - Who I am
 Natural from wonderful Mallorca Island in the
Mediterranean Sea
 Postgraduate in E-Commerce from Harvard University
and a B.S. from Suffolk University at Boston,
Massachusetts
 Former PwC, @Stake among others…
 Security Technologist (ACE Team) at Microsoft
OWASP
Talk Objectives
Success Cases using graphs in security space
Not a class on graphs
Improve web assessments by
Saving time
Focus on what matters
Surgical Testing
OWASP
Agenda
Overview
Process
Data Analysis
Summary
Q&A
OWASP
OVERVIEW
OWASP
Why?
Apps are more complex daily
Tired of using poor tool set
Move away from raw text
Need identify patterns quickly
Time is precious and usually you don’t have
enough
OWASP
Security Visualization
Becoming a popular field
Needs a lot of research
Makes easier to analyze data
We perform better with visual images that raw
data
OWASP
Success Cases Visualization
Reverse Engineering
IDS Log Analysis
Network Analysis
Source Code Review
http://secviz.org/
OWASP
OWASP
OWASP
OWASP
OWASP
PROCESS
OWASP
Process
3 steps process
SOURCE
NORMALIZATION
ANALYSIS
OWASP
SOURCE
Black box or White box independency
As much data we got the better (everything is
important)
Lot of tools that can help us
Proxies
Crawlers
Scanners
SOURCE
OWASP
NORMALIZATION
Raw data normalized
XML for convenience
Normalize / Analysis Engine is key
NORMALIZATION
OWASP
ANALYSIS
Start identifying issues easier and faster
Visual approach
Take decisions and focus testing
Data Mining is the key
ANALYSIS
OWASP
DATA ANALYSIS
OWASP
Target Site
OWASP
Target Relationship
Query:
Pages that link to Home
Objectives:
 Learning about target
 Mapping Application
OWASP
FORMS + HIDDEN
Query:
Pages that contains a form
and hidden tag
Objectives:
 Data Entry Point
 Tamper with hidden tag
OWASP
COOKIES
Query:
Pages that set a cookie
Objectives:
 Contains session ID?
 Tamper Cookie
OWASP
SSL
Query:
Pages that uses SSL
Objectives:
 Check SSL Certificate
 Can I call pages without
SSL?
OWASP
Attack Surface
Query:
All data points
Objectives:
 Have fun 
OWASP
Analysis tips
 Diff between pages
 What pages contain more data entries?
 What pages contain more issues?
 Identify pages with script code, comments, etc…
 We are constrained to:
What we know from target
Our imagination
OWASP
Now what?
Improve our Security Testing
Fuzzing
Generate Attack Trees / Attack Graphs
Threat Modeling
OWASP
Web Attack Graphs
OWASP
TAM graphs visualization
OWASP
Data Analysis Goal
Build a focus attack roadmap to test target
OWASP
SUMMARY
OWASP
Security Visualization Coolness
Makes our lives easier
Allows for easy pattern identification
Cuts down our analysis time
Focus security testing
Add cool visuals to report 
OWASP
Future
Adding graphs analysis into PANTERA
Some current research into web sec graphs
Build an automated process
Check out OWASP Tiger
(http://www.owasp.org/index.php/OWASP_Tiger)
OWASP
Pantera Data Mining I
OWASP
Pantera Data Mining II
OWASP
Nice toolset to play with…
 Python
 Pydot (http://code.google.com/p/pydot/)
 pGRAPH (included in PAIMEI)
 Java
 JUNG (http://jung.sourceforge.net/)
 JGraphT (http://www.jgrapht.org/)
 .NET
 QuickGraph
(http://www.codeproject.com/KB/miscctrl/quickgraph.aspx)
 MSAGL (http://research.microsoft.com/research/msagl/)
OWASP
The End
Q&A
 Important: Beer / hard liquor (Vodka Lemon, Margaritas,
Mojitos, you named it…) are always welcome 
 Simon Roses Femerling
www.roseslabs.com
OWASP
Related documents
View Report - PDF
View Report - PDF
Advanced SQL Injection - Victor Chapela
Advanced SQL Injection - Victor Chapela
Slide 1
Slide 1
OWASP_WebGoat
OWASP_WebGoat
Do`s and Don`ts for web application developers
Do`s and Don`ts for web application developers
OWASP Education Project
OWASP Education Project
OWASP`s Ten Most Critical Web Application Security Vulnerabilities
OWASP`s Ten Most Critical Web Application Security Vulnerabilities
Secure Coding Practices
Secure Coding Practices
Colinwatson-a-new-ontology-of-unwanted-automation
Colinwatson-a-new-ontology-of-unwanted-automation
AppSecEU08-ReformAndCanoodle-Eddington
AppSecEU08-ReformAndCanoodle-Eddington
OWASP_Academies_Meeting_GR_presented
OWASP_Academies_Meeting_GR_presented
OWASP Top 10 2007
OWASP Top 10 2007
Web Application Security
Web Application Security
Workshop 3 Web Application Security - comp
Workshop 3 Web Application Security - comp
Dealing with threats to databases
Dealing with threats to databases
Media:Adam Boulton Security Assessing Java RMI
Media:Adam Boulton Security Assessing Java RMI
Android Reverse Engineering
Android Reverse Engineering
Web Application Security and Search Engines - Beyond
Web Application Security and Search Engines - Beyond
Role of Web Application Vulnerabilities in Information
Role of Web Application Vulnerabilities in Information
MakingTheFutureSecWJava-MS14
MakingTheFutureSecWJava-MS14
Ruby on Rails Security
Ruby on Rails Security
slides
slides