Tietoturvatyökalujen tuominen osaksi testausprosessia

Opinnäytetyö tehtiin Codemate-nimiselle suomalaiselle ohjelmistoyritykselle, joka tarvitsi hyvää vertailua nykyisistä tietoturvatestaukseen suunnitelluista työkaluista. Vertailun tavoitteena oli löytää ja valita sopivat työkalut, joita voidaan hyödyntää Codematen testausprosessissa. Vertailua oli tarkoituksena tehdä lähinnä web-sovelluksiin suunnattuihin työkaluihin, mutta lisäksi mukaan otettiin myös muutamia verkko- ja palvelinskannereita ja Content Management System –skannereita. Vertailtavien työkalujen valintaan käytettiin muutamia kriteerejä. Tärkeimpinä kriteereinä olivat työkalun haavoittuvuuksien löytökyky, työkalun käytettävyys, raporttien laatu ja selkeys sekä jatkuva kehitys tasaisilla päivityksillä. Kaikista työhön valituista työkaluista kirjoitettiin selkeät ja laajat teoriaosuudet joissa tuotiin esille työkalujen perustiedot, tarkat tekniset ominaisuudet, käyttöliittymät sekä skannereiden tekemät haavoittuvuustestit. Toteutusosuudessa vertailtiin valittuja web-sovelluksiin suunnattuja työkaluja tarkemmin. Jokaisesta työkalusta vertailtiin hintaa, WAVSEP-tuloksia, OWASP top 10 kattavuutta, käytettävyyttä/ominaisuuksia ja päivityksiä. Tulososuudessa valittiin vertailluista työkaluista Codematelle sopivat ja maksullisille työkaluille valittiin myös ilmainen vaihtoehto. Valitut web-sovelluten automaattiset skannerit olivat Arachni, Acuentix, Tinfoil Security ja CMSmap. Valitut web-sovellusten manuaaliset testityökalut olivat Burp Suite ja OWASP ZAP. Web-sovellusten exploit-työkaluiksi valittiin SQLmap ja W3AF. Palvelin- ja verkkoskannereiksi valittiin OpenVAS sekä NMAP. Työtä tehdessä selvisi, että web-sovellusskannereille on todella vaikea tehdä luotettavia vertailutestejä johtuen haavoittuviksi tehtyjen web-sovellusten ja oikeiden web-sovellusten eroavaisuuksista. Yhdellä työkalulla ei myöskään tietoturvatestauksessa usein pärjää vaan parhaat tulokset saa, kun joka osa-alueeseen käyttää siihen suunniteltua työkalua.The Bachelor’s thesis was assigned by a Finnish software company named Codemate. Codemate needed a good comparison of web application security-testing tools. The goal with the comparison was to find the right tools for Codemate’s testing process. The comparison was to be done mostly between the web application security-testing tools and also some network scanners and Content Management System scanners were to be included. Few criteria were used to choose the tools for comparison. The most important criteria were the vulnerability detection ability and usability of the tool, the quality of reports and continuous development including updates. An extensive theory section was written on every tool which includes the basic info, technical features, available user interfaces and the security tests executed by the scanner. In the comparison section the web application testing tools were compared in more detail. Every tool was compared regarding its price, WAVSEP score, OWASP top 10 coverage, usability, features and updates. In the results section the suitable tools were chosen for Codemate and for every commercial tool there was also a free option. The chosen automatic scanners for web applications were Arachni, Acuentix, Tinfoil Security and CMSmap. The chosen manual tools for web applications were Burp Suite and OWAPS ZAP. The tools chosen for exploiting were SQLmap and W3AF. OpenVAS and NMAP were chosen for network scanning. During the thesis it became clear that a reliable comparison of web application security-scanners is not that easy because of the differences in designed to be vulnerable web applications and real world web applications. Also, one tool is rarely enough for security testing and often the best results are achieved by using the right tool for the part it is mostly designed for

A Brief History of Web Crawlers

Web crawlers visit internet applications, collect data, and learn about new web pages from visited pages. Web crawlers have a long and interesting history. Early web crawlers collected statistics about the web. In addition to collecting statistics about the web and indexing the applications for search engines, modern crawlers can be used to perform accessibility and vulnerability checks on the application. Quick expansion of the web, and the complexity added to web applications have made the process of crawling a very challenging one. Throughout the history of web crawling many researchers and industrial groups addressed different issues and challenges that web crawlers face. Different solutions have been proposed to reduce the time and cost of crawling. Performing an exhaustive crawl is a challenging question. Additionally capturing the model of a modern web application and extracting data from it automatically is another open question. What follows is a brief history of different technique and algorithms used from the early days of crawling up to the recent days. We introduce criteria to evaluate the relative performance of web crawlers. Based on these criteria we plot the evolution of web crawlers and compare their performanc

Model-Based Security Testing

Security testing aims at validating software system requirements related to security properties like confidentiality, integrity, authentication, authorization, availability, and non-repudiation. Although security testing techniques are available for many years, there has been little approaches that allow for specification of test cases at a higher level of abstraction, for enabling guidance on test identification and specification as well as for automated test generation. Model-based security testing (MBST) is a relatively new field and especially dedicated to the systematic and efficient specification and documentation of security test objectives, security test cases and test suites, as well as to their automated or semi-automated generation. In particular, the combination of security modelling and test generation approaches is still a challenge in research and of high interest for industrial applications. MBST includes e.g. security functional testing, model-based fuzzing, risk- and threat-oriented testing, and the usage of security test patterns. This paper provides a survey on MBST techniques and the related models as well as samples of new methods and tools that are under development in the European ITEA2-project DIAMONDS.Comment: In Proceedings MBT 2012, arXiv:1202.582

Combining Static and Dynamic Analysis for Vulnerability Detection

In this paper, we present a hybrid approach for buffer overflow detection in C code. The approach makes use of static and dynamic analysis of the application under investigation. The static part consists in calculating taint dependency sequences (TDS) between user controlled inputs and vulnerable statements. This process is akin to program slice of interest to calculate tainted data- and control-flow path which exhibits the dependence between tainted program inputs and vulnerable statements in the code. The dynamic part consists of executing the program along TDSs to trigger the vulnerability by generating suitable inputs. We use genetic algorithm to generate inputs. We propose a fitness function that approximates the program behavior (control flow) based on the frequencies of the statements along TDSs. This runtime aspect makes the approach faster and accurate. We provide experimental results on the Verisec benchmark to validate our approach.Comment: There are 15 pages with 1 figur

SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities

Algorithmic complexity vulnerabilities occur when the worst-case time/space complexity of an application is significantly higher than the respective average case for particular user-controlled inputs. When such conditions are met, an attacker can launch Denial-of-Service attacks against a vulnerable application by providing inputs that trigger the worst-case behavior. Such attacks have been known to have serious effects on production systems, take down entire websites, or lead to bypasses of Web Application Firewalls. Unfortunately, existing detection mechanisms for algorithmic complexity vulnerabilities are domain-specific and often require significant manual effort. In this paper, we design, implement, and evaluate SlowFuzz, a domain-independent framework for automatically finding algorithmic complexity vulnerabilities. SlowFuzz automatically finds inputs that trigger worst-case algorithmic behavior in the tested binary. SlowFuzz uses resource-usage-guided evolutionary search techniques to automatically find inputs that maximize computational resource utilization for a given application.Comment: ACM CCS '17, October 30-November 3, 2017, Dallas, TX, US

Web Vulnerability Study of Online Pharmacy Sites

Consumers are increasingly using online pharmacies, but these sites may not provide an adequate level of security with the consumers’ personal data. There is a gap in this research addressing the problems of security vulnerabilities in this industry. The objective is to identify the level of web application security vulnerabilities in online pharmacies and the common types of flaws, thus expanding on prior studies. Technical, managerial and legal recommendations on how to mitigate security issues are presented. The proposed four-step method first consists of choosing an online testing tool. The next steps involve choosing a list of 60 online pharmacy sites to test, and then running the software analysis to compile a list of flaws. Finally, an in-depth analysis is performed on the types of web application vulnerabilities. The majority of sites had serious vulnerabilities, with the majority of flaws being cross-site scripting or old versions of software that have not been updated. A method is proposed for the securing of web pharmacy sites, using a multi-phased approach of technical and managerial techniques together with a thorough understanding of national legal requirements for securing systems