SlideShare uma empresa Scribd logo

Devoxx 2013 - David Tillemans - Security Test Automation in Software Development using Open Source Tools

Transferir como PPTX, PDF
Smals
Smals

Slides from David's presentation at Devoxx on 14/11/2013.

Tecnologia
1 de 32
Information Security Web Application Security Security Test Automation in Software Development using Open Source Tools Information Security
About Smals vzw-asbl One of Belgium's largest ICT-organisations: 1750 people "ICT for Society" Work: ex. Dimona-DmfA Salary & labour prestations Health: ex. eHealth-platform Secure exchange of medical data in Belgium Family life: ex. VESTA Home care for elderly (financial / operational support) In-house ICT-service, working exclusively for the government High priority for ICT Security & Privacy Information Security
Introduction  Security Test Automation in Software Development using Open Source Tools  Can we do it?  What do we need?  Source code  Working parts of the application  Selenium tests for the functional part 33 Information Security
Application Security Disclaimer Hacking is illegal and can be punished under the legal framework of the information criminality laws (Law issued on the 28 of november 2000 about informatica criminality). So the methods we show here are illegal if used without consent of the victim. 4 Information Security 4
Hacking is illegal under Belgium Law  5 Article 550bis § 1 A person who, while he knows that he is not yet entitled to it, gain access to a computer system, or in it maintains, shall be punished with imprisonment from three months to one year and a fine of twenty-six [euro] to twenty-five thousand [euro] or with one of these penalties. If the crime referred to in the first paragraph, committed with fraudulent intent, the maximum six months imprisonment to two years. Information Security
Security myths Firewalls … • Firewalls are always configured to allow web traffic -> HTTP(S) • Attacker appears to the web application as a normal user Information Security
Security myths SSL secures the application… • Server-side SSL only guarantees confidentiality on transport level • Attacker also uses the SSL tunnel 7 Information Security
Security myths The Application framework solves that… • Frameworks Don't Solve Security Issues • Some frameworks facilitate, but not by default • Some frameworks do, by default Workarounds exist to develop the security problems 8 Information Security
OWASP Top Ten (2013 Edition) 9
SQL Injection User: John xxxx password: secret ' or 1=1;-- SELECT user FROM SELECT user FROMWHERE users users WHERE AND user='xxx' user='John' AND password='' or 1=1;--'; password='secret'; John Aaron Welkom, Aaron John Information Security
Stored XSS <script> Coming home Steal password at 5 o'clock </script> passwords Information Security11
Reflected XSS http://site.com/index?<script>steal password</script> http://site.com/index?<script>steal password</script> Error: reason (<script>steal password</script>) unknown passwords Information Security12
Sensitive Data Exposure Clear text transmission • Confidential information is just sent back to the User Improper web application implementation Secure and non-secure sections Improper analysis of the information Improper configuration Unsecured SESSION cookies 13 Information Security
Sensitive Data Exposure Error messages • Error messages for developers carry a lot information to find the problem causing the error message Stack traces in JAVA SQL Error messages from Database PHP error messages … • Those error messages can give a lot information to the hacker, when displayed to him/her Information of dataflow in the Web application Database layout Operating System information Network information Application frameworks used 14 Information Security
Cross Site Request Forgery http://bank.com/transaction?amoun t=10000&acc=001.1234567.27 http://bank.com/transaction?amount= 10000&acc=001.1234567.27 Transaction successfull Online to her bank Information Security
Secure SDLC Security requirements Design Review Risk analysis Requirements and use cases Iterative approach Design Risk-based security tests Test plans Code Review 16 Static analysis (tools) Code Penetration testing Test results Information Security Field feedback
Findbugs  Static Source code analyzer  Works on Java byte code  Source must compile!  Searches for bug patterns  Find bugs  Find false warnings  Eclipse plugin  By default almost all enabled 17 Information Security
Findbugs  For security patterns:  DMI_CONSTANT_DB_PASSWORD Hardcoded constant database password  DMI_EMPTY_DB_PASSWORD Empty database password  EI_EXPOSE_REP May expose internal representation by returning reference to mutable objects  EI_EXPOSE_REP2 May expose internal representation by incorporating reference to mutable object  EI_EXPOSE_STATIC_REP2 May expose internal static state by storing a mutable object into a static field  MS_EXPOSE_REP Public static method may expose internal representation by returning array 18 Information Security
Findbugs  SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE Nonconstant string passed to execute method on an SQL statement  SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_ST RING A prepared statement is generated from a nonconstant String  XSS_REQUEST_PARAMETER_TO_SEND_ERROR JSP reflected cross site scripting vulnerability  XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER Servlet reflected cross site scripting vulnerability in error page  RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE Nullcheck of value previously dereferenced  NP_NULL_ON_SOME_PATH Possible null pointer dereference  NP_NULL_ON_SOME_PATH_EXCEPTION Possible null pointer dereference in method on exception path 19 Information Security
Demo Findbugs  Eclipse 20 Information Security
PMD     Static Source code analyzer Runs against the Java source code Also searches for bug patterns There are no real security patterns included  Gotham Digital Science has a security rule set 21 Information Security
PMD  For security patterns:         22 ArrayIsStoredDirectly AvoidCatchingThrowable AvoidPrintStackTrace AvoidThrowingNullPointerException DoNotCallSystemExit ExceptionAsFlowControl MethodReturnsInternalArray MisplacedNullCheck Information Security
Demo PMD  Eclipse 23 Information Security
Zed Attack Proxy        24 Intercepting Proxy Traditional and AJAX spiders Automated scanner Forced Browsing Fuzzer Dynamic SSL Certificates Smartcard and Client Digital Certificates support Information Security
Zed Attack Proxy  Web sockets support  Support for wide range of scripting languages  Plug-n-Hack support  Authentication and Session Support  Powerful REST based API  Automatic updating option  Integrated and growing marketplace of add-ons 25 Information Security
Demo Zaproxy  Eclipse 26 Information Security
Demo: Automatic Build Proces  Maven  Findbugs  PMD  Zaproxy 27 Information Security
TODO’s  Maven  Zed Attack Proxy and site phase integration  SONAR integration of Zed Attack Proxy  How about Agile development?  Can we ingrate this process in TDD and BDD? 28 Information Security
Links FindBugs™ - Find Bugs in Java Programs PMD – Don’t shoot the Messenger OWASP Zed Attack Proxy Project - OWASP ZAP Maven Plugin Automated Security Testing of web applications using OWASP Zed Attack Proxy  Belgium - OWASP  Gotham Digital Science      29 Information Security
Resources … • Books: Software Security Microsoft Secure Development Lifecycle Enterprise Security Architecture 30 Information Security30
Reflection  Open Source  Good start  Commercial Tools  Are more integrated in their environment  Perform better  Comes with a price  Manual review by experts     31 Best results Expensive Non constant reviews Very late in the process Information Security
Questions 32 Information Security

Recomendados

Secure Code the Cyber Pandemic Vaccine - Wayne Burke
Secure Code the Cyber Pandemic Vaccine - Wayne BurkeSecure Code the Cyber Pandemic Vaccine - Wayne Burke
Secure Code the Cyber Pandemic Vaccine - Wayne BurkeEC-Council
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testingsrivinayak
 
Cv gulam rasool
Cv gulam rasoolCv gulam rasool
Cv gulam rasoolGulam Rasool
 
Sql injection
Sql injectionSql injection
Sql injectionDilan Warnakulasooriya
 
Owasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesOwasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesRIZWAN HASAN
 
Proposal
ProposalProposal
Proposalwilcbrowning
 
Nii sample pt_report
Nii sample pt_reportNii sample pt_report
Nii sample pt_reportChandan Bagai, GWAPT, CEHv8, CCNA
 
A Security Overview of OWASP's Top 10 Vulnerabilities
A Security Overview of OWASP's Top 10 VulnerabilitiesA Security Overview of OWASP's Top 10 Vulnerabilities
A Security Overview of OWASP's Top 10 Vulnerabilitiesmilagerova
 

Recomendados

Secure Code the Cyber Pandemic Vaccine - Wayne Burke
Secure Code the Cyber Pandemic Vaccine - Wayne BurkeSecure Code the Cyber Pandemic Vaccine - Wayne Burke
Secure Code the Cyber Pandemic Vaccine - Wayne BurkeEC-Council
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testingsrivinayak
 
Cv gulam rasool
Cv gulam rasoolCv gulam rasool
Cv gulam rasoolGulam Rasool
 
Sql injection
Sql injectionSql injection
Sql injectionDilan Warnakulasooriya
 
Owasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesOwasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesRIZWAN HASAN
 
Proposal
ProposalProposal
Proposalwilcbrowning
 
Nii sample pt_report
Nii sample pt_reportNii sample pt_report
Nii sample pt_reportChandan Bagai, GWAPT, CEHv8, CCNA
 
A Security Overview of OWASP's Top 10 Vulnerabilities
A Security Overview of OWASP's Top 10 VulnerabilitiesA Security Overview of OWASP's Top 10 Vulnerabilities
A Security Overview of OWASP's Top 10 Vulnerabilitiesmilagerova
 
WAP Hack (Windows Password Hacking)
WAP Hack (Windows Password Hacking)WAP Hack (Windows Password Hacking)
WAP Hack (Windows Password Hacking)AshishKakne
 
Parameter tampering
Parameter tamperingParameter tampering
Parameter tamperingDilan Warnakulasooriya
 
SalemPhilip_ResearchReport
SalemPhilip_ResearchReportSalemPhilip_ResearchReport
SalemPhilip_ResearchReportPhilip Salem
 
Pen test methodology
Pen test methodologyPen test methodology
Pen test methodologyCahyo Darujati
 
Database Security
Database SecurityDatabase Security
Database Securityalraee
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
Surelog Intelligence
Surelog IntelligenceSurelog Intelligence
Surelog IntelligenceErtugrul Akbas
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5Jayesh Patel
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
ANKUR AGGARWAL
ANKUR AGGARWALANKUR AGGARWAL
ANKUR AGGARWALAnkur Aggarwal
 
[Fortifier] Reliable Software Engineering (Daria)
[Fortifier] Reliable Software Engineering (Daria)[Fortifier] Reliable Software Engineering (Daria)
[Fortifier] Reliable Software Engineering (Daria)Fortifier. IT Company
 
Penetration and hacking training brief
Penetration and hacking training briefPenetration and hacking training brief
Penetration and hacking training briefBill Nelson
 
Windows network
Windows networkWindows network
Windows networkJithesh Nair
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
Web attacks
Web attacksWeb attacks
Web attackshusnara mohammad
 
Secure Hash Algorithm (SHA)
Secure Hash Algorithm (SHA)Secure Hash Algorithm (SHA)
Secure Hash Algorithm (SHA)ShahDhruv21
 
Multi-Agent System for APT Detection
Multi-Agent System for APT DetectionMulti-Agent System for APT Detection
Multi-Agent System for APT DetectionThibault Debatty
 
Security Testing for Web Application
Security Testing for Web ApplicationSecurity Testing for Web Application
Security Testing for Web ApplicationPrecise Testing Solution
 
Op Sy 03 Ch 61a
Op Sy 03 Ch 61aOp Sy 03 Ch 61a
Op Sy 03 Ch 61a Google
 
Acuril 2016: Transition to customer focused Information services
Acuril 2016: Transition to customer focused Information servicesAcuril 2016: Transition to customer focused Information services
Acuril 2016: Transition to customer focused Information servicesGO opleidingen
 
Radiation reactors
Radiation reactorsRadiation reactors
Radiation reactorsjmocherman
 

Mais conteúdo relacionado

Mais procurados

WAP Hack (Windows Password Hacking)
WAP Hack (Windows Password Hacking)WAP Hack (Windows Password Hacking)
WAP Hack (Windows Password Hacking)AshishKakne
 
SalemPhilip_ResearchReport
SalemPhilip_ResearchReportSalemPhilip_ResearchReport
SalemPhilip_ResearchReportPhilip Salem
 
Database Security
Database SecurityDatabase Security
Database Securityalraee
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
[Fortifier] Reliable Software Engineering (Daria)
[Fortifier] Reliable Software Engineering (Daria)[Fortifier] Reliable Software Engineering (Daria)
[Fortifier] Reliable Software Engineering (Daria)Fortifier. IT Company
 
Penetration and hacking training brief
Penetration and hacking training briefPenetration and hacking training brief
Penetration and hacking training briefBill Nelson
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
Secure Hash Algorithm (SHA)
Secure Hash Algorithm (SHA)Secure Hash Algorithm (SHA)
Secure Hash Algorithm (SHA)ShahDhruv21
 
Multi-Agent System for APT Detection
Multi-Agent System for APT DetectionMulti-Agent System for APT Detection
Multi-Agent System for APT DetectionThibault Debatty
 
Op Sy 03 Ch 61a
Op Sy 03 Ch 61aOp Sy 03 Ch 61a
Op Sy 03 Ch 61a Google
 

Mais procurados (20)

WAP Hack (Windows Password Hacking)
WAP Hack (Windows Password Hacking)WAP Hack (Windows Password Hacking)
WAP Hack (Windows Password Hacking)
 
Parameter tampering
Parameter tamperingParameter tampering
Parameter tampering
 
SalemPhilip_ResearchReport
SalemPhilip_ResearchReportSalemPhilip_ResearchReport
SalemPhilip_ResearchReport
 
Pen test methodology
Pen test methodologyPen test methodology
Pen test methodology
 
Database Security
Database SecurityDatabase Security
Database Security
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
 
Surelog Intelligence
Surelog IntelligenceSurelog Intelligence
Surelog Intelligence
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
 
ANKUR AGGARWAL
ANKUR AGGARWALANKUR AGGARWAL
ANKUR AGGARWAL
 
[Fortifier] Reliable Software Engineering (Daria)
[Fortifier] Reliable Software Engineering (Daria)[Fortifier] Reliable Software Engineering (Daria)
[Fortifier] Reliable Software Engineering (Daria)
 
Penetration and hacking training brief
Penetration and hacking training briefPenetration and hacking training brief
Penetration and hacking training brief
 
Windows network
Windows networkWindows network
Windows network
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 
Web attacks
Web attacksWeb attacks
Web attacks
 
Secure Hash Algorithm (SHA)
Secure Hash Algorithm (SHA)Secure Hash Algorithm (SHA)
Secure Hash Algorithm (SHA)
 
Multi-Agent System for APT Detection
Multi-Agent System for APT DetectionMulti-Agent System for APT Detection
Multi-Agent System for APT Detection
 
Security Testing for Web Application
Security Testing for Web ApplicationSecurity Testing for Web Application
Security Testing for Web Application
 
Op Sy 03 Ch 61a
Op Sy 03 Ch 61aOp Sy 03 Ch 61a
Op Sy 03 Ch 61a
 

Destaque

Acuril 2016: Transition to customer focused Information services
Acuril 2016: Transition to customer focused Information servicesAcuril 2016: Transition to customer focused Information services
Acuril 2016: Transition to customer focused Information servicesGO opleidingen
 
Radiation reactors
Radiation reactorsRadiation reactors
Radiation reactorsjmocherman
 
Viral is a Dirty Word
Viral is a Dirty WordViral is a Dirty Word
Viral is a Dirty WordOgilvy
 
Targets as tools, not talismans - Don Williams
Targets as tools, not talismans - Don WilliamsTargets as tools, not talismans - Don Williams
Targets as tools, not talismans - Don WilliamsHELIGLIASA
 
Content Curation; or how to be an Information Hero
Content Curation; or how to be an Information HeroContent Curation; or how to be an Information Hero
Content Curation; or how to be an Information HeroGO opleidingen
 
禽流感和人流感簡介
禽流感和人流感簡介禽流感和人流感簡介
禽流感和人流感簡介honan4108
 
13-07-2015 Greenlight (Visualisations removed)
13-07-2015 Greenlight (Visualisations removed)13-07-2015 Greenlight (Visualisations removed)
13-07-2015 Greenlight (Visualisations removed)Marius Lazauskas
 
Engage All The Things: Rethinking Online Engagement
Engage All The Things: Rethinking Online EngagementEngage All The Things: Rethinking Online Engagement
Engage All The Things: Rethinking Online EngagementFarra Trompeter, Big Duck
 
Consulta respecto a la Constitucionalidad de Norma Relacionada con la Pensión...
Consulta respecto a la Constitucionalidad de Norma Relacionada con la Pensión...Consulta respecto a la Constitucionalidad de Norma Relacionada con la Pensión...
Consulta respecto a la Constitucionalidad de Norma Relacionada con la Pensión...Dra. Roxana Silva Ch.
 
Content Marketing Master Class - San Francisco: Epilogue
Content Marketing Master Class - San Francisco: EpilogueContent Marketing Master Class - San Francisco: Epilogue
Content Marketing Master Class - San Francisco: EpilogueContent Marketing Institute
 
Measuring change presentation
Measuring change presentationMeasuring change presentation
Measuring change presentationNinti_One
 
名人美食經
名人美食經名人美食經
名人美食經honan4108
 
Drongo: Zoeken in Audiovisuele Documenten
Drongo: Zoeken in Audiovisuele DocumentenDrongo: Zoeken in Audiovisuele Documenten
Drongo: Zoeken in Audiovisuele DocumentenNOTaS
 
Código de Planificación y Finanzas Públicas Ecuador
Código de Planificación y Finanzas Públicas Ecuador Código de Planificación y Finanzas Públicas Ecuador
Código de Planificación y Finanzas Públicas Ecuador Dra. Roxana Silva Ch.
 
Dimension política de las redes sociales
Dimension política de las redes socialesDimension política de las redes sociales
Dimension política de las redes socialesCristina Juesas
 
Hiscox case study
Hiscox case studyHiscox case study
Hiscox case studyNewsworks
 
Виховна робота
Виховна робота Виховна робота
Виховна робота kpschool7
 
Biodiversidad, erosión y contaminación genética del maíz nativo en américa la...
Biodiversidad, erosión y contaminación genética del maíz nativo en américa la...Biodiversidad, erosión y contaminación genética del maíz nativo en américa la...
Biodiversidad, erosión y contaminación genética del maíz nativo en américa la...Chile Sustentable
 

Destaque (20)

Acuril 2016: Transition to customer focused Information services
Acuril 2016: Transition to customer focused Information servicesAcuril 2016: Transition to customer focused Information services
Acuril 2016: Transition to customer focused Information services
 
Radiation reactors
Radiation reactorsRadiation reactors
Radiation reactors
 
Viral is a Dirty Word
Viral is a Dirty WordViral is a Dirty Word
Viral is a Dirty Word
 
Targets as tools, not talismans - Don Williams
Targets as tools, not talismans - Don WilliamsTargets as tools, not talismans - Don Williams
Targets as tools, not talismans - Don Williams
 
Content Curation; or how to be an Information Hero
Content Curation; or how to be an Information HeroContent Curation; or how to be an Information Hero
Content Curation; or how to be an Information Hero
 
禽流感和人流感簡介
禽流感和人流感簡介禽流感和人流感簡介
禽流感和人流感簡介
 
13-07-2015 Greenlight (Visualisations removed)
13-07-2015 Greenlight (Visualisations removed)13-07-2015 Greenlight (Visualisations removed)
13-07-2015 Greenlight (Visualisations removed)
 
Engage All The Things: Rethinking Online Engagement
Engage All The Things: Rethinking Online EngagementEngage All The Things: Rethinking Online Engagement
Engage All The Things: Rethinking Online Engagement
 
Consulta respecto a la Constitucionalidad de Norma Relacionada con la Pensión...
Consulta respecto a la Constitucionalidad de Norma Relacionada con la Pensión...Consulta respecto a la Constitucionalidad de Norma Relacionada con la Pensión...
Consulta respecto a la Constitucionalidad de Norma Relacionada con la Pensión...
 
Content Marketing Master Class - San Francisco: Epilogue
Content Marketing Master Class - San Francisco: EpilogueContent Marketing Master Class - San Francisco: Epilogue
Content Marketing Master Class - San Francisco: Epilogue
 
Measuring change presentation
Measuring change presentationMeasuring change presentation
Measuring change presentation
 
名人美食經
名人美食經名人美食經
名人美食經
 
Drongo: Zoeken in Audiovisuele Documenten
Drongo: Zoeken in Audiovisuele DocumentenDrongo: Zoeken in Audiovisuele Documenten
Drongo: Zoeken in Audiovisuele Documenten
 
Código de Planificación y Finanzas Públicas Ecuador
Código de Planificación y Finanzas Públicas Ecuador Código de Planificación y Finanzas Públicas Ecuador
Código de Planificación y Finanzas Públicas Ecuador
 
2
22
2
 
Dimension política de las redes sociales
Dimension política de las redes socialesDimension política de las redes sociales
Dimension política de las redes sociales
 
Hiscox case study
Hiscox case studyHiscox case study
Hiscox case study
 
Виховна робота
Виховна робота Виховна робота
Виховна робота
 
My influences
My influencesMy influences
My influences
 
Biodiversidad, erosión y contaminación genética del maíz nativo en américa la...
Biodiversidad, erosión y contaminación genética del maíz nativo en américa la...Biodiversidad, erosión y contaminación genética del maíz nativo en américa la...
Biodiversidad, erosión y contaminación genética del maíz nativo en américa la...
 

Semelhante a Devoxx 2013 - David Tillemans - Security Test Automation in Software Development using Open Source Tools

Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)mikemcbryde
 
Security Training: #4 Development: Typical Security Issues
Security Training: #4 Development: Typical Security IssuesSecurity Training: #4 Development: Typical Security Issues
Security Training: #4 Development: Typical Security IssuesYulian Slobodyan
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Web security 2010
Web security 2010Web security 2010
Web security 2010Alok Babu
 
CONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsCONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsCiNPA Security SIG
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesClint Edmonson
 
Sql server security in an insecure world
Sql server security in an insecure worldSql server security in an insecure world
Sql server security in an insecure worldGianluca Sartori
 
Database Threats - Information System Security
Database Threats - Information System SecurityDatabase Threats - Information System Security
Database Threats - Information System Securitysandra sukarieh
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Alan Kan
 
GDG Dev Fest 2014 Cyber Security & Bangladesh (Raffiqunnabi Rumman )
GDG Dev Fest 2014 Cyber Security & Bangladesh (Raffiqunnabi Rumman )GDG Dev Fest 2014 Cyber Security & Bangladesh (Raffiqunnabi Rumman )
GDG Dev Fest 2014 Cyber Security & Bangladesh (Raffiqunnabi Rumman )Md Raffiqunnabi Rumman
 
Top web apps security vulnerabilities
Top web apps security vulnerabilitiesTop web apps security vulnerabilities
Top web apps security vulnerabilitiesAleksandar Bozinovski
 

Semelhante a Devoxx 2013 - David Tillemans - Security Test Automation in Software Development using Open Source Tools (20)

Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)
 
Security Training: #4 Development: Typical Security Issues
Security Training: #4 Development: Typical Security IssuesSecurity Training: #4 Development: Typical Security Issues
Security Training: #4 Development: Typical Security Issues
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Web security 2010
Web security 2010Web security 2010
Web security 2010
 
CONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsCONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIs
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Web Security
Web SecurityWeb Security
Web Security
 
Sql server security in an insecure world
Sql server security in an insecure worldSql server security in an insecure world
Sql server security in an insecure world
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Windows network security
Windows network securityWindows network security
Windows network security
 
Database Threats - Information System Security
Database Threats - Information System SecurityDatabase Threats - Information System Security
Database Threats - Information System Security
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
 
GDG Dev Fest 2014 Cyber Security & Bangladesh (Raffiqunnabi Rumman )
GDG Dev Fest 2014 Cyber Security & Bangladesh (Raffiqunnabi Rumman )GDG Dev Fest 2014 Cyber Security & Bangladesh (Raffiqunnabi Rumman )
GDG Dev Fest 2014 Cyber Security & Bangladesh (Raffiqunnabi Rumman )
 
Top web apps security vulnerabilities
Top web apps security vulnerabilitiesTop web apps security vulnerabilities
Top web apps security vulnerabilities
 
Code securely
Code securelyCode securely
Code securely
 

Mais de Smals

Wat zijn chatbots en waarvoor gebruiken we ze
Wat zijn chatbots en waarvoor gebruiken we zeWat zijn chatbots en waarvoor gebruiken we ze
Wat zijn chatbots en waarvoor gebruiken we zeSmals
 
Wat is augmented reality en waarvoor gebruiken we het nl
Wat is augmented reality en waarvoor gebruiken we het nlWat is augmented reality en waarvoor gebruiken we het nl
Wat is augmented reality en waarvoor gebruiken we het nlSmals
 
Named entity recognition hoe werkt het wat kunnen we er mee doen nl
Named entity recognition hoe werkt het wat kunnen we er mee doen nlNamed entity recognition hoe werkt het wat kunnen we er mee doen nl
Named entity recognition hoe werkt het wat kunnen we er mee doen nlSmals
 
Natural language generation nederlands
Natural language generation nederlandsNatural language generation nederlands
Natural language generation nederlandsSmals
 
Wat is ai en wat kan het nl
Wat is ai en wat kan het nlWat is ai en wat kan het nl
Wat is ai en wat kan het nlSmals
 
Realite augmentee
Realite augmenteeRealite augmentee
Realite augmenteeSmals
 
Internet des objets
Internet des objetsInternet des objets
Internet des objetsSmals
 
Chatbots comment ca marche a quoi ca sert
Chatbots comment ca marche a quoi ca sertChatbots comment ca marche a quoi ca sert
Chatbots comment ca marche a quoi ca sertSmals
 
Analyse predictive comment ca marche a quoi ca sert
Analyse predictive comment ca marche a quoi ca sertAnalyse predictive comment ca marche a quoi ca sert
Analyse predictive comment ca marche a quoi ca sertSmals
 
Traduction vocale quasi instantanee introduction
Traduction vocale quasi instantanee introductionTraduction vocale quasi instantanee introduction
Traduction vocale quasi instantanee introductionSmals
 
Automatisation des processus robotises introduction
Automatisation des processus robotises introductionAutomatisation des processus robotises introduction
Automatisation des processus robotises introductionSmals
 
Interfaces conversationnelle introduction
Interfaces conversationnelle introductionInterfaces conversationnelle introduction
Interfaces conversationnelle introductionSmals
 
Reconnaissance d'entites nommees introduction
Reconnaissance d'entites nommees introductionReconnaissance d'entites nommees introduction
Reconnaissance d'entites nommees introductionSmals
 
Generation automatique de textes
Generation automatique de textesGeneration automatique de textes
Generation automatique de textesSmals
 
Intelligence artificielle etroite introduction
Intelligence artificielle etroite introductionIntelligence artificielle etroite introduction
Intelligence artificielle etroite introductionSmals
 
Named entity recognition hoe werkt het wat kunnen we er mee doen
Named entity recognition hoe werkt het wat kunnen we er mee doenNamed entity recognition hoe werkt het wat kunnen we er mee doen
Named entity recognition hoe werkt het wat kunnen we er mee doenSmals
 
Real time voice translation handig maar hoe ver staat het
Real time voice translation handig maar hoe ver staat hetReal time voice translation handig maar hoe ver staat het
Real time voice translation handig maar hoe ver staat hetSmals
 
Wat is predictive analytics en waarvoor kun je het gebruiken
Wat is predictive analytics en waarvoor kun je het gebruikenWat is predictive analytics en waarvoor kun je het gebruiken
Wat is predictive analytics en waarvoor kun je het gebruikenSmals
 
Wat is robotic process automation en wat kun je er mee doen
Wat is robotic process automation en wat kun je er mee doenWat is robotic process automation en wat kun je er mee doen
Wat is robotic process automation en wat kun je er mee doenSmals
 
Exemples europeens comme source d inspiration
Exemples europeens comme source d inspirationExemples europeens comme source d inspiration
Exemples europeens comme source d inspirationSmals
 

Mais de Smals (20)

Wat zijn chatbots en waarvoor gebruiken we ze
Wat zijn chatbots en waarvoor gebruiken we zeWat zijn chatbots en waarvoor gebruiken we ze
Wat zijn chatbots en waarvoor gebruiken we ze
 
Wat is augmented reality en waarvoor gebruiken we het nl
Wat is augmented reality en waarvoor gebruiken we het nlWat is augmented reality en waarvoor gebruiken we het nl
Wat is augmented reality en waarvoor gebruiken we het nl
 
Named entity recognition hoe werkt het wat kunnen we er mee doen nl
Named entity recognition hoe werkt het wat kunnen we er mee doen nlNamed entity recognition hoe werkt het wat kunnen we er mee doen nl
Named entity recognition hoe werkt het wat kunnen we er mee doen nl
 
Natural language generation nederlands
Natural language generation nederlandsNatural language generation nederlands
Natural language generation nederlands
 
Wat is ai en wat kan het nl
Wat is ai en wat kan het nlWat is ai en wat kan het nl
Wat is ai en wat kan het nl
 
Realite augmentee
Realite augmenteeRealite augmentee
Realite augmentee
 
Internet des objets
Internet des objetsInternet des objets
Internet des objets
 
Chatbots comment ca marche a quoi ca sert
Chatbots comment ca marche a quoi ca sertChatbots comment ca marche a quoi ca sert
Chatbots comment ca marche a quoi ca sert
 
Analyse predictive comment ca marche a quoi ca sert
Analyse predictive comment ca marche a quoi ca sertAnalyse predictive comment ca marche a quoi ca sert
Analyse predictive comment ca marche a quoi ca sert
 
Traduction vocale quasi instantanee introduction
Traduction vocale quasi instantanee introductionTraduction vocale quasi instantanee introduction
Traduction vocale quasi instantanee introduction
 
Automatisation des processus robotises introduction
Automatisation des processus robotises introductionAutomatisation des processus robotises introduction
Automatisation des processus robotises introduction
 
Interfaces conversationnelle introduction
Interfaces conversationnelle introductionInterfaces conversationnelle introduction
Interfaces conversationnelle introduction
 
Reconnaissance d'entites nommees introduction
Reconnaissance d'entites nommees introductionReconnaissance d'entites nommees introduction
Reconnaissance d'entites nommees introduction
 
Generation automatique de textes
Generation automatique de textesGeneration automatique de textes
Generation automatique de textes
 
Intelligence artificielle etroite introduction
Intelligence artificielle etroite introductionIntelligence artificielle etroite introduction
Intelligence artificielle etroite introduction
 
Named entity recognition hoe werkt het wat kunnen we er mee doen
Named entity recognition hoe werkt het wat kunnen we er mee doenNamed entity recognition hoe werkt het wat kunnen we er mee doen
Named entity recognition hoe werkt het wat kunnen we er mee doen
 
Real time voice translation handig maar hoe ver staat het
Real time voice translation handig maar hoe ver staat hetReal time voice translation handig maar hoe ver staat het
Real time voice translation handig maar hoe ver staat het
 
Wat is predictive analytics en waarvoor kun je het gebruiken
Wat is predictive analytics en waarvoor kun je het gebruikenWat is predictive analytics en waarvoor kun je het gebruiken
Wat is predictive analytics en waarvoor kun je het gebruiken
 
Wat is robotic process automation en wat kun je er mee doen
Wat is robotic process automation en wat kun je er mee doenWat is robotic process automation en wat kun je er mee doen
Wat is robotic process automation en wat kun je er mee doen
 
Exemples europeens comme source d inspiration
Exemples europeens comme source d inspirationExemples europeens comme source d inspiration
Exemples europeens comme source d inspiration
 

Último

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Último (20)

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

Devoxx 2013 - David Tillemans - Security Test Automation in Software Development using Open Source Tools

  • 1. Information Security Web Application Security Security Test Automation in Software Development using Open Source Tools Information Security
  • 2. About Smals vzw-asbl One of Belgium's largest ICT-organisations: 1750 people "ICT for Society" Work: ex. Dimona-DmfA Salary & labour prestations Health: ex. eHealth-platform Secure exchange of medical data in Belgium Family life: ex. VESTA Home care for elderly (financial / operational support) In-house ICT-service, working exclusively for the government High priority for ICT Security & Privacy Information Security
  • 3. Introduction  Security Test Automation in Software Development using Open Source Tools  Can we do it?  What do we need?  Source code  Working parts of the application  Selenium tests for the functional part 33 Information Security
  • 4. Application Security Disclaimer Hacking is illegal and can be punished under the legal framework of the information criminality laws (Law issued on the 28 of november 2000 about informatica criminality). So the methods we show here are illegal if used without consent of the victim. 4 Information Security 4
  • 5. Hacking is illegal under Belgium Law  5 Article 550bis § 1 A person who, while he knows that he is not yet entitled to it, gain access to a computer system, or in it maintains, shall be punished with imprisonment from three months to one year and a fine of twenty-six [euro] to twenty-five thousand [euro] or with one of these penalties. If the crime referred to in the first paragraph, committed with fraudulent intent, the maximum six months imprisonment to two years. Information Security
  • 6. Security myths Firewalls … • Firewalls are always configured to allow web traffic -> HTTP(S) • Attacker appears to the web application as a normal user Information Security
  • 7. Security myths SSL secures the application… • Server-side SSL only guarantees confidentiality on transport level • Attacker also uses the SSL tunnel 7 Information Security
  • 8. Security myths The Application framework solves that… • Frameworks Don't Solve Security Issues • Some frameworks facilitate, but not by default • Some frameworks do, by default Workarounds exist to develop the security problems 8 Information Security
  • 9. OWASP Top Ten (2013 Edition) 9
  • 10. SQL Injection User: John xxxx password: secret ' or 1=1;-- SELECT user FROM SELECT user FROMWHERE users users WHERE AND user='xxx' user='John' AND password='' or 1=1;--'; password='secret'; John Aaron Welkom, Aaron John Information Security
  • 11. Stored XSS <script> Coming home Steal password at 5 o'clock </script> passwords Information Security11
  • 13. Sensitive Data Exposure Clear text transmission • Confidential information is just sent back to the User Improper web application implementation Secure and non-secure sections Improper analysis of the information Improper configuration Unsecured SESSION cookies 13 Information Security
  • 14. Sensitive Data Exposure Error messages • Error messages for developers carry a lot information to find the problem causing the error message Stack traces in JAVA SQL Error messages from Database PHP error messages … • Those error messages can give a lot information to the hacker, when displayed to him/her Information of dataflow in the Web application Database layout Operating System information Network information Application frameworks used 14 Information Security
  • 15. Cross Site Request Forgery http://bank.com/transaction?amoun t=10000&acc=001.1234567.27 http://bank.com/transaction?amount= 10000&acc=001.1234567.27 Transaction successfull Online to her bank Information Security
  • 16. Secure SDLC Security requirements Design Review Risk analysis Requirements and use cases Iterative approach Design Risk-based security tests Test plans Code Review 16 Static analysis (tools) Code Penetration testing Test results Information Security Field feedback
  • 17. Findbugs  Static Source code analyzer  Works on Java byte code  Source must compile!  Searches for bug patterns  Find bugs  Find false warnings  Eclipse plugin  By default almost all enabled 17 Information Security
  • 18. Findbugs  For security patterns:  DMI_CONSTANT_DB_PASSWORD Hardcoded constant database password  DMI_EMPTY_DB_PASSWORD Empty database password  EI_EXPOSE_REP May expose internal representation by returning reference to mutable objects  EI_EXPOSE_REP2 May expose internal representation by incorporating reference to mutable object  EI_EXPOSE_STATIC_REP2 May expose internal static state by storing a mutable object into a static field  MS_EXPOSE_REP Public static method may expose internal representation by returning array 18 Information Security
  • 19. Findbugs  SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE Nonconstant string passed to execute method on an SQL statement  SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_ST RING A prepared statement is generated from a nonconstant String  XSS_REQUEST_PARAMETER_TO_SEND_ERROR JSP reflected cross site scripting vulnerability  XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER Servlet reflected cross site scripting vulnerability in error page  RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE Nullcheck of value previously dereferenced  NP_NULL_ON_SOME_PATH Possible null pointer dereference  NP_NULL_ON_SOME_PATH_EXCEPTION Possible null pointer dereference in method on exception path 19 Information Security
  • 21. PMD     Static Source code analyzer Runs against the Java source code Also searches for bug patterns There are no real security patterns included  Gotham Digital Science has a security rule set 21 Information Security
  • 22. PMD  For security patterns:         22 ArrayIsStoredDirectly AvoidCatchingThrowable AvoidPrintStackTrace AvoidThrowingNullPointerException DoNotCallSystemExit ExceptionAsFlowControl MethodReturnsInternalArray MisplacedNullCheck Information Security
  • 24. Zed Attack Proxy        24 Intercepting Proxy Traditional and AJAX spiders Automated scanner Forced Browsing Fuzzer Dynamic SSL Certificates Smartcard and Client Digital Certificates support Information Security
  • 25. Zed Attack Proxy  Web sockets support  Support for wide range of scripting languages  Plug-n-Hack support  Authentication and Session Support  Powerful REST based API  Automatic updating option  Integrated and growing marketplace of add-ons 25 Information Security
  • 27. Demo: Automatic Build Proces  Maven  Findbugs  PMD  Zaproxy 27 Information Security
  • 28. TODO’s  Maven  Zed Attack Proxy and site phase integration  SONAR integration of Zed Attack Proxy  How about Agile development?  Can we ingrate this process in TDD and BDD? 28 Information Security
  • 29. Links FindBugs™ - Find Bugs in Java Programs PMD – Don’t shoot the Messenger OWASP Zed Attack Proxy Project - OWASP ZAP Maven Plugin Automated Security Testing of web applications using OWASP Zed Attack Proxy  Belgium - OWASP  Gotham Digital Science      29 Information Security
  • 30. Resources … • Books: Software Security Microsoft Secure Development Lifecycle Enterprise Security Architecture 30 Information Security30
  • 31. Reflection  Open Source  Good start  Commercial Tools  Are more integrated in their environment  Perform better  Comes with a price  Manual review by experts     31 Best results Expensive Non constant reviews Very late in the process Information Security