SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT
4/21/2011, Review by Rayna Burgess

Overview
  - The Paper Selection
  - Security Testing is Important (Relevant)
  - Security Testing is Different from Functional Testing
  - Security Testing is Difficult
  - Security Engineer's Tasks
  - Analyzing Security Risks
  - Types of Security Testing
  - Case Study: Java Card
  - Conclusion

COMP 587 SW V&V Dr. Lingard | Security Testing Review – Rayna Burgess 4/21/2011 (20 slides)

The Paper: Software Security Testing
  - Gary McGraw, PhD, CTO of Cigital, Inc
  - Series of articles in IEEE Security & Privacy

Security Testing is Important

Security Testing is Different
  - Malicious attacker
  - Intelligent adversary
  - Vulnerabilities exploited

Aaah! So many vulnerability lists!

McGraw's Vulnerability Taxonomy

Vulnerability Name Dropping
  - gets() (buffer overflow problem, Morris Worm)
  - Race condition (time of check to time of use)
  - Insecure failure
  - Transitive trust
  - Trampoline
  - Zero day exploits

SQL Injection Vulnerability

Where are we? (agenda slide, same outline as the Overview)

SW Security Engineer's Tasks
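The SQL Injection Vulnerability slide above has only a title, so here is an added example, not part of the original slides or McGraw's paper, showing the defect beside its fix. It uses Python's standard sqlite3 module with a constructed in-memory users table; the table contents and the tampered test input are sample data invented for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table; the name/password rows are sample data only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name, password):
    """Defect: user input is spliced into the SQL text, so a quote character in
    the input changes the statement's structure instead of being compared as data."""
    query = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name, password):
    """Hardened form: placeholders hand the values to the driver separately from
    the statement, so the input can only ever be matched as a value."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def demo():
    """Run both lookups with an honest password and with a constructed test
    input that contains a quote; return the rows each variant matched."""
    conn = make_db()
    tampered = "' OR '1'='1"  # constructed test input, not a real credential
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "alice", "correct horse"),
        "honest_safe": lookup_safe(conn, "alice", "correct horse"),
        "tampered_vulnerable": lookup_vulnerable(conn, "alice", tampered),
        "tampered_safe": lookup_safe(conn, "alice", tampered),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The honest credentials match one row in both variants. With the tampered input the concatenated query's WHERE clause no longer requires a correct password and every row in the table comes back, while the parameterised query matches nothing because no account has that literal password. A functional test with valid credentials passes both versions; only the risk-based test with hostile input tells them apart, which is the paper's point about security testing being different.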
Analyzing Security Risks
  - Think like an attacker
  - A vulnerability in the weakest link can expose the system
  - Requires expertise
  - Can practice/learn on: WebGoat, DVWA, Hacme Bank

Types of Security Testing
  - Functional security testing
  - Risk-based security testing (hostile attacks)
  - Black box / white box
  - Static / dynamic

Static Security Analysis
  - Risk analysis of design and architecture
  - Static security analysis tools
      - Source code or byte code
      - Good at finding patterns
      - Numerous false positives

Penetration Testing
  - Performed on a running system
  - Can be used on COTS software too
  - Penetration testing tools
      - Network and OS vulnerability scanners: Nmap, Nessus, Aircrack
      - Automated penetration testing tools: Metasploit, CoreImpact, Canvas
      - Other useful tools: fuzzing tools, WebScarab
  - Quality of pen testing depends on the human!

Case Study: Java Card
  - Operating system for smart cards
  - GlobalPlatform (Java Card, MULTOS)
  - Used on bank cards (also SIMs, ID cards, medical)
  - Two types of testing
      - Functional security design tests
      - Risk-based attack tests

Functional Security Testing
  - Tests security functionality
      - Crypto
      - Commands
  - Compliance testing (GALITT 3/2011)
  - All cards passed!

Risk-Based Security Testing (Attacks)
  - Hostile attacks, based on risk assessment
  - All cards failed some part of this testing!
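The Vulnerability Name Dropping slide lists gets() and the Static Security Analysis slide says such tools are "good at finding patterns" with "numerous false positives". The following added example (mine, not from the slides or the paper) is a deliberately minimal pattern-based checker over a constructed C fragment. It shows both sides: a real gets() call is flagged, a mention of gets() inside a comment is flagged too (false positive), and a function pointer assigned from gets without a call is missed (false negative). The C fragment, the pattern list and the triage heuristic are all assumptions made for the demonstration.

```python
import re

# Patterns a simple static checker might carry: unbounded input and copy calls.
RISKY_CALLS = {
    "gets": re.compile(r"\bgets\s*\("),
    "strcpy": re.compile(r"\bstrcpy\s*\("),
    "sprintf": re.compile(r"\bsprintf\s*\("),
}

# Constructed C fragment chosen to exercise the checker (not from the paper).
# Line 3: gets() inside a comment (false positive).
# Line 4: widgets() must not match because of the word boundary.
# Line 5: a real gets() call (true positive).
# Line 6: a real strcpy() call (true positive).
# Line 7: strncpy() is bounded and must not match the strcpy pattern.
# Line 8: gets taken by address, no parentheses, so the pattern misses it.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
/* legacy: we replaced gets(buf) with fgets() in version 2 */
int widgets(char *out) { return 0; }
int read_line(char *buf) { gets(buf); return 0; }
int copy_name(char *dst, const char *src) { strcpy(dst, src); return 0; }
int safe_copy(char *dst, const char *src) { strncpy(dst, src, 7); dst[7] = 0; return 0; }
char *(*reader)(char *) = gets;
"""


def scan(source):
    """Return one finding per matching pattern per line:
    (line number, call name, stripped line text)."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RISKY_CALLS.items():
            if pattern.search(line):
                findings.append((number, name, line.strip()))
    return findings


def triage(findings):
    """Cheap heuristic: a hit on a line that starts as a comment is probably a
    false positive. Everything else still needs a human to confirm it."""
    return [
        (number, name,
         "probable false positive" if text.startswith(("/*", "//", "*"))
         else "needs review")
        for number, name, text in findings
    ]


if __name__ == "__main__":
    for number, name, verdict in triage(scan(SAMPLE_C)):
        print(f"line {number}: {name}() - {verdict}")
```

Running it reports lines 3, 5 and 6. Line 3 is noise that a reviewer has to dismiss, and line 8 never appears at all because the pattern keys on a call, not on any use of the symbol. That gap between "matches a pattern" and "is actually exploitable" is why the slides insist the tools are only a starting point and a human is still needed.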
Analysis of Java Card Design
  - Identify atomic transaction processing as the area of interest
  - Consequence is "printing money" (very high risk)
  - Put on the black hat, don't follow the rules: abort, fail to commit, fill buffers, nest transactions
  - Exposes vulnerabilities before the cards are issued to the public

Almost done! (agenda slide, same outline as the Overview)

Conclusion: SW Security Testing is…
  - Important
      - More software, more new attacks
      - More functionality, more vulnerabilities
      - Software is everywhere and connected!
  - Different
      - Presence of a malicious, intelligent attacker
      - Software test engineers have different skills
  - Difficult
      - Exploits are subtle
      - Automated static & dynamic tools are insufficient
      - Need a human!

"So now, when we face a choice between adding features and resolving security issues, we need to choose security." - Bill Gates
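The Analysis of Java Card Design slide names four rule-breaking moves for the risk-based tests: abort, fail to commit, fill buffers, nest transactions. The following added example is mine, not code from the slides, the paper or any Java Card implementation. It models a purse applet with atomic transactions and a bounded commit buffer as a small Python class (a constructed stand-in, not the Java Card API), runs the four checks against it, and also runs them against a deliberately defective variant whose abort forgets to roll back, which is the "printing money" failure the slide warns about.

```python
class TransactionError(Exception):
    """Raised when the transaction rules are broken."""


class ToyPurse:
    """Constructed stand-in for a purse applet: a balance, an atomic
    transaction, and a commit buffer holding at most commit_capacity writes."""

    def __init__(self, balance=0, commit_capacity=4):
        self.balance = balance
        self.commit_capacity = commit_capacity
        self._in_transaction = False
        self._undo_log = []  # pre-images of balance, oldest first

    def begin_transaction(self):
        if self._in_transaction:
            raise TransactionError("nested transactions are not allowed")
        self._in_transaction = True
        self._undo_log = []

    def _write_balance(self, value):
        if self._in_transaction:
            if len(self._undo_log) >= self.commit_capacity:
                raise TransactionError("commit buffer full")
            self._undo_log.append(self.balance)
        self.balance = value

    def credit(self, amount):
        if amount <= 0:
            raise ValueError("amount must be positive")
        self._write_balance(self.balance + amount)

    def debit(self, amount):
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid or insufficient amount")
        self._write_balance(self.balance - amount)

    def commit_transaction(self):
        if not self._in_transaction:
            raise TransactionError("no open transaction")
        self._in_transaction = False
        self._undo_log = []

    def abort_transaction(self):
        if not self._in_transaction:
            raise TransactionError("no open transaction")
        if self._undo_log:
            self.balance = self._undo_log[0]  # state as it was at begin
        self._in_transaction = False
        self._undo_log = []

    def reset(self):
        """Models a card tear / power loss: an open transaction must not survive."""
        if self._in_transaction:
            self.abort_transaction()


class BuggyPurse(ToyPurse):
    """Constructed defective variant: abort clears the log but never restores
    the pre-image, so an aborted credit stays on the balance."""

    def abort_transaction(self):
        self._in_transaction = False
        self._undo_log = []


def risk_based_tests(make_purse):
    """The 'don't follow the rules' checks from the slide. Returns a dict of
    check name -> True if the purse held up, False if it exposed a flaw."""
    results = {}

    p = make_purse()  # 1. abort must roll the balance back exactly
    start = p.balance
    p.begin_transaction(); p.credit(50); p.abort_transaction()
    results["abort_rolls_back"] = p.balance == start

    p = make_purse()  # 2. fail to commit, then tear the card
    start = p.balance
    p.begin_transaction(); p.credit(50); p.reset()
    results["tear_rolls_back"] = p.balance == start

    p = make_purse()  # 3. a nested begin must be refused
    p.begin_transaction()
    try:
        p.begin_transaction()
        results["nesting_refused"] = False
    except TransactionError:
        results["nesting_refused"] = True
    p.abort_transaction()

    p = make_purse()  # 4. overfill the commit buffer, then abort
    start = p.balance
    p.begin_transaction()
    try:
        for _ in range(p.commit_capacity + 1):
            p.credit(1)
        results["overflow_refused"] = False
    except TransactionError:
        results["overflow_refused"] = True
    p.abort_transaction()
    results["overflow_left_consistent"] = p.balance == start
    return results


if __name__ == "__main__":
    print("ToyPurse  :", risk_based_tests(lambda: ToyPurse(balance=100)))
    print("BuggyPurse:", risk_based_tests(lambda: BuggyPurse(balance=100)))
```

The well-behaved purse passes all five checks. The defective one still refuses nesting and refuses to overfill its buffer, so a functional test of those commands would report success, yet the abort and tear checks leave the balance 50 units higher than it started, and the overflow check leaves it inconsistent. That mirrors the case study's outcome: every card passed the functional compliance suite, and every card failed some part of the attack-style testing.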