1.
What? Why? Who? How? Of
Application Security Testing
Presented by: Declan O’Riordan
@DeclanTestingIT

2.
www.eurostarconferences.com
Application Security
www.eurostarconferences.com

3.
www.eurostarconferences.com
What is Application Security? I tried ISO 27001

4.
www.eurostarconferences.com
Threat growth
Source: Verizon
2013 - 20% more breaches
2012 - 30% higher cost per breach
2014 - Commercial cyber security spending $46 billion

5.
www.eurostarconferences.com
What is Application Security?
It is NOT Building, or Network Security!
84% of attacks target
the applications (Source: HP)
90% of sites are vulnerable
to application attacks
(Watchfire)

6.
www.eurostarconferences.com
What is the money spent on?
Source: OWASP AppSec USA 2014

7.
www.eurostarconferences.com
The Web was not designed to be secure in the
beginning. Security features are afterthoughts.
Source: OWASP

8.
www.eurostarconferences.com
I started to understand the #1 risk: Injection
‘ ; < > & |
Space newline
&apos; &semi; &lt; &gt;
&amp; &vert; &bsol;
<script > <ScRiPt> %00<script>
<scr%00ipt> expr/***/ession
%3cscript%3e <scr<script>ipt>
HTML encoding, URL encoding,
Unicode encoding, Base64 encoding, Hex encoding

9.
www.eurostarconferences.com
What are Application Vulnerabilities?
Source: OWASP

10.
www.eurostarconferences.com
Why Can’t Penetration
Testers and Tools take
care of Security?

11.
www.eurostarconferences.com
When will the Penetration Tests happen?
Source: OWASP

12.
www.eurostarconferences.com
Using Web Security Scanners to Detect Vulnerabilities in Web Services
Marco Vieira, Nuno Antunes, and Henrique Madeira
CISUC, Department of Informatics Engineering, University of Coimbra – Portugal
“The differences in the vulnerabilities detected and the high number of
false-positives (35% and 40% in two cases) and low coverage (less than
20% for two of the scanners) observed highlight the limitations of web
vulnerability scanners on detecting security vulnerabilities in web
services.”

13.
www.eurostarconferences.com
Differing results found by scanners:
Coverage is not consistent. Only 21 matching results found.

14.
www.eurostarconferences.com
And so to Firewalls
w.w.w. data is exploding:
2010 = 1.2 zettabytes
2015 = 7.9 zettabytes
2020 = 40 zettabytes?
1.2 million variants of malware per day
20%-30% of
malware is
caught by anti-
virus

15.
www.eurostarconferences.com
HP alone sift through 2.5 Billion security events per day
Perimeter / Network defences are failing
Web Application Firewalls, IDS, & IPS filter HTTP
conversations by applying rules to block common attacks.
BUT They cannot read HTTPS messages.
They cannot identify zero-day (new or obfuscated) attacks.
They need significant effort to customize and maintain.
Methods of attack and
defence change over time.

16.
www.eurostarconferences.com
Attackers are using asymmetric economics

17.
www.eurostarconferences.com
Why is Application Security important?
Make that 153m accounts

18.
www.eurostarconferences.com
Why does it take so long to find out?
Source: Verizon

19.
www.eurostarconferences.com
Who is targeted?
Source: Verizon

20.
www.eurostarconferences.com
Who should be doing what?
• We can reverse the asymmetric economics
• Security experts are experts in security, not your system!
• We are the experts in our applications.
• We can build security into the whole SDLC.
• We need to understand the subject.
• Identify what can be done now, and what requires experts.
• We need to make everyone aware of application security.

21.
www.eurostarconferences.com
How?

22.
www.eurostarconferences.com
I became familiar with ‘the’ Top 10 Risks

23.
www.eurostarconferences.com
I created Application Security Testing Procedures
and Development Guidelines

24.
www.eurostarconferences.com
Apply the defences!

25.
www.eurostarconferences.com
Validate Security Requirements

26.
www.eurostarconferences.com
Now get Everyone on board!