[OWASP-TESTING] RE: [OWASP-TESTING] Testing Sign Up

Davis, Carl cdavis at fnni.com
Thu Feb 26 06:55:21 EST 2004


I apologize for not getting this out sooner but work has been busier than
normal.  Anywho,  I have included in this email and attached a draft
(outline format) of the 'Ten Principles for Application Security Testing'
[Chapter 4] for hashing out, comments, suggested changes, etc. by the group.
My current plan is to briefly speak to each bullet in the paragraph
accompanying each heading; principles, bullets, etc. are by no means set in
stone at this point.
 
On a separate but related note...I volunteered to help out with Chapter 2,
the 'Regulatory Requirements' section and noticed that there was a question
mark next to my name for this chapter in a previous email detailing
assignments.  Also, Javier has more recently volunteered to help out with
this chapter as well so, I was wondering how you would like to handle this?  I
would not mind still helping out with Regu Reqs but if Javier is going to
cover this section that is fine too.
 
I really look forward to everyone's feedback (good or bad) regarding the 10
Principles.
 
Cheers,
 
- Carl
 
------------
 Ten Principles for Application Security Testing

There is No Silver Bullet
 - One glove (testing approach) does not fit all
 - Design based on requirements and other governing factors i.e.
limitations, costs, etc.

Think Strategically, Not Tactically
 - Build security into the test plan
 - Establish test methods
 - Identify security issues during the design review phase
 - Build in security in-depth (layered approach)
 - Ask questions regarding future requirements/enhancements
 - Future growth

Test Early and Test Often
 - Substantial cost savings 
 - Test in development, QA, and production environments 
     (limited access prior to "going live")
 - Work closely with responsible teams during the development 
     process to remediate or mitigate issues 
 - Establish a Due Care process based on risk level
 - Educate developers about Web App sec issues

Understand the Scope
 - Governing regulatory requirements
 - Level of security required i.e. sensitive, Top Secret 
 - Timeframe (schedule)
 - Interviews with developers, involved teams, and project leads
 - Complexity of project
 - Approval requirements
 - Proof of concept (yes or no)
 - Cost limitations (time to market)
 - Classification of data e.g. GLBA, Cardholder, CA SB1386, etc. 

Mindset
 - Think like a hacker or cracker
 - Customize your approach and/or methodology
 - Think outside of the box
 - Try the unexpected; be creative
 
Know Thy Target
 - User & Administrative documentation
 - Architectural diagrams and data flow charts  
 - Technical system and application documentation
 - Disallowed functionality/intentions
 - Understand the threat and known exploits
 - Understand regulatory requirements
 - Thoroughly research application & systems being used
 - Conduct passive & active recon

Use the Right Tools
 - Use a combination of automated and manual techniques
 - Frequently update tool & technique inventory
 - Become intimately familiar with technology being used and 
   known/probable security issues
 - Shouldn't bring a knife to a gun fight

Attention to Detail
 - Weed out false positives
 - Thoroughly explore logic in an attempt to expose flaws
 - Look for the less obvious security issues
 - Become intimate with the application
 - Evaluate every aspect

Use Manual Source Code Inspections Whenever Possible
 - Allows for the identification of security holes and 
   vulnerabilities often missed by black or gray box testing
 - Reinforce secure coding practices 
 - Should include User Interface development 

Use the System Development Life Cycle (SDLC)
 - Structured approach that provides guidance regarding the handling 
   of IT Security activities throughout the life of the system or
application
 

-----Original Message----- 
From: Mark Curphey [mailto:mark.curphey at foundstone.com] 
Sent: Tue 2/24/2004 9:21 AM 
To: daniel at deeper.co.za; owasp-testing at lists.sourceforge.net 
Cc: 
Subject: RE: [OWASP-TESTING] Testing Sign Up



Dan, you are working with Nish and Hari on 5. I suggest you guys hook up 
off line or via the list to co-ordinate etc 

-----Original Message----- 
From: daniel at deeper.co.za [mailto:daniel at deeper.co.za] 
Sent: Tuesday, February 24, 2004 5:04 AM 
To: owasp-testing at lists.sourceforge.net 
Subject: Re: [OWASP-TESTING] Testing Sign Up 

is there an updated list of who is doing what, as not to duplicate any 
effort? 



> Mark Curphey wrote: 
> 
> > OK so looks like we are all happy with the basic outline we have 
> > today for Part 1, so I am afraid to say its time to sign up to 
> > complete a section before the end of next week as we discussed. By 
> > the way end of next week should mean 6pm Friday 27th Feb Pacific 
> > time I think. I know its RSA etc but .... 
> 
> Sorry for not answering previously, I'm quite busy with work et al. 
> 
> > 2. Reasons for Testing 
> > This chapter should outline the end goal of building secure software 
> > and explain how testing should be performed against requirements or 
> > standards, best practices etc and what you can aim to achieve 
> > through testing. 
> > 
> (...) 
> > Anyone else have any specific interests ? 
> 
> 
> I want to help with sections 2 (Reasons for Testing) and section 5 
> (Testing Techniques) 
> 
> I also think I can gather reviewers for all sections from my company's 
> development department. If others are ok, I would like to pass the 
> document around so I can gather more input/reviewing. 
> 
> Regards 
> 
> Javier 
> 
> 
> 
> ------------------------------------------------------- 
> SF.Net is sponsored by: Speed Start Your Linux Apps Now. 
> Build and deploy apps & Web services for Linux with a free DVD 
> software kit from IBM. Click Now! 
> http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click 
> _______________________________________________ 
> owasp-testing mailing list 
> owasp-testing at lists.sourceforge.net 
> https://lists.sourceforge.net/lists/listinfo/owasp-testing 







-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-testing/attachments/20040226/17e0709a/attachment.html 