New Adventures in Security Testing

Dan Billing
www.thetestdoctor.wordpress.com
@TheTestDoctor

Reflections

How far has just being a 'functional tester' taken me?
Am I excited by my work anymore?
Have I maintained and developed my skills as a tester?
What do I have to do to make a change?

"To know what skills to focus on learning you need to know what skills you need for your chosen career…compare this to what skills you currently have. The difference between the two is where you should focus your learning"
Remaining Relevant and Employable in a Changing World - Testers Edition
Rob Lambert, Leanpub, 2013

Focus your learning

Why Security?

Potential Threats
...it's all about the attacks

Motivations behind attacks (Jan - Apr 2014)
Source: Hackmageddon.com
Cyber crime 61%, Hacktivism 31%

Recent Significant Attacks

Boldly Going…?

First Steps
• Understand the threats to your systems - STRIDE
• Explore the OWASP website – www.owasp.org
• Learn the OWASP Top 10 – they are the 10 Commandments of Web Security Testing
• Learn some techniques and when to use them
• Understand your applications and their infrastructure
• Get to know your Dev/Ops team – they’ll be your new best friends
• Follow the security and hacking bloggers like Troy Hunt
• Take a course or two

Play it Safe
• www.altoromutual.com – deliberately vulnerable banking site - IBM
• http://google-gruyere.appspot.com – structured approach to learning exploits and vulnerabilities – Google
• https://code.google.com/p/bodgeit/ – vulnerable retail store, runs locally on Apache - OWASP
• http://www.mmeit.be/bwapp/ – bWAPP: an extremely buggy web app
• https://www.owasp.org/index.php/OWASP_Bricks – OWASP Bricks
• A VM running your own applications
• MobiSec – a mobile security testing framework and emulator

Know Your Enemy
• www.hackmageddon.com – news and updates on recent attacks and hacks
• www.securityninja.com – great news, research and guidance resource
• www.hackthissite.org – hackers' legal sandbox
• www.hackthis.co.uk – another hackers' sandbox from the UK

“Once you start down the dark path, forever it will dominate your destiny. Consume you it will.” - Yoda

STRIDE
• SPOOFING – illegally using another's authentication information to gain access
• TAMPERING – malicious modification of either persistent data or data as it flows through a network
• REPUDIATION – denying having performed an action without other parties having a way to prove otherwise
• INFORMATION DISCLOSURE – exposure of information to those who should not have access
• DENIAL OF SERVICE – denying valid users access to a service
• ELEVATION OF PRIVILEGE – allowing a user access to a system above their privilege level

Injection in a Nutshell
xkcd.com/327 – Exploits of a Mom

Injection – an Example
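The injection the xkcd strip illustrates, as an added example that is not part of the talk: a constructed "Bobby Tables" name fed first to a string-built INSERT and then to a parameterised one, using Python's sqlite3 on an in-memory database (the Students table and its column are assumed).

```python
import sqlite3

# Constructed input in the spirit of xkcd 327: the "name" closes the
# quoted value and smuggles in a second statement.
BOBBY = "Robert'); DROP TABLE Students;--"


def _fresh_db():
    """In-memory database with one pre-existing row (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    conn.execute("INSERT INTO Students VALUES ('Alice')")
    return conn


def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row[0] == 1


def add_student_vulnerable(conn, name):
    # Vulnerable: the untrusted name is pasted into the SQL text, so the
    # engine cannot tell data from code. sqlite3's execute() refuses stacked
    # statements, so executescript() stands in for drivers that allow them;
    # it runs every statement it finds, including the attacker's DROP TABLE.
    conn.executescript("INSERT INTO Students VALUES ('" + name + "');")


def add_student_safe(conn, name):
    # Hardened: the name travels as a bound parameter. The engine receives one
    # fixed statement and one value, whatever characters the value contains.
    conn.execute("INSERT INTO Students VALUES (?)", (name,))


def demo(add_fn):
    """Apply add_fn with the hostile name; return (table_survived, stored_names)."""
    conn = _fresh_db()
    add_fn(conn, BOBBY)
    if not table_exists(conn):
        return False, []
    names = [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY name")]
    return True, names


if __name__ == "__main__":
    print("concatenated:", demo(add_student_vulnerable))  # (False, [])
    print("parameterised:", demo(add_student_safe))      # (True, ['Alice', "Robert'); DROP TABLE Students;--"])
```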

Cross Site Scripting

XSS – an example
Exploits a victim's trust in a particular site

Weapon of Choice
• Browser Developer Tools
• Browser plugins e.g. TamperData, Firebug, Postman
• OWASP Mantra

Man in the Middle
• Fiddler
• Zed Attack Proxy
• Burp Suite
• Nmap/Zenmap
• BeEF
• Wireshark

Where next…?
• Automated scanning and regression
• Better vulnerability detection and analysis
• Sharing knowledge
• Increased confidence

SEEK! LOCATE! EXTERMINATE!

EX – EXPLORE
T – THREATS
E – EXPERIMENT
R – RISKS
M – MONITOR
IN – INTERROGATE
A – ANALYSIS
T – TARGETED
E – EXPEDITED

A Security Testing Mnemonic

Q&A
• Senior Test Engineer at New Voice Media
• www.newvoicemedia.com
• Blog: www.thetestdoctor.wordpress.com
• Twitter: @thetestdoctor