
Page 1: Web Application Testing with AppScan (ist.uwaterloo.ca/~tlabach/watitis/Web-app-scanning-with-appscan.pdf)

Web Application Testing with AppScan

Terry Labach

Page 2:

"If you spend more on coffee than on Web application security, you will be hacked. What's more, you deserve to be hacked"

- Richard Clarke, Former White House Advisor on Cyberterrorism and Cybersecurity

2010 | The Sky’s the Limit

Page 3:

Introduction

• What are the issues?
• How can UW support secure Web application development?
• How can involved parties work together?

Page 4:

Outline

• The state of affairs
• Risks and attacks
• AppScan at UW
• AppScan scanning example
• Software engineering for the web
• Questions

Page 5:

Web application security is no longer optional

• UW administration concerned about last IT audit

• IT professionalism now includes security

Page 6:

The old Web


"First we thought the PC was a calculator. Then we found out how to turn numbers into letters with ASCII -- and we thought it was a typewriter. Then we discovered graphics, and we thought it was a television. With the World Wide Web, we've realized it's a brochure."

- Douglas Adams

Page 7:

The new Web

Page 8:

The new Web

• Shopping mall, office, movie theatre, communications hub, self-marketing firm

• We are expected to make more services available on the web

• Financial, medical, personal information increasingly used in web transactions

• Clients interact with our internal systems

Page 9:

Risks on the new Web

Page 10:

Risks

• Theft of personal information
• Identity theft
• Financial losses
• Intellectual Property losses
• Damage to UW's reputation
• Legal requirements to notify breach victims

Page 11:

Vulnerabilities

• Technical
  • OS, server design flaws
• Logical
  • Application logic design flaws
• Failing to account for malicious/incompetent users

Page 12:

Attacks

• Technical
  • XSS, SQL injection
• Logical
  • authorization errors
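As an added illustration of the two "technical" attacks named on this slide (this is example code written for this transcript, not part of the deck and not AppScan's own test logic), the Python below places a SQL-injectable account lookup and an unencoded HTML render next to their hardened forms, then runs the kind of differential probe a black-box scanner sends to tell the two apart. The account table, the probe string and all function names are constructed for the example.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory account table (sample data, not from the deck)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, display_name TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("jsmith", "John Smith", 100), ("admin", "Site Admin", 999999)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Technical flaw: the request parameter is spliced into the SQL text, so a
    quote character in the input changes the meaning of the query."""
    query = f"SELECT display_name, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the driver binds the value as data, so it can never
    become SQL syntax whatever characters it contains."""
    return conn.execute(
        "SELECT display_name, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def render_vulnerable(display_name: str) -> str:
    """Cross-site scripting: untrusted text dropped into HTML without encoding."""
    return f"<p>Welcome, {display_name}</p>"


def render_hardened(display_name: str) -> str:
    """Output encoding: the browser displays the text and never parses it as markup."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


def scanner_style_check() -> dict:
    """Black-box style probe: send the same odd-looking input to both versions and
    compare behaviour, which is what an automated scanner's test stage does.
    A vulnerable lookup returns every row; a hardened one returns none."""
    conn = make_db()
    probe = "' OR '1'='1"
    tag = "<script>alert(1)</script>"
    return {
        "sqli_vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        "sqli_hardened_rows": len(lookup_hardened(conn, probe)),
        "xss_vulnerable_reflects_tag": "<script>" in render_vulnerable(tag),
        "xss_hardened_reflects_tag": "<script>" in render_hardened(tag),
    }


if __name__ == "__main__":
    for key, value in scanner_style_check().items():
        print(f"{key}: {value}")
```

The fix in both cases is the same shape: keep data out of the grammar of the language it is being inserted into (SQL via bound parameters, HTML via output encoding) rather than trying to filter the input.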

Page 13:

SQL injection

Page 14:

Cross-site scripting

Page 15:

Authentication and authorization errors

Page 16:

Why scan?

• Mimics the attack of the hacker
• No substitute for proper application development

Page 17:

Scanning methods

• Manual
• Automatic

Page 18:

Scanning methods

• Manual
  • Penetration ("pen") testing
  • Requires human expert
  • Slow, error-prone
  • Can be insightful

Page 19:

Scanning methods

• Automatic
  • Faster
  • Complete list of tests
  • Not as perceptive as human tester

Page 20:

What scanning can do

• Black box scanning
• Works with any:
  • Language
  • Application server
  • Web server

Page 21:

What scanning can't do

• White box scanning (can't help with source code issues without additional software)

• Can't be integrated early in the development process

• Requires functional web site

Page 22:

IST Web application testing

Page 23:

AppScan


• IBM product
• Selected by IST in 2009 to provide testing services
• IST staff will scan your web application as part of your testing process
• No charge

Page 24:

Preparing your site for testing

• Test instance of application
• Be ready for disaster
• Backups of all code, data
• Allow access to scan server (firewall, .htaccess)
• Method to recreate the web site

Page 25:

The scanning process

• Explore
  • Spider traverses site and learns about structure
• Test
  • Attacks made on site
• Report findings
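An added example of the explore stage in Python (written for this transcript; it is not code from the deck or from AppScan): a small breadth-first spider that records the links and form entry points on each page, stays inside a scope prefix and honours an exclusion list, which is the same idea as limiting a scan to part of a site. The list of entry points it produces is what a test stage would then work from. The four pages under test.example are constructed, and `fetch` is simply any callable that returns a page body, here a dictionary lookup standing in for HTTP.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed stand-in for a test instance of a site (hostnames are assumptions).
SAMPLE_SITE = {
    "http://test.example/": (
        '<a href="/login">Login</a> <a href="/about.html">About</a> '
        '<a href="http://other.example/">Partner</a>'
    ),
    "http://test.example/login": (
        '<form action="/login" method="post">'
        '<input name="user"><input name="pass" type="password"></form>'
    ),
    "http://test.example/about.html": '<a href="/">Home</a> <a href="/admin/">Admin</a>',
    "http://test.example/admin/": (
        '<form action="/admin/delete" method="post"><input name="id"></form>'
    ),
}


class LinkFormParser(HTMLParser):
    """Collect the links and the form entry points found on one page."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.links = []
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            self.forms.append({
                "action": urljoin(self.base_url, a.get("action", "")),
                "method": a.get("method", "get").lower(),
                "inputs": [],
            })
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(a.get("name", ""))


def explore(start_url, fetch, scope_prefix, exclude=()):
    """Explore stage: breadth-first crawl from start_url that only fetches URLs
    under scope_prefix and skips any excluded prefix. Returns a site map of the
    form {url: {"links": [...], "forms": [...]}}."""
    queue = [start_url]
    seen = set()
    site_map = {}
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        if not url.startswith(scope_prefix) or any(url.startswith(x) for x in exclude):
            continue  # out of scope: never fetched, never recorded
        body = fetch(url)
        if body is None:
            continue
        parser = LinkFormParser(url)
        parser.feed(body)
        site_map[url] = {"links": parser.links, "forms": parser.forms}
        queue.extend(parser.links)
    return site_map


def entry_points(site_map):
    """Flatten the site map into (method, action, parameter names) tuples,
    the list the test stage would iterate over."""
    found = []
    for page in site_map.values():
        for form in page["forms"]:
            found.append((form["method"], form["action"], tuple(form["inputs"])))
    return found


if __name__ == "__main__":
    site_map = explore("http://test.example/", SAMPLE_SITE.get, "http://test.example/")
    for method, action, params in entry_points(site_map):
        print(method.upper(), action, params)
```

The scope and exclusion checks happen before any fetch, which is the property that matters when the crawl is pointed at a test instance next to a production host: an off-scope link is recorded nowhere and never requested.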

Page 26:

AppScan demonstration


• IBM provides sample web application to test
  • Altoro Mutual
  • http://demo.testfire.net
  • User: jsmith
  • Password: demo123

Page 27:

Running AppScan


• URL
• Scan wizard
• Login method
  • Recorded - go through process for scan
  • Prompt - record initial location, then enter as needed
  • Automatic - use entered name, password when required
  • None - when authentication not used (or ignored)
• Test policy

Page 28:

Running AppScan


• Complete scan
  • full auto scan
  • auto explore
  • manual explore (embedded browser)
    • allows limiting scan to part of site or ensuring it follows a set path
  • scan later (scheduled)
  • scan expert
    • does short scan to evaluate settings
    • may suggest configuration changes

Page 29:

Running AppScan


• Scan results
• Views
• Reports
  • Remediation
  • Regulatory
  • OWASP
  • Custom

Page 30:

Thoughts on software engineering for the web

• Basic SE principles still apply
• Development-Test-Production environments
• Use commercial solutions rather than coding your own where reasonable
• Application development must be planned and managed

Page 31:

Thoughts on software engineering for the web

• Add security from the beginning
• Publish only desired files
• Define what is good input and limit to that, rather than trying to strip out bad input.
• “good enough” isn't – the risks are too great
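The "define what is good input" rule, as an added Python example written for this transcript rather than anything from the deck: an allowlist validator for a few constructed field definitions, next to the strip-out-bad-characters approach the slide argues against, with one caveat a practitioner should know. In Python 3 the `\d` class accepts every Unicode decimal digit, so an allowlist meant to say "eight ASCII digits" has to spell out `[0-9]`. The field names and patterns are assumptions made for the example.

```python
import re
from typing import Optional

# Allowlist rules for fields a campus web form might accept (constructed for this
# example). Character classes are written as explicit ASCII ranges on purpose:
# \d and \w match Unicode digits and letters, which is wider than "good input".
ALLOWLIST = {
    "student_id": re.compile(r"\A[0-9]{8}\Z"),
    "username": re.compile(r"\A[a-z][a-z0-9]{2,15}\Z"),
    "term": re.compile(r"\A(winter|spring|fall)-20[0-9]{2}\Z"),
}


def validate_allowlist(field: str, value) -> Optional[str]:
    """Return the value only if the field is known and the value matches its
    definition of good input; anything else is rejected, never repaired."""
    rule = ALLOWLIST.get(field)
    if rule is None or not isinstance(value, str):
        return None
    return value if rule.fullmatch(value) else None


# The approach the slide argues against: delete characters believed to be bad
# and pass through whatever is left, with no idea what the field should contain.
DENYLIST = ("'", '"', "<", ">", ";", "--")


def strip_bad_input(value: str) -> str:
    """Denylist filtering: silently rewrites legitimate input (O'Brien becomes
    OBrien) while still accepting anything it was not told about."""
    for bad in DENYLIST:
        value = value.replace(bad, "")
    return value


def loose_student_id(value: str) -> bool:
    """Looks equivalent to the allowlist rule but \\d also accepts fullwidth
    and other non-ASCII decimal digits, so it is not the same definition."""
    return re.fullmatch(r"\d{8}", value) is not None


def check_form(fields: dict) -> dict:
    """Validate a whole submission: unknown fields and non-matching values are
    rejected by name, so the caller can refuse the request rather than guess."""
    accepted, rejected = {}, []
    for field, value in fields.items():
        ok = validate_allowlist(field, value)
        if ok is None:
            rejected.append(field)
        else:
            accepted[field] = ok
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    print(check_form({"student_id": "20401234", "username": "jsmith",
                      "term": "fall-2010", "extra": "x"}))
```

The allowlist version has the property the slide is after: the set of accepted values is written down and finite, so a reviewer (or a scanner report) can reason about what reaches the database and the page, while the denylist version can only ever be as complete as the last character someone thought to add.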

Page 32:

References


• IBM AppScan: http://www.ibm.com/software/awdtools/appscan/standard/
• OWASP: http://www.owasp.org
• IST IT Security team: http://ist.uwaterloo.ca/security/
• Quotation of the Day: http://quotationofthedaylist.blogspot.com/

Page 33:

Questions?
