Software Security Testing

The Next Frontier

Software Confidence. Achieved.

Scott Matsumoto
Principal Consultant
smatsumoto@cigital.com
www.cigital.com
info@cigital.com
+1.703.404.9293

Tuesday, May 01, 2007 1

About Cigital

A leading consulting firm specializing in helping
organizations improve their software security and software
quality posture

Recognized experts in “Building Security In”

Extensive Industry Standards, Best Practices, and
Regulatory Compliance Experience

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 2

1
 Software Security Is A Challenge

The Trinity of Trouble …is this complex program

Connectivity
The network is
the computer.

The Internet is
everywhere and most
software is on it

Complexity

Networked, distributed,
mobile code is hard

Extensibility

Systems evolve in

.NET
unexpected ways and
are changed on the fly This simple interface…

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 3

Software Vulnerability Growth

Reported Software Vulnerabilities

9000 8064
8000
7000
5690
6000
5000 4129 3784 3780
4000
3000 2437
2000 1090
1000
0
2000 2001 2002 2003 2004 2005 2006

Source: CERT
© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 4

2
 Web-based Application Vulnerability

Software Security problems are in the application software

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 5

Top 4 Vulnerabilities in CVE

Percentage distribution of top 4 vulnerabilities

25.00%

20.00%

XSS
15.00%
buf
sql-inject
10.00%
dot
5.00%

0.00%
2000 2001 2002 2003 2004 2005 2006 2007

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 6

3
 Software Security Touchpoints

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 7

SQL Injection

Insert SQL commands into data fields to alter
behavior of server

Return different data

Overwork server with unbounded queries and
joins (denial of service)

Alter data

Execute blocks of arbitrary SQL statements

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 8

4
 Example SQL Injection Vulnerability

Compose a dynamic query based on user input:

SELECT cc_type, cc_num FROM cc_data
WHERE id=‘%s’ AND cc_type=‘%s’

Normal cc_type = ‘Visa’:
SELECT cc_type, cc_num FROM cc_data
WHERE id=‘123456789’
AND cc_type=‘VisaVisa’
Visa

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 9

JRM2

SQL Injection

Insert SQL commands into data fields to alter
behavior of application

Example: Enter x’ OR ‘a’=‘a instead of
“Visa” to produce
SELECT cc_type, cc_num FROM cc_data
WHERE id=‘123456789’ AND
cc_type =‘x’ OR ‘a’ = ‘a’

Results in all credit card data being returned

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 10

5
Slide 10

JRM2 Brook: Explain why this is important to morgan.

rmills, 11/6/2006
 Software Security Testing – Call to Action

Types of problems (vulnerabilities)

Weaknesses, Vulnerability and Attack
Patterns

Tools and Techniques for Testing

Penetration and Fuzzing tools

Think like a bad guy

Know your application

Resources

CWE/CVE – mitre.org

OWASP – owasp.org

Verify 2007 – verifyconference.com
© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 11

Thank you for your time.

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 12