This presentation talks about the focus towards building security in the software development life cycle and covers details related to Reconnaissance, Scanning and Attack based test design and execution approach.

1. Name of the Speakers :
 Anish Cheriyan, Director Quality and Centre of Excellence-Cyber Security
 Sriharsha Narayanam , Test Architect and Cyber Security Test Engineering -COE Team
Company Name : Huawei Technologies India Private Limited

2. ● Introduction
● Principles of Security for Secure Products
● Security in Product Development Life Cycle
● Penetration Testing Approach
● Details of Pen Test
● Cyber Security- a mindset and some anti
patterns
● Conclusion

3. http://einstueckvomglueck.com/wp-content/uploads/2010/11/philiplumbang.jpg

4. http://thevarguy.com/site-files/thevarguy.com/files/archive/thevarguy.com/wp-content/uploads/2008/12/canonical-unison-attack-microsoft-e
Just Attack Testing

5. http://thevarguy.com/site-files/thevarguy.com/files/archive/thevarguy.com/wp-content/uploads/2008/12/canonical-unison-attack-microsoft-e
http://7428.net/wp-content/uploads/2013/05/Color-Feather.jpg
Feather Touch Testing

6. http://http://blog.courtmetrange.eu/?attachment_id=1487
Time Bound Testing

7. http://www.zazzle.com/innocent+until+proven+guilty+gifts

9.  Favor simplicity
◦ Use fail safe defaults
◦ Do not expect expert users
 Trust with reluctance
◦ Employ a small trusted computing base
◦ Grant the least privilege possible
 Promote privacy
 Compartmentalize
 Defend in Depth
◦ Use Community resource-no security by obscurity
 Monitor and trace
Reference: Reference: Software Security by Michael Hicks, Coursera

10. Reference: Reference: Software Security by Michael Hicks, Coursera

17. www.unicomlearning.com/ethicalha

21. Requirement Design Coding Testing Release
•General
Security
Requirement
Analysis
•Attack
Surface
Analysis
• Threat
Modeling -
STRIDE(Micro
soft)
•Testability
Analysis
•Secure
Architecture
and Design.
•Security
Design
guidelines
•Security
Test Strategy
and Test
Case
•Secure
Coding
Guidelines
(cert.org-
good
reference)
•Static Check
Tools like
Fortify,
Coverity (Ref-
owasp.org)
•Code
Reviews
•Security Test
Cases
•Penetration
Testing
Approach
(Reconnaissa
nce,
Scanning,
Attack,
Managing
access)
•Anti Virus
•Continuous
Delivery
System
(Inspection
and Secure
Test)

22. Reference: https://msdn.microsoft.com
Identify assets. Identify the valuable assets
that your systems must protect.
Create an architecture overview. Use simple
diagrams and tables to document the
architecture of your application, including
subsystems, trust boundaries, and data flow.
Decompose the application. Decompose the
architecture of your application, including the
underlying network and host infrastructure
design, to create a security profile for the
application.
Identify the threats. Keeping the goals of an
attacker in mind, and with knowledge of the
architecture and potential vulnerabilities of
your application, identify the threats that
could affect the application.
Document the threats. Document each threat
using a common threat template that defines
a core set of attributes to capture for each
threat.
Rate the threats. Rate the threats to prioritize
and address the most significant threats first.

23. Reference: https://msdn.microsoft.com

24. Reference: https://msdn.microsoft.com

25. Reference: https://msdn.microsoft.com

26. Reference:
https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet#DRAFT_CHEAT_SHEET_-
_WORK_IN_PROGRESS
•Business Model
•Data Essential
•End Users
•Third Party
•Administrators
•Regulations
Business
Requirements
•Network
•Systems
•Infrastructure Monitoring
•Virtualization and
Externalization
Infrastructure
Requirements •Environments
•Data Processing
•Access
•Application Monitoring
•Application Design
Application
Requirements
•Operations
•Change Management
•Software Development
•Corporate
Security Program
Requirements
www.unicomlearning.com/IT_Security_and_Ethical_Hacking

27. Reference: https://owasp.org
Input
Validation
Output
Encoding
Authn. & Pwd.
Mgmt.
Session
Management
Access
Control
Cryptographic
Practices
Error
Handling and
Logging
Data
Encryption
Communicati
on Security
System
Configuration
File
Management
Memory
Management
Gen. Coding
Practices
www.unicomlearning.com/IT_Security_and_Ethical_Hacking

28. Further Reading: Threat Modeling- Frank Swiderski, Window Snyder, A Few Billion Lines of Code Later: Using Static Analysis to
Find Bugs in the Real World - http://cacm.acm.org/magazines/2010/2/69354-a-few-billion-lines-of-code-later/fulltext
Trust
boundary
code (Threat
Model)
Static Tool
Execution
Manual Code
Review
While doing the code review we can take the inputs from the code
in the trust boundary, issues from the static tools like Fortiy,
Coverity etc and put the focus at the right place for the Code
Review

29. •Information
Gathering
(About the
system,
environment
etc.)
•Scan the system
•Threat Analysis
•Usage of the Static
analyzer (Run fortify,
Coverity, Appscan,
Nessus, NMAP etc)
•Right tool usage
•Vulnerability
Analysis
•Fuzz Testing
•Penetration
testing
•Use /Develop
right set of tools
to attack
•Raise
Defects
Reconnaiss
ance
Scanning Attack
Managing
Access
Test Strategy

30. Picture Courtesy: http://sd.keepcalm-o-matic.co.uk/i/assume-nothing-believe-nobody-and-check-
everything--1.png

31. Understands the typical application scenario. Analyse the system
topology, architecture etc.
Analyse the Threat Model , Security design and identifies the trust
boundaries., Apply Penetration Test Analysis and Design
Review and Analyse the Open source and third party software
Analyse report of non dynamic examination like Fortify, Coverity.
Analyze the information like communication matrix, product manual. .
etc
Conduct the code verification from security perspective
Conduct penetration testing (Information gathering, Scanning, Attack,
Defects)

32. Web Security
Network
Security
DB Security OS Security
Mobile
Security
Open Source
Security
Password
Security
Tools to be
used
Code
Vulnerabilities
Validation
Penetration
Test Analysis
and Design
Top 3
Attacks to
be Focused
Customer
Deployment
Topology
Threat
Modeling
based
Scenarios
Penetration
Test
Approach
Attack
Vectors /
Surface
Automation
?
Country
Specific
Security
Test Case
Database
Good practice
inheritance from
Security defects
from past
Security Test Strategy - What to Cover ?

33. Threat modeling Analysis
Level Vulnerability analysis.
System Level and Feature
Tools & Version Analysis
Gather Overall Information
Inputs from Baseline
Test Case from Test
Scenarios
Exploratory
Pen Testing With
designed Cases
Perform Scanning
Defect Based Test Cases
Defects Analysis
Manage Access
Penetration Testing Analysis overall flow
Output
Penetration Test
Scenarios
Penetration Test
Cases
Defects
1. Damage potential
Assessment
2. New Test Cases

34.  Reconnaissance is a the first and the key phase of penetration testing where the
information is gathered.
 The more time you spend collecting information on your target, the more likely
you are to be successful in the later phases. There can be a checklist based
approach for information gathering but it need not be constrained to the list.
 Information Gathering helps teams to think about the product properties upfront.
．．．So On
Reconnaissance / Information Gathering
Category
Suggestive Informations to be gathered /
verified
Actual Information
General
Informatio
n
List of IP addresses that can be scanned
Target OS and File permission information
Information about the LOG FILE and their paths
Information about the DATA FILE Location, and their
format
Storage mechanism of the USERNAME/PASSWORD of
the application

35. Reconnaissance / Information Gathering
Few Tools for WebApplication Reconnaissance
 Wappalyzer
 Passive Recon
 Ground Speed
[http://www.slideshare.net/groundspeed/groundspeed-
presentation-at-the-owasp-nynj]

36. Software URL Description
Maltego
http://www.paterva.com/web5
The defacto standard for mining data on individuals and companies.
Comes in a free community version and paid version.
Nessus
http://tenable.com/products/nessus
A vulnerabilty scanning tool available in paid and free versions. Nessus
is useful for finding and documenting vulnerabilities mostly from the
inside of a given network.
IBM AppScan
http://www-
01.ibm.com/software/awdtools/appscan
IBM's automated Web application security testing suite.
eEye Retina
http://www.eeye.com/Products/Retina.asp
x
Retina is an an automated network vulnerability scanner that can be
managed from a single web-based console. It can be used in
conjunction with Metasploit where if an exploit exists in Metasploit, it
can be launched directly from Retina to verify that the vulnerability
exists.
Nexpose
http://www.rapid7.com
Nexpose is a vulnerability scanner from the same company that brings
you Metasploit. Available in both free and paid versions that differ in
levels of support and features.
OpenVAS
http://www.openvas.org
OpenVAS is a vulnerability scanner that originally started as a fork of
the Nessus project. The actual security scanner is accompanied with a
daily updated feed of Network Vulnerability Tests (NVTs), over 20,000
in total (as of January 2011)
HP WebInspect
https://www.fortify.com/products/web_ins
pect.html
HP WebInspect performs web application security testing and
assessment for complex web applications. Supports JavaScript, Flash,
Silverlight and others.
HP SWFScan
https://h30406.www3.hp.com/campaigns/
2009/wwcampaign/1-
5TUVE/index.php?key=swf
HP SWFScan is a free tool developed by HP Web Security Research
Group to automatically find security vulnerabilities in applications built
on the Flash platform. Useful for decompiling flash apps and finding
hard-coded credentials, etc.
THC IPv6 Attack
Toolkit
http://www.thc.org/thc-ipv6
The largest single collection of tools designed to exploit vulnerabilities
in the IPv6 and ICMP6 protocols.
Pen Test Tools and Guidelines- http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
Security Tools and Version Analysis
Tools Analysis helps the teams to select the applicable tools upfront and build required
competency to use them / acquire license , well before test execution phase.

37.  Scanning is the phase where the
vulnerabilities and the weak areas in
the system / target can be identified.
 Tools to be finalized based on the
application scope.
• Based on the Threat Modeling Analysis,
understand the Trust Boundary.
– Analyze the present Risk Mitigation
mechanism and derive test scenarios
– Analysis the proposed Risk Mitigation
mechanism and device the test scenarios
• Threat Modeling analysis to be done both at
System and at Sub system level
．．．So On
．．．So On
System Scanning and further Analysis
Test Scenarios from Threat Modeling Analysis
Category Tool / Technique
Applicability
Analysis
Scanning of the system
under test using Static
Code Analyzer Fortify , Coverity
Determining if a system
is alive
Scanning Application
AppScan , Acunetix,
RSAS , QRADAR. .
Entity or
Process
Threat
Type
Applicable ?
Test Scenario
based on Current
Mitigation
Test Scenario based
on Proposed
Mitigation
Requirement 1
S Yes
T No
R
I
D
E

38.  Vulnerability analysis is a process in which the vulnerability analysis of the system & Feature are
conducted. The various ways in which it can be done are :
◦ Threat Modeling analysis
◦ Reconnaissance – Information Gathering
◦ System Level Vulnerability based on the Security area (Overlap with Threat Modeling Analysis)
◦ Feature level Vulnerability based on the Security area (Overlap with Threat Modeling Analysis)
Security Area
Does this Feature
interact with
Trust Boundary
SSL
Configuratio
n used
Encryption
Algorithm used
Anti-
Attack
Protection
Identity
Manageme
nt
Password
Management
System Level
Analysis
Feature 1
．．．So On
System and Feature level Vulnerability Analysis

39. Systematic Penetration Testing – Defects Examples
Web Server version
based Defects
Web Server version
based Defects
Encryption issues
Address ID issue
Session ID bases
Privilege Escalation
CSRF issue – Form key
User scenario Bases
SQL injection

40. Penetration Testing Practice platforms

41.  Attack Surface analysis, Threat modeling not
deeply practiced
 Secure design and code practices not practiced
well
 Ignoring some errors of Fortify /Coverity and
other tools. Sometimes considering them as false
positives
 Relying too much on Testing
 “This is not a valid scenario. Customer would
never test this way”.
 “Innocent until Proven”- It should be “Guilty
unless proven”
Reference: Reference: Software Security by Michael Hicks, Coursera

42.  Build Security into the Life Cycle of product
development
 Focus on Security Competency
 Assume Nothing, Believe Nobody, Check
Everything.
 Following Penetration Test Design Methods-
Reconnaissance-Scanning-Attack-Manage
Access.

44.  www.cert.org
 www.owasp.org
 http://pr.huawei.com/en/connecting-the-
dots/cyber-security/
 http://pr.huawei.com/en/connecting-the-
dots/cyber-security/hw-
401493.htm#.VV6DBfBCijM
 https://msdn.microsoft.com/en-
us/security/aa570330.aspx
 Building Secure Software –John Viega, Gary
McGraw
 Coursera Course - Software Security by Michael
Hicks, University of Maryland

45. Organized by: UNICOM Trainings & Seminars Pvt. Ltd.
contact@unicomlearning.com
www.unicomlearning.com/IT_Security_and_Ethical_Hacking
Speaker Name: Anish Cheriyan , Sriharsha Narayanam
Email ID: anishcheriyan@huawei.com, @anishcheriyan
sriharsha.narayanam@huawei.com