Application Security Testing in the Real World, presented at SAINTCON 2017

by Seth Law

Summary: Over the past 20 years, the security industry has defined application security testing tools as separate from the traditional QA toolset, although the approach is similar: send test data (payloads, exploits) to an application and inspect the response for appropriate or inappropriate behavior. The one-size-fits-all approach to security testing during the software development lifecycle (SDLC) does uncover security flaws, but leaves something to be desired, as it does not pinpoint the exact file or function where a vulnerability exists. Fuzzing application parameters is a great first step, but it requires additional research and work to fix or exploit any identified flaws.
Because generic security testing tools are readily available, custom, application-specific security testing is often overlooked or implemented with the previously mentioned solutions. As developers and security professionals, we can do better. A hammer is not the only tool in our belt. Now that DevOps practices such as Test Driven Development (TDD) and Continuous Integration (CI) are synonymous with modern development, customized security testing can be integrated into the SDLC.
This talk will first introduce a simple framework for creating security unit tests. Next, it will review common strategies for building application security unit tests, including function identification, testing approaches, edge cases, and payload generation. We will demonstrate these techniques in Python, Swift, and Java against intentionally vulnerable applications. In addition, it will introduce sputr (https://github.com/sethlaw/sputr), an open-source repository of security unit testing payloads to use as a starting point for creating custom security unit tests.
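The following is an added illustration of the idea the abstract describes, not code from the talk or from the sputr repository: a security unit test aimed at one specific function, fed from a payload list, with edge cases on both sides (inputs that must be rejected and suspicious-looking inputs that must still be accepted). The upload-path resolver, its naive counterpart, the payload list, and the `/srv/app/uploads` root are all constructed for this example; a real project would import its own function and grow the payload list from a shared repository such as sputr.

```python
import posixpath
import unittest
from typing import Callable, List, Optional

# Constructed for this example: the directory user uploads must stay inside.
UPLOAD_ROOT = "/srv/app/uploads"


def naive_resolve_upload_path(user_filename: str) -> Optional[str]:
    """The 'before' version: plain concatenation, no normalization or checks."""
    return UPLOAD_ROOT + "/" + user_filename


def resolve_upload_path(user_filename: str) -> Optional[str]:
    """Hardened version: map a user-supplied name to a path under UPLOAD_ROOT.

    Returns None for empty names, names containing a NUL byte, and names
    that normalize to the root itself or to anything outside it.
    """
    if not user_filename or "\x00" in user_filename:
        return None
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, user_filename))
    if candidate == UPLOAD_ROOT or not candidate.startswith(UPLOAD_ROOT + "/"):
        return None
    return candidate


# Constructed payload list standing in for a shared payload repository.
TRAVERSAL_PAYLOADS: List[str] = [
    "../etc/passwd",
    "../../../../../../etc/passwd",
    "/etc/passwd",
    "..",
    ".",
    "./../app/config.py",
    "uploads/../../app/config.py",
    "report.txt\x00.png",
    "",
]

# Legitimate names that merely look suspicious. Without these, a function
# that rejects everything would pass the test above.
BENIGN_INPUTS: List[str] = [
    "report.txt",
    "2017/q3/report.pdf",
    "weird..name.txt",
    "..hidden-but-harmless",
]

Resolver = Callable[[str], Optional[str]]


def escaped_payloads(resolver: Resolver, payloads: List[str]) -> List[str]:
    """Payloads the resolver accepted with a result that is not a path
    strictly below UPLOAD_ROOT, or that still carries a NUL byte."""
    escaped = []
    for payload in payloads:
        result = resolver(payload)
        if result is None:
            continue
        normalized = posixpath.normpath(result)
        if "\x00" in result or not normalized.startswith(UPLOAD_ROOT + "/"):
            escaped.append(payload)
    return escaped


def rejected_benign(resolver: Resolver, inputs: List[str]) -> List[str]:
    """Benign inputs the resolver wrongly rejected (false positives)."""
    return [name for name in inputs if resolver(name) is None]


class UploadPathSecurityTest(unittest.TestCase):
    """Security unit test pinned to one function, as the talk proposes."""

    def test_traversal_payloads_are_confined(self):
        self.assertEqual(escaped_payloads(resolve_upload_path, TRAVERSAL_PAYLOADS), [])

    def test_benign_names_are_accepted(self):
        self.assertEqual(rejected_benign(resolve_upload_path, BENIGN_INPUTS), [])

    def test_naive_version_is_caught(self):
        # The same payload list, run against the unfixed function, names the
        # exact inputs that escape; that is the precision a generic scanner lacks.
        self.assertIn("../etc/passwd", escaped_payloads(naive_resolve_upload_path, TRAVERSAL_PAYLOADS))


if __name__ == "__main__":
    unittest.main()
```

Because the test targets `resolve_upload_path` directly rather than an HTTP endpoint, a failure points at the exact file and function, and the payload list can be reused against every function in the code base that builds filesystem paths from user input.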