This document outlines a plan to conduct a web application security assessment of Portuguese websites. It will analyze assessment methodologies, select target applications, and apply an assessment methodology. The methodology involves discovery, attacks, and documenting results. Legal authorization is needed to avoid liability. The goal is to produce a report on vulnerabilities for each application to help improve security.
Web Applications Security Assessment In The Portuguese World Wide Web Panorama
1. Web Applications Security Assessment in the Portuguese WWW Panorama

Carlos Serrão
carlos.serrao@iscte.pt
carlos.j.serrao@gmail.com
http://www.carlosserrao.net
http://blog.carlosserrao.net
http://www.linkedin.com/in/carlosserrao

Nuno Teodoro
nuno.filipe.teodoro@gmail.com
nfteodoro@hotmail.com
http://www.linkedin.com/in/nunoteodoro

ISCTE-IUL/DCTI
Instituto Superior do Trabalho e da Empresa, Instituto Universitário de Lisboa
Departamento de Ciências e Tecnologias de Informação
6. Web application security assessment methodologies analysis
Iberic Web Application Security Conference 2009

What do we have to start with?
- Online access to the Web application?
- Source code?
- Inside knowledge about the Web application?

What we can't do / What we can do:
- Application Security Architecture Review
- Automated Source Code Analysis
- Manual Security-Focused Code Review
- Automated External Application Scanning
- Manual Penetration Testing
8. Selection of the Web applications to be tested

Main critical areas to assess:
- Public Administration Services (most representative set)
- Banks (most representative set)
9. Selection of the Web applications to be tested

- Banks
- Public Administration Services:
  - Finances
  - Health Care
  - Social Security
  - Citizens' Portal
10. Selection of the Web applications to be tested

Why were these Web applications chosen?
- Critical operations
- Portuguese domain
- Massive utilization
- Interesting in the Portuguese WWW panorama
11. Selection of the Web applications to be tested

Critical operations: Finances
- IVA
- IES
- IRS
- Citizens
- Confirm TOC
- IRC
- Open Activity
- Companies
- IMI
- IMT
- Circulation Tax
- Public entities
- Change NIB
- Ask NIF
- Other entities
12. Selection of the Web applications to be tested

Critical operations: Health Care
- Citizens
- Pay services
- Register
- Public entities
- Health entities
13. Selection of the Web applications to be tested

Critical operations: Social Security
- Penalties
- Register
- Payments
- Companies
- Family pensions
- Unemployed pensions
- Employees
- Retirement pensions
- Others
14. Selection of the Web applications to be tested

Critical operations: Citizens' Portal
- Companies
- Create company
- General services
- Citizens
15. Web applications security assessment methodology

Penetration Testing:
- Passive mode
- Active mode
16. Web applications security assessment methodology

- Discovery
- Document and analyse the discovery results
- Create attack simulations on the target entity
- Analyse each attack
- Document the results of the attacks
- Solutions to mitigate the problems
- Presentation of the results to the entity
17. Apply the methodology to the web applications

- OWASP Testing Guide
- WASC Threat Classification

Why combine both?
- Two important organizations
- Bigger issue coverage
23. Legal constraints

- A crucial point in this work
- Can lead to invalidation of the work if permissions are denied
- Can lead to a change of the entire work scope
24. Legal constraints

Mitigating legal constraints:
- Change target entities
- Loss of some interest... ?