
RE: [WEB SECURITY] application attacks




I think it would be impossible or extremely difficult for any individual
or group of individuals to write a web application without
vulnerabilities just by their knowledge alone.  Whenever I audit a web
application, I test to see if the agency performs web application scans
as part of their development cycle (prior to moving a web application
into production).  If they do not, I make a formal recommendation that
they do.  The state of Maryland's Department of Budget and Management's
Systems Development Life Cycle requires agencies to scan applications
for vulnerabilities (see excerpt below).

Al S.

Excerpt: Systems Development Life Cycle (SDLC) - Volume 2, SDLC Phases,
Dated July 2002

Source: Maryland Department of Budget and Management

INTEGRATION AND TEST PHASE

1.0 OBJECTIVE

The objective of this phase is to prove that the developed system
satisfies the requirements defined in the FRD. Another purpose is to
perform an integrated system test function as specified by the design
parameters. This function shall be the responsibility of the system
testers and will be heavily supported by the user participants.

Prerequisites of this phase are the FRD, project management plan and
schedule, system baseline software and documents, and a test plan
containing all test requirements and schedules.

Several types of tests will be conducted in this phase. First, subsystem
integration tests shall be executed and evaluated by the development
team to prove that the program components integrate properly into the
subsystems and that the subsystems integrate properly into an
application. Next, the testing team conducts and evaluates system tests
to ensure the developed system meets all technical requirements,
including performance requirements. Next, the testing team and the
Security Program Manager conduct security tests to validate that the
access and data security requirements are met. Finally, users
participate in acceptance testing to confirm that the developed system
meets all user requirements as stated in the FRD. Acceptance testing
shall be done in a simulated "real" user environment with the users
using simulated or real target platforms and infrastructures.

2.3 Conduct Security Testing

The test and evaluation team will again create or load the test
database(s) and execute security (penetration) test(s). All tests will
be documented, similar to those above. Failed components will be
migrated back to the development phase for rework, and passed components
will be migrated ahead for acceptance testing.

-----Original Message-----
From: Dennis Hurst [mailto:dhurst@spidynamics.com]
Sent: Monday, July 17, 2006 3:41 PM
To: websecurity@webappsec.org
Subject: RE: [WEB SECURITY] application attacks

I'm new to the list, so please pardon me if I'm repeating something other
people have mentioned.

After being a developer for a long time and talking to developers about
security every day, it seems that we (security people) miss a point very
often.  Even in an ideal world where developers knew what SQL Injection,
et al., are and knew how to code against them, you are still going to have
issues.  Web app security issues are frequently just bugs that have a
security aspect.  They are simple mistakes that people make when they
get in a rush.  I think this will always be the case, which is why
testing for security issues is critical.  Just like people test for
functional issues, we need to test for security issues.  No one says
"who's wrong?" when they find a simple bug; they just know that
development is a bug-prone process and know that the process needs to
support stable software.  It seems to me that blame does not do any good,
but improving the process of developing secure software is a huge value.

Dennis Hurst
dhurst@spidynamics.com
Microsoft Developer Security - MVP
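The point above, that a security issue is usually an ordinary bug with a security aspect and should be tested for the same way, shown as a small added example (not code from Dennis Hurst or any list member): a user lookup written the rushed way and the parameterized way, run through one functional test and two regression tests. The table, column names and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows for the example (not data from the thread).
SAMPLE_USERS = [
    ("alice", "alice@example.org"),
    ("o'brien", "obrien@example.org"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_naive(conn, username):
    """The 'simple mistake made in a rush': input spliced into the SQL text."""
    sql = "SELECT email FROM users WHERE username = '%s'" % username
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_email_fixed(conn, username):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    sql = "SELECT email FROM users WHERE username = ?"
    row = conn.execute(sql, (username,)).fetchone()
    return row[0] if row else None


def run_tests(lookup):
    """Run one lookup implementation through the test set.

    Returns a dict mapping test name to True (passed) or False (failed).
    A query that fails to parse is recorded as a failed test rather than
    a crash, the way a test runner would report it.
    """
    conn = make_db()
    results = {}

    # 1. Functional test: the happy path every team already writes.
    results["functional_known_user"] = (
        lookup(conn, "alice") == "alice@example.org"
    )

    # 2. Edge case that is first of all a functional bug: a legitimate
    #    name containing an apostrophe. The naive version cannot even
    #    parse the query it built for this input.
    try:
        results["edge_apostrophe_in_name"] = (
            lookup(conn, "o'brien") == "obrien@example.org"
        )
    except sqlite3.OperationalError:
        results["edge_apostrophe_in_name"] = False

    # 3. The same defect written as a security regression test: input
    #    that is no user's name must be treated as a literal and match
    #    nothing. The naive version instead returns some user's email.
    try:
        results["security_literal_input"] = (
            lookup(conn, "' OR '1'='1") is None
        )
    except sqlite3.OperationalError:
        results["security_literal_input"] = False

    conn.close()
    return results


if __name__ == "__main__":
    for name, impl in (("naive", lookup_email_naive), ("fixed", lookup_email_fixed)):
        print(name, run_tests(impl))
```

The apostrophe test fails first and for purely functional reasons, which is the kind of bug a team will fix without asking who is wrong; the third test only names the security aspect of the same defect.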


-----Original Message-----
From: AF [mailto:newsalaksa@nxtg.net]
Sent: Monday, July 17, 2006 3:26 PM
To: websecurity@webappsec.org
Subject: Re: [WEB SECURITY] application attacks

Hi there!

I think the mistake is in this sentence:

> Now, every developer knows how to
> protect their web applications against application attacks such as SQL
> Injection, XSS, HTTP smuggling, and others. So could someone give me some
> clear image about that. What's wrong?

The question is "Who's wrong?"
The answer is: You. :)

That's a fact: many web developers still don't know how to implement
security principles. Many don't even know security principles exist!

So when it comes to SQL injection, XSS, splitting, applogic, and so
on... well... there's still a lot of work ahead of us to do. This applies
to almost every industry!

Pentesting, for fun, but also teaching and spreading the information
around us, as much as we can. That's it. That's what we can (have to?) do.

@ntoine

----------------------------------------------------------------------------

The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



------_=_NextPart_001_01C6A9DA.EE3D26EC
Content-Type: text/html;
	charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40";>

<head>
<meta http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
 name=3D"State"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
 name=3D"place"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
 name=3D"PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.MsoHeader, li.MsoHeader, div.MsoHeader
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.MsoFooter, li.MsoFooter, div.MsoFooter
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";
	font-weight:bold;}
p.UJ, li.UJ, div.UJ
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.arBlankLine, li.arBlankLine, div.arBlankLine
	{margin:0in;
	margin-bottom:.0001pt;
	line-height:110%;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.arCoverItalicsStmt, li.arCoverItalicsStmt, div.arCoverItalicsStmt
	{margin:0in;
	margin-bottom:.0001pt;
	line-height:110%;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;
	font-style:italic;}
p.arCoverLine, li.arCoverLine, div.arCoverLine
	{margin:0in;
	margin-bottom:.0001pt;
	text-align:center;
	line-height:110%;
	font-size:16.0pt;
	font-family:"Times New Roman";
	text-decoration:underline;}
p.arESBullet, li.arESBullet, div.arESBullet
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:.5in;
	margin-bottom:.0001pt;
	text-indent:-.25in;
	line-height:110%;
	mso-list:l2 level1 lfo3;
	font-size:12.0pt;
	font-family:"Times New Roman";}
p.arESBulletUnder, li.arESBulletUnder, div.arESBulletUnder
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:.25in;
	margin-bottom:.0001pt;
	line-height:110%;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.arFindingBox, li.arFindingBox, div.arFindingBox
	{margin:0in;
	margin-bottom:.0001pt;
	line-height:110%;
	background:#CCCCCC;
	border:none;
	padding:0in;
	font-size:12.0pt;
	font-family:"Times New Roman";}
p.arFindingBullet, li.arFindingBullet, div.arFindingBullet
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:.5in;
	margin-bottom:.0001pt;
	text-indent:-.25in;
	line-height:110%;
	mso-list:l1 level1 lfo2;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.arHeading12Ctr, li.arHeading12Ctr, div.arHeading12Ctr
	{margin:0in;
	margin-bottom:.0001pt;
	text-align:center;
	line-height:110%;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.arHeading12CtrBldUnderlined, li.arHeading12CtrBldUnderlined, =
div.arHeading12CtrBldUnderlined
	{margin:0in;
	margin-bottom:.0001pt;
	text-align:center;
	line-height:110%;
	font-size:12.0pt;
	font-family:"Times New Roman";
	text-decoration:underline;}
p.arHeading12CtrBold, li.arHeading12CtrBold, div.arHeading12CtrBold
	{margin:0in;
	margin-bottom:.0001pt;
	text-align:center;
	line-height:110%;
	font-size:12.0pt;
	font-family:"Times New Roman";}
p.arHeading12LeftBold, li.arHeading12LeftBold, div.arHeading12LeftBold
	{margin:0in;
	margin-bottom:.0001pt;
	line-height:110%;
	font-size:12.0pt;
	font-family:"Times New Roman";}
p.arHeading14Ctr, li.arHeading14Ctr, div.arHeading14Ctr
	{margin:0in;
	margin-bottom:.0001pt;
	text-align:center;
	line-height:110%;
	font-size:14.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.arHeading14CtrBldUnderlined, li.arHeading14CtrBldUnderlined, =
div.arHeading14CtrBldUnderlined
	{margin:0in;
	margin-bottom:.0001pt;
	text-align:center;
	line-height:110%;
	font-size:14.0pt;
	font-family:"Times New Roman";
	text-decoration:underline;}
p.arHeading14LeftBold, li.arHeading14LeftBold, div.arHeading14LeftBold
	{margin:0in;
	margin-bottom:.0001pt;
	line-height:110%;
	font-size:14.0pt;
	font-family:"Times New Roman";}
p.arHeading16CtrBold, li.arHeading16CtrBold, div.arHeading16CtrBold
	{margin:0in;
	margin-bottom:.0001pt;
	text-align:center;
	line-height:110%;
	font-size:16.0pt;
	font-family:"Times New Roman";}
p.arLetterAddress, li.arLetterAddress, div.arLetterAddress
	{margin:0in;
	margin-bottom:.0001pt;
	line-height:110%;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.arLetterSignatures, li.arLetterSignatures, div.arLetterSignatures
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:3.0in;
	margin-bottom:.0001pt;
	line-height:110%;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.arParaUnjust, li.arParaUnjust, div.arParaUnjust
	{margin:0in;
	margin-bottom:.0001pt;
	line-height:110%;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.arParaUnjustBold, li.arParaUnjustBold, div.arParaUnjustBold
	{margin:0in;
	margin-bottom:.0001pt;
	line-height:110%;
	font-size:12.0pt;
	font-family:"Times New Roman";}
p.arTOCIndent1, li.arTOCIndent1, div.arTOCIndent1
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:.25in;
	margin-bottom:.0001pt;
	line-height:110%;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.arTOCIndent2, li.arTOCIndent2, div.arTOCIndent2
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:.5in;
	margin-bottom:.0001pt;
	line-height:110%;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.BY, li.BY, div.BY
	{margin:0in;
	margin-bottom:.0001pt;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:10.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.C1, li.C1, div.C1
	{margin:0in;
	margin-bottom:.0001pt;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.C2, li.C2, div.C2
	{margin:0in;
	margin-bottom:.0001pt;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.C3, li.C3, div.C3
	{margin:0in;
	margin-bottom:.0001pt;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.C4, li.C4, div.C4
	{margin:0in;
	margin-bottom:.0001pt;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.C5, li.C5, div.C5
	{margin:0in;
	margin-bottom:.0001pt;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.CS, li.CS, div.CS
	{margin:0in;
	margin-bottom:.0001pt;
	text-align:center;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:10.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.L0, li.L0, div.L0
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:.4in;
	margin-bottom:.0001pt;
	text-align:justify;
	text-indent:-.4in;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.L1, li.L1, div.L1
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:.6in;
	margin-bottom:.0001pt;
	text-align:justify;
	text-indent:-.4in;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.L2, li.L2, div.L2
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:.8in;
	margin-bottom:.0001pt;
	text-align:justify;
	text-indent:-.4in;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.L3, li.L3, div.L3
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:1.0in;
	margin-bottom:.0001pt;
	text-align:justify;
	text-indent:-.4in;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.L4, li.L4, div.L4
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:1.2in;
	margin-bottom:.0001pt;
	text-align:justify;
	text-indent:-.4in;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.L5, li.L5, div.L5
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:1.4in;
	margin-bottom:.0001pt;
	text-align:justify;
	text-indent:-.4in;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.L6, li.L6, div.L6
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:1.6in;
	margin-bottom:.0001pt;
	text-align:justify;
	text-indent:-.4in;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.P0, li.P0, div.P0
	{margin:0in;
	margin-bottom:.0001pt;
	text-align:justify;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.P1, li.P1, div.P1
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:.2in;
	margin-bottom:.0001pt;
	text-align:justify;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.P2, li.P2, div.P2
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:.4in;
	margin-bottom:.0001pt;
	text-align:justify;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.P3, li.P3, div.P3
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:.6in;
	margin-bottom:.0001pt;
	text-align:justify;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.P4, li.P4, div.P4
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:.8in;
	margin-bottom:.0001pt;
	text-align:justify;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.P5, li.P5, div.P5
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:1.0in;
	margin-bottom:.0001pt;
	text-align:justify;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.P6, li.P6, div.P6
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:1.2in;
	margin-bottom:.0001pt;
	text-align:justify;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.SI, li.SI, div.SI
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:3.5in;
	margin-bottom:.0001pt;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.SP, li.SP, div.SP
	{margin:0in;
	margin-bottom:.0001pt;
	text-align:justify;
	text-indent:.5in;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.TI, li.TI, div.TI
	{margin:0in;
	margin-bottom:.0001pt;
	text-align:center;
	punctuation-wrap:simple;
	text-autospace:none;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
p.arFindingBulletArrow, li.arFindingBulletArrow, =
div.arFindingBulletArrow
	{margin:0in;
	margin-bottom:.0001pt;
	line-height:110%;
	font-size:12.0pt;
	font-family:"Times New Roman";
	font-weight:bold;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 77.95pt 1.0in 77.95pt;}
div.Section1
	{page:Section1;}
 /* List Definitions */
 @list l0
	{mso-list-id:-2;
	mso-list-type:simple;
	mso-list-template-ids:828571184;}
@list l0:level1
	{mso-level-start-at:0;
	mso-level-text:*;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	margin-left:0in;
	text-indent:0in;}
@list l1
	{mso-list-id:401756688;
	mso-list-type:hybrid;
	mso-list-template-ids:-195761914 1393704884 67698691 67698693 67698689 =
67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
	{mso-level-number-format:bullet;
	mso-level-style-link:arFindingBullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	font-family:Symbol;}
@list l2
	{mso-list-id:1185244756;
	mso-list-type:hybrid;
	mso-list-template-ids:-665692160 491833814 67698691 67698693 67698689 =
67698691 67698693 67698689 67698691 67698693;}
@list l2:level1
	{mso-level-number-format:bullet;
	mso-level-style-link:arESBullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	font-family:Symbol;}
@list l0:level1 lfo1
	{mso-level-start-at:1;
	mso-level-number-format:bullet;
	mso-level-numbering:continue;
	mso-level-text:\F0B7;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	mso-level-legacy:yes;
	mso-level-legacy-indent:.25in;
	mso-level-legacy-space:0in;
	margin-left:.25in;
	text-indent:-.25in;
	font-family:"Courier New";}
ol
	{margin-bottom:0in;}
ul
	{margin-bottom:0in;}
-->
</style>

</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>I think it would be impossible or extremely =
difficult
for any individual or group of individuals to write a web application =
without
vulnerabilities just by their know ledge alone.&nbsp; When ever I audit =
a web
application, I test to see if the agency performs web application scans =
as part
of their development cycle (prior to moving a web application into
production).&nbsp; If they do not, I make a formal recommendation that =
they do.&nbsp;
The state of <st1:State w:st=3D"on"><st1:place =
w:st=3D"on">Maryland</st1:place></st1:State><st1:PersonName
w:st=3D"on">'</st1:PersonName>s Department of Budget and =
Management<st1:PersonName
w:st=3D"on">'</st1:PersonName>s Systems Development Life Cycle requires =
agencies
to scan applications for vulnerabilities (see excerpt below).&nbsp; =
<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>Al S.<o:p></o:p></span></font></b></p>

<div =
style=3D'mso-element:para-border-div;border:none;border-bottom:solid =
windowtext 1.0pt;
padding:0in 0in 1.0pt 0in'>

<p class=3DMsoPlainText style=3D'border:none;padding:0in'><b><font =
size=3D2
face=3D"Courier New"><span =
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

</div>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>Excerpt: Systems Development Life Cycle =
(SDLC) -
Volume 2, SDLC Phases, Dated July 2002 <o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>Source: Maryland Department of Budget and =
Management&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;=20
<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>INTEGRATION AND TEST PHASE =
<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>1.0 OBJECTIVE =
<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>The objective of this phase is to prove that =
the
developed system satisfies the requirements defined in the FRD. Another =
purpose
is to perform an integrated system test function as specified by the =
design
parameters. This function shall be the responsibility of the system =
testers and
will be heavily supported by the user participants. =
<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>Prerequisites of this phase are the FRD, =
project
management plan and schedule, system baseline software and documents, =
and a
test plan containing all test requirements and schedules. =
<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>Several types of tests will be conducted in =
this
phase. First, subsystem integration tests shall be executed and =
evaluated by
the development team to prove that the program components integrate =
properly
into the subsystems and that the subsystems integrate properly into an
application. Next, the testing team conducts and evaluates system tests =
to
ensure the developed system meets all technical requirements, including
performance requirements. Next, <span style=3D'background:yellow'>the =
testing
team and the Security Program Manager conduct security tests to validate =
that
the access and data security requirements are met.</span> Finally, users
participate in acceptance testing to confirm that the developed system =
meets
all user requirements as stated in the FRD. Acceptance testing shall be =
done in
a simulated &#8220;real&#8221; user environment with the users using =
simulated
or real target platforms and infrastructures. =
<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>2.3 Conduct Security Testing =
<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt;background:yellow'>The test and evaluation =
team will
again create or load the test database(s) and execute security =
(penetration) test(s).</span>
All tests will be documented, similar to those above. Failed components =
will be
migrated back to the development phase for rework, and passed components =
will
be migrated ahead for acceptance testing. <o:p></o:p></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>-----Original Message-----<br>
From: Dennis Hurst [mailto:dhurst@spidynamics.com] <br>
Sent: Monday, July 17, 2006 3:41 PM<br>
To: websecurity@webappsec.org<br>
Subject: RE: [WEB SECURITY] application attacks</span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>I<st1:PersonName =
w:st=3D"on">'</st1:PersonName>m new to
the list so please pardon if I<st1:PersonName =
w:st=3D"on">'</st1:PersonName>m
repeating something other<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>people have =
mentioned.<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>After being a developer for a long time and =
talking to
developers about<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>security every day it seems that we (security =
people)
miss a point very<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>often.&nbsp; Even in an ideal world where =
developers
knew what SQL Injection,<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>et al, are and know how to code against them =
you are
still going to have<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>issues.&nbsp; Web app security issues are =
frequently
just bugs that have a<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>security aspect.&nbsp; They are simple =
mistakes that
people make when they<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>get in a rush.&nbsp; I think this will always =
be the
case which is why<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>testing for security issues is =
critical.&nbsp; Just
like people test for<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>functional issues we need to test for =
security
issues.&nbsp; No one says<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>&quot;who<st1:PersonName =
w:st=3D"on">'</st1:PersonName>s
wrong?&quot; when they find a simple bug, they just know =
that<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>development is a bug prone process and know =
that the
process needs to<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>support stable software.&nbsp; It seems to me =
that
blame does not do any good<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>but improving the process of developing =
secure
software a huge value.<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>&nbsp;<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>Dennis Hurst<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>dhurst@spidynamics.com<o:p></o:p></span></font=
></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>Microsoft Developer Security - =
MVP<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>&nbsp;<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>&nbsp;<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>&nbsp;<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>-----Original =
Message-----<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>From: AF [mailto:newsalaksa@nxtg.net] =
<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>Sent: Monday, July 17, 2006 3:26 =
PM<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>To: =
websecurity@webappsec.org<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>Subject: Re: [WEB SECURITY] application =
attacks<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>Hi there!<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>I think the mistake is in this sentence: =
<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>&gt; Now, every developer knows how to
<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>&gt; protect their web applications against
application attacks such as SQL<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>&gt; Injection, XSS, HTTP smuggling, and
others. So
could someone give me<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>some<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>&gt;&nbsp; clear image about that. What's
wrong?<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>The question is &quot;Who's
wrong?&quot;<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>The answer is : You. : ) =
<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>That's a
fact: many web developers still don't
know how to implement<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>security <o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>principles. Many don't
even know security principles exist!<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>So when it comes to sql injection, xss, =
splitting,
applogic, and so<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>on... well... there's=
<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>still a lot of work ahead of us to do. This =
applies to
almost every<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>industry! <o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>Pentesting, for fun, but also teaching and =
spreading
the information<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>around us, <o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>as much as we can. That's
it. That's what we can
(have to?)
do.<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>@ntoine<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>----------------------------------------------=
--------------------------<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>----<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>The Web Security Mailing List: =
<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>http://www.webappsec.org/lists/websecurity/<o:=
p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'><o:p>&nbsp;</o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>The Web Security Mailing List Archives: =
<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>http://www.webappsec.org/lists/websecurity/arc=
hive/<o:p></o:p></span></font></b></p>

<p class=3DMsoPlainText><b><font size=3D2 face=3D"Courier New"><span
style=3D'font-size:10.0pt'>http://www.webappsec.org/rss/websecurity.rss =
[RSS
Feed]<o:p></o:p></span></font></b></p>


</div>

</body>

</html>

------_=_NextPart_001_01C6A9DA.EE3D26EC--



Brought to you by http://www.webappsec.org