BOSTON -- Two application security experts are working on a way to improve the testing of Web applications by incorporating application data flow maps and other information typically used by software quality assurance testers.
Rafal Los and Matt Wood of Hewlett-Packard Co.'s Web Security Research Group presented a set of new testing processes Wednesday at SOURCE Boston 2010. They said the new processes they proposed are currently far too complicated to implement, but will eventually be incorporated in an automated tool.
"We're trying to take the human element and move it more into the scanners," Wood said.
For far too long, penetration testers hunting for vulnerabilities in Web applications have been losing ground.
"Security analyst tools today aren't equipped properly to test highly complex applications," Los said. "The more complex Web apps get, the less effective automation becomes unless we do something. This is that something."
The two researchers developed what they call an execution-flow-based approach to application security testing. They use data from QA testers to fully map the Web application's attack surface, in order to understand how the application functions and, more importantly, how data flows through it. Once security testers have that data, they can quickly drill down into a particular area and identify the vulnerabilities that pose the most risk, Los said.
"QA teams generally know the app; they test for known stuff that is supposed to be there," Los said. "They can tell you that they covered the entire application -- all the functionality."
The researchers call their processes a radical testing methodology in which data requirements and functional paths are used to create an execution-flow diagram that captures the key business logic of an application. The process results in function-based automated testing. The technique helps testers identify actions that change the application's document flow, as well as actions that could change the state of the application. Indirect flows (external data that can modify the document state) are also incorporated.
For example, on a payment page, "when a user selects American Express or Visa a QA guy will know the user's selection results in a different action within the application," Wood said. "The scanners are not going to know." Since a scanner can only identify errors in a small portion of the attack surface, feeding it application flow data could help "smarten" the Web application scanner and improve the overall test.
Using flow-based threat analysis, pen testers can determine that two vulnerabilities in an area of an app that handles credit cards should take a higher priority than vulnerabilities in a product-viewing area. The processes could also help boost the credibility of security testers, the researchers said. Security teams are typically given an application to test in a very short time frame.
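To make the execution-flow diagram and the flow-based prioritization concrete, here is a small added illustration in Python. It is not the researchers' tool or HP's code: the application map (a checkout flow with a Visa and an American Express branch), the data-sensitivity weights, the depth-decay scoring rule and the sample findings are all constructed for this example, and the scoring formula is one plausible way to rank findings, not the method the talk described.

```python
"""Toy execution-flow model for flow-based prioritization of findings.

Constructed example (not the researchers' tool): nodes are application
functions or pages, edges are the transitions a QA tester knows about,
and each node records which classes of data it handles and whether it
mutates server-side state.
"""
from collections import deque

# Constructed execution-flow diagram of a small shop. The two payment
# branches model the "Visa vs. American Express" divergence a scanner
# would not discover on its own.
APP_FLOW = {
    "catalog":      {"data": {"public"},         "changes_state": False,
                     "next": ["product_view", "cart"]},
    "product_view": {"data": {"public"},         "changes_state": False,
                     "next": ["cart"]},
    "cart":         {"data": {"session"},        "changes_state": True,
                     "next": ["checkout"]},
    "checkout":     {"data": {"session", "pii"}, "changes_state": True,
                     "next": ["payment_visa", "payment_amex"]},
    "payment_visa": {"data": {"credit_card"},    "changes_state": True,
                     "next": ["confirmation"]},
    "payment_amex": {"data": {"credit_card"},    "changes_state": True,
                     "next": ["confirmation"]},
    "confirmation": {"data": {"session"},        "changes_state": False,
                     "next": []},
}

# Assumed sensitivity weights per data class (constructed, not from the talk).
DATA_WEIGHT = {"public": 1, "session": 3, "pii": 5, "credit_card": 10}
STATE_CHANGE_BONUS = 2  # assumed extra weight for state-mutating actions


def downstream_depths(flow, start):
    """Breadth-first walk of the execution flow from `start`.

    Returns {node: depth}, where depth is the number of transitions from
    `start`; `start` itself has depth 0.
    """
    depths = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in flow[node]["next"]:
            if nxt not in depths:
                depths[nxt] = depths[node] + 1
                queue.append(nxt)
    return depths


def exposure(flow, node):
    """Score a node by the most sensitive data reachable from it.

    Assumed rule: a data class handled `d` transitions downstream counts
    weight / (1 + d), so a flaw in product viewing that is three hops from
    card handling scores far lower than a flaw on the payment page itself.
    Actions that change application state get a fixed bonus.
    """
    score = 0.0
    for reached, depth in downstream_depths(flow, node).items():
        for data_class in flow[reached]["data"]:
            score = max(score, DATA_WEIGHT[data_class] / (1 + depth))
    if flow[node]["changes_state"]:
        score += STATE_CHANGE_BONUS
    return score


def prioritize(flow, findings):
    """Rank (node, finding_label) pairs by exposure, highest first.

    Ties are broken by node name and label so the order is deterministic.
    """
    scored = [(exposure(flow, node), node, label) for node, label in findings]
    return sorted(scored, key=lambda t: (-t[0], t[1], t[2]))


# Constructed sample findings, as a scanner might report them without any
# knowledge of which part of the flow each one sits in.
SAMPLE_FINDINGS = [
    ("product_view", "reflected XSS"),
    ("payment_visa", "SQL injection"),
    ("payment_amex", "parameter tampering"),
    ("cart", "CSRF"),
]

if __name__ == "__main__":
    for score, node, label in prioritize(APP_FLOW, SAMPLE_FINDINGS):
        print(f"{score:5.2f}  {node:13s}  {label}")
```

Run stand-alone, the script lists the two payment-branch findings first, the cart finding next and the product-view finding last, which is the ordering the article describes: the same scanner output, re-ranked once the tester knows where each finding sits in the execution flow and what data passes through that point.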
"If you have 24 hours and 2.5 million lines to functionally test, how are you going to get that done?" Los asked.