Security: Difference between revisions

From ICO wiki
Jump to navigationJump to search
Line 62: Line 62:
===Wednesday - 27.03.13===
===Wednesday - 27.03.13===
Things what we did that day
Things what we did that day
* First thing
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Second thing
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)


Problems what we faced:
Problems what we faced:
* First problem
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.
* Second problem
 
Questions and answers from client:
* First Question
Answer to question
 
* Second Question
Answer to question


Things what we plan to do:
Things what we plan to do:
* First thing
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* Second thing
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.


===Thursday - 28.03.13===
===Thursday - 28.03.13===

Revision as of 19:55, 27 March 2013

Team page for Deploying IT Infrastructure Solutions.

Team Members

  • Sten Aus, Estonian Information Technology College
  • Matis Palm, Estonian Information Technology College
  • Sandra Suviste, Estonian Information Technology College
  • Markus Rintamäki, Vaasa University of Applied Sciences
  • Tomas Lepistö, Vaasa University of Applied Sciences
  • Mika Salmela, Vaasa University of Applied Sciences
  • Kęstutis Tautvydas, Vilnius University of Applied Sciences
  • Jurij Lukjančikov, Vilnius University of Applied Sciences

Goal

  • OWASP top 10
  • HACK DVWA
  • BackTrack, SamuraiCD (Last year experience)
  • Scanning and testing tools - Qualys SSL Labs
  • Acunetix Web Vulnerability Scanner v.8
  • SubGraph Vega
  • BEAST attack
  • RC4

Activity

Monday - 25.03.13

Things what we did that day

  • Lectures
  • Sumorobot programming
  • Dinner @ St Patricks

Tuesday - 26.03.13

Things what we did that day

  • Documentation!

A1 Injection - Sandra

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis

A4 Insecure Direct Object References - Markus

A5 Security Misconfiguration (was formerly A6)- Tomas

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij

A10 Unvalidated Redirects and Forwards - Sten


Problems what we faced:

  • Still need to get everyone a VM with DVWA running
  • Second problem

Things what we plan to do:

  • Copy Paste
  • Divide OWASP tasks

Wednesday - 27.03.13

Things what we did that day

  • Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
  • Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
  • We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
  • Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
  • Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

Problems what we faced:

  • As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

Things what we plan to do:

  • Estonian members are going to study last year's report and going to make a short overview to other members about it.
  • We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
  • We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
  • In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

Thursday - 28.03.13

Friday - 29.03.13

Saturday - 30.03.13

Sunday - 31.03.13

Monday - 01.04.13

NB! April fools' day! Beware!

Tuesday - 02.04.13

Wednesday - 03.04.13

Thursday - 04.04.13

Friday - 05.04.13

Saturday - 06.04.13

Departure! Bye bye!

Results

Summary of what we did and solution what we developed

Final documentation

Analysis

Solution

IP Feed-back

Sten Aus' feedback

Matis Palm's feedback

Sandra Suviste's feedback

Markus Rintamäki's feedback

Tomas Lepistö's feedback

Mika Salmela's feedback

Kęstutis Tautvydas's feedback

Jurij Lukjančikov's feedback