March 21, 2017 at 10:01 am #15762
I am new here and a total newbie at security testing. 🙂 Currently, I am doing an internship at a company that offers EDI software. My task is to evaluate some application security frameworks and run the EDI software on them. Lately, I did some research to understand techniques like SAST, DAST and IAST, but I still think there are difficulties in testing EDI software with them, or maybe not? Like I said, I am totally new to this scene.
I thought you guys could help me go in the right direction with my research. Is it possible to test EDI software with those frameworks and actually see vulnerabilities? Are there any known hacking approaches for how EDI software can actually be hacked?
Please forgive my bad English.
Konstantin
March 30, 2017 at 9:08 am #15856
April 5, 2017 at 12:55 pm #15915 @kasper
Since the resident experts stay quiet, I will try my best to answer, but the question is stated in very broad terms, so the answer will also be very generic. Sorry about that, but for more specific answers I will need more specific questions.
SAST, DAST, IAST and RASP can all be used against EDI software, given enough access to the source code. DAST can be done in a complete black box scenario, but the other techniques all need at least some access to the source code.
EDI software is not more or less difficult to test than any other software. But EDI relies extensively on the correct delivery of documents.
This means that any hole in a transport mechanism, translator, or any other element that influences your data flow is immediately critical.
This is what makes security testing for EDI difficult. You need to have an incredible amount of domain, tool and general technical knowledge to pull this off.
There have been successful attacks against EDI software. Of course social engineering ranks high, but also attacks against the underlying technology and transport layers can and will be performed.
I hope this helps a little, and maybe one of the resident gurus can chime in?
(CEH, ECSA, LPT)
April 6, 2017 at 3:28 pm #15923
Thank you, Ronan, for responding here 🙂 and thank you, Kasper, for your detailed answer even though my question was not clear. It helps me a lot to understand the situation.
Well, the internship only takes 6 months, so there is no time for me to gain an incredible amount of knowledge. 🙁 I assumed I should concentrate on the OWASP Top 10. A more experienced security person is needed for any deeper analysis.
Lately, I did some tests with OWASP ZAP. It was not really satisfying, or maybe it was 😛 it didn't find any critical vulnerability. I think most of the system was out of scope! I also used Netsparker, which found critical vulnerabilities, but since it was a trial version it didn't show much about them. The next step is AppScan Standard, Contrast Security and Synopsys Seeker; since those are good IAST frameworks I want to concentrate on them, and because the company's requirements are IAST approaches.
The EDI application uses instances like Karaf, Cassandra and MySQL, and it has a web interface through which you can model electronic processes on the fly. (Simplest explanation; I don't know how deep I can go on this here.)
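Kasper's point above, that any hole in a transport mechanism or translator is immediately critical because EDI depends on correct delivery of documents, can be made concrete with a translator-side structural check. The following is an added example written for this thread; it is not code from the original posts, from the poster's EDI product, or from any of the scanners named. It assumes UN/EDIFACT syntax (UNA/UNB/UNH/UNT/UNZ service segments), treats line breaks between segments as formatting rather than data, and verifies that the UNH/UNT and UNB/UNZ references and counts agree. The ORDERS sample is constructed. An interchange in which segments were spliced in but the trailers were left untouched is flagged, which is exactly the kind of malformed input a black-box DAST run or a fuzzer should be feeding a translator; a translator that silently accepts it will process data the sender never signed off on.

```python
"""Envelope consistency checks for an inbound UN/EDIFACT interchange.

Hypothetical example written for this thread; not code from any EDI product.
Assumes EDIFACT service segments UNA/UNB/UNH/UNT/UNZ (no UNG groups) and
treats CR/LF between segments as formatting, not data.
"""

DEFAULT_SEPS = {"comp": ":", "elem": "+", "release": "?", "term": "'"}


def read_una(raw: str):
    """UNA is a fixed 9-char service string advice: 'UNA' + component sep,
    element sep, decimal mark, release char, reserved, segment terminator.
    Returns (separators, body without the UNA)."""
    if raw.startswith("UNA") and len(raw) >= 9:
        seps = {"comp": raw[3], "elem": raw[4], "release": raw[6], "term": raw[8]}
        return seps, raw[9:]
    return dict(DEFAULT_SEPS), raw


def tokenize(raw: str):
    """Split an interchange into segments -> elements -> components, honouring
    the release character so an escaped separator stays literal data."""
    seps, body = read_una(raw)
    segments, seg, elem, comp = [], [], [], []
    i = 0
    while i < len(body):
        c = body[i]
        if c == seps["release"]:
            if i + 1 >= len(body):
                raise ValueError("dangling release character")
            comp.append(body[i + 1])  # next char is data, whatever it is
            i += 2
            continue
        if c == seps["comp"]:
            elem.append("".join(comp)); comp = []
        elif c == seps["elem"]:
            elem.append("".join(comp)); comp = []
            seg.append(elem); elem = []
        elif c == seps["term"]:
            elem.append("".join(comp)); comp = []
            seg.append(elem); elem = []
            segments.append(seg); seg = []
        elif c in "\r\n":
            pass  # assumption: line breaks are formatting only
        else:
            comp.append(c)
        i += 1
    if comp or elem or seg:
        raise ValueError("data after the last segment terminator")
    return segments


def tag(seg):
    return seg[0][0]


def first(seg, idx):
    """First component of element idx, or '' when the element is absent."""
    return seg[idx][0] if len(seg) > idx else ""


def validate_interchange(raw: str):
    """Return a list of findings; an empty list means the envelope is consistent."""
    findings = []
    try:
        segs = tokenize(raw)
    except ValueError as e:
        return [f"syntax: {e}"]
    if not segs or tag(segs[0]) != "UNB":
        return ["envelope: interchange does not start with UNB"]
    if tag(segs[-1]) != "UNZ":
        return ["envelope: interchange does not end with UNZ"]
    unb, unz = segs[0], segs[-1]

    messages = 0
    current = None  # [UNH reference, segments seen so far] while inside a message
    for seg in segs[1:-1]:
        t = tag(seg)
        if t == "UNH":
            if current is not None:
                findings.append(f"UNH {first(seg, 1)}: nested message, UNT missing for {current[0]}")
            current = [first(seg, 1), 1]
        elif current is None:
            findings.append(f"{t}: segment outside any UNH/UNT message")
        elif t == "UNT":
            current[1] += 1  # UNT counts itself and the UNH
            ref, count = current
            if first(seg, 2) != ref:
                findings.append(f"UNT: message reference {first(seg, 2)!r} != UNH {ref!r}")
            if first(seg, 1) != str(count):
                findings.append(f"UNT: declared {first(seg, 1)} segments, found {count}")
            messages += 1
            current = None
        else:
            current[1] += 1
    if current is not None:
        findings.append(f"UNH {current[0]}: message not closed by UNT")
    # UNB element 5 and UNZ element 2 carry the interchange control reference.
    if first(unz, 2) != first(unb, 5):
        findings.append(f"UNZ: interchange reference {first(unz, 2)!r} != UNB {first(unb, 5)!r}")
    if first(unz, 1) != str(messages):
        findings.append(f"UNZ: declared {first(unz, 1)} messages, found {messages}")
    return findings


# Constructed sample: a small ORDERS message, not real trading-partner data.
GOOD = (
    "UNA:+.? '\n"
    "UNB+UNOA:2+SENDER:ZZ+RECEIVER:ZZ+170405:1255+REF00001'\n"
    "UNH+MSG1+ORDERS:D:96A:UN'\n"
    "BGM+220+PO123+9'\n"
    "DTM+137:20170405:102'\n"
    "NAD+BY+++Buyer Co'\n"
    "NAD+SU+++Supplier Co'\n"
    "LIN+1++ITEM1:BP'\n"
    "QTY+21:10'\n"
    "FTX+AAI+++Ring bell ?+ wait'\n"  # released '+' must not split the text
    "UNS+S'\n"
    "UNT+10+MSG1'\n"
    "UNZ+1+REF00001'\n"
)
# Two segments spliced into the message body, trailers left untouched.
TAMPERED = GOOD.replace("UNS+S'", "LIN+2++ITEM2:BP'\nQTY+21:999'\nUNS+S'")
# Interchange trailer that does not belong to this header.
WRONG_REF = GOOD.replace("UNZ+1+REF00001'", "UNZ+1+REF00002'")

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("tampered", TAMPERED), ("wrong_ref", WRONG_REF)):
        print(name, validate_interchange(doc) or "ok")
```

The check is deliberately narrow: it says nothing about whether the business content is plausible, only whether the envelope the sender built is the envelope the translator received. Running the same three inputs through the product's own translator and comparing what it accepts is a quick way to tell whether the "any hole in the translator" concern applies before spending time on the IAST tooling.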