    #15762
    @konsty

    Hello folks,

    I am new here and a total newbie at security testing. 🙂 Currently, I do an internship in a company that offers an EDI software. My task is to evaluate some Application Security frameworks and run the EDI software on it. Lately, I did some research to understand the techniques like SAST, DAST and IAST but still, I think there are difficulties to test an EDI software with it, or maybe not? Like I said, totally new in this scene.

    I thought you guys could help me to go in the right direction with my research. Is it possible to test an EDI software with those frameworks and actually see vulnerabilities? Are there any hacking approaches known to how an EDI software can actually be hacked?

    Please forgive my bad English.

    Konstantin

    #15856
    @ronan

    Good question. I am not too sure about that one but @declan-oriordan and @danielbilling might be able to answer that one for you.

    #15915
    @kasper

    Since the resident experts stay quiet I will try my best to answer, but the question is stated in very broad terms and so the answer will also be very generic. Sorry about that, but for more specific answers I will need more specific questions.

    SAST, DAST, IAST and RASP can all be used against EDI software, given enough access to the source code. DAST can be done in a complete black box scenario, but the other techniques all need at least some access to the source code.

    EDI software is not more or less difficult to test than any other software. But EDI relies extensively on the correct delivery of documents.
    This means that any hole in a transport mechanism, translator, or any other element that influences your data flow is immediately critical.
    This is what makes security testing for EDI difficult. You need to have an incredible amount of domain, tool and general technical knowledge to pull this off.
    There have been successful attacks against EDI software. Of course social engineering ranks high, but also attacks against the underlying technology and transport layers can and will be performed.

    I hope this helps a little and maybe one of the resident gurus can chime in?

    Kasper
    (CEH, ECSA, LPT)

    #15923
    @konsty

    Hello 🙂

    Thank you, Ronan, for responding here 🙂 and thank you, Kasper, for your detailed answer even when my question was not clear. It helps me a lot to understand the situation.

    Well, the internship takes only 6 months so there is no time for me to get an incredible amount of knowledge. 🙁 I assumed to concentrate on the OWASP Top 10. A more experienced security guy is needed for any deeper analysis.

    Lately, I did some tests with OWASP ZED. It was not really satisfying or maybe it was 😛 it hasn’t found any critical vulnerability. I think most of the system was out of scope! I also used Netsparker which has found critical vulnerabilities but since it was a trial version it hasn’t shown much about it. The next step is AppScan Standard, Contrast Security and Synopsys Seeker; since those are good IAST frameworks I want to concentrate on them, and because the company’s requirements are IAST approaches.

    The EDI application uses instances like Karaf, Cassandra, and MySQL and it has a web interface through which you can model electronic processes on the fly (simplest explanation; I don’t know how deep I can go on this here).

    Sincerely yours

    Konstantin

    #15925
    @konsty

    Sorry, could not find the edit button.

    I forgot to mention that the EDI software, in this case, is a business integration cluster.
