
Securing WebApps – A Survey of Vulnerabilities & Static Analysis Tools


Presentation on theme: "Securing WebApps – A Survey of Vulnerabilities & Static Analysis Tools"— Presentation transcript:

1 Securing WebApps – A Survey of Vulnerabilities & Static Analysis Tools
Lewis Sykalski, SMU D.E. Software Engineering Student, Lockheed Martin - Flight Simulation Engineer

2 OWASP 2013 Candidate List
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Known Vulnerable Components
A10 – Unvalidated Redirects and Forwards

3 Injection

4 Cross-Site Scripting

5 CSRF

6 Insecure Direct Object Reference

7 What is Static Analysis?
Static program analysis is an analysis method that determines whether vulnerabilities exist by examining the code in a non-dynamic (not running) state. Usually the source code is analyzed, though some tools can analyze object code. The most successful tools are those that analyze the whole program in relation to a given line of code, rather than analyzing a single line at a time in isolation from the rest of the program.

8 Dynamic Analysis?
Dynamic analysis is analysis of the software while the web app is running. It can be performed either as white-box testing, where everything about the application is known, or as black-box testing, where nothing or very little is known.

9 Open Source Options
LAPSE+ [2] | License: GNU GPL | Type: Eclipse plugin | Languages: Java | Features: Variable traceback; good for analysis of injection & cross-site scripting
FindBugs 2.0 [3] | License: GNU LGPL | Features: Good for general-purpose bugs, slick interface, security-specific detection under-developed
Orizon [9] | Type: Standalone, text-based | Languages: Java, PHP, C, JSP | Features: Report-based scheme, under-developed, lacking a nice UI, some security detection
SWAAT [8] | License: Custom license | Type: Standalone, HTML report-based | Languages: Java, C# | Features: Nice report-based detection; .NET package out of date; tool not maintained; does not necessarily focus on security problems
PMD [5] | License: BSD | Languages: Java, JavaScript, XML, XSL | Features: Generic code quality tool, high-quality user interface, extensible to other security-specific rule-sets

10 Open Source Options (cont.)
FxCop [4] | License: Open source, MS-PL | Type: VS plugin | Languages: .NET | Features: Security-specific static analysis, UI built into Visual Studio
RIPS [7] | License: Open source, GPL | Type: Standalone | Languages: PHP | Features: Professional user interface, security-specific analysis
FlawFinder [19] | Type: Text-based | Languages: C++ | Features: Security-specific analysis (injections, overflows, etc.), dangerous-function analysis
PreFast [20] | Features: General static analysis
BrakeMan [21] | License: MIT | Languages: Ruby | Features: Strong following

11 LAPSE+
OWASP LAPSE+ is a Java plug-in which integrates tightly with the Eclipse IDE (Helios or later, JRE 1.6 or later). It is useful for detecting and subsequently analyzing security vulnerabilities due to untrusted data injection in Java web apps. It operates on the concept of sources and sinks: the source is the point where untrusted data enters the application (e.g. a cookie or HTTP parameters) and the sink is the point where that data is used to manipulate the behavior of the application (e.g. the servlet response or an HTML page).
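To make the source/sink idea concrete, here is an added example (not LAPSE+ code) of the simplest form of the analysis such a tool performs: forward taint propagation over straight-line Java servlet statements. The Java snippet, the source/sink/sanitizer tables and the `ESAPI` encoder call are all constructed for the example; the sink reached by unsanitized request data is the one a tool like LAPSE+ would report.

```python
import re

# Constructed Java servlet snippet (not from the presentation): a request
# parameter (source) reaches the servlet writer (sink), once through a
# concatenation with no encoding, and once through an HTML encoder.
JAVA_SNIPPET = """
String name = request.getParameter("name");
String greeting = "Hello, " + name;
String safe = ESAPI.encoder().encodeForHTML(name);
out.println(greeting);
out.println(safe);
out.println("static text");
"""

SOURCES = ("request.getParameter", "request.getHeader", "request.getCookies")
SINKS = ("out.println", "out.print", "out.write")
SANITIZERS = ("encodeForHTML", "encodeForSQL")

ASSIGN = re.compile(r'^(?:\w+\s+)?(\w+)\s*=\s*(.+);$')   # [Type] var = rhs;
SINK_CALL = re.compile(r'^(\S+?)\((.*)\);$')             # callee(args);

def find_tainted_sinks(java_source):
    """Propagate taint from sources through assignments to sinks.
    Returns (line_no, sink, variable) for every sink argument that is
    still tainted. Simplification: one statement per line, no branches,
    and a sanitizer call anywhere on the right-hand side clears taint."""
    tainted = set()
    findings = []
    for n, raw in enumerate(java_source.strip().splitlines(), 1):
        line = raw.strip()
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            if any(rhs.startswith(src) for src in SOURCES):
                tainted.add(var)                      # untrusted data enters
            elif any(s in rhs for s in SANITIZERS):
                tainted.discard(var)                  # encoded before use
            elif any(re.search(r'\b%s\b' % re.escape(t), rhs) for t in tainted):
                tainted.add(var)                      # taint flows through
            else:
                tainted.discard(var)
            continue
        m = SINK_CALL.match(line)
        if m and m.group(1) in SINKS:
            for t in sorted(tainted):
                if re.search(r'\b%s\b' % re.escape(t), m.group(2)):
                    findings.append((n, m.group(1), t))
    return findings
```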

12 LAPSE+

13 FindBugs
FindBugs is a program which uses static analysis to look for bugs in Java code. It is relatively easy to install and purports to find all types of bugs. Its user interface lets one filter among the bug categories found, and includes a bug review panel which describes each bug in detail with resolution measures, and a Bug Info panel which shows a detailed stack trace and description.

14 FindBugs

15 Orizon
OWASP Orizon allows one to perform a security code review over your code, making sure it fits the recommendations contained in the OWASP Build Guide and the OWASP Code Review Guide. It is a standalone console-based tool with its own shell engine. It provides commands which, when executed, model the code, crawl through all traces, and then generate a report for viewing.

16 Orizon

17 PMD
PMD is a static analysis tool for Java source code. It identifies possible bugs, dead code, suboptimal code, high cyclomatic complexity, and duplicate code. Its extensible rule-set capability lets one create custom rules. It supports a vulnerability view where the aforementioned problems are displayed, and a Copy-Paste Detector (CPD) view, where one can view copy-pasted code (code that should likely be consolidated into a single logical block).
GDS PMD Secure Coding Ruleset

18 PMD

19 PMD

20 PMD

21 FlawFinder
Flawfinder is a tool that works on C++ source code. It is console-based and specifically targets security vulnerabilities. It works by using a built-in database of C/C++ functions with well-documented security problems, such as “buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random())”. [19]

22 FlawFinder

23 RIPS
RIPS is written in PHP, specifically to find vulnerabilities in PHP code. It can create a program model of the source code and can detect vulnerable functions (sinks) that can be reached by malicious user input. Additionally, an audit framework is provided for further analysis in an IDE-style visual user interface. It claims to detect XSS, SQL Injection, LFI/RFI, and RCE vulnerabilities.

24 RIPS

25 Commercial Tools
Fortify [10] | License: Commercial | Type: Standalone | Languages: 20 different languages | Features: Professional user interface, security-specific detection/focus
Coverity [16] | Languages: C++, Java, C# | Features: Security-specific detection/focus
Insight [17] | Type: IDE & static code analyzer | Features: Generic quality detection/focus
Parasoft [18] | Languages: C++, Java, .NET | Features: Security-specific detection/focus
Veracode [14] | Features: Professional user interface, security-specific detection/focus
IBM Security AppScan [15] | Languages: C++, Java, C#, Objective C | Features: Professional user interface, centralized security scanning, data consolidation
Checkmarx [13] | Languages: 15 languages
CodeSecure [12] | Languages: 10 languages
CodeSonar [11] | Type: Standalone | Languages: Java, C++ | Features: General defect detection, some security-specific & threading checks

26 References
1. OWASP Top-10: https://www.owasp.org/index.php/Top_10_2013-Top_10
2. LAPSE+: wasp/LapsePlus_Tutorial.pdf
3. FindBugs: /
4. FxCop: us/library/bb429476(VS.80).aspx
5. PMD:
6. RATS: elements/threat-intelligence/rats.html
7. RIPS: scanner.sourceforge.net/
8. SWAAT: hp/Category:OWASP_SWAAT_Project
9. Orizon: p/Category:OWASP_Orizon_Project
10. HP Fortify: ware-solutions/software.html?compURI= #.UXvVjxzREQc
11. CodeSonar: odesonar

27 References (cont.)
12. Armorize CodeSecure: http://www.armorize.com/codesecure/
13. CheckMarx: hnology/static-code-analysis-sca/
14. Veracode:
15. IBM Security AppScan: ibm.com/software/rational/products/appscan/source/
16. Coverity: cts/static-analysis.html
17. Klocwork Insight: ucts/insight.asp
18. Parasoft Static Analysis: pabilities/static_analysis.jsp?itemId=547
19. FlawFinder: nder/
20. PreFast: us/library/ms aspx
21. BrakeMan:
22. PMD GDS Ruleset: y/GDSPMDSECRULES
23. PMD Rulesets: d/rules/index.html#Security_Code_Guidelines

