Security Scanning – OWASP Education – Nishi Kumar – Computer based training

Presentation transcript:

Security Scanning. OWASP Education, Computer based training. Nishi Kumar, IT Architect Specialist; Chair, Software Security Forum, FIS; OWASP CBT Project Lead; OWASP Global Industry Committee; Nishi.Kumar@owasp.org. Contributor and Reviewer: Keith Turpin.

Objectives: understand the different offerings available to find vulnerabilities; learn the pros and cons of those offerings; know about some open source and commercial scanning tools.

Industry Application Security Offerings. Automated: dynamic web application interface scanning; static code scanning; web application firewalls; intrusion prevention systems (IPS). Manual: application penetration test; code review. An intrusion prevention system (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. A network-based IPS, for example, operates in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology.

Automated vs. Manual: Advantages. Advantages of automated solutions: low incremental cost; minimal training; potentially 24/7 protection. Advantages of manual solutions: no false positives; guaranteed code coverage; ability to identify complex vulnerabilities; understanding of business logic; acts like a determined attacker; can combine vulnerabilities.

What Automated Solutions Miss. Theoretical: logic flaws (business and application); design flaws. Practical: difficulty interacting with Rich Internet Applications; complex variants of common attacks (SQL injection, XSS, etc.); Cross-Site Request Forgery (CSRF); uncommon or custom infrastructure; abstract information leakage.

Conducting the Assessment. If you are using automated scanning tools, beware of false positives and negatives: pattern recognition has limitations. Combine various testing methods: automated scanning, code review, manual testing. Learn what tools do and do not do well. Validate every finding. Keep detailed notes.
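The "validate every finding" advice above in code, as an added illustration written for this page (not code from the presentation or from any scanner it names). A signature-based scanner flags a response that contains a known database error string; the validation step compares the probe response with a baseline response for the same endpoint, so a string that is simply part of the page (a FAQ that quotes the error message) is recognised as a false positive, while an endpoint that shows no signature at all is marked as needing manual testing rather than being reported as safe. The endpoints, responses and signature list are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Signatures a naive dynamic scanner might use to decide that a probe
# triggered a database error. Illustrative patterns, not a complete list.
SQL_ERROR_SIGNATURES = [
    re.compile(r"You have an error in your SQL syntax", re.IGNORECASE),
    re.compile(r"Unclosed quotation mark after the character string", re.IGNORECASE),
    re.compile(r"\bORA-\d{5}\b"),
]


@dataclass
class Finding:
    endpoint: str
    signature: str
    verdict: str  # "confirmed" or "false_positive"


def matched_signatures(body: str) -> set[str]:
    """Return the patterns that match anywhere in a response body."""
    return {p.pattern for p in SQL_ERROR_SIGNATURES if p.search(body)}


def validate(endpoint: str, baseline_body: str, probe_body: str) -> Optional[Finding]:
    """Raw scanner logic: any signature in the probe response is a hit.
    Validation step: a signature that also appears in the baseline response
    (same endpoint, ordinary input) is static page content, not an error the
    probe induced, so the hit is a false positive."""
    probe_hits = matched_signatures(probe_body)
    if not probe_hits:
        return None  # scanner is silent; this says nothing about safety
    induced = probe_hits - matched_signatures(baseline_body)
    if induced:
        return Finding(endpoint, min(induced), "confirmed")
    return Finding(endpoint, min(probe_hits), "false_positive")


# Constructed sample traffic (not real application output): for each endpoint,
# the body returned for ordinary input and the body returned for a probe.
SAMPLE_RESPONSES = {
    "/search": (
        "<p>3 results for 'lamp'</p>",
        "Warning: mysql_query(): You have an error in your SQL syntax near ''' at line 1",
    ),
    "/faq": (
        "<p>If you see 'You have an error in your SQL syntax', check the query.</p>",
        "<p>If you see 'You have an error in your SQL syntax', check the query.</p>",
    ),
    "/login": (
        "<p>0 results found.</p>",
        "<p>0 results found.</p>",
    ),
}


def triage(responses: dict) -> dict:
    """Map each endpoint to a verdict; 'no_signature' marks endpoints the
    signature scanner cannot judge and that need manual testing."""
    verdicts = {}
    for endpoint, (baseline, probe) in responses.items():
        finding = validate(endpoint, baseline, probe)
        verdicts[endpoint] = finding.verdict if finding else "no_signature"
    return verdicts


if __name__ == "__main__":
    for endpoint, verdict in triage(SAMPLE_RESPONSES).items():
        print(f"{endpoint:10s} {verdict}")
```

The "no_signature" verdict is the important one for the slide's point about false negatives: a scanner that reports nothing for /login has not shown the endpoint to be safe, it has only shown that its patterns did not fire, which is why the slide pairs automated scanning with code review and manual testing.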

Commercial Dynamic Scanning Tools: Web Inspect – by HP; Rational AppScan – by IBM; Acunetix WVS – by Acunetix; Hailstorm – by Cenzic; NTOSpider – by NT OBJECTives.

Open Source and Low Cost Scanners: W3af – http://w3af.sourceforge.net/ ; Burp Suite – http://portswigger.net/ ; Grendel Scan – http://grendel-scan.com/ ; Wapiti – http://wapiti.sourceforge.net/ ; Arachni – http://zapotek.github.com/arachni/ ; Skipfish – http://code.google.com/p/skipfish/ ; Paros – http://www.parosproxy.org/ (free version no longer maintained).

Code Scanning Tools: Fortify – by HP; Rational AppScan Source Edition – by IBM; Coverity Static Analysis – by Coverity; CxSuite – by Checkmarx; Yasca – by OWASP; Veracode binary analysis – by Veracode (Veracode uses a different methodology than other scanners). C and C++ code scanning tools: http://www.cigital.com/its4/ ; http://www.dwheeler.com/flawfinder/

Client Side Web Proxies: Paros – http://www.parosproxy.org/ (free version no longer maintained); Burp Suite – http://portswigger.net/ ; WebScarab NG – https://www.owasp.org/index.php/OWASP_WebScarab_NG_Project ; Charles Proxy – www.charlesproxy.com/. Browser plugins: Internet Explorer: Fiddler; Firefox: Tamper Data.

Paros Proxy. Paros Proxy is a security scanning tool. Through Paros's proxy, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.
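What an intercepting proxy such as Paros does to a request between browser and server, shown as an added example written for this page (not Paros code and not from the presentation): the raw request is parsed, a cookie value and a form field are changed, and the request is re-serialized with a recomputed Content-Length, which is the detail a hand-edited request most often gets wrong. The request, host name, cookie names and form fields are constructed for the example. The defender's lesson is the one the slide implies: anything that arrives in a cookie or form field was under the client's control and must be validated and authorized on the server.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample request (not captured from any real application).
SAMPLE_REQUEST = (
    b"POST /account/update HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Cookie: session=abc123; theme=dark\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
    b"display_name=Nishi&tz=UTC"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into request line, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def get_header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None


def set_header(headers, name, value):
    """Replace an existing header in place, or append it."""
    for i, (key, _) in enumerate(headers):
        if key.lower() == name.lower():
            headers[i] = (key, value)
            return
    headers.append((name, value))


def rewrite_request(raw: bytes, cookie_overrides=None, form_overrides=None) -> bytes:
    """Apply edits to the Cookie header and/or the urlencoded form body,
    then re-serialize with a Content-Length that matches the new body."""
    request_line, headers, body = parse_request(raw)

    if cookie_overrides:
        jar = {}
        for part in (get_header(headers, "Cookie") or "").split(";"):
            if "=" in part:
                k, v = part.strip().split("=", 1)
                jar[k] = v
        jar.update(cookie_overrides)
        set_header(headers, "Cookie", "; ".join(f"{k}={v}" for k, v in jar.items()))

    if form_overrides:
        ctype = get_header(headers, "Content-Type") or ""
        if not ctype.startswith("application/x-www-form-urlencoded"):
            raise ValueError("form edits only apply to urlencoded bodies")
        fields = dict(parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True))
        fields.update(form_overrides)
        body = urlencode(fields).encode("iso-8859-1")
        set_header(headers, "Content-Length", str(len(body)))

    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


if __name__ == "__main__":
    edited = rewrite_request(
        SAMPLE_REQUEST,
        cookie_overrides={"theme": "light"},
        form_overrides={"tz": "Europe/London"},
    )
    print(edited.decode("iso-8859-1"))
```

The example only handles application/x-www-form-urlencoded bodies and raises on anything else; a real proxy also has to deal with multipart and JSON bodies, chunked encoding, and TLS termination for the HTTPS case the slide mentions.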

Paros Proxy- Interface

Paros Proxy- Options Dialog

Paros Proxy- Reporting

W3af – Web Application Attack and Audit Framework, by OWASP.

W3af - Web application attack and audit framework

W3af - Web application attack and audit framework

W3af - Exploit

Commercial Scanning Tool: IBM Rational App Scan.

IBM Rational App Scan – Interface (Online Risk Mitigation and Compliance Solutions)

Scan Configuration – URL and server

Scan Configuration – Login Management

Scan Configuration – Test Policy

Scan Configuration – Complete

Reporting Industry Standard

Reporting Industry Standard

Commercial Scanning Tool: Web Inspect.

Scan mode

Audit Policy

Requester Thread

HTTP Parsing

Report Type

Summary. Over 90% of ecommerce PCI breaches are from application flaws. Application security is not a percentage game: one missed flaw is all it takes. Vulnerabilities can come from more than one avenue: acquisitions; old or dead code; third-party libraries.