Presentation is loading. Please wait.

Presentation is loading. Please wait.

The OWASP Foundation OWASP NoVA October 4 th 2012 Benchmarking Web Application Scanners for YOUR Organization Dan Cornell Founder.

Published byMadeline Mills Modified over 10 years ago

Similar presentations

Presentation on theme: "The OWASP Foundation OWASP NoVA October 4 th 2012 Benchmarking Web Application Scanners for YOUR Organization Dan Cornell Founder."— Presentation transcript:

1 The OWASP Foundation http://www.owasp.org OWASP NoVA October 4 th 2012 Benchmarking Web Application Scanners for YOUR Organization Dan Cornell Founder and CTO, Denim Group OWASP San Antonio Chapter OWASP Global Membership Committee dan@denimgroup.com Twitter: @danielcornell@danielcornell

2 The OWASP Foundation http://www.owasp.org 2 My Background Dan Cornell, founder and CTO of Denim Group Software developer by background (Java,.NET, etc) OWASP San Antonio, Global Membership Committee

3 The OWASP Foundation http://www.owasp.org What Do You Want From a Scanner? Coverage Low False Positives Low False Negatives 3

4 The OWASP Foundation http://www.owasp.org Scanner Coverage You can’t test what you can’t see How effective is the scanner’s crawler? How are URLs mapped to functionality? RESTful Parameters Possible issues: Login routines Multi-step processes Anti-CSRF protection 4

5 The OWASP Foundation http://www.owasp.org Are You Getting a Good Scan? Large financial firm: “Our 500 page website is secure because the scanner did not find any vulnerabilities!” Me: “Did you teach the scanner to log in so that it can see more than just the homepage?” Large financial firm: “…” 5

6 The OWASP Foundation http://www.owasp.org Can Your Scanner Do This? Two-step login procedure: Enter username / password (pretty standard) Enter answer to one of several arbitrary questions Challenge was that the parameter indicating the question was dynamic Question_1, Question_2, Question_3, and so on Makes standard login recording ineffective 6

7 The OWASP Foundation http://www.owasp.org It All Started With A Simple Blog Post… Ran into an application with a complicated login procedure and wrote blog post about the toolchain used to solve the problem http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning- handling-complicated-logins-with-appscan-and-burp-suite.html Other scanner teams responded: IBM Rational AppScan http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated- logins-with-appscan-only.html HP WebInspect http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-hp- webinspect.html Mavituna Security Netsparker http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-mavituna- netsparker.html NTObjectives NTOSpider http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-ntospider.html 7

8 The OWASP Foundation http://www.owasp.org Scanner Authentication Scenario Examples Built as a response to the previously-mentioned blog conversation Example implementations of different login routines How can different scanners be configured to successfully scan? GitHub site: https://github.com/denimgroup/authexamples 8

9 The OWASP Foundation http://www.owasp.org Did I Get a Good Scan? Scanner training is really important Read the Larry Suto reports… Must sanity-check the results of your scans What URLs were accessed? If only two URLs were accessed on a 500 page site, you probably have a bad scan If 5000 URLs were accessed on a five page site, you probably have a bad scan What vulnerabilities were found and not found? Scan with no vulnerabilities – probably not a good scan Scan with excessive vulnerabilities – possibly a lot of false positives 9

10 The OWASP Foundation http://www.owasp.org Low False Positives Reports of vulnerabilities that do not actually exist How “touchy” is the scanner’s testing engine? Why are they bad? Take time to manually review and filter out Can lead to wasted remediation time 10

11 The OWASP Foundation http://www.owasp.org Low False Negatives Scanner failing to report vulnerabilities that do exist How effective is the scanner’s testing engine? Why are they bad? You are exposed to risks you do not know about You expect that the scanner would have found certain classes of vulnerabilities What vulnerability classes do you think scanners will find? 11

12 The OWASP Foundation http://www.owasp.org Other Benchmarking Efforts Larry Suto’s 2007 and 2010 reports Analyzing the Accuracy and Time Costs of Web Application Security Standards http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf Vendor reactions were … varied [Ofer Shezaf attended this talk at AppSecEU 2012 and had some great questions and comments. See his reactions to the latest Larry Suto scanner report here :http://www.xiom.com/2010/02/09/wafs-are-not- perfect-any-security-tool-perfect ]http://www.xiom.com/2010/02/09/wafs-are-not- perfect-any-security-tool-perfect Shay Chen’s Blog and Site http://sectooladdict.blogspot.com/ http://www.sectoolmarket.com/ http://www.infosecisland.com/blogview/21926-A-Step-by-Step-Guide-for-Choosing-the-Best-Scanner.html Web Application Vulnerability Scanner Evaluation Project (wavsep) http://code.google.com/p/wavsep/ 12

13 The OWASP Foundation http://www.owasp.org So I Should Just Buy the Best Scanner, Right? Or the cheapest? Well… What do you mean by “best”? Follow-on questions How well do the scanners work on your organization’s applications? How many false positives are you willing to deal with? What depth and breadth of coverage do you need? 13

14 The OWASP Foundation http://www.owasp.org ThreadFix - Overview ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems. Freely available under the Mozilla Public License (MPL) Hosted at Google Code: http://code.google.com/p/threadfix/http://code.google.com/p/threadfix/ 14

15 The OWASP Foundation http://www.owasp.org What is a Unique Vulnerability? (CWE, Relative URL) Predictable resource location Directory listing misconfiguration (CWE, Relative URL, Injection Point) SQL injection Cross-site Scripting (XSS) Injection points Parameters – GET/POST Cookies Other headers 15

16 The OWASP Foundation http://www.owasp.org What Do The Scanner Results Look Like? Usually XML Skipfish uses JSON and gets packaged as a ZIP Scanners have different concepts of what a “vulnerability” is We normalize to the (CWE, location, [injection point]) noted before Look at some example files Several vendors have been really helpful adding additional data to their APIs and file formats to accommodate requests (thanks!) 16

17 The OWASP Foundation http://www.owasp.org Let’s Look at Some Example Files AppScan Netsparker w3af Arachni

18 The OWASP Foundation http://www.owasp.org Why Common Weakness Enumeration (CWE)? Every tool has their own “spin” on naming vulnerabilities OWASP Top 10 / WASC XX are helpful but not comprehensive We tried to create our own vulnerability classification scheme Proprietary Not sustainable Stupid CWE is pretty exhaustive Reasonably well-adopted standard Many tools have mappings to CWE for their results Main site: http://cwe.mitre.org/http://cwe.mitre.org/ 18

19 The OWASP Foundation http://www.owasp.org Challenges Using the CWE It is pretty big (909 nodes, 693 actual weaknesses) But it kind of has to be to be comprehensive… Many tools provide mappings And sometimes they’re even kind of accurate! Some tools provide more than one CWE category for a vulnerability So in ThreadFix we make a best guess Some tools provide “junk” results So in ThreadFix we collapse those into a single vulnerability Some organizations have their own classification schemes

20 The OWASP Foundation http://www.owasp.org Demo Unpack and install ThreadFix Use ThreadFix to normalize and report on the use of multiple scanning technologies on a given application Import multiple scans and de-duplicate the results These screenshots are based on UNTUNED scans and are NOT meant to show a real benchmark of these scanners – only the process. 20

21 The OWASP Foundation http://www.owasp.org Unzip the ThreadFix Package (like WebGoat!) 21

22 The OWASP Foundation http://www.owasp.org Make threadfix.sh Executable 22

23 The OWASP Foundation http://www.owasp.org Run ThreadFix Pre-Configured Tomcat Server 23

24 The OWASP Foundation http://www.owasp.org Login to ThreadFix (“user” and “password”) 24

25 The OWASP Foundation http://www.owasp.org Upload Various Scan Results Files 25

26 The OWASP Foundation http://www.owasp.org This Vulnerability Found By Three Scanners 26

27 The OWASP Foundation http://www.owasp.org Mark False Positives (wavsep Uses “FalsePositives” In the URL…) 27

28 The OWASP Foundation http://www.owasp.org Summary Report – Found, Not Found, False Positives (Again – NOT Based on Tuned Scans) 28

29 The OWASP Foundation http://www.owasp.org Report By Vulnerability Type 29

30 The OWASP Foundation http://www.owasp.org Detail Report Can Be Used To Error-Check Merge Process 30

31 The OWASP Foundation http://www.owasp.org Current Limitations Vulnerability importers are not currently formally vendor-supported Though a number have helped us test and refine them (thanks!) After you get a good scan make sure you also got a good import Summary report should show data by severity rating Make it easier to focus on vulnerabilities you probably care more about But you can look at the data by vulnerability type 31

32 The OWASP Foundation http://www.owasp.org Try This At Home, Kids Pick some applications to test Representative sample for your organization Common languages, frameworks Run scans with the targeted scanning technologies Make sure you get good scans: login, other state-based issues If you train the scans (always a good idea) be consistent Import the scans into ThreadFix Make sure you’re happy with the import Complain vigorously to me if you run into import issues dan@denimgroup.comdan@denimgroup.com or https://code.google.com/p/threadfix/issues/listhttps://code.google.com/p/threadfix/issues/list (better) Run some reports 32

33 The OWASP Foundation http://www.owasp.org You Know What Would Make All This Way Easier? Common data standards for scanning tools! Current efforts: MITRE Software Assurance Findings Expression Schema (SAFES) http://www.mitre.org/work/tech_papers/2012/11_3671/ OWASP Data Exchange Format Project https://www.owasp.org/index.php/OWASP_Data_Exchange_ Format_Project 33

34 The OWASP Foundation http://www.owasp.org Simple Software Vulnerability Language (SSVL) Common way to represent static and dynamic scanner findings Based on our experience building importers for ThreadFix It “works” for real-world applications because we are essentially using it. Love to hear feedback Send me a request and I can share the document for editing/annotation. Online: https://docs.google.com/document/d/1H5hWUdj925TtoZ7ZvnfHdFABe7hBCGuZtLUas29yBGI/e dit?pli=1 https://docs.google.com/document/d/1H5hWUdj925TtoZ7ZvnfHdFABe7hBCGuZtLUas29yBGI/e dit?pli=1 Or http://tinyurl.com/cslqv47http://tinyurl.com/cslqv47 34

35 The OWASP Foundation http://www.owasp.org Simple Software Vulnerability Language (SSVL) 35

36 The OWASP Foundation http://www.owasp.org Why Use Multiple Scanners? Better / different coverage Open source scanners – no licensing issues Commercial scanners – limited licenses SaaS services – portfolio coverage / economic questions Static and dynamic scanners Supported technologies and URL construction schemes Used at different points in the process Different insight into the software system – internal vs. external Sometimes you have no choice Security licenses scanner ABC, IT Audit subscribes to service XYZ You have to deal with the results of both scanners…

37 The OWASP Foundation http://www.owasp.org And Once You Have a Scanner… …you need to use it But you already knew that Right?

38 The OWASP Foundation http://www.owasp.org 38 Questions Dan Cornell dan@denimgroup.com Twitter: @danielcornell@danielcornell code.google.com/p/threadfix (210) 572-4400

Download ppt "The OWASP Foundation OWASP NoVA October 4 th 2012 Benchmarking Web Application Scanners for YOUR Organization Dan Cornell Founder."

Similar presentations

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Register Laulima Workshop for Instructors Solutions to help you engage your students through Laulima.

Register Laulima Workshop for Instructors Solutions to help you engage your students through Laulima.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Web 2.0. Definitions Web 1.0 Web 1.0 Static web pages Static web pages Use of search engines Use of search engines “Surfing” the web “Surfing” the web.

Web 2.0. Definitions Web 1.0 Web 1.0 Static web pages Static web pages Use of search engines Use of search engines “Surfing” the web “Surfing” the web.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Using CryptoWallet By Zed A. Shaw. Overview Learning Objectives What is CryptoWallet How Is It Designed.

Using CryptoWallet By Zed A. Shaw. Overview Learning Objectives What is CryptoWallet How Is It Designed.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.

“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN121051 Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
Register Laulima Workshop for Instructors Solutions to help you engage your students through Laulima.

Register Laulima Workshop for Instructors Solutions to help you engage your students through Laulima.
The easy way to a nice looking website design By a total non-designer (Me!)

The easy way to a nice looking website design By a total non-designer (Me!)
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.

Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
Glass Box Testing: Thinking Inside the Box Omri Weisman Manager, Security Research Group IBM Rational.

Glass Box Testing: Thinking Inside the Box Omri Weisman Manager, Security Research Group IBM Rational.
Web Application Testing with AppScan Terry Labach.

Web Application Testing with AppScan Terry Labach.

Similar presentations

Ads by Google