
1 CAP6135 – Malware and Software Vulnerability Analysis By Tara Lingle and Orcun Tagtekin

2 Web Application Vulnerability Scanning
- Searches for software vulnerabilities within web applications, in categories such as:
  - Web application security (scripting issues)
  - Technical vulnerabilities (e.g. cross-site scripting)
  - Security vulnerabilities (e.g. denial of service)
  - Architectural/logical vulnerabilities (e.g. information leakage)
- Can be used to help identify potential security vulnerabilities in both commercial and proprietary web applications.
- Frequently used in both the pre-deployment and post-deployment test cycles.

3 Project Goal
- Explore both the commercial and open source web application vulnerability scanners that currently exist and determine which one(s) we would recommend to an organization:
  - Evaluate leading commercial products, including features, strengths and weaknesses
  - Compare our findings with other research
  - Review a number of the open source tools available
  - Decide how the commercial products compare against the open source tools


5 Requirements Statement
- Limited number of false positives and false negatives
- Ability to customize configuration options for internal needs
- Covers all major platforms (Java, JavaScript, PHP, ASP, ASP.NET), including dynamic content
- Ease of use for non-security professionals
- Powerful, automated scanning engine that handles complex applications by default (minimal manual intervention)

6 Requirements Statement (continued)
- Vendor support
- Tests both application vulnerabilities and known web server vulnerabilities
- Usable reports and data
- Maintenance/upgrade costs
- Expandability for future needs of the organization
- Periodic updates as new vulnerabilities are discovered
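As an added example (not part of the slides), the following Python sketches the two kinds of check named in slide 2, a reflected cross-site scripting probe and an information-leakage check, and shows where the false positives that slide 5 wants limited come from: a naive probe that flags any reflection of its payload trips on a page that HTML-encodes output correctly, while a context-aware probe only fires when the injected markup survives unencoded. The target is an in-process stand-in for a web application; its endpoints, header values and error text are constructed for this example and assume nothing about the products under review.

```python
import html
import re
import secrets
from typing import Callable, Dict, List, Tuple

# Hypothetical in-process target: an endpoint is a function that takes the
# query parameters and returns (status, headers, body), standing in for an
# HTTP round trip so the example runs offline.
Response = Tuple[int, Dict[str, str], str]
Endpoint = Callable[[Dict[str, str]], Response]


def vulnerable_search(params: Dict[str, str]) -> Response:
    # Echoes the query into HTML without encoding: reflected XSS.
    q = params.get("q", "")
    return 200, {"Server": "Apache/2.2.8 (Ubuntu)"}, f"<p>Results for {q}</p>"


def safe_search(params: Dict[str, str]) -> Response:
    # Same page, but the reflected value is HTML-encoded.
    q = params.get("q", "")
    return 200, {"Server": "Apache"}, f"<p>Results for {html.escape(q, quote=True)}</p>"


def error_page(params: Dict[str, str]) -> Response:
    # Unhandled error that leaks a stack trace and framework version (constructed).
    body = ("<pre>Traceback (most recent call last):\n"
            '  File "/srv/app/views.py", line 42, in show\n'
            "KeyError: 'id'</pre>")
    return 500, {"X-Powered-By": "PHP/5.2.6"}, body


TARGET: Dict[str, Endpoint] = {
    "/search": vulnerable_search,
    "/safe-search": safe_search,
    "/item": error_page,
}


def canary() -> str:
    # Random token so the probe cannot collide with existing page content.
    return "zz" + secrets.token_hex(4)


def naive_reflection_check(endpoint: Endpoint, param: str) -> bool:
    """Flags any reflection of the probe token. False positive whenever the
    application reflects input but encodes it safely."""
    token = canary()
    _, _, body = endpoint({param: f"<b>{token}</b>"})
    return token in body


def context_aware_xss_check(endpoint: Endpoint, param: str) -> bool:
    """Flags only when the injected tag comes back intact. html.escape turns
    '<' into '&lt;', so an encoding page never matches this pattern."""
    token = canary()
    _, _, body = endpoint({param: f"<b>{token}</b>"})
    return re.search(rf"<b>{re.escape(token)}</b>", body) is not None


VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")
STACK_TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)|\.java:\d+\)|Stack Trace:", re.I
)


def information_leakage_check(endpoint: Endpoint) -> List[str]:
    """Reports banner headers that disclose a version number and server
    error pages that include a stack trace."""
    status, headers, body = endpoint({})
    findings: List[str] = []
    for name in VERSION_HEADERS:
        value = headers.get(name, "")
        if re.search(r"\d+\.\d+", value):
            findings.append(f"{name} discloses version: {value}")
    if status >= 500 and STACK_TRACE_RE.search(body):
        findings.append("server error page includes a stack trace")
    return findings


def scan(target: Dict[str, Endpoint]) -> Dict[str, Dict[str, object]]:
    """Runs every check against every endpoint and returns a per-path report."""
    report: Dict[str, Dict[str, object]] = {}
    for path, endpoint in target.items():
        report[path] = {
            "xss_naive": naive_reflection_check(endpoint, "q"),
            "xss": context_aware_xss_check(endpoint, "q"),
            "leakage": information_leakage_check(endpoint),
        }
    return report


if __name__ == "__main__":
    for path, result in scan(TARGET).items():
        print(path, result)
```

Running it shows /search flagged by both XSS probes, /safe-search flagged only by the naive probe (the false positive), and version and stack-trace leakage on /search and /item. A real scanner adds crawling, authentication handling and many more payload contexts (attribute, JavaScript, URL), but the distinction between "the input came back" and "the input came back executable" is what separates a low false-positive engine from a noisy one.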

7 Commercial Products Evaluated
- Acunetix Web Vulnerability Scanner by Acunetix
- AppScan by IBM/Watchfire, Inc.
- WebInspect by HP/SPI Dynamics
- Hailstorm by Cenzic

8 Web Application Vulnerability Scanning Software: Comparison of Strengths
Products compared: AppScan (IBM), Web Vulnerability Scanner (Acunetix), WebInspect (HP), Hailstorm (Cenzic)
Strengths rated for each product:
- Design and ease of use
- Documentation and help files
- Ease of manual adjustments/administration
- Reports
- Ability to map and scan Ajax applications (client-side functionality)

9 Web Application Vulnerability Scanning Software: Comparison of Weaknesses
Products compared: AppScan (IBM), Web Vulnerability Scanner (Acunetix), WebInspect (HP), Hailstorm (Cenzic)
Weaknesses rated for each product:
- Prevalence of false positives
- Prevalence of false negatives
- Documentation and help files
- Reports
- Ability to map and scan Ajax applications (client-side functionality)
- Pricing
- License/support


11 Open Source Tools
- What are the trade-offs of using an open source tool instead of a commercial product?
- Do any of them meet the requirements statement outlined above?

12 Open Source Tools Reviewed
- Nikto by Sullo
- Paros by Chinotec
- WebScarab by Rogan Dawes
- Grabber by Romain Gaucher
- Grendel-Scan by David Byrne and Eric Duprey
- Pantera by Simon Roses Femerling
- Powerfuzzer by Marcin Kozlowski
- Scuba by Imperva
- Wapiti by Nicolas Surribas
