Presentation is loading. Please wait.

Presentation is loading. Please wait.

Evaluation of Security Scanners for Web Application Presented By: Sunint Kaur Khalsa (100875000) Sarabjeet Kaur Saini(6235987)

Published byKatrina McKenzie Modified over 8 years ago

Similar presentations

Presentation on theme: "Evaluation of Security Scanners for Web Application Presented By: Sunint Kaur Khalsa (100875000) Sarabjeet Kaur Saini(6235987)"— Presentation transcript:

1 Evaluation of Security Scanners for Web Application Presented By: Sunint Kaur Khalsa (100875000) Sarabjeet Kaur Saini(6235987)

2 Outline  Context  Goal and Scope of Study  Methodology  Evaluation Criteria  Evaluation of Candidate Tools  Conclusion and Recommendation

3 News…  Harvard Website attacked by Syrian Protesters  77 US Law Enforcement Websites hit in mass attack by “LulzSec” hacking group.  The website of World’s most popular Martial Arts Organisation “Ultimate Fighting Championship” hacked  …

4 Solution… Firewall ?

5 Blue Crystal Inc.  Web Application Development firm with a Work Force of 15 people  Develop web applications based on.Net Platform  Incepted the idea of giving security services to their clients after selecting a suitable tool  Wanted a tool with high functionality, low cost, low resource consumption and high vulnerability detection

6 Goal and Scope of Study  Goal  Select the most suitable tool for Blue Crystal as per their given requirements.  Scope  To conduct the evaluation of selected tools on the basis of High Impact and Low impact criteria.

7 Methodology Used  Test Cases for the Evaluation  Test websites provided by the vendors are used  Score given to each tool on the scale of 0-10 for the corresponding evaluation criteria  Weights have been assigned to the evaluation criteria  Final score = Where i= Evaluation Criteria wi = Weight of i th evaluation criteria si= Score of the tool corresponding to the i th evaluation criteria

8 High Impact and Low Impact Criteria

9 Evaluation Criteria High Impact Criteria Crawling and Parsing5 Vulnerability Identification5 Performance4 Cost and License5 Evaluation CriteriaLow Impact Criteria Ease of Installation3 Usability3 Scan Control Capability3 Reporting and Documentation3 Weighing Scheme

10 Tools Selected  Rational Appscan  A Product of IBM  Originally developed by Sanctum Ltd.  First released in 1998  HP WebInspect  A Product of HP  Originally developed by SPI Dynamics

11 Test Websites ToolHost Web Pages Operating System Web Server Application Language AppScanhttp://demo.testfire.net34 Win32 – Windows XP IISASP.NET WebInspecthttp://zero.webappsecurity.com 100Win32 – Windows XP IISASP.NET

12 Ease of Installation  This criterion considered the ease of acquisition and installation of the tool  Rational Appscan had a file of size 497 MB and took 5 hours for its installation  HP WebInspect took 2 hours for the installation of 641 MB file but we had to wait for 6 hours to get the key as that required domain verification.  WebInspect also required SQL server and there is no such requirement for Appscan Appscan = 8WebInspect = 6

13 Usability  Usability Criterion is a combination of  Ease of use  Efficiency  AppScan takes screenshots of the browser responses corresponding to the generated attacks  AppScan provides in depth description of the detected vulnerabilities including possible causes, technical description and fixing recommendation whereas WebInspect provides only recommendations  WebInspect creates macros to record testing steps during scan and automate repeated testing Appscan = 9WebInspect = 8

14 Usability…

15

16

17 Scan Control Capability  Evaluated the scan control capabilities of both the tools to find which tool is better for handling the scan.  Both tools provide operator with the ability to  Pause a scan  Restart the scan at a later time  Both tools provides the viewing the real-time status of running scans. This status could include information such as which tests are currently being run and the scan completion percentage. Appscan = 9WebInspect = 9

18 Reporting and Documentation  This criterion evaluates the tool on the basis of  Generation of reports in different formats  Comprehensiveness of the generated reports  Appscan can generate different types of reports  Security Report  Industry Standard Report  Regulatory Compliance Report  Delta Analysis Report  Template Based Report

19 Reporting and Documentation  Features of Appscan’s Report  Report was divided into different sections based on the URLs, where vulnerabilities have been encountered.  Reports consisted of tables, text and graphs and hence more readable and understandable  The reports by WebInspect comprised of a lot of text with definitions and explanation and less of graphs, tables. Appscan = 10WebInspect = 8

20 Report Generation in AppScan

21 Report Generation in WebInspect

22 Crawling and Parsing  Crawling is an activity by which the scanner browses various web elements like cookies, forms, parameters, links etc looking for vulnerabilities  Parsing is defined as crawling for the various types of contents like HTML, ActiveX objects, Java Applets, Java Scripts, XML etc  Both the tools have automated crawling  In manual configuration, user is given the option  Specifying a request delay,  Maximum crawl depth  Have concurrent sessions

23 Crawling and Parsing  WebInspect has a feature which shows the steps the scanner took to reach a specific vulnerability, pointing to the specific element.  It is good if we want to retest certain flaws and to see how the scanner is working on it  WebInspect gives the feature to specify the request delay which is of interest to Blue Crystal Inc. as it might help them to use the bandwidth wisely Appscan = 9WebInspect = 10

24 Vulnerability Assessment  This criterion evaluates the total vulnerabilities which have been found by the web scanners on their respective test cases.  In order to find the vulnerabilities on the test websites the number of attacks sent by AppScan 18,634 on 34 pages as compared to 19,968 on 100 pages of WebInspect.  With three times the size of the test website WebInspect generates less attacks and this results in exposing less vulnerabilities.

25 Vulnerability Identification  Appscan exposed 120 vulnerabilities as compared to 272 vulnerabilities exposed by WebInspect. Here it is worth mentioning that the size of WebInspect’s test case is thrice as that of Appscan’s test case.  The various types of attacks detected by both the tools are  SQL Injection  Cross Site Scripting  Buffer Overflow  File guessing Etc… Appscan = 9WebInspect = 7

26 Performance  This criterion covers the time in which the tool completes the scan and the resources utilized during the scan  Appscan completed the scan of website with 34 pages in 31 minutes where as WebInspect completed the scan of 100 pages in 15 minutes showing the better performance of WebInspect  The minimum system requirements of Appscan are  2.4GHz processor  2GB RAM  30GB of free disk space  The minimum system requirements for WebInspect are  1.5GHz processor  2GB of available RAM  10GB of free disk space Appscan = 7WebInspect = 8

27 Cost and License  Cost = Training cost + License Cost  The Training cost is considered the same for both the tools as both of them have online tutorials and quick start up kits. Appscan = 8WebInspect = 7 WebInspect Annual Audit License: This licence type allows access to client’s partner portal (They have the ability to scan unlimited customers on any IP in their environment) + Annual maintenance + customer support + access to daily updated vulnerability checks + Additional Overhead for each additional user $ 20,000 IBM Rational App Scan Standard Edition + SW Subscription & Support 12 Months $19,700

28 Score Earned by each Tool

29 Total Score of each Tool Evaluation Criteria(i)Weight (wi)AppScan(si)WebInspect(si) Ease of Installation3 8 6 Usability398 Scan Control Capability399 Reporting and Documentation 3108 Crawling and Parsing5910 Vulnerability Identification597 Performance478 Cost and License587 Total Score266245

30 Conclusion and Recommendation  Rational AppScan is a clear winner and hence a better tool to fulfill the requirements prescribed by Blue Crystal Inc.  Number of attacks sent by AppScan were more as compared to WebInspect for exposing the vulnerabilities in the test website.  AppScan provides in depth description of the detected vulnerabilities including possible causes, technical description and fixing recommendation whereas WebInspect provides only recommendations, required from development point of view.

31 References  http://www.ibm.com/software/awdtools/appscan/,  http://welcome.hp.com/country/us/en/prodserv/software.ht ml  http://en.wikipedia.org

Download ppt "Evaluation of Security Scanners for Web Application Presented By: Sunint Kaur Khalsa (100875000) Sarabjeet Kaur Saini(6235987)"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Auto-test Tools: Sahi and Rational Robot Ting Yu Xia Liu University of Ottawa.

Auto-test Tools: Sahi and Rational Robot Ting Yu Xia Liu University of Ottawa.
ESafe Reporter V3.0 eSafe Learning and Certification Program February 2007.

ESafe Reporter V3.0 eSafe Learning and Certification Program February 2007.
OVERVIEW TEAM5 SOFTWARE The TEAM5 software manages personnel and test data for personal ESD grounding devices. Test and personnel data may be viewed/reported.

OVERVIEW TEAM5 SOFTWARE The TEAM5 software manages personnel and test data for personal ESD grounding devices. Test and personnel data may be viewed/reported.
WSUS Presented by: Nada Abdullah Ahmed.

WSUS Presented by: Nada Abdullah Ahmed.
Reachwell – An Enterprise Asset & Workspace Management System

Reachwell – An Enterprise Asset & Workspace Management System
Using JavaServer Pages Harry R. Erwin, PhD CIT304/CSE301.

Using JavaServer Pages Harry R. Erwin, PhD CIT304/CSE301.
SOFTWARE PRESENTATION ODMS (OPEN SOURCE DOCUMENT MANAGEMENT SYSTEM)

SOFTWARE PRESENTATION ODMS (OPEN SOURCE DOCUMENT MANAGEMENT SYSTEM)
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
By Ben Pratt and Clint Forseth.  Ben Pratt ◦ Primary Role: Course Mgmt. Sys. Admin ◦ Secondary Roles: Printer Server Admin, Web Application Firewall.

By Ben Pratt and Clint Forseth.  Ben Pratt ◦ Primary Role: Course Mgmt. Sys. Admin ◦ Secondary Roles: Printer Server Admin, Web Application Firewall.
EValid Getting Started. Agenda Introduction to eValid First experience of using eValid Recording and Site Analysis in eValid.

EValid Getting Started. Agenda Introduction to eValid First experience of using eValid Recording and Site Analysis in eValid.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 5: User Environment and Multiple Languages.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 5: User Environment and Multiple Languages.
Introduction to eValid Presentation Outline What is eValid? About eValid, Inc. eValid Features System Architecture eValid Functional Design Script Log.

Introduction to eValid Presentation Outline What is eValid? About eValid, Inc. eValid Features System Architecture eValid Functional Design Script Log.
Effort in hours Duration Over Weeks Or Months Inception Launch Web Lifecycle Methodology Maintenance Phases 1234576891011 Copyright Wonderlane Studios.

Effort in hours Duration Over Weeks Or Months Inception Launch Web Lifecycle Methodology Maintenance Phases Copyright Wonderlane Studios.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
The Premier Software Usage Analysis and Reporting Toolset Maximizing Value for Software Users.

The Premier Software Usage Analysis and Reporting Toolset Maximizing Value for Software Users.
Slide 1 of 9 Presenting 24x7 Scheduler The art of computer automation Press PageDown key or click to advance.

Slide 1 of 9 Presenting 24x7 Scheduler The art of computer automation Press PageDown key or click to advance.
269200 Web Programming Language Dr. Ken Cosh Week 1 (Introduction)

Web Programming Language Dr. Ken Cosh Week 1 (Introduction)
 Chirita Ionel  Application Security  OWASP Chapter board member.

 Chirita Ionel  Application Security  OWASP Chapter board member.

Similar presentations

Ads by Google