Reverse Benchmarking -- Tom Stracener, Sr. Security Analyst, Cenzic Inc. Toorcon 9.

Slides:



Advertisements
Similar presentations
Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.
Advertisements

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
Chapter Four Managing Marketing Information. Roadmap: Previewing the Concepts Copyright 2007, Prentice Hall, Inc Explain the importance of information.
Abirami Poonkundran 2/22/10.  Goal  Introduction  Testing Methods  Testing Scope  My Focus  Current Progress  Explanation of Tools  Things to.
McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. Extended Learning Module H Computer Crime and Digital Forensics.
Ethical Hacking by Shivam.
1 Software Testing and Quality Assurance Lecture 33 – Software Quality Assurance.
GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Account Planning and Research Chapter 06 McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
Comp 8130 Presentation Security Testing Group Members: U Hui Chen U Ming Chen U Xiaobin Wang.
Security in IP telephony (VoIP) David Andersson Erik Martinsson.
Web Application Security Assessment and Vulnerability Assessment.
Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.
CAP6135 – Malware and Software Vulnerability Analysis By Tara Lingle and Orcun Tagtekin.
WHAT Exam Practice WHY All MUST Most SHOULD Some COULD Be able to understand the requirements of the exam to achieve a grade D Be able to understand the.
Stefan Thorvaldsson – What is a network? A network is two or more computer linked together so the are able to share resources. It could.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Fundamentals of Information Systems Security.
“Good Enough” Metrics Jeremy Epstein Senior Director, Product Security webMethods, Inc.
The future of software testing. The future of Software Testing The test practitioner’s perspective Future from the test organization perspective Innovation.
Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Department of Computer Science & Engineering College of Engineering.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 4 Finding Network Vulnerabilities By Whitman, Mattord, & Austin© 2008 Course Technology.
Preventing SQL Injection Attacks in Stored Procedures Alex Hertz Chris Daiello CAP6135Dr. Cliff Zou University of Central Florida March 19, 2009.
Hacking the EULA: Reverse Benchmarking Web Application Security Scanners Toorcon 2007.
Application Security
PARTFOLIO: BY GROUP MOHAMAD SHAZWAN BIN DAUD NUR’ ARINA ATIQAH BT ASRAR
19 th Bled eConference, 06 June Hannes Selhofer European Commission An initiative of the Hannes Selhofer empirica GmbH 19 th Bled eConference –
Copyright © 2004 Pearson Education, Inc. Slide 5-1 Securing Channels of Communication Secure Sockets Layer (SSL): Most common form of securing channels.
1Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved. MOBILE THREAT EXAMPLE.
World Intrusion Detection and Prevention Systems Market Innovative Technologies Improve Accuracy of IDS/IPS Systems “Integration of multiple-attack detection.
Linux Security LINUX SECURITY. Firewall Linux Security Internet Database Application Web Server Firewall.
Session Management Security and Applied Reverse Benchmarking - Tom Stracener, Sr. Security Analyst, Cenzic Inc. November 2007.
SIGITE 2008: Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University.
ICT Information and Communication Technology. Two parts : Core (Compulsory) part Elective part.
ICT Information and Communication Technology. Two parts : Core (Compulsory) part Elective part.
Evaluation of Reference Services Dr. Dania Bilal IS 530 Spring 2006.
1 Class 15 System Security. Outline Security Threats (External: malware, spoofing/phishing, sniffing, & data theft: Internal: unauthorized data access,
Office of Campus Information Security Driving a Security Architecture by Assessing Risk Stefan Wahe Sr. Information Security Analyst.
Digital Key Concepts Management 102 Professor Estenson Chapter 12 Research.
.  Define risk and risk management  Describe the components of risk management  List and describe vulnerability scanning tools  Define penetration.
McLean HIGHER COMPUTER NETWORKING Lesson 14 Firewalls & Filtering Comparison of Internet content filtering methods: firewalls, Internet filtering.
Intrusion Detection System (IDS) Basics LTJG Lemuel S. Lawrence Presentation for IS Sept 2004.
Universiti Utara Malaysia Web Application Development STIJ3043.
Introduction: Information security services. We adhere to the strictest and most respected standards in the industry, including: -The National Institute.
Copyright © 2010 Pearson Education, Inc. publishing as Prentice HallChapter Finding, Evaluating, and Processing Information.
Internet2 AdvCollab Apps 1 Access Grid Vision To create virtual spaces where distributed people can work together. Challenges:
Massachusetts Recommended Standards for PreK – 12 Information Literacy Skills Valerie Diggs Standards Committee Chair.
Information and Communication Technology in Business BTT 101 HOLY NAME OF MARY C. S. S. Brampton, Ontario.
Reverse Engineering Dept. of I&CT, MIT, Manipal. Aspects To Be Covered Introduction to reverse engineering. Comparison between reverse and forward engineering.
PRESENTERS: AMOL KOKJE, STEVEN OSBURN, SUNIT VERMA, TOSHA SHAH, KALP PARIKH Vetting Mobile Apps.
Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.
“All measurement is approximate” -- National Math Panel.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
CSCE 548 Secure Software Development Risk-Based Security Testing
C IBM Security QRadar SIEM V7.2.6 Associate Analyst
OWASP Static Analysis (SA) Track Goals, Objectives, and Track Roadmap
CompTIA Security+ SY0-401 Real Exam Question Answer
Want To Pass GIAC Certified Intrusion Analyst (GCIA) GCIA Dumps GIAC.
>> Introduction to Web Applications
Quality Management Perfectqaservices.
HTML Level II (CyberAdvantage)
Security Operations Without Going Blind
Security Operations Without Going Blind
Sophia Marie Hollimon Companies: Symantec, Microtek ,Hitachi
ISMS Information Security Management System
الانترنت والبريد الإلكتروني
Information Technology
Engineering Secure Software
Presentation transcript:

Reverse Benchmarking -- Tom Stracener, Sr. Security Analyst, Cenzic Inc. Toorcon 9

Analyzing Application Security Scanners Benchmarking Concepts –Benchmarking black box scanners is ultimately a systematic comparison –Most common Benchmarking technique is ‘positive’ or ‘comparative’ benchmarking –The goal is to see which scanner does the best against a selected application

Application Security - what is it? Internet ClientFirewall Web Server App Server Database IDS/IPS Application Security Network Security Desktop and Content Security Software

Analyzing Application Security Scanners Security Assessment ‘quality’ critiera –Functionality (Black vs White Box) –Ergonomics & Usability –Performance –Feature Sets –Bling –Accuracy –False Positive Rates i.e. Signal to Noise

Positive and Negative Accuracy concepts 4 Key Concepts

+ Benchmarking: Accuracy Positive Benchmarking is a measure of the number of valid results relative to the total number of vulnerabilities in the application. Example: Scanner Foodizzle found 8 out of 10 vulnerabilities in the target application, i.e. it was 80% relative to the vulnerability-set. Use: Measures of ‘accuracy’ are commonly used during positive benchmarking, bake-offs, etc. Challenges: Accuracy is difficult to measure because its often difficult to know exactly how many vulnerabilities there are in the target application.

+ Benchmarking Limitations Positive Benchmarking relies on objective knowledge of vulnerabilities in the target application, and thus breaks down when not performed by experts Selection Bias: Scanner Foodizzle found 8 out of 10 vulnerabilities in the target application, i.e. it was 80% relative to the vulnerability-set. Interpreting the Data: Measures of ‘accuracy’ are commonly used during positive benchmarking, bake-offs, etc. Tuning Against the App: Accuracy is difficult to measure because its often difficult to know exactly how many vulnerabilities there are in the target application. Analysis Gaps:

The answer is 42

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.