Published by Jayson Horn. Modified over 9 years ago.
Security Scanning
OWASP Education, computer based training
Nishi Kumar: IT Architect Specialist; Chair, Software Security Forum, FIS; OWASP CBT Project Lead; OWASP Global Industry Committee
Contributor and Reviewer: Keith Turpin
Objectives
Understand different offerings available to find vulnerabilities
Learn pros and cons of those offerings
Know about some open source and commercial scanning tools
Industry Application Security Offerings
Automated:
  Dynamic web application interface scanning
  Static code scanning
  Web app firewalls
  Intrusion Prevention Systems (IPS)
Manual:
  Application penetration test
  Code review
Note: An Intrusion Prevention System (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. A network-based IPS, for example, operates in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology.
Automated vs. Manual: Advantages
Advantages of automated solutions:
  Low incremental cost
  Minimal training
  Potentially 24/7 protection
Advantages of manual solutions:
  No false positives
  Guaranteed code coverage
  Ability to identify complex vulnerabilities
  Understand business logic
  Acts like a determined attacker
  Can combine vulnerabilities
What Automated Solutions Miss
Theoretical:
  Logic flaws (business and application)
  Design flaws
Practical:
  Difficulty interacting with Rich Internet Applications
  Complex variants of common attacks (SQL Injection, XSS, etc.)
  Cross-Site Request Forgery (CSRF)
  Uncommon or custom infrastructure
  Abstract information leakage
Conducting the Assessment
If you are using automated scanning tools, beware of false positives and false negatives
Pattern recognition has limitations
Combine various testing methods:
  Automated scanning
  Code review
  Manual testing
Learn what tools do and do not do well
Validate every finding
Keep detailed notes
Commercial Dynamic Scanning Tools
WebInspect, by HP
Rational AppScan, by IBM
Acunetix WVS, by Acunetix
Hailstorm, by Cenzic
NTOSpider, by NT OBJECTives
Open Source and Low Cost Scanners
W3af
Burp Suite
Grendel Scan
Wapiti
Arachni
Skipfish
Paros (free version no longer maintained)
Code Scanning Tools
Fortify, by HP
Rational AppScan Source Edition, by IBM
Coverity Static Analysis, by Coverity
CxSuite, by Checkmarx
Yasca, by OWASP
Veracode binary analysis, by Veracode (Veracode uses a different methodology than other scanners)
C and C++ code scanning tool
Client Side Web Proxies
Paros (free version no longer maintained)
Burp Suite
WebScarab NG
Charles Proxy
Browser plugins:
  Internet Explorer: Fiddler
  Firefox: Tamper Data
Paros Proxy
Paros Proxy is a web security scanning tool. All HTTP and HTTPS traffic between the browser and the server passes through the Paros proxy, so every part of a request, including cookies and form fields, can be intercepted and modified before it is forwarded.
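As an added illustration of the intercept-and-modify step described above (example code written for this page, not part of Paros or the original slides; the host, field names and catalogue values are constructed): the first function does what a proxy does to a captured POST, rewriting form fields and correcting Content-Length, and the second shows the server-side check that must hold no matter what arrives.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample request (hypothetical host and field names), as an
# intercepting proxy sees it between browser and server.
CAPTURED_REQUEST = (
    "POST /checkout HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "item=42&qty=1&price=99.00"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return request_line, headers, body


def intercept(raw, form_changes):
    """Rewrite form fields of a captured POST and fix Content-Length; this is
    the edit a proxy performs before forwarding the request to the server."""
    request_line, headers, body = parse_request(raw)
    fields = dict(parse_qsl(body, keep_blank_values=True))
    fields.update(form_changes)  # overwrite or add fields
    body = urlencode(fields)
    headers["Content-Length"] = str(len(body.encode("utf-8")))
    head = "\r\n".join([request_line, *(f"{k}: {v}" for k, v in headers.items())])
    return head + "\r\n\r\n" + body


# Constructed server-side catalogue: the price must come from here, never
# from the form, because every form value is under the client's control.
CATALOGUE = {"42": 99.00}


def server_total(body):
    """Defender's side: recompute the order from trusted data and reject
    anything the client could have tampered with."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    item = fields.get("item")
    qty = int(fields.get("qty", "0"))
    if item not in CATALOGUE or qty < 1:
        raise ValueError("rejected: unknown item or invalid quantity")
    return CATALOGUE[item] * qty  # any submitted price is ignored
```

Running a tampered request through server_total shows whether the application trusts client-supplied values; a correct server yields the catalogue price times quantity and rejects invalid quantities.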
Paros Proxy - Interface (screenshot)
Paros Proxy - Options Dialog (screenshot)
Paros Proxy - Reporting (screenshot)
W3af by OWASP - Web application attack and audit framework
W3af - Web application attack and audit framework (screenshots)
W3af - Exploit (screenshot)
Commercial Scanning Tool: IBM Rational AppScan
IBM Rational AppScan Interface (screenshot)
Scan Configuration - URL and Server (screenshot)
Scan Configuration - Login Management (screenshot)
Scan Configuration - Test Policy (screenshot)
Scan Configuration - Complete (screenshot)
Reporting - Industry Standard (screenshots)
Commercial Scanning Tool: WebInspect
Scan Mode (screenshot)
Audit Policy (screenshot)
Requester Thread (screenshot)
HTTP Parsing (screenshot)
Report Type (screenshot)
Summary
Over 90% of ecommerce PCI breaches are from application flaws
Application security is not a percentage game: one missed flaw is all it takes
Vulnerabilities can come from more than one avenue:
  Acquisitions
  Old or dead code
  Third-party libraries