Presentation is loading. Please wait.

Presentation is loading. Please wait.

Reverse Benchmarking -- Tom Stracener, Sr. Security Analyst, Cenzic Inc. Toorcon 9.

Published byKerrie Simon Modified over 9 years ago

Similar presentations

Presentation on theme: "Reverse Benchmarking -- Tom Stracener, Sr. Security Analyst, Cenzic Inc. Toorcon 9."— Presentation transcript:

1 Reverse Benchmarking -- Tom Stracener, Sr. Security Analyst, Cenzic Inc. Toorcon 9

2 Analyzing Application Security Scanners Benchmarking Concepts –Benchmarking black box scanners is ultimately a systematic comparison –Most common Benchmarking technique is ‘positive’ or ‘comparative’ benchmarking –The goal is to see which scanner does the best against a selected application

3 Application Security - what is it? Internet ClientFirewall Web Server App Server Database IDS/IPS Application Security Network Security Desktop and Content Security Software

4 Analyzing Application Security Scanners Security Assessment ‘quality’ critiera –Functionality (Black vs White Box) –Ergonomics & Usability –Performance –Feature Sets –Bling –Accuracy –False Positive Rates i.e. Signal to Noise

5 Positive and Negative Accuracy concepts 4 Key Concepts

6 + Benchmarking: Accuracy Positive Benchmarking is a measure of the number of valid results relative to the total number of vulnerabilities in the application. Example: Scanner Foodizzle found 8 out of 10 vulnerabilities in the target application, i.e. it was 80% relative to the vulnerability-set. Use: Measures of ‘accuracy’ are commonly used during positive benchmarking, bake-offs, etc. Challenges: Accuracy is difficult to measure because its often difficult to know exactly how many vulnerabilities there are in the target application.

7 + Benchmarking Limitations Positive Benchmarking relies on objective knowledge of vulnerabilities in the target application, and thus breaks down when not performed by experts Selection Bias: Scanner Foodizzle found 8 out of 10 vulnerabilities in the target application, i.e. it was 80% relative to the vulnerability-set. Interpreting the Data: Measures of ‘accuracy’ are commonly used during positive benchmarking, bake-offs, etc. Tuning Against the App: Accuracy is difficult to measure because its often difficult to know exactly how many vulnerabilities there are in the target application. Analysis Gaps:

8 The answer is 42

Download ppt "Reverse Benchmarking -- Tom Stracener, Sr. Security Analyst, Cenzic Inc. Toorcon 9."

Similar presentations

Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.

Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.

Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
Chapter Four Managing Marketing Information. Roadmap: Previewing the Concepts Copyright 2007, Prentice Hall, Inc.4-2 1.Explain the importance of information.

Chapter Four Managing Marketing Information. Roadmap: Previewing the Concepts Copyright 2007, Prentice Hall, Inc Explain the importance of information.
Abirami Poonkundran 2/22/10.  Goal  Introduction  Testing Methods  Testing Scope  My Focus  Current Progress  Explanation of Tools  Things to.

Abirami Poonkundran 2/22/10.  Goal  Introduction  Testing Methods  Testing Scope  My Focus  Current Progress  Explanation of Tools  Things to.
McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. Extended Learning Module H Computer Crime and Digital Forensics.

McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. Extended Learning Module H Computer Crime and Digital Forensics.
Ethical Hacking by Shivam.

Ethical Hacking by Shivam.
1 Software Testing and Quality Assurance Lecture 33 – Software Quality Assurance.

1 Software Testing and Quality Assurance Lecture 33 – Software Quality Assurance.
GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.

GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Account Planning and Research Chapter 06 McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

Account Planning and Research Chapter 06 McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
Comp 8130 Presentation Security Testing Group Members: U4266680 Hui Chen U4242754 Ming Chen U4266538 Xiaobin Wang.

Comp 8130 Presentation Security Testing Group Members: U Hui Chen U Ming Chen U Xiaobin Wang.
Security in IP telephony (VoIP) David Andersson Erik Martinsson.

Security in IP telephony (VoIP) David Andersson Erik Martinsson.
Web Application Security Assessment and Vulnerability Assessment.

Web Application Security Assessment and Vulnerability Assessment.
Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.

Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.
CAP6135 – Malware and Software Vulnerability Analysis By Tara Lingle and Orcun Tagtekin.

CAP6135 – Malware and Software Vulnerability Analysis By Tara Lingle and Orcun Tagtekin.
WHAT Exam Practice WHY All MUST Most SHOULD Some COULD Be able to understand the requirements of the exam to achieve a grade D Be able to understand the.

WHAT Exam Practice WHY All MUST Most SHOULD Some COULD Be able to understand the requirements of the exam to achieve a grade D Be able to understand the.
Stefan Thorvaldsson – What is a network? A network is two or more computer linked together so the are able to share resources. It could.

Stefan Thorvaldsson – What is a network? A network is two or more computer linked together so the are able to share resources. It could.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Fundamentals of Information Systems Security.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Fundamentals of Information Systems Security.
“Good Enough” Metrics Jeremy Epstein Senior Director, Product Security webMethods, Inc.

“Good Enough” Metrics Jeremy Epstein Senior Director, Product Security webMethods, Inc.

Similar presentations

Ads by Google