340 likes | 675 Views
OWASP Education Computer based training. Security Scanning. Nishi Kumar IT Architect Specialist Chair, Software Security Forum FIS OWASP CBT Project Lead OWASP Global Industry Committee Nishi.Kumar@owasp.org Contributor and Reviewer Keith Turpin. Objectives.
E N D
OWASP Education Computer based training Security Scanning Nishi Kumar IT Architect Specialist Chair, Software Security Forum FIS OWASP CBT Project Lead OWASP Global Industry Committee Nishi.Kumar@owasp.org Contributor and Reviewer Keith Turpin
Objectives • Understand different offerings available to find vulnerabilities • Learn pros and cons of those offerings • Know about some open source and commercial scanning tools
Industry Application Security Offerings • Automated • Dynamic web application interface scanning • Static code scanning • Web app firewalls • Intrusion Prevention Systems (IPS) • Manual • Application penetration test • Code review
Automated vs. Manual: Advantages • Advantages of automated solutions • Low incremental cost • Minimal training • Potentially 24/7 protection • Advantages of manual solutions • No false positives • Guaranteed code coverage • Ability to identify complex vulnerabilities • Understand business logic • Acts like a determined attacker • Can combine vulnerabilities
What Automated Solutions Miss • Theoretical • Logic flaws (business and application) • Design flaws • Practical • Difficulty interacting with Rich Internet Applications • Complex variants of common attacks (SQL Injection, XSS, etc) • Cross-Site Request Forgery (CSRF) • Uncommon or custom infrastructure • Abstract information leakage
Conducting the Assessment • If you are using automated scanning tools, beware of false positives and negatives • Pattern recognition has limitations • Combine various testing methods • Automated scanning • Code review • Manual testing • Learn what tools do and do not do well • Validate every finding • Keep detailed notes
Commercial Dynamic Scanning Tools • Web Inspect – by HP • Rational AppScan – by IBM • Acunetix WVS – by Acunetix • Hailstorm – by Cenzic • NTOSpider – by NT OBJECTives
Open Source and Low Cost Scanners • W3af - http://w3af.sourceforge.net/ • Burp Suite - http://portswigger.net/ • Grendel Scan - http://grendel-scan.com/ • Wapiti - http://wapiti.sourceforge.net/ • Arachni - http://zapotek.github.com/arachni/ • Skipfish - http://code.google.com/p/skipfish/ • Paros - http://www.parosproxy.org/(Free version no longer maintained)
Code Scanning Tools • Fortify – by HP • Rational AppScan Source Edition – by IBM • Coverity Static Analysis – by Coverity • CxSuite – by Checkmarx • Yasca – by OWASP • Veracode binary analysis – Veracode • (Veracode uses a different methodology than other scanners)
Client Side Web Proxies • Paros - http://www.parosproxy.org/(Free version no longer maintained) • Burp Suite - http://portswigger.net/ • WebScarab NG - https://www.owasp.org/index.php/OWASP_WebScarab_NG_Project • Charles Proxy - www.charlesproxy.com/ • Browser Plugins: • Internet Explorer: Fiddler • Firefox: Tamper Data
Paros Proxy Paros Proxy is a security scanning tool. Through Paros's proxy all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.
W3AF by OWASP Web application attack and audit framework
IBM Rational App Scan Commercial Scanning Tool
IBM Rational App Scan Interface Online Risk Mitigation and Compliance Solutions
Web Inspect Commercial Scanning Tool
Summary • Over 90% of ecommerce PCI breaches are from application flaws • Application security is not a percentage game. One missed flaw is all it takes • Vulnerabilities can come from more than one avenue: • Acquisitions • Old or dead code • Third-party libraries