1 / 34

Security Scanning

OWASP Education Computer based training. Security Scanning. Nishi Kumar IT Architect Specialist Chair, Software Security Forum FIS OWASP CBT Project Lead OWASP Global Industry Committee Nishi.Kumar@owasp.org Contributor and Reviewer Keith Turpin . Objectives.

kaili
Download Presentation

Security Scanning

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OWASP Education Computer based training Security Scanning Nishi Kumar IT Architect Specialist Chair, Software Security Forum FIS OWASP CBT Project Lead OWASP Global Industry Committee Nishi.Kumar@owasp.org Contributor and Reviewer Keith Turpin

  2. Objectives • Understand different offerings available to find vulnerabilities • Learn pros and cons of those offerings • Know about some open source and commercial scanning tools

  3. Industry Application Security Offerings • Automated • Dynamic web application interface scanning • Static code scanning • Web app firewalls • Intrusion Prevention Systems (IPS) • Manual • Application penetration test • Code review

  4. Automated vs. Manual: Advantages • Advantages of automated solutions • Low incremental cost • Minimal training • Potentially 24/7 protection • Advantages of manual solutions • No false positives • Guaranteed code coverage • Ability to identify complex vulnerabilities • Understand business logic • Acts like a determined attacker • Can combine vulnerabilities

  5. What Automated Solutions Miss • Theoretical • Logic flaws (business and application) • Design flaws • Practical • Difficulty interacting with Rich Internet Applications • Complex variants of common attacks (SQL Injection, XSS, etc) • Cross-Site Request Forgery (CSRF) • Uncommon or custom infrastructure • Abstract information leakage

  6. Conducting the Assessment • If you are using automated scanning tools, beware of false positives and negatives • Pattern recognition has limitations • Combine various testing methods • Automated scanning • Code review • Manual testing • Learn what tools do and do not do well • Validate every finding • Keep detailed notes

  7. Commercial Dynamic Scanning Tools • Web Inspect – by HP • Rational AppScan – by IBM • Acunetix WVS – by Acunetix • Hailstorm – by Cenzic • NTOSpider – by NT OBJECTives

  8. Open Source and Low Cost Scanners • W3af - http://w3af.sourceforge.net/ • Burp Suite - http://portswigger.net/ • Grendel Scan - http://grendel-scan.com/ • Wapiti - http://wapiti.sourceforge.net/ • Arachni - http://zapotek.github.com/arachni/ • Skipfish - http://code.google.com/p/skipfish/ • Paros - http://www.parosproxy.org/(Free version no longer maintained)

  9. Code Scanning Tools • Fortify – by HP • Rational AppScan Source Edition – by IBM • Coverity Static Analysis – by Coverity • CxSuite – by Checkmarx • Yasca – by OWASP • Veracode binary analysis – Veracode • (Veracode uses a different methodology than other scanners)

  10. Client Side Web Proxies • Paros - http://www.parosproxy.org/(Free version no longer maintained) • Burp Suite - http://portswigger.net/ • WebScarab NG - https://www.owasp.org/index.php/OWASP_WebScarab_NG_Project • Charles Proxy - www.charlesproxy.com/ • Browser Plugins: • Internet Explorer: Fiddler • Firefox: Tamper Data

  11. Paros Proxy Paros Proxy is a security scanning tool. Through Paros's proxy all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

  12. Paros Proxy- Interface

  13. Paros Proxy- Options Dialog

  14. Paros Proxy- Reporting

  15. W3AF by OWASP Web application attack and audit framework

  16. W3af - Web application attack and audit framework

  17. W3af - Web application attack and audit framework

  18. W3af - Exploit

  19. IBM Rational App Scan Commercial Scanning Tool

  20. IBM Rational App Scan Interface Online Risk Mitigation and Compliance Solutions

  21. Scan Configuration – URL and server

  22. Scan Configuration – Login Management

  23. Scan Configuration – Test Policy

  24. Scan Configuration – Complete

  25. Reporting Industry Standard

  26. Reporting Industry Standard

  27. Web Inspect Commercial Scanning Tool

  28. Scan mode

  29. Audit Policy

  30. Requester Thread

  31. Http Parsing

  32. Report Type

  33. Summary • Over 90% of ecommerce PCI breaches are from application flaws • Application security is not a percentage game. One missed flaw is all it takes • Vulnerabilities can come from more than one avenue: • Acquisitions • Old or dead code • Third-party libraries

More Related