presentation on vulnerability analysis
DESCRIPTION
This is a presentation on the vulnerability-analysis paper that is passed as reference.
TRANSCRIPT
SAVI: Static-Analysis Vulnerability Indicator
JAMES WALDEN AND MAUREEN DOYLE
NORTHERN KENTUCKY UNIVERSITY
PRESENTED BY: ASIF IMRAN (MSSE0119), JOBAER ISLAM KHAN (MSSE0109)
Addressed Problem
Web applications are frequently the target of attackers [1]
Web applications are the largest source of security vulnerabilities [1]
Identity theft, phishing, malware, etc. erode trust and cause financial loss [2]
Proposed Solution
Static analysis of source code to detect vulnerabilities of web applications.
SAVI: Static-Analysis Vulnerability Indicator
Combines several static-analysis results
Ranks vulnerability of Web Applications
Sources of vulnerability count
Vulnerability repositories [2]:
National Vulnerability Database (NVD)
Microsoft Security Bulletins
Drupal Security Advisories
Output of static-analysis tools
Output of security-focused dynamic-analysis tools
Note: each source type comprises many sources, with different vulnerability databases and analysis tools
An application's vulnerability history can be obtained from the reporting databases
Vulnerability Detection Techniques
Static Analysis: static-analysis tools find an application's current vulnerabilities by evaluating its source code without executing it.
Example: Fortify SCA
Reduce business risk by identifying vulnerabilities that pose the biggest threat
Identify and remove exploitable vulnerabilities quickly with a repeatable process
Reduce development cost by identifying vulnerabilities early in the SDLC
Educate developers in secure coding practices while they work
Advantages
1. Find vulnerabilities objectively
2. Find vulnerabilities rapidly
Disadvantages
1. Produce false negatives
2. Produce false positives
Vulnerability Detection Techniques
[cont]
Dynamic Analysis: identify vulnerabilities in running Web
applications
Examples: Veracode-DA
Advantages
1. Simulates a malicious user by attacking and probing
2. Independent of programming languages
Disadvantages
1. Increased effort
2. False positives and false negatives
False positives and False negatives
False negatives occur when tools don’t report existing security bugs
False positives occur when tools report vulnerabilities that do not exist
Triaging: Manually auditing source code to identify false positives [3]
By manually auditing enough results, a security team can predict the rate at which false positives and false negatives occur for a given project and extrapolate the number of true positives from a set of raw results [3].
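As an added illustration of the triage extrapolation described on this slide (this is example code, not the paper's or Coverity's), the script below takes raw finding counts per category, the result of a manual audit of a sample from each category, and a list of known vulnerabilities, and estimates the false-positive rate, the number of true positives among the raw results, and the false-negative rate. All numbers are constructed; the assumption that the audited sample is representative of its category, and the per-category versus pooled extrapolation, are the example's own choices.

```ruby
# Added example (not from the paper): extrapolating true positives from a
# manually triaged sample of static-analysis results.
# Rational arithmetic keeps the rates exact, so rounding only happens once.

# Constructed raw output of a static-analysis run: findings per category.
RAW_COUNTS = {
  "SQL Injection"        => 40,
  "Cross-Site Scripting" => 300,
  "Poor Error Handling"  => 160,
}.freeze

# Constructed audit log: how many findings per category a reviewer examined
# by hand, and how many of those turned out to be real bugs.
AUDIT = {
  "SQL Injection"        => { audited: 10, true_positives: 3 },
  "Cross-Site Scripting" => { audited: 20, true_positives: 6 },
  "Poor Error Handling"  => { audited: 10, true_positives: 1 },
}.freeze

# Constructed ground truth: identifiers of previously reported vulnerabilities
# in this code base, and which of them the tool actually flagged.
KNOWN_VULNS   = %w[V-001 V-002 V-003 V-004 V-005 V-006 V-007 V-008 V-009 V-010].freeze
FLAGGED_KNOWN = %w[V-001 V-002 V-004 V-005 V-007 V-008 V-010].freeze

# Share of audited findings that were not real bugs, as an exact Rational.
def false_positive_rate(audited:, true_positives:)
  raise ArgumentError, "nothing audited, rate is undefined" if audited.zero?
  raise ArgumentError, "more true positives than audited findings" if true_positives > audited
  1 - Rational(true_positives, audited)
end

# Scale the audited true-positive share up to the full raw result set.
def extrapolate_true_positives(raw_count, fp_rate)
  (raw_count * (1 - fp_rate)).round
end

# Per-category extrapolation: tool categories differ a lot in precision,
# so each category uses its own audited rate. A category that was never
# audited cannot be extrapolated and is reported as an error.
def per_category_estimates(raw_counts, audit)
  raw_counts.to_h do |category, raw|
    sample = audit.fetch(category) { raise ArgumentError, "no audit sample for #{category}" }
    [category, extrapolate_true_positives(raw, false_positive_rate(**sample))]
  end
end

# Pooled extrapolation: one rate across all categories. Cheaper to compute,
# but it lets a large noisy category distort the estimate for a small one.
def pooled_estimate(raw_counts, audit)
  audited = audit.values.sum { |s| s[:audited] }
  tps     = audit.values.sum { |s| s[:true_positives] }
  rate    = false_positive_rate(audited: audited, true_positives: tps)
  extrapolate_true_positives(raw_counts.values.sum, rate)
end

# False negatives need an outside reference: the known vulnerabilities the
# tool failed to report, relative to all known vulnerabilities.
def false_negative_rate(known_ids, flagged_ids)
  raise ArgumentError, "no known vulnerabilities to compare against" if known_ids.empty?
  Rational((known_ids - flagged_ids).size, known_ids.size)
end

if __FILE__ == $PROGRAM_NAME
  per_category_estimates(RAW_COUNTS, AUDIT).each do |category, estimate|
    puts format("%-22s raw=%4d  est. true positives=%4d", category, RAW_COUNTS[category], estimate)
  end
  puts "per-category total: #{per_category_estimates(RAW_COUNTS, AUDIT).values.sum}"
  puts "pooled estimate:    #{pooled_estimate(RAW_COUNTS, AUDIT)}"
  puts "false-negative rate: #{false_negative_rate(KNOWN_VULNS, FLAGGED_KNOWN).to_f}"
end
```

With the constructed numbers the per-category and pooled estimates disagree (118 versus 125 true positives), which is the practical reason to audit and extrapolate per category rather than over the whole result set.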
Methodology
Static Analysis
Fast results
Current Bugs can be detected
Repeatability
Vulnerability repository: NVD, used to validate the predictions of the static-analysis metrics.
Correlation between static-analysis results and the vulnerabilities reported for the analyzed software in the future.
Methodology [cont]
Normalize vulnerability counts by code size
SAVD (Static Analysis Vulnerability Density)
NVD
Correlation between SAVD and NVD
SAVD [4]
Methodology [cont]
Open Source applications as test cases
Dokuwiki: wiki
Mediawiki: wiki
phpBB: web forum
phpMyAdmin: system administration
Squirrelmail: email client
Source code: PHP
Methodology [cont]
Fortify Source Code Analyzer (SCA)
Output in XML : vulnerability data
Custom Ruby scripts used to convert the vulnerability data and line counts into a form that could be analyzed with statistical software
29,000 LOC <= code size <= 162,000 LOC
180 seconds <= analysis time <= 3600 seconds
Core i5 processor and 8 GB of RAM
Results
17 <= NVD vulnerabilities <= 96
Dokuwiki : 17
PHPmyAdmin: 96
Results [cont]
SCA found 57,811 vulnerabilities
LOC: 1.5 million
PHPmyAdmin: 96
Results [cont]
Discussion
Context-independent metric: the applications have the same data, functionality and installation standards
SAVI indicates post-release vulnerability density.
SAVI lets organizations choose less vulnerable applications
Further investigation is required to determine whether similar results might hold for other application classes
Conclusion [cont]
The SAVD for each application version correlated significantly with the NVD vulnerability density for that version's year and subsequent years.
For example, the SAVD of a project for 2009 correlated with the project's NVD density for 2010 and 2011. This result means that static-analysis tools indicate an application's post-release vulnerability.
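The methodology slides describe converting static-analysis output and line counts into densities and correlating them with NVD data, and the conclusion states that a version's SAVD correlates with NVD density in the following years. The script below is an added example of that computation written here for this page; it is not the authors' Ruby tooling. It assumes SAVD is static-analysis findings per thousand lines of code (KLOC), that NVD density is NVD entries per KLOC, and that a Spearman rank correlation (computed from scratch, with ties sharing a mean rank) is used; the per-version rows, the `findings` and `nvd_next_year` fields, and all numbers are constructed, not measurements from the paper.

```ruby
# Added example (not the paper's code): SAVD and NVD densities per version,
# then the rank correlation between SAVD in year Y and NVD density in Y+1.
# Assumptions: density = count per KLOC; Spearman correlation with mean ranks
# for ties. All data below is constructed.

VERSIONS = [
  { app: "app-A", year: 2009, loc: 30_000,  findings: 600,  nvd_next_year: 3 },
  { app: "app-B", year: 2009, loc: 50_000,  findings: 1500, nvd_next_year: 10 },
  { app: "app-C", year: 2009, loc: 80_000,  findings: 1200, nvd_next_year: 4 },
  { app: "app-D", year: 2009, loc: 120_000, findings: 3000, nvd_next_year: 9 },
  { app: "app-E", year: 2009, loc: 160_000, findings: 1600, nvd_next_year: 8 },
].freeze

# Count per thousand lines of code; a zero or negative line count is a data error.
def density_per_kloc(count, loc)
  raise ArgumentError, "line count must be positive" unless loc.positive?
  count * 1000.0 / loc
end

# 1-based ranks of the values; tied values share the mean of their positions,
# which is what makes the correlation below a proper Spearman coefficient.
def ranks(values)
  order = values.each_with_index.sort_by { |v, _i| v }   # [[value, original_index], ...]
  out = Array.new(values.size)
  i = 0
  while i < order.size
    j = i
    j += 1 while j + 1 < order.size && order[j + 1][0] == order[i][0]
    mean_rank = (i + j) / 2.0 + 1
    (i..j).each { |k| out[order[k][1]] = mean_rank }
    i = j + 1
  end
  out
end

# Pearson correlation; returns 0.0 when one series is constant (undefined otherwise).
def pearson(x, y)
  raise ArgumentError, "series must have equal, non-zero length" if x.size != y.size || x.empty?
  mx = x.sum / x.size.to_f
  my = y.sum / y.size.to_f
  cov = x.zip(y).sum { |a, b| (a - mx) * (b - my) }
  sx = Math.sqrt(x.sum { |a| (a - mx)**2 })
  sy = Math.sqrt(y.sum { |b| (b - my)**2 })
  return 0.0 if sx.zero? || sy.zero?
  cov / (sx * sy)
end

# Spearman's rho is Pearson's r computed on the ranks.
def spearman(x, y)
  pearson(ranks(x), ranks(y))
end

# Attach SAVD and next-year NVD density to each version row.
def savd_table(rows)
  rows.map do |r|
    r.merge(savd: density_per_kloc(r[:findings], r[:loc]),
            nvd_density: density_per_kloc(r[:nvd_next_year], r[:loc]))
  end
end

# The quantity the paper's conclusion is about: how well SAVD in one year
# ranks applications by NVD density in the following year.
def savd_nvd_correlation(rows)
  t = savd_table(rows)
  spearman(t.map { |r| r[:savd] }, t.map { |r| r[:nvd_density] })
end

if __FILE__ == $PROGRAM_NAME
  savd_table(VERSIONS).each do |r|
    puts format("%-6s %d  SAVD=%6.2f/KLOC  NVD(%d)=%6.3f/KLOC",
                r[:app], r[:year], r[:savd], r[:year] + 1, r[:nvd_density])
  end
  puts format("Spearman rho(SAVD, next-year NVD density) = %.3f", savd_nvd_correlation(VERSIONS))
end
```

A practitioner reproducing the study would replace `VERSIONS` with one row per application version, with `findings` taken from the static-analysis report and `nvd_next_year` from the NVD entries dated the year after the version's release; rank correlation is used deliberately because the densities are far from normally distributed and only the ordering of applications matters for choosing the less vulnerable one.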
References
[1] M. Gegick and L. Williams, “Toward the Use of Automated Static Analysis Alerts for Early Identification of Vulnerability- and Attack-Prone Components,” Proc. 2nd Int’l Conf. Internet Monitoring and Protection (ICIMP 07), IEEE CS, 2007, p. 18.
[2] M. Gegick et al., “Prioritizing Software Security Fortification through Code-Level Metrics,” Proc. 4th ACM Workshop Quality of Protection (QoP 08), ACM, 2008, pp. 31–38.
[3] “Coverity Scan: 2010 Open Source Integrity Report,” Coverity, 1 Nov. 2010; www.coverity.com/library/pdf/coverity-scan-2010-open-source-integrity-report.pdf.
[4] http://www.informit.com/articles/article.aspx?p=768662&seqNum=3
Thank You