Security Scanning
The OWASP Foundation
http://www.owasp.org
OWASP Education
Computer based training
Security Scanning
Nishi Kumar
IT Architect Specialist
Chair, Software Security Forum FIS
OWASP CBT Project Lead
OWASP Global Industry Committee
[email protected]
Contributor and Reviewer: Keith Turpin
Objectives
Understand different offerings available to find vulnerabilities
Learn pros and cons of those offerings
Know about some open source and commercial scanning tools
Industry Application Security Offerings
Automated
Dynamic web application interface scanning
Static code scanning
Web app firewalls
Intrusion Prevention Systems (IPS)
Manual
Application penetration test
Code review
Automated vs. Manual: Advantages
Advantages of automated solutions
Low incremental cost
Minimal training
Potentially 24/7 protection
Advantages of manual solutions
No false positives
Guaranteed code coverage
Ability to identify complex vulnerabilities
Understand business logic
Acts like a determined attacker
Can combine vulnerabilities
What Automated Solutions Miss
Theoretical
Logic flaws (business and application)
Design flaws
Practical
Difficulty interacting with Rich Internet Applications
Complex variants of common attacks (SQL Injection, XSS, etc.)
Cross-Site Request Forgery (CSRF)
Uncommon or custom infrastructure
Abstract information leakage
Conducting the Assessment
If you are using automated scanning tools, beware of false positives and negatives
Pattern recognition has limitations
Combine various testing methods: automated scanning, code review, manual testing
Learn what tools do and do not do well
Validate every finding
Keep detailed notes
Commercial Dynamic Scanning Tools
Web Inspect – by HP
Rational AppScan – by IBM
Acunetix WVS – by Acunetix
Hailstorm – by Cenzic
NTOSpider – by NT OBJECTives
Open Source and Low Cost Scanners
W3af - http://w3af.sourceforge.net/
Burp Suite - http://portswigger.net/
Grendel Scan - http://grendel-scan.com/
Wapiti - http://wapiti.sourceforge.net/
Arachni - http://zapotek.github.com/arachni/
Skipfish - http://code.google.com/p/skipfish/
Paros - http://www.parosproxy.org/ (Free version no longer maintained)
Code Scanning Tools
Fortify – by HP
Rational AppScan Source Edition – by IBM
Coverity Static Analysis – by Coverity
CxSuite – by Checkmarx
Yasca – by OWASP
Veracode binary analysis – by Veracode (Veracode uses a different methodology than other scanners)
Client Side Web Proxies
Paros - http://www.parosproxy.org/ (Free version no longer maintained)
Burp Suite - http://portswigger.net/
WebScarab NG - https://www.owasp.org/index.php/OWASP_WebScarab_NG_Project
Charles Proxy - www.charlesproxy.com/
Browser Plugins:
Internet Explorer: Fiddler
Firefox: Tamper Data
Paros Proxy
Paros Proxy is a security scanning tool. Through Paros's proxy all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.
Paros Proxy - Interface
Paros Proxy - Options Dialog
Paros Proxy - Reporting
W3AF by OWASP
Web application attack and audit framework
W3af - Web application attack and audit framework
W3af - Exploit
IBM Rational AppScan
Commercial Scanning Tool
IBM Rational AppScan Interface
Online Risk Mitigation and Compliance Solutions
Scan Configuration – URL and server
Scan Configuration – Login Management
Scan Configuration – Test Policy
Scan Configuration – Complete
Reporting Industry Standard
Web Inspect
Commercial Scanning Tool
Scan mode
Audit Policy
Requester Thread
HTTP Parsing
Report Type
Summary
Over 90% of ecommerce PCI breaches are from application flaws
Application security is not a percentage game. One missed flaw is all it takes.
Vulnerabilities can come from more than one avenue:
Acquisitions
Old or dead code
Third-party libraries