SlideShare une entreprise Scribd logo

Benchmarking Web Application Scanners for YOUR Organization

Denim Group
Denim Group

Web applications pose significant risks for organizations. The selection of an appropriate scanning product or service can be challenging because every organization develops their web applications differently and decisions made by developers can cause wide swings in the value of different scanning technologies. To make a solid, informed decision, organizations need to create development team- and organization-specific benchmarks for the effectiveness of potential scanning technologies. This involves creating a comprehensive model of false positives, false negatives and other factors prior to mandating analysis technologies and making decisions about application risk management. This presentation provides a model for evaluating application analysis technologies, introduces an open source tool for benchmarking and comparing tool effectiveness, and outlines a process for making organization-specific decisions about analysis technology selection.

Technologie
1  sur  35
Télécharger pour lire hors ligne
Benchmarking Web Application Scanners for YOUR Organization Dan Cornell! CTO, Denim Group! @danielcornell © Copyright 2012 Denim Group - All Rights Reserved
My Background •  Dan Cornell, founder and CTO of Denim Group •  Software developer by background (Java, .NET, etc) •  OWASP San Antonio, Global Membership Committee © Copyright 2012 Denim Group - All Rights Reserved 2
Denim Group Background •  Secure software services and products company –  Builds secure software –  Helps organizations assess and mitigate risk of in-house developed and third party software –  Provides classroom training and e-Learning so clients can build software securely •  Software-centric view of application security –  Application security experts are practicing developers –  Development pedigree translates to rapport with development managers –  Business impact: shorter time-to-fix application vulnerabilities •  Culture of application security innovation and contribution –  Develops open source tools to help clients mature their software security programs •  Remediation Resource Center, ThreadFix –  OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI –  World class alliance partners accelerate innovation to solve client problems © Copyright 2012 Denim Group - All Rights Reserved 3
What Do You Want From a Scanner? •  Coverage •  Low False Positives •  Low False Negatives © Copyright 2012 Denim Group - All Rights Reserved 4
Scanner Coverage •  You can’t test what you can’t see •  How effective is the scanner’s crawler? •  How are URLs mapped to functionality? –  RESTful –  Parameters •  Possible issues: –  Login routines –  Multi-step processes –  Anti-CSRF protection © Copyright 2012 Denim Group - All Rights Reserved 5
Are You Getting a Good Scan? Large financial firm: “Our 500 page website is secure because the scanner did not find any vulnerabilities!” Me: “Did you teach the scanner to log in so that it can see more than just the homepage?” Large financial firm: “…” © Copyright 2012 Denim Group - All Rights Reserved 6
Can Your Scanner Do This? •  Two-step login procedure: –  Enter username / password (pretty standard) –  Enter answer to one of several arbitrary questions •  Challenge was that the parameter indicating the question was dynamic –  Question_1, Question_2, Question_3, and so on –  Makes standard login recording ineffective © Copyright 2012 Denim Group - All Rights Reserved 7
It All Started With A Simple Blog Post… •  Ran into an application with a complicated login procedure •  Wrote blog post about the toolchain used to solve the problem –  http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling- complicated-logins-with-appscan-and-burp-suite.html •  Other scanner teams responded: –  IBM Rational AppScan •  http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated- logins-with-appscan-only.html –  HP WebInspect •  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-hp- webinspect.html –  Mavituna Security Netsparker •  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-mavituna- netsparker.html –  NTObjectives NTOSpider •  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-ntospider.html © Copyright 2012 Denim Group - All Rights Reserved 8
Scanner Authentication Scenario Examples •  Built as a response to the previously-mentioned blog conversation •  Example implementations of different login routines –  How can different scanners be configured to successfully scan? •  GitHub site: –  https://github.com/denimgroup/authexamples © Copyright 2012 Denim Group - All Rights Reserved 9
Did I Get a Good Scan? •  Scanner training is really important –  Read the Larry Suto reports… •  Must sanity-check the results of your scans •  What URLs were accessed? –  If only two URLs were accessed on a 500 page site, you probably have a bad scan –  If 5000 URLs were accessed on a five page site, you probably have a bad scan •  What vulnerabilities were found and not found? –  Scan with no vulnerabilities – probably not a good scan –  Scan with excessive vulnerabilities – possibly a lot of false positives © Copyright 2012 Denim Group - All Rights Reserved 10
Low False Positives •  Reports of vulnerabilities that do not actually exist •  How “touchy” is the scanner’s testing engine? •  Why are they bad? –  Take time to manually review and filter out –  Can lead to wasted remediation time © Copyright 2012 Denim Group - All Rights Reserved 11
Low False Negatives •  Scanner failing to report vulnerabilities that do exist •  How effective is the scanner’s testing engine? •  Why are they bad? –  You are exposed to risks you do not know about –  You expect that the scanner would have found certain classes of vulnerabilities •  What vulnerability classes do you think scanners will find? © Copyright 2012 Denim Group - All Rights Reserved 12
Other Benchmarking Efforts •  Larry Suto’s 2007 and 2010 reports –  Analyzing the Accuracy and Time Costs of Web Application Security Standards –  http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf –  Vendor reactions were … varied –  [Ofer Shezaf attended this talk at AppSecEU 2012 and had some great questions and comments. See his reactions to the latest Larry Suto scanner report here : http://www.xiom.com/2010/02/09/wafs-are-not-perfect-any-security-tool-perfect ] •  Shay Chen’s Blog and Site –  http://sectooladdict.blogspot.com/ –  http://www.sectoolmarket.com/ •  Web Application Vulnerability Scanner Evaluation Project (wavsep) –  http://code.google.com/p/wavsep/ © Copyright 2012 Denim Group - All Rights Reserved 13
So I Should Just Buy the Best Scanner, Right? •  Or the cheapest? •  Well… –  What do you mean by “best”? •  Follow-on questions –  How well do the scanners work on your organization’s applications? –  How many false positives are you willing to deal with? –  What depth and breadth of coverage do you need? © Copyright 2012 Denim Group - All Rights Reserved 14
ThreadFix - Overview •  ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems. •  Freely available under the Mozilla Public License (MPL) •  Hosted at Google Code: http://code.google.com/p/threadfix/ © Copyright 2012 Denim Group - All Rights Reserved 15
What is a Unique Vulnerability? •  (CWE, Relative URL) –  Predictable resource location –  Directory listing misconfiguration •  (CWE, Relative URL, Injection Point) –  SQL injection –  Cross-site Scripting (XSS) •  Injection points –  Parameters – GET/POST –  Cookies –  Other headers © Copyright 2012 Denim Group - All Rights Reserved 16
What Do The Scanner Results Look Like? •  Usually XML –  Skipfish uses JSON and gets packaged as a ZIP •  Scanners have different concepts of what a “vulnerability” is –  We normalize to the (CWE, location, [injection point]) noted before •  Look at some example files •  Several vendors have been really helpful adding additional data to their APIs and file formats to accommodate requests © Copyright 2012 Denim Group - All Rights Reserved 17
Why Common Weakness Enumeration (CWE)? •  Every tool has their own “spin” on naming vulnerabilities •  OWASP Top 10 / WASC 24 are helpful but not comprehensive •  CWE is exhaustive (though a bit sprawling at times) •  Reasonably well-adopted standard •  Many tools have mappings to CWE for their results •  Main site: http://cwe.mitre.org/ © Copyright 2012 Denim Group - All Rights Reserved 18
Demo •  Unpack and install ThreadFix •  Use ThreadFix to normalize and report on the use of multiple scanning technologies on a given application •  Import multiple scans and de-duplicate the results •  These screenshots are based on UNTUNED scans and are NOT meant to show a real benchmark of these scanners – only the process © Copyright 2012 Denim Group - All Rights Reserved 19
Unzip the ThreadFix Package (like WebGoat!) © Copyright 2012 Denim Group - All Rights Reserved 20
Make threadfix.sh Executable © Copyright 2012 Denim Group - All Rights Reserved 21
Run ThreadFix Pre-Configured Tomcat Server © Copyright 2012 Denim Group - All Rights Reserved 22
Login to ThreadFix (“user” and “password”) © Copyright 2012 Denim Group - All Rights Reserved 23
Upload Various Scan Results Files © Copyright 2012 Denim Group - All Rights Reserved 24
This Vulnerability Found By Three Scanners © Copyright 2012 Denim Group - All Rights Reserved 25
Mark False Positives (wavsep Uses “FalsePositives” In the URL…) © Copyright 2012 Denim Group - All Rights Reserved 26
Summary Report – Found, Not Found, False Positives (Again – NOT Based on Tuned Scans) © Copyright 2012 Denim Group - All Rights Reserved 27
Report By Vulnerability Type © Copyright 2012 Denim Group - All Rights Reserved 28
Detail Report Can Be Used To Error-Check Merge Process © Copyright 2012 Denim Group - All Rights Reserved 29
Current Limitations •  Vulnerability importers are not currently formally vendor-supported –  Though a number have helped us test and refine them (thanks!) –  After you get a good scan make sure you also got a good import •  Summary report should show data by severity rating –  Make it easier to focus on vulnerabilities you probably care more about –  But you can look at the data by vulnerability type © Copyright 2012 Denim Group - All Rights Reserved 30
Try This At Home, Kids •  Pick some applications to test –  Representative sample for your organization –  Common languages, frameworks •  Run scans with the targeted scanning technologies –  Make sure you get good scans: login, other state-based issues –  If you train the scans (always a good idea) be consistent •  Import the scans into ThreadFix –  Make sure you’re happy with the import •  Run some reports © Copyright 2012 Denim Group - All Rights Reserved 31
You Know What Would Make All This Way Easier? •  Common data standards for scanning tools! •  Current efforts: –  MITRE Software Assurance Findings Expression Schema (SAFES) •  http://www.mitre.org/work/tech_papers/ 2012/11_3671/ –  OWASP Data Exchange Format Project •  https://www.owasp.org/index.php/ OWASP_Data_Exchange_Format_Project © Copyright 2012 Denim Group - All Rights Reserved 32
Simple Software Vulnerability Language (SSVL) •  Common way to represent static and dynamic scanner findings •  Based on our experience building importers for ThreadFix –  It “works” for real-world applications because we are essentially using it •  Love to hear feedback –  Send me a request and I can share the document for editing/annotation •  Online: –  https://docs.google.com/document/d/ 1H5hWUdj925TtoZ7ZvnfHdFABe7hBCGuZtLUas29yBGI/edit?pli=1 –  Or http://tinyurl.com/cslqv47 © Copyright 2012 Denim Group - All Rights Reserved 33
Simple Software Vulnerability Language (SSVL) © Copyright 2012 Denim Group - All Rights Reserved 34
Questions Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com www.denimgroup.com/threadfix code.google.com/p/threadfix (210) 572-4400 © Copyright 2012 Denim Group - All Rights Reserved 35

Recommandé

Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
Denim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Denim Group
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
Denim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
Denim Group
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?
Denim Group
 

Recommandé

Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
Denim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Denim Group
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
Denim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
Denim Group
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?
Denim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
Denim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
Denim Group
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb Apps
Denim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
Denim Group
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
Denim Group
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
Denim Group
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
Denim Group
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
Denim Group
 
Chapter No:3 Web Productivity Measurement and Benchmarking
Chapter No:3 Web Productivity Measurement and BenchmarkingChapter No:3 Web Productivity Measurement and Benchmarking
Chapter No:3 Web Productivity Measurement and Benchmarking
Softhat IT Solutions
 
Benchmarking and assessing your web strategy
Benchmarking and assessing your web strategyBenchmarking and assessing your web strategy
Benchmarking and assessing your web strategy
lisamarieram
 

Contenu connexe

Tendances

Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
Denim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb Apps
Denim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
Denim Group
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
Denim Group
 

Tendances (20)

RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb Apps
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
 

En vedette

Benchmarking and assessing your web strategy
Benchmarking and assessing your web strategyBenchmarking and assessing your web strategy
Benchmarking and assessing your web strategy
lisamarieram
 
Benchmarking Web Accessibility Evaluation Tools: Measuring the Harm of Sole R...
Benchmarking Web Accessibility Evaluation Tools: Measuring the Harm of Sole R...Benchmarking Web Accessibility Evaluation Tools: Measuring the Harm of Sole R...
Benchmarking Web Accessibility Evaluation Tools: Measuring the Harm of Sole R...
Markel Vigo
 
Case competitive benchmarking
Case competitive benchmarkingCase competitive benchmarking
Case competitive benchmarking
Nandeep Nagarkar
 

En vedette (6)

Chapter No:3 Web Productivity Measurement and Benchmarking
Chapter No:3 Web Productivity Measurement and BenchmarkingChapter No:3 Web Productivity Measurement and Benchmarking
Chapter No:3 Web Productivity Measurement and Benchmarking
 
Benchmarking and assessing your web strategy
Benchmarking and assessing your web strategyBenchmarking and assessing your web strategy
Benchmarking and assessing your web strategy
 
Benchmarking Web Accessibility Evaluation Tools: Measuring the Harm of Sole R...
Benchmarking Web Accessibility Evaluation Tools: Measuring the Harm of Sole R...Benchmarking Web Accessibility Evaluation Tools: Measuring the Harm of Sole R...
Benchmarking Web Accessibility Evaluation Tools: Measuring the Harm of Sole R...
 
Web Analytics Benchmarking Solution
Web Analytics Benchmarking SolutionWeb Analytics Benchmarking Solution
Web Analytics Benchmarking Solution
 
Case competitive benchmarking
Case competitive benchmarkingCase competitive benchmarking
Case competitive benchmarking
 
UserZoom Webinar: How to Conduct Web Customer Experience Benchmarking
UserZoom Webinar: How to Conduct Web Customer Experience BenchmarkingUserZoom Webinar: How to Conduct Web Customer Experience Benchmarking
UserZoom Webinar: How to Conduct Web Customer Experience Benchmarking
 

Similaire à Benchmarking Web Application Scanners for YOUR Organization

Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
Denim Group
 
Dan Cornell - The Real Cost of Software Remediation
Dan Cornell - The Real Cost of Software RemediationDan Cornell - The Real Cost of Software Remediation
Dan Cornell - The Real Cost of Software Remediation
Source Conference
 
Rolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review ProgramRolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review Program
Denim Group
 
Best practices for using open source software in the enterprise
Best practices for using open source software in the enterpriseBest practices for using open source software in the enterprise
Best practices for using open source software in the enterprise
Marcel de Vries
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
Amazon Web Services
 

Similaire à Benchmarking Web Application Scanners for YOUR Organization (20)

Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalThread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final Final
 
WE-06-Testing.ppt
WE-06-Testing.pptWE-06-Testing.ppt
WE-06-Testing.ppt
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Dan Cornell - The Real Cost of Software Remediation
Dan Cornell - The Real Cost of Software RemediationDan Cornell - The Real Cost of Software Remediation
Dan Cornell - The Real Cost of Software Remediation
 
Real Cost of Software Remediation
Real Cost of Software RemediationReal Cost of Software Remediation
Real Cost of Software Remediation
 
Rolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review ProgramRolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review Program
 
Best practices for using open source software in the enterprise
Best practices for using open source software in the enterpriseBest practices for using open source software in the enterprise
Best practices for using open source software in the enterprise
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Mobile Browser Content Handling
Mobile Browser Content HandlingMobile Browser Content Handling
Mobile Browser Content Handling
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon Lietz
 
SOA: What It Means To The Enterprise
SOA: What It Means To The EnterpriseSOA: What It Means To The Enterprise
SOA: What It Means To The Enterprise
 
USG Rock Eagle 2017 - PWP at 1000 Days
USG Rock Eagle 2017 - PWP at 1000 DaysUSG Rock Eagle 2017 - PWP at 1000 Days
USG Rock Eagle 2017 - PWP at 1000 Days
 
Securing a Moving Target
Securing a Moving TargetSecuring a Moving Target
Securing a Moving Target
 
Oracle ADF Architecture TV - Design - Designing for Security
Oracle ADF Architecture TV - Design - Designing for SecurityOracle ADF Architecture TV - Design - Designing for Security
Oracle ADF Architecture TV - Design - Designing for Security
 
E2 Labs: ADVANCED PROGRAM ON: THE SECURITY OF A WEBSITE
E2 Labs: ADVANCED PROGRAM ON: THE SECURITY OF A WEBSITEE2 Labs: ADVANCED PROGRAM ON: THE SECURITY OF A WEBSITE
E2 Labs: ADVANCED PROGRAM ON: THE SECURITY OF A WEBSITE
 
Twelve Factor - Designing for Change
Twelve Factor - Designing for ChangeTwelve Factor - Designing for Change
Twelve Factor - Designing for Change
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 

Plus de Denim Group

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
 

Plus de Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Dernier

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Dernier (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Benchmarking Web Application Scanners for YOUR Organization

  • 1. Benchmarking Web Application Scanners for YOUR Organization Dan Cornell! CTO, Denim Group! @danielcornell © Copyright 2012 Denim Group - All Rights Reserved
  • 2. My Background •  Dan Cornell, founder and CTO of Denim Group •  Software developer by background (Java, .NET, etc) •  OWASP San Antonio, Global Membership Committee © Copyright 2012 Denim Group - All Rights Reserved 2
  • 3. Denim Group Background •  Secure software services and products company –  Builds secure software –  Helps organizations assess and mitigate risk of in-house developed and third party software –  Provides classroom training and e-Learning so clients can build software securely •  Software-centric view of application security –  Application security experts are practicing developers –  Development pedigree translates to rapport with development managers –  Business impact: shorter time-to-fix application vulnerabilities •  Culture of application security innovation and contribution –  Develops open source tools to help clients mature their software security programs •  Remediation Resource Center, ThreadFix –  OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI –  World class alliance partners accelerate innovation to solve client problems © Copyright 2012 Denim Group - All Rights Reserved 3
  • 4. What Do You Want From a Scanner? •  Coverage •  Low False Positives •  Low False Negatives © Copyright 2012 Denim Group - All Rights Reserved 4
  • 5. Scanner Coverage •  You can’t test what you can’t see •  How effective is the scanner’s crawler? •  How are URLs mapped to functionality? –  RESTful –  Parameters •  Possible issues: –  Login routines –  Multi-step processes –  Anti-CSRF protection © Copyright 2012 Denim Group - All Rights Reserved 5
  • 6. Are You Getting a Good Scan? Large financial firm: “Our 500 page website is secure because the scanner did not find any vulnerabilities!” Me: “Did you teach the scanner to log in so that it can see more than just the homepage?” Large financial firm: “…” © Copyright 2012 Denim Group - All Rights Reserved 6
  • 7. Can Your Scanner Do This? •  Two-step login procedure: –  Enter username / password (pretty standard) –  Enter answer to one of several arbitrary questions •  Challenge was that the parameter indicating the question was dynamic –  Question_1, Question_2, Question_3, and so on –  Makes standard login recording ineffective © Copyright 2012 Denim Group - All Rights Reserved 7
  • 8. It All Started With A Simple Blog Post… •  Ran into an application with a complicated login procedure •  Wrote blog post about the toolchain used to solve the problem –  http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling- complicated-logins-with-appscan-and-burp-suite.html •  Other scanner teams responded: –  IBM Rational AppScan •  http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated- logins-with-appscan-only.html –  HP WebInspect •  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-hp- webinspect.html –  Mavituna Security Netsparker •  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-mavituna- netsparker.html –  NTObjectives NTOSpider •  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-ntospider.html © Copyright 2012 Denim Group - All Rights Reserved 8
  • 9. Scanner Authentication Scenario Examples •  Built as a response to the previously-mentioned blog conversation •  Example implementations of different login routines –  How can different scanners be configured to successfully scan? •  GitHub site: –  https://github.com/denimgroup/authexamples © Copyright 2012 Denim Group - All Rights Reserved 9
  • 10. Did I Get a Good Scan? •  Scanner training is really important –  Read the Larry Suto reports… •  Must sanity-check the results of your scans •  What URLs were accessed? –  If only two URLs were accessed on a 500 page site, you probably have a bad scan –  If 5000 URLs were accessed on a five page site, you probably have a bad scan •  What vulnerabilities were found and not found? –  Scan with no vulnerabilities – probably not a good scan –  Scan with excessive vulnerabilities – possibly a lot of false positives © Copyright 2012 Denim Group - All Rights Reserved 10
  • 11. Low False Positives •  Reports of vulnerabilities that do not actually exist •  How “touchy” is the scanner’s testing engine? •  Why are they bad? –  Take time to manually review and filter out –  Can lead to wasted remediation time © Copyright 2012 Denim Group - All Rights Reserved 11
  • 12. Low False Negatives •  Scanner failing to report vulnerabilities that do exist •  How effective is the scanner’s testing engine? •  Why are they bad? –  You are exposed to risks you do not know about –  You expect that the scanner would have found certain classes of vulnerabilities •  What vulnerability classes do you think scanners will find? © Copyright 2012 Denim Group - All Rights Reserved 12
  • 13. Other Benchmarking Efforts •  Larry Suto’s 2007 and 2010 reports –  Analyzing the Accuracy and Time Costs of Web Application Security Standards –  http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf –  Vendor reactions were … varied –  [Ofer Shezaf attended this talk at AppSecEU 2012 and had some great questions and comments. See his reactions to the latest Larry Suto scanner report here : http://www.xiom.com/2010/02/09/wafs-are-not-perfect-any-security-tool-perfect ] •  Shay Chen’s Blog and Site –  http://sectooladdict.blogspot.com/ –  http://www.sectoolmarket.com/ •  Web Application Vulnerability Scanner Evaluation Project (wavsep) –  http://code.google.com/p/wavsep/ © Copyright 2012 Denim Group - All Rights Reserved 13
  • 14. So I Should Just Buy the Best Scanner, Right? •  Or the cheapest? •  Well… –  What do you mean by “best”? •  Follow-on questions –  How well do the scanners work on your organization’s applications? –  How many false positives are you willing to deal with? –  What depth and breadth of coverage do you need? © Copyright 2012 Denim Group - All Rights Reserved 14
  • 15. ThreadFix - Overview •  ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems. •  Freely available under the Mozilla Public License (MPL) •  Hosted at Google Code: http://code.google.com/p/threadfix/ © Copyright 2012 Denim Group - All Rights Reserved 15
  • 16. What is a Unique Vulnerability? •  (CWE, Relative URL) –  Predictable resource location –  Directory listing misconfiguration •  (CWE, Relative URL, Injection Point) –  SQL injection –  Cross-site Scripting (XSS) •  Injection points –  Parameters – GET/POST –  Cookies –  Other headers © Copyright 2012 Denim Group - All Rights Reserved 16
  • 17. What Do The Scanner Results Look Like? •  Usually XML –  Skipfish uses JSON and gets packaged as a ZIP •  Scanners have different concepts of what a “vulnerability” is –  We normalize to the (CWE, location, [injection point]) noted before •  Look at some example files •  Several vendors have been really helpful adding additional data to their APIs and file formats to accommodate requests © Copyright 2012 Denim Group - All Rights Reserved 17
  • 18. Why Common Weakness Enumeration (CWE)? •  Every tool has their own “spin” on naming vulnerabilities •  OWASP Top 10 / WASC 24 are helpful but not comprehensive •  CWE is exhaustive (though a bit sprawling at times) •  Reasonably well-adopted standard •  Many tools have mappings to CWE for their results •  Main site: http://cwe.mitre.org/ © Copyright 2012 Denim Group - All Rights Reserved 18
  • 19. Demo •  Unpack and install ThreadFix •  Use ThreadFix to normalize and report on the use of multiple scanning technologies on a given application •  Import multiple scans and de-duplicate the results •  These screenshots are based on UNTUNED scans and are NOT meant to show a real benchmark of these scanners – only the process © Copyright 2012 Denim Group - All Rights Reserved 19
  • 20. Unzip the ThreadFix Package (like WebGoat!) © Copyright 2012 Denim Group - All Rights Reserved 20
  • 21. Make threadfix.sh Executable © Copyright 2012 Denim Group - All Rights Reserved 21
  • 22. Run ThreadFix Pre-Configured Tomcat Server © Copyright 2012 Denim Group - All Rights Reserved 22
  • 23. Login to ThreadFix (“user” and “password”) © Copyright 2012 Denim Group - All Rights Reserved 23
  • 24. Upload Various Scan Results Files © Copyright 2012 Denim Group - All Rights Reserved 24
  • 25. This Vulnerability Found By Three Scanners © Copyright 2012 Denim Group - All Rights Reserved 25
  • 26. Mark False Positives (wavsep Uses “FalsePositives” In the URL…) © Copyright 2012 Denim Group - All Rights Reserved 26
  • 27. Summary Report – Found, Not Found, False Positives (Again – NOT Based on Tuned Scans) © Copyright 2012 Denim Group - All Rights Reserved 27
  • 28. Report By Vulnerability Type © Copyright 2012 Denim Group - All Rights Reserved 28
  • 29. Detail Report Can Be Used To Error-Check Merge Process © Copyright 2012 Denim Group - All Rights Reserved 29
  • 30. Current Limitations •  Vulnerability importers are not currently formally vendor-supported –  Though a number have helped us test and refine them (thanks!) –  After you get a good scan make sure you also got a good import •  Summary report should show data by severity rating –  Make it easier to focus on vulnerabilities you probably care more about –  But you can look at the data by vulnerability type © Copyright 2012 Denim Group - All Rights Reserved 30
  • 31. Try This At Home, Kids •  Pick some applications to test –  Representative sample for your organization –  Common languages, frameworks •  Run scans with the targeted scanning technologies –  Make sure you get good scans: login, other state-based issues –  If you train the scans (always a good idea) be consistent •  Import the scans into ThreadFix –  Make sure you’re happy with the import •  Run some reports © Copyright 2012 Denim Group - All Rights Reserved 31
  • 32. You Know What Would Make All This Way Easier? •  Common data standards for scanning tools! •  Current efforts: –  MITRE Software Assurance Findings Expression Schema (SAFES) •  http://www.mitre.org/work/tech_papers/ 2012/11_3671/ –  OWASP Data Exchange Format Project •  https://www.owasp.org/index.php/ OWASP_Data_Exchange_Format_Project © Copyright 2012 Denim Group - All Rights Reserved 32
  • 33. Simple Software Vulnerability Language (SSVL) •  Common way to represent static and dynamic scanner findings •  Based on our experience building importers for ThreadFix –  It “works” for real-world applications because we are essentially using it •  Love to hear feedback –  Send me a request and I can share the document for editing/annotation •  Online: –  https://docs.google.com/document/d/ 1H5hWUdj925TtoZ7ZvnfHdFABe7hBCGuZtLUas29yBGI/edit?pli=1 –  Or http://tinyurl.com/cslqv47 © Copyright 2012 Denim Group - All Rights Reserved 33
  • 34. Simple Software Vulnerability Language (SSVL) © Copyright 2012 Denim Group - All Rights Reserved 34
  • 35. Questions Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com www.denimgroup.com/threadfix code.google.com/p/threadfix (210) 572-4400 © Copyright 2012 Denim Group - All Rights Reserved 35