Automating Web Applications Security Assessments through Scanners

Agenda
- Motivation
- Web Scanners
- Web Scanners Evaluation
- Case Study

Motivation
- Lack of security awareness
- Organizations don't properly invest in security
- Critical programmers don't understand security issues
- Finish my master thesis....

Motivation (figure)

Testing Methods
- White box / Gray box: source code access and some kind of internal infrastructure knowledge
- Black box: testing with automatic tools (Web scanners); confirm the scanners' results; online access to the Web application

Web Scanners
- "Try" to find application vulnerabilities
- Perform pre-defined tests: active analysis through attack simulation
  - HTTP message manipulation
  - HTTP message inspection
  - Finding weird attributes
  - Fuzzing
  - Code analysis
  - ...
- Scan the Web application: content analysis, specifically crafted requests, results generation

Web Scanners
- Very important in some scenarios
- Point and shoot: scan, get vulnerabilities

Web Scanners (figure)

Web Scanners Evaluation
- NIST SAMATE: Software Assurance Metrics and Tools Evaluation
- WASSEC: Web Application Security Scanner Evaluation Criteria

Web Scanners Evaluation: NIST SAMATE
- Web application issues:
  - Technical vulnerabilities
  - Security vulnerabilities
  - Architectural/logical vulnerabilities
  - Other vulnerabilities
- 1st January 2010: no longer supported

Web Scanners Evaluation: WASSEC
- Protocol support
- Authentication
- Session management
- Crawling
- Parsing
- Testing
- Command and control
- Reporting
- <Customized>

Web Scanners Evaluation: complementary evaluation method
- Select a vulnerability to test
- Create exploitation levels based on the information on how to protect against it
- Explore the Web scanner's behavior for each level

Web Scanners Evaluation
- Ideally we would create a Web application to assess each level
- Optionally we can just use pre-defined available ones:
  - Cenzic
  - Watchfire
  - WebMaven / Buggy Bank
  - Updated HackmeBank
  - OWASP WebGoat
  - Stanford SecuriBench

Manual Analysis
- Why?
  - Vulnerability analysis
  - There are always false positives
  - Understand how to test it
- [For each vulnerability]
  - Impacts
  - Mitigation
  - Manual confirmation needed
  - Documentation
- [end]

Case Study
- Related to my master thesis
- 17 real Web applications: government, education, other relevant service providers

Case Study
- Choose Web scanners
- Apply Web scanners to Web applications
- Evaluate results

Case Study: Choose Web Scanners
- Overall Web scanner discovery in the open source community
- Discard the less accepted Web scanners
- Apply customized WASSEC

Case Study: Choose Web Scanners
- Overall Web scanner discovery in the open source community: Grabber, Grendel-Scan, Paros Proxy, Powerfuzzer, SecurityQA Toolbar, Skipfish, W3AF, Wapiti, Watcher, Websecurify, Netsparker, OpenAcunetix, RatProxy

Case Study: Choose Web Scanners
- Discard the less accepted Web scanners (from the same list): Grabber, Grendel-Scan, Paros Proxy, Powerfuzzer, SecurityQA Toolbar, Skipfish, W3AF, Wapiti, Watcher, Websecurify, Netsparker, OpenAcunetix, RatProxy

Case Study: Choose Web Scanners
- Apply customized WASSEC:
  - OWASP Top 10 coverage
  - Recent activity and updates
  - Support for new technologies
  - Fast bug solving (easy to interact with the developers)

Case Study: Choose Web Scanners (figure)

Case Study: Apply Web Scanners to Web Applications
- PHP: 8 Web applications
- Java: 1 Web application
- .NET/Aspx: 8 Web applications

Tests Methodology
- Select the Web application (after legal authorization)
- [For each Web scanner]
  - Use the Web scanner
  - Create a detailed report
  - Document the found vulnerabilities (manual verification using different tools and live CDs)
- [Test's end]
  - Deliver the report to the organization

Case Study: Apply Web Scanners to Web Applications (figure)

Case Study: Apply Web Scanners to Web Applications (figure)

Case Study: Apply Web Scanners to Web Applications
- Of a total of 1387 vulnerabilities found, ~319 are false positives
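As an added example (not code from the slides, the thesis, or any of the scanners listed), here is the bookkeeping behind the complementary evaluation method and the false-positive count above: scanner findings are deduplicated, compared with the manually confirmed ground truth, scored per scanner, and broken down by the protection level at which each scanner still detects the vulnerability, then merged into the single report that goes back to the organization. The scanner names, the `testapp` application, its paths, and every finding and ground-truth entry are constructed placeholders.

```python
"""Score web-scanner output against manually verified ground truth.

Added example for the evaluation method on these slides; it is not code from
the slides or from any scanner. Every finding and ground-truth entry below is
constructed sample data, and the scanner names are placeholders.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

Key = Tuple[str, str, str]  # (application, vulnerability class, location)


class Finding(NamedTuple):
    scanner: str
    app: str
    vuln: str
    location: str  # path plus the parameter the scanner flagged


class Truth(NamedTuple):
    level: int        # protection level of the test page (0 = unprotected)
    vulnerable: bool  # result of the manual confirmation


# Constructed ground truth: one XSS test page per protection level, one SQL
# injection page, and one CSRF issue no scanner reports. Level 3 is fully
# protected, so a report against it is a false positive.
GROUND_TRUTH: Dict[Key, Truth] = {
    ("testapp", "xss", "/level0/search?q"): Truth(0, True),
    ("testapp", "xss", "/level1/search?q"): Truth(1, True),
    ("testapp", "xss", "/level2/search?q"): Truth(2, True),
    ("testapp", "xss", "/level3/search?q"): Truth(3, False),
    ("testapp", "sqli", "/login?user"): Truth(0, True),
    ("testapp", "csrf", "/transfer"): Truth(0, True),
}

# Constructed scanner output, including one duplicate report from scanner_b.
FINDINGS: List[Finding] = [
    Finding("scanner_a", "testapp", "xss", "/level0/search?q"),
    Finding("scanner_a", "testapp", "xss", "/level1/search?q"),
    Finding("scanner_a", "testapp", "xss", "/level3/search?q"),  # false positive
    Finding("scanner_a", "testapp", "sqli", "/login?user"),
    Finding("scanner_b", "testapp", "xss", "/level0/search?q"),
    Finding("scanner_b", "testapp", "xss", "/level1/search?q"),
    Finding("scanner_b", "testapp", "xss", "/level2/search?q"),
    Finding("scanner_b", "testapp", "sqli", "/about?id"),  # manually rejected
    Finding("scanner_b", "testapp", "sqli", "/login?user"),
    Finding("scanner_b", "testapp", "sqli", "/login?user"),  # duplicate report
]


def unique_findings(findings: Iterable[Finding]) -> Set[Finding]:
    """Scanners often report the same location more than once; count it once."""
    return set(findings)


def score_per_scanner(findings, truth) -> Dict[str, Dict[str, int]]:
    """Return {scanner: {"tp": n, "fp": n, "fn": n}} after manual confirmation."""
    real: Set[Key] = {k for k, t in truth.items() if t.vulnerable}
    reported: Dict[str, Set[Key]] = defaultdict(set)
    for f in unique_findings(findings):
        reported[f.scanner].add((f.app, f.vuln, f.location))
    return {
        scanner: {"tp": len(keys & real), "fp": len(keys - real), "fn": len(real - keys)}
        for scanner, keys in reported.items()
    }


def false_positive_ratio(findings, truth) -> float:
    """Share of all unique reports, across scanners, that manual analysis rejected."""
    scores = score_per_scanner(findings, truth)
    total = sum(s["tp"] + s["fp"] for s in scores.values())
    rejected = sum(s["fp"] for s in scores.values())
    return rejected / total if total else 0.0


def level_coverage(findings, truth, vuln: str) -> Dict[str, Set[int]]:
    """Protection levels of one vulnerability class that each scanner still detected."""
    real_levels = {k: t.level for k, t in truth.items() if t.vulnerable and k[1] == vuln}
    covered: Dict[str, Set[int]] = defaultdict(set)
    for f in unique_findings(findings):
        key = (f.app, f.vuln, f.location)
        if key in real_levels:
            covered[f.scanner].add(real_levels[key])
    return dict(covered)


def consolidated_report(findings, truth) -> List[dict]:
    """One row per location for the organization: status plus which scanners reported it."""
    real: Set[Key] = {k for k, t in truth.items() if t.vulnerable}
    by_key: Dict[Key, Set[str]] = defaultdict(set)
    for f in unique_findings(findings):
        by_key[(f.app, f.vuln, f.location)].add(f.scanner)
    rows = []
    for key in sorted(set(by_key) | real):
        if key not in real:
            status = "false positive"
        elif key in by_key:
            status = "confirmed"
        else:
            status = "missed by all scanners"
        rows.append({"app": key[0], "vuln": key[1], "location": key[2],
                     "status": status, "reported_by": sorted(by_key.get(key, ()))})
    return rows


if __name__ == "__main__":
    for scanner, s in sorted(score_per_scanner(FINDINGS, GROUND_TRUTH).items()):
        print(scanner, s)
    print("false positive ratio: %.2f" % false_positive_ratio(FINDINGS, GROUND_TRUTH))
    print("xss levels detected:", level_coverage(FINDINGS, GROUND_TRUTH, "xss"))
    for row in consolidated_report(FINDINGS, GROUND_TRUTH):
        print(row)
```

Run as a script it prints the per-scanner scores, the overall false-positive ratio (2 of 9 unique reports here, close to the ~23% on the slide), the XSS levels each scanner reached, and the merged report. Ground truth comes only from manual confirmation, which is why the consolidated report can also name the issue that no scanner found.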
Evaluate Results
- Maybe these tools are not so bad, in the right context
- They leverage security awareness
- False positives are also good (am I crazy?)

Questions?