Security Scanning
The OWASP Foundation - http://www.owasp.org
OWASP Education - Computer based training
Security Scanning
Nishi Kumar, IT Architect Specialist
Chair, Software Security Forum FIS; OWASP CBT Project Lead
OWASP Global Industry [email protected]
Contributor and Reviewer: Keith Turpin
Objectives
Understand different offerings available to find vulnerabilities
Learn pros and cons of those offerings
Know about some open source and commercial scanning tools
Industry Application Security Offerings
Automated
  Dynamic web application interface scanning
  Static code scanning
  Web app firewalls
  Intrusion Prevention Systems (IPS)
Manual
  Application penetration test
  Code review
Automated vs. Manual: Advantages
Advantages of automated solutions
  Low incremental cost
  Minimal training
  Potentially 24/7 protection
Advantages of manual solutions
  No false positives
  Guaranteed code coverage
  Ability to identify complex vulnerabilities
  Understand business logic
  Acts like a determined attacker
  Can combine vulnerabilities
What Automated Solutions Miss
Theoretical
  Logic flaws (business and application)
  Design flaws
Practical
  Difficulty interacting with Rich Internet Applications
  Complex variants of common attacks (SQL Injection, XSS, etc.)
  Cross-Site Request Forgery (CSRF)
  Uncommon or custom infrastructure
  Abstract information leakage
Conducting the Assessment
If you are using automated scanning tools, beware of false positives and negatives
Pattern recognition has limitations
Combine various testing methods:
  Automated scanning
  Code review
  Manual testing
Learn what tools do and do not do well
Validate every finding
Keep detailed notes
Commercial Dynamic Scanning Tools
Web Inspect – by HP
Rational AppScan – by IBM
Acunetix WVS – by Acunetix
Hailstorm – by Cenzic
NTOSpider – by NT OBJECTives
Open Source and Low Cost Scanners
W3af - http://w3af.sourceforge.net/
Burp Suite - http://portswigger.net/
Grendel Scan - http://grendel-scan.com/
Wapiti - http://wapiti.sourceforge.net/
Arachni - http://zapotek.github.com/arachni/
Skipfish - http://code.google.com/p/skipfish/
Paros - http://www.parosproxy.org/ (Free version no longer maintained)
Code Scanning Tools
Fortify – by HP
Rational AppScan Source Edition – by IBM
Coverity Static Analysis – by Coverity
CxSuite – by Checkmarx
Yasca – by OWASP
Veracode binary analysis – by Veracode (Veracode uses a different methodology than other scanners)
Client Side Web Proxies
Paros - http://www.parosproxy.org/ (Free version no longer maintained)
Burp Suite - http://portswigger.net/
WebScarab NG - https://www.owasp.org/index.php/OWASP_WebScarab_NG_Project
Charles Proxy - www.charlesproxy.com/
Browser Plugins:
  Internet Explorer: Fiddler
  Firefox: Tamper Data
Paros Proxy
Paros Proxy is a security scanning tool. Through Paros's proxy all HTTP and
HTTPS data between server and client, including cookies and form fields, can
be intercepted and modified.
Paros Proxy – Interface
Paros Proxy – Options Dialog
Paros Proxy – Reporting
W3AF by OWASP
Web application attack and audit framework
W3af - Web application attack and audit framework
W3af - Web application attack and audit framework
W3af - Exploit
IBM Rational AppScan
Commercial Scanning Tool
IBM Rational AppScan Interface
Online Risk Mitigation and Compliance Solutions
Scan Configuration – URL and server
Scan Configuration – Login Management
Scan Configuration – Test Policy
Scan Configuration – Complete
Reporting Industry Standard
Reporting Industry Standard
Web Inspect
Commercial Scanning Tool
Scan mode
Audit Policy
Requester Thread
HTTP Parsing
Report Type
Summary
Over 90% of ecommerce PCI breaches are from application flaws
Application security is not a percentage game. One missed flaw is all it takes
Vulnerabilities can come from more than one avenue:
  Acquisitions
  Old or dead code
  Third-party libraries