Syhunt Presentation 2011
Transcript of Syhunt Presentation 2011
SYHUNT - Web Application Security Assessment Provider

Sandcat Assessment Suite: What is Sandcat?
- Sandcat is a hybrid multilanguage web application security assessment suite
- A software suite that simulates web-based attacks
- Proactively guards an organization's Web infrastructure against web application security threats
  - Finds the vulnerabilities before the hackers do

Sandcat Assessment Suite: Evolution
- Initially an evasion-capable web server scanner
  - With CGI/directory brute force scanning and a very extensive database of checks (2001-2003)
- Added spidering & injection capabilities
  - Became a remote web app sec scanner (2004)
- Added source code scanning capabilities (2008)

Sandcat Assessment Suite: How It Works
- Scans live websites for multiple classes of vulnerabilities - an external pen-test
  - This is the hacker's perspective (aka black box)
- Scans the application's source locally for the same multiple classes of vulnerabilities - an internal code review (aka white box)
- When it combines both approaches, you have what is called a hybrid analysis (or grey box)

Sandcat Assessment Suite: Sandcat's hybrid multilanguage web application security scanning capabilities
[Diagram: Source Scanner (internal) and Remote Scanner (external), both scanning any web app, with an HTML5-aware spider and JavaScript emulation]

Features: Core Functionality
- Concurrency/Scan Queue Support (Multithreads)
- Deep Crawling (Spidering)
  - Maps the entire web site structure (all links, forms, XHR requests and other entry points)
- Multiple Versions (Windows Only)
  - GUI (Graphical User Interface)
  - CLI (Command-Line Interface)
  - Web-Interface (Apache-Based)

Sandcat Assessment Suite: Core Functionality
- Report Generation
  - Multiple formats and templates
  - Compliance - OWASP Top 10, PHP Top 5, CWE/SANS Top 25, Payment Card Industry (PCI), etc. Also includes:
    - OSVDB references
    - CVE & CWE references
    - Charts

Vulnerability Coverage: Sandcat Database
- Over 460 remote web application security checks in over 24 categories of web attacks
  - XSS, SQL Injection, File Inclusion, Command Execution, etc.
- OWASP's Top Ten Most Critical Web Application Security Vulnerabilities & PHP Top 5 Vulnerabilities

Vulnerability Coverage: Sandcat Database
- Over 561 source checks, covering several types of web attacks:
  - SQL Injection
    - Both remote and source checks tailored to cover MySQL, Oracle, PostgreSQL, Microsoft Access, Microsoft SQL Server, SQLite, Firebird, Sybase...
  - Cross-Site Scripting (XSS), Arbitrary File Manipulation, Command Execution, File Inclusion (Local & Remote) and more.

Vulnerability Coverage: Sandcat Database
- 29K (29 thousand) web vulnerabilities researched since 2003 affecting specific web applications/servers.
- Examples:
  - StatPressCN Plugin for Wordpress wp-admin/admin.php Multiple Parameter XSS (CVE-2011-0641)
  - PHPCMS 2008 data.php where_time Parameter SQL Injection (CVE-2011-0645)

Additional Components: Other Sandcat Components
- Sandcat Log Analyzer
  - Scans HTTP logs (created by web servers) for intrusion attempts
- Sandcat Apache/PHP Hardener
  - Scans Apache and PHP configuration files for weak security settings
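As an added example (not Syhunt's code, and not a description of how the Sandcat Log Analyzer is implemented), this Python snippet shows the kind of check a log analyzer of this sort performs: it parses Apache combined-format access log entries and flags requests whose URL carries XSS or SQL injection indicators, the two attack classes this deck highlights. The log lines and the signature patterns are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format:
#   host ident user [time] "METHOD path protocol" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Indicator patterns (heuristic, constructed for this example), applied to the
# URL-decoded request path. Category order matters: the first match wins.
SIGNATURES = {
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
    "sqli": re.compile(
        r"'\s*(or|and)\s+[\w'\"]+\s*=|union\s+(all\s+)?select|;\s*drop\s+table", re.I
    ),
}

def scan_log(lines):
    """Return (client_host, category, raw_path) for every entry carrying an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format entry; skip rather than guess
        # Decode twice: a double-encoded payload (%2520 -> %20 -> space) would
        # otherwise slip past a single-decode check.
        path = unquote(unquote(m.group("path")))
        for category, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((m.group("host"), category, m.group("path")))
                break
    return hits

# Constructed sample entries; the hosts are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2011:13:55:36 -0300] "GET /index.php?page=home HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Aug/2011:13:55:40 -0300] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Aug/2011:13:56:01 -0300] "GET /login.php?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 88 "-" "curl/7.21"',
    '198.51.100.2 - - [10/Aug/2011:13:56:05 -0300] "GET /item.php?id=1%2520UNION%2520SELECT%25201,2,3 HTTP/1.1" 200 300 "-" "curl/7.21"',
    "this line is not a log entry at all",
]

if __name__ == "__main__":
    for host, category, path in scan_log(SAMPLE_LOG):
        print(f"{host}\t{category}\t{path}")
```

The first and last sample lines produce no hit (a clean request and a malformed entry); the other three are reported as one XSS and two SQL injection attempts.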
WAVSEP 2011 Comparison: WAVSEP Comparison
- Independent web application scanner accuracy tests produced every year by Shay Chen (OWASP Israel), an application security consultant
- The most comprehensive ever made (a total of 60 tools were included this year, including the leading commercial tools)
- What did we find out?

WAVSEP 2011 Comparison: Sandcat Accuracy Tests (August 2011)
- We have the best XSS vulnerability detection rate in the market
  - #1 when the Free Edition of Sandcat is compared with other free and open source tools
  - #2 when Sandcat Pro is compared to other commercial tools such as IBM AppScan, HP WebInspect and others
    - Sandcat Pro, AppScan and ParosPro top the WAVSEP benchmark charts with 100 percent or near-100 percent XSS detection rates

WAVSEP 2011 Comparison: Sandcat Accuracy Tests (August 2011)
- SQL Injection (SQLi)
  - Sandcat also scored a 100 percent error-based SQL Injection detection rate
    - Sandcat excelled at identifying an additional large set of 80 error-based SQL Injection vulnerabilities (detected 100% of the vulnerabilities, both GET-based and POST-based)
    - Sandcat's SQL Injection checks cover several types of databases

WAVSEP 2011 Comparison: Sandcat Accuracy Tests (August 2011)
- Sandcat scored a 100 percent detection rate running at half its capabilities
  - Sandcat's white-box (source code) scanning capabilities were not covered in the tests.

Additional Highlights: Standards & Additional Info
- Sandcat makes the list of CVE-compatible products and services provided by the Mitre Corporation, which created the standard.
- Invited this year by the U.S. NIST (National Institute of Standards and Technology) to participate in the Static Analysis Tool Exposition (SATE)
  - SATE's goal: advance research in the field of static analysis tools

Additional Highlights: Standards & Additional Info
- Used by the U.S. Department of Defense
- Listed and covered in the Information Assurance Tools Report published this year (2011) by the U.S. Department of Defense's IATAC (Information Assurance Technology Analysis Center), alongside leading tools

Customers: Where they come from
- From over 26 countries. Mainly from the United States, United Kingdom and Canada
- From different markets and industries
  - Consulting, Education/Government, Finance, Banking, and Insurance, High Technology & Software, Hospitality, Travel & Tourism, Telecommunications, etc.

Customers: Where they come from (Government & Military)
- NASA, US NOAA, US DoE (Department of Energy) and others
- US Navy, UK's Royal Air Force
- Intelligence Agencies
  - CSE (Canada's intelligence agency)
  - CISEN (Mexico's intelligence agency)

The End: Thank You
More Info: www.syhunt.com
Twitter: @syhunt
Email: [email protected]