Early Vulnerability Detection for Supporting Secure Programming

Size: px
Start display at page:

Download "Early Vulnerability Detection for Supporting Secure Programming"

Transcription

1 Early Vulnerability Detection for Supporting Secure Programming Luciano Sampaio - rio.br Alessandro Garcia - rio.br OPUS Research Group LES DI PUC- Rio - Brazil OPUS Research Group

2 Introduction Secure programming is the practice of writing programs that are resistant to attacks by malicious people or programs; Check for SQL Injection. Check for XSS. Check for Cookie Poisoning. Security vulnerability or just vulnerability is a flaw that can be exploited to allow an attacker to cause unintended operations. 2

3 Introduction In 2001 a single vulnerability in Microsoft s Internet Information Server, cost an estimated $2 billion in repair, lost productivity, and support (pcworld );! It is almost never present in computer science courses;! 86% of audited websites has at least 1 serious security vulnerability (WhiteHat );! Developers usually find out about vulnerabilities too late. 3

4 Top 10 Vulnerabilities Open Web Application Security Project (OWASP) 2003, 2004, 2007, 2010, 2013;! OWASP Top From 8 datasets from 7 companies with over 500,000 vulnerabilities; 01 (SQL/Command) Injection; 02 Broken Authentication and Session Management; 03 Cross- Site Scripting (XSS); 04 Insecure Direct Object References; 05 Security Misconfiguration; 06 Sensitive Data Exposure; 07 Missing Function Level Access Control; 08 Cross- Site Request Forgery (CSRF); 09 Using Known Vulnerable Components; 10 Unvalidated Redirects and Forwards. 4

5 Denial of Service XSS (Cross-Site Scripting) SQL Injection Cookie Poisoning Information Leakage Security Misconfiguration 5 5

6 Tools can help On average 17% cost savings (Dejan Baca );! Manual Inspection Daunting and error prone;! Static Analysis! It analyzes the application by examining the source code without executing it Dynamic Analysis Exact location of the problem; Higher rate of false positives; IBM AppScan, Fortify, Lapse+, CodePro, ASIDE, It analyzes the application during runtime Usually can not inform the exact location of the problem; Low rate of false positives; Fortify,. 6

7 Limitations Late Detection;! High rate of false positives;! Do not provide possible solutions. 7

8 Creates Limitations >> Late Detection Developer Source code Runs Report Generates Plug-in 8

9 Limitations >> High rate of false positives 20-30% - (Nadeem 2012). 9

10 Limitations >> High rate of false positives >> Pattern Matching ASIDE s false positive of XSS. ASIDE s false negative of SQL Injection. 10

11 Limitations >> Do not provide possible solutions 11

12 Motivation and Objectives Developers might not have the necessary knowledge and even if they have, it is a complex task;! There are available tools. However, they do not fully support secure programming We call them "security vulnerability pointers ;! Help developers create secure software. 12

13 Proposal >> Early Detection Possible solutions Creating Developer Source code String login = request.getparameter("login"); String sql = "SELECT * FROM USER WHERE LOGIN = '" + login + "'"; Statement statement = conn.createstatement(); ResultSet resultset = statement.executequery(sql); request.setattribute("login", login); Report Runs Generates Plug-in 13

14 Proposal >> Early Detection ASIDE ESVD 14

15 Pattern Matching vs Data Flow Analysis 15

16 Data Flow Analysis >> Context Insensitive vs Context Sensitive CodePro ESVD CodePro ESVD 16

17 Data Flow Analysis >> Infinite Loop ESVD 17

18 Data Flow Analysis >> What we do not understand Containers;! Reflection;! InnerClasses ESVD Dillig, I., Dillig, T. and Aiken, A. (2011). Precise reasoning for programs using containers. ACM SIGPLAN Notices Tripp, O., Pistoia, M., Fink, S. J., Sridharan, M. and Weisman, O. (2009). TAJ: Effective Taint Analysis of Web Applications. In Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation - PLDI 09., PLDI 09. ACM Press. 18

19 Evaluation >> Empirical Studies Rate of False Positive Benchmark on 5 open- source projects and 1 custom- made project; Early Detection effectiveness Participants were asked to create a code using our tool. 19

20 Evaluation >> Benchmark Blueblog Personalblog WebGoat Roller Pebble NCO Version Number of packages Number of classes Number of methods Lines of Code Number of Vulnerabilities Applications 20

21 Benchmark >> Analyzed vulnerabilities Nr Vulnerability ASIDE Lapse+ CodePro ESVD 1 Command Injection Cookie Poisoning Cross- Site Scripting (XSS) HTTP Response Splitting LDAP Injection Log Forging Path Traversal Reflection Injection Security Misconfiguration SQL Injection XPath Injection Total

22 Benchmark >> BlueBlog Precision Recall F1 Score ASIDE 0,26 0,61 0,36 CodePro 0,80 0,22 0,35 Lapse+ 0,41 0,72 0,52 ESVD 1,00 0,44 0,62 22

23 Benchmark >> PersonalBlog Precision Recall F1 Score ASIDE 0,87 0,40 0,55 CodePro 0,75 0,02 0,04 Lapse+ 0,83 0,24 0,37 ESVD 0,97 0,78 0,87 23

24 Benchmark >> PersonalBlog - False Positive 24

25 Benchmark >> WebGoat Precision Recall F1 Score ASIDE 0,49 0,71 0,58 CodePro 0,50 0,09 0,15 Lapse+ 0,68 0,65 0,67 ESVD 0,79 0,41 0,54 25

26 Benchmark >> WebGoat - False Positive 26

27 Benchmark >> Roller Precision Recall F1 Score ASIDE 0,30 0,12 0,17 CodePro 0,78 0,09 0,16 Lapse+ 0,41 0,17 0,24 ESVD 0,99 0,89 0,94 27

28 Benchmark >> Roller - False Positive 28

29 Benchmark >> Pebble Precision Recall F1 Score ASIDE 0,50 0,36 0,42 CodePro 0,71 0,06 0,11 Lapse+ 0,46 0,27 0,34 ESVD 0,95 0,63 0,75 29

30 Benchmark >> Pebble - False Positive 30

31 Benchmark >> NCO Precision Recall F1 Score ASIDE 0,71 0,35 0,47 CodePro 0,36 0,05 0,09 Lapse+ 0,39 0,42 0,40 ESVD 0,39 0,61 0,47 31

32 Benchmark >> NCO - False Positive 32

33 Benchmark >> Summary Precision Recall F1 Score % False Positive ASIDE 0,48 0,39 0,43 51,78% CodePro 0,62 0,07 0,13 37,62% Lapse+ 0,55 0,36 0,43 44,73% ESVD 0,88 0,66 0,75 11,70% 33

34 Benchmark >> Summary Blueblog Personalblo WebGoat Roller Pebble NCO Total % LDAP Injection 0 g Vulnerabilit 0,0% Command Injection ,1% XPath Injection ,1% Hard- code content ,2% Security ,5% Misconfiguration HTTP Response ,6% Splitting Cookie Poisoning ,7% Reflection Injection ,1% String concatenation ,4% Information Leakage ,8% SQL Injection ,5% Cross- Site Scripting ,9% Path Traversal ,4% Log Forging ,3% Input not sanitized ,4% Total ,00% 34

35 Benchmark >> Memory 1000" 900" Memory' 800" 700" 600" 500" 400" 300" 200" Blueblog" Personalblog" NCO" WebGoat" Roller" Pebble" 100" 0" ASIDE" CodePro" Lapse+" ESVD" Blueblog Personalblog NCO WebGoat Roller Pebble ASIDE 272,46 123,12 142,12 486,24 395,32 472,4 CodePro 314,14 89,24 148,54 254,3 189,5 267 Lapse+ 462,56 425,6 351,06 456,92 324,34 521,4 ESVD 209,82 257,64 465,42 556,02 725,02 961,7 35

36 Benchmark >> Time 10:04,80$ 08:38,40$ Time% 07:12,00$ 05:45,60$ 04:19,20$ 02:52,80$ Blueblog$ Personalblog$ NCO$ WebGoat$ Roller$ Pebble$ 01:26,40$ 00:00,00$ ASIDE$ CodePro$ Lapse+$ ESVD$ Blueblog Personalblog NCO WebGoat Roller Pebble ASIDE 00:01,61 00:01,74 00:02,71 00:06,54 00:04,12 00:10,58 CodePro 00:26,91 00:35,93 00:37,76 01:42,91 09:34,71 05:13,30 Lapse+ 00:22,46 00:21,49 00:28,27 00:25,73 00:20,39 01:15,11 ESVD 00:00,68 00:00,77 00:07,34 00:22,63 00:43,89 06:11,49 36

37 Experiment 2 groups of participants (students and professionals), divided in 2 groups (Early Detection and Late Detection): Both using ESVD; ESVD modified version;! 2 questionnaires (1 before and 1 after): Understand the participant s profile and collect feedback; 37

38 Experiment Asked them to develop some functionalities of a small system: Initial project and basic jsp pages already created; Login and logout; Add, Update, Delete and List comments;! Record their screen, audio and Eclipse s interactions: ScreenFlow; Rabbit- eclipse; 38

39 Experiment >> Participants Early Late Total Total Student Professional # 14# 12# 10# 8# 6# 4# 2# 0# 15# Quan/ty# 12# Student# 7,25# 1,67# Average#of#Years# Professional# 39

40 Experiment >> Completed tasks Participant Id Task 1 Task 2 Task 3 Task 4 Task

41 Experiment >> Participants - Final numbers Early Late Total Total Student Professional Early Late Total Total Student Professional

42 Experiment >> Participant s profile 42

43 Experiment >> Number of vulnerabilities Added Removed Left Early Late Early Late Early Late Professional Student Vulnerability Added Removed Left Cookie Poisoning HTTP Response Splitting SQL Injection Log forging Cross- Site Scripting Misconfiguration Total

44 The plug- in ESVD - Early Security Vulnerability Detector ;! Download at: https://marketplace.eclipse.org/content/early- security- vulnerability- detector- esvd/! A project containing several security vulnerabilities: rio.br/~lsampaio/plugin/ early_vulnerability_detector/latest/webdemo.zip! More info at: 44

45 The plug- in >> Menu 45

46 The plug- in >> Preferences Page 46

47 The plug- in >> Preferences Page 47

48 The plug- in >> Preferences Page 48

49 The plug- in >> UI 49

50 The plug- in >> Provide possible solutions 50

51 The plug- in >> Provide possible solutions 51

52 Thank you! Luciano Sampaio - rio.br Alessandro Garcia - rio.br OPUS Research Group LES DI PUC- Rio - Brazil OPUS Research Group

53 Questions? LES DI PUC- Rio - Brazil OPUS Research Group

Security vulnerabilities: should they be early detected?

Security vulnerabilities: should they be early detected? Security vulnerabilities: should they be early detected? - lsampaio@inf.puc-rio.br Alessandro Garcia afgarcia@inf.puc-rio.br OPUS Research Group Agenda 1. Background; 2.Motivation; 3.Research Questions;

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

Magento Security and Vulnerabilities. Roman Stepanov

Magento Security and Vulnerabilities. Roman Stepanov Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection

More information

Web Application Vulnerability Testing with Nessus

Web Application Vulnerability Testing with Nessus The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information

More information

Attack Vector Detail Report Atlassian

Attack Vector Detail Report Atlassian Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability

More information

Web Application Report

Web Application Report Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp. and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP

More information

OWASP Top Ten Tools and Tactics

OWASP Top Ten Tools and Tactics OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),

More information

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus ASP.NET MVC Secure Coding 4-Day hands on Course Course Syllabus Course description ASP.NET MVC Secure Coding 4-Day hands on Course Secure programming is the best defense against hackers. This multilayered

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

Annex B - Content Management System (CMS) Qualifying Procedure

Annex B - Content Management System (CMS) Qualifying Procedure Page 1 DEPARTMENT OF Version: 1.5 Effective: December 18, 2014 Annex B - Content Management System (CMS) Qualifying Procedure This document is an annex to the Government Web Hosting Service (GWHS) Memorandum

More information

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES AUTHOR: Chema Alonso Informática 64. Microsoft MVP Enterprise Security Hello and welcome to Intypedia.

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development

More information

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not

More information

Table of Contents. Page 2/13

Table of Contents. Page 2/13 Page 1/13 Table of Contents Introduction...3 Top Reasons Firewalls Are Not Enough...3 Extreme Vulnerabilities...3 TD Ameritrade Security Breach...3 OWASP s Top 10 Web Application Security Vulnerabilities

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com

More information

Testing the OWASP Top 10 Security Issues

Testing the OWASP Top 10 Security Issues Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are

More information

Secure Coding in Node.js

Secure Coding in Node.js Secure Coding in Node.js Advanced Edition Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA 20170 571.353.7551 www.nvisium.com 1 Introduction Seth Law VP of Research & Development @

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Using Free Tools To Test Web Application Security

Using Free Tools To Test Web Application Security Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,

More information

Executive Summary On IronWASP

Executive Summary On IronWASP Executive Summary On IronWASP CYBER SECURITY & PRIVACY FOUNDATION 1 Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open

More information

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability

More information

Project OWASP and two most frequent vulnerabilities in web applications

Project OWASP and two most frequent vulnerabilities in web applications Project OWASP and two most frequent vulnerabilities in web applications Filip Šebesta, Wilson Tuladhar 2010 Abstract With the rapid use of the Internet, there has been a rapid growth in websites and web

More information

Hacking de aplicaciones Web

Hacking de aplicaciones Web HACKING SCHOOL Hacking de aplicaciones Web Gabriel Maciá Fernández Fundamentos de la web CLIENTE SERVIDOR BROWSER HTTP WEB SERVER DATOS PRIVADOS BASE DE DATOS 1 Interacción con servidores web URLs http://gmacia:pass@www.ugr.es:80/descarga.php?file=prueba.txt

More information

Overview of the Penetration Test Implementation and Service. Peter Kanters

Overview of the Penetration Test Implementation and Service. Peter Kanters Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing

More information

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell Stanford Computer Security Lab State of The Art: Automated Black Box Web Application Vulnerability Testing, Elie Bursztein, Divij Gupta, John Mitchell Background Web Application Vulnerability Protection

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

Web Application Report

Web Application Report Web Application Report This report includes important security information about your Web Application. OWASP Top Ten 2010 The Ten Most Critical Web Application Report This report was created by IBM Rational

More information

Application Code Development Standards

Application Code Development Standards Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards

More information

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications

More information

Hardening Moodle. Concept and Realization of a Security Component in Moodle. a project by

Hardening Moodle. Concept and Realization of a Security Component in Moodle. a project by Concept and Realization of a Security Component in Moodle a project by Andreas Gigli, Lars-Olof Krause, Björn Ludwig, Kai Neumann, Lars Schmidt and Melanie Schwenk 2 Agenda Plugin Installation in Moodle

More information

OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741

OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN

More information

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis

More information

OWASP AND APPLICATION SECURITY

OWASP AND APPLICATION SECURITY SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly

More information

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia Top Ten Web Application Vulnerabilities in J2EE Vincent Partington and Eelco Klaver Xebia Introduction Open Web Application Security Project is an open project aimed at identifying and preventing causes

More information

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 Ensuring compliance for PCI DSS 6.5 and 6.6 Page 2 Overview Web applications and the elements surrounding them

More information

Intrusion detection for web applications

Intrusion detection for web applications Intrusion detection for web applications Intrusion detection for web applications Łukasz Pilorz Application Security Team, Allegro.pl Reasons for using IDS solutions known weaknesses and vulnerabilities

More information

Benjamin Livshits and Monica S. Lam

Benjamin Livshits and Monica S. Lam Benjamin Livshits and Monica S. Lam 1. PHPList Admin Page SQL Injection Vulnerability 2. Fetchmail POP3 Client Buffer Overflow Vulnerability 3. Zlib Compression Library Buffer Overflow Vulnerability 4.

More information

Web Application Vulnerabilities

Web Application Vulnerabilities Securing Web Applications with Information Flow Tracking with Michael Martin, Benjamin Livshits, John Whaley, Michael Carbin, Dzin Avots, Chris Unkel Web Application Vulnerabilities 50% databases had a

More information

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand different types of application assessments and how they differ Be

More information

Columbia University Web Application Security Standards and Practices. Objective and Scope

Columbia University Web Application Security Standards and Practices. Objective and Scope Columbia University Web Application Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Application Security Standards and Practices document establishes a baseline

More information

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business 6 Six Essential Elements of Web Application Security Cost Effective Strategies for Defending Your Business An Introduction to Defending Your Business Against Today s Most Common Cyber Attacks When web

More information

2,000 Websites Later Which Web Programming Languages are Most Secure?

2,000 Websites Later Which Web Programming Languages are Most Secure? 2,000 Websites Later Which Web Programming Languages are Most Secure? Jeremiah Grossman Founder & Chief Technology Officer 2010 WhiteHat Security, Inc. WhiteHat Security Founder & Chief Technology Officer

More information

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis Integrating Security into the Application Development Process Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis Agenda Seek First to Understand Source Code Security AppSec and SQA Analyzing

More information

Web application security

Web application security Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0

More information

IJMIE Volume 2, Issue 9 ISSN: 2249-0558

IJMIE Volume 2, Issue 9 ISSN: 2249-0558 Survey on Web Application Vulnerabilities Prevention Tools Student, Nilesh Khochare* Student,Satish Chalurkar* Professor, Dr.B.B.Meshram* Abstract There are many commercial software security assurance

More information

Model-Based Vulnerability Testing for Web Applications

Model-Based Vulnerability Testing for Web Applications Model-Based Vulnerability Testing for Web Applications F. Lebeau, B. Legeard, F. Peureux, A. VERNOTTE FEMTO-ST Institute / University of Franche-Comté UMR CNRS 6174, 25030 Besancon, France. Smartesting

More information

Essential IT Security Testing

Essential IT Security Testing Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

Learning objectives for today s session

Learning objectives for today s session Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify

More information

Certified Secure Web Application Security Test Checklist

Certified Secure Web Application Security Test Checklist www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill

More information

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011 Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing

More information

Web Engineering Web Application Security Issues

Web Engineering Web Application Security Issues Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend

More information

Excellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited

Excellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

Web Application Security Assessment and Vulnerability Mitigation Tests

Web Application Security Assessment and Vulnerability Mitigation Tests White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software

More information

Web application vulnerability statistics for 2010-2011

Web application vulnerability statistics for 2010-2011 Web application vulnerability statistics for 2010-2011 SERGEY GORDEYCHIK DMITRY EVTEEV ALEXANDER ZAITSEV DENIS BARANOV SERGEY SCHERBEL ANNA BELIMOVA GLEB GRITSAI YURI GOLTSEV TIMUR YUNUSOV ILYA KRUPENKO

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

Security Assessment through Google Tools -Focusing on the Korea University Website

Security Assessment through Google Tools -Focusing on the Korea University Website , pp.9-13 http://dx.doi.org/10.14257/astl.2015.93.03 Security Assessment through Google Tools -Focusing on the Korea University Website Mi Young Bae 1,1, Hankyu Lim 1, 1 Department of Multimedia Engineering,

More information

An Introduction to Application Security In ASP.NET Environments. Houston.NET User Group. February 23 rd, 2006

An Introduction to Application Security In ASP.NET Environments. Houston.NET User Group. February 23 rd, 2006 An Introduction to Application Security In ASP.NET Environments Houston.NET User Group February 23 rd, 2006 Overview Background What is Application Security and Why Is It Important? Examples ASP.NET Specific

More information

Web application testing

Web application testing CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration

More information

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications Ray Lai, Intuit TS-5358 Share experience how to detect and defend security vulnerabilities in Web 2.0 applications using

More information

An Introduction to Application Security in J2EE Environments

An Introduction to Application Security in J2EE Environments An Introduction to Application Security in J2EE Environments Dan Cornell Denim Group, Ltd. www.denimgroup.com Overview Background What is Application Security and Why is It Important? Specific Reference

More information

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications 1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

MatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool

MatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool MatriXay DAS-WEBScan MatriXay WEB Application Vulnerability Scanner V 5.0 (DAS- WEBScan ) - - - - - The best WEB application assessment tool 1. Overview MatriXay DAS- Webscan is a specific application

More information

Web Application Attacks And WAF Evasion

Web Application Attacks And WAF Evasion Web Application Attacks And WAF Evasion Ahmed ALaa (EG-CERT) 19 March 2013 What Are We Going To Talk About? - introduction to web attacks - OWASP organization - OWASP frameworks - Crawling & info. gathering

More information

Secure development and the SDLC. Presented By Jerry Hoff @jerryhoff

Secure development and the SDLC. Presented By Jerry Hoff @jerryhoff Secure development and the SDLC Presented By Jerry Hoff @jerryhoff Agenda Part 1: The Big Picture Part 2: Web Attacks Part 3: Secure Development Part 4: Organizational Defense Part 1: The Big Picture Non

More information

SQuAD: Application Security Testing

SQuAD: Application Security Testing SQuAD: Application Security Testing Terry Morreale Ben Whaley June 8, 2010 Why talk about security? There has been exponential growth of networked digital systems in the past 15 years The great things

More information

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications

More information

Pentests more than just using the proper tools

Pentests more than just using the proper tools Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Penetration testing Introduction Evaluation scheme Security Analyses of web applications Internal Security

More information

How to Build a Trusted Application. John Dickson, CISSP

How to Build a Trusted Application. John Dickson, CISSP How to Build a Trusted Application John Dickson, CISSP Overview What is Application Security? Examples of Potential Vulnerabilities Strategies to Build Secure Apps Questions and Answers Denim Group, Ltd.

More information

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only Conducting Web Application Pentests From Scoping to Report For Education Purposes Only Web App Pen Tests According to OWASP: A Web Application Penetration Test focuses only on evaluating the security of

More information

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006 Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From

More information

Unbreakable ABAP? Vulnerabilities in custom ABAP Code Markus Schumacher, Co-Founder Virtual Forge GmbH

Unbreakable ABAP? Vulnerabilities in custom ABAP Code Markus Schumacher, Co-Founder Virtual Forge GmbH Unbreakable ABAP? Vulnerabilities in custom ABAP Code Markus Schumacher, Co-Founder Virtual Forge GmbH 10.- 12. März 2010 Print Media Academy, Heidelberg Page 2 Virtual Forge GmbH - http://virtualforge.de

More information

AppDefend Application Firewall Overview

AppDefend Application Firewall Overview AppDefend Application Firewall Overview May 2014 Stephen Kost Chief Technology Officer Integrigy Corporation Agenda Web Application Security AppDefend Overview Q&A 1 2 3 4 5 Oracle EBS Web Architecture

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Auditing Web Applications

Auditing Web Applications Auditing Web Applications IT Audit strategies for web applications August 2015 ISACA Geek Week Robert Morella MBA, CISA, CGEIT, CISSP Rob.morella@gmail.com 1 About Me Been there done that: IT Systems IT

More information

Application Security and the SDLC. Dan Cornell Denim Group, Ltd. www.denimgroup.com

Application Security and the SDLC. Dan Cornell Denim Group, Ltd. www.denimgroup.com Application Security and the SDLC Dan Cornell Denim Group, Ltd. www.denimgroup.com Overview Background What is Application Security and Why is It Important? Specific Reference Examples Integrating Security

More information

HTTPParameter Pollution. ChrysostomosDaniel

HTTPParameter Pollution. ChrysostomosDaniel HTTPParameter Pollution ChrysostomosDaniel Introduction Nowadays, many components from web applications are commonly run on the user s computer (such as Javascript), and not just on the application s provider

More information

Web Application Firewall on SonicWALL SSL VPN

Web Application Firewall on SonicWALL SSL VPN Web Application Firewall on SonicWALL SSL VPN Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SSL VPN 5.0. This document contains the following

More information

Web application security: Testing for vulnerabilities

Web application security: Testing for vulnerabilities Web application security: Testing for vulnerabilities Using open source tools to test your site Jeff Orloff Technology Coordinator/Consultant Sequoia Media Services Inc. Skill Level: Intermediate Date:

More information

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr

More information

Web Application Security

Web Application Security Web Application Security Security Mitigations Halito 26 juni 2014 Content Content... 2 Scope of this document... 3 OWASP Top 10... 4 A1 - Injection... 4... 4... 4 A2 - Broken Authentication and Session

More information

Web Vulnerability Assessment Report

Web Vulnerability Assessment Report Web Vulnerability Assessment Report Target Scanned: www.daflavan.com Report Generated: Mon May 5 14:43:24 2014 Identified Vulnerabilities: 39 Threat Level: High Screenshot of www.daflavan.com HomePage

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information