Large Scale Generation of Complex and Faulty PHP Test Cases
Size: px
Start display at page:

Download "Large Scale Generation of Complex and Faulty PHP Test Cases"

Transcription

1 Large Scale Generation of Complex and Faulty PHP Test Cases Bertrand STIVALET Elizabeth FONG ICST 2016 Chicago, IL, USA April 15th,

2 Authors Bertrand STIVALET National Institute of Standards and Technology Elizabeth FONG National Institute of Standards and Technology 2

3 "If debugging is the process of removing software bugs, then programming must be the process of putting them in" E. Dijkstra 3

4 NIST - SAMATE - SARD NIST - National Institute of Standards and Technology Part of the US Department Of Commerce Promote U.S. Innovation and Industrial Competitiveness SAMATE - Software Assurance Metrics And Tool Evaluation Improve Software Assurance by: developing materials, specifications, and methods testing tools and techniques and measure their effectiveness SARD - Software Assurance Reference Dataset Provide database of known security flaws C/C++, JAVA, PHP, C# 148,903 Test cases / 665,481 Files 4

5 Outline 1. Software Testing 5

6 Outline 1. Software Testing Static Application Security Testing 6

7 Outline 2. Design of Test Cases 1. Software Testing Test Cases Static Application Security Testing 7

8 Outline 3. PHP Vulnerability Test Cases Generator 2. Design of Test Cases 1. Software Testing Test Cases Generator Test Cases Static Application Security Testing 8

9 Outline 3. PHP Vulnerability Test Cases Generator 2. Design of Test Cases 1. Software Testing Test Cases Generator Test Cases Static Application Security Testing 4. Live Demo 9

10 1. Software Testing Introduction to Static Analysis 10

11 Static Analysis Automated analysis of large software Defect detection and remediation Use different approaches: Syntax checking Heuristics Formal methods 11

12 Static Analysis Automated analysis of large software Defect detection and remediation Use different approaches Buggy Source Compilation Buggy Software 12

13 Static Analysis Automated analysis of large software Defect detection and remediation Use different approaches Buggy Source Static Analysis Bug Report Remediation 13

14 Static Analysis Automated analysis of large software Defect detection and remediation Use different approaches Fixed Source Compilation Secure Software 14

15 Static Analysis Automated analysis of large software Defect detection and remediation Use different approaches Buggy Source Static Analysis Bug Report? 15

16 Static Analysis Testing Static Analysis Bug Report True Negative 16

17 Static Analysis Testing Static Analysis Bug Report True Negative Static Analysis Bug Report False Positive 17

18 Static Analysis Testing Static Analysis Bug Report True Negative Static Analysis NOISE Bug Report False Positive 18

19 Static Analysis Testing Static Analysis Bug Report True Negative Static Analysis NOISE Bug Report False Positive Buggy Static Analysis Bug Report True Positive 19

20 Static Analysis Testing Static Analysis Bug Report True Negative Static Analysis NOISE Bug Report False Positive Buggy Static Analysis Bug Report True Positive Buggy Static Analysis Bug Report False Negative 20

21 Static Analysis Testing Static Analysis Bug Report True Negative Static Analysis NOISE Bug Report False Positive Buggy Static Analysis Bug Report True Positive Buggy MISSED DEFECT Static Analysis Bug Report False Negative 21

22 Pros and Cons Improves software assurance Saves time and money Takes customized rule sets False positive (noise) False negative (missed defects) Limited scope 22

23 2. Design of Test Cases Test cases features 23

24 Test Cases Design Cover the most vulnerabilities possible Various complexities Statistically significant Ground truth Paired safe and flawed test cases Representative of production code 24

25 PHP Test Case Example 25

26 PHP Test Case Example INPUT 26

27 PHP Test Case Example INPUT FILTERING 27

28 PHP Test Case Example INPUT FILTERING SINK 28

29 3. PHP Vulnerability Test Cases Generator Overview of the Test Cases generator 29

30 Test Cases Generator Conditional Loops Functions Classes Multiple Files Complexities: choose none, one, or combine several Input Templates Filtering Templates Sink Templates Selected Input Selected Filtering Selected Sink Buggy File Structure: Input + Filtering + Sink 30

31 Test Cases Design Various complexities Statistically significant Ground truth Paired safe and flawed test cases Cover the more vulnerabilities possible Representative of production code 31

32 Vulnerabilities covered Vulnerabilities based on OWASP Top [ #safe / #unsafe ] Injection [ / 5920 ] Broken Authentication and Session Management Cross Site Scripting (XSS) [ 5728 / 4352 ] Insecure Direct Object References [ 400 / 80 ] Security Misconfiguration [ 5 / 3 ] Sensitive Data Exposure [ 5 / 7 ] Missing Function Level Access Control Cross-Site Request Forgery (CSRF) Using Known Vulnerable Component Unvalidated Redirects and Forwards [ 2208 / 2592 ] 32

33 4. Live Demo Generating Test Cases to Testing 33

34 Live Demo <?PHP Vulnerability Test Case Generator?> PHP Test Cases 34

35 RIPS - Metrics Missed defects - present : found : 312* Recall = 312 / 912 = 34.2% * considering all findings are True positives 35

36 Report SQL Injection : Userinput reaches sensitive sink. RIPS - True Positive INPUT FILTERING SINK CWE_89 GET no_sanitizing multiple_select-interpretation.php 36

37 Report SQL Injection : Userinput returned by function getinput() reaches sensitive sink. RIPS - False Positive INPUT FILTERING SINK CWE_89 object-directget CAST-func_settype_float multiple_as-sprintf_%u.php 37

38 Conclusion Tools need evaluation! Test cases need improvement PHP Vulnerability Test Suite Generator: Automated generation Modular and expandable Customizable with options PHP test cases generated 38

39 Conclusion Tool is available on Github: Test cases are hosted in the SARD: Project is already used by researchers: M. K. Gupta, et al, Security Vulnerabilities in Web Applications", JCSSE 2015 M. K. Gupta, et al, "XSSDM: Towards Detection and Mitigation of Cross-Site Scripting Vulnerabilities in Web Applications", ICACCI 2015 SATE VI - Static Analysis Tool Exposition, NIST

40 Thanks! Any questions? Find us at: 40

Similar documents

Evaluating Bug Finders

Evaluating Bug Finders Evaluating Bug Finders Test and Measurement of Static Code Analyzers Aurelien DELAITRE Bertrand STIVALET http://samate.nist.gov ICSE - COUFLESS 2015 May 23, 2015 Authors Aurelien DELAITRE West Virginia

More information

Large Scale Generation of Complex and Faulty PHP Test Cases

Large Scale Generation of Complex and Faulty PHP Test Cases Large Scale Generation of Complex and Faulty PHP Test Cases Bertrand Stivalet, Elizabeth Fong Software and Systems Divison, National Institute of Standards and Technology Gaithersburg, MD, 20899, USA {bertrand.stivalet,

More information

Application Security Approach

Application Security Approach Technical Approach Page 1 CONTENTS Section Page No. 1. Introduction 3 2. What is Application Security 7 3. Typical Approaches 9 4. Methodology 11 Page 2 1. INTRODUCTION Page 3 It is a Unsafe Cyber world..

More information

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017 OWASP Top 10-2017 David Caissy OWASP Los Angeles Chapter July 2017 About Me David Caissy Web App Penetration Tester Former Java Application Architect IT Security Trainer: Developers Penetration Testers

More information

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut. OWASP Review Amherst Security Group June 14, 2017 Robert Hurlbut RobertHurlbut.com @RobertHurlbut Robert Hurlbut Software Security Consultant, Architect, and Trainer Owner / President of Robert Hurlbut

More information

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology DEFENSIVE PROGRAMMING Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology Traditional Programming When writing a program, programmers typically

More information

Using and Customizing Microsoft Threat Modeling Tool 2016

Using and Customizing Microsoft Threat Modeling Tool 2016 Using and Customizing Microsoft Threat Modeling Tool 2016 Boston Code Camp 27 March 25, 2017 Robert Hurlbut RobertHurlbut.com @RobertHurlbut Boston Code Camp 27 - Thanks to our Sponsors! Platinum Gold

More information

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14 Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.

More information

Certified Secure Web Application Engineer

Certified Secure Web Application Engineer Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),

More information

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing Advancing Expertise in Security Testing Taming the Wild West Canberra, Australia 1 Who is this guy? Andrew

More information

Secure Programming Techniques

Secure Programming Techniques Secure Programming Techniques Meelis ROOS mroos@ut.ee Institute of Computer Science Tartu University spring 2014 Course outline Introduction General principles Code auditing C/C++ Web SQL Injection PHP

More information

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES What is the OWASP Top 10? A list of the top ten web application vulnerabilities Determined by OWASP and the security community at large

More information

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA) EPRI Software Development 2016 Guide for Testing Your Software Software Quality Assurance (SQA) Usability Testing Sections Installation and Un-Installation Software Documentation Test Cases or Tutorial

More information

Web Application Security. Philippe Bogaerts

Web Application Security. Philippe Bogaerts Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security

More information

Application vulnerabilities and defences

Application vulnerabilities and defences Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database

More information

Development*Process*for*Secure* So2ware

Development*Process*for*Secure* So2ware Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development

More information

Web Application Vulnerabilities: OWASP Top 10 Revisited

Web Application Vulnerabilities: OWASP Top 10 Revisited Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and

More information

OWASP TOP 10. By: Ilia

OWASP TOP 10. By: Ilia OWASP TOP 10 By: Ilia Alshanetsky @iliaa ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado WEB SECURITY THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN WEB

More information

6-Points Strategy to Get Your Application in Security Shape

6-Points Strategy to Get Your Application in Security Shape 6-Points Strategy to Get Your Application in Security Shape Sherif Koussa OWASP Ottawa Chapter Leader Static Analysis Technologies Evaluation Criteria Project Leader Application Security Specialist - Software

More information

CSWAE Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized

More information

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Charting the Course to Your Success! Securing.Net Web Applications Lifecycle Course Summary Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based

More information

Your Turn to Hack the OWASP Top 10!

Your Turn to Hack the OWASP Top 10! OWASP Top 10 Web Application Security Risks Your Turn to Hack OWASP Top 10 using Mutillidae Born to Be Hacked Metasploit in VMWare Page 1 https://www.owasp.org/index.php/main_page The Open Web Application

More information

Introductions. Jack Katie

Introductions. Jack Katie Main Screen Turn On Hands On Workshop Introductions Jack Skinner @developerjack Katie McLaughlin @glasnt And what about you? (not your employer) What s your flavour? PHP, Ruby, Python? Wordpress, Drupal,

More information

Source Code Patterns of Cross Site Scripting in PHP Open Source Projects

Source Code Patterns of Cross Site Scripting in PHP Open Source Projects in PHP Open Source Projects Felix Schuckert 12, Max Hildner 1, Basel Katt 2, and Hanno Langweg 12 1 HTWG Konstanz, Department of Computer Science, Konstanz, Baden-Württemberg, Germany felix.schuckert@htwg-konstanz.de

More information

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite: Securing Java/ JEE Web Applications (TT8320-J) Day(s): 4 Course Code: GK1123 Overview Securing Java Web Applications is a lab-intensive, hands-on Java / JEE security training course, essential for experienced

More information

SECURITY TESTING. Towards a safer web world

SECURITY TESTING. Towards a safer web world SECURITY TESTING Towards a safer web world AGENDA 1. 3 W S OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS ate: 2013-14 Few Security Breaches September

More information

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant Penetration Testing following OWASP Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant За Лирекс Penetration testing A method of compromising the security of a computer system or network by

More information

Developing Secure Systems. Associate Professor

Developing Secure Systems. Associate Professor Developing Secure Systems Introduction Aug 27, 2014 James Joshi, Associate Professor Contact t James Joshi 706A, IS Building Phone: 412-624-9982 E-mail: jjoshi@mail.sis.pitt.edu Web: http://www.sis.pitt.edu/~jjoshi/courses/is2620/fall14/

More information

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite: Secure Java Web Application Development Lifecycle - SDL (TT8325-J) Day(s): 5 Course Code: GK1107 Overview Secure Java Web Application Development Lifecycle (SDL) is a lab-intensive, hands-on Java / JEE

More information

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

WEB APPLICATION SCANNERS. Evaluating Past the Base Case WEB APPLICATION SCANNERS Evaluating Past the Base Case GREG OSE PATRICK TOOMEY Presenter Intros Overview An overview of web application scanners Why is it hard to evaluate scanner efficacy? Prior Work

More information

Web Application Threats and Remediation. Terry Labach, IST Security Team

Web Application Threats and Remediation. Terry Labach, IST Security Team Web Application Threats and Remediation Terry Labach, IST Security Team IST Security Team The problem While we use frewalls and other means to prevent attackers from access to our networks, we encourage

More information

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 Securing Web Applications: Defense Mechanisms Kishin Fatnani Founder & Director K-Secure Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 1 Agenda Current scenario in Web Application

More information

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report. Report on IRONWASP Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing.

More information

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain

More information

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock OWASP Top 10 2017 David Johansson Principal Consultant, Synopsys Presentation material contributed by Andrew van der Stock David Johansson Security consultant with 10 years in AppSec Helping clients design

More information

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda THREAT MODELING IN SOCIAL NETWORKS Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda INTRODUCTION Social Networks popular web service. 62% adults worldwide use social media 65% of world top companies

More information

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017. Atlassian Software Development and Collaboration Tools Atlassian Bugcrowd Bounty Program Results Report created on October 04, 2017 Prepared by Ryan Black, Director of Technical Operations Table of Contents

More information

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech PEACH API SECURITY AUTOMATING API SECURITY TESTING Peach.tech Table of Contents Introduction... 3 Industry Trends... 3 API growth... 3 Agile and Continuous Development Frameworks... 4 Gaps in Tooling...

More information

OWASP 5/07/09. The OWASP Foundation OWASP Static Analysis (SA) Track Session 1: Intro to Static Analysis

OWASP 5/07/09. The OWASP Foundation OWASP Static Analysis (SA) Track Session 1: Intro to Static Analysis Static Analysis (SA) Track Session 1: Intro to Static Analysis Eric Dalci Cigital edalci at cigital dot com 5/07/09 Copyright The Foundation Permission is granted to copy, distribute and/or modify this

More information

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance IBM Innovate 2010 CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance Anthony Lim MBA CISSP CSSLP FCITIL Director, Asia Pacific, Software Security Solutions IBM,

More information

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach 2016 Presented by James Tarala (@isaudit) Principal Consultant Enclave Security 2 Historic Threat Hunting German

More information

Developing Secure Systems. Introduction Aug 30, James Joshi, Professor, SCI

Developing Secure Systems. Introduction Aug 30, James Joshi, Professor, SCI Developing Secure Systems Introduction Aug 30, 2017 James Joshi, Professor, SCI Contact James Joshi 706A, IS Building Phone: 412-624-9982 E-mail: jjoshi@mail.sis.pitt.edu Web: http://www.sis.pitt.edu/~jjoshi/courses/is2620/fall17/

More information

Applications Security

Applications Security Applications Security OWASP Top 10 PyCon Argentina 2018 Objectives Generate awareness and visibility on web-apps security Set a baseline of shared knowledge across the company Why are we here / Trigger

More information

SAMATE (Software Assurance Metrics And Tool Evaluation) Project Overview. Tim Boland NIST May 29,

SAMATE (Software Assurance Metrics And Tool Evaluation) Project Overview. Tim Boland NIST May 29, SAMATE (Software Assurance Metrics And Tool Evaluation) Project Overview Tim Boland NIST May 29, 2012 http://samate.nist.gov t.boland@nist.gov 1 NationaI Institute of Standards and Technology (NIST) NIST,

More information

V Conference on Application Security and Modern Technologies

V Conference on Application Security and Modern Technologies V Conference on Application Security and Modern Technologies In collaborazione con Venezia, Università Ca Foscari 6 Ottobre 2017 1 Matteo Meucci OWASP Nuovi standard per la sicurezza applicativa 2

More information

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria Apostol Vassilev, Principal Consultant September 23,2009. Product Testing in Common Criteria Product Testing in Common Criteria

More information

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application

More information

Clojure Web Security. FrOSCon Joy Clark & Simon Kölsch

Clojure Web Security. FrOSCon Joy Clark & Simon Kölsch Clojure Web Security FrOSCon 2016 Joy Clark & Simon Kölsch Clojure Crash Course (println "Hello Sankt Augustin!") Lisp + JVM Functional programming language Simple programming model Immutable Data Structures

More information

Security Communications and Awareness

Security Communications and Awareness Security Communications and Awareness elearning OVERVIEW Recent high-profile incidents underscore the need for security awareness training. In a world where your employees are frequently exposed to sophisticated

More information

Security Communications and Awareness

Security Communications and Awareness Security Communications and Awareness elearning OVERVIEW Recent high-profile incidents underscore the need for security awareness training. In a world where your employees are frequently exposed to sophisticated

More information

OWASP ASVS for NFTaaS in Financial Services OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST

OWASP ASVS for NFTaaS in Financial Services OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST OWASP ASVS for NFTaaS in Financial Services OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST Agenda Chapter I - Brief Introduction Chapter II - Why OWASP ASVS? Chapter III - OWAS ASVS in Practice Chapter IV

More information

Sichere Webanwendungen mit Java

Sichere Webanwendungen mit Java Sichere Webanwendungen mit Java Karlsruher IT- Sicherheitsinitiative 16.07.2015 Dominik Schadow bridgingit Patch fast Unsafe platform unsafe web application Now lets have a look at the developers OWASP

More information

Finding Architectural Flaws in Android Apps Is Easy

Finding Architectural Flaws in Android Apps Is Easy Finding Architectural Flaws in Android Apps Is Easy By Radu Vanciu and Marwan Abi-Antoun Department of Computer Science Wayne State University Detroit, Michigan, USA This work was supported in part by

More information

Simplifying Application Security and Compliance with the OWASP Top 10

Simplifying Application Security and Compliance with the OWASP Top 10 Simplifying Application Security and Compliance with the OWASP Top 10 An Executive Perspective 187 Ballardvale Street, Wilmington, MA 01887 978.694.1008 ExECuTivE PErSPECTivE 2 introduction From a management

More information

F5 Application Security. Radovan Gibala Field Systems Engineer

F5 Application Security. Radovan Gibala Field Systems Engineer 1 F5 Application Security Radovan Gibala Field Systems Engineer r.gibala@f5.com +420 731 137 223 2007 2 Agenda Challenge Websecurity What are the problems? Building blocks of Web Applications Vulnerabilities

More information

ShiftLeft. Real-World Runtime Protection Benchmarking

ShiftLeft. Real-World Runtime Protection Benchmarking ShiftLeft Real-World Runtime Protection Benchmarking Table of Contents Executive Summary... 02 Testing Approach... 02 ShiftLeft Technology... 04 Test Application... 06 Results... 07 SQL injection exploits

More information

Presentation Overview

Presentation Overview Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With Vulnerable Applications Understanding the Software Attack Surface Mean Time to Fix (MTTF) Explained Application

More information

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,

More information

1 About Web Security. What is application security? So what can happen? see [?]

1 About Web Security. What is application security? So what can happen? see [?] 1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi

More information

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11 Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:

More information

Aguascalientes Local Chapter. Kickoff

Aguascalientes Local Chapter. Kickoff Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark

More information

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing Case Study Virtual Patching/Legacy Applications May 2017 Saving Time and Costs with Virtual Patching and Legacy Application Modernizing Instant security and operations improvement without code changes

More information

Continuously Discover and Eliminate Security Risk in Production Apps

Continuously Discover and Eliminate Security Risk in Production Apps White Paper Security Continuously Discover and Eliminate Security Risk in Production Apps Table of Contents page Continuously Discover and Eliminate Security Risk in Production Apps... 1 Continuous Application

More information

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE Nicholas Carlini, Adrienne Porter Felt, David Wagner University of California, Berkeley CHROME EXTENSIONS CHROME EXTENSIONS servers servers

More information

eb Security Software Studio

eb Security Software Studio eb Security Software Studio yslin@datalab 1 OWASP Top 10 Security Risks in 2017 Rank Name 1 Injection 2 Broken Authentication and Session Management 3 Cross-Site Scripting (XSS) 4 Broken Access Control

More information

IronWASP (Iron Web application Advanced Security testing Platform)

IronWASP (Iron Web application Advanced Security testing Platform) IronWASP (Iron Web application Advanced Security testing Platform) 1. Introduction: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability

More information

Application. Security. on line training. Academy. by Appsec Labs

Application. Security. on line training. Academy. by Appsec Labs Application Security on line training Academy by Appsec Labs APPSEC LABS ACADEMY APPLICATION SECURITY & SECURE CODING ON LINE TRAINING PROGRAM AppSec Labs is an expert application security company serving

More information

Web Applications Penetration Testing

Web Applications Penetration Testing Web Applications Penetration Testing Team Members: Rahul Motwani (2016ME10675) Akshat Khare (2016CS10315) ftarth Chopra (2016TT10829) Supervisor: Prof. Ranjan Bose Before proceeding further, we would like

More information

Exploiting and Defending: Common Web Application Vulnerabilities

Exploiting and Defending: Common Web Application Vulnerabilities Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,

More information

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes

More information

SECURITY OF VEHICLE TELEMATICS SYSTEMS. Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic University

SECURITY OF VEHICLE TELEMATICS SYSTEMS. Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic University SECURITY OF VEHICLE TELEMATICS SYSTEMS Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic University 1 2 3 TELEMATICS 4 TELEMATICS 5 OBD-II On-Board Diagnostic Perform emissions related

More information

16th Annual Karnataka Conference

16th Annual Karnataka Conference 16th Annual Karnataka Conference GRC Compliance to Culture JULY 19 & 20, 2013 Topic OWASP Top 10 An Overview Speakers Akash Mahajan & Tamaghna Basu OWASP Top 10 An Overview The Open Web Application Security

More information

Managed Application Security trends and best practices in application security

Managed Application Security trends and best practices in application security Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro About Me Adrian Locusteanu is the B2B

More information

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications

More information

Important Points to Note

Important Points to Note Important Points to Note All Participating colleges are requested to mute your telephone lines during the webinar session. Participants are requested to make note of questions / responses to questions,

More information

Atlassian Crowdsourced Penetration Test Results: January 2018

Atlassian Crowdsourced Penetration Test Results: January 2018 Atlassian Software Development and Collaboration Tools Atlassian Crowdsourced Penetration Test Results: January 2018 Bugcrowd Ongoing program results Report created on February 16, 2018 Report date range:

More information

Application Layer Security

Application Layer Security Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side

More information

Vulnerabilities in web applications

Vulnerabilities in web applications Vulnerabilities in web applications Web = Client + Server Client (browser) request HTTP response Server HTTP request contains the URL of the resource and the header HTTP response contains a status code,

More information

The Top 6 WAF Essentials to Achieve Application Security Efficacy

The Top 6 WAF Essentials to Achieve Application Security Efficacy The Top 6 WAF Essentials to Achieve Application Security Efficacy Introduction One of the biggest challenges IT and security leaders face today is reducing business risk while ensuring ease of use and

More information

PRESENTED BY:

PRESENTED BY: PRESENTED BY: scheff@f5.com APPLICATIONS ARE The reason people use the Internet The business the target The gateway to DATA 765 Average # of Apps in use per enterprise 6 min before its scanned 1/3 If vulnerable,

More information

gfuzz: An instrumented Web application fuzzing environment Ezequiel D. Gutesman Corelabs Core Security Technologies

gfuzz: An instrumented Web application fuzzing environment Ezequiel D. Gutesman Corelabs Core Security Technologies gfuzz: An instrumented Web application fuzzing environment Ezequiel D. Gutesman Corelabs Core Security Technologies Objectives Present a working tool (prototype-poc) to test the security of a given web

More information

https://tale.sh/mlin17

https://tale.sh/mlin17 First Steps to Building Secure Magento Extensions https://tale.sh/mlin17 Page 1 Talesh Seeparsan CTO Bit79 Page 2 There is no such thing as an unhackable site You just need to be able to run faster than

More information

RiskSense Attack Surface Validation for Web Applications

RiskSense Attack Surface Validation for Web Applications RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment

More information

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam. Eleonora Petridou Pascal Cuylaerts System And Network Engineering University of Amsterdam June 30, 2011 Outline Research question About Perslink Approach Manual inspection Automated tests Vulnerabilities

More information

Engineering Your Software For Attack

Engineering Your Software For Attack Engineering Your Software For Attack Robert A. Martin Senior Principal Engineer Cyber Security Center Center for National Security The MITRE Corporation 2013 The MITRE Corporation. All rights reserved.

More information

The OWASP Foundation

The OWASP Foundation Application Bug Chaining July 2009 Mark Piper User Catalyst IT Ltd. markp@catalyst.net.nz Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms

More information

Web Security. Web Programming.

Web Security. Web Programming. Web Security Web Programming yslin@datalab 1 OWASP Top 10 Security Risks in 2017 Rank Name 1 Injection 2 Broken Authentication and Session Management 3 Cross-Site Scripting (XSS) 4 Broken Access Control

More information

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED AUTOMATED CODE ANALYSIS WEB APPLICATION VULNERABILITIES IN 2017 CONTENTS Introduction...3 Testing methods and classification...3 1. Executive summary...4 2. How PT AI works...4 2.1. Verifying vulnerabilities...5

More information

JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS

JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS WHO I AM Working with Django 9 years, 5 at Lawrence Journal- World Commit bit since 2007 Involved in Django s release and

More information

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -

More information

GOING WHERE NO WAFS HAVE GONE BEFORE

GOING WHERE NO WAFS HAVE GONE BEFORE GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation

More information

Top 10 Web Application Vulnerabilities

Top 10 Web Application Vulnerabilities Top 10 Web Application Vulnerabilities Why you should care about them plus a live hacking demo!! Why should you care?! Insecure so*ware is undermining our financial, healthcare, defense, energy, and other

More information

Solutions Business Manager Web Application Security Assessment

Solutions Business Manager Web Application Security Assessment White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security

More information

Table of Contents Computer Based Training - Security Awareness - General Staff AWA 007 AWA 008 AWA 009 AWA 010 AWA 012 AWA 013 AWA 014 AWA 015

Table of Contents Computer Based Training - Security Awareness - General Staff AWA 007 AWA 008 AWA 009 AWA 010 AWA 012 AWA 013 AWA 014 AWA 015 Table of Contents Computer Based Training - Security Awareness - General Staff AWA 007 - Information Privacy and Security Awareness for Executives (Duration: 45 minutes)...1 AWA 008 - Information Privacy

More information

State of Software Security Report Volume 2. Jeff Ennis, CEH Solutions Architect Veracode

State of Software Security Report Volume 2. Jeff Ennis, CEH Solutions Architect Veracode State of Software Security Report Volume 2 Jeff Ennis, CEH Solutions Architect Veracode 1 Agenda Background Metrics, Distribution of Applications Security of Applications Third Party Risk Summary 2 Background

More information

CIS 4360 Secure Computer Systems XSS

CIS 4360 Secure Computer Systems XSS CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection

More information

Secure Development Guide

Secure Development Guide Secure Development Guide Oracle Health Sciences InForm 6.1.1 Part number: E72493-01 Copyright 2016, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided

More information

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title Defend Your Web Applications Against the OWASP Top 10 Security Risks Speaker Name, Job Title Application Security Is Business Continuity Maintain and grow revenue Identify industry threats Protect assets

More information

Cybersecurity Education Catalog

Cybersecurity Education Catalog Cybersecurity Education Catalog CYBERSECURITY EDUCATION CATALOG Introduction The human factor what employees do or don t do is the biggest vulnerability to an organization s information security, yet it

More information

Security Solution. Web Application

Security Solution. Web Application Web Application Security Solution Netsparker is a web application security solution that can be deployed on premise, on demand or a combination of both. Unlike other web application security scanners,

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback