Download Tara and Orcun

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
Document related concepts

Carrier IQ wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Computer security wikipedia , lookup

Microsoft Security Essentials wikipedia , lookup

Cross-site scripting wikipedia , lookup

Malware wikipedia , lookup

Mobile security wikipedia , lookup

Transcript 
By Tara Lingle and Orcun Tagtekin
CAP6135 – Malware and Software Vulnerability Analysis

Web Application Vulnerability Scanning searches for
software vulnerabilities within web applications:
-


Web Application Security (Scripting issues)
Technical Vulnerabilities (Cross-site Scripting)
Security Vulnerabilities (Denial of Service)
Architectural/Logical Vulnerabilities (Information Leakage)
Can be used to help identify potential security
vulnerabilities within commercial and proprietary
based web applications.
Frequently used in both the pre-deployment and postdeployment test cycles.
CAP6135 – Malware and Software Vulnerability Analysis

The goal of this project is to explore both the
commercial and open source web application
vulnerability scanners that currently exist and
determine which one(s) we would recommend
to an organization.
-
-
Evaluate leading commercial products, to include features,
strengths and weaknesses
Compare our findings with other research
Review a number of open source tools available
Decide how the commercial products compare against the open
source tools
CAP6135 – Malware and Software Vulnerability Analysis
CAP6135 – Malware and Software Vulnerability Analysis





Limited number of false positives and false negatives
Ability to customize configuration options for internal
needs
Covers all major platforms (Java, JavaScript, PHP, ASP,
ASP.NET), including dynamic content
Ease of use for non-security professionals
Powerful, automated scanning engine that can handle
complexities by default (i.e. minimal manual
intervention)
CAP6135 – Malware and Software Vulnerability Analysis






Vendor Support
Tests both application vulnerabilities and known web
server vulnerabilities
Usable reports and data
Maintenance/upgrade costs
Expandability for future needs of the organization
Can obtain periodic updates as new vulnerabilities are
introduced
CAP6135 – Malware and Software Vulnerability Analysis

Acunetix Web Vulnerability Scanner by
Acunetix



AppScan by IBM/Watchfire, Inc.
WebInspect by HP/SPI-Dynamics
Hailstorm by Cenzic
CAP6135 – Malware and Software Vulnerability Analysis
Web Application Vulnerability Scanning Software - Comparison of Strengths/Weaknesses
Product
AppScan (IBM)
Web Vulnerability Scanner
(Acunetix)
WebInspect (HP)
Hailstorm (Cenzic)
Strengths
Design and Ease of Use
Documentation and Help
Files
Ease in manual
adjustments/administration
Reports
Ability to map and scan Ajax
applications (client-side
functionality)
CAP6135 – Malware and Software Vulnerability Analysis
Web Application Vulnerability Software - Comparison of Strengths/Weaknesses
Product
AppScan (IBM)
Web Vulnerability Scanner
(Acunetix)
WebInspect (HP)
Hailstorm (Cenzic)
Weaknesses
Prevalence of False
Positives
Prevalence of False
Negatives
Documentation and Help
Files
Reports
Ability to map and scan Ajax
applications (client-side
functionality)
Pricing
License/Support
CAP6135 – Malware and Software Vulnerability Analysis
CAP6135 – Malware and Software Vulnerability Analysis


What are the trade-offs of using an open source tool over
a commercial product?
Do any of them meet the requirements statement
outlined?
CAP6135 – Malware and Software Vulnerability Analysis









Nikto by Sullo
Paros by Chinotec
WebScarab by Rogan Dawes
Grabber by Romain Gaucher
Grendel-Scan by David Byrne and Eric Duprey
Pantera by Simon Roses Femerling
Powerfuzzer by Marcin Kozlowski
Scuba by Imperva
Wapiti by Nicolas Surribas
CAP6135 – Malware and Software Vulnerability Analysis
CAP6135 – Malware and Software Vulnerability Analysis
Related documents
This Article argues that intellectual property law stifles critical
This Article argues that intellectual property law stifles critical
Assessing vulnerability to climate change in South East Europe
Assessing vulnerability to climate change in South East Europe
GHG Inventory review - E-Learning Module
GHG Inventory review - E-Learning Module
Climate Change and Health A Framework for Discussion
Climate Change and Health A Framework for Discussion
Acronyms abbreviations
Acronyms abbreviations
Cybersecurity of Medical Devices
Cybersecurity of Medical Devices
Presentation - National Forest Foundation
Presentation - National Forest Foundation
Vulnerability analysis consists of several steps: Defining and
Vulnerability analysis consists of several steps: Defining and
Remember to use a large enough font
Remember to use a large enough font
ppt - Vula
ppt - Vula
Vulnerability
Vulnerability
Climate Change Impacts in the Context of Economic Globalization
Climate Change Impacts in the Context of Economic Globalization
Careless Delegation of Trust
Careless Delegation of Trust
Oihana Blanco, ReRisk
Oihana Blanco, ReRisk
Vulnerability Analysis & Patches Management Using Secure Mobile
Vulnerability Analysis & Patches Management Using Secure Mobile