
Securing WebApps – A Survey of Vulnerabilities & Static Analysis Tools Lewis Sykalski



Presentation Transcript


  1. Securing WebApps – A Survey of Vulnerabilities & Static Analysis Tools Lewis Sykalski SMU D.E. Software Engineering Student Lockheed Martin - Flight Simulation Engineer lsykalski@smu.edu

  2. OWASP 2013 Candidate List

  3. Injection

  4. Cross-Site Scripting

  5. CSRF

  6. Insecure Direct Object Reference

  7. What is Static Analysis?
  • Static program analysis is:
    • an analysis method that determines whether vulnerabilities exist by examining the code in a non-dynamic (non-running) state.
    • Usually the source code is analyzed, although some tools can analyze object code.
    • The most successful tools analyze each line of code in the context of the whole program, rather than checking one line at a time in isolation from the rest of the program.

  8. Dynamic Analysis?
  • Dynamic analysis:
    • analysis of the software while the webapp is running.
    • can be performed either in a white-box setting, where everything about the application is known, or in a black-box setting, where nothing or very little is known.

  9. Open Source Options

  10. Open Source Options (cont.)

  11. LAPSE+
  • OWASP LAPSE+:
    • Java plug-in that integrates tightly with the Eclipse IDE (Helios+, JRE 1.6+).
    • useful for detecting and then analyzing security vulnerabilities caused by untrusted data injection in Java webapps.
    • operates on the concept of sources and sinks: the source is where untrusted data enters (e.g. a cookie or HTTP parameters) and the sink is where that data is used to change the application's behavior (e.g. the servlet response or an HTML page).
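To make the source-and-sink model of LAPSE+ concrete, and the slide-7 point that whole-program analysis beats line-at-a-time checking, here is an added toy taint tracker in Python. It is not LAPSE+'s code; the intermediate representation, the servlet-like sample program and all names in it are constructed for this illustration.

```python
# Tiny IR, constructed for this example (loosely mirrors a Java servlet). A program maps a
# function name to (parameter names, statements):
#   ("source", x) x = untrusted input   ("assign", x, y) x = y   ("sanitize", x, y) x = encode(y)
#   ("call", x, f, [args]) x = f(args)  ("sink", x) x is written to the response  ("return", x)
PROGRAM = {
    "doGet": (["request"], [
        ("source", "name"),                        # name = request.getParameter("name")
        ("call", "greeting", "build", ["name"]),   # greeting = build(name)
        ("sink", "greeting"),                      # out.println(greeting)   real flaw
        ("call", "safe", "buildSafe", ["name"]),   # safe = buildSafe(name)
        ("sink", "safe"),                          # out.println(safe)       encoded, fine
    ]),
    "build": (["s"], [("assign", "msg", "s"), ("return", "msg")]),
    "buildSafe": (["s"], [("sanitize", "msg", "s"), ("return", "msg")]),
}

def analyze(prog: dict, fn: str, tainted_args=(), depth: int = 0):
    """Whole-program pass: returns (is the return value tainted?, source-to-sink findings)."""
    params, body = prog[fn]
    tainted = {p for p in params if p in tainted_args}
    findings = []
    ret_tainted = False
    if depth > 16:                 # guard against recursive call graphs
        return True, findings      # conservative: assume the result is tainted
    def mark(var: str, is_tainted: bool) -> None:
        (tainted.add if is_tainted else tainted.discard)(var)
    for stmt in body:
        op = stmt[0]
        if op == "source":
            tainted.add(stmt[1])
        elif op == "assign":
            mark(stmt[1], stmt[2] in tainted)
        elif op == "sanitize":
            tainted.discard(stmt[1])
        elif op == "call":
            dst, callee, args = stmt[1], stmt[2], stmt[3]
            targs = {p for p, a in zip(prog[callee][0], args) if a in tainted}
            rt, sub = analyze(prog, callee, targs, depth + 1)
            findings += sub
            mark(dst, rt)
        elif op == "sink" and stmt[1] in tainted:
            findings.append(f"{fn}: tainted '{stmt[1]}' reaches a sink")
        elif op == "return":
            ret_tainted = stmt[1] in tainted
    return ret_tainted, findings

def line_local_scan(prog: dict) -> list:
    """Single-statement view: every sink looks identical, so both are reported (one false positive)."""
    return [f"{fn}: '{s[1]}' is written to a sink"
            for fn, (_, body) in prog.items() for s in body if s[0] == "sink"]
```

The whole-program pass follows `name` into `build` and `buildSafe` and reports only the unencoded flow, whereas the line-local view cannot tell the two sinks apart.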

  12. LAPSE+

  13. FindBugs
  • FindBugs:
    • program that uses static analysis to look for bugs in Java code.
    • relatively easy to install and purports to find all types of bugs.
    • provides a user interface in which one can filter the reported bugs by category, a bug review panel that describes each bug in detail along with resolution measures, and a Bug Info panel that shows a detailed stack trace and description.

  14. FindBugs

  15. Orizon
  • OWASP Orizon:
    • allows one to perform a security code review of your code, checking that it follows the recommendations in the OWASP Build Guide and the OWASP Code Review Guide.
    • standalone console-based tool with its own shell engine.
    • provides commands that, when executed, model the code, crawl through all traces, and then generate a report for viewing.

  16. Orizon

  17. PMD
  • PMD:
    • static analysis tool for Java source code.
    • identifies possible bugs, dead code, suboptimal code, high cyclomatic complexity, and duplicate code.
    • extensible rule sets, so one can create their own rules.
    • supports a vulnerability view in which the aforementioned problems are displayed, and a Copy-Paste Detector (CPD) view in which one can see copy-pasted code (code that should probably be consolidated into a single logical block).
    • GDS PMD Secure Coding Ruleset

  18. PMD

  19. PMD

  20. PMD

  21. FlawFinder
  • Flawfinder:
    • a tool that works on C/C++ source code.
    • console-based and specifically targets security vulnerabilities.
    • works by using a built-in database of C/C++ functions with well-documented security problems, such as “buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random())” [19].
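Flawfinder's approach, as the slide describes it, is a lexical match of the source against a database of risky function names. The scanner below is an added illustration of that technique in Python, not Flawfinder's own code; its database is a constructed subset of the families the slide quotes, and the C sample is constructed too. It also shows the caveat a reviewer must keep in mind: a name-based match flags `strcpy` of a short literal and a correctly bounded `snprintf` just as readily as the real problems, which is the gap that the whole-program analysis of slide 7 closes.

```python
import re

# Risk database built from the function families the slide lists (a constructed subset,
# not Flawfinder's real ruleset, which also ranks each hit by risk level).
RISKY_FUNCTIONS = {
    "buffer overflow": ["strcpy", "strcat", "gets", "sprintf", "scanf", "sscanf", "fscanf"],
    "format string": ["printf", "fprintf", "vprintf", "vfprintf", "snprintf", "vsnprintf", "syslog"],
    "race condition": ["access", "chown", "chgrp", "chmod", "tmpfile", "tmpnam", "tempnam", "mktemp"],
    "shell metacharacters": ["system", "popen", "execl", "execlp", "execle", "execv", "execvp"],
    "poor randomness": ["random"],
}
# One pattern per category: word boundary, a listed name, optional whitespace, "(".
_PATTERNS = {cat: re.compile(r"\b(" + "|".join(names) + r")\s*\(")
             for cat, names in RISKY_FUNCTIONS.items()}

def scan_c_source(source: str) -> list:
    """Lexical scan in Flawfinder's style: (line_no, function, category) per risky call."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]       # drop trailing line comments (block comments not handled)
        for cat, pat in _PATTERNS.items():
            hits += [(line_no, m.group(1), cat) for m in pat.finditer(code)]
    return sorted(hits)

# Constructed C sample: two real problems, plus a safe call and a bounded call that are flagged anyway.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);                        // unbounded copy of caller data: real overflow risk
    printf(name);                             // caller data used as the format string
    char tag[8];
    strcpy(tag, "ok");                        // 3-byte literal into 8 bytes: safe, still flagged
    snprintf(buf, sizeof buf, "%s", name);    // bounded, but its name is in the database
}
"""
```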

  22. FlawFinder

  23. RIPS
  • RIPS:
    • written in PHP, specifically to find vulnerabilities in PHP code.
    • can create a program model of the source code.
    • can detect vulnerable functions (sinks) that can be reached by malicious user input. Additionally, an audit framework is provided for further analysis in an IDE-style visual user interface.
    • claims to detect XSS, SQL Injection, LFI/RFI, and RCE vulnerabilities.

  24. RIPS

  25. Commercial Tools

  26. References
  • 1. OWASP Top-10: https://www.owasp.org/index.php/Top_10_2013-Top_10
  • 2. LAPSE+: http://evalues.es/downloads/owasp/LapsePlus_Tutorial.pdf
  • 3. FindBugs: http://findbugs.sourceforge.net/
  • 4. FxCop: http://msdn.microsoft.com/en-us/library/bb429476(VS.80).aspx
  • 5. PMD: http://pmd.sourceforge.net/
  • 6. RATS: https://www.fortify.com/ssa-elements/threat-intelligence/rats.html
  • 7. RIPS: http://rips-scanner.sourceforge.net/
  • 8. SWAAT: https://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
  • 9. Orizon: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
  • 10. HP Fortify: http://www8.hp.com/us/en/software-solutions/software.html?compURI=1338812#.UXvVjxzREQc
  • 11. CodeSonar: http://www.grammatech.com/codesonar

  27. References (cont.)
  • 12. Armorize CodeSecure: http://www.armorize.com/codesecure/
  • 13. CheckMarx: http://www.checkmarx.com/technology/static-code-analysis-sca/
  • 14. Veracode: http://www.veracode.com/
  • 15. IBM Security AppScan: http://www-01.ibm.com/software/rational/products/appscan/source/
  • 16. Coverity: http://www.coverity.com/products/static-analysis.html
  • 17. Klocwork Insight: http://www.klocwork.com/products/insight.asp
  • 18. Parasoft Static Analysis: http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547
  • 19. FlawFinder: http://www.dwheeler.com/flawfinder/
  • 20. PreFast: http://msdn.microsoft.com/en-us/library/ms933794.aspx
  • 21. BrakeMan: http://brakemanscanner.org/
  • 22. PMD GDS Ruleset: https://github.com/GDSSecurity/GDSPMDSECRULES
  • 23. PMD Rulesets: http://pmd.sourceforge.net/pmd-5.0.3/rules/index.html#Security_Code_Guidelines
