SAVI: Static-Analysis Vulnerability Indicator
JAMES WALDEN AND MAUREEN DOYLE
NORTHERN KENTUCKY UNIVERSITY

PRESENTED BY: ASIF IMRAN (MSSE0119), JOBAER ISLAM KHAN (MSSE0109)
Addressed Problem

    Web applications are frequently the target of attackers [1]

    Web applications are the largest source of security vulnerabilities [1]

    Identity theft, phishing, malware, etc. erode trust and cause
     financial loss [2]
Proposed Solution

    Static analysis of source code to detect vulnerabilities of web
     applications.

    SAVI: Static-Analysis Vulnerability Indicator
        Combines several static-analysis results
        Ranks vulnerability of Web Applications
Sources of vulnerability count

    Vulnerability repositories [2]:
         National Vulnerability Database (NVD)
         Microsoft Security Bulletins
         Drupal Security Advisories

    Output of static-analysis tools

    Output of security-focused dynamic-analysis tools

         Note: each source type comprises many individual sources, with
          different vulnerability databases and analysis tools
         An application's vulnerability history can be obtained from the
          reporting databases
Vulnerability Detection Techniques
    Static Analysis: Static-analysis tools find an application's current vulnerabilities by
     evaluating its source code without executing it.

    Advantages:
        1. Find vulnerabilities objectively
        2. Find vulnerabilities rapidly
    Disadvantages:
        1. Produce false negatives
        2. Produce false positives

    Example: Fortify SCA
         Reduce business risk by identifying vulnerabilities that pose the biggest threat
         Identify and remove exploitable vulnerabilities quickly with a repeatable process
         Reduce development cost by identifying vulnerabilities early in the SDLC
         Educate developers in secure coding practices while they work
Vulnerability Detection Techniques [cont]
    Dynamic Analysis: identify vulnerabilities in running Web applications

    Advantages:
        1. Simulates a malicious user by attacking and probing
        2. Independent of programming languages
    Disadvantages:
        1. Increased effort
        2. False positives and false negatives

    Example: Veracode-DA
False positives and False negatives

    False negatives occur when tools don't report existing security bugs

    False positives occur when tools report vulnerabilities that do not
     exist

    Triaging: manually auditing source code to identify false positives
     [3]

 By manually auditing enough results, a security team can predict the rate
 at which false positives and false negatives occur for a given project
 and extrapolate the number of true positives from a set of raw results
 [3].
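The extrapolation step on this slide is easy to do badly: a small audited sample gives a point estimate with a wide error band, and a team that reports only the point estimate overstates how much it knows. The following is an added example (not code from the slides, from the SAVI authors or from the Coverity report they cite) that extrapolates true positives from a triaged sample and attaches a Wilson score interval to the estimate, plus a helper that answers "how many results is enough to audit". All numbers in it are constructed.

```python
from math import ceil, sqrt


def triage_estimate(raw_results, audited, confirmed, z=1.96):
    """Extrapolate true positives from a manually audited sample of findings.

    raw_results: total findings the tool reported for the project
    audited:     how many of them were reviewed by hand
    confirmed:   how many of the audited findings were real bugs
    Returns (point_estimate, low, high): the estimated number of true
    positives among raw_results and a Wilson score interval around it at
    confidence level z (1.96 gives about 95%).
    """
    if audited <= 0 or not 0 <= confirmed <= audited <= raw_results:
        raise ValueError("need 0 <= confirmed <= audited <= raw_results and audited > 0")
    n = audited
    p = confirmed / n                      # observed true-positive rate
    z2 = z * z
    denom = 1.0 + z2 / n
    centre = (p + z2 / (2.0 * n)) / denom
    half = z * sqrt(p * (1.0 - p) / n + z2 / (4.0 * n * n)) / denom
    low = max(0.0, centre - half)
    high = min(1.0, centre + half)
    return raw_results * p, raw_results * low, raw_results * high


def sample_size_for_margin(margin, z=1.96, rate=0.5):
    """How many findings to audit so the true-positive rate is known to
    within +/- margin; rate=0.5 is the worst case (widest interval)."""
    if not 0 < margin < 1:
        raise ValueError("margin must be between 0 and 1")
    return ceil(z * z * rate * (1.0 - rate) / (margin * margin))


if __name__ == "__main__":
    # Constructed numbers, not figures from the slides or the Coverity report.
    point, low, high = triage_estimate(raw_results=1000, audited=100, confirmed=40)
    print(f"estimated true positives: {point:.0f} (95% interval {low:.0f}..{high:.0f})")
    print(f"audit {sample_size_for_margin(0.05)} findings for a +/-5% rate estimate")
```

Note what the audit can and cannot tell you: reviewing reported findings measures the false-positive rate, but it says nothing about false negatives, because a bug the tool never reported is not in the sample. That is why the methodology on the following slides checks static-analysis output against an independent source (NVD) rather than against the tool's own results.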
Methodology

    Static Analysis
        Fast results
        Current bugs can be detected
        Repeatability

    Vulnerability Repository: NVD is used to validate the predictions of the
     static-analysis metric.

    Correlation between static-analysis results and the vulnerabilities
     reported later for the analyzed software.
Methodology [cont]

    Normalize vulnerability counts by code size

    SAVD (Static Analysis Vulnerability Density)

    NVD vulnerability density

    Correlation between SAVD and NVD density
SAVD [4]
Methodology [cont]

    Open Source applications as test cases (source code: PHP)
        Dokuwiki: wiki
        Mediawiki: wiki
        phpBB: web forum
        phpMyAdmin: system administration
        Squirrelmail: email client
Methodology [cont]
   Fortify Source Code Analyzer (SCA)

   Output in XML: vulnerability data

   Custom Ruby scripts used to convert the vulnerability data and line counts into a
    form that could be analyzed with statistical software

   Code size: 29,000 LOC <= code <= 162,000 LOC

   Analysis time: 180 seconds <= time <= 3600 seconds

   Core i5 processor and 8 Gbytes of RAM
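The two methodology slides above describe a pipeline (static-analysis XML report, line counts, a density per version, a correlation with NVD) without showing it. The block below is an added example, not the authors' code and not the presenters' Ruby scripts, that runs that pipeline end to end on constructed data. Its assumptions: the XML layout is invented for the example and is not Fortify SCA's real output schema; SAVD is taken to mean static-analysis findings per thousand lines of code, which is how "normalize vulnerability counts by code size" is read here; and Spearman rank correlation is used because the goal is ranking applications, not because the slides name that statistic. The version names, counts and NVD entries are all constructed.

```python
import xml.etree.ElementTree as ET
from math import sqrt

# Severity names used by the constructed report below (not Fortify's own).
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def constructed_report(*findings):
    """Build a small Fortify-like XML report; the schema is invented here."""
    body = "".join(f'<Finding category="{c}" severity="{s}"/>' for c, s in findings)
    return f"<Report>{body}</Report>"


# Constructed inputs per version: (name, report XML, lines of code,
# NVD entries reported for that version). Not real project data.
VERSIONS = [
    ("app-1.0", constructed_report(("SQL Injection", "Critical"),
        ("Cross-Site Scripting", "High"), ("Poor Logging Practice", "Low")), 30000, 1),
    ("app-1.1", constructed_report(("SQL Injection", "Critical"),
        ("Cross-Site Scripting", "High"), ("Cross-Site Scripting", "High"),
        ("Path Manipulation", "Medium"), ("Code Correctness", "Low")), 25000, 3),
    ("app-1.2", constructed_report(("Cross-Site Scripting", "High"),
        ("Path Manipulation", "Medium")), 40000, 1),
    ("app-2.0", constructed_report(("SQL Injection", "Critical"),
        ("Command Injection", "Critical"), ("Cross-Site Scripting", "High"),
        ("Poor Logging Practice", "Low")), 20000, 2),
    ("app-2.1", constructed_report(("Cross-Site Scripting", "High"),
        ("Cross-Site Scripting", "High"), ("Cross-Site Scripting", "High"),
        ("Path Manipulation", "Medium"), ("Header Manipulation", "Medium"),
        ("Code Correctness", "Low")), 30000, 4),
]


def count_findings(xml_text, min_severity="Low"):
    """Count <Finding> elements at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    root = ET.fromstring(xml_text)
    return sum(1 for f in root.iter("Finding")
               if SEVERITY_RANK.get(f.get("severity"), 0) >= floor)


def density_per_kloc(count, loc):
    """Normalise a raw count by code size: findings per thousand lines."""
    if loc <= 0:
        raise ValueError("lines of code must be positive")
    return count / (loc / 1000.0)


def average_ranks(values):
    """1-based ranks; tied values share the mean of the positions they span."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        shared = (i + j) / 2.0 + 1.0
        for k in range(i, j + 1):
            ranks[order[k]] = shared
        i = j + 1
    return ranks


def spearman(xs, ys):
    """Spearman rank correlation: Pearson correlation of the rank vectors."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two equally long series with at least two points")
    rx, ry = average_ranks(xs), average_ranks(ys)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    if vx == 0 or vy == 0:
        raise ValueError("a constant series has no rank correlation")
    return cov / sqrt(vx * vy)


def savd_vs_nvd(versions, min_severity="Low"):
    """Return (SAVD list, NVD density list, Spearman rho) across versions."""
    savd = [density_per_kloc(count_findings(xml, min_severity), loc)
            for _, xml, loc, _ in versions]
    nvd = [density_per_kloc(n, loc) for _, _, loc, n in versions]
    return savd, nvd, spearman(savd, nvd)


if __name__ == "__main__":
    savd, nvd, rho = savd_vs_nvd(VERSIONS)
    for (name, _, loc, _), s, d in zip(VERSIONS, savd, nvd):
        print(f"{name}: {loc:>6} LOC  SAVD {s:.3f}/KLOC  NVD {d:.3f}/KLOC")
    print(f"Spearman rho (all severities) = {rho:.3f}")
    print(f"Spearman rho (High and above) = {savd_vs_nvd(VERSIONS, 'High')[2]:.3f}")
```

Two design points carry over to real data. Normalising by LOC is what makes versions of different size comparable; without it, SAVD would mostly measure code size. And the `min_severity` filter matters: the correlation computed on all findings and the one computed on High-and-above findings differ on this constructed data, so a practitioner reproducing the study should state which severity cut-off (and which tool rule pack) produced the counts.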
Results

    NVD vulnerability counts: 17 <= vulnerabilities <= 96

    Dokuwiki: 17
    phpMyAdmin: 96
Results [cont]

    SCA found 57,811 vulnerabilities

    LOC: 1.5 million
    phpMyAdmin: 96
Result [cont]
Discussion

    Context-independent metric: the applications have the same data,
     functionality and installation standards

    SAVI indicates postrelease vulnerability density.

    SAVI lets organizations choose less vulnerable applications

    Further investigation is required to determine whether similar results
     might hold for other application classes
Conclusion [cont]

    SAVD for each application version correlated significantly with the
     NVD vulnerability density for that version's year and subsequent
     years.

     For example, the SAVD of a project for 2009 correlated with the
     project's NVD density for 2010 and 2011. This result means that
     static-analysis tools indicate an application's postrelease
     vulnerability.
References

 [1] M. Gegick and L. Williams, "Toward the Use of Automated Static
    Analysis Alerts for Early Identification of Vulnerability- and Attack-Prone
    Components," Proc. 2nd Int'l Conf. Internet Monitoring and Protection
    (ICIMP 07), IEEE CS, 2007, p. 18.

 [2] M. Gegick et al., "Prioritizing Software Security Fortification through
    Code-Level Metrics," Proc. 4th ACM Workshop Quality of Protection
    (QoP 08), ACM, 2008, pp. 31–38.

 [3] "Coverity Scan: 2010 Open Source Integrity Report," Coverity, 1 Nov.
    2010; www.coverity.com/library/pdf/coverity-scan-2010-open-source-integrity-report.pdf.

 [4] http://www.informit.com/articles/article.aspx?p=768662&seqNum=3
Thank You