CS577b Individual Research Shi-Xuan Zeng 04/23/2012


CS577b Individual Research
Shi-Xuan Zeng
04/23/2012

1

Outline

- Introduce security testing
- Web application/system security testing
- Web application/system security risks
- Security testing tools comparison
- Summary

2

What is security testing?

- Providing evidence: security tests produce evidence of how the application behaves under hostile input, not only that it works under the input it expects
- Fulfilling requirements: security requirements (what the application must not do) are tested like any other requirement
- Fundamental processes, the same ones used in functional testing:
  - Boundary values: inputs at and just beyond the edges of what is allowed
  - Equivalence classes: one representative input for each class of inputs the application treats the same way
  - Security classes: classes of malicious or unexpected input (injection strings, oversized input, unusual encodings) added alongside the functional classes

3

* Web Security Testing Cookbook (O’Reilly)

Web application security testing

- Functional testing vs. security testing: functional tests check that the application does what it should; security tests use the same techniques to check that it does not do what it should not
- Use a variety of tools, both manually and automatically
- Simulate and stimulate activities: simulate an attacker's behaviour, stimulate the application with unexpected input, and observe how it responds
- Goal: produce repeatable and consistent tests

4

* Web Security Testing Cookbook (O’Reilly)
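The three "fundamental processes" on the previous slide and this slide's goal of repeatable, consistent tests, as an added example that is not code from the slides or from the Web Security Testing Cookbook. It assumes a hypothetical order-form "quantity" parameter with the business rule "ASCII digits, integer 1 to 100"; the handler under test, its hardened variant, the rule and every input are constructed for the example. The suite runs the generated cases in a fixed order and returns a result table, so two runs of the same handler are identical and any difference between runs is evidence of a change.

```python
"""Added example, not code from the slides or from the Web Security Testing
Cookbook: the three input classes named on the slide (boundary values,
equivalence classes, security classes) generated for one form parameter and
run, in a fixed order, against a constructed handler so that every run
produces the same result table."""
import re

# Assumed business rule for a hypothetical order-form "quantity" field:
# ASCII digits only, integer value 1..100 inclusive.
QTY_MIN, QTY_MAX = 1, 100


def handle_quantity(raw):
    """Constructed handler under test. Trusts int() to define 'a number',
    which is wider than the business rule: int() also accepts a sign,
    underscores between digits and non-ASCII Unicode digits."""
    try:
        value = int(raw.strip())
    except ValueError:
        return "rejected"
    return "accepted" if QTY_MIN <= value <= QTY_MAX else "rejected"


def handle_quantity_strict(raw):
    """Hardened variant: the allowed lexical form is stated explicitly
    ([0-9] rather than \\d, which in Python 3 matches Unicode digits),
    then the numeric range is checked."""
    if not re.fullmatch(r"[0-9]{1,3}", raw):
        return "rejected"
    return "accepted" if QTY_MIN <= int(raw) <= QTY_MAX else "rejected"


def boundary_values(lo, hi):
    """Boundary values: at and just beyond both edges of the allowed range."""
    return [str(v) for v in (lo - 1, lo, lo + 1, hi - 1, hi, hi + 1)]


def equivalence_classes():
    """One representative per class of input the handler should treat alike."""
    return {
        "in_range": "42",
        "negative": "-7",
        "non_numeric": "abc",
        "empty": "",
        "decimal": "4.5",
    }


def security_classes():
    """Malicious or merely unexpected input added beside the functional
    classes (constructed). The rule says every one of these must be rejected."""
    return {
        "sql_injection": "1 OR 1=1",
        "xss": "<script>alert(1)</script>",
        "oversized": "9" * 1000,
        "null_byte": "5\x00",
        "unicode_digit": "\u0665",    # Arabic-Indic digit five
        "underscore_digits": "1_0",   # int() reads this as 10
        "signed_whitespace": " +5\n",
    }


def run_suite(handler):
    """Run every generated case in a fixed order and return a dict of
    case name -> (input, outcome). No randomness, so two runs against
    the same handler are identical and a diff between runs is evidence."""
    results = {}
    for i, raw in enumerate(boundary_values(QTY_MIN, QTY_MAX)):
        results["boundary_%d" % i] = (raw, handler(raw))
    for name, raw in equivalence_classes().items():
        results["equiv_" + name] = (raw, handler(raw))
    for name, raw in security_classes().items():
        results["sec_" + name] = (raw, handler(raw))
    return results


def security_findings(results):
    """A security-class input that was accepted is a finding."""
    return sorted(name for name, (_, outcome) in results.items()
                  if name.startswith("sec_") and outcome == "accepted")


if __name__ == "__main__":
    for label, handler in (("int()-based", handle_quantity),
                           ("strict", handle_quantity_strict)):
        findings = security_findings(run_suite(handler))
        print("%-12s findings: %s" % (label, findings or "none"))
```

The int()-based handler passes every boundary and equivalence case, so functional testing alone would sign it off; only the security class shows that it accepts a Unicode digit, an underscored number and a signed value that a downstream component may read differently. The strict handler gives the same functional results and no findings.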

Web application security risks

5

* OWASP Top Ten Project (2010)

Top 10 Web Application Security Risks

The 2010 release of the OWASP Top Ten lists:
- A1 Injection
- A2 Cross-Site Scripting (XSS)
- A3 Broken Authentication and Session Management
- A4 Insecure Direct Object References
- A5 Cross-Site Request Forgery (CSRF)
- A6 Security Misconfiguration
- A7 Insecure Cryptographic Storage
- A8 Failure to Restrict URL Access
- A9 Insufficient Transport Layer Protection
- A10 Unvalidated Redirects and Forwards

* OWASP Top Ten Project (2010)

6
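The first two risks on the list, A1 Injection and A2 Cross-Site Scripting, as an added example that is not code from the slides or from OWASP: each is shown as the vulnerable code beside its fix. The users table, the two login functions, the two greeting functions and the injection inputs are all constructed for the example; the login check compares plaintext only to keep the query short, which is not how passwords should be stored.

```python
"""Added example, not code from the slides or from OWASP: the top two risks on
the 2010 list (A1 Injection, A2 XSS) each shown as the vulnerable code beside
its fix, against a constructed in-memory SQLite table so it runs offline."""
import html
import sqlite3


def make_db():
    """Constructed sample data. A real application stores a salted password
    hash; the query, not the storage, is the point here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """A1 Injection: input is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest becomes SQL syntax."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Fix: bound parameters. The values travel separately from the SQL
    text, so a quote in the input is compared, never parsed."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Two inputs from the security class of a login form (constructed):
#  - a tautology in the password:      ... AND password = '' OR '1'='1'
#  - a comment marker in the username: ... username = 'alice'--' AND ...
INJECTION_CASES = {
    "tautology_in_password": ("nobody", "' OR '1'='1"),
    "comment_out_in_username": ("alice'--", "wrong"),
}


def bypasses(login_fn):
    """Evidence-producing check: the names of the injection cases that log
    in without valid credentials. An empty list means none of them did."""
    conn = make_db()
    return sorted(name for name, (user, pw) in INJECTION_CASES.items()
                  if login_fn(conn, user, pw))


def greeting_vulnerable(name):
    """A2 XSS: untrusted text placed into HTML where it is parsed as markup."""
    return "<p>Hello, %s</p>" % name


def greeting_escaped(name):
    """Fix: HTML-escape on output, so '<', '&' and quotes are displayed,
    not interpreted."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    print("vulnerable login bypassed by:", bypasses(login_vulnerable))
    print("parameterized login bypassed by:", bypasses(login_parameterized))
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_escaped("<script>alert(1)</script>"))
```

Both injection cases log in against the string-built query and neither does against the parameterized one; the escaped greeting renders the script tag as text. A scanner from the comparison slides that follow finds these classes of defect by sending exactly this kind of input and reading the response.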

Security testing tools comparison 1

Tool              | Ease of use | Information provided | Items tested | Traceability
------------------|-------------|----------------------|--------------|-------------
OWASP WebScarab   | Medium      | Medium               | Depends      | Hard
Burp Suite Free   | Medium      | Medium               | Depends      | Hard
Nikto 2           | Hard        | Medium               | Many         | Medium
Wapiti            | Medium      | Excellent            | Medium       | Low
Skipfish          | Med-Hard    | Medium               | Medium       | Good

"Depends": WebScarab and Burp Suite Free are intercepting proxies rather than scanners, so what gets tested depends on what the tester does with them manually.

7

Security testing tools comparison 2

Tool                                    | Ease of use | Information provided | Items tested | Traceability
----------------------------------------|-------------|----------------------|--------------|-------------
w3af                                    | Easy        | Good                 | Many         | High
N-Stalker Security Scanner Free Edition | Very easy   | Good                 | Many         | High
Acunetix WVS Free Edition               | Very easy   | Medium               | Very limited | Low
Websecurify (browser extension)         | Very easy   | Good                 | Few          | Low
Netsparker Community Edition (free)     | Very easy   | Excellent            | Many         | Low

8

Summary

- Security testing provides evidence and fulfills requirements.
- The goal is to produce repeatable and consistent tests.
- Beware of the top 10 web application security risks.
- Choose testing tools that are free, easy to use, and have good traceability.
- Suggested: w3af and N-Stalker Security Scanner Free Edition, the two tools in the comparison rated easy to use with many items tested and high traceability.

9

Reference

- Web Security Testing Cookbook. Paco Hope, Ben Walther; O'Reilly Media Inc.; Oct 28, 2008
- OWASP Top Ten Project
  https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf
- 10+ Free Web Application Security Testing Tools
  http://www.webresourcesdepot.com/10-free-web-application-security-testing-tools/

10

Questions?

11

Thank You!!

12