Sandcat Assessment Suite - What is Sandcat?
- Sandcat is a hybrid multilanguage web application security assessment suite
- A software suite that simulates web-based attacks
- Proactively guards an organization's Web infrastructure against web application security threats
  - Finds the vulnerabilities before the hackers

Sandcat Assessment Suite - Evolution
- Initially an evasion-capable web server scanner
  - With CGI/directory brute force scanning and a very extensive database of checks (2001-2003)
- Added spidering & injection capabilities
  - Became a remote web app sec scanner (2004)
- Added source code scanning capabilities (2008)

Sandcat Assessment Suite - How It Works
- Scans live websites for multiple classes of vulnerabilities - an external pen-test
  - This is the hacker's perspective (aka blackbox)
- Scans the site's source code locally for the same multiple classes of vulnerabilities - an internal code review (aka whitebox)
- When it combines both approaches, you have what is called a hybrid analysis (or greybox)
Features - Core Functionality
- Concurrency/Scan Queue Support (Multithreads)
- Deep Crawling (Spidering)
  - Maps the entire web site structure (all links, forms, XHR requests and other entry points)
- Multiple Versions (Windows Only)
  - GUI (Graphical User Interface)
  - CLI (Command-Line Interface)
  - Web-Interface (Apache-Based)

Sandcat Assessment Suite - Core Functionality
- Report Generation
  - Multiple formats and templates
  - Compliance - OWASP Top 10, PHP Top 5, CWE/SANS Top 25, Payment Card Industry (PCI), etc.
  - Also includes:
    - OSVDB references
    - CVE & CWE references
    - Charts
Vulnerability Coverage - Sandcat Database
- Over 460 remote web application security checks in over 24 categories of web attacks
  - XSS, SQL Injection, File Inclusion, Command Execution, etc.
- OWASP's Top Ten Most Critical Web Application Security Vulnerabilities & PHP Top 5 Vulnerabilities

Vulnerability Coverage - Sandcat Database
- Over 561 source checks, covering several types of web attacks:
  - SQL Injection - both remote and source checks tailored to cover MySQL, Oracle, PostgreSQL, Microsoft Access, Microsoft SQL Server, SQLite, Firebird, Sybase...
  - Cross-Site Scripting (XSS), Arbitrary File Manipulation, Command Execution, File Inclusion (Local & Remote) and more.

Vulnerability Coverage - Sandcat Database
- 29K (29 thousand) web vulnerabilities researched since 2003 affecting specific web applications/servers.
- Examples:
  - StatPressCN Plugin for WordPress wp-admin/admin.php Multiple Parameter XSS (CVE-2011-0641)
  - PHPCMS 2008 data.php where_time Parameter SQL Injection (CVE-2011-0645)
Additional Components - Other Sandcat Components
- Sandcat Log Analyzer
  - Scans HTTP logs (created by web servers) for intrusion attempts
- Sandcat Apache/PHP Hardener
  - Scans Apache and PHP configuration files for weak security settings
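The Log Analyzer and Apache/PHP Hardener bullets above describe two defender-side checks: reading web server logs for intrusion attempts and reading configuration files for weak settings. The Python below is an added example written for this page, not Sandcat's own code or any Syhunt component. It parses constructed Apache combined-format log lines and flags requests matching a few XSS, SQL injection and file-inclusion signatures, then reads a constructed php.ini excerpt and reports directives set to weak values. The signature patterns, the recommended php.ini values and all sample data are the example's own assumptions; the directive names themselves are real PHP settings.

```python
"""Added example (not Sandcat's code): a minimal HTTP access-log scanner for
intrusion attempts plus a php.ini weak-setting checker.  Every sample input
below is constructed for this example."""
import re
from urllib.parse import unquote_plus

# Constructed Apache "combined" log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2011:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Aug/2011:10:01:05 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Aug/2011:10:01:07 +0000] "GET /item.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 233 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Aug/2011:10:01:09 +0000] "GET /show.php?file=../../../../etc/passwd HTTP/1.1" 404 301 "-" "Mozilla/5.0"
10.0.0.12 - - [12/Aug/2011:10:02:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields of the combined log format we need: client IP, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# (category, regex applied to the URL-decoded request URL).  These are the
# example's own coarse signatures for the attack classes the slides list.
SIGNATURES = [
    ("XSS", re.compile(r"<\s*script|javascript:|onerror\s*=", re.I)),
    ("SQL Injection", re.compile(
        r"(\bunion\b.+\bselect\b)|('\s*(or|and)\s+\d+\s*=\s*\d+)|(--\s*$)", re.I)),
    ("File Inclusion", re.compile(r"(\.\./){2,}|/etc/passwd|https?://", re.I)),
]


def scan_access_log(log_text):
    """Return [(ip, category, decoded_url)] for requests matching a signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = unquote_plus(m.group("url"))  # decode %XX so encoded payloads match
        for category, pattern in SIGNATURES:
            if pattern.search(url):
                findings.append((m.group("ip"), category, url))
                break  # one finding per request is enough for triage
    return findings


# Constructed php.ini excerpt containing several weak settings.
SAMPLE_PHP_INI = """\
; php.ini (constructed for the example)
display_errors = On
allow_url_fopen = On
allow_url_include = On
expose_php = On
register_globals = Off
"""

# directive -> (hardened value, why it matters).  Directive names are real PHP
# settings; the recommended values are this example's assumptions.
PHP_EXPECTED = {
    "display_errors": ("Off", "leaks paths and database errors to clients"),
    "allow_url_include": ("Off", "enables remote file inclusion through include()"),
    "allow_url_fopen": ("Off", "lets file functions fetch remote URLs"),
    "expose_php": ("Off", "advertises the PHP version in response headers"),
    "register_globals": ("Off", "turns request parameters into global variables"),
}


def check_php_ini(ini_text):
    """Return [(directive, current, recommended, reason)] for weak settings."""
    findings = []
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        expected = PHP_EXPECTED.get(key.lower())
        if expected and value.lower() != expected[0].lower():
            findings.append((key, value, expected[0], expected[1]))
    return findings


if __name__ == "__main__":
    for ip, category, url in scan_access_log(SAMPLE_LOG):
        print(f"[{category}] {ip} {url}")
    for key, current, recommended, why in check_php_ini(SAMPLE_PHP_INI):
        print(f"php.ini {key}={current} (recommended {recommended}): {why}")
```

Decoding the URL before matching is the step that matters most: the constructed XSS and SQL injection requests are percent-encoded in the raw log and would slip past signatures applied to the undecoded line. A production analyzer would also look at POST bodies (not present in access logs), referers and user agents, and would rate-limit findings per client address.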
WAVSEP 2011 Comparison - WAVSEP Comparison
- Independent web application scanner accuracy tests produced every year by Shay Chen (OWASP Israel), an application security consultant
- The most comprehensive ever made (a total of 60 tools were included this year, including the leading commercial tools)
- What did we find out?

WAVSEP 2011 Comparison - Sandcat Accuracy Tests (August 2011)
- We have the best XSS vulnerability detection rate in the market
  - #1 when the Free Edition of Sandcat is compared with other free and open source tools
  - #2 when Sandcat Pro is compared to other commercial tools such as IBM AppScan, HP WebInspect and others
    - Sandcat Pro, AppScan and ParosPro top the WAVSEP benchmark charts with 100 percent or near-100 percent XSS detection rates

WAVSEP 2011 Comparison - Sandcat Accuracy Tests (August 2011)
- SQL Injection (SQLi)
  - Sandcat also scored a 100 percent error-based SQL Injection detection rate
    - Sandcat excelled at identifying an additional large set of 80 error-based SQL Injection vulnerabilities (detected 100% of the vulnerabilities, both GET-based and POST-based)
    - Sandcat's SQL Injection checks cover several types of databases

WAVSEP 2011 Comparison - Sandcat Accuracy Tests (August 2011)
- Sandcat scored a 100 percent detection rate running at half its capabilities
  - Sandcat's white-box (source code) scanning capabilities were not covered in the tests.
Additional Highlights - Standards & Additional Info
- Sandcat makes the list of CVE-compatible products and services provided by the MITRE Corporation, which created the standard.
- Invited this year by the U.S. NIST (National Institute of Standards and Technology) to participate in the Static Analysis Tool Exposition (SATE)
  - SATE's goal: advance research in the field of static analysis tools

Additional Highlights - Standards & Additional Info
- Used by the U.S. Department of Defense
- Listed and covered in the Information Assurance Tools Report published this year (2011) by the U.S. Department of Defense's IATAC (Information Assurance Technology Analysis Center), alongside leading tools
Customers - Where they come from
- From over 26 countries. Mainly from the United States, United Kingdom and Canada
- From different markets and industries
  - Consulting, Education/Government, Finance, Banking, and Insurance, High Technology & Software, Hospitality, Travel & Tourism, Telecommunications, etc.

Customers - Where they come from (Government & Military)
- NASA, US NOAA, US DoE (Department of Energy) and others
- US Navy, UK's Royal Air Force
- Intelligence Agencies
  - CSE (Canada's intelligence agency)
  - CISEN (Mexico's intelligence agency)
The End - Thank You
More Info: www.syhunt.com
Twitter: @syhunt
Email: firstname.lastname@example.org