Presentation on vulnerability analysis

This is a presentation on a vulnerability-analysis paper (SAVI, by Walden and Doyle), which is cited in the references.

  1. SAVI: Static-Analysis Vulnerability Indicator
     James Walden and Maureen Doyle, Northern Kentucky University
     Presented by: Asif Imran (MSSE0119), Jobaer Islam Khan (MSSE0109)
  2. Addressed Problem
     • Web applications are frequently the target of attackers [1]
     • They are the largest source of security vulnerabilities [1]
     • Identity theft, phishing, malware, etc. erode trust and cause financial loss [2]
  3. Proposed Solution
     • Static analysis of source code to detect vulnerabilities in web applications
     • SAVI: Static-Analysis Vulnerability Indicator
     • Combines several static-analysis results
     • Ranks the vulnerability of web applications
  4. Sources of Vulnerability Counts
     • Vulnerability repositories [2]: National Vulnerability Database (NVD); Microsoft Security Bulletins; Drupal Security Advisories
     • Output of static-analysis tools
     • Output of security-focused dynamic-analysis tools
     • Note: each source type comprises many individual sources, with different vulnerability databases and analysis tools
     • An application's vulnerability history can be obtained from the reporting databases
  5. Vulnerability Detection Techniques
     • Static analysis: static-analysis tools find an application's current vulnerabilities by evaluating its source code without executing it.
     • Advantages: (1) finds vulnerabilities objectively; (2) finds vulnerabilities rapidly
     • Disadvantages: (1) produces false negatives; (2) produces false positives
     • Example: Fortify SCA
       – Reduces business risk by identifying the vulnerabilities that pose the biggest threat
       – Identifies and removes exploitable vulnerabilities quickly with a repeatable process
       – Reduces development cost by identifying vulnerabilities early in the SDLC
       – Educates developers in secure coding practices while they work
  6. Vulnerability Detection Techniques [cont]
     • Dynamic analysis: identifies vulnerabilities in running web applications
     • Advantages: (1) simulates a malicious user by attacking and probing the application; (2) independent of the programming language
     • Disadvantages: (1) increased effort; (2) false positives and false negatives
     • Example: Veracode-DA
  7. False Positives and False Negatives
     • False negatives occur when a tool does not report a security bug that exists
     • False positives occur when a tool reports a vulnerability that does not exist
     • Triaging: manually auditing source code to identify false positives [3]
     • By manually auditing enough results, a security team can predict the rate at which false positives and false negatives occur for a given project and extrapolate the number of true positives from a set of raw results [3].
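A worked version of the triage extrapolation described on this slide, as an added example (not code from the SAVI paper or from Coverity). The audited sample, the 95% Wilson score interval, and the hypothetical set of independently known vulnerabilities used to measure misses are all my assumptions; the slide says only that auditing enough results lets a team predict the false-positive and false-negative rates and extrapolate the number of true positives.

```python
"""Extrapolating true positives from a triaged sample of static-analysis
findings (slide 7, the triage approach attributed to Coverity [3]).

Added example, not code from the SAVI paper or from Coverity. Assumptions:
  - A random sample of findings is audited; the true-positive rate observed
    in the sample is scaled to the whole result set.
  - Uncertainty is expressed with a 95% Wilson score interval (my choice;
    the slide does not specify a method).
  - The false-negative rate is measured against an independently known set
    of vulnerabilities (e.g. NVD entries mapped to code), each of which the
    tool either flagged or missed. All numbers used below are constructed.
"""
import math
from dataclasses import dataclass


@dataclass
class TriageEstimate:
    raw_findings: int            # everything the tool reported
    audited: int                 # findings a human actually reviewed
    confirmed: int               # audited findings that were real bugs
    tp_rate: float               # point estimate of the true-positive rate
    tp_rate_low: float           # 95% interval, lower bound
    tp_rate_high: float          # 95% interval, upper bound
    expected_true_positives: float
    expected_false_positives: float


def wilson_interval(successes: int, trials: int, z: float = 1.96) -> tuple[float, float]:
    """Wilson score interval for a binomial proportion.

    Used instead of the normal approximation because triage samples are often
    small and the observed rate can sit near 0 or 1.
    """
    if trials <= 0:
        raise ValueError("cannot estimate a rate from zero audited findings")
    p = successes / trials
    z2 = z * z
    denom = 1.0 + z2 / trials
    centre = (p + z2 / (2.0 * trials)) / denom
    half = z * math.sqrt(p * (1.0 - p) / trials + z2 / (4.0 * trials * trials)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def extrapolate_true_positives(raw_findings: int, audited: int, confirmed: int) -> TriageEstimate:
    """Audit a sample, estimate the true-positive rate, scale to all raw findings."""
    if not 0 <= confirmed <= audited <= raw_findings:
        raise ValueError("need 0 <= confirmed <= audited <= raw_findings")
    low, high = wilson_interval(confirmed, audited)   # raises if nothing was audited
    p = confirmed / audited
    return TriageEstimate(
        raw_findings=raw_findings,
        audited=audited,
        confirmed=confirmed,
        tp_rate=p,
        tp_rate_low=low,
        tp_rate_high=high,
        expected_true_positives=p * raw_findings,
        expected_false_positives=(1.0 - p) * raw_findings,
    )


def false_negative_rate(known_vulns: set[str], flagged: set[str]) -> float:
    """Share of independently known vulnerabilities that the tool did not report."""
    if not known_vulns:
        raise ValueError("need at least one known vulnerability to measure misses")
    return len(known_vulns - flagged) / len(known_vulns)


if __name__ == "__main__":
    # Constructed numbers: 1,000 raw findings, 50 audited, 10 confirmed real.
    est = extrapolate_true_positives(raw_findings=1000, audited=50, confirmed=10)
    print(f"TP rate {est.tp_rate:.2f} (95% CI {est.tp_rate_low:.2f}-{est.tp_rate_high:.2f}); "
          f"expect about {est.expected_true_positives:.0f} real bugs in {est.raw_findings} findings")
    # Constructed: four known vulnerabilities; the tool flagged two of them plus an unrelated one.
    print(f"false-negative rate {false_negative_rate({'v1', 'v2', 'v3', 'v4'}, {'v1', 'v3', 'x'}):.2f}")
```

The interval is the practical point: with 10 confirmed out of 50 audited, the extrapolated 200 true positives in 1,000 findings comes with a plausible range of roughly 110 to 330, which is what decides whether the sample was "enough" or more auditing is needed.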
  8. Methodology
     • Static analysis: fast results; current bugs can be detected; repeatable
     • Vulnerability repository: the NVD is used to validate the predictions of the static-analysis metric
     • Question: do static-analysis results correlate with the vulnerabilities reported for the analyzed software in later years?
  9. Methodology [cont]
     • Normalize vulnerability counts by line count
     • SAVD (Static-Analysis Vulnerability Density)
     • NVD vulnerability density
     • Correlation between SAVD and NVD density
  10. SAVD [4]
  11. Methodology [cont]
     • Open-source applications as test cases (source code: PHP)
       – Dokuwiki: wiki
       – Mediawiki: wiki
       – phpBB: web forum
       – phpMyAdmin: system administration
       – Squirrelmail: email client
  12. Methodology [cont]
     • Fortify Source Code Analyzer (SCA); output in XML: vulnerability data
     • Custom Ruby scripts convert the vulnerability data and line counts into a form that can be analyzed with statistical software
     • Code size: 29,000 LOC <= code <= 162,000 LOC
     • Analysis time: 180 seconds <= time <= 3,600 seconds
     • Hardware: Core i5 processor and 8 GB of RAM
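The pipeline of slides 9 and 12 (static-analysis report in, line counts, a per-version density, and a correlation against NVD density), as an added example that is not the authors' Ruby scripts. The XML below is a constructed minimal finding format, not Fortify SCA's real output schema; SAVD is taken as findings per thousand lines of code, since the slides say only "normalize by line count"; the version sizes, findings and NVD counts are constructed numbers, not the paper's data.

```python
"""Static-Analysis Vulnerability Density (SAVD) per application version,
correlated against NVD vulnerability density (slides 9 and 12).

Added example, not the authors' Ruby conversion scripts. Assumptions:
  - CONSTRUCTED_REPORT is an invented minimal XML format for static-analysis
    findings, not Fortify SCA's real output schema.
  - SAVD is computed as findings per thousand lines of code (KLOC).
  - NVD density is NVD-reported vulnerabilities per KLOC of the same version.
  - All line counts, findings and NVD counts below are constructed numbers.
"""
import math
import xml.etree.ElementTree as ET
from collections import Counter

CONSTRUCTED_REPORT = """\
<report tool="hypothetical-sca">
  <version name="1.0" loc="10000">
    <finding category="SQL Injection" severity="Critical"/>
    <finding category="Cross-Site Scripting" severity="High"/>
  </version>
  <version name="2.0" loc="10000">
    <finding category="Cross-Site Scripting" severity="High"/>
    <finding category="Cross-Site Scripting" severity="High"/>
    <finding category="Path Manipulation" severity="Medium"/>
    <finding category="SQL Injection" severity="Critical"/>
  </version>
  <version name="3.0" loc="10000">
    <finding category="SQL Injection" severity="Critical"/>
    <finding category="Cross-Site Scripting" severity="High"/>
    <finding category="Cross-Site Scripting" severity="High"/>
    <finding category="Path Manipulation" severity="Medium"/>
    <finding category="Command Injection" severity="Critical"/>
    <finding category="Header Manipulation" severity="Low"/>
  </version>
</report>
"""

# Constructed NVD counts per version (in the paper these come from the NVD).
CONSTRUCTED_NVD_COUNTS = {"1.0": 1, "2.0": 1, "3.0": 3}


def parse_report(xml_text: str) -> dict[str, tuple[int, Counter]]:
    """Map version name -> (LOC, Counter of finding category -> count)."""
    root = ET.fromstring(xml_text)
    versions: dict[str, tuple[int, Counter]] = {}
    for ver in root.findall("version"):
        loc = int(ver.get("loc", "0"))
        cats = Counter(f.get("category", "Unknown") for f in ver.findall("finding"))
        versions[ver.get("name")] = (loc, cats)
    return versions


def savd(findings: int, loc: int) -> float:
    """Static-analysis vulnerability density: findings per KLOC."""
    if loc <= 0:
        raise ValueError("LOC must be positive to normalize a density")
    return findings / (loc / 1000.0)


def pearson(xs: list[float], ys: list[float]) -> float:
    """Pearson correlation coefficient, standard library only."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need at least two paired observations")
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0 or sy == 0:
        raise ValueError("zero variance: correlation undefined")
    return cov / (sx * sy)


def densities(report_xml: str, nvd_counts: dict[str, int]) -> dict[str, tuple[float, float]]:
    """Per version: (SAVD, NVD density), both per KLOC."""
    out: dict[str, tuple[float, float]] = {}
    for name, (loc, cats) in parse_report(report_xml).items():
        out[name] = (savd(sum(cats.values()), loc), nvd_counts[name] / (loc / 1000.0))
    return out


def savd_nvd_correlation(report_xml: str, nvd_counts: dict[str, int]) -> float:
    """Correlate SAVD with NVD density across versions (the paper's core test)."""
    dens = densities(report_xml, nvd_counts)
    pairs = [dens[v] for v in sorted(nvd_counts)]
    return pearson([p[0] for p in pairs], [p[1] for p in pairs])


if __name__ == "__main__":
    for v, (s, n) in sorted(densities(CONSTRUCTED_REPORT, CONSTRUCTED_NVD_COUNTS).items()):
        print(f"version {v}: SAVD={s:.2f}/KLOC  NVD density={n:.2f}/KLOC")
    print(f"Pearson r = {savd_nvd_correlation(CONSTRUCTED_REPORT, CONSTRUCTED_NVD_COUNTS):.3f}")
```

Normalizing both counts by the same line count is what makes versions of different sizes comparable; the paper's conclusion (slide 17) is about exactly this correlation, computed between a version's SAVD and the NVD density of that version's year and later years.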
  13. Results
     • NVD-reported vulnerabilities per application: 17 <= count <= 96
       – Dokuwiki: 17
       – phpMyAdmin: 96
  14. Results [cont]
     • SCA found 57,811 vulnerabilities
     • LOC: 1.5 million
     • phpMyAdmin: 96
  15. Results [cont]
  16. Discussion
     • Context-independent metric: the applications have the same data, functionality and installation standards
     • SAVI indicates post-release vulnerability density
     • SAVI lets organizations choose less vulnerable applications
     • Further investigation is required to determine whether similar results hold for other application classes
  17. Conclusion
     • The SAVD for each application version correlated significantly with the NVD vulnerability density for that version's year and subsequent years. For example, a project's SAVD for 2009 correlated with the project's NVD density for 2010 and 2011. This result means that static-analysis tools indicate an application's post-release vulnerability.
  18. References
     [1] M. Gegick and L. Williams, "Toward the Use of Automated Static Analysis Alerts for Early Identification of Vulnerability- and Attack-Prone Components," Proc. 2nd Int'l Conf. Internet Monitoring and Protection (ICIMP 07), IEEE CS, 2007, p. 18.
     [2] M. Gegick et al., "Prioritizing Software Security Fortification through Code-Level Metrics," Proc. 4th ACM Workshop Quality of Protection (QoP 08), ACM, 2008, pp. 31–38.
     [3] "Coverity Scan: 2010 Open Source Integrity Report," Coverity, 1 Nov. 2010; www.coverity.com/library/pdf/coverity-scan-2010-open-source-integrity-report.pdf.
     [4] http://www.informit.com/articles/article.aspx?p=768662&seqNum=3
  19. Thank You
