The document discusses Subgraph Technologies, an open source security startup based in Montreal. It introduces the company and its founders' backgrounds in security. The main topics covered are:
- Kerckhoffs' principle of security through open scrutiny rather than secrecy.
- How open source development has benefited the security research community and led to important tools through collaboration.
- Both advantages and disadvantages of commercial and open source web security software. While commercial tools have better usability, open source allows for transparency and avoids vendor lock-in.
- The existing landscape of both commercial and open source web security tools, noting some open source tools lack integration or are outdated.
Injecting Security into vulnerable web apps at Runtime, by Ajin Abraham
Web Application Security is not hard, but it's easy to get it wrong, as writing secure code is not as easy as preaching it. So to overcome incidents arising from such unforeseen events, organisations tend to rely on Web Application Firewalls, or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them works either outside or around the web application and acts by intercepting the HTTP requests coming to the web server, then takes a decision to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application: how the user input is getting interpreted, whether the application/server is under heavy load, whether the attacker is exfiltrating data by exploiting an SQLi that the WAF couldn't detect, etc. The strength of a traditional WAF depends on manual or predefined rules/signatures. As a result, they have the limitation that they will get bypassed if a payload is not present in their signature list. In the occurrence of a zero day, a WAF in most cases won't be able to prevent an attack, as it doesn't know the signature of the exploit yet.
In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next-generation web application defending technology dubbed Runtime Application Self Protection (RASP), which works by understanding your application to defend against web attacks from inside the web application. RASP relies on runtime patching to inject security into web apps implicitly, without introducing additional code changes. The root cause of all code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at the framework API or language API level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection, File Upload Bypass, Path Traversal, etc., and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS. This research is carried out by implementing a RASP module in a vulnerable web application written in Python using the Tornado framework with an SQLite backend.
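As an added example, not the RASP module from the talk above and not Tornado's or SQLite's own API beyond the calls it makes, the following Python sketches the detection step the abstract describes: request input is tracked as tainted, the database API is hooked, and a query is refused when the input no longer sits inside a single literal, i.e. the data has broken out into code. The SQL tokenizer, the `taint()` stand-in, the `GuardedCursor`/`GuardedConnection` classes and the sample `users` table are all assumptions of this example.

```python
# Added example: in-process "code context breakout" detection for SQL built
# from request parameters, illustrating the hooking approach described above.
# Not Ajin Abraham's RASP module: the tokenizer, the taint() stand-in and the
# GuardedCursor/GuardedConnection hook are assumptions made for this example.
import re
import sqlite3

# Lexer for a small SQL subset: enough to tell data literals from code.
_TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')         # single-quoted string literal
  | (?P<comment>--[^\n]*|/\*.*?\*/)     # line or block comment
  | (?P<number>\d+(?:\.\d+)?)           # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)    # keyword or identifier
  | (?P<space>\s+)
  | (?P<punct>.)                        # any other single character
""", re.VERBOSE | re.DOTALL)


class SqlInjectionDetected(Exception):
    """Raised by the hook instead of letting the query reach SQLite."""


def breaks_context(sql, value):
    """True if `value`, wherever it occurs in `sql`, is not confined to the
    inside of a single literal token, i.e. the input has become code."""
    if not value.strip():
        return False
    tokens = [(m.lastgroup, m.start(), m.end())
              for m in _TOKEN_RE.finditer(sql) if m.lastgroup != "space"]
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        hit = [t for t in tokens if t[1] < end and t[2] > start]
        if len(hit) > 1:
            return True  # input spans token boundaries: new keywords/operators
        if hit:
            kind, tstart, tend = hit[0]
            if kind in ("comment", "punct"):
                return True  # the input itself is a comment or an operator
            if kind == "string" and not (tstart < start and end < tend):
                return True  # input supplied or closed the quote delimiter
        start = sql.find(value, start + 1)
    return False


# Stand-in for taint tracking: a real RASP hooks where the framework hands
# parameters to the app (Tornado: get_argument) and scopes this per request.
_TAINTED = set()


def taint(value):
    _TAINTED.add(value)
    return value


class GuardedCursor(sqlite3.Cursor):
    """Hook at the database API: every execute() is checked before it runs."""

    def execute(self, sql, parameters=()):
        for value in _TAINTED:
            if breaks_context(sql, value):
                raise SqlInjectionDetected(f"input {value!r} altered query: {sql}")
        return super().execute(sql, parameters)


class GuardedConnection(sqlite3.Connection):
    def cursor(self, factory=GuardedCursor):
        return super().cursor(factory=factory)


def setup_db():
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:", factory=GuardedConnection)
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    cur.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "s3cr3t"), (2, "bob", "hunter2")])
    return conn


def handle_request(conn, name, parameterised):
    """One request handler; parameterised=False is the insecurely coded
    version the RASP has to protect without changing the application."""
    _TAINTED.clear()  # per-request taint scope
    name = taint(name)
    cur = conn.cursor()
    if parameterised:
        rows = cur.execute("SELECT secret FROM users WHERE name = ?", (name,))
    else:
        rows = cur.execute("SELECT secret FROM users WHERE name = '" + name + "'")
    return [r[0] for r in rows]


def run_checks():
    conn = setup_db()
    result = {"benign": handle_request(conn, "alice", parameterised=False)}
    try:
        handle_request(conn, "' OR 1=1 --", parameterised=False)
        result["attack"] = "not blocked"
    except SqlInjectionDetected:
        result["attack"] = "blocked"
    # The same payload bound as a parameter never appears in the SQL text.
    result["parameterised"] = handle_request(conn, "' OR 1=1 --", parameterised=True)
    return result


if __name__ == "__main__":
    print(run_checks())
```

The check is lexical, which is the point of the approach: the benign name `alice` lands strictly inside one string literal, while `' OR 1=1 --` closes the literal and contributes a keyword, an operator and a comment, so the hook refuses the query before SQLite sees it. Two caveats a practitioner would want: substring search is only a stand-in for real taint propagation (a value that the application transforms before use is not attributed), and a single identifier supplied by the user is not flagged here, so a user-controlled table or column name still needs an allow-list in the application.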
Standards and methodology for application security assessment, by Mykhailo Antonishyn
Based on the research results, it can be concluded that the ISO/IEC 27034 standard requires that vulnerability testing be carried out, but it does not specify how and what should be tested for vulnerabilities. NIST and NIAP both refer to OWASP MASVS and contain controls by which the mobile application is tested, mainly focusing on vulnerabilities in data storage and authorization. This is confirmed by statistics provided by Digital Security. The most recognized is MASVS. One of the parts of MASVS describes what and how to test.
It should be noted that all standards assess vulnerabilities related to interaction with the API rather weakly. As can be seen from the tests described in Section 2.2, the most critical vulnerabilities are those associated with interaction with the application server.
The security of an application is a continuous struggle between solid proactive controls and quality in the SDLC versus human weakness and resource restrictions. As the pentester's experience confirms, unfortunately even in high-risk (e.g. banking) applications, developed by recognized vendors, the latter often wins, and we end up with critical vulnerabilities.
One of the primary reasons is the lack of mechanisms enforcing secure code by default, as opposed to manually adding security to each function. Whenever the secure configuration is not the default, there will almost inevitably be bugs, especially in complex systems.
I will pinpoint what should be taken into consideration in the architecture and design process of the application. I will show solutions that impose security in ways that are difficult for creative developers to circumvent unintentionally. I will also share with the audience the pentester's (=attacker's) perspective, and a few clever tricks that made the pentest (=attack) painful, or just rendered the scenarios irrelevant.
Injecting Security into Web apps at Runtime Whitepaper, by Ajin Abraham
This paper discusses the research outcomes on implementing a runtime application patching algorithm on an insecurely-coded application to protect it against code injection vulnerabilities and other logical issues related to web applications, and introduces the next-generation web application defending technology dubbed Runtime Application Self-Protection (RASP), which defends against web attacks by working inside your web application. RASP relies on runtime patching to inject security into web apps implicitly without introducing additional code changes. The talk concludes with the challenges in this new technology and gives you an insight into the future of runtime protection.
Hackers, meet your match. No longer are web applications an easy target. You have been getting away for too long with laughing at poor programming practices, pissing on every parameter, and downloading entire tables from Web requests. In this talk, I will show a hands-on demo of a live application with a RASP, and without. I will cover the benefits of a RASP over a WAF, and explain how web sites should no longer rely on dumb traffic-level regex tools for their security.
I will attack a vulnerable web application, and demonstrate how a typical attack is carried out on it. Afterwards I will repeat the exercise on the same application, but this time with a RASP installed.
I will point out what the key differences are, and in a vendor neutral manner show key mechanisms which differentiate a RASP from a WAF or a firewall.
I will cover how brute force protection is done right, how aggregating application usage and sharing this data is beneficial, and how using a RASP can even be integrated into a SDLC.
A presentation+class delivered to a PHP developer group at Brown University that discussed Web Application Security with a heavy emphasis on PHP, and discussed security in the SDLC, and showed with some examples what to do and not do
OWASP Mobile Risk Series: M3: Insufficient Transport Layer Protection, by Anant Shrivastava
This session will focus on Mobile Top 10 2014 M3: Insufficient Transport Layer Protection. We will try to understand the transport layer, Transport Layer Security (TLS), insecurities in TLS/SSL, how this affects the overall security of mobile devices, what kind of protection can be applied, and how this can be identified.
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities, by Anant Shrivastava
c0c0n 2015 Presentation. This talk discussed the impact of using components with known vulnerabilities, along with various tips and tools for software developers or administrators to facilitate identification of vulnerable components.
After my offensive presentation "Testing iOS Apps without Jailbreak in 2018", it is time to focus also on building, not just breaking. This talk will cover the most important milestones in reaching secure iOS/macOS apps. I'm going to show you how to develop modern and secure iOS/macOS apps using the new security features presented at Apple's latest Worldwide Developers Conference. Hackers will be satisfied as well, since I'm also going to cover the pen tester's perspective. What's more, I will share with you details of multiple vulnerabilities (*including ones not disclosed previously*) that I found during security assessments and my research on Apple's applications.
Some of the very things that make JavaScript awesome can also leave it exposed. Guy Podjarny and Danny Grander walk through some sample security flaws unique to Node’s async nature and surrounding ecosystem (or especially relevant to it)—e.g., memory leaks via the buffer object, ReDoS and other algorithmic DoS attacks (which impact Node due to its single-threaded nature), and timing attacks leveraging the EventLoop—and show how these could occur in your own code or in npm dependencies.
OWASP Mobile Risk M2: Insecure Data Storage: null/OWASP/G4H Bangalore Aug 2014, by Anant Shrivastava
This presentation talks about OWASP Mobile Risk M2, i.e. Insecure Data Storage. The agenda of the presentation is to understand data storage and the effect of insecure data storage. It also had demos of known insecure data storage flaws, methods to identify this flaw, and various precautions that a developer should take to prevent this flaw.
The presentation was done as part of the null/OWASP/G4H Monthly Meet.
AppSec & OWASP Top 10 Primer
By Matt Scheurer (@c3rkah)
Cincinnati, Ohio
Date: 03/21/2019
Momentum Developer Conference
Sharonville Convention Center
#momentumdevcon
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).
Technology First
16th Annual Ohio Information Security Conference
OISC 2019
#OISC19
The OWASP Top 10 & AppSec Primer
By Matt Scheurer (@c3rkah)
Dayton, Ohio
Date: 03/13/2019
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
[CB19] tknk_scanner v2: community-based integrated malware identification syst... (CODE BLUE)
We presented tknk_scanner using YARA at Black Hat Europe 2018 Arsenal. tknk_scanner is a community-based integrated malware identification system, which aims to easily identify malware families by automating this process using an integration of open source community-based tools and freeware.
The previous tknk_scanner only supported binary-based scanning (scanning by YARA, a summary of VirusTotal using AVClass, file signatures by Detect It Easy). This major update adds packet capture and a network-based scanning mode. It allows the scanner to use network-based signatures (Snort rules, Suricata rules). Not only that, you can get process communication information and associate network signatures with binary signatures. Of course, those results can be easily checked from the cool Web UI. Support for binary-based and network-based signatures enabled simple dynamic analysis and provided malware identification accuracy. With this update, tknk_scanner further supports analysis by SOC operators, CSIRT members, and malware analysts.
Rajarshi Gupta at AI Frontiers: Security is AI's biggest challenge, AI is Se... (AI Frontiers)
The progress of AI in the last decade has seemed almost magical. But we will discuss the unique challenges posed by Security and what makes this domain the biggest challenge for AI. Reporting from the frontlines, we will describe the deployment of large-scale production-grade AI systems to combat security breaches, using lessons learned at Avast from defending over 400 million consumers every single day. Topics will cover the recent AI advancements in file-based anti-malware solutions, behavior-based on-device solutions, and network-based IoT security solutions.
Build your cybersecurity stack with open source (Software Guru)
Building software in an agile but secure way is not trivial. In this session I will share some recommendations on how to build a stack for developing applications securely, using open source tools in a continuous integration stack.
Presented by Eryx Paredes at SG Virtual Conference 2020
What is the Secure Supply Chain and the Current State of the PHP Ecosystem (sparkfabrik)
In this talk I'll present the current state of the software supply chain, the big recent global events (SolarWinds, log4shell, codecov, packagist), and the state of the PHP and Drupal ecosystem: the threats, the mitigations that can be applied using tools like Sigstore, Syft, and Grype for digital signatures, SBOM generation, and automatic vulnerability scanning, and how to use them for real-world projects to gain unprecedented levels of knowledge of your digital artifacts.
There will also be a demo of the mentioned tools in action to implement a secure supply chain pipeline for your Drupal projects.
Open Source, Sourceforge Projects, & Apache Foundation (Mohammad Kotb)
This presentation is made by my group in our Computer and Increasing Productivity Course in 2nd term - 1st year - Computer and Systems Engineering Department - Faculty of Engineering - Alexandria University...
GOST TEAM
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes (sparkfabrik)
In this talk we will talk about how to ensure the security and quality of the software we deploy on Kubernetes using open-source tools like Sigstore, Kyverno and Syft/Grype.
We will explain what a secure supply chain is, why it is important and how to implement it with these tools. We will also show you how to generate and verify SBOMs (Software Bill of Materials) of your OCI (Open Container Initiative) artifacts. And finally, we will show you some practical examples of how to use these technologies in action.
We hope you enjoy it and find it useful!
Similar to hacking your website with vega, confoo2011 (20)
1. Hacking Your Website With Vega
David Mirza, Subgraph Technologies, Montreal
http://www.subgraph.com
2. Introduction
Who we are
Open-source security startup
Based in Montreal
Experienced founders:
  o Secure Networks Inc.
  o SecurityFocus (Symantec)
  o Core Security Technologies
  o Netifera
  o REcon
3. About us
Subgraph is an open source security company
Helping organizations protect their websites
  o Building high quality software
  o Penetration testing
  o Code / architecture review
Incorporated in February 2010
Philosophy of openness important to us
  o More than just releasing the code
4. Open Source and Security
I say! Kerckhoffs' principle
Auguste Kerckhoffs: 19th Century Dutch linguist and cryptographer
Made an important realization:
  o "The security of any cryptographic system does not rest in its secrecy, it must be able to fall into the enemy's hands without inconvenience"
  o More succinctly, the adversary knows the system
As opposed to "security through obscurity"
5. Open Source and Security
Kerckhoffs' Principle
Well understood in the world of cryptography
  o New ciphers are not trusted without public scrutiny over years
  o Because cryptography is used as a "black box"
It's the only way to be sure
  o Once in a while, less now, companies try to market proprietary ciphers
There's a term for this: "snake oil"
But what about everyone else?
6. Beyond Cryptography
Security Research Community
Active, global community of passionate professionals, amateurs, students and hackers
  o Collaborative
  o Open
Examples
  o Phrack magazine
  o Bugtraq
  o Defcon
  o Blackhat
  o REcon!
This community changed the software industry
Full-disclosure won
Better security for all
Bug bounties
  o Google, Mozilla
7. Open Source and Security
Tools
These researchers write tools
  o Exploits
  o Network security (e.g. nmap)
Enough to have specialized, dedicated LiveCDs..
  o BackTrack – Penetration testing LiveCD
  o Helix – Forensics LiveCD
The security industry owes all so much
  o Grassroots, open source innovation
  o Some open source projects became commercial successes
    Snort IDS
    Metasploit
8. Open Source and Security
Open source has always been a part of security
Collaborative, open research
Open source tool development
Kerckhoffs' Law: open code scrutiny
Means better security, in general
Open source security software
Is more trustworthy: read the source, compile it yourself
No worries, no matter where in the world you live
Why doesn't everyone demand open source for security?
9. Open Source and Security
Web application security
Followed the same path
Collaborative, open research, advocacy
  o E.g. OWASP
Great open source tools, frameworks
Also, the cutting edge of web application development
Entirely open source!
11. Commercial Web Security Software
Advantages of commercial tools
Ease of installation, upgrade, use
User experience
Quality Assurance, bug fixing
Documentation/Help
Development driven by demand/need
Disadvantages
Expensive
Bizarre license restrictions
EOL, acquisitions, other events
Proprietary, closed source
12. Open Source Web Security Software
Since I've already talked about the advantages..
Disadvantages
No integration / sharing of data between the various tools
Poor or non-existent UI, documentation, help
Painful, broken installations
Code is of inconsistent quality
Developer, contributor unreliability
Development driven by whim, interest, skill level
Forks
Abandonment
  o Developer finished college, got a job
  o Successfully reproduced
13. Existing Landscape of Web Tools
There are very good commercial tools
HP, IBM, Qualys
SAAS, such as Whitehat
NetSparker
BurpSuite (free version available)
Expensive
Some free/community versions, crippled
Proprietary
14. Open Source Tools
There are also some fantastic open source tools
Specialized
  o Various specialized fuzzers
  o Standalone proxies
  o Standalone scanners
  o Standalone brute-forcing tools
They do not share a data model
  o Integrate them yourself
In our experience:
  o Sometimes buggy
  o Last commit was in 2008..
  o Broken user interfaces
16. Our Vision
One web, one web security tool
Open source
Consistent, well-designed UI
Functions really well as an automated scanner
  o Shouldn't need to be a penetration tester
  o Advanced features for those who are
User extensibility
  o Community
Plus all that boring stuff
  o Documentation, help, business friendly features
17. Hi, My Name Is:
Vega is a web-application security scanner
It finds vulnerabilities in your website
Written in Java, runs on:
  Mac OS X
  Windows
  Linux
A desktop application with a nice GUI
  Eclipse RCP
18. Introducing VEGA
Currently two modes of operation
Automated scanner
  o Point and click hacking
Intercepting proxy
  o Instrumentation
  o Manual closer inspection
  o Penetration testing
19. Scanner
Automated scanner
Crawls your web application recursively
Analyzes links
Runs a configurable set of audit and attack actions on these links
Limited brute forcing
Tests parameters for favorites, such as:
  o Reflected, persistent XSS
  o SQL injection
  o Command injection
  o Local file include
  o Local file reading
Tries to identify server misconfigurations
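As an added example, and not Vega's scanner code or its module API, the following Python shows the parameter-level reflected XSS test the scanner slide lists: each query parameter in a crawled URL is replaced by a tag carrying a canary, and the parameter is reported when that tag comes back in the response unencoded, which is exactly the tag-context breakout an attacker needs. The target (the `VulnerableApp` handler with its `/search` and `/safe` pages) and the canary string are constructed for this example so that it runs offline on the loopback interface.

```python
# Added example: a minimal reflected-XSS parameter probe of the kind the
# scanner slide describes, run against a constructed local target. This is
# example code, not Vega's scanner or its module API; the VulnerableApp
# handler, its /search and /safe pages and the canary are assumptions.
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CANARY = "vgxss7"  # unlikely to occur naturally, so a hit means reflection


class VulnerableApp(BaseHTTPRequestHandler):
    """Constructed target: /search echoes q raw, /safe HTML-escapes it."""

    def do_GET(self):
        url = urllib.parse.urlsplit(self.path)
        q = urllib.parse.parse_qs(url.query).get("q", [""])[0]
        if url.path == "/search":
            body = f"<h1>Results for {q}</h1>"
        elif url.path == "/safe":
            body = f"<h1>Results for {html.escape(q)}</h1>"
        else:
            self.send_error(404)
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_target():
    """Bind the constructed target to an ephemeral loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), VulnerableApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


# Talk to the target directly even if the environment configures a proxy.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(url):
    with _OPENER.open(url, timeout=5) as resp:
        return resp.read().decode("utf-8", errors="replace")


def probe_reflected_xss(url):
    """For each query parameter, send a tag containing the canary and report
    the parameter if the tag comes back unencoded (a new HTML tag context)."""
    parts = urllib.parse.urlsplit(url)
    params = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name in params:
        payload = f"<{CANARY}>"
        mutated = dict(params, **{name: [payload]})  # one parameter at a time
        query = urllib.parse.urlencode(mutated, doseq=True)
        body = fetch(urllib.parse.urlunsplit(parts._replace(query=query)))
        if payload in body:  # html.escape would have turned '<' into '&lt;'
            findings.append({"parameter": name, "issue": "reflected XSS"})
    return findings


def scan_demo():
    """Run the probe against both pages; 'page' is an untouched control."""
    srv, base = start_target()
    try:
        return {
            "/search": probe_reflected_xss(base + "/search?q=test&page=1"),
            "/safe": probe_reflected_xss(base + "/safe?q=test"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(scan_demo())
```

The probe mutates one parameter per request so that a finding names the parameter that reflects, which is what the report has to tell a developer. Matching on the whole `<canary>` tag rather than the bare canary string is deliberate: the `/safe` page still echoes the canary, but as `&lt;vgxss7&gt;`, and that is data, not markup. A production scanner would add per-context payloads (attribute, script and URL contexts), follow the links it crawls instead of taking a URL list, and store results in a shared data model so the proxy and the scanner modules see the same findings, which is the integration gap the earlier slides complain about.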
20. Proxy
Intercepting proxy
Intercepts requests, responses
  o Based on request method
  o Filters
Can be edited
Requests can be replayed or created
Data decoding and encoding
Customized automatic manipulation of requests, responses
Response processing scanner modules
21. What's Inside
Architecture
Eclipse RCP
Modularity of design enforced with OSGI
Using
  Apache HTTPComponents
  JSoup
  Google Guava
  DB4O
  Rhino JS Interpreter
22. Extensibility
Extending Vega with ease
Scripting of custom modules
  o Javascript
  o DOM, JQuery
  o Clean, sensible API
Scripting of proxy
  o Automated manipulation of intercepted requests, responses
Custom alerts
  o XML Templates
24. Current Status
We are really close
Finish a few features
Polish
Testing
Fixing bugs
Documentation
  User
  Developer
  Help
Beta! Mid-April
25. Future
Fun stuff
Penetration testing
  o Exploitation of vulnerabilities
  o Support for advanced attacks
Brute Forcing
  o Directories
  o Username/password
Fuzzing
  o E.g. A really good web services fuzzer
Specialized support for auditing apps
  o CakePHP, Rails, J2EE
Less fun
Really nice reporting
26. Thank you!
Interested?
Web: http://www.subgraph.com
E-mail us: info@subgraph.com
Twitter
  Company: @subgraph (we've been quiet)
  Me: @attractr
IRC: irc.freenode.org, #subgraph
MTLSEC
  If you're in Montreal, we do a monthly, informal 5@7
  http://www.mtlsec.com, @mtlsec