SlideShare a Scribd company logo
1 of 30
For further information please contact:
sales@buguroo.com
Current Issues


          Threats
 ‘Creating an extension that
enable unauthorized access to
    Facebook and Twitter
          accounts’                                                    Fines
      Source: www.elmundo.es                                 ‘Record fine of € 2.8M to the
                                                                British subsidiary of the
                                                            insurer Zurich for having lost
                                                               data from tens thousands
                                 Vulnerability                         customers’
                             ‘How was Stuxnet attack                   Source: AFP

                           directed against Iran’ nuclear
                                     facilities’
                                  Source: www.elpais.com
Risks of unsafe programming


        Threats
‘ 95% of intending attacks
     are against the
       application’                                        Fines
                                                 ‘The result of an attack or
                                                 data loss involves serious
                                                 legal consequences to the
                         Vulnerability                   company’
                     ‘Over 90% of Internet
                    vulnerabilities are in the
                             code’
Statistics: Vulnerabilities in Internet applications (1 of 2)


               % Vulnerabilities located for each type of test

       100
        80
        60                                                                    Urgent
        40                                                                    Critical

        20                                                                    High

         0                                                                    Medium

             % Sites (All)   % Sites       % Sites         % Sites            Low
                             (Scans)     (Blackbox)      (WhiteBox)

                                           Source: WASC (web application security consortium)
Statistics: Vulnerabilities in Internet applications (2 of 2)


     % Most common vulnerabilities                 % Sectors affected by attacks

                                                                  7%
               11%                                                              5%
          3%                                            12%
                               XSS
     4%                                                                                          Finance
                                                                                                 Education
                         39%                                                               19%
4%                             Information                                                       Social/Web
                               Leakage           12%                                             Media
                                                                                                 Retail
7%                             SQLi                                                              Technology
                                                                                                 Internet
                                                                                                 Goverment
                               Insufficent
                                                                                                 Entertainment
                               Transport Layer
                               Protection                                            16%
                               Fingerprinting           12%
                32%




                                                       Source: WASC (web application security consortium)
Limitations on current solutions


                                                                           Black box audit limitations
                                                                •   Do not audit the whole application
              Manual audits limitations
•   Costs. Despite of being one of the most effective
                                                                •   Are less accurate
    solutions, the magnitude of the source code is so vast in
    this type that are often scrapped on cost grounds
                                                                •   May incur in service degradation
•   Timeouts. The delivery of reports in a manual audit
    code requires such long wait times, which often
    decisions are made before results delivery

                                                                      Common limitations to both audits
•   Depend on development completion                            •   They do not address future vulnerabilities.
                                                                    Everyday new security holes are found

                                                                •   Do not include software updates, causing the
                                                                    rapid obsolescence of work audited
Our Solution:

•   buguroo has designed and implemented bugScout, the most powerful managed service on
    the market, regarding analysis of vulnerabilities in source code:

      bugScout automatically detects over 94% of vulnerabilities in the code. Is the most powerful
         solution on the market: its competition only detects 60% of existing vulnerabilities

      Operates in a decentralized manner in cloud, allowing unlimited scalability

      bugScout enables its partners, through its solution’ appliances, building and managing their own
         clouds

      bugScout is designed to audit multiple codes simultaneously without performance penalty
Advantages (1 of 2)



 bugScout reduces the
  cost of manual audit in
  more than 90%                               bugScout is integrated
                                               into the software
                                               development cycle,
                                               speeding up business
                                               processes
                   bugScout minimizes
                    waiting time result in
                    more than 99%
Advantages (2 of 2)

•   bugScout allows correction of errors in real time, encouraging the learning of the developers’ team

•   bugScout enables to audit of the entire application in full

•   bugScout audits are more accurate, its technology can effectively track the whole code

•   Avoid uncontrolled errors: Denial of Service attacks, untended spam…

•   bugScout update real-time signatures of public and private, due to the recurrent nature of its technology

•   bugScout easily integrates with the software development cycle

•   bugScout connects directly to the development repository, can audit the software, from minute one,
    without interrupting the production process
- Technology and features


•   bugScout consists of a Web console from which to offer multiple functionalities to easily operate on the
    code, avoiding any heavy agents or prior installation of software on the client

•   Also includes:
        A detection system of public and private vulnerabilities updated daily

        Multi-audit platform, capable of analyzing code simultaneously without interfering with the performance at the same
         time

        Multi-user access platform and permissions granularity
The environment   - Portal access
The environment                                       - Modular, extensive and scalable


           …                                      ……                                  …
   Tasks        Licenses      Query                                         Tasks               Licenses   Query

            FRAMEWORK 1                                                                      FRAMEWORK N


DISTRIBUTED COMMUNICATIONS BUS (BACKEND)                         DISTRIBUTED COMMUNICATION BUS (BACKEND)


                           CORE 1 …. N                          ENGINE



                                           Scheduler
Tasks       Licenses                                                                                       Result
                                                                  Motor N




                                                                …
                                           Decompression

                                                                                    Fam. 1         P1      Cond. 1
                                            Decoded




                                                                                              ..
                                                                                              ..
                                                                             ..
                                                                  Motor 1

Core                                         Engine                                 Fam. N         PN      Cond. N
The environment                          - Modular, extensible and scalable




         1. Framework. Interface to access up to 6 modules




         2. Core. Source code analyzer




         3. BackEnd. Secure storage of codes, reports and Vulnerability Data
             Bases and solutions
Framework - Modules (1 of 5)


    1. Dashboard

•    User configurable start menu where you can, take a look, review the security of the company s
     applications

•    The work area is editable, can be added, modified and/ or delete graphics, and rearrange or resize them
     using Drag & Drop

•    The graphics also are interacting, so moving pointer can be seen the values they represent

•    To make this possible, the design has been done relying on the latest web 2.0 techniques, without
     sacrificing security and performance
Framework - Modules: Dashboard (2 of 5)
Framework - Modules (3 of 5)


    2. Projects


•    From this module can be classified projects and applications, for later analysis, also from this section can
     be requested manual audits, re-audited code to check on progress, asked for auditor to perform a
     penetration test or a report or check vulnerabilities

•    Also from this section can be requested manual audits, re-audited code to check on progress, asked for an
     auditor to perform penetration test or a report to check vulnerabilities

    3. Document management


•    Simple Document Management System enables to consult reports generated automatically or manually,
     as well as help documentation on the tool, generate asymmetric encryption keys, perform secure uploads
     of source code to audit
Framework - Modules (4 of 5)


    4. Vulnerabilities

•    Module from which to work with the results of audits, enabled to verify the proposed solutions,
     references, explanations of the vulnerabilities, etc.


    5. Reports

•    Enabled module to generate reports and technical executives at different levels


    6. Administration

•    Enabled module for managing users, groups and roles
•    Oriented menu creation and hierarchical structure of companies (customers, suppliers)
•    You can configure the look & feel of the interface according to the standards and corporate logos of each
     company, and generate reports tailored to each company
Framework - Modules: Projects (5 de 5)
The environment                        - Modular, extensible and scalable




         1. Framework. User interface to access up to 6 modules




         2. Core. Source code analyzer




         3. BackEnd. Secure storage of codes, reports and Vulnerability Data
             Bases and Solutions
Core (1 of 4)


    2. Core

•    bugScout Core consists of a vulnerability pattern recognition system on analyzed software. The entire
     process provides an analysis of reliability code to detect patterns that would allow attacker to access
     unauthorized data

•    Main functionalities:
      1.   Detection of language processing

      2.   Lexical Analysis

      3.   Parsing

      4.   Generation of modeling software application architecture

      5.   Data flow analysis

      6.   Vulnerable pattern detection

      7.   Discrimination of false positives

      8.   Communication of potential vulnerabilities found
Core (2 of 4) – Main features




                                                                          Generation of modeling
    Detection of               Lexical analysis          Parsing
                                                                           software application
language processing                                                            architecture




  Communication of              Discrimination of    Vulnerable pattern      Data flow analysis
potential vulnerabilities        false positives         detection
         found
Core – Main features (3 of 4)


     2. Core

1.    Detection of language processing: using different filters and patterns, bugScout Core determines which
      language contains every file and proceeds to generate the basic structure to continue the process

2.    Lexical analysis: essential process to begin analysis of a language, to do so, bugScout Core integrates
      directly with the lexical analyzer for each language

3.    Parsing: bugScout Core uses the parser that defines each own language, since it is the most accurate way
      to profile the sources. Requiring, at times, certain amendments in order to make the construction of
      application software architecture

4.    Generation of modeling software application architecture: is the memory representation of code to
      analyze, but with a greater degree of computation, allowing the tree to perform operations that require
      high computational effort, in minimum time
Core – Main features (4 of 4)


     2. Core

5.    Data flow analysis: is the compression of the source code itself and will be analyzed to determine if the
      code contains vulnerability patterns

6.    Pattern Detection vulnerable: the search for vulnerabilities, bugScout Core bet a complex plug-ins
      architecture that will facilitate future updates of signatures based on new patterns vulnerable. Through
      these plug-ins based on regular expressions formed expressly for each specific language, you can
      determine with a high degree of probability if there is a vulnerability in the code

7.    Discrimination of false positives: Performs the necessary backtracking and discard, depending on the
      conditions that the pattern found, representing this particular code, confirming whether or not a real risk
      in a such pattern

8.    Communication of potential vulnerabilities found: in this process bugScout Core communicates the
      visual, the existence of security flaws in the code to display
The environment                        - Modular, extensible and scalable




         1. Framework. User interface to access up to 6 modules




         2. Core. Source code analyzer




         3. BackEnd. Secure storage of codes, reports and Vulnerability Data
             Bases and solutions
BackEnd (1 of 4)


    3. BackEnd

•    bugScout BackEnd stores in Cloud the data the tool works with. Our BackEnd model, incorporates the
     latest technologies, which allow maximum efficiency compatibility of stored data, secure environment
     essential feature of a maximum security environment

•    Advantages
         Improved development time

         Improved effectiveness

         Scalability

         Flexibility

         Availability

         Management

         Security
BackEnd (2 of 4)




                Data flow        Control flow




               Controller Unit    Connector
Data


                                                  BBDD
                                            1…N




               BBDD Controller                    BBDD
BackEnd (3 de 4)


    3. BackEnd

•    bugScout BackEnd architecture provides a flexible and conceptuality simple design, which allows to
     develop a fast and flexible environment

•    Integration Cloud Storage technology, provides systems and networks our capacity to grow and scale,
     with a minimum manual handling

•    Safety is an integral part of computing in cloud. Architectural design of a group of systems that work
     directly on highly sensitive information, to protect the information accordingly. bugScout BackEnd goes a
     step further by considering that involves integration Cloud Storage with three key additional services:
         Resizing

         Disaster Recovery

         Data security and communications
BackEnd (4 of 4)


    3. BackEnd

•    bugScout BackEnd presents a secure, flexible and scalable management system:

         FileNetSystem, paradigm implies that from a single console can be managed independently, each of the Cloud
          Storage Systems

         Management System enabling self-configuration in expansion modules. Driver modules themselves are capable of
          detecting a new infrastructure and adapt the present configuration, giving the administrator the options available,
          facilitating the scaling system

•    bugScout BackEnd provides the following benefits:
         Compliance with laws and regulations

         Hardware failover

         Long feasibility of IT resources

         Secured assets in physical environments

         Data isolation
Why                           is the best solution?


•   bugScout has been designed by one of the best and qualified teams with projects worldwide

•   Does not require extensive knowledge of security

•   bugScout gets the best detection and false positive rates on the market

•   This is the first tool that has other language independent, rejecting the pseudo-code
    conversion. Thus extending the detection rate, being able to locate errors and deprecated
    library functions, vulnerabilities, sensitive information in comments, ectc.

•   bugScout automatically corrects the vulnerable parts of the code, proposing effective
    solutions to build secure applications

•   Lets you easily manage vulnerabilities, reporting, storing documentation, see statistics,
    historical control…
www.buguroo.com




                         For further information please contact:
                                            sales@buguroo.com
                                           Tel.: (34) 917 816 160
                  Plaza Marqués de Salamanca, 3-4, 28006 Madrid

More Related Content

What's hot

Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009
Kim Jensen
 
Cyber Sec Project Proposal
Cyber Sec Project ProposalCyber Sec Project Proposal
Cyber Sec Project Proposal
Chris Young
 
Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)
AP DealFlow
 

What's hot (20)

Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs,  PATCH Act, & Wan...Open Source Insight: Artifex Ruling, NY Cybersecurity Regs,  PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
 
Sivasubramanian Risk Management In The Web 2.0 Environment
Sivasubramanian Risk  Management In The  Web 2.0  EnvironmentSivasubramanian Risk  Management In The  Web 2.0  Environment
Sivasubramanian Risk Management In The Web 2.0 Environment
 
2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats
 
Puppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability ExploitsPuppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability Exploits
 
IRJET- Minimize Phishing Attacks: Securing Spear Attacks
IRJET- Minimize Phishing Attacks: Securing Spear AttacksIRJET- Minimize Phishing Attacks: Securing Spear Attacks
IRJET- Minimize Phishing Attacks: Securing Spear Attacks
 
Is Information Security Worth It?
Is Information Security Worth It?Is Information Security Worth It?
Is Information Security Worth It?
 
Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009
 
SIA-Q1-2016
SIA-Q1-2016SIA-Q1-2016
SIA-Q1-2016
 
ISTR Volume 18
ISTR Volume 18ISTR Volume 18
ISTR Volume 18
 
Buyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection PlatformsBuyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection Platforms
 
Advanced Web Security Deployment
Advanced Web Security DeploymentAdvanced Web Security Deployment
Advanced Web Security Deployment
 
Evolving Threat Landscape Web Spam Bot
Evolving Threat Landscape Web Spam BotEvolving Threat Landscape Web Spam Bot
Evolving Threat Landscape Web Spam Bot
 
Symantec Internet Security Threat Report 2011 Trends Volume 17 April 2012
Symantec Internet Security Threat Report 2011 Trends Volume 17 April 2012Symantec Internet Security Threat Report 2011 Trends Volume 17 April 2012
Symantec Internet Security Threat Report 2011 Trends Volume 17 April 2012
 
2012 ab is-your-browser-putting-you-at-risk
2012 ab is-your-browser-putting-you-at-risk2012 ab is-your-browser-putting-you-at-risk
2012 ab is-your-browser-putting-you-at-risk
 
A6704d01
A6704d01A6704d01
A6704d01
 
Presentation gdl
Presentation gdlPresentation gdl
Presentation gdl
 
Cyber Sec Project Proposal
Cyber Sec Project ProposalCyber Sec Project Proposal
Cyber Sec Project Proposal
 
Widyatama Lecture Applied Networking-IV Week05 Mobile Security 1
Widyatama Lecture Applied Networking-IV Week05 Mobile Security 1Widyatama Lecture Applied Networking-IV Week05 Mobile Security 1
Widyatama Lecture Applied Networking-IV Week05 Mobile Security 1
 
Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)
 
IRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection Methods
 

Similar to We present Bugscout

State of Web Application Security by Ponemon Institute
State of Web Application Security by Ponemon InstituteState of Web Application Security by Ponemon Institute
State of Web Application Security by Ponemon Institute
Jeremiah Grossman
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software Security
Tyler Shields
 
20101012 CIOnet Cyber Security Final Results
20101012 CIOnet Cyber Security Final Results20101012 CIOnet Cyber Security Final Results
20101012 CIOnet Cyber Security Final Results
CIONET
 

Similar to We present Bugscout (20)

State of Web Application Security by Ponemon Institute
State of Web Application Security by Ponemon InstituteState of Web Application Security by Ponemon Institute
State of Web Application Security by Ponemon Institute
 
Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020
 
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan   vulnerability stats report 2019 - h-isac-2-2-2019Edgescan   vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019)
 
ISTR XV
ISTR XVISTR XV
ISTR XV
 
Jedi mind tricks for building application security programs
Jedi mind tricks for building application security programsJedi mind tricks for building application security programs
Jedi mind tricks for building application security programs
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
 
Global Cyber Security Industry
Global Cyber Security IndustryGlobal Cyber Security Industry
Global Cyber Security Industry
 
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics Report
 
2022 Vulnerability Statistics Report.pdf
2022 Vulnerability Statistics Report.pdf2022 Vulnerability Statistics Report.pdf
2022 Vulnerability Statistics Report.pdf
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software Security
 
edgescan vulnerability stats report (2018)
 edgescan vulnerability stats report (2018)  edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018)
 
Security Lifecycle Management Process
Security Lifecycle Management ProcessSecurity Lifecycle Management Process
Security Lifecycle Management Process
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
2013 Security Threat Report Presentation
2013 Security Threat Report Presentation2013 Security Threat Report Presentation
2013 Security Threat Report Presentation
 
Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana   iisf...Web security – application security roads to software security nirvana   iisf...
Web security – application security roads to software security nirvana iisf...
 
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
 
20101012 CIOnet Cyber Security Final Results
20101012 CIOnet Cyber Security Final Results20101012 CIOnet Cyber Security Final Results
20101012 CIOnet Cyber Security Final Results
 
Ponemon survey cloud security webcast
Ponemon survey cloud security webcastPonemon survey cloud security webcast
Ponemon survey cloud security webcast
 

Recently uploaded

Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 

Recently uploaded (20)

Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4j
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
 

We present Bugscout

  • 1. For further information please contact: sales@buguroo.com
  • 2. Current Issues Threats ‘Creating an extension that enable unauthorized access to Facebook and Twitter accounts’ Fines Source: www.elmundo.es ‘Record fine of € 2.8M to the British subsidiary of the insurer Zurich for having lost data from tens thousands Vulnerability customers’ ‘How was Stuxnet attack Source: AFP directed against Iran’ nuclear facilities’ Source: www.elpais.com
  • 3. Risks of unsafe programming Threats ‘ 95% of intending attacks are against the application’ Fines ‘The result of an attack or data loss involves serious legal consequences to the Vulnerability company’ ‘Over 90% of Internet vulnerabilities are in the code’
  • 4. Statistics: Vulnerabilities in Internet applications (1 of 2) % Vulnerabilities located for each type of test 100 80 60 Urgent 40 Critical 20 High 0 Medium % Sites (All) % Sites % Sites % Sites Low (Scans) (Blackbox) (WhiteBox) Source: WASC (web application security consortium)
  • 5. Statistics: Vulnerabilities in Internet applications (2 of 2) % Most common vulnerabilities % Sectors affected by attacks 7% 11% 5% 3% 12% XSS 4% Finance Education 39% 19% 4% Information Social/Web Leakage 12% Media Retail 7% SQLi Technology Internet Goverment Insufficent Entertainment Transport Layer Protection 16% Fingerprinting 12% 32% Source: WASC (web application security consortium)
  • 6. Limitations on current solutions Black box audit limitations • Do not audit the whole application Manual audits limitations • Costs. Despite of being one of the most effective • Are less accurate solutions, the magnitude of the source code is so vast in this type that are often scrapped on cost grounds • May incur in service degradation • Timeouts. The delivery of reports in a manual audit code requires such long wait times, which often decisions are made before results delivery Common limitations to both audits • Depend on development completion • They do not address future vulnerabilities. Everyday new security holes are found • Do not include software updates, causing the rapid obsolescence of work audited
  • 7. Our Solution: • buguroo has designed and implemented bugScout, the most powerful managed service on the market, regarding analysis of vulnerabilities in source code:  bugScout automatically detects over 94% of vulnerabilities in the code. Is the most powerful solution on the market: its competition only detects 60% of existing vulnerabilities  Operates in a decentralized manner in cloud, allowing unlimited scalability  bugScout enables its partners, through its solution’ appliances, building and managing their own clouds  bugScout is designed to audit multiple codes simultaneously without performance penalty
  • 8. Advantages (1 of 2)  bugScout reduces the cost of manual audit in more than 90%  bugScout is integrated into the software development cycle, speeding up business processes  bugScout minimizes waiting time result in more than 99%
  • 9. Advantages (2 of 2) • bugScout allows correction of errors in real time, encouraging the learning of the developers’ team • bugScout enables to audit of the entire application in full • bugScout audits are more accurate, its technology can effectively track the whole code • Avoid uncontrolled errors: Denial of Service attacks, untended spam… • bugScout update real-time signatures of public and private, due to the recurrent nature of its technology • bugScout easily integrates with the software development cycle • bugScout connects directly to the development repository, can audit the software, from minute one, without interrupting the production process
  • 10. - Technology and features • bugScout consists of a Web console from which to offer multiple functionalities to easily operate on the code, avoiding any heavy agents or prior installation of software on the client • Also includes:  A detection system of public and private vulnerabilities updated daily  Multi-audit platform, capable of analyzing code simultaneously without interfering with the performance at the same time  Multi-user access platform and permissions granularity
  • 11. The environment - Portal access
  • 12. The environment - Modular, extensive and scalable … …… … Tasks Licenses Query Tasks Licenses Query FRAMEWORK 1 FRAMEWORK N DISTRIBUTED COMMUNICATIONS BUS (BACKEND) DISTRIBUTED COMMUNICATION BUS (BACKEND) CORE 1 …. N ENGINE Scheduler Tasks Licenses Result Motor N … Decompression Fam. 1 P1 Cond. 1 Decoded .. .. .. Motor 1 Core Engine Fam. N PN Cond. N
  • 13. The environment - Modular, extensible and scalable 1. Framework. Interface to access up to 6 modules 2. Core. Source code analyzer 3. BackEnd. Secure storage of codes, reports and Vulnerability Data Bases and solutions
  • 14. Framework - Modules (1 of 5) 1. Dashboard • User configurable start menu where you can, take a look, review the security of the company s applications • The work area is editable, can be added, modified and/ or delete graphics, and rearrange or resize them using Drag & Drop • The graphics also are interacting, so moving pointer can be seen the values they represent • To make this possible, the design has been done relying on the latest web 2.0 techniques, without sacrificing security and performance
  • 15. Framework - Modules: Dashboard (2 of 5)
  • 16. Framework - Modules (3 of 5) 2. Projects • From this module can be classified projects and applications, for later analysis, also from this section can be requested manual audits, re-audited code to check on progress, asked for auditor to perform a penetration test or a report or check vulnerabilities • Also from this section can be requested manual audits, re-audited code to check on progress, asked for an auditor to perform penetration test or a report to check vulnerabilities 3. Document management • Simple Document Management System enables to consult reports generated automatically or manually, as well as help documentation on the tool, generate asymmetric encryption keys, perform secure uploads of source code to audit
  • 17. Framework - Modules (4 of 5) 4. Vulnerabilities • Module from which to work with the results of audits, enabled to verify the proposed solutions, references, explanations of the vulnerabilities, etc. 5. Reports • Enabled module to generate reports and technical executives at different levels 6. Administration • Enabled module for managing users, groups and roles • Oriented menu creation and hierarchical structure of companies (customers, suppliers) • You can configure the look & feel of the interface according to the standards and corporate logos of each company, and generate reports tailored to each company
  • 18. Framework - Modules: Projects (5 de 5)
  • 19. The environment - Modular, extensible and scalable 1. Framework. User interface to access up to 6 modules 2. Core. Source code analyzer 3. BackEnd. Secure storage of codes, reports and Vulnerability Data Bases and Solutions
  • 20. Core (1 of 4) 2. Core • bugScout Core consists of a vulnerability pattern recognition system on analyzed software. The entire process provides an analysis of reliability code to detect patterns that would allow attacker to access unauthorized data • Main functionalities: 1. Detection of language processing 2. Lexical Analysis 3. Parsing 4. Generation of modeling software application architecture 5. Data flow analysis 6. Vulnerable pattern detection 7. Discrimination of false positives 8. Communication of potential vulnerabilities found
  • 21. Core (2 of 4) – Main features Generation of modeling Detection of Lexical analysis Parsing software application language processing architecture Communication of Discrimination of Vulnerable pattern Data flow analysis potential vulnerabilities false positives detection found
  • 22. Core – Main features (3 of 4) 2. Core 1. Detection of language processing: using different filters and patterns, bugScout Core determines which language contains every file and proceeds to generate the basic structure to continue the process 2. Lexical analysis: essential process to begin analysis of a language, to do so, bugScout Core integrates directly with the lexical analyzer for each language 3. Parsing: bugScout Core uses the parser that defines each own language, since it is the most accurate way to profile the sources. Requiring, at times, certain amendments in order to make the construction of application software architecture 4. Generation of modeling software application architecture: is the memory representation of code to analyze, but with a greater degree of computation, allowing the tree to perform operations that require high computational effort, in minimum time
  • 23. Core – Main features (4 of 4) 2. Core 5. Data flow analysis: is the compression of the source code itself and will be analyzed to determine if the code contains vulnerability patterns 6. Pattern Detection vulnerable: the search for vulnerabilities, bugScout Core bet a complex plug-ins architecture that will facilitate future updates of signatures based on new patterns vulnerable. Through these plug-ins based on regular expressions formed expressly for each specific language, you can determine with a high degree of probability if there is a vulnerability in the code 7. Discrimination of false positives: Performs the necessary backtracking and discard, depending on the conditions that the pattern found, representing this particular code, confirming whether or not a real risk in a such pattern 8. Communication of potential vulnerabilities found: in this process bugScout Core communicates the visual, the existence of security flaws in the code to display
  • 24. The environment - Modular, extensible and scalable 1. Framework. User interface to access up to 6 modules 2. Core. Source code analyzer 3. BackEnd. Secure storage of codes, reports and Vulnerability Data Bases and solutions
  • 25. BackEnd (1 of 4) 3. BackEnd • bugScout BackEnd stores in Cloud the data the tool works with. Our BackEnd model, incorporates the latest technologies, which allow maximum efficiency compatibility of stored data, secure environment essential feature of a maximum security environment • Advantages  Improved development time  Improved effectiveness  Scalability  Flexibility  Availability  Management  Security
  • 26. BackEnd (2 of 4) Data flow Control flow Controller Unit Connector Data BBDD 1…N BBDD Controller BBDD
  • 27. BackEnd (3 de 4) 3. BackEnd • bugScout BackEnd architecture provides a flexible and conceptuality simple design, which allows to develop a fast and flexible environment • Integration Cloud Storage technology, provides systems and networks our capacity to grow and scale, with a minimum manual handling • Safety is an integral part of computing in cloud. Architectural design of a group of systems that work directly on highly sensitive information, to protect the information accordingly. bugScout BackEnd goes a step further by considering that involves integration Cloud Storage with three key additional services:  Resizing  Disaster Recovery  Data security and communications
  • 28. BackEnd (4 of 4) 3. BackEnd • bugScout BackEnd presents a secure, flexible and scalable management system:  FileNetSystem, paradigm implies that from a single console can be managed independently, each of the Cloud Storage Systems  Management System enabling self-configuration in expansion modules. Driver modules themselves are capable of detecting a new infrastructure and adapt the present configuration, giving the administrator the options available, facilitating the scaling system • bugScout BackEnd provides the following benefits:  Compliance with laws and regulations  Hardware failover  Long feasibility of IT resources  Secured assets in physical environments  Data isolation
  • 29. Why is the best solution? • bugScout has been designed by one of the best and qualified teams with projects worldwide • Does not require extensive knowledge of security • bugScout gets the best detection and false positive rates on the market • This is the first tool that has other language independent, rejecting the pseudo-code conversion. Thus extending the detection rate, being able to locate errors and deprecated library functions, vulnerabilities, sensitive information in comments, ectc. • bugScout automatically corrects the vulnerable parts of the code, proposing effective solutions to build secure applications • Lets you easily manage vulnerabilities, reporting, storing documentation, see statistics, historical control…
  • 30. www.buguroo.com For further information please contact: sales@buguroo.com Tel.: (34) 917 816 160 Plaza Marqués de Salamanca, 3-4, 28006 Madrid