2. Current Issues
Threats: ‘Creating an extension that enables unauthorized access to Facebook and Twitter accounts’ (Source: www.elmundo.es)
Fines: ‘Record fine of € 2.8M to the British subsidiary of the insurer Zurich for having lost data from tens of thousands of customers’ (Source: AFP)
Vulnerability: ‘How was the Stuxnet attack directed against Iran’s nuclear facilities’ (Source: www.elpais.com)
3. Risks of unsafe programming
Threats: ‘95% of intended attacks are against the application’
Fines: ‘The result of an attack or data loss involves serious legal consequences for the company’
Vulnerability: ‘Over 90% of Internet vulnerabilities are in the code’
4. Statistics: Vulnerabilities in Internet applications (1 of 2)
[Chart: % vulnerabilities located for each type of test, broken down by severity (Urgent, Critical, High, Medium, Low), for % Sites (All), % Sites (Scans), % Sites (Blackbox) and % Sites (WhiteBox)]
Source: WASC (web application security consortium)
5. Statistics: Vulnerabilities in Internet applications (2 of 2)
[Pie chart: % most common vulnerabilities: XSS, Information Leakage, SQLi, Insufficient Transport Layer Protection, Fingerprinting]
[Pie chart: % sectors affected by attacks: Finance, Education, Social/Web Media, Retail, Technology, Internet, Government, Entertainment]
Source: WASC (web application security consortium)
6. Limitations on current solutions
Black box audit limitations
• Do not audit the whole application
• Are less accurate
• May incur service degradation
Manual audit limitations
• Costs. Despite being one of the most effective solutions, the volume of source code in this type of audit is so vast that they are often scrapped on cost grounds
• Timeouts. The delivery of reports in a manual code audit requires such long wait times that decisions are often made before the results are delivered
Common limitations to both audits
• Depend on development completion
• They do not address future vulnerabilities. Every day new security holes are found
• Do not include software updates, causing the rapid obsolescence of the work audited
7. Our Solution
• buguroo has designed and implemented bugScout, the most powerful managed service on the market for the analysis of vulnerabilities in source code:
• bugScout automatically detects over 94% of vulnerabilities in the code. It is the most powerful solution on the market: its competition only detects 60% of existing vulnerabilities
• It operates in a decentralized manner in the cloud, allowing unlimited scalability
• bugScout enables its partners, through the solution’s appliances, to build and manage their own clouds
• bugScout is designed to audit multiple code bases simultaneously without performance penalty
8. Advantages (1 of 2)
• bugScout reduces the cost of manual audit by more than 90%
• bugScout is integrated into the software development cycle, speeding up business processes
• bugScout minimizes result waiting time by more than 99%
9. Advantages (2 of 2)
• bugScout allows correction of errors in real time, encouraging learning within the developers’ team
• bugScout makes it possible to audit the entire application in full
• bugScout audits are more accurate, since its technology can effectively track the whole code
• Avoids uncontrolled errors: Denial of Service attacks, unintended spam…
• bugScout updates public and private signatures in real time, due to the recurrent nature of its technology
• bugScout easily integrates with the software development cycle
• bugScout connects directly to the development repository and can audit the software from minute one, without interrupting the production process
10. Technology and features
• bugScout consists of a Web console offering multiple functionalities to easily operate on the code, avoiding any heavy agents or prior installation of software on the client
• It also includes:
A detection system for public and private vulnerabilities, updated daily
A multi-audit platform, capable of analyzing several code bases simultaneously without interfering with performance
A multi-user access platform with permission granularity
12. The environment - Modular, extensible and scalable
[Architecture diagram: Framework 1 … Framework N (Tasks, Licenses, Query) connected through a distributed communications bus (BackEnd) to Core 1 … N Engine. Each Core Engine has a Scheduler (Tasks, Licenses, Result) driving Motor 1 … Motor N; each motor performs Decompression and Decoding and applies vulnerability families Fam. 1 … Fam. N, each with its pattern (P1 … PN) and condition (Cond. 1 … Cond. N)]
13. The environment - Modular, extensible and scalable
1. Framework. Interface to access up to 6 modules
2. Core. Source code analyzer
3. BackEnd. Secure storage of codes, reports, and Vulnerability Databases and solutions
14. Framework - Modules (1 of 5)
1. Dashboard
• User-configurable start menu from which you can take a look at and review the security of the company’s applications
• The work area is editable: graphics can be added, modified and/or deleted, and rearranged or resized using Drag & Drop
• The graphics are also interactive, so moving the pointer over them shows the values they represent
• To make this possible, the design relies on the latest web 2.0 techniques, without sacrificing security and performance
16. Framework - Modules (3 of 5)
2. Projects
• From this module, projects and applications can be classified for later analysis
• Also from this section, manual audits can be requested, code can be re-audited to check on progress, and an auditor can be asked to perform a penetration test or to produce a report checking vulnerabilities
3. Document management
• A simple Document Management System makes it possible to consult reports generated automatically or manually, as well as help documentation on the tool, to generate asymmetric encryption keys, and to perform secure uploads of source code to audit
17. Framework - Modules (4 of 5)
4. Vulnerabilities
• Module from which to work with the results of audits, enabling verification of the proposed solutions, references, explanations of the vulnerabilities, etc.
5. Reports
• Module for generating technical and executive reports at different levels
6. Administration
• Module for managing users, groups and roles
• Oriented to menu creation and the hierarchical structure of companies (customers, suppliers)
• The look & feel of the interface can be configured according to the standards and corporate logos of each company, and reports can be tailored to each company
19. The environment - Modular, extensible and scalable
1. Framework. User interface to access up to 6 modules
2. Core. Source code analyzer
3. BackEnd. Secure storage of codes, reports, and Vulnerability Databases and Solutions
20. Core (1 of 4)
2. Core
• bugScout Core consists of a vulnerability pattern recognition system for the analyzed software. The entire process provides a reliability analysis of the code to detect patterns that would allow an attacker to access unauthorized data
• Main functionalities:
1. Detection of language processing
2. Lexical analysis
3. Parsing
4. Generation of modeling software application architecture
5. Data flow analysis
6. Vulnerable pattern detection
7. Discrimination of false positives
8. Communication of potential vulnerabilities found
21. Core (2 of 4) – Main features
[Diagram: the eight Core stages as a pipeline: Detection of language processing → Lexical analysis → Parsing → Generation of modeling software application architecture → Data flow analysis → Vulnerable pattern detection → Discrimination of false positives → Communication of potential vulnerabilities found]
22. Core – Main features (3 of 4)
2. Core
1. Detection of language processing: using different filters and patterns, bugScout Core determines which language each file contains and proceeds to generate the basic structure to continue the process
2. Lexical analysis: the essential process to begin the analysis of a language; to do so, bugScout Core integrates directly with the lexical analyzer for each language
3. Parsing: bugScout Core uses the parser that each language itself defines, since it is the most accurate way to profile the sources. At times this requires certain amendments in order to build the application software architecture model
4. Generation of modeling software application architecture: this is the in-memory representation of the code to analyze, but with a greater degree of computation, allowing operations that require high computational effort to be performed on the tree in minimum time
23. Core – Main features (4 of 4)
2. Core
5. Data flow analysis: this is the comprehension of the source code itself, which is analyzed to determine whether the code contains vulnerability patterns
6. Vulnerable pattern detection: for the search for vulnerabilities, bugScout Core relies on a complex plug-in architecture that facilitates future signature updates based on newly discovered vulnerable patterns. Through these plug-ins, based on regular expressions written expressly for each specific language, it can determine with a high degree of probability whether there is a vulnerability in the code
7. Discrimination of false positives: performs the necessary backtracking and, depending on the conditions under which the pattern was found in this particular code, discards it or confirms whether or not such a pattern represents a real risk
8. Communication of potential vulnerabilities found: in this process bugScout Core communicates the existence of security flaws in the code to the visual layer for display
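To make the eight Core stages of slides 22 and 23 concrete, the following is an added illustrative example (not bugScout code): a miniature analyzer that detects the language by filename filter, uses the language's own parser (Python's ast, which lexes and parses in one step), tracks tainted data flow from a source to a sink, matches sinks through a regex-based per-language plug-in, discards sanitized or constant arguments as false positives, and reports the survivors. The sample program, the filter set, the source/sink/sanitizer lists and the finding format are all constructed for this example.

```python
import ast
import re

# Constructed sample file: one real flaw, one sanitized use, one constant call.
SAMPLE = '''
import os, shlex
name = input("host: ")
os.system("ping " + name)      # tainted data reaches a sink: real finding
safe = shlex.quote(name)
os.system("ping " + safe)      # sanitized: discarded as false positive
os.system("uptime")            # constant argument: no finding
'''

# Stage 1: language detection by filename pattern (hypothetical filter set).
LANG_FILTERS = {"python": re.compile(r"\.py$"), "php": re.compile(r"\.php$")}
# Stage 6: signature plug-in, one regex per language over call-target names.
PLUGINS = {"python": [("command injection",
                       re.compile(r"^(os\.system|subprocess\.(call|run|Popen))$"))]}
SOURCES = {"input"}                  # where attacker-controlled data enters
SANITIZERS = {"shlex.quote", "int"}  # calls that neutralize tainted data

def detect_language(filename):
    return next((l for l, rx in LANG_FILTERS.items() if rx.search(filename)), None)

def dotted(node):
    """Render a call target such as os.system as dotted text."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return dotted(node.value) + "." + node.attr
    return ""

def is_tainted(node, tainted):
    """Stages 5 and 7: follow data flow; a sanitizer call breaks the taint."""
    if isinstance(node, ast.Call) and dotted(node.func) in SANITIZERS:
        return False
    if isinstance(node, ast.Call) and dotted(node.func) in SOURCES:
        return True
    if isinstance(node, ast.Name):
        return node.id in tainted
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(node))

def audit(filename, source):
    lang = detect_language(filename)                       # stage 1
    if lang not in PLUGINS:
        return []
    tree = ast.parse(source)                               # stages 2-4: lex, parse, model
    tainted, findings = set(), []
    for stmt in tree.body:                                 # statements in source order
        if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted):
            tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
        for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
            for kind, rx in PLUGINS[lang]:                  # stage 6: pattern match
                if rx.match(dotted(call.func)) and any(is_tainted(a, tainted) for a in call.args):
                    findings.append({"line": call.lineno, "sink": dotted(call.func), "type": kind})
    return findings                                        # stage 8: report
```

Running audit("app.py", SAMPLE) reports only the line 4 call; the sanitized and constant calls on lines 6 and 7 are discarded.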
24. The environment - Modular, extensible and scalable
1. Framework. User interface to access up to 6 modules
2. Core. Source code analyzer
3. BackEnd. Secure storage of codes, reports, and Vulnerability Databases and solutions
25. BackEnd (1 of 4)
3. BackEnd
• bugScout BackEnd stores in the Cloud the data the tool works with. Our BackEnd model incorporates the latest technologies, which allow maximum efficiency and compatibility of the stored data in a secure environment, the essential feature of a maximum security environment
• Advantages:
Improved development time
Improved effectiveness
Scalability
Flexibility
Availability
Management
Security
26. BackEnd (2 of 4)
[Diagram: data flow and control flow between the Controller Unit, the Connector, the Data layer, databases (BBDD) 1…N and the BBDD Controller]
27. BackEnd (3 of 4)
3. BackEnd
• The bugScout BackEnd architecture provides a flexible and conceptually simple design, which allows a fast and flexible environment to be developed
• Integration of Cloud Storage technology gives our systems and networks the capacity to grow and scale, with a minimum of manual handling
• Security is an integral part of cloud computing. The architectural design of a group of systems that work directly on highly sensitive information must protect that information accordingly. bugScout BackEnd goes a step further by integrating Cloud Storage with three key additional services:
Resizing
Disaster Recovery
Data security and communications
28. BackEnd (4 of 4)
3. BackEnd
• bugScout BackEnd presents a secure, flexible and scalable management system:
FileNetSystem, a paradigm under which each of the Cloud Storage Systems can be managed independently from a single console
Management System enabling self-configuration of expansion modules. The driver modules themselves are capable of detecting new infrastructure and adapting the present configuration, giving the administrator the available options and facilitating system scaling
• bugScout BackEnd provides the following benefits:
Compliance with laws and regulations
Hardware failover
Long-term viability of IT resources
Secured assets in physical environments
Data isolation
29. Why is it the best solution?
• bugScout has been designed by one of the best and most qualified teams, with projects worldwide
• It does not require extensive knowledge of security
• bugScout achieves the best detection and false positive rates on the market
• This is the first tool that handles each language natively, rejecting conversion to pseudo-code. This extends the detection rate, making it possible to locate errors and deprecated library functions, vulnerabilities, sensitive information in comments, etc.
• bugScout automatically corrects the vulnerable parts of the code, proposing effective solutions to build secure applications
• It lets you easily manage vulnerabilities, reporting, storing documentation, statistics, historical control…
30. www.buguroo.com
For further information please contact:
sales@buguroo.com
Tel.: (34) 917 816 160
Plaza Marqués de Salamanca, 3-4, 28006 Madrid