Eoin Keary, profile picture
Uploaded byEoin Keary
PPTX, PDF365 views

Security by the numbers

The document discusses Edgescan, a cloud-based vulnerability assessment tool that provides a full-stack view of security, emphasizing the prevalence of vulnerabilities in web applications over network layers. Key issues include the importance of proper patching, automation, and the challenges of testing dynamic elements in modern applications. The report suggests leveraging multiple tools for comprehensive security coverage and addresses common pitfalls in vulnerability scanning.

Embed presentation

Download to read offline
“Security by the numbers“ セキュリティ 統計 OWASP Sendai
Hello! こんにちは Eoin Keary edgescan CEO & Founder OWASP Global Board Member 2009-2015 Developer Breaker / Hacker @eoinkeary @edgescan ここにグレート (Koko ni gurēto)
Contents • Fullstack Security • Vulnerability Statistics • Conclusions
Introducing edgescan™ • edgescan™ is a sophisticated, enterprise-grade vulnerability assessment and management solution that gives you the tools you need to control and manage IT security risk • edgescan™ helps from small & medium-sized to large enterprises identify and remediate known vulnerabilities in any platform or web application • edgescan™ is a cloud based SaaS which provides a unique combination of technology and human expertise to assist you with maintaining a strong security posture 4
How we get the Statistical model • 1000’s of vulnerability assessments globally. • #Fullstack view of security • False positive free (99%)  • Industries: Media, Energy, Government, Pharma, Finance, Software etc….
Fullstack
Agile Risk Model Fail Early – Fail Often “Push Left” Spread-Risk
Risk Dispersion 73% of all vulnerabilities are not in the application layer . Which has more risk/weakness? Network or Web Application?
What does this mean? • We are finding more vulnerabilities in the non Web layer but here’s where it gets interesting…
Web Application Layer (Layer 7) Lots of high or critical risk issues!! Easily exploitable Very Damaging Very Bad
Infrastructure Layer (Non Web app) Lots of vulnerabilities!! Not many high or Critical Risk. More problems but less vulnerable
What does this mean? • Even though we are finding MORE issues in the NETWORK layer, MOST serious / high risk issues are in the web application layer. • The web application layer has a higher “Risk Density”
More Detail SSL is Dead. June 30th 2018 SSL and TLS 1.0 need to be killed off. – Payment Card Industry (PCI) Patching is still a big issue. Some CVE’s are common and easily exploitable.
More Detail System configuration and secure deployment is a big issue. Client-Side security: XSS, HTML Injection, Browser based issues are still very common. Insecure JavaScript Libraries are common. Version control of software components is required.
Known Vulnerabilities - age Patching and version maintenance is still a key part of maintaining a secure posture.
Known Vulnerabilities (CVE) Vulnerabilities: Still finding issues from 1999 The most common issue found in 2017 is from 2004 34% of all systems had two (or more) CVE’s
How do we improve? • Automation? • Visibility?
Coverage is King! • Automation is very useful. • It works with DevSecOps. • Helps us scale and “move quickly”. • It has many challenges and can result in poor assessment coverage and poor security!
Pitfall Explanation Solution CSRF Tokens Preventing Crawling Cross-Site-Request Forgery tokens need to be resent with every request. If the token is not valid the application may invalidate the session. Tokens can be embedded in the HTML and not automatically used by the scanner. This results in the scanner not crawling or testing the site adequately. Using tools which can be configured to “replay” the appropriate token with the request. Not all tools are capable of this. In some cases multiple tools require to be “chained” in order to satisfy this restriction. Macros need to be written. Tools running a virtual browser. DOM Security Vulnerabilities Client-Side security issues which do not generate HTTP requests may go undiscovered due to tools only testing the application via sending and receiving HTTP requests. DOM (Document Object Model) vulnerabilities may go undiscovered as the tool does not process client side scripts. Using tools which can provide virtual browser capability solves this issue as dynamic scripts in the browser are processed and tested by the security tool. This is also important in relation to systems built using client-side frameworks (Angular, Node.js etc) and detects issues such as DOM XSS. Taint analysis of JavaScript code is also important to help discover client-side security issues.
Pitfall Explanation Solution Dynamically Generated Requests Contemporary applications may dynamically generate HTTP requests via JavaScript functions and tools which crawl applications to establish site maps may not detect such dynamic links and requests. Using tools which leverage virtual browsers solve this problem as the JavaScript is executed as per a regular users usage of the application. This results in adequate coverage and detection of dynamic page elements. Recursive Links - Limiting Repetitive Functionality Applications with recursive links may result in 1000’s of unnecessary requests. An example of this could be a calendar control or search result function. This may result in 1000’s of extra requests being sent to the application with little value to be yielded. Example: /Item/5/view /Item/6/view Some tools have the ability to limit recursiveness and depth of requests such that if the tool starts to crawl a link with 1000’s of permutations of the same page it will stop the unnecessary resource and time spent for both the assessment and the hosting environment to service the assessment. SSL/TLS Vulnerabilities Many tools which are designed to detect cryptographic issues simply do it incorrectly. We have worked with some major tool vendors to assist them with bug fixes in this area. Using multiple tools to detect the same issue results in clarity if the issues is present or it’s a false positive. Non Standard Protocols Some protocoals simply are not handled by certain tools. If protocols wuch as Websockets, CORS, AMT, GWTK are not supported they will not get adequately tested Using multiple tools in this case helps with coverage. The tools chosen to deliver the assessment are based on initial manual enumeration of the target system. Insufficient Testing vectors used All tools test for defined vulnerabilities using a defined set of vectors. Other tools also include tests for “known” vulnerabilities. Using one scanning engine may result in not testing for security vulnerabilitys adequately due to a restricted list of testing vectors used. Leveraging multiple tools to test for particular vulnerabilities results in more test cases and a larger set of vectors being sued to test to the vulnerability.
Pitfall Explanation Solution Non Standard 404 Some sites will use the standard 404 handler, but many have started to customize them to offer a better user experience. Custom 404 that response as a 200. This is the simple one, but many scanners will get caught by this Using tools which can be configured to recognise custom errors is important in order to avoid false positives. Session Management It is a challenge for any tools stay logged into an application. The scanner must avoid logout functions, must properly pass along session tokens wherever they happen to be at the moment (sometimes cookies, sometimes on the URL, sometimes in hidden form field) and adjust to multiple possibilities taking place on a single app. The scanner must also properly identify when it has lost its session, and then be able to re-login (requires automated login process mentioned above) to continue its scan. Using multiple tools assists with this as not all tools can be configured reliable to maintain session state. Not having a reliable session state or locking out accounts results in poor coverage and disruption to the engagement. Ability to Test Web 2.0 (AJAX), Web Services and Mobile Related to a number of pitfalls above; application with dynamic API calls via JavaScript, Restful requests etc can go undiscovered and not get invoked at all. Using multiple tools avoids configured with REST-awareness can avoid missing area of the application leaving it untested or requiring that entire section to tested by hand.
Automation • So Automation is not always easy and has challenges…
Conclusion
THANKS! edgescan™ 2018 Vulnerability Stats Report: Available now on: edgescan.com eoin@edgescan.com @eoinkeary NO ANNOYING REGISTRATION NECESSARY!

More Related Content

PPTX
Keeping the wolf from 1000 doors.
byEoin Keary
 
PPT
Get Ready for Web Application Security Testing
byAlan Kan
 
PDF
The Complete Web Application Security Testing Checklist
byCigital
 
PPTX
Evaluation of Web Application Vulnerability Scanners
byyuliana_mar
 
PDF
Testing Web Application Security
byTed Husted
 
PDF
The International Journal of Engineering and Science (The IJES)
bytheijes
 
PPT
Owasp Top 10
byShivam Porwal
 
PDF
Owasp top 10
byYasserElsnbary
 
Keeping the wolf from 1000 doors.
byEoin Keary
 
Get Ready for Web Application Security Testing
byAlan Kan
 
The Complete Web Application Security Testing Checklist
byCigital
 
Evaluation of Web Application Vulnerability Scanners
byyuliana_mar
 
Testing Web Application Security
byTed Husted
 
The International Journal of Engineering and Science (The IJES)
bytheijes
 
Owasp Top 10
byShivam Porwal
 
Owasp top 10
byYasserElsnbary
 

What's hot

PDF
Acunetix Training and ScanAssist
byBryan Ferrario
 
PDF
React security vulnerabilities
byAngelinaJasper
 
PDF
Unisys_AppDefender_Symantec_CFD_0_1_final
byKoko Fontana
 
PPT
Step by step guide for web application security testing
byAvyaan, Web Security Company in India
 
PDF
Web Application Security 101
byCybersecurity Education and Research Centre
 
PDF
Security-testing presentation
byEzhilan Elangovan (Eril)
 
PDF
Prevention of SQL Injection Attacks having XML Database
byIOSR Journals
 
PPTX
Security For Application Development
by6502programmer
 
PDF
Oh, WASP! Security Essentials for Web Apps
byTechWell
 
PPTX
From the Frontline of RASP Adoption
byGoran Begic
 
PPTX
The bare minimum that you should know about web application security testing ...
byKen DeSouza
 
PPT
Web Application Security
byAbdul Wahid
 
PDF
OWASP TOP 10 & .NET
byDaniel Krasnokucki
 
PPT
Web Application Security
byColin English
 
PPTX
Parameter tampering
byDilan Warnakulasooriya
 
PDF
Application Security Workshop
byPriyanka Aash
 
PDF
Owasp Top 10
byShivam Porwal
 
PPT
Application Security
byReggie Niccolo Santos
 
PPTX
Web Application Penetration Testing Introduction
bygbud7
 
PPT
Mobile application security Guidelines
byEntersoft Security
 
Acunetix Training and ScanAssist
byBryan Ferrario
 
React security vulnerabilities
byAngelinaJasper
 
Unisys_AppDefender_Symantec_CFD_0_1_final
byKoko Fontana
 
Step by step guide for web application security testing
byAvyaan, Web Security Company in India
 
Web Application Security 101
byCybersecurity Education and Research Centre
 
Security-testing presentation
byEzhilan Elangovan (Eril)
 
Prevention of SQL Injection Attacks having XML Database
byIOSR Journals
 
Security For Application Development
by6502programmer
 
Oh, WASP! Security Essentials for Web Apps
byTechWell
 
From the Frontline of RASP Adoption
byGoran Begic
 
The bare minimum that you should know about web application security testing ...
byKen DeSouza
 
Web Application Security
byAbdul Wahid
 
OWASP TOP 10 & .NET
byDaniel Krasnokucki
 
Web Application Security
byColin English
 
Parameter tampering
byDilan Warnakulasooriya
 
Application Security Workshop
byPriyanka Aash
 
Owasp Top 10
byShivam Porwal
 
Application Security
byReggie Niccolo Santos
 
Web Application Penetration Testing Introduction
bygbud7
 
Mobile application security Guidelines
byEntersoft Security
 

Similar to Security by the numbers

PPTX
Hide and seek - Attack Surface Management and continuous assessment.
byEoin Keary
 
PDF
edgescan vulnerability stats report (2018)
byEoin Keary
 
PPTX
Full stack vulnerability management at scale
byEoin Keary
 
PPTX
Skillful scalefull fullstack security in a state of constant flux
byEoin Keary
 
PDF
edgescan vulnerability stats report (2019)
byEoin Keary
 
PDF
Scaling security in a cloud environment v0.5 (Sep 2017)
byDinis Cruz
 
ODP
Effective DevSecOps
byPawel Krawczyk
 
PDF
ProActive Security
byIbnisina Sina
 
PDF
ProActive Security
byIbnisina Sina
 
PDF
Tech w23
bySelectedPresentations
 
PPTX
How to Get the Most Out of Security Tools
bySecurity Innovation
 
PPTX
Allianz Global CISO october-2015-draft
byEoin Keary
 
PPTX
Application security testing in the age of Agile development - by Julio Cesar...
byBlaze Information Security
 
PPTX
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
byEoin Keary
 
KEY
How to break web applications
byDinis Cruz
 
PPTX
CISSP - Security Assessment
byKarthikeyan Dhayalan
 
PPTX
Web security – everything we know is wrong cloud version
byEoin Keary
 
PDF
Zen and the art of Security Testing
byTEST Huddle
 
PDF
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
byRich Mills
 
PDF
Strategies for Web Application Security
byOpSource
 
Hide and seek - Attack Surface Management and continuous assessment.
byEoin Keary
 
edgescan vulnerability stats report (2018)
byEoin Keary
 
Full stack vulnerability management at scale
byEoin Keary
 
Skillful scalefull fullstack security in a state of constant flux
byEoin Keary
 
edgescan vulnerability stats report (2019)
byEoin Keary
 
Scaling security in a cloud environment v0.5 (Sep 2017)
byDinis Cruz
 
Effective DevSecOps
byPawel Krawczyk
 
ProActive Security
byIbnisina Sina
 
ProActive Security
byIbnisina Sina
 
Tech w23
bySelectedPresentations
 
How to Get the Most Out of Security Tools
bySecurity Innovation
 
Allianz Global CISO october-2015-draft
byEoin Keary
 
Application security testing in the age of Agile development - by Julio Cesar...
byBlaze Information Security
 
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
byEoin Keary
 
How to break web applications
byDinis Cruz
 
CISSP - Security Assessment
byKarthikeyan Dhayalan
 
Web security – everything we know is wrong cloud version
byEoin Keary
 
Zen and the art of Security Testing
byTEST Huddle
 
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
byRich Mills
 
Strategies for Web Application Security
byOpSource
 

More from Eoin Keary

PPTX
IISF-March2023.pptx
byEoin Keary
 
PDF
Validation of vulnerabilities.pdf
byEoin Keary
 
PDF
Does a Hybrid model for vulnerability Management Make Sense.pdf
byEoin Keary
 
PDF
Edgescan 2022 Vulnerability Statistics Report
byEoin Keary
 
PPTX
Edgescan 2021 Vulnerability Stats Report
byEoin Keary
 
PPTX
One login enemy at the gates
byEoin Keary
 
PDF
Edgescan vulnerability stats report 2020
byEoin Keary
 
PPTX
Vulnerability Intelligence - Standing Still in a world full of change
byEoin Keary
 
PPTX
Online Gaming Cyber security and Threat Model
byEoin Keary
 
PPTX
Cybersecurity by the numbers
byEoin Keary
 
PPTX
Ebu class edgescan-2017
byEoin Keary
 
PPTX
Vulnerability management and threat detection by the numbers
byEoin Keary
 
PPTX
14. html 5 security considerations
byEoin Keary
 
PPTX
04. xss and encoding
byEoin Keary
 
PPTX
03. sql and other injection module v17
byEoin Keary
 
PPTX
02. input validation module v5
byEoin Keary
 
PPTX
01. http basics v27
byEoin Keary
 
PPTX
00. introduction to app sec v3
byEoin Keary
 
PPTX
Media-web_application_security_and_vulnerabilities
byEoin Keary
 
PPTX
Web security – application security roads to software security nirvana iisf...
byEoin Keary
 
IISF-March2023.pptx
byEoin Keary
 
Validation of vulnerabilities.pdf
byEoin Keary
 
Does a Hybrid model for vulnerability Management Make Sense.pdf
byEoin Keary
 
Edgescan 2022 Vulnerability Statistics Report
byEoin Keary
 
Edgescan 2021 Vulnerability Stats Report
byEoin Keary
 
One login enemy at the gates
byEoin Keary
 
Edgescan vulnerability stats report 2020
byEoin Keary
 
Vulnerability Intelligence - Standing Still in a world full of change
byEoin Keary
 
Online Gaming Cyber security and Threat Model
byEoin Keary
 
Cybersecurity by the numbers
byEoin Keary
 
Ebu class edgescan-2017
byEoin Keary
 
Vulnerability management and threat detection by the numbers
byEoin Keary
 
14. html 5 security considerations
byEoin Keary
 
04. xss and encoding
byEoin Keary
 
03. sql and other injection module v17
byEoin Keary
 
02. input validation module v5
byEoin Keary
 
01. http basics v27
byEoin Keary
 
00. introduction to app sec v3
byEoin Keary
 
Media-web_application_security_and_vulnerabilities
byEoin Keary
 
Web security – application security roads to software security nirvana iisf...
byEoin Keary
 

Recently uploaded

PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PDF
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
PDF
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PPTX
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 

Security by the numbers

  • 1.
    “Security by thenumbers“ セキュリティ 統計 OWASP Sendai
  • 2.
    Hello! こんにちは Eoin Keary edgescanCEO & Founder OWASP Global Board Member 2009-2015 Developer Breaker / Hacker @eoinkeary @edgescan ここにグレート (Koko ni gurēto)
  • 3.
    Contents • Fullstack Security •Vulnerability Statistics • Conclusions
  • 4.
    Introducing edgescan™ • edgescan™is a sophisticated, enterprise-grade vulnerability assessment and management solution that gives you the tools you need to control and manage IT security risk • edgescan™ helps from small & medium-sized to large enterprises identify and remediate known vulnerabilities in any platform or web application • edgescan™ is a cloud based SaaS which provides a unique combination of technology and human expertise to assist you with maintaining a strong security posture 4
  • 5.
    How we getthe Statistical model • 1000’s of vulnerability assessments globally. • #Fullstack view of security • False positive free (99%)  • Industries: Media, Energy, Government, Pharma, Finance, Software etc….
  • 6.
  • 7.
    Agile Risk Model FailEarly – Fail Often “Push Left” Spread-Risk
  • 8.
    Risk Dispersion 73% ofall vulnerabilities are not in the application layer . Which has more risk/weakness? Network or Web Application?
  • 9.
    What does thismean? • We are finding more vulnerabilities in the non Web layer but here’s where it gets interesting…
  • 10.
    Web Application Layer(Layer 7) Lots of high or critical risk issues!! Easily exploitable Very Damaging Very Bad
  • 11.
    Infrastructure Layer (NonWeb app) Lots of vulnerabilities!! Not many high or Critical Risk. More problems but less vulnerable
  • 12.
    What does thismean? • Even though we are finding MORE issues in the NETWORK layer, MOST serious / high risk issues are in the web application layer. • The web application layer has a higher “Risk Density”
  • 13.
    More Detail SSL isDead. June 30th 2018 SSL and TLS 1.0 need to be killed off. – Payment Card Industry (PCI) Patching is still a big issue. Some CVE’s are common and easily exploitable.
  • 14.
    More Detail System configurationand secure deployment is a big issue. Client-Side security: XSS, HTML Injection, Browser based issues are still very common. Insecure JavaScript Libraries are common. Version control of software components is required.
  • 15.
    Known Vulnerabilities -age Patching and version maintenance is still a key part of maintaining a secure posture.
  • 16.
    Known Vulnerabilities (CVE) Vulnerabilities:Still finding issues from 1999 The most common issue found in 2017 is from 2004 34% of all systems had two (or more) CVE’s
  • 17.
    How do weimprove? • Automation? • Visibility?
  • 19.
    Coverage is King! •Automation is very useful. • It works with DevSecOps. • Helps us scale and “move quickly”. • It has many challenges and can result in poor assessment coverage and poor security!
  • 20.
    Pitfall Explanation Solution CSRFTokens Preventing Crawling Cross-Site-Request Forgery tokens need to be resent with every request. If the token is not valid the application may invalidate the session. Tokens can be embedded in the HTML and not automatically used by the scanner. This results in the scanner not crawling or testing the site adequately. Using tools which can be configured to “replay” the appropriate token with the request. Not all tools are capable of this. In some cases multiple tools require to be “chained” in order to satisfy this restriction. Macros need to be written. Tools running a virtual browser. DOM Security Vulnerabilities Client-Side security issues which do not generate HTTP requests may go undiscovered due to tools only testing the application via sending and receiving HTTP requests. DOM (Document Object Model) vulnerabilities may go undiscovered as the tool does not process client side scripts. Using tools which can provide virtual browser capability solves this issue as dynamic scripts in the browser are processed and tested by the security tool. This is also important in relation to systems built using client-side frameworks (Angular, Node.js etc) and detects issues such as DOM XSS. Taint analysis of JavaScript code is also important to help discover client-side security issues.
  • 21.
    Pitfall Explanation Solution DynamicallyGenerated Requests Contemporary applications may dynamically generate HTTP requests via JavaScript functions and tools which crawl applications to establish site maps may not detect such dynamic links and requests. Using tools which leverage virtual browsers solve this problem as the JavaScript is executed as per a regular users usage of the application. This results in adequate coverage and detection of dynamic page elements. Recursive Links - Limiting Repetitive Functionality Applications with recursive links may result in 1000’s of unnecessary requests. An example of this could be a calendar control or search result function. This may result in 1000’s of extra requests being sent to the application with little value to be yielded. Example: /Item/5/view /Item/6/view Some tools have the ability to limit recursiveness and depth of requests such that if the tool starts to crawl a link with 1000’s of permutations of the same page it will stop the unnecessary resource and time spent for both the assessment and the hosting environment to service the assessment. SSL/TLS Vulnerabilities Many tools which are designed to detect cryptographic issues simply do it incorrectly. We have worked with some major tool vendors to assist them with bug fixes in this area. Using multiple tools to detect the same issue results in clarity if the issues is present or it’s a false positive. Non Standard Protocols Some protocoals simply are not handled by certain tools. If protocols wuch as Websockets, CORS, AMT, GWTK are not supported they will not get adequately tested Using multiple tools in this case helps with coverage. The tools chosen to deliver the assessment are based on initial manual enumeration of the target system. Insufficient Testing vectors used All tools test for defined vulnerabilities using a defined set of vectors. Other tools also include tests for “known” vulnerabilities. Using one scanning engine may result in not testing for security vulnerabilitys adequately due to a restricted list of testing vectors used. Leveraging multiple tools to test for particular vulnerabilities results in more test cases and a larger set of vectors being sued to test to the vulnerability.
  • 22.
    Pitfall Explanation Solution NonStandard 404 Some sites will use the standard 404 handler, but many have started to customize them to offer a better user experience. Custom 404 that response as a 200. This is the simple one, but many scanners will get caught by this Using tools which can be configured to recognise custom errors is important in order to avoid false positives. Session Management It is a challenge for any tools stay logged into an application. The scanner must avoid logout functions, must properly pass along session tokens wherever they happen to be at the moment (sometimes cookies, sometimes on the URL, sometimes in hidden form field) and adjust to multiple possibilities taking place on a single app. The scanner must also properly identify when it has lost its session, and then be able to re-login (requires automated login process mentioned above) to continue its scan. Using multiple tools assists with this as not all tools can be configured reliable to maintain session state. Not having a reliable session state or locking out accounts results in poor coverage and disruption to the engagement. Ability to Test Web 2.0 (AJAX), Web Services and Mobile Related to a number of pitfalls above; application with dynamic API calls via JavaScript, Restful requests etc can go undiscovered and not get invoked at all. Using multiple tools avoids configured with REST-awareness can avoid missing area of the application leaving it untested or requiring that entire section to tested by hand.
  • 23.
    Automation • So Automationis not always easy and has challenges…
  • 24.
  • 25.
    THANKS! edgescan™ 2018 VulnerabilityStats Report: Available now on: edgescan.com eoin@edgescan.com @eoinkeary NO ANNOYING REGISTRATION NECESSARY!

Editor's Notes

  • #3 Put in guide pics
  • #6 Ek – client side security. Threats and risks
  • #11 Threats and risks