Secure Application Development / Static Application Security Testing (SAST)

Alwan, Alaa

January 2022

Security testing is a widely applied measure to evaluate and improve software security by identifying vulnerabilities and ensuring security requirements related to properties like confidentiality, integrity, and availability. A confidentiality policy guarantees that attackers will not be able to expose secret information. In the context of software programs, the output that attackers observe will not carry any information about the confidential input information. Integrity is the dual of confidentiality, i.e., unauthorized and untrusted data provided to the system will not affect or modify the system’s data. Availability means that systems must be available at a reasonable time. Information flow control is a mechanism to enforce confidentiality and integrity. An accurate security assessment is critical in an age when the open nature of modern software-based systems makes them vulnerable to exploitation. Security testing that verifies and validates software systems is prone to false positives, false negatives, and other such errors, requiring more resilient tools to provide an efficient way to evaluate the threats and vulnerabilities of a given system. Therefore, the newly developed tool Reax controls information flow in Java programs by synthesizing conditions under which a method or an application is secure. Reax is a command-line application, and it is hard to be used by developers. This project has its primary goal to integrate Reax by introducing a plugin for Java IDEs to perform an advanced analysis of security flaws. Specifically, by design, a graphical plugin performs advanced security analysis that detects and reacts directly to security flaws within the graphical widget toolkit environment (SWT). The project proposed a new algorithm to find the root cause of security violations through a graphical interface as a second important goal. As a result, developers will be able to detect security violations and fix their code during the implementation phase, reducing costs.

secure development

application security

static application security testing

SAST

Computer Systems

Datorsystem

A Comparative Analysis of Open Source Dynamic Application Security Testing Tools / En jämförelseanalys av dynamiska testverktyg för applikationssäkerhet med öppen källkod

Chorell, Isak, Ekberg, Christoffer

January 2024

In today’s digital era, the increase of internet usage presents a growing challenge in cyber security. An increase in cyber attacks underscore the need for robust software systems to protect them. One way of detecting vulnerabilities is by using Dynamic Application Security Testing (DAST) tools, which simulate cyber attacks without knowledge of the internal structure of its target. This thesis investigates the four open source DAST tools Black Widow, Nuclei, Wapiti and ZAP in their ability to identify security vulnerabilities in web applications. A comparative analysis was performed, focusing on the tools vulnerability detection capabilities, how different web applications affect their results as well as their practical applicability. Each DAST tool was run against web applications, both with and without intentional vulnerabilities, where measures such as scan time and reported vulnerabilities were collected. The tools were also run against a benchmark to be able to calculate the metrics accuracy, precision, recall and F-measure. The results show that ZAP reported the most vulnerabilities, where Cross Site Scripting and SQL injection are the most common types, but also had the largest number of false positives. However, on the benchmark, none of the DAST tools had any false positives. It was also found that the architecture of the web application highly influenced the tools' attack capabilities. Conclusively, DAST tools can help to improve the security of web applications but come with some drawbacks and limitations. To achieve a more comprehensive scan, one can use more than one DAST tool, but it comes with a cost of longer scan times and an increase in manual effort to review the reported vulnerabilities.

Web security

DAST

Dynamic Application Security Testing

Black Widow

Nuclei

Wapiti

ZAP

Computer Sciences

Datavetenskap (datalogi)

A framework to unify application security testing in DevOps environment / Ett ramverk för enhetlig testning av applikationssäkerhet i DevOps-miljöer

Le, Duc Quang

January 2021

In recent years, companies and organizations have increasingly integrated software security testing into the software development life cycle using DevOps practices. The current integration approach introduces multiple challenges in an information technology environment that consists of a large number of software development projects and multiple software security testing tools. This thesis aims to address these challenges by proposing a microservice-based framework to unify application security testing. The thesis first identifies the challenges, then proposes a design for a framework based on relevant literature and common characteristics of application security testing tools. The main components of the proposed framework are implemented and evaluated. The evaluation result shows that the framework offers many benefits: more secure credential management process, reduced execution time for Continuous Integration (CI) pipelines, and more efficient project onboarding and management. Furthermore, the integration of the proposed framework does not introduce major security threats to the current environment. / Under de senaste åren har företag och organisationer i allt högre grad integrerat testning av programvarusäkerhet i livscykeln för programvaruutveckling med hjälp av DevOps-metoder. Den nuvarande integrationsmetoden medför flera utmaningar i en informationsteknisk miljö som består av ett stort antal programvaruutvecklingsprojekt och flera verktyg för testning av programvarusäkerhet. Detta examensarbete syftar till att ta itu med dessa utmaningar genom att föreslå en mikrotjänstbaserat ramverk för enhetlig testning av programsäkerhet. I arbetet identifieras först utmaningarna och därefter föreslås en konstruktion baserad på relevant litteratur och gemensamma egenskaper hos verktyg för testning av applikationssäkerhet. De viktigaste komponenterna i det föreslagna ramverket implementeras och utvärderas. Utvärderingsresultatet visar att ramverket erbjuder många fördelar: säkrare process för hantering av autentiseringsuppgifter, kortare genomförandetid för Continuous Integration (CI)-pipelines och effektivare projektstart och -hantering. Dessutom medför integrationen av det föreslagna ramverket inga större säkerhetshot i den nuvarande miljön.

Application security testing

software security

security in DevOps (DevSec- Ops)

microservice framework

Testning

applikationssäkerhet

programvarusäkerhet

DevOps

mikrotjänst -arkitektur

Computer and Information Sciences

Data- och informationsvetenskap

Detection of Vulnerability Scanning Attacks using Machine Learning : Application Layer Intrusion Detection and Prevention by Combining Machine Learning and AppSensor Concepts / Detektering av sårbarhetsscanning med maskininlärning : Detektering och förhindrande av attacker i applikationslagret genom kombinationen av maskininlärning och AppSensor koncept

Shahrivar, Pojan

January 2022

It is well-established that machine learning techniques have been used with great success in other domains and has been leveraged to deal with sources of evolving abuse, such as spam. This study aims to determine whether machine learning techniques can be used to create a model that detects vulnerability scanning attacks using proprietary real-world data collected from tCell, a web application firewall. In this context, a vulnerability scanning attack is defined as an automated process that detects and classifies security weaknesses and flaws in the web application. To test the hypothesis that machine learning techniques can be used to create a detection model, twenty four models were trained. The models showed a high level of precision and recall, ranging from 91% to 0.96% and 85% to 0.93%, respectively. Although the classification performance was strong, the models were not calibrated sufficiently which resulted in an underconfidence in the predictions. The results can therefore been viewed as a performance baseline. Nevertheless, the results demonstrate an advancement over the simplistic threshold-based techniques developed in the early days of the internet, but require further research and development to tune and calibrate the models. / Det är väletablerat att tekniker för maskininlärning har använts med stor framgång inom andra domäner och har utnyttjats för att hantera källor till växande missbruk, såsom spam. Denna studie syftar till att avgöra om maskininlärningstekniker kan tillämpas för att skapa en modell som upptäcker sårbarhets-skanningsattacker med hjälp av proprietär data som samlats in från tCell, en webbapplikationsbrandvägg. I detta sammanhang definieras en sårbarhetsskanningsattack som en automatiserad process som upptäcker och klassificerar säkerhetsbrister och brister i webb-applikationen. För att testa hypotesen att maskininlärningstekniker kan användas för att skapa en detektionsmodell, tränades tjugofyra modeller. Modellerna visade en hög nivå av precision och sensitivitet, från 91% till 0,96% och 85% till 0,93%, respektive. Även om klassificeringsprestandan var god, var modellerna inte tillräckligt kalibrerade, vilket resulterade i ett svagt förtoende för förutsägelserna. De presenterade resultaten kan därför ses som en prestationsbaslinje. Resultaten visar ett framsteg över de förenklade tröskelbaserade teknikerna som utvecklades i begynnelsen av internet, men kräver ytterligare forskning och utveckling för att kalibrera modellerna.

Vulnerability Scanning

Random Forest

Web application security

Next-Gen Web application Firewall

Machine learning

Dynamic application security testing

Intrusion detection & prevention

Computer and Information Sciences

Data- och informationsvetenskap