1

Aplikace na podporu testování bezpečnosti webových aplikací / Application that supports penetration tests of web applications

Holovová, Simona January 2020 (has links)
This master's thesis is about the security of web applications and penetration testing. The main goal is to gain knowledge about the testing methodologies OWASP Testing Guide and ASVS and to implement this knowledge in a web application that assists during manual penetration testing. The theoretical part of the thesis describes both methodologies and the web technologies used during the development of the application. The practical part of the thesis covers the design of the application based on the specification, its implementation, and its security hardening.
2

Verktyg för säker kodning : En jämförande studie / Tools for secure coding : A comparative study

Fransson, Robin, Hiltunen, Tommi January 2023 (has links)
Background: In today's software, there are issues that degrade system quality and increase costs. It is important to consider security already during the programming phase to facilitate maintenance. The Open Web Application Security Project (OWASP) provides documentation, tools, and projects to create and maintain products in a more secure manner. To detect security issues in the code, tools for Static Application Security Testing (SAST) can be used. SAST tools can report both false negatives and false positives, so it is important to investigate the accuracy of the tools in their reporting. Aim: The study aims to map which SAST tools developers can utilize to write more secure code. The investigation will also compare their effectiveness in identifying vulnerabilities in code and the number of false positives they report. Method: A search was conducted to gather information on available SAST tools, and a list was compiled with requirements to perform equivalent tests. To carry out the tests, code with planted vulnerabilities was used, and the test results generated quantitative data that were entered into a table. Results: The study's results mapped twelve SAST tools. From these, HCL AppScan CodeSweep, Snyk, and SonarLint were selected for further testing. Then, the recall, precision, and false positives were calculated for the tools. Snyk achieved 71.43% for both recall and precision and had 33.33% false positives. HCL AppScan CodeSweep achieved 28.57% recall, 57.14% precision, and 25% false positives. SonarLint did not find any vulnerabilities and was therefore not analyzed. Conclusions: The study surveyed twelve different SAST tools and selected three for equivalent tests on JavaScript in Visual Studio Code. The results showed that Snyk performed the best in terms of vulnerability reporting and achieved higher precision results, while HCL AppScan CodeSweep excelled in avoiding false positives. Overall, Snyk is considered the best SAST tool in the study as it had the highest results in both recall and precision.
3

Zabezpečení webových portálů veřejné správy / Security of Web Portals in Public Administration

Rašín, Petr January 2017 (has links)
The thesis is concerned with the security of web portals operated by the public sector in the Czech Republic. The theoretical part describes the basic terms and principles of public administration with an emphasis on the computerization of public administration (so-called eGovernment). In connection with the Cyber Security Act, the standards of the information security management system ISO/IEC 27001 and ISO/IEC 27002 and the current OWASP methodology, which is focused on the area of web application security, are described. Furthermore, a specific methodology is formulated for testing the security of municipal web portals in the Czech Republic, identifying weaknesses, and interpreting the ascertained outcomes. The methodology is verified in a case study of security testing of the web portals of particular municipalities. The established outcomes are documented and evaluated, and the owners of the web portals are given recommendations to improve the security level of their applications.
4

HTML5 Web application security with OWASP / HTML5 Webbapplikation säkerhet med OWASP

Nilsson, Daniel, Åberg, Hampus January 2013 (has links)
HTML5 has gained a lot of interest from web developers over the last couple of years. HTML5 is the new upcoming standard for HTML, set to be released at the end of 2014 (W3C). In this report HTML5 is reviewed in order to determine if it has made web applications more secure. This is done with an information study and the use of experimental test cases. We use the latest OWASP Top Ten list of security risks in web applications as a benchmark. As a result we found five correlations between the OWASP Top Ten list and HTML5 functionality. The results clearly indicate that HTML5 is affecting web application security. The security risks that were successfully exploited are Cross-site scripting, Security Misconfiguration, Sensitive Data Exposure, Cross-site request forgery, and Unvalidated redirects and forwards. We suggest countermeasures for the tests performed and discuss how developers should keep security in mind when developing with HTML5.
5

Android Environment Security

Andersson, Gustaf, Andersson, Fredrik January 2012 (has links)
In modern times mobile devices are an increasing technology, and malicious users are increasing as well. A mobile device often holds valuable private information that a malicious user is interested in, and it often has weaker security features implemented compared to computers. It is therefore important to be aware of the security risks that exist when using a mobile device in order to stay protected. In this thesis, information about the security risks and attacks that can be executed against a mobile device running Android is presented. Possible attack scenarios are attacking the device itself, the communication between the device and a server, and finally the server.
6

Rules Based Analysis Engine for Application Layer IDS

Scrobonia, David 01 May 2017 (has links)
Web application attack volume, complexity, and costs have risen as people, companies, and entire industries move online. Solutions implemented to defend web applications against malicious activity have traditionally been implemented at the network or host layer. While this is helpful for detecting some attacks, it does not provide the granularity to see malicious behavior occurring at the application layer. The AppSensor project, an application level intrusion detection system (IDS), is an example of a tool that operates in this layer. AppSensor monitors users within the application by observing activity in suspicious areas not visible to traditional network layer tools. This thesis aims to improve the state of web application security by supporting the development of the AppSensor project. Specifically, this thesis contributes a rules-based analysis engine to provide a new method for determining whether suspicious activity constitutes an attack. The rules-based method aggregates information from multiple sources into a logical rule to identify malicious activity, as opposed to relying on a single source of information. The rules-based analysis engine is designed to offer more flexible configuration for administrators and more accurate results than the incumbent analysis engine. Tests indicate that the new engine should not hamper the performance of AppSensor, and use cases highlight how rules can be leveraged for more accurate results.
7

Framework pro bezpečný vývoj webových aplikací / Secure Development Framework for Web Applications

Mazura, František January 2017 (has links)
This thesis deals with the theoretical analysis of vulnerabilities in web applications; in particular, the most frequent vulnerabilities of the OWASP Top 10 are examined. These vulnerabilities are subsequently analyzed for the design of a web application development framework and practically addressed in this framework so that it prevents the vulnerabilities or, if necessary, defends itself. The main goal of the implementation is to achieve a framework in which the programmer of the resulting web application is protected to the utmost.
8

Bezpečnostní testování obfuskovaných Android aplikací / Security Testing of Obfuscated Android Applications

Michalec, Pavol January 2020 (has links)
This master's thesis is about security testing of obfuscated Android applications. The theoretical part describes the basics of obfuscation and mentions some selected obfuscators. The impact of obfuscation on penetration testing is also discussed. The thesis proposes dynamic analysis as the main tool for bypassing obfuscation. The practical part describes runtime application protections and ways to bypass these protections using dynamic analysis. The second half of the practical part is devoted to advanced obfuscation techniques and ways of bypassing them.
9

Hacka dig själv och upptäck attacker / Hack yourself and detect attacks

Fransén, Johan, Sorlija, Adnan January 2019 (has links)
This thesis is based on the idea of hacking your own system before an outside hacker does it, in order to find the system's vulnerabilities. This is done with an automated hacking tool that performs penetration tests against a developed website. The storage technology used is the event database Event Store, which stores every event that took place against the website. The purpose of Event Store in this case is to discover the different penetration tests and to store their events, and then to give the administrator indications that the website was under attack. The study is primarily aimed at finding out whether Event Store is suitable to implement together with a website that is attacked with penetration tests, and what the advantages and disadvantages of using Event Store are. The results show that Event Store can be used to identify anomalies against a website during hacking attacks. Intrusions against the website can with great probability be proven with the help of the developed system with Event Store.
10

Framework and Tools for IT Security within Logistics and Infrastructure oriented Operations : With a focus on Static Application Security Testing

Seger, Elias, Schedin, Fredrick January 2022 (has links)
Static Application Security Testing (SAST) tools are security tools that claim to help with security in an IT system. SAST tools are technical solutions that operate within the continuous integration of the system. The tool uses frameworks such as OWASP and CWE to detect common vulnerabilities in the codebase by analysing code in the build and test phase of continuous integration. The problem with SAST tools is that there are many different beliefs surrounding them. Some say they are crucial for security, while some believe they are less helpful and can even inhibit projects by introducing false positives. This thesis determines whether SAST tools are an effective solution to security problems within an IT system. The focus was on logistics- and infrastructure-oriented operations, which the partner company Triona operates within. We use a literature review to look at previously conducted similar research, combined with interviews with experienced people within the fields. This gives qualitative results that, coupled with previous research, can be generalized. The results show that SAST tools are effective if used responsibly. Both the literature and the interviews conclude that SAST tools are not enough on their own to satisfy the security requirements but must be combined with responsible use of the tools as well as code reviews and other types of testing. SAST tools are also shown to have some problems, mainly false positives and false negatives. There are also problems related to the implementation of the tools. These problems are the costs that come with implementation, as well as the time spent on it. Other problems are poor communication with developer teams, which led to developers not knowing what to do in case of errors shown by the tool. The interviews conducted indicate that SAST tools are not only tools for security but also help with the manageability of code bases.