SlideShare una empresa de Scribd logo

Owasp lapse

n|u - The Open Security Community
n|u - The Open Security Community

null Bangalore Chapter - April 2013 Meet

EducaciónTecnología
1 de 10
Descargar para leer sin conexión
A review from an end-user perspective by Praveen P
Agenda  Introduction  Demo  Loading LAPSE+ in Eclipse  LAPSE+ Eclipse Plug-in Views  Vulnerability Sources View  Vulnerability Sinks View  Provenance Tracker View  Advantages  Limitations  Conclusion
Introducing LAPSE+  An eclipse IDE plug-in for Java.  A static code analyzing software.  A security scanner for detecting vulnerabilities of un-trusted data injection in Java EE Applications.  Developed by the SUIF Compiler Group of Stanford University
LAPSE+  LAPSE+ is based on the static analysis of code to detect the source and the sink of a vulnerability.  The source of a vulnerability refers to the injection of un-trusted data in the parameters of an HTTP request, a Cookie, etc.  The sink of a vulnerability refers to the process of data modification to manipulate the behavior of the application, such as a servlet response or a HTML page.  The vulnerability sources can lead to sinks by simple assignments, method calls or parameters passing.
Demo- Loading LAPSE+ in Eclipse  D:techeclipse  LAPSE+ plugin consists of a Java JAR file called LapsePlus_2.8.X.jar.  To load the plugin we have to copy it in the plugins folder of our Eclipse Helios  Once we have copied the Java JAR file in plugins folder we can run Eclipse.  LAPSE+ is ready!
LAPSE+ Eclipse Plug-in Views LAPSE+ provides three different views for the analysis of vulnerabilities:  Vulnerability Sources View: It shows the points of code that can be source of un-trusted data injection.  Vulnerability Sinks View: It shows the points of code that can insert the un-trusted data in the application, manipulating its behavior.  Provenance Tracker View: This view traces the backward propagation tree from a vulnerability sink in order to check if it reaches a vulnerability source. If this happens we have a vulnerability in our code.
Advantages  Accurate result.  It automatically places cursor to the relevant source code.  It helps you to test your validation logic from a security perspective even without compiling your code.
Limitations  Limited to Java.  Limited to eclipse environment hence cannot be triggered during build phase.  Copy-to-clipboard functionality is not proper.  Does not analyze JSP/web pages.  Cannot identify whether a code contains any compilation errors.  Cannot block a vulnerable code from entering the code repository (subversion).
Conclusion  LAPSE+ is not a complete fool proof solution for static code analysis but it provides very accurate results.  LAPSE+ is better than YASCA and ARACHNI in terms of results and convenience.
THANK YOU

Recomendados

XPATH
XPATHXPATH
XPATHSun Technlogies
 
NDT for Boilers
NDT for BoilersNDT for Boilers
NDT for BoilersHemanth Krishnan R
 
pdfslide.net_120174253-twi-radiographic-interpretation-weld-defects-repair.pdf
pdfslide.net_120174253-twi-radiographic-interpretation-weld-defects-repair.pdfpdfslide.net_120174253-twi-radiographic-interpretation-weld-defects-repair.pdf
pdfslide.net_120174253-twi-radiographic-interpretation-weld-defects-repair.pdfThirupathiSokkar
 
Weld 1 (nx power lite) (nxpowerlite) (nxpowerlite)
Weld 1 (nx power lite) (nxpowerlite) (nxpowerlite)Weld 1 (nx power lite) (nxpowerlite) (nxpowerlite)
Weld 1 (nx power lite) (nxpowerlite) (nxpowerlite)Jitesh Gaurav
 
Presentation on non destructive testing
Presentation on non destructive testingPresentation on non destructive testing
Presentation on non destructive testingMd. Shahin Manjurul Alam
 
Eddy current testing
Eddy current testingEddy current testing
Eddy current testingDENNY OTTARACKAL
 
Agfa ndt brochure
Agfa ndt brochureAgfa ndt brochure
Agfa ndt brochureRafikThaalbi
 
College Network
College NetworkCollege Network
College NetworkPrince Kumar
 

Recomendados

XPATH
XPATHXPATH
XPATHSun Technlogies
 
NDT for Boilers
NDT for BoilersNDT for Boilers
NDT for BoilersHemanth Krishnan R
 
pdfslide.net_120174253-twi-radiographic-interpretation-weld-defects-repair.pdf
pdfslide.net_120174253-twi-radiographic-interpretation-weld-defects-repair.pdfpdfslide.net_120174253-twi-radiographic-interpretation-weld-defects-repair.pdf
pdfslide.net_120174253-twi-radiographic-interpretation-weld-defects-repair.pdfThirupathiSokkar
 
Weld 1 (nx power lite) (nxpowerlite) (nxpowerlite)
Weld 1 (nx power lite) (nxpowerlite) (nxpowerlite)Weld 1 (nx power lite) (nxpowerlite) (nxpowerlite)
Weld 1 (nx power lite) (nxpowerlite) (nxpowerlite)Jitesh Gaurav
 
Presentation on non destructive testing
Presentation on non destructive testingPresentation on non destructive testing
Presentation on non destructive testingMd. Shahin Manjurul Alam
 
Eddy current testing
Eddy current testingEddy current testing
Eddy current testingDENNY OTTARACKAL
 
Agfa ndt brochure
Agfa ndt brochureAgfa ndt brochure
Agfa ndt brochureRafikThaalbi
 
College Network
College NetworkCollege Network
College NetworkPrince Kumar
 
Selection sort
Selection sortSelection sort
Selection sortstella D
 
Internship Project Report - Vaibhav
Internship Project Report - VaibhavInternship Project Report - Vaibhav
Internship Project Report - VaibhavVaibhav Dhattarwal
 
Selection sort lab mannual
Selection sort lab mannualSelection sort lab mannual
Selection sort lab mannualmaamir farooq
 
Everything about Database JOINS and Relationships
Everything about Database JOINS and RelationshipsEverything about Database JOINS and Relationships
Everything about Database JOINS and RelationshipsAbdul Rahman Sherzad
 
ASNT Magnetic Particle Testing (MT) Notes-Dr. Samir Saad
ASNT Magnetic Particle Testing (MT) Notes-Dr. Samir Saad ASNT Magnetic Particle Testing (MT) Notes-Dr. Samir Saad
ASNT Magnetic Particle Testing (MT) Notes-Dr. Samir Saad Dr.Samir Saad
 
Tutorial - Eddy Current Testing
Tutorial - Eddy Current TestingTutorial - Eddy Current Testing
Tutorial - Eddy Current TestingEthan Gros
 
Shell sort
Shell sortShell sort
Shell sortNauman Ali
 
Introduction to Radiographic Testing
Introduction to Radiographic TestingIntroduction to Radiographic Testing
Introduction to Radiographic TestingHareesha N Gowda, Dayananda Sagar College of Engg, Bangalore
 
MULTI THREADING IN JAVA
MULTI THREADING IN JAVAMULTI THREADING IN JAVA
MULTI THREADING IN JAVAVINOTH R
 
Comprender y utilizar layouts FireMonkey
Comprender y utilizar layouts FireMonkey Comprender y utilizar layouts FireMonkey
Comprender y utilizar layouts FireMonkey Fernando Rizzato
 
What is Ethernet
What is EthernetWhat is Ethernet
What is EthernetSimplilearn
 
Covariance and contravariance. Say what?! (Agile Talks #22)
Covariance and contravariance. Say what?! (Agile Talks #22)Covariance and contravariance. Say what?! (Agile Talks #22)
Covariance and contravariance. Say what?! (Agile Talks #22)Alin Pandichi
 
Interview questions reference liaison academic
Interview questions reference liaison academicInterview questions reference liaison academic
Interview questions reference liaison academicJulie Anne Kent
 
18CSL58 DBMS LAB Manual.pdf
18CSL58 DBMS LAB Manual.pdf18CSL58 DBMS LAB Manual.pdf
18CSL58 DBMS LAB Manual.pdfSyed Mustafa
 
OSI Model - Open Systems Interconnection
OSI Model - Open Systems InterconnectionOSI Model - Open Systems Interconnection
OSI Model - Open Systems InterconnectionAdeel Rasheed
 
ADVANCED WELDING PROCESS
ADVANCED WELDING PROCESS ADVANCED WELDING PROCESS
ADVANCED WELDING PROCESS HOME
 
Magnetic Particle Inspection
Magnetic Particle InspectionMagnetic Particle Inspection
Magnetic Particle Inspectionsaravana kumar
 
Come mettere in sicurezza le applicazioni legacy, un approccio pragmatico
Come mettere in sicurezza le applicazioni legacy, un approccio pragmaticoCome mettere in sicurezza le applicazioni legacy, un approccio pragmatico
Come mettere in sicurezza le applicazioni legacy, un approccio pragmaticoAntonio Parata
 
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceConfess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceMasoud Kalali
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themMasoud Kalali
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 

Más contenido relacionado

La actualidad más candente

Selection sort
Selection sortSelection sort
Selection sortstella D
 
Internship Project Report - Vaibhav
Internship Project Report - VaibhavInternship Project Report - Vaibhav
Internship Project Report - VaibhavVaibhav Dhattarwal
 
Selection sort lab mannual
Selection sort lab mannualSelection sort lab mannual
Selection sort lab mannualmaamir farooq
 
Everything about Database JOINS and Relationships
Everything about Database JOINS and RelationshipsEverything about Database JOINS and Relationships
Everything about Database JOINS and RelationshipsAbdul Rahman Sherzad
 
ASNT Magnetic Particle Testing (MT) Notes-Dr. Samir Saad
ASNT Magnetic Particle Testing (MT) Notes-Dr. Samir Saad ASNT Magnetic Particle Testing (MT) Notes-Dr. Samir Saad
ASNT Magnetic Particle Testing (MT) Notes-Dr. Samir Saad Dr.Samir Saad
 
Tutorial - Eddy Current Testing
Tutorial - Eddy Current TestingTutorial - Eddy Current Testing
Tutorial - Eddy Current TestingEthan Gros
 
MULTI THREADING IN JAVA
MULTI THREADING IN JAVAMULTI THREADING IN JAVA
MULTI THREADING IN JAVAVINOTH R
 
Comprender y utilizar layouts FireMonkey
Comprender y utilizar layouts FireMonkey Comprender y utilizar layouts FireMonkey
Comprender y utilizar layouts FireMonkey Fernando Rizzato
 
What is Ethernet
What is EthernetWhat is Ethernet
What is EthernetSimplilearn
 
Covariance and contravariance. Say what?! (Agile Talks #22)
Covariance and contravariance. Say what?! (Agile Talks #22)Covariance and contravariance. Say what?! (Agile Talks #22)
Covariance and contravariance. Say what?! (Agile Talks #22)Alin Pandichi
 
Interview questions reference liaison academic
Interview questions reference liaison academicInterview questions reference liaison academic
Interview questions reference liaison academicJulie Anne Kent
 
18CSL58 DBMS LAB Manual.pdf
18CSL58 DBMS LAB Manual.pdf18CSL58 DBMS LAB Manual.pdf
18CSL58 DBMS LAB Manual.pdfSyed Mustafa
 
OSI Model - Open Systems Interconnection
OSI Model - Open Systems InterconnectionOSI Model - Open Systems Interconnection
OSI Model - Open Systems InterconnectionAdeel Rasheed
 
ADVANCED WELDING PROCESS
ADVANCED WELDING PROCESS ADVANCED WELDING PROCESS
ADVANCED WELDING PROCESS HOME
 
Magnetic Particle Inspection
Magnetic Particle InspectionMagnetic Particle Inspection
Magnetic Particle Inspectionsaravana kumar
 

La actualidad más candente (17)

Selection sort
Selection sortSelection sort
Selection sort
 
Internship Project Report - Vaibhav
Internship Project Report - VaibhavInternship Project Report - Vaibhav
Internship Project Report - Vaibhav
 
Selection sort lab mannual
Selection sort lab mannualSelection sort lab mannual
Selection sort lab mannual
 
Everything about Database JOINS and Relationships
Everything about Database JOINS and RelationshipsEverything about Database JOINS and Relationships
Everything about Database JOINS and Relationships
 
ASNT Magnetic Particle Testing (MT) Notes-Dr. Samir Saad
ASNT Magnetic Particle Testing (MT) Notes-Dr. Samir Saad ASNT Magnetic Particle Testing (MT) Notes-Dr. Samir Saad
ASNT Magnetic Particle Testing (MT) Notes-Dr. Samir Saad
 
Tutorial - Eddy Current Testing
Tutorial - Eddy Current TestingTutorial - Eddy Current Testing
Tutorial - Eddy Current Testing
 
Shell sort
Shell sortShell sort
Shell sort
 
Introduction to Radiographic Testing
Introduction to Radiographic TestingIntroduction to Radiographic Testing
Introduction to Radiographic Testing
 
MULTI THREADING IN JAVA
MULTI THREADING IN JAVAMULTI THREADING IN JAVA
MULTI THREADING IN JAVA
 
Comprender y utilizar layouts FireMonkey
Comprender y utilizar layouts FireMonkey Comprender y utilizar layouts FireMonkey
Comprender y utilizar layouts FireMonkey
 
What is Ethernet
What is EthernetWhat is Ethernet
What is Ethernet
 
Covariance and contravariance. Say what?! (Agile Talks #22)
Covariance and contravariance. Say what?! (Agile Talks #22)Covariance and contravariance. Say what?! (Agile Talks #22)
Covariance and contravariance. Say what?! (Agile Talks #22)
 
Interview questions reference liaison academic
Interview questions reference liaison academicInterview questions reference liaison academic
Interview questions reference liaison academic
 
18CSL58 DBMS LAB Manual.pdf
18CSL58 DBMS LAB Manual.pdf18CSL58 DBMS LAB Manual.pdf
18CSL58 DBMS LAB Manual.pdf
 
OSI Model - Open Systems Interconnection
OSI Model - Open Systems InterconnectionOSI Model - Open Systems Interconnection
OSI Model - Open Systems Interconnection
 
ADVANCED WELDING PROCESS
ADVANCED WELDING PROCESS ADVANCED WELDING PROCESS
ADVANCED WELDING PROCESS
 
Magnetic Particle Inspection
Magnetic Particle InspectionMagnetic Particle Inspection
Magnetic Particle Inspection
 

Destacado

Come mettere in sicurezza le applicazioni legacy, un approccio pragmatico
Come mettere in sicurezza le applicazioni legacy, un approccio pragmaticoCome mettere in sicurezza le applicazioni legacy, un approccio pragmatico
Come mettere in sicurezza le applicazioni legacy, un approccio pragmaticoAntonio Parata
 
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceConfess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceMasoud Kalali
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themMasoud Kalali
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONSMarkus Eisele
 

Destacado (6)

Come mettere in sicurezza le applicazioni legacy, un approccio pragmatico
Come mettere in sicurezza le applicazioni legacy, un approccio pragmaticoCome mettere in sicurezza le applicazioni legacy, un approccio pragmatico
Come mettere in sicurezza le applicazioni legacy, un approccio pragmatico
 
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceConfess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid them
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
 

Similar a Owasp lapse

Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep DiveUlisses Albuquerque
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)Steve Poole
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleJeff Williams
 
Secure Software Development with 3rd Party Dependencies
Secure Software Development with 3rd Party DependenciesSecure Software Development with 3rd Party Dependencies
Secure Software Development with 3rd Party Dependenciesthariyarox
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guideSudhanshu Chauhan
 
香港六合彩
香港六合彩香港六合彩
香港六合彩baoyin
 
Introduction to Spring sec1.pptx
Introduction to Spring sec1.pptxIntroduction to Spring sec1.pptx
Introduction to Spring sec1.pptxNourhanTarek23
 
Managing Security in External Software Dependencies
Managing Security in External Software DependenciesManaging Security in External Software Dependencies
Managing Security in External Software Dependenciesthariyarox
 
Managing Security in External Software Dependencies
Managing Security in External Software DependenciesManaging Security in External Software Dependencies
Managing Security in External Software DependenciesTharindu Edirisinghe
 
Dependency-Check Ecosystem - OWASP Summit 2017
Dependency-Check Ecosystem - OWASP Summit 2017Dependency-Check Ecosystem - OWASP Summit 2017
Dependency-Check Ecosystem - OWASP Summit 2017Steve Springett
 
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...Andrey Karpov
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar NikaleAgile Testing Alliance
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
 

Similar a Owasp lapse (20)

Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep Dive
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
 
Secure Software Development with 3rd Party Dependencies
Secure Software Development with 3rd Party DependenciesSecure Software Development with 3rd Party Dependencies
Secure Software Development with 3rd Party Dependencies
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
Introduction to Spring sec1.pptx
Introduction to Spring sec1.pptxIntroduction to Spring sec1.pptx
Introduction to Spring sec1.pptx
 
Managing Security in External Software Dependencies
Managing Security in External Software DependenciesManaging Security in External Software Dependencies
Managing Security in External Software Dependencies
 
Managing Security in External Software Dependencies
Managing Security in External Software DependenciesManaging Security in External Software Dependencies
Managing Security in External Software Dependencies
 
Dependency-Check Ecosystem - OWASP Summit 2017
Dependency-Check Ecosystem - OWASP Summit 2017Dependency-Check Ecosystem - OWASP Summit 2017
Dependency-Check Ecosystem - OWASP Summit 2017
 
Dependency check
Dependency checkDependency check
Dependency check
 
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)
 

Más de n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Más de n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Último

Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationRosabel UA
 
Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)cama23
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 

Último (20)

Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for Beginners
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translation
 
Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 

Owasp lapse

  • 1. A review from an end-user perspective by Praveen P
  • 2. Agenda  Introduction  Demo  Loading LAPSE+ in Eclipse  LAPSE+ Eclipse Plug-in Views  Vulnerability Sources View  Vulnerability Sinks View  Provenance Tracker View  Advantages  Limitations  Conclusion
  • 3. Introducing LAPSE+  An eclipse IDE plug-in for Java.  A static code analyzing software.  A security scanner for detecting vulnerabilities of un-trusted data injection in Java EE Applications.  Developed by the SUIF Compiler Group of Stanford University
  • 4. LAPSE+  LAPSE+ is based on the static analysis of code to detect the source and the sink of a vulnerability.  The source of a vulnerability refers to the injection of un-trusted data in the parameters of an HTTP request, a Cookie, etc.  The sink of a vulnerability refers to the process of data modification to manipulate the behavior of the application, such as a servlet response or a HTML page.  The vulnerability sources can lead to sinks by simple assignments, method calls or parameters passing.
  • 5. Demo- Loading LAPSE+ in Eclipse  D:techeclipse  LAPSE+ plugin consists of a Java JAR file called LapsePlus_2.8.X.jar.  To load the plugin we have to copy it in the plugins folder of our Eclipse Helios  Once we have copied the Java JAR file in plugins folder we can run Eclipse.  LAPSE+ is ready!
  • 6. LAPSE+ Eclipse Plug-in Views LAPSE+ provides three different views for the analysis of vulnerabilities:  Vulnerability Sources View: It shows the points of code that can be source of un-trusted data injection.  Vulnerability Sinks View: It shows the points of code that can insert the un-trusted data in the application, manipulating its behavior.  Provenance Tracker View: This view traces the backward propagation tree from a vulnerability sink in order to check if it reaches a vulnerability source. If this happens we have a vulnerability in our code.
  • 7. Advantages  Accurate result.  It automatically places cursor to the relevant source code.  It helps you to test your validation logic from a security perspective even without compiling your code.
  • 8. Limitations  Limited to Java.  Limited to eclipse environment hence cannot be triggered during build phase.  Copy-to-clipboard functionality is not proper.  Does not analyze JSP/web pages.  Cannot identify whether a code contains any compilation errors.  Cannot block a vulnerable code from entering the code repository (subversion).
  • 9. Conclusion  LAPSE+ is not a complete fool proof solution for static code analysis but it provides very accurate results.  LAPSE+ is better than YASCA and ARACHNI in terms of results and convenience.