Automated Web Vulnerability Remediation

4 easy steps to scan and immunize your web application source code!

App Immunizer is built with the mindset of a secure developer: it helps development teams automate the vulnerability remediation process by introducing security methods and libraries into the web application source code. This cuts the manual effort needed to roll out a secure web application and raises confidence that the delivered application is secure.

App Immunizer, AI for short, has a test framework derived from the OWASP and WASC standards. AI enables a defense mechanism in your web application source code against the most critical web security issues, such as Cross Site Scripting, SQL Injection, LDAP Injection, Command Injection, Malicious File Inclusion and many more.

How does it work?

AI is the outcome of application security principles, standard secure coding guidelines and the popular maxim "Never trust input from users": treat all user input as if it were malicious and perform input validation on all of it.

AI treats every input as malicious and determines the behavioral outcome of input data by computing the possible execution paths: it reads each line of code, systematically checks for user inputs, and introduces a security library at those points. The result is an immunized web application source code.

AI was developed with the customer and industry pain point in mind: achieving maximum web application security right at the source code.

The approach of AI is to:

1. Crawl the entire web application code base to uncover user inputs.
2. Replace the vulnerable code with secure code for most of the critical application security issues.
3. Generate a detailed technical and compliance report covering the identified insecure code vs. secure code, plus a list of security advisories for the issues that were not fixed automatically.
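Added example, not part of the page or of the product: a toy Python illustration of the three steps above on a constructed PHP fragment (find user inputs, rewrite HTML output sinks to go through an encoding call, report what was fixed and what still needs a developer). It is a pattern-based sketch, not App Immunizer's analysis engine; `htmlspecialchars` is PHP's standard HTML-encoding function, and the superglobal list and sink patterns are assumptions.

```python
import re

# Constructed PHP fragment (not from the page): user input reaches an HTML
# output sink and a SQL sink built by string concatenation.
SAMPLE_PHP = """<?php
$name = $_GET['name'];
echo "Hello " . $_GET['name'];
echo $name;
$r = mysql_query("SELECT * FROM users WHERE name = '" . $_GET['name'] . "'");
"""

# Step 1: what counts as a user input (PHP request superglobals, assumed list).
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]+\]"

def immunize(source):
    """Return (rewritten_source, fixed, advice).
    fixed  : (line_no, issue) for sinks rewritten to use an encoding call
    advice : (line_no, issue) for sinks a developer must fix by hand
    """
    fixed, advice, out = [], [], []
    tainted = set()  # variables assigned straight from a superglobal
    for n, line in enumerate(source.splitlines(), 1):
        assign = re.match(r"\s*(\$\w+)\s*=\s*" + SUPERGLOBAL + r"\s*;", line)
        if assign:
            tainted.add(assign.group(1))
        sink = re.match(r"(\s*echo\s+)(.+);\s*$", line)
        user_controlled = sink and (
            re.search(SUPERGLOBAL, sink.group(2))
            or any(v in sink.group(2) for v in tainted))
        if user_controlled:
            # Step 2: HTML output of user data is routed through PHP's
            # htmlspecialchars; lines that are already wrapped are left alone.
            if "htmlspecialchars(" not in line:
                line = (f"{sink.group(1)}htmlspecialchars("
                        f"{sink.group(2)}, ENT_QUOTES, 'UTF-8');")
                fixed.append((n, "Cross Site Scripting"))
        elif re.search(r"mysql_query\(.*\.", line) and re.search(SUPERGLOBAL, line):
            # A query assembled by concatenation cannot be rewritten safely by
            # a pattern, so it goes to the advisory list (step 3).
            advice.append((n, "SQL Injection: rewrite with a prepared statement"))
        out.append(line)
    return "\n".join(out), fixed, advice

if __name__ == "__main__":
    # Step 3: the report of insecure vs. secure code and the remaining advice.
    code, fixed, advice = immunize(SAMPLE_PHP)
    print(code)
    print("fixed:", fixed, "needs developer:", advice)
```

Running it twice on its own output reports nothing newly fixed, which is the property a remediation tool needs so that re-scans do not double-encode.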

A code-level security review of applications can validate the strength of your application security at the lowest layer


What does it cover?

App Immunizer covers a large set of scenarios researched from a wide variety of web applications across verticals such as BFSI, IT, retail, hi-tech, open source and commercial software. This makes the tool more effective at scanning for and uncovering the most common and the more complex patterns in application source code that make a web application vulnerable and exploitable. Customers benefit directly from the wide coverage of web technologies that AI supports:

Supported Technologies and Frameworks

Classic ASP
ASP.Net
Java
PHP
Ruby on Rails
ColdFusion
CGI/Perl
Spring
Struts
Web Services (JAVA, PHP, ASP.NET & Ruby on Rails)

Vulnerability Coverage

Below are the latest web vulnerability mappings from OWASP Top 10 2010 vs. WASC Threat Classification v2.0 vs. 2010 CWE/SANS Top 25 vs. CWE (Common Weakness Enumeration) vs. CAPEC (Common Attack Pattern Enumeration and Classification), in comparison to the vulnerability remediation achieved through App Immunizer.

App Immunizer - Vulnerability Coverage:

| S. No | Vulnerability | OWASP Top Ten 2010 | WASC v2.0 | 2010 CWE/SANS Top 25 | CWE | CAPEC | Business Impact |
|---|---|---|---|---|---|---|---|
| 1 | SQL Injection | A1 | WASC-19 | 89 | 89 | 66 | Consider the business value of the exposed functions and the data they process, and the impact on your reputation if this vulnerability became public. |
| 2 | XPath Injection | | WASC-39 | - | 643 | 83 | |
| 3 | XQuery Injection | | WASC-46 | - | 652 | 84 | |
| 4 | LDAP Injection | | WASC-29 | - | 90 | 136 | |
| 5 | XML Injection | | WASC-23 | - | 91 | 250 | Such flaws can alter the intended logic of the application and allow the insertion of malicious content, resulting in message/document exposure. |
| 6 | SSI Injection | | WASC-36 | - | 97 | 101 | Such flaws can allow an attacker to execute commands at the web server level and gain access to restricted file contents. |
| 7 | Mail Command Injection | | WASC-30 | - | 88 | 134 | Consider the business value of the affected system and the exposure of user data. |
| 8 | OS Command Injection | | WASC-31 | 78 | 78 | 88 | Attackers modify or misuse operating system commands to control data and resources. |
| 9 | Null Byte Injection | | WASC-28 | - | 158 | 52 | Consider the business value of the affected system and the exposure of user data. This injection can alter the intended logic of the application and allow a malicious adversary to gain unauthorized access to system files. |
| 10 | Cross Site Scripting | A2 | WASC-08 | 79 | 79 | 18, 19, 63 | Consider the business value of the affected system and all the data it processes, and the business impact of public exposure of the vulnerability. |
| 11 | Session Fixation | A3 | WASC-37 | 732 | 384 | 61 | Consider the business value of the affected data; session fixation leads to identity theft, session hijacking and user impersonation. |
| 12 | Directory Indexing | A4 | WASC-16 | - | 548 | 127 | Such flaws could allow an information leak that supplies an attacker with the information necessary to launch further attacks against the system. |
| 13 | Path Traversal | A4 | WASC-33 | 73, 426 | 22 | 126 | Consider the business value of the affected system and the exposure of user data. An attacker may manipulate a URL so that the web site executes or reveals the contents of arbitrary files anywhere on the web server. |
| 14 | Application Misconfiguration | A6 | WASC-15 | - | 16 | - | All of these misconfigurations may lead to unauthorized access to sensitive information. |
| 15 | Server Misconfiguration | A6 | WASC-14 | - | 16 | - | The system could be completely compromised without your knowledge; all your data could be stolen or modified slowly over time, and recovery costs could be high. |
| 16 | Failure to Restrict URL Access | A4, A8 | WASC-02 | 285 | 284 | - | Consider the business value of the exposed functions and the data they process. Such flaws allow attackers to access unauthorized functionality; administrative functions are key targets for this type of attack. |
| 17 | Insecure Transport Layer Security | A9 | WASC-04 | 319 | 311, 523 | - | Consider the business value of the data exposed on the communications channel in terms of its confidentiality and integrity needs and the need to authenticate both participants, e.g. credit cards, health care records, financial data (yours or your customers'). |
| 18 | URL Redirection | A10 | WASC-38 | - | 601 | - | By modifying the URL value to point to a malicious site, an attacker may launch a phishing scam and steal user credentials. |
| 19 | Information Leakage and Error Handling | A6 (2007), A4 (2004) | WASC-13 | 209 | 200 | 118 | Such loosely handled information can help an attacker learn more about the server and launch a focused attack. |
| 20 | Remote File Inclusion | A3 (2007) | WASC-5 | 426 | 98 | 193, 253 | Consider the business value of the affected system and the exposure of user data. This could lead to the inclusion of a malicious file and its execution on the server. |
| 21 | Format String | - | WASC-6 | - | 134 | 67 | Consider the business value of the affected system and the exposure of user data. |
| 22 | Content Spoofing | - | WASC-12 | - | 345 | 148 | The attacker tricks the victim with spoofed content that appears authentic and delivered from a legitimate source. |
| 23 | Improper Input Handling | - | WASC-20 | 20, 73 | 20 | - | Attackers modify or misuse input values to control data and resources. |
| 24 | Improper Output Handling | - | WASC-22 | 116 | 116 | - | Attackers modify or misuse output values to control data and resources. |
| 25 | HTTP Response Splitting | - | WASC-25 | - | 113 | 34 | Consider the business value of the affected system and the user data that is embedded in scripts from the server. |
| 26 | HTTP Response Smuggling | - | WASC-27 | - | 436 | 273 | |
| 27 | Fingerprinting | - | WASC-45 | - | 205 | 224 | The most common methodology for attackers is to first footprint the target's web presence and enumerate as much information as possible. |

The above vulnerability mapping was inspired by the Denim Group article "Mapping Between OWASP Top 10 (2004, 2007), WASC 24+2 and SANS CWE/25", originally posted on January 13th 2010 by Dan Cornell, and by the Web Application Security Consortium (WASC) Threat Classification 'Taxonomy Cross Reference View'. However, this coverage is not as comprehensive as defined in the respective standards (OWASP, WASC, CWE/SANS Top 25, CWE, CAPEC); the vulnerability list is restricted to App Immunizer's vulnerability coverage.

Vulnerability Remediation Efficiency

Before moving on to the automated remediation capabilities measured against the number of vulnerabilities addressed in each of these standards, let us understand a little about the standards themselves:

| Standard | Description | Reference |
|---|---|---|
| OWASP | The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. App Immunizer remediates. | http://www.owasp.org |
| WASC | The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. | http://www.webappsec.org |
| 2010 CWE/SANS Top 25 | The 2010 CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. The CWE Top 25 breaks down into 3 separate categories: 1. Insecure Interaction Between Components, 2. Risky Resource Management, 3. Porous Defenses. | http://www.sans.org/top25-software-errors/ |
| CAPEC | CAPEC is a Software Assurance strategic initiative co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. The CAPEC classification is a community knowledge resource for building secure software. | http://capec.mitre.org/ |
| CWE | Common Weakness Enumeration is a community-developed dictionary of software weakness types. | http://cwe.mitre.org/index.html |

The "Vulnerability Remediation Count" table below shows the total number of vulnerabilities whose remediation App Immunizer automates, measured against the prevalent application security standards, for the issues classified as critical application security issues.

| | OWASP Top 10 (2010) | WASC v2.0 | 2010 CWE/SANS Top 25 | CWE | CAPEC |
|---|---|---|---|---|---|
| # Vulnerabilities Immunized | 8 | 27 | 13 | 27 | 23 |

Notes

AI automates remediation for 8 of the OWASP Top 10 2010 vulnerabilities.

AI automates remediation for 27 of the 49 WASC v2.0 vulnerabilities.

AI automates remediation for 13 of the 2010 CWE/SANS Top 25.

AI automates remediation for 27 vulnerabilities from the Common Weakness Enumeration (CWE).

AI automates remediation for 23 vulnerabilities from the Common Attack Pattern Enumeration and Classification (CAPEC).

'They've taken away the worries for IT systems. The support staff is great and they offer excellent solutions and a high level of advice for any problem. What I appreciate is that they take ownership of their clients. No matter what time it is, there is always someone there. That's very reassuring.'

Hakan Skoglund, Director