A review from an end-user perspective
by
Praveen P
Agenda
- Introduction
- Demo: Loading LAPSE+ in Eclipse
- LAPSE+ Eclipse Plug-in Views
  - Vulnerability Sources View
  - Vulnerability Sinks View
  - Provenance Tracker View
- Advantages
- Limitations
- Conclusion
Introducing LAPSE+
- An Eclipse IDE plug-in for Java.
- A static code analysis tool.
- A security scanner that detects untrusted-data injection vulnerabilities in Java EE applications.
- Developed by the SUIF Compiler Group of Stanford University.
LAPSE+
- LAPSE+ is based on static analysis of the code to detect the source and the sink of a vulnerability.
- The source of a vulnerability is the point where untrusted data enters the application, such as the parameters of an HTTP request, a cookie, etc.
- The sink of a vulnerability is the point where that data is used to alter the application's behaviour, such as a servlet response or an HTML page.
- Vulnerability sources can reach sinks through simple assignments, method calls or parameter passing.
Demo: Loading LAPSE+ in Eclipse
- D:techeclipse
- The LAPSE+ plug-in consists of a single Java JAR file called LapsePlus_2.8.X.jar.
- To load the plug-in, copy it into the plugins folder of our Eclipse Helios installation.
- Once the JAR file is in the plugins folder, run Eclipse.
- LAPSE+ is ready!
LAPSE+ Eclipse Plug-in Views
LAPSE+ provides three different views for the analysis of vulnerabilities:
- Vulnerability Sources View: shows the points in the code where untrusted data can be injected.
- Vulnerability Sinks View: shows the points in the code where untrusted data can enter the application and manipulate its behaviour.
- Provenance Tracker View: traces the backward propagation tree from a vulnerability sink to check whether it reaches a vulnerability source. If it does, we have a vulnerability in our code.
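The source/sink/propagation model on the previous slide and the backward walk done by the Provenance Tracker view can be shown in a few dozen lines. The following is an added example written for this review, not code from LAPSE+ or from the deck: a toy tracker over a constructed, straight-line servlet fragment. The source, sink and sanitizer API lists and the sample program are assumptions made for the demo, and parameter passing into user-defined methods is deliberately not modelled. Starting at each sink argument, the tracker follows the definition chain backwards through assignments and method calls; a chain that ends at a source without crossing a sanitizer is reported, exactly the question the Provenance Tracker view answers.

```python
"""Toy backward taint tracker in the spirit of the LAPSE+ Provenance Tracker.
Added example; API lists and the sample program below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed API lists (assumptions for this demo, not the plug-in's own tables).
SOURCES = {"request.getParameter", "request.getHeader", "request.getCookies"}
SINKS = {"response.getWriter().println", "statement.executeQuery"}
SANITIZERS = {"Encoder.encodeForHTML", "Integer.parseInt"}


@dataclass
class Stmt:
    """One straight-line statement. kind is "assign" (target = expr over args),
    "call" (target = callee(args)) or "sink" (callee(args), no target).
    args lists the variables read; literals are omitted, they carry no taint."""
    line: int
    kind: str
    target: Optional[str] = None
    callee: Optional[str] = None
    args: List[str] = field(default_factory=list)


def build_defs(program: List[Stmt]) -> Dict[str, Stmt]:
    """Map each variable to its defining statement (one definition per variable assumed)."""
    return {s.target: s for s in program if s.target is not None}


def trace_back(var: str, defs: Dict[str, Stmt], seen: Optional[set] = None) -> Optional[List[Stmt]]:
    """Definition chain from var back to a source (sink side first), or None if clean."""
    seen = seen if seen is not None else set()
    if var in seen:
        return None
    seen.add(var)
    stmt = defs.get(var)
    if stmt is None:
        return None                      # method parameter / unknown: not tainted here
    if stmt.kind == "call" and stmt.callee in SOURCES:
        return [stmt]                    # untrusted data enters here
    if stmt.kind == "call" and stmt.callee in SANITIZERS:
        return None                      # encoding/validation breaks the flow
    for operand in stmt.args:            # assignment or plain call: taint flows through operands
        tail = trace_back(operand, defs, seen)
        if tail is not None:
            return [stmt] + tail
    return None


def find_vulnerabilities(program: List[Stmt]) -> List[dict]:
    """Report every sink whose argument provably flows from a source."""
    defs = build_defs(program)
    report = []
    for stmt in program:
        if stmt.kind != "sink" or stmt.callee not in SINKS:
            continue
        for operand in stmt.args:
            chain = trace_back(operand, defs)
            if chain is not None:
                report.append({"sink": stmt.callee, "sink_line": stmt.line,
                               "source": chain[-1].callee, "source_line": chain[-1].line,
                               "path": [s.line for s in reversed(chain)] + [stmt.line]})
    return report


# Constructed servlet fragment, in the shape LAPSE+ analyses:
#  1  String name   = request.getParameter("name");
#  2  String greet  = "Hello, " + name;
#  3  String safe   = Encoder.encodeForHTML(name);
#  4  response.getWriter().println(greet);     // tainted -> finding
#  5  response.getWriter().println(safe);      // encoded, no finding
#  6  String id     = request.getParameter("id");
#  7  String query  = "SELECT * FROM users WHERE id=" + id;
#  8  statement.executeQuery(query);           // tainted -> finding
#  9  int    n      = Integer.parseInt(id);
# 10  String query2 = "SELECT * FROM users WHERE id=" + n;
# 11  statement.executeQuery(query2);          // validated, no finding
DEMO_PROGRAM = [
    Stmt(1, "call", "name", "request.getParameter"),
    Stmt(2, "assign", "greet", args=["name"]),
    Stmt(3, "call", "safe", "Encoder.encodeForHTML", ["name"]),
    Stmt(4, "sink", callee="response.getWriter().println", args=["greet"]),
    Stmt(5, "sink", callee="response.getWriter().println", args=["safe"]),
    Stmt(6, "call", "id", "request.getParameter"),
    Stmt(7, "assign", "query", args=["id"]),
    Stmt(8, "sink", callee="statement.executeQuery", args=["query"]),
    Stmt(9, "call", "n", "Integer.parseInt", ["id"]),
    Stmt(10, "assign", "query2", args=["n"]),
    Stmt(11, "sink", callee="statement.executeQuery", args=["query2"]),
]

if __name__ == "__main__":
    for f in find_vulnerabilities(DEMO_PROGRAM):
        print(f"line {f['sink_line']}: {f['sink']} reached from {f['source']} "
              f"at line {f['source_line']} via lines {f['path']}")
```

Lines 4 and 8 are reported with their full source-to-sink paths; lines 5 and 11 are not, because the sanitizer call sits on the only chain back to the source. This is also why the deck can claim that validation logic is tested "without compiling": the walk needs only the definition chain, not a running program, and a real tool's precision depends on how complete its source, sink and sanitizer tables are.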
Advantages
- Accurate results.
- It automatically places the cursor at the relevant source code.
- It helps you test your validation logic from a security perspective, even without compiling your code.
Limitations
- Limited to Java.
- Limited to the Eclipse environment, hence it cannot be triggered during the build phase.
- The copy-to-clipboard functionality does not work properly.
- Does not analyze JSP/web pages.
- Cannot tell whether the code contains compilation errors.
- Cannot block vulnerable code from entering the code repository (Subversion).
Conclusion
- LAPSE+ is not a complete, foolproof solution for static code analysis, but it provides very accurate results.
- LAPSE+ is better than YASCA and ARACHNI in terms of results and convenience.
THANK YOU
