Presentation by Ashimzhanova, Kovalenko, Akimbayev

DEVELOPMENT OF AN APPLICATION SECURITY TESTING SYSTEM
Done by:
Kovalenko E.
Akimbayev A.
Ashimzhanova D.
Research Advisor: Amanzholova S. T.
Reviewer: Shaykulova A. A.
Almaty 2022
The main goal and tasks
The main goal of the project is to develop a system for checking applications for security vulnerabilities and issuing recommendations for their elimination.
Tasks:
- Analyze in detail all the requirements: the knowledge and information needed, and any other aspects that will affect the project.
- Determine the technologies, tools, and platforms necessary to create an application security testing system.
- Develop or modify an algorithm for checking the code for security vulnerabilities.
- Provide testing of the application security testing system.
Team members
Akimbayev Amir
• Web structure
• SAST front-end
• JSON formatting
• CSRF session security with cookies
Kovalenko Emil
• Base64 encrypting
• Custom regex/semantic search rules
• Database interaction
• Options management
Ashimzhanova Dilnaz
• Compliance vulnerabilities with pattern matching
• TOTP authentication/SMTP
• RBAC permission hierarchy
• DC flow analysis
Novelty & Relevance
[Chart: AST integration statistics, 2017 to 2021; y-axis from 0 to 4 000]
Analogues
Name of product | Date of foundation | Location | Advantages | Disadvantages
HCL AppScan | 1991 | India, USA | Cloud and on-premise deployment; fewer false positives | Expensive product
Synopsys | 1986 | California, USA | First place in Gartner's Application Security Testing ranking | Expensive product; poor support and sales system
PT Application Inspector | 2002 | Russia | Russian-made solution with a Russian interface | The solution is still evolving
Solar appScreener | 2015 | Russia | Russian interface; code deobfuscation | The solution has false-positive cases
SonarQube | 2008 | Switzerland | Has a free edition | Focuses more on code quality than on code security
Checkmarx | 2006 | Israel | Has a good database of security vulnerabilities | Expensive product
Veracode | 2006 | USA | Can integrate with different systems | Cloud-only solution, no on-premise deployment
Architecture of the system
Workflow & user possibilities
ER DIAGRAM & SQLite
Corporate security features
• Security search custom patterns
• SAST integration
• Regex analysis
• Semantic analysis
• Base64 encrypting
• CSRF session security with cookies
• Encryption SSL/HTTPS
• RBAC permission hierarchy
• Host OS validation
• JSON security
• TOTP
EternalSec
Login & Home page
Project page
Vulnerability page
Dashboard page
Option page
THANK YOU FOR ATTENTION