Automated Web Vulnerability Remediation
4 easy steps to scan and immunize your web application source code!
App Immunizer is built with unique intelligence and the mindset of a secure developer. It helps development teams automate the vulnerability remediation process by introducing security methods and libraries into the web application source code, which cuts manual effort and boosts confidence in delivering secure applications by automating the majority of the manual work essential to roll out a secure web application.
App Immunizer, known in short as AI, has a test framework derived from the OWASP and WASC standards. AI is focused on enabling a secure defense mechanism in your web application source code against the most critical web security issues, such as Cross-Site Scripting, SQL Injection, LDAP Injection, Command Injection, Malicious File Inclusion and many more.
How does it work?
AI is the outcome of application security principles, standard secure coding guidelines and the popular maxim "Never trust input from users": treat all user input as if it were malicious and perform input validation on all user input.
AI treats every input as malicious and determines the behavioural outcome of input data by computing all possible execution paths: it reads each line of code, systematically checks for user inputs and introduces a security library at those points, producing an immunized web application source code.
AI was developed with customer and industry pain points in mind, to achieve maximum web application security right at the source code.
The approach of AI is to:
A code-level security review of applications can validate the strength of your application security at the lowest layer
What does it cover?
App Immunizer covers a huge set of scenarios drawn from a wide variety of web applications researched across verticals such as BFSI, IT, Retail, Hi-Tech, Open Source and commercial software. This makes the tool more effective at scanning for and uncovering the most common and complex scenarios in application source code, discovering the instances of code that make the web application vulnerable and open to exploitation. Customers directly benefit from the wide coverage of web technologies that AI supports:
Supported Technologies and Frameworks
ASP.Net
Java
PHP
Ruby on Rails
ColdFusion
CGI/Perl
Spring
Struts
Web Services (JAVA, PHP, ASP.NET & Ruby on Rails)

Vulnerability Coverage
Below are the latest web vulnerability mappings across the OWASP Top 10 (2010), the WASC Threat Classification v2.0, the 2010 CWE/SANS Top 25, the Common Weakness Enumeration (CWE) and CAPEC (Common Attack Pattern Enumeration and Classification), compared against the vulnerability remediation achieved through App Immunizer.
App Immunizer - Vulnerability Coverage (the five ID columns give the respective vulnerability ID from each standard; "-" means the standard has no entry for that vulnerability):
S. No | Vulnerability | OWASP Top 10 (2010) | WASC TC v2.0 | 2010 CWE/SANS Top 25 | CWE | CAPEC | Business Impact
1 | SQL Injection | A1 | WASC-19 | 89 | 89 | 66 | Consider the business value of the exposed functions and the data they process. Also consider the impact to your reputation if this vulnerability became public.
2 | XPath Injection | A1 | WASC-39 | - | 643 | 83 | 
3 | XQuery Injection | A1 | WASC-46 | - | 652 | 84 | 
4 | LDAP Injection | A1 | WASC-29 | - | 90 | 136 | 
5 | XML Injection | A1 | WASC-23 | - | 91 | 250 | Such flaws can alter the intended logic of the application and further cause the insertion of malicious content, resulting in message/document exposure.
6 | SSI Injection | A1 | WASC-36 | - | 97 | 101 | Such flaws can allow an attacker to execute commands at the web server level and gain access to restricted file contents.
7 | Mail Command Injection | A1 | WASC-30 | - | 88 | 134 | Consider the business value of the affected system and the user data exposure.
8 | OS Command Injection | A1 | WASC-31 | 78 | 78 | 88 | Attackers modify or misuse operating system commands to control data and resources.
9 | Null Byte Injection | A1 | WASC-28 | - | 158 | 52 | Consider the business value of the affected system and the user data exposure. This injection can alter the intended logic of the application and allow a malicious adversary to gain unauthorized access to system files.
10 | Cross Site Scripting | A2 | WASC-08 | 79 | 79 | 18, 19, 63 | Consider the business value of the affected system and all the data it processes. Consider the business impact of public exposure of the vulnerability.
11 | Session Fixation | A3 | WASC-37 | 732 | 384 | 61 | Consider the business value of the affected data; Session Fixation leads to identity theft, session hijacking and user impersonation.
12 | Directory Indexing | A4 | WASC-16 | - | 548 | 127 | Such flaws could allow an information leak that supplies an attacker with the information necessary to launch further attacks against the system.
13 | Path Traversal | A4 | WASC-33 | 73, 426 | 22 | 126 | Consider the business value of the affected system and the user data exposure. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server.
14 | Application Misconfiguration | A6 | WASC-15 | - | 16 | - | All of these misconfigurations may lead to unauthorized access to sensitive information.
15 | Server Misconfiguration | A6 | WASC-14 | - | 16 | - | The system could be completely compromised without you knowing it. All your data could be stolen or modified slowly over time. Recovery costs could be expensive.
16 | Failure to Restrict URL Access | A4, A8 | WASC-02 | 285 | 284 | - | Consider the business value of the exposed functions and the data they process. Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack.
17 | Insecure Transport Layer Security | A9 | WASC-04 | 319 | 311, 523 | - | Consider the business value of the data exposed on the communications channel in terms of its confidentiality and integrity needs, and the need to authenticate both participants, e.g. credit cards, health care records, financial data (yours or your customers').
18 | URL Redirection | A10 | WASC-38 | - | 601 | - | By modifying the URL value to point to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
19 | Information Leakage and Error Handling | A6 (2007), A4 (2004) | WASC-13 | 209 | 200 | 118 | Such loosely handled information can help an attacker learn more about the server and further help launch a focused attack.
20 | Remote File Inclusion | A3 (2007) | WASC-5 | 426 | 98 | 193, 253 | Consider the business value of the affected system and the user data exposure. This could lead to inclusion of a malicious file and execution of the same on the server.
21 | Format String | - | WASC-6 | - | 134 | 67 | Consider the business value of the affected system and the user data exposure.
22 | Content Spoofing | - | WASC-12 | - | 345 | 148 | The attacker tricks the victim with spoofed content that appears authentic and delivered from a legitimate source.
23 | Improper Input Handling | - | WASC-20 | 20, 73 | 20 | - | Attackers modify or misuse input values to control data and resources.
24 | Improper Output Handling | - | WASC-22 | 116 | 116 | - | Attackers modify or misuse output values to control data and resources.
25 | HTTP Response Splitting | - | WASC-25 | - | 113 | 34 | Consider the business value of the affected system and the user data exposure that is embedded in scripts from the server.
26 | HTTP Response Smuggling | - | WASC-27 | - | 436 | 273 | 
27 | Fingerprinting | - | WASC-45 | - | 205 | 224 | The most common methodology for attackers is to first footprint the target's web presence and enumerate as much information as possible.
The above vulnerability mapping was inspired by the Denim Group post "Mapping Between OWASP Top 10 (2004, 2007), WASC 24+2 and SANS CWE/25", originally posted on January 13th 2010 by Dan Cornell, and by the Web Application Security Consortium (WASC) Threat Classification 'Taxonomy Cross Reference View'. However, this coverage is not as comprehensive as the respective standards (OWASP, WASC, CWE/SANS Top 25, CWE, CAPEC); the vulnerability list is restricted to what App Immunizer covers.
Vulnerability Remediation Efficiency
Before we move ahead, let us understand a little about these standards, against which the automated remediation capabilities are measured as the number of vulnerabilities addressed in each:
Standard | Description
OWASP | The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. App Immunizer remediates.
WASC | The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site.
2010 CWE/SANS Top 25 | The 2010 CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. The CWE Top 25 breaks down into three categories: 1. Insecure Interaction Between Components, 2. Risky Resource Management, 3. Porous Defenses.
CAPEC | CAPEC is a Software Assurance strategic initiative co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. The CAPEC classification is a community knowledge resource for building secure software.
CWE | The Common Weakness Enumeration is a community-developed dictionary of software weakness types.
Below is the "Vulnerability Remediation Count" table, which gives the total number of vulnerabilities from each prevalent application security standard, classified as critical application security issues, whose remediation App Immunizer automates.
 | OWASP Top 10 (2010) | WASC v2.0 | 2010 CWE/SANS Top 25 | CWE | CAPEC
# Vulnerabilities Immunized | 8 | 27 | 13 | 27 | 23
Notes | AI automates remediation for 8 vulnerabilities out of the OWASP Top 10 2010. | AI automates remediation for 27 of the 49 vulnerabilities in WASC v2.0. | AI automates remediation for 13 vulnerabilities out of the 2010 CWE/SANS Top 25. | AI automates remediation for 27 vulnerabilities from the Common Weakness Enumeration (CWE). | AI automates remediation for 23 vulnerabilities from the Common Attack Pattern Enumeration and Classification (CAPEC).
'They've taken away the worries for IT systems. The support staff is great and they offer excellent solutions and a high level of advice for any problem. What I appreciate is that they take ownership of their clients. No matter what time it is, there is always someone there. That's very reassuring.'
Hakan Skoglund
Director