ITT320 Proposal Assignment PDF

Title ITT320 Proposal Assignment
Author Shahirah Izan
Course Material Science
Institution Universiti Malaysia Terengganu
Pages 5
File Size 179 KB
File Type PDF


Description

DIPLOMA IN COMPUTER SCIENCE
UNIVERSITI TEKNOLOGI MARA (TERENGGANU)
(SEMESTER MARCH 2021 – AUGUST 2021)
ITT320 – INTRODUCTION TO COMPUTER SECURITY (GROUP PROJECT)
CASE STUDY REPORT – NTOSpider/AppSpider Web Scanner

Prepared by:

STUDENT NAME                              MATRIC NO
1. NUR KHALIDA BINTI SAHARUM              2019236342
2. NOOR HAZRIENA AFIZAH BINTI AWANG       2019412858
3. MIM MELIA MELATI BINTI MAZLAN          2019433386
4. NURSHAHIRAH BINTI IZAN                 2019869304

Prepared for: MADAM NORMALINA BINTI IBRAHIM @ MAT NOR
DUE DATE: 13 MAY 2021

Table of Contents

INTRODUCTION  2
OBJECTIVE  2

INTRODUCTION


NTOSpider builds on NT OBJECTIVES' industry-leading application security experience: it was the first web application scanner to use a technique evolved over years of software development, security analysis, and professional services engagements. This enables NTOSpider to fully automate network assessments while ensuring the highest level of competence of any device vulnerability scanner available. On 4 May 2015, NT OBJECTIVES became a member of the Rapid7 family. NT OBJECTIVES is a privately held company based in Irvine, California. NTOSpider is a comprehensive dynamic application security testing (DAST) solution offered by NT OBJECTIVES as software or as a SaaS. The combination of NTOSpider's extensive application coverage and advanced attack methodologies yields the highest rates in the industry for the removal of false positive and false negative findings. Rapid7 is a leading provider of security data and analytics tools, enabling businesses to take an aggressive, analytics-driven approach to cyber security. To make sense of the volumes of information available to companies about their IT ecosystems and customers, Rapid7 integrates its capabilities in security data and analytics with deep insight into intruder patterns and strategies. Rapid7 solutions enable organisations to avoid attacks by delivering insight into vulnerabilities, as well as to identify compromises, react to breaches, and address the root causes of attacks. Rapid7 is used by over 3,500 companies in 78 countries, including 30 percent of the Fortune 1000.

OBJECTIVE

The objective of the task assigned to us is to recognise challenges and solutions in the field of cybersecurity that often arise around the world, such as security issues, patterns, and threats arising from technical uses, together with defence strategies. As a result, it will help us develop and enhance our cybersecurity abilities and knowledge. We were assigned to a group to discuss the various topics given and ended up choosing the NTOSpider topic. The outcome of this case study is that we gain awareness and knowledge of the benefits and drawbacks of NTOSpider, as well as basic skills in cyber security.

ADVANTAGES AND DISADVANTAGES

The main advantage of using this web application scanner is its wide variety of capabilities. The new Universal Translator from NTO provides fast, broad coverage for complex and modern applications with an automated tool that requires only a minimal workforce per scan. NTOSpider also benefits smartphone users because it scans the backend resources that support device-installed mobile applications, including apps that use standard formats like JSON, REST, and XML, and it can handle custom formats as well. Other than that, it dynamically crawls and imports traffic recorded from Rich Internet Applications, including AJAX, jQuery and Flash Remoting (AMF), to automate attacks against these complex applications. NTOSpider also handles CSRF-protected sites: it detects CSRF tokens so that valid tokens can be collected and used during each attack. CSRF is short for Cross-Site Request Forgery, an attack that sends malicious requests from an authenticated user to a web application and can have serious consequences if successful. The attacker is unable to see the responses to the forged requests, so such attacks focus on state changes rather than theft of data. Besides that, NTOSpider has increased the level of automation: execution is now repeatable, which makes security testing of applications more efficient and systematically reduces risk more effectively than before by leveraging a more automated process.

Unfortunately, DAST as implemented in NTOSpider has a few disadvantages. Dynamic application security testing tools are helpful in preventing security issues, but DAST relies on security experts to create the right test procedures, and comprehensive testing for any programme is difficult to come up with. Furthermore, DAST tools can generate false-positive results by misinterpreting a real application feature as a problem. False positives add to an analyst's workload when determining whether DAST findings are true, and as the number of false-positive results rises, test reliability decreases. Another disadvantage is that such tools can only detect that a bug exists and cannot pinpoint the bug inside the code itself, so developers may not know where to begin searching for a solution if DAST is used alone. DAST methods also rely on requests and responses, which can leave many defects in the architectural design hidden. NTOSpider is known for its slow speed; a scan can take days or weeks to complete. Moreover, since it occurs late in the SDLC, the challenges it finds affect the production teams, extending schedules and increasing costs. Furthermore, because testing can take days or weeks, more members of the project lifecycle teams are affected as bugs are detected. In some lengthy cases, developers may need to go back and re-familiarise themselves with older code before they can reach a final repair.
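The CSRF token handling described above, as an added example that is not from the report or from NTOSpider: a minimal HMAC-bound token scheme (the function names, form markup and session ids are constructed for illustration) showing why a state-changing request without the session's valid token is rejected, and why a token-aware scanner must first harvest the token from the rendered page before it can exercise the endpoint at all.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Constructed server-side secret for this example; a real app loads it from config.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to the session: nonce + HMAC(session_id:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session; constant-time compare avoids timing leaks."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def render_form(session_id: str) -> str:
    """What the legitimate page serves: the form with a fresh token embedded."""
    return (
        '<form method="POST" action="/account/email">'
        f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session_id)}">'
        '<input name="email"><button>Save</button></form>'
    )


def extract_csrf_token(html: str) -> Optional[str]:
    """What a token-aware scanner does before testing: harvest the token from the page."""
    m = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return m.group(1) if m else None


def handle_post(session_id: str, form: dict) -> int:
    """State-changing endpoint: 403 without a valid token for this session, else 200."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403
    return 200
```

A forged cross-site request carries the victim's session cookie but not the token (the attacker's page cannot read it), so it lands on the 403 branch; a scanner that does not collect the token sees the same 403 and reports nothing useful about the endpoint.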

SUMMARY

According to a report, web application scanners normally cannot detect vulnerabilities in applications built on top of complex technologies such as HTML5 and AJAX. However, NTOSpider, a security scanner for web applications developed by NT OBJECTIVES, a developer of comprehensive and accurate automated security testing tools for web applications, can address these problems. This web scanner has several features designed to help organisations develop a user-friendly and effective web application security policy. Many features are described in the report on this security scanner, such as analysing any site that has been exposed to risk, arranging the threats found by priority, producing highly graphical HTML reports, and pointing out the security status of the site by its weaknesses and vulnerability to all threats. In a nutshell, NTOSpider's comprehensive system coverage combined with advanced attack methodologies would give the highest rates in the industry for removing false positive and false negative findings.
