Using and Extending Vega
David Mirza, Subgraph, Montreal
www.subgraph.com


Vega 1.0 presentation at Countermeasure 2012.


Page 1: Title slide

Using and Extending Vega
David Mirza, Subgraph, Montreal

Page 2: Introduction: Who We Are

Open-source security startup, based in Montreal.

Experienced founders:

• Secure Networks Inc.
• SecurityFocus (Symantec)
• Core Security Technologies
• Netifera
• REcon

Page 3: Open Source and Security: Kerckhoffs’ principle

Auguste Kerckhoffs: 19th century Dutch linguist and cryptographer.

Made an important realization:

“The security of any cryptographic system does not rest in its secrecy, it must be able to fall into the enemy’s hands without inconvenience.”

“The adversary knows the system” (Claude Shannon)

As opposed to “security through obscurity”.

Page 4: Open Source and Security: Kerckhoffs’ Principle

• Well understood in the world of cryptography
• New ciphers are not trusted, because cryptography is a “black box”
• Once in a while (less now), companies try to market proprietary ciphers. There’s a term for this: “snake oil”
• Kerckhoffs’ principle can be understood as “open source is good security”

Page 5: Commercial Web Security Software

Advantages:

• Ease of installation, upgrade, use
• User experience
• Quality assurance, bug fixes
• Documentation and help
• Development driven by demand and need

Disadvantages:

• Expensive
• Sometimes bizarre licensing restrictions
• EOL, acquisitions, other events
• Proprietary / closed source

Page 6: Open Source Web Security Tools

Let’s just talk about disadvantages..

• No integration / sharing between tools
• Poor or non-existent UI, documentation / help
• Painful, broken installations
• Code is of inconsistent quality
• Developer / contributor unreliability: developer interest driven by interest, skill level, whim
• Forks
• Abandonment: developer finished college, got a job
• Successfully reproduced

Page 7: i hurt myself today

Page 8: Our Vision: One web, one web security tool

• Open source
• Consistent, well-designed UI
• Functions really well as an automated scanner: shouldn’t need to be a penetration tester
• Advanced features for those who are
• User extensibility, community
• Plus all that boring stuff: documentation, help, business-friendly features
• We are building the ultimate platform for web security: rapidly prototype attacks
• Nobody should have to use commercial tools, because Vega is free

Page 9: Introducing Vega Platform

‣ Open-source web application vulnerability assessment platform
‣ Easy-to-use graphical interface
‣ Works on Windows, Mac, Linux
‣ Automated scanner, attacking proxy finds vulnerabilities
‣ Based on Eclipse RCP
‣ Extensible: JavaScript, a language every web developer knows
‣ Shipped first release July 1
‣ EPL 1.0

Page 10: Vega is Built On:

• Eclipse RCP / Equinox OSGi
• Apache HC
• JSoup
• Mozilla Rhino
• Eliteness

Page 11: Automated Scanner

• Recursive crawl over target scope
  • 404 detection
  • Probes path nodes to determine whether they are files or directories
• Builds a tree-like internal representation of the target application
• Vega runs injection modules on nodes, abstracted in the API
• Response processing modules run on all responses
• Modules written in JavaScript

New for 1.0:

• Expanded scope, more than one base URI
• Support for authentication: HTTP, form-based, NTLM
• Much better scanner modules
• Very annoying crawler bugs fixed

Page 12: Vega Automated Scanner

Page 13: Start new scan and choose some of these modules:

Page 14: Which are each one of these..

Page 15: Modules produce vulnerability reports:

Page 16: ..which are based on these: Vega is very extensible.

Page 17: Request / response pair

Page 18: Can be reviewed / replayed, module highlights finding

Page 19: Vega Proxy

• Intercepting proxy
  • SSL MITM, including CA signing cert: http://vega/ca.crt through the proxy
• Edit requests, responses
• Request replay
• Response processing modules run on all responses
  • Modules written in JavaScript

New for 1.0:

• Proxy scanning
  • Fuzzes pages in target scope when enabled
  • Finds lots of vulnerabilities

Page 20: Browser proxy configuration:

Page 21: General proxy use. Green “play” button enables proxy, red stops it.

Page 22: Configuring a Breakpoint

Page 23: Intercepted Request

Page 24: SSL MITM: Magic proxy URI

Page 25: Proxy Scanning

• Gathers parameters and path information by observing client-server interaction
• Sees things the crawler can’t see:
  • RPC endpoints
  • Links in Flash, Java, other active content
• Very effective at finding vulnerabilities
• To try it: configure the proxy, create a proxy target scope, enable proxy scanning

Page 26: Configure a target scope

Page 27: Alert Notification Icon, aka SQL Injection Blinker; Enable Proxy Scanning

Page 28: Proxy Scanner Alerts

Page 29: Demo (1.0!)

Page 30: Extending Vega

• Modules written in JavaScript
  • In the Vega/scripts/ subdirectory tree
  • Well, on OS X they’re in some weird place
• Two kinds of modules:
  • Injection, AKA “Basic”: send fuzzing requests, do stuff with the responses
  • Response processing: pattern matching, regex, checking response properties

Page 31: Extending Vega

• Rich API
  • Check documentation at https://support.subgraph.com
• DOM analysis with jQuery
  • E.g. file upload, password input submitted over HTTP..
• Alerts based on XML templates
  • In the XML/ subdirectory
  • Freemarker macro / CSS components
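An added example, not Vega's module API and not the project's own code, of the kind of check a response-processing module makes: flag forms that contain a password input and submit over plain HTTP. The function names and sample page are assumptions, and jQuery is replaced by a regex scan so the block runs stand-alone.

```javascript
// Added example, not Vega's module API: a response-processing style check for
// the "password input submitted over HTTP" case named in the slide above.
// findPasswordFormsOverHttp() and the sample page below are constructed here.

// A missing or empty action submits back to the page's own URL; relative
// actions resolve against it, so an https page with action="/auth" stays https.
function resolveAction(pageUrl, action) {
  if (!action) return pageUrl;
  return new URL(action, pageUrl).href;
}

// Returns one finding per <form> that contains a password input and whose
// action resolves to a plain http:// URL. Regex-based instead of jQuery so it
// runs stand-alone; a real module would walk the parsed DOM.
function findPasswordFormsOverHttp(pageUrl, html) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  const pwRe = /<input\b[^>]*\btype\s*=\s*["']?password["']?/i;
  const actionRe = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    if (!pwRe.test(body)) continue;
    const a = actionRe.exec(attrs);
    const action = a ? (a[1] || a[2] || a[3] || "") : "";
    let target;
    try { target = resolveAction(pageUrl, action); } catch (e) { continue; }
    if (target.startsWith("http:")) {
      findings.push({ page: pageUrl, submitsTo: target });
    }
  }
  return findings;
}

// Constructed sample response (not a real site).
const SAMPLE_HTML = `
<form action="/auth" method="post">
  <input name="user"><input type="password" name="pw">
</form>
<form action="https://example.test/secure" method="post">
  <input type=password name="pw2">
</form>
<form action="/search"><input name="q"></form>`;

// Same body served over http and over https: only the former is a finding,
// because the relative action inherits the page's scheme.
console.log(findPasswordFormsOverHttp("http://example.test/login", SAMPLE_HTML));
console.log(findPasswordFormsOverHttp("https://example.test/login", SAMPLE_HTML));
```

The https page case with an explicit http:// form action (mixed content) is the one a module like this catches that a scheme check on the page URL alone would miss.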

Page 32: Where are we at?

• Feature complete for 1.0
• Testing and fixing bugs
• Additional module refinement and testing
• Vega 1.0 release in November? Or early December
• Visit my github (or github.com/brl) if you want what you see here
  • Download link on our website is the beta..
• Can provide builds for OS X, Windows users
  • Just ask me: email, irc (#subgraph / freenode), twitter, whatever

Page 33: What’s coming?

• Even more improvements in detections
• Fuzzer / brute forcer
• Better reporting
• Better encoding, decoding, representation and manipulation of structured data
• Headless scanner
• HAR export
• Scriptable proxy
• We’re open to ideas and feedback!

Page 34: Thank you!

Web: http://www.subgraph.com

Twitter: Us: @subgraph; Me: @attractr

IRC: irc.freenode.org, #subgraph

Try Vega / get the source:

• http://github.com/dma/Vega (newer, less stable)
• http://github.com/subgraph/Vega (more stable)

E-mail us: [email protected]