Sunday, January 18, 2015

RvR, WAFEP and WAVSEP results update

Most of my time these days is spent on creating a dynamic interface for updating benchmark results, and on two major projects aimed at enhancing the WAVSEP evaluations and adding additional comparison content, in addition to accuracy, crawling and automation.

The first project, RvR (Relative Vulnerability Rating), is a project I already mentioned in the past which merges vulnerabilities from well known vulnerability classifications (WASC, CWE, CAPEC, OWASP, Blogs, Conferences, etc) into a list customized specifically for product feature evaluations.

The list, originally planned to include 233 attack vectors, already includes 284 (!!!) different attack vectors with unique classifications, links, repository mapping and videos,
A web site containing the content was published last week, and although all the content is very much usable, I'm still delaying the publication until I get some vendor feedback (expect an official publication soon).

The purpose of the project is not only to evaluate features of dynamic vulnerability scanners (DAST), but also to cover source code analysis tools (SAST), interactive application testing tools (IAST), and in contrast to the past - various software protection products, including application-level IDS/IPS mechanisms and web application firewalls (WAF).

Which leads me to the second project -

WAFEP - The Web Application Firewall Evaluation Project

WAFEP is an upcoming project aimed to serve a WAVSEP-like role for various application-level protection products.

Unlike WAVSEP, WAFEP is planned on being completely automated in terms of payload execution AND result calculation, and would enable the evaluation of web application firewalls in relatively short timeframes.

The "accuracy" aspect is implemented as attack vector specific payloads meant to simulate context-specific exploits that an IDS/IPS/WAF should identify and/or prevent, false positive scenarios that should not be identified, and in the future, evasion techniques that may circumvent the detection process.

The project already includes thousands of payloads imitating flavors of +-10 high-impact attack vectors, some of which were already published in an early alpha version uploaded to the project source forge repository last week.

The published alpha version is just a technology POC, and does not include most of the vector payloads or content, but in the upcoming weeks I'll make an effort to finish up some sections in the platform and release a v1.0 public version.
I'll also publish updated versions with relevant payloads in the meantime, at least until I reach the 1.0 goal.

WAVSEP Results Update

Finally, from time to time, I still try to squeeze in additional WAVSEP product assessments for additional vendors, the latest of which is Tinfoil Security, alongside certain version upgrades,

As always, the full list is found in SecToolMarket, and the following image summarizes the updates:

If all goes well, in the near future, the list will be updated with the results of a couple of more.

I didn't update the results of any of the open source products, and will try to find the time to do so in the near future, at least for some of the projects - a task that should be much easier once the dynamic interface is finally online.