What is a vulnerability?
API Abuse
Authentication Vulnerability
Authorization Vulnerability
Availability Vulnerability
Code Permission Vulnerability
Code Quality Vulnerability
Configuration Vulnerability
Cryptographic Vulnerability
Encoding Vulnerability
Environmental Vulnerability
Error Handling Vulnerability
General Logic Error Vulnerability
Input Validation Vulnerability
Logging and Auditing Vulnerability
Password Management Vulnerability
Path Vulnerability
Protocol Errors
Range and Type Error Vulnerability
Sensitive Data Protection Vulnerability
Session Management Vulnerability
Synchronization and Timing Vulnerability
Unsafe Mobile Code
Use of Dangerous API
Cryptographic Vulnerability
This category is for tagging vulnerabilities that are related to cryptographic modules.
Examples
Algorithm Problems
Insecure Algorithm
Use of algorithms that are proven flawed or weak (DES, 3DES, MD5, SHA-1, Blowfish), or of sound
primitives in a weak configuration (AES in ECB mode, Diffie-Hellman with small or non-standard groups)
Implementation errors
Weak keys
Key disclosure
Key updates
Use the same seed for the random number generator every time
Sniffing
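As an added illustration of the seeding and key-disclosure items above (this is example code, not part of the OWASP page): a key is derived from Python's `random` module seeded with a timestamp, which is the "same or predictable seed every time" mistake, and an attacker who knows only a SHA-256 fingerprint of the key and the rough time of generation recovers the seed, and with it the key, by brute force. The function names, the fingerprint-as-key-id idea and the 1000-second window are this example's own assumptions.

```python
import hashlib
import random
import secrets
from typing import Optional

KEY_LEN = 32  # bytes of key material


def weak_key(seed: int) -> bytes:
    """Anti-pattern: key material from a PRNG seeded with a guessable value.

    random.Random is a Mersenne Twister; given the seed, its output is fully
    determined, so anyone who can guess the seed regenerates the key. A
    hard-coded seed (the same seed every run) or a timestamp seed both fail
    the same way.
    """
    rng = random.Random(seed)
    return rng.getrandbits(KEY_LEN * 8).to_bytes(KEY_LEN, "big")


def strong_key() -> bytes:
    """Correct: draw key material from the OS CSPRNG; there is no seed to guess."""
    return secrets.token_bytes(KEY_LEN)


def fingerprint(key: bytes) -> str:
    """SHA-256 of the key, used as a key identifier (assumed to have leaked,
    e.g. in a log line or a key-id header)."""
    return hashlib.sha256(key).hexdigest()


def recover_seed(target_fp: str, seed_candidates: range) -> Optional[int]:
    """Attacker side: regenerate the key for every candidate seed until the
    fingerprint matches. Cost is one PRNG run plus one hash per candidate."""
    for seed in seed_candidates:
        if fingerprint(weak_key(seed)) == target_fp:
            return seed
    return None


def demo() -> dict:
    # Constructed scenario: the server seeded its PRNG with time.time() at
    # key-generation time, and the attacker knows that time to within ~500 s.
    gen_time = 1_700_000_123
    victim_key = weak_key(gen_time)
    leaked_fp = fingerprint(victim_key)
    window = range(gen_time - 500, gen_time + 500)

    found = recover_seed(leaked_fp, window)
    recovered_key = weak_key(found) if found is not None else None

    # Same search against a CSPRNG-generated key: nothing in the window matches.
    csprng_hit = recover_seed(fingerprint(strong_key()), window)

    return {
        "seed_found": found,
        "key_recovered": recovered_key == victim_key,
        "csprng_seed_found": csprng_hit,
    }


if __name__ == "__main__":
    print(demo())
```

The remediation is the one-line change from `weak_key` to `strong_key`: the search space of a CSPRNG output is the full 256 bits, not the few thousand plausible timestamps.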
Web Application Vulnerability Scanners are automated tools that scan web applications to
look for known security vulnerabilities such as cross-site scripting, SQL injection, command
execution, directory traversal and insecure server configuration. A large number of both
commercial and open source tools are available, and all of these tools have their own strengths
and weaknesses.
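To make the probe-and-match loop behind such tools concrete, here is an added example that is not from the OWASP page or from any tool listed below: two of the checks named above, reflected cross-site scripting and error-based SQL injection, run against two constructed in-process targets, one that interpolates user input into its SQL and HTML and leaks the database error, and one that parameterizes and escapes. The `fetch` callable stands in for an HTTP client so everything runs offline; the target URL, the `q` parameter and the error-signature list are this example's assumptions.

```python
import html
import re
import secrets
import sqlite3
from typing import Callable, Dict
from urllib.parse import parse_qs, urlencode, urlparse

# A scanner normally drives an HTTP client. Here the "client" is any callable
# that takes a URL and returns the response body, so targets can be in-process.
Fetch = Callable[[str], str]

# Database error strings a scanner matches on for error-based SQL injection.
SQL_ERROR_SIGNATURES = [
    re.compile(r"You have an error in your SQL syntax", re.I),          # MySQL
    re.compile(r"unterminated quoted string", re.I),                    # PostgreSQL
    re.compile(r"unrecognized token|near \".*\": syntax error", re.I),  # SQLite
    re.compile(r"ORA-\d{5}", re.I),                                     # Oracle
]


def check_reflected_xss(fetch: Fetch, url: str, param: str) -> bool:
    """Send a unique marker wrapped in HTML-significant characters. If it comes
    back byte-for-byte, the application did not encode it for an HTML context."""
    marker = "owasp" + secrets.token_hex(4)
    payload = f'<{marker}>"'
    body = fetch(f"{url}?{urlencode({param: payload})}")
    return payload in body


def check_sql_error(fetch: Fetch, url: str, param: str) -> bool:
    """A lone single quote breaks an interpolated string literal; a leaked
    database error message is the signal."""
    probe = "1'"
    body = fetch(f"{url}?{urlencode({param: probe})}")
    return any(sig.search(body) for sig in SQL_ERROR_SIGNATURES)


def scan(fetch: Fetch, url: str, param: str) -> Dict[str, bool]:
    return {
        "reflected_xss": check_reflected_xss(fetch, url, param),
        "sql_error": check_sql_error(fetch, url, param),
    }


# --- constructed targets (stand-ins for a real web application) -------------
def _make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)", [("apple",), ("pear",)])
    return conn


def _query_param(url: str, name: str) -> str:
    return parse_qs(urlparse(url).query).get(name, [""])[0]


VULN_DB = _make_db()
SAFE_DB = _make_db()


def vulnerable_app(url: str) -> str:
    """Interpolates the search term into both the SQL and the HTML, and echoes
    the raw database error on failure."""
    term = _query_param(url, "q")
    try:
        rows = VULN_DB.execute(
            f"SELECT name FROM items WHERE name = '{term}'"
        ).fetchall()
    except sqlite3.Error as e:
        return f"<p>Database error: {e}</p>"
    return f"<h1>Results for {term}</h1><p>{len(rows)} found</p>"


def hardened_app(url: str) -> str:
    """Parameterized query plus HTML escaping; database errors are not leaked."""
    term = _query_param(url, "q")
    try:
        rows = SAFE_DB.execute(
            "SELECT name FROM items WHERE name = ?", (term,)
        ).fetchall()
    except sqlite3.Error:
        return "<p>Search failed.</p>"
    safe_term = html.escape(term, quote=True)
    return f"<h1>Results for {safe_term}</h1><p>{len(rows)} found</p>"


if __name__ == "__main__":
    for label, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(label, scan(app, "http://target.test/search", "q"))
```

The two checks are deliberately black-box: they know nothing about the target's code, only what comes back for a chosen input, which is exactly why such scanners miss flaws whose effect is not visible in the response and why the listing below warns that every tool has its own blind spots.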
Disclaimer: The tools listed in the table below are presented in alphabetical order. OWASP does
not endorse any of the vendors or scanning tools by listing them in the table below. We have made every
effort to present this information as accurately as possible. If you are the vendor of a tool below and think that
this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make
every effort to correct it.
Tools Listing

Name                | Owner                | Licence                                | Platforms
--------------------|----------------------|----------------------------------------|------------------------------------
Acunetix WVS        | Acunetix             | Commercial / Free (Limited Capability) | Windows
AppScan             | IBM                  | Commercial                             | Windows
AVDS                | Beyond Security      | Commercial / Free (Limited Capability) | N/A
Burp Suite          | PortSwigger          | Commercial / Free (Limited Capability) | Most platforms supported
Contrast            | Contrast Security    | Commercial / Free (Limited Capability) | SaaS or On-Premises
GamaScan            | GamaSec              | Commercial                             | Windows
Grabber             | Romain Gaucher       | Open Source                            | Python 2.4, BeautifulSoup and PyXML
Grendel-Scan        | David Byrne          | Open Source                            |
Hailstorm           | Cenzic               | Commercial                             | Windows
IKare               | ITrust               | Commercial                             | N/A
N-Stealth           | N-Stalker            | Commercial                             | Windows
Netsparker          | Mavituna Security    | Commercial                             | Windows
NeXpose             | Rapid7               | Commercial / Free (Limited Capability) | Windows/Linux
Nikto               | CIRT                 | Open Source                            | Unix/Linux
NTOSpider           | NT OBJECTives        | Commercial                             | Windows
ParosPro            | MileSCAN             | Commercial                             | Windows
Proxy.app           | Websecurify          | Commercial                             | Macintosh
QualysGuard         | Qualys               | Commercial                             | N/A
Retina              | BeyondTrust          | Commercial                             | Windows
Securus             | Orvant, Inc          | Commercial                             | N/A
Sentinel            | WhiteHat Security    | Commercial                             | N/A
SOATest             | Parasoft             | Commercial                             | Windows, Unix/Linux and Macintosh
Trustkeeper Scanner | Trustwave SpiderLabs | Commercial                             | SaaS
Vega                | Subgraph             | Open Source                            |
Wapiti              |                      |                                        |
WebApp360           | TripWire             | Commercial                             | Windows
WebInspect          | HP                   | Commercial                             | Windows
WebReaver           | Websecurify          | Commercial                             | Macintosh
WebScanService      | German Web Security  | Commercial                             | N/A
Websecurify Suite   | Websecurify          | Commercial / Free (Limited Capability) | Windows, Linux, Macintosh
Wikto               | Sensepost            | Open Source                            | Windows
(name not captured) | OWASP                | Open Source                            | Windows
Zed Attack Proxy    | OWASP                | Open Source                            | Windows, Unix/Linux and Macintosh
Holders of CISSP certifications can earn additional certifications in areas of specialty. There are three
possibilities:
1. Information Systems Security Architecture Professional (CISSP-ISSAP)
2. Information Systems Security Engineering Professional (CISSP-ISSEP)
3. Information Systems Security Management Professional (CISSP-ISSMP)
(ISC)² is now releasing the Third Edition Official Guide to the CISSP CBK one domain at a
time on iTunes and for the Kindle.[10] The entire book is also available in hard copy.