vulnerability testing
Recently Published Documents


Total documents: 76 (five years: 17)

H-index: 9 (five years: 2)

2022 ◽  
Vol 7 (1) ◽  
pp. 520
Author(s):  
Wasis Wardana ◽  
Ahmad Almaarif ◽  
Adityas Widjajarto

Currently the website has become an effective communication tool. However, it is essential to perform vulnerability assessment and penetration testing, using specific standards, on websites released to the public in order to secure information. The problems raised in this research are conducting vulnerability testing on the XYZ website to analyze its security gaps, as well as conducting penetration testing on the high-level vulnerabilities found. Testing was conducted using the NIST 800-115 standard through 4 main stages: planning, discovery, attack, and report. Several tools were used: Nmap, OWASP ZAP, Burp Suite, and Foxy Proxy. The results of this research are presented and analyzed. Seven vulnerabilities were found: one high-level vulnerability, two medium-level vulnerabilities, and four low-level vulnerabilities. At the high level, SQL Injection is found; at the medium level, Cross-Domain Misconfiguration vulnerabilities are found; at the low level, Absence of Anti-CSRF Tokens, Incomplete or No Cache-control and Pragma HTTP Header Set, Server Leaks Information via “X-Powered-By” HTTP Response Header Field, and X-Content-Type-Options Header Missing are found.


2021 ◽  
Vol 1 (13) ◽  
pp. 35-48
Author(s):  
Phùng Văn Ổn ◽  
Lê Việt Hà ◽  
Nguyễn Ngọc Hóa

Abstract (translated from Vietnamese)—This paper presents the results of research on building a solution for assessing and managing information system security risks in e-Government. In this problem, we focus on building (i) a process for assessing and managing information security (ATTT) risks, and (ii) the UET.SRA (Security Risk Assessment System) software system, which supports risk assessment and management according to the developed process. Information security risk management and assessment are combined according to domestic and international standards, including the processes in ISO/IEC 27005:2011 and NIST SP 800-39, but customized to fit the practice of government agencies. The UET.SRA software system assesses information security risk based on the method of checking Common Vulnerabilities and Exposures (CVE); quantitative risk estimation follows the Common Vulnerability Scoring System (CVSS) and the Open Web Application Security Project (OWASP). In addition, UET.SRA also provides functions for analyzing and detecting vulnerabilities and malicious code segments in web application source code using deep learning technology. The experimental results of the UET.SRA solution at the Ministry of Natural Resources and Environment (TN&MT) have initially demonstrated its practical significance and allowed the management of information security risks for a number of critical systems of the Ministry of TN&MT.

Abstract—This article presents the results of building a solution to assess and manage security risks for the e-Government information system. We focus on building a process and a software system, UET.SRA, to manage and assess security risks. The process was developed using a combination of international and domestic standards, including ISO/IEC 27005:2011 and NIST SP 800-39, but customized to match the practice of government agencies. UET.SRA evaluates security risks based on CVE-based vulnerability testing; quantitative risk is based on the CVSS and OWASP standards. In addition, UET.SRA also provides the function of detecting vulnerabilities and webshells in the source code of web applications using deep learning algorithms. The experimental results of UET.SRA at the Ministry of Natural Resources and Environment have initially demonstrated practical effectiveness in managing security risks for a number of critical systems.


2021 ◽  
Vol 3 (3) ◽  
pp. 394-400
Author(s):  
Yudi Mulyanto ◽  
Eka Haryanti ◽  
Jumirah Jumirah

SMAN 1 Sumbawa is a school that provides information to students through a website-based information system to facilitate school administration services. Considering that the website can be accessed widely, it is necessary to pay attention to the security of the website. One way is by using the Vulnerability Assessment method. The Vulnerability Assessment method is a method for conducting vulnerability testing on a website or application that is potentially open to attack, and it consists of several stages such as Network Discovering, Vulnerability Scanning, and Result Analysis. These stages aim to identify security holes on the SMAN 1 Sumbawa website. The tests that have been carried out identified four levels of vulnerability, namely high, medium, low, and informational, on the SMAN 1 Sumbawa website. The high-level vulnerability obtained is SQL Injection. The SQL Injection vulnerability makes it easy for attackers to access the entire database. The results of the tests that have been carried out show that the SMAN 1 Sumbawa website has many vulnerabilities, so the SMAN 1 Sumbawa website is still in an unsafe state.


2021 ◽  
Vol 23 (06) ◽  
pp. 647-653
Author(s):  
Bhayakumara S Basutakara ◽  
Dr. Jayanthi P N
Static checkers are commonly used by programmers; they verify our programs for flaws without executing them, a process known as static code analysis. In this way it works with a program that has an early indication of correctness, attempting to avoid well-known traps and problems before comparing it to its specifications. Software security is becoming increasingly crucial in order for programs to be universally accepted for a wide range of transactions. During the development process, automated code analyzers can be used to detect security flaws. The purpose of this paper is to provide an overview of static code analysis and how it may be used to uncover security flaws. This document summarizes and presents the most recent discoveries and publications. The gains, flow, and methods of static code analyzers are discussed in this study. It can be viewed as a stepping stone toward more research in this area. In Java, there are two types of static code checkers: those that work directly on the source code and those that work on the produced bytecode. Although each code checker is unique, they all share some common characteristics. They read the software and build a model of it, an abstract representation that they may use to match the error patterns they notice. They also perform a data-flow analysis, attempting to deduce the probable values of variables at various stages in the program. Vulnerability testing, an increasingly significant field for code checkers, necessitates data-flow analysis.


Public Platform is designed as an online website for researchers to collect reliable data for the study. NVD plays a significant role in the analysis; the results of the analysis are associated with impact metrics (CVSS), weakness types (CWE), and applicability statements (CPE). Vulnerability testing is not performed by NVD; instead, third-party security researchers and vulnerability controllers provide the information that has been assigned these attributes. ML plays a significant part in our daily life for the classification of huge data and is giving fruitful results. Because of those results, major steps have been taken against criminal activities or unauthorized use of electronic data, and to protect the data from attackers. The major goal of this research is to categorize CVE-based software vulnerabilities over the last two years, 2019-2020. The findings of this study were used for ML-based categorization of CVEs and compared, and will open the door for fresh researchers and professionals.


Author(s):  
Yosua Ade Pohan

Regional Tax Reporting Application Webserver is one of the public services for taxpayers to report their sales transactions. This application can be accessed on the domain http://sptpd.payakumbuhkota.go.id. This application is public, so the principles of information security must be applied to prevent cyber attacks. The principles of information security include confidentiality, integrity, and availability. To apply these information security principles, it is necessary to conduct a vulnerability assessment of the application webserver. This study aims to improve the security of the application webserver so that the data and information in it are secure. The method used in this study is the Penetration Testing Execution Standard, which is one of the methods developed by the Pentest Organization to become a standard for analyzing or auditing security systems. The results of vulnerability testing using the software Acunetix, Nikto, BurpSuite and OWASP show seven types of vulnerabilities, namely: X-Frame Header Options is Missing, CSRF Attack, Cookie Without Only Flash, DNS Vulnerability, DDoS Attack, Bruteforce Page Login and Open Port. The vulnerabilities can be exploited, and the application's vulnerability level is in the medium category. The recommendations for fixing the vulnerabilities can be applied by the developer, so that after repairs are made, the vulnerability level of the application webserver is in the low category and there is only one type of vulnerability, namely Brute Force Page Login.


Author(s):  
Alicia Leslie-Jones

Cybersecurity is an ever-evolving area of technology. As such, there will always be myriad trends to consider. Through the progression of cybersecurity comes the increased need for organizations to keep pace with the rapid development of technology. However, the current skills gap of cybersecurity professionals has overwhelmingly become a cause for concern. The spread of cloud computing has created a need for new cloud forensics procedures, and the use of internet-connected medical devices has added concerns for the information security structure of many organizations. In order to resolve these issues, proper vulnerability testing and implementation of new processes to keep up with the changes in technology have to be introduced to reduce the possibility of hacking incidents and aid in remediation. If more organizations leverage the skills and personnel available to them, there are ways to reduce the skills gap and other issues affecting cybersecurity.


Author(s):  
Yosua Ade Pohan ◽  
Yuhandri Yunus ◽  
S Sumijan

Regional Tax Reporting Application Webserver is one of the public services for taxpayers to report their sales transactions. This application can be accessed on the domain http://sptpd.payakumbuhkota.go.id. This application is public, so the principles of information security must be applied to prevent cyber attacks. The principles of information security include confidentiality, integrity, and availability. To apply these information security principles, it is necessary to conduct a vulnerability assessment of the application webserver. This study aims to improve the security of the application webserver so that the data and information in it are secure. The method used in this study is the Penetration Testing Execution Standard, which is one of the methods developed by the Pentest Organization to become a standard for analyzing or auditing security systems. The results of vulnerability testing using the software Acunetix, Nikto, BurpSuite and OWASP show seven types of vulnerabilities, namely: X-Frame Header Options is Missing, CSRF Attack, Cookie Without Only Flash, DNS Vulnerability, DDoS Attack, Bruteforce Page Login and Open Port. The vulnerabilities can be exploited, and the application's vulnerability level is in the medium category. The recommendations for fixing the vulnerabilities can be applied by the developer, so that after repairs are made, the vulnerability level of the application webserver is in the low category and there is only one type of vulnerability, namely BruteForce Page

