Guide to attacks, vulnerabilities, techniques and tools for Web applications
DOI: https://doi.org/10.32870/recibe.v4i1.43

Keywords: security, vulnerabilities, web applications, attacks, techniques, tools, vulnerability detection

Abstract: The risk to computer systems has grown with the increasing complexity of information technology. Today any computer connected to the Internet is exposed to a variety of threats, and one consequence is a worldwide rise in the number of attacks. One way to prevent them is to act in advance by detecting the potential vulnerabilities that attackers could exploit, which lowers the probability that an attack succeeds. This paper reviews some of the techniques and tools currently used to detect vulnerabilities and presents a traceability matrix between attacks, vulnerabilities, techniques and tools that determines which vulnerabilities and attacks can be mitigated by using those techniques and tools.