forked from OWASP-Benchmark/BenchmarkJava
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathOWASP_Benchmark_Guide.html
More file actions
171 lines (137 loc) · 11 KB
/
Copy pathOWASP_Benchmark_Guide.html
File metadata and controls
171 lines (137 loc) · 11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
<meta name="description" content="">
<meta name="author" content="">
<link rel="icon" href="../../favicon.ico">
<title>Guide to the OWASP Benchmark v1.1,1.2</title>
<!-- Bootstrap core CSS -->
<link href="content/css/bootstrap.min.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="content/dashboard.css" rel="stylesheet">
<!-- Just for debugging purposes. Don't actually copy these 2 lines! -->
<!--[if lt IE 9]><script src="../../assets/js/ie8-responsive-file-warning.js"></script><![endif]-->
<script src="content/js/ie-emulation-modes-warning.js" type="text/javascript"></script>
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container-fluid">
<div class="navbar-header">
<a class="navbar-brand" href="OWASP_Benchmark_Home.html">OWASP Benchmark v1.1,1.2</a>
</div>
<div id="navbar" class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="OWASP_Benchmark_Home.html">Home</a></li>
<li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Tools<span class="caret"></span></a>
<ul class="dropdown-menu">
<li><a href="Benchmark_v1.2_Scorecard_for_FBwFindSecBugs_v1.4.0.html">FBwFindSecBugs v1.4.0</a></li>
<li><a href="Benchmark_v1.2_Scorecard_for_FBwFindSecBugs_v1.4.3.html">FBwFindSecBugs v1.4.3</a></li>
<li><a href="Benchmark_v1.2_Scorecard_for_FBwFindSecBugs_v1.4.4.html">FBwFindSecBugs v1.4.4</a></li>
<li><a href="Benchmark_v1.2_Scorecard_for_FBwFindSecBugs_v1.4.5.html">FBwFindSecBugs v1.4.5</a></li>
<li><a href="Benchmark_v1.2_Scorecard_for_FBwFindSecBugs_v1.4.6.html">FBwFindSecBugs v1.4.6</a></li>
<li><a href="Benchmark_v1.2_Scorecard_for_FindBugs_v3.0.1.html">FindBugs v3.0.1</a></li>
<li><a href="Benchmark_v1.2_Scorecard_for_OWASP_ZAP_vD-2015-08-24.html">OWASP ZAP vD-2015-08-24</a></li>
<li><a href="Benchmark_v1.2_Scorecard_for_OWASP_ZAP_vD-2016-09-05.html">OWASP ZAP vD-2016-09-05</a></li>
<li><a href="Benchmark_v1.2_Scorecard_for_PMD_v5.2.3.html">PMD v5.2.3</a></li>
<li><a href="Benchmark_v1.1_Scorecard_for_SAST-01.html">SAST-01</a></li>
<li><a href="Benchmark_v1.1_Scorecard_for_SAST-02.html">SAST-02</a></li>
<li><a href="Benchmark_v1.1_Scorecard_for_SAST-03.html">SAST-03</a></li>
<li><a href="Benchmark_v1.1_Scorecard_for_SAST-04.html">SAST-04</a></li>
<li><a href="Benchmark_v1.1_Scorecard_for_SAST-05.html">SAST-05</a></li>
<li><a href="Benchmark_v1.1_Scorecard_for_SAST-06.html">SAST-06</a></li>
<li><a href="Benchmark_v1.2_Scorecard_for_SonarQube_Java_Plugin_v3.14.html">SonarQube Java Plugin v3.14</a></li>
<li><a href="Benchmark_v1.1,1.2_Scorecard_for_Commercial_Tools.html">Commercial Average</a></li>
</ul></li>
<li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Vulnerabilities<span class="caret"></span></a>
<ul class="dropdown-menu">
<li><a href="Benchmark_v1.1,1.2_Scorecard_for_Command_Injection.html">Command Injection</a></li>
<li><a href="Benchmark_v1.1,1.2_Scorecard_for_Cross-Site_Scripting.html">Cross-Site Scripting</a></li>
<li><a href="Benchmark_v1.1,1.2_Scorecard_for_Insecure_Cookie.html">Insecure Cookie</a></li>
<li><a href="Benchmark_v1.1,1.2_Scorecard_for_LDAP_Injection.html">LDAP Injection</a></li>
<li><a href="Benchmark_v1.1,1.2_Scorecard_for_Path_Traversal.html">Path Traversal</a></li>
<li><a href="Benchmark_v1.1,1.2_Scorecard_for_SQL_Injection.html">SQL Injection</a></li>
<li><a href="Benchmark_v1.1,1.2_Scorecard_for_Trust_Boundary_Violation.html">Trust Boundary Violation</a></li>
<li><a href="Benchmark_v1.1,1.2_Scorecard_for_Weak_Encryption_Algorithm.html">Weak Encryption Algorithm</a></li>
<li><a href="Benchmark_v1.1,1.2_Scorecard_for_Weak_Hash_Algorithm.html">Weak Hash Algorithm</a></li>
<li><a href="Benchmark_v1.1,1.2_Scorecard_for_Weak_Random_Number.html">Weak Random Number</a></li>
<li><a href="Benchmark_v1.1,1.2_Scorecard_for_XPath_Injection.html">XPath Injection</a></li>
</ul></li>
<li><a href="OWASP_Benchmark_Guide.html">Guide</a></li>
</ul>
</div>
</div>
</nav>
<div class="container">
<div class="starter-template">
<div>empty</div>
<div>empty</div>
<h2>Introduction</h2>
<p>The OWASP Benchmark is a test suite designed to evaluate the speed, coverage, and accuracy of automated vulnerability detection tools. Without the ability to measure these tools, it is difficult to understand their strengths and weaknesses, and compare them to each other. The Benchmark contains thousands of test cases that are fully runnable and exploitable.</p>
<p>You can currently use the Benchmark with Static Application Security Testing (SAST) tools. A future goal is to support the evaluation of Dynamic Application Security Testing (DAST) tools like OWASP ZAP and Interactive Application Security Testing (IAST). The current version is implemented in Java. Future versions may expand to include other languages.</p>
<p>
For more information, please visit the <a href="https://www.owasp.org/index.php/Benchmark">OWASP Benchmark Project Site</a>.
</p>
<h2>Interpretation Guide</h2>
<p>Security tools (SAST, DAST, and IAST) are amazing when they find a complex vulnerability in your code. But they can drive everyone crazy with complexity, false alarms, and missed vulnerabilities. Using these tools without understanding their strengths and weaknesses can lead to a dangerous false sense of security.</p>
<p>We are on a quest to measure just how good these tools are at discovering and properly diagnosing security problems in applications. We rely on the long history of military and medical evaluation of detection technology as a foundation for our research. Therefore, the test suite tests both real and fake vulnerabilities.</p>
<p>There are four possible test outcomes in the Benchmark:</p>
<ul>
<li>Tool correctly identifies a real vulnerability (True Positive - TP)</li>
<li>Tool fails to identify a real vulnerability (False Negative - FN)</li>
<li>Tool correctly ignores a false alarm (True Negative - TN)</li>
<li>Tool fails to ignore a false alarm (False Positive - FP)</li>
</ul>
<p>We can learn a lot about a tool from these four metrics. A tool that simply flags every line of code as vulnerable will perfectly identify all vulnerabilities in an application, but will also have 100% false positives. Similarly, a tool that reports nothing will have zero false positives, but will also identify zero real vulnerabilities. Imagine a tool that flips a coin to decide whether to report each vulnerability for every test case. The result would be 50% true positives and 50% false positives. We need a way to distinguish valuable security tools from these trivial ones.</p>
<p>If you imagine the line that connects all these points, from 0,0 to 100,100 establishes a line that roughly translates to "random guessing." The ultimate measure of a security tool is how much better it can do than this line. The diagram below shows how we will evaluate security tools against the Benchmark.</p>
<img src="content/benchmark_guide.png" alt="" />
<h3>Key:</h3>
<table class="table">
<tr>
<th>True Positive (TP)</th>
<td>Tests with real vulnerabilities that were correctly reported as vulnerable by the tool.</td>
</tr>
<tr>
<th>False Negative (FN)</th>
<td>Tests with real vulnerabilities that were not correctly reported as vulnerable by the tool.</td>
</tr>
<tr>
<th>True Negative (TN)</th>
<td>Tests with fake vulnerabilities that were correctly not reported as vulnerable by the tool.</td>
</tr>
<tr>
<th>False Positive (FP)</th>
<td>Tests with fake vulnerabilities that were incorrectly reported as vulnerable by the tool.</td>
</tr>
<tr>
<th>True Positive Rate (TPR) = TP / ( TP + FN )</th>
<td>The rate at which the tool correctly reports real vulnerabilities. Also referred to as Recall, as defined at <a href="https://en.wikipedia.org/wiki/Precision_and_recall">Wikipedia</a>.
</td>
</tr>
<tr>
<th>False Positive Rate (FPR) = FP / ( FP + TN )</th>
<td>The rate at which the tool incorrectly reports fake vulnerabilities as real.</td>
</tr>
<tr>
<th>Score = TPR - FPR</th>
<td>Normalized distance from the random guess line.</td>
</tr>
</table>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js" type="text/javascript"></script>
<!-- Include all compiled plugins (below), or include individual files as needed -->
<script src="content/js/bootstrap.min.js" type="text/javascript"></script>
</body>
</html>