Ory Segal

Israel
5K followers 500+ connections

About

A world renowned expert in cloud & application security with over 20 years of experience.…

Experience & Education

  • Kooply

Publications

  • The 12 Most Critical Risks for Serverless Applications

    Cloud Security Alliance (CSA)

    Today, many organizations are exploring serverless architectures or are taking their first steps in the serverless world. To help them succeed in building robust, secure and reliable applications, the Cloud Security Alliance’s Israel Chapter has drafted “The 12 Most Critical Risks for Serverless Applications 2019.” This paper enumerates what top industry practitioners and security researchers with vast experience in application security, cloud and serverless architectures believe to be the current top risks specific to serverless architectures.
  • Apache OpenWhisk 'Action' Mutability Weakness (CVE-2018-11756, CVE-2018-11757)

    PureSec

    Apache OpenWhisk is a serverless, open source cloud platform that executes functions in response to events at any scale. OpenWhisk is a cloud-first, distributed, event-based programming service. It provides a programming model to upload event handlers to a cloud service and register the handlers to respond to various events.

    PureSec recently discovered that under certain conditions (specified below), a remote attacker may overwrite the source code of the action (serverless function) being executed and influence subsequent executions of the same function in the same container. An attacker that manages to overwrite or modify the code of the action can then leverage this to perform further attacks such as:
    - Leak sensitive action input data during subsequent executions, potentially of different end-users
    - Execute rogue logic in parallel to the action’s original logic in subsequent executions, potentially of different end-users

    In addition, an attacker may launch similar attacks in parallel and in turn affect additional containers, turning the attack into a more persistent or widespread threat.

    Other authors
  • Passive Fingerprinting of HTTP/2 Clients

    Akamai Technologies

    HTTP/2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred "on the wire" by introducing a full binary protocol, made up of TCP connections, streams and frames, rather than simply being a plain-text protocol. Such a fundamental change from HTTP/1.x to HTTP/2 meant that client-side and server-side implementations had to incorporate completely new code to support the new HTTP/2 features. This introduces nuances in protocol implementations, which in turn might be used to passively fingerprint web clients.
    Akamai's Threat Research team recently conducted research on the possibility of passively fingerprinting HTTP/2 clients based on unique implementation features. The paper also proposes a format for passive HTTP/2 fingerprints, as well as a few examples of unique fingerprints belonging to common clients and implementations. The ability to passively fingerprint HTTP/2 client implementations can be leveraged in multiple ways, such as detecting web bots and automated web attack tools, detecting anonymous proxies and VPNs, and more confident detection of the true device and client type.

    Other authors
  • SSHowDowN Proxy: Exploitation of IoT devices for Launching Mass-Scale Attack Campaigns

    Akamai

    While analyzing malicious mass-scale credential stuffing campaigns against Akamai customers’ websites, Akamai’s Threat Research team recently reported a trend in which millions of Internet-connected devices such as routers, DVR systems and even satellite antennas are the source of such attack campaigns. Further research into these devices confirmed our suspicion that the devices are being used as proxies to route malicious traffic through them by leveraging several default configuration weaknesses in their operating systems.

    Deeper analysis of the weakness showed that the vulnerable connected devices are being used for:

    1. Mounting attacks against any kind of Internet target and against any kind of Internet-facing service such as HTTP (e.g. web account checking, application layer attacks, etc.), SMTP (e.g. spamming), network scanning and so forth

    2. Mounting attacks against the internal networks hosting these connected devices, e.g. malicious users can launch an attack from machines on the Internet against internal corporate servers

    Other authors
  • HQL Statement Tampering (Security Advisory)

    Akamai Blog

    "When non-sanitized user input is embedded directly into an HQL (Hibernate Query Language) statement, a malicious hacker may trick the HQL parser into splitting a predefined statement into two separate strings, and to ignore the second string, thus manipulating the original HQL statement and subverting application logic. The effect caused by this vulnerability is similar in nature to using SQL comment indicators for commenting out the rest of a query when performing SQL injection attacks, albeit the difference is that HQL does not provide a legitimate comment indicator similar to SQL..."
  • Allowing anonymized cross-domain access for links deemed benign

    IBM

    Disclosed is a technique to allow anonymized access to automatically identified benign links in web pages across domains, serving as an exception to the cross-domain access containment security measure. The latter security measure is described in detail in the publication titled "Malicious Scripting Protection Through Cross-Domain Access Containment" from July 7th, 2010.
  • Black-Box Automated Detection of Malicious Content in Web Applications

    IBM

    Disclosed is a technique to automatically identify malicious content being served on or linked off legitimate web pages. The technique includes automatically traversing these websites using a web scanner, passing all the downloaded content through an antivirus or similar tool to identify malicious content, and matching all discovered links against a database of black-listed locations.

  • Close encounters of the third kind - A look at the prevalence of client-side JavaScript Vulnerabilities in Web Applications

    IBM

    This whitepaper presents the results of research recently performed by the IBM Rational Application Security group into the prevalence of client-side JavaScript vulnerabilities. For this research, we used a new IBM technology called JavaScript Security Analyzer (JSA), which performs static taint analysis on JavaScript code collected from web pages extracted by an automated deep web crawl process. This kind of analysis is superior to and more accurate than regular static taint analysis of JavaScript code, as it includes the entire JavaScript codebase in its natural environment: fully rendered HTML pages and the browser’s Document Object Model (DOM). The research used a sample group of approximately 675 websites, consisting of all the Fortune 500 companies and another 175 handpicked websites, including IT, web application security vendors, and social networking sites.

    Other authors
  • Use of anomaly detection on client side to protect against web attacks

    IBM

  • Cross-Environment Hopping

    Watchfire

    Our research team has identified a web-based attack technique that exploits the growing number of applications that require a web server being run on a local machine. Cross-Environment Hopping (CEH) is a result of this trend combined with the current limitations in browsers’ same-origin policy access restrictions.

    The CEH technique enables an attacker to exploit a local XSS vulnerability in order to “hop” to a different environment, such as another locally installed server. Under certain circumstances it may even be possible for an attacker to access remote network services such as network share drives, remote procedure calls, intranet mail, SQL servers, and so on.
  • Apache (Win32) Remote Code Execution (CVE-2002-0061)

    Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows remote attackers to execute arbitrary commands via shell meta-characters (a | pipe character) provided as arguments to batch (.bat) or .cmd scripts, which are sent unfiltered to the shell interpreter, typically cmd.exe.


Patents

  • SECURING APPLICATION BEHAVIOR IN SERVERLESS COMPUTING

    Issued US20230362168A1

    A method for securing a serverless application including: (a) receiving a list of components which make up the serverless application and one or more intended usage flows of the serverless application; (b) creating and applying a security policy for each component of the serverless application, the security policy denying all access requests except from authorized components, wherein the authorized components are selected based on access requirements dictated by the one or more intended usage flows.

    Other inventors
  • DYNAMICALLY SCALABLE APPLICATION FIREWALL DEPLOYMENT FOR CLOUD NATIVE APPLICATIONS

    Issued WO2022147436A1

    A configuration of a cloud application exposed via a public IP address is duplicated with modifications to include a private IP address to expose the application internally. The original configuration is updated so that external network traffic sent to the application is redirected to and distributed across agents running on nodes of a cloud cluster by which web application firewalls (WAFs) are implemented. A set of agents for which the respective WAFs should inspect the redirected network traffic are selected based on cluster metrics, such as network and resource utilization metrics. The redirected network traffic targets a port allocated to the agents that is unique to the application, where ports are allocated on a per-application basis so each of the agents can support WAF protection for multiple applications. Network traffic which a WAF allows to pass is directed from the agent to the application via its private IP address.

    Other inventors
  • DYNAMIC APPLICATION FIREWALL CONFIGURATION FOR CLOUD NATIVE APPLICATIONS

    Issued US20220182360A1

    To dynamically determine and apply WAF protections for an application deployed to the cloud, exposed entities are identified. The identified entities are further evaluated to determine whether the application is eligible for WAF protection based on whether the application uses a protocol that is compatible with WAF protection. If the application is eligible for WAF protection, after instantiating a WAF, WAF protections that should be enabled or disabled are determined based on characteristics of the application that are identified at runtime. The WAF can then be configured based on the identified protections such that those which are pertinent to the application will be enabled, while those which are not applicable to the application and thus will not be used are disabled. As a result, security provided by the WAF for a cloud application is tailored to the application based on information about the application gathered in the cloud deployment environment.

    Other inventors
  • SYSTEM AND METHOD FOR APPLICATION TRAFFIC AND RUNTIME BEHAVIOR LEARNING AND ENFORCEMENT

    Issued US20220038423A1

    Systems and methods for learning behavioral activity correlations. A method includes intercepting a plurality of requests, wherein each of the plurality of requests is directed to a respective destination entity of a plurality of destination entities; creating a request queue by queueing the plurality of requests; inspecting contents of the plurality of requests; separately forwarding each intercepted request to its respective destination entity based on the request queue; monitoring runtime output of each of the plurality of destination entities, wherein the runtime output includes behavioral activities of the plurality of destination entities; and training a machine learning model based on the contents of the plurality of requests and the runtime output of each of the plurality of destination entities, wherein the machine learning model is trained to output request-output correlations between groups of requests and subsequent behavioral activities.

    Other inventors
  • ON-THE-FLY CREATION OF TRANSIENT LEAST PRIVILEGED ROLES FOR SERVERLESS FUNCTIONS

    Issued 20210329003

    The disclosed serverless security access control system leverages static analysis information about application code and runtime information to create and assign on-the-fly transient serverless function roles. A default role can be initially assigned to serverless functions of the application. The default role allows the function to communicate with a security access broker. The access broker accesses least privilege information about an invoked serverless function and then creates and assigns a transient role to the serverless function based on that information. The short life of the role reduces and possibly eliminates the security risk of an over-permissive role. The access broker can update the least privilege information based on updated analysis of the application code and runtime information to allow flexibility and adaptation over executions.

    Other inventors
  • SOFTWARE PACKAGE ANALYSIS FOR DETECTION OF MALICIOUS PROPERTIES

    Issued 20210319108

    A system facilitates detection of malicious properties of software packages. A generic application which comprises known functionality into which a software package has been included is analyzed through a static analysis and/or dynamic analysis, which is performed based on executing the generic application in a controlled environment. The static analysis and/or dynamic analysis are performed to determine whether one or more properties associated with the software package comprise deviations from the known behavior of the generic application. Behavior deviations identified based on the static and/or dynamic analysis are associated with a score. An aggregate score is calculated for the software package based on the scores which have been assigned to the identified behavior deviations and may be adjusted based on a reputation multiplier determined based on metadata of the software package. If the aggregate score of the software package exceeds a score threshold, the software package is flagged as malicious.

    Other inventors
  • SYSTEM AND METHOD FOR SECURING APPLICATION BEHAVIOR IN SERVERLESS COMPUTING

    Filed US 20200267155

    A method for securing a serverless application including: (a) receiving a list of components which make up the serverless application and one or more intended usage flows of the serverless application; (b) creating and applying a security policy for each component of the serverless application, the security policy denying all access requests except from authorized components, wherein the authorized components are selected based on access requirements dictated by the one or more intended usage flows.

    Other inventors
  • BOT DETECTION IN AN EDGE NETWORK USING TRANSPORT LAYER SECURITY (TLS) FINGERPRINT

    Issued WO2019126165A1

    This disclosure describes a technique to fingerprint TLS connection information to facilitate bot detection. The notion is referred to herein as "TLS fingerprinting." Preferably, TLS fingerprinting herein comprises combining different parameters from the initial "Hello" packet sent by the client. In one embodiment, the parameters from the Hello packet that are used to create the fingerprint (the "TLS signature") are: record layer version, client version, ordered TLS extensions, ordered cipher list, ordered elliptic curve list, and ordered signature algorithms list. Preferably, the edge server persists the TLS signature for the duration of a session.

    Other inventors
  • BOT DETECTION IN AN EDGE NETWORK USING TRANSPORT LAYER SECURITY (TLS) FINGERPRINT

    Filed US 20190190950

    This disclosure describes a technique to fingerprint TLS connection information to facilitate bot detection. The notion is referred to herein as “TLS fingerprinting.” Preferably, TLS fingerprinting herein comprises combining different parameters from the initial “Hello” packet sent by the client. In one embodiment, the parameters from the Hello packet that are used to create the fingerprint (the “TLS signature”) are: record layer version, client version, ordered TLS extensions, ordered cipher list, ordered elliptic curve list, and ordered signature algorithms list. Preferably, the edge server persists the TLS signature for the duration of a session.

    Other inventors
  • SYSTEM AND METHOD FOR PROTECTING SERVERLESS APPLICATIONS

    Filed US20190312899A1

    A system and methods for protecting a serverless application, the system including: (a) a serverless application firewall configured to inspect input of the serverless function so as to ascertain whether the input contains malicious, suspicious or abnormal data; and (b) a behavioral protection engine configured to monitor behaviors and actions of the serverless functions during execution thereof.

    Other inventors
  • METHODS FOR SECURING SERVERLESS FUNCTIONS

    Filed US 20190007458A1

    A system and methods for protecting a serverless function including analyzing the serverless function to identify vulnerabilities or insecure configurations and a strict set of security permissions required by the serverless function in order to interact with a computing environment as intended.

    Other inventors
  • DETECTION AND CLASSIFICATION OF MALICIOUS CLIENTS BASED ON MESSAGE ALPHABET ANALYSIS

    Issued US20150358343 A1

    Described herein are systems, methods and apparatus for detecting and classifying malicious agents on a computer network. Many attacks require that the malicious message or messages employ certain characters. Such sets of characters can be indicative of an attack and referred to as a “malicious alphabet.” All clients on a network are likely to use characters from malicious alphabets in legitimate and valid network messages. However, malicious clients are likely to use characters from malicious alphabets in different ways than legitimate clients. According to the teachings hereof, a particular client's use of a malicious alphabet can be tracked and used to identify it as a potential attacker. Such tracking may take place across the applications and/or websites to which the traffic is directed. Based on the nature and extent of the client's use of the malicious alphabet, a reputation score for the client can be developed.

    Other inventors
  • SECURE TRANSPORT OF WEB FORM SUBMISSIONS

    Issued WO2014049467 A1

    Methods and systems for secure web form submission may implement one or more operations including: receiving web content including at least one web form from a web server at a client; determining a value of at least one web form submission security attribute of the at least one web form; and transmitting submission data associated with the at least one web form from the client to the web server according to the value of the web form submission security attribute.

    Other inventors
  • INDICATING COVERAGE OF WEB APPLICATION TESTING

    Issued US20140129878 A1

    Testing a system under test includes intercepting, within a proxy system, a request from a client system sent to the system under test. The request is analyzed within the proxy system and sent to the system under test. Within the proxy system, a response from the system under test sent to the client system is intercepted. The response is instrumented creating a modified response indicating test coverage according to the request. The modified response is sent to the client system.

    Other inventors
  • COLLABORATIVE APPLICATION TESTING

    Issued US20140129915 A1

    A method, computer program product, and computer system for performing, at a computing device, an analysis of a web application. A response is annotated by the web application with coverage data based upon, at least in part, the analysis, wherein the coverage data indicates which actions have been performed on the web application and which actions have not been performed on the web application according to results of the analysis. The response that includes the coverage data is shared with one or more users.

    Other inventors
  • COMPUTER SOFTWARE APPLICATION SELF-TESTING

    Issued US20140068563 A1

    Testing a computer software application by detecting an arrival of input data provided as input to a computer software application from a source external to the computer software application, modifying the detected input data to include test data configured to test the computer software application in accordance with a predefined test, thereby creating a modified version of the detected input data, and processing the modified version of the detected input data, thereby performing the predefined test on the computer software application using the test data.

    Other inventors
  • AUTOMATIC SYNTHESIS OF UNIT TESTS FOR SECURITY TESTING

    Issued US 13/563,376

    Performing security analysis on a computer program under test (CPUT). The CPUT can be analyzed to identify data pertinent to potential security vulnerabilities of the CPUT. At least a first unit test configured to test a particular unit of program code within the CPUT can be automatically synthesized. The first unit test can be configured to initialize at least one parameter used by the particular unit of program code within the CPUT, and can be provided at least a first test payload configured to exploit at least one potential security vulnerability of the CPUT. The first unit test can be dynamically processed to communicate the first test payload to the particular unit of program code within the CPUT. Whether the first test payload exploits an actual security vulnerability of the CPUT can be determined, and a security analysis report can be output.

    Other inventors
  • INJECTION CONTEXT BASED STATIC ANALYSIS OF COMPUTER SOFTWARE APPLICATIONS

    Issued US 8,528,095

    In one aspect of the invention a system is provided for injection context based static analysis of computer software applications, the system including a sink selector configured to select a sink within a computer software application, an output stream tracer configured to trace a character output stream leading to the sink within the computer software application, and determine an injection context of the character output stream at the sink, where the injection context is predefined in association with a state of the character output stream at the sink, and a context action identifier configured to identify any actions that have been predefined in association with the identified injection context, and provide a report of the actions, where the sink selector, output stream tracer, and context action identifier are implemented in at least one of a) computer hardware, and b) computer software embodied in a physically-tangible computer-readable storage medium.

    In another aspect of the invention a method is provided for injection context based static analysis of computer software applications, the method including selecting a sink within a computer software application, tracing a character output stream leading to the sink within the computer software application, determining an injection context of the character output stream at the sink, where the injection context is predefined in association with a state of the character output stream at the sink, identifying any actions that have been predefined in association with the identified injection context, and providing a report of the actions. A computer program product embodying the invention is also provided.

    Other inventors
  • METHOD AND APPARATUS FOR SECURITY ASSESSMENT OF A COMPUTING PLATFORM

    Issued US US8650651 B2

    A system and method for automated security testing are disclosed. The disclosure provides for automated discovery of security vulnerabilities through the monitoring of activities that occur throughout the separate components of a computing platform during a testing session through a communications interface.

    Other inventors
  • DYNAMICALLY SCANNING A WEB APPLICATION THROUGH USE OF WEB TRAFFIC INFORMATION

    Filed US US 20130191920 A1

    Collecting log file data from at least one log file. From the collected log file data, at least one HTTP request can be generated to exercise a web application to perform a security analysis of the web application. The HTTP request can be communicated to the web application. At least one HTTP response to the HTTP request can be received. The HTTP response can be analyzed to perform validation of the web application. Results of the validation can be output.

    Other inventors
  • IDENTIFYING REQUESTS THAT INVALIDATE USER SESSIONS

    Filed US US 13/711,970

    An illustrative embodiment of a computer-implemented process for identifying a request invalidating a session excludes all marked logout requests of a Web application, crawls an identified next portion of the Web application and responsive to a determination, in one instance, that the state of the crawl is out of session, logs in to the Web application. The computer-implemented process further selects all crawl requests sent since a last time the crawl was in-session, excluding all marked logout requests and responsive to a determination that requests remain, crawls a selected next unprocessed request. Responsive to a determination, in the next instance, that state of the crawl is out of session and the selected request meets logout request criteria, the computer-implemented process marks the selected request as a logout request.

    Other inventors
  • SIMULATING BLACK BOX TEST RESULTS USING INFORMATION FROM WHITE BOX TESTING

    Filed US US 2012/0110551 A1

    Systems, methods and program products for simulating black box test results using information obtained from white box testing, including analyzing computer software (e.g., an application) to identify a potential vulnerability within the computer software application and a plurality of milestones associated with the potential vulnerability, where each of the milestones indicates a location within the computer software application, tracing a path from a first one of the milestones to an entry point into the computer software application, identifying an input to the entry point that would result in a control flow from the entry point and through each of the milestones, describing the potential vulnerability in a description indicating the entry point and the input, and presenting the description via a computer-controlled output medium.
  • SYSTEM AND METHOD FOR IDENTIFYING SESSION IDENTIFICATION INFORMATION

    Filed US US20120278480A1

    A computer-implemented process, computer program product, and apparatus for identifying session identification information. A recording is initiated and an operation sequence of interest is performed while recording and the recording ceases. Responsive to a determination that the operation sequence of interest was successful, information from the operation sequence of interest is saved as recorded information and responsive to a determination that a same operation sequence of interest was recorded, the recorded information from each operation sequence of interest is compared. Differences in the recorded information are identified to form identified differences and a session identifier is constructed using the identified differences.

    Other inventors
  • TARGETED SECURITY TESTING

    Filed US US 13/341,426

    Source code of a plurality of web pages including script code is statically analyzed. A page including a potential vulnerability is identified based on the static analysis. A page not including a potential vulnerability is identified based on the static analysis. The web page including the potential vulnerability is dynamically analyzed using a set of test payloads. The page not including the potential vulnerability is dynamically analyzed using a subset of the set of test payloads, the subset including fewer test payloads than the set of test payloads.

    Other inventors
  • DETECTING SECURITY VULNERABILITIES IN WEB APPLICATIONS

    Filed US US 20130007886 A1

    Method to detect security vulnerabilities includes: interacting with a web application during its execution to identify a web page exposed by the web application; statically analyzing the web page to identify a parameter within the web page that is constrained by a client-side validation measure and that is to be sent to the web application; determining a server-side validation measure to be applied to the parameter in view of the constraint placed upon the parameter by the client-side validation measure; statically analyzing the web application to identify a location within the web application where the parameter is input into the web application; determining whether the parameter is constrained by the server-side validation measure prior to the parameter being used in a security-sensitive operation; and identifying the parameter as a security vulnerability.

    Other inventors
  • DETERMINING THE VULNERABILITY OF COMPUTER SOFTWARE APPLICATIONS TO PRIVILEGE-ESCALATION ATTACKS

    Filed US 20120198557

    Determining the vulnerability of computer software applications to privilege-escalation attacks, such as where an instruction classifier is configured to be used for identifying a candidate access-restricted area of the instructions of a computer software application, and a static analyzer is configured to statically analyze the candidate access-restricted area to determine if there is a conditional instruction that controls execution flow into the candidate access-restricted area, perform static analysis to determine if the conditional instruction is dependent on a data source within the computer software application, and designate the candidate access-restricted area as vulnerable to privilege-escalation attacks absent either of the conditional instruction and the data source.

    Other inventors
  • APPLICATION STATE DETECTOR AND INDUCER

    US 20090320043

    A method for controlling a computer-implemented application, the method including determining a current state of a computer-implemented application, inducing the application into a predefined state associated with a target action of the application if the current state does not match the predefined state in accordance with predefined match criteria, and causing the target action to be performed.

    Other inventors
  • BLACK BOX TESTING OPTIMIZATION USING INFORMATION FROM WHITE BOX TESTING

    US 20110055813

    Testing a computer software application by identifying a sink in the computer software application, identifying a source associated with the sink in the application, identifying an entry point associated with the source in the application, where the source is configured to receive input provided externally to the application via the entry point, determining a sink type represented by the sink, and providing to a testing application information identifying the entry point and in association with the sink type.

    Other inventors
  • CRAWLING OF OBJECT MODEL USING TRANSFORMATION GRAPH

    US 20100088668

    A transformation tree for an object model (OM) is defined. The transformation tree has nodes interconnected by edges, where each node is connected to at most one other tree node. Each node corresponds to a state of the OM; each edge corresponds to an event causing the OM to transition from the state of one node to the state of another node. A transformation graph for the OM is constructed by simulating the transformation tree. The transformation graph has nodes interconnected by edges, and is a directed graph in which each node is connected to one or more other nodes. Each node corresponds to a state of the OM; each edge corresponds to an event causing the OM to transition from the state of one node to the state of another node. Crawling-oriented actions are performed in relation to the OM by being performed in relation to the transformation graph.

    Other inventors
  • CROSS-DOMAIN ACCESS PREVENTION

    US 20100088761

    A method, system, and computer program product for cross-domain access prevention are provided. The method includes detecting a request from a first domain to access a second domain, and applying cross-domain access heuristics to determine whether to allow the request. The cross-domain access heuristics define common ownership characteristics between the first domain and the second domain. The method further includes performing the requested access in response to determining that the request complies with at least one of the cross-domain access heuristics, and blocking the requested access in response to determining that the request fails to comply with the cross-domain access heuristics.

    Other inventors
  • LOGIN SEQUENCE PROFILING METHODS AND SYSTEMS

    CA CA 2680609

    This invention encompasses several heuristics used in profiling and understanding the login mechanism used by a web application in an automated fashion.

    Other inventors

Languages

  • Hebrew
  • English

Organizations

  • Cloud Security Alliance (CSA)

    Israel Chapter Board Member

    - Present
  • Web Application Security Consortium (WASC)

    Officer

    - Present
  • OWASP

    OWASP Israel Board Member

  • W3C Web Application Security Working Group

    Participant
