Security at the Source
Fundamental Security Issues
- Poor Design
- Poor Configuration
- Software Coding Errors
- Human Error

Software Vulnerabilities
- Cross Site Scripting
- SQL Injection
- Buffer Overflow
- Unintentional / Intentional Functionality
- Complexity

Advisories
- Dec 15, 2004 (MS04-043) Buffer Overflow In HyperTerminal
- Nov 23, 2004 Winamp IN_CDDA Buffer Overflow
- Nov 23, 2004 SecureCRT - Remote Command Execution
- Oct 14, 2004 (MS04-033) Buffer Overflow In Microsoft Excel
- Oct 14, 2004 (MS04-032) SetWindowLong() Shatter Attacks
- Jul 14, 2004 (MS04-022) CHM File Heap Overflow
- Jul 14, 2004 (MS04-011) Utility Manager Loads Winhlp32 As SYSTEM
- Nov 11, 2003 (MS03-051) FrontPage Extensions Remote Command Execution
- Oct 15, 2003 (MS03-045) Listbox and ComboBox Overflow Advisory
- Jul 16, 2003 (MS03-028) ISA Server XSS Advisory
- Jun 25, 2003 (MS03-022) Windows Media Services Overflow #2 Advisory
- May 30, 2003 (MS03-019) Windows Media Services Overflow #1 Advisory

The Cost and Impact
Software bugs cost the U.S. economy an estimated $59.5 billion annually. More than a third of those costs, $22.2 billion, could be eliminated with improved testing and earlier identification of errors.
"Software vendors need automated tools that look for bugs in their code, but it may be a decade before many of those tools are mature and widely used." Amit Yoran, former director of cybersecurity for the U.S. Department of Homeland Security.

Some Issues
- Coding Securely
- Education
- Copying Code
- Open Source
- Bespoke Development

Current Protections
- Application Attack and Penetration
- Automated Attack Tools
- Configuration Analysis
- Vulnerability Analysis and Management
- Code Reviews
- Inspections
- Architecture Reviews
- Peer Reviews

What's the need?
- Developers: include security testing in the development life cycle
- Auditors: improved quality and reduced time of source code analysis and inspection
- Quality Assurance: measure the quality of code from development or outsourcers
- Change Control: retest code in every release rather than only on first development

Security at the Source ™
- Design Security In
- Keep up to date with security weaknesses
- Automate / Reduce the Cost of the Process
- Build Better Systems

CodeScan
Testing Internet application source code for security weaknesses.
Approach
- Start with the most widely used languages (Microsoft ASP / VBScript, PHP)
- Start with common coding problems
- Evolve the product over time to meet ongoing customer requirements

Features
- Client-based automation of web source code inspection
- Automated variable tracking
- Rating of vulnerabilities
- General and language-specific testing, including: Emailers, Cross Site Scripting, SQL Injection, User Input Filtering
- Extensive reporting and "fix" information
- Code "Healing"

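To make "automated variable tracking" concrete, here is a small taint-tracking scanner written for this page as an added example; it is not CodeScan's own code. It follows request data through PHP variable assignments into echo/print and database query sinks, flags the Cross Site Scripting and SQL Injection cases listed under Software Vulnerabilities, and attaches a rating and a fix hint to each finding, mirroring the "rating" and "fix information" features. The source, sink and sanitiser lists and the PHP sample it scans are constructed for the example and are deliberately tiny compared with a real product's rule set.

```python
# Added example (not CodeScan's code): a toy taint-tracking scanner for PHP
# source. Request data is "tainted"; assignments propagate taint between
# variables; sanitiser calls remove the classes they neutralise; a tainted
# value reaching a sink is reported with a rating and a fix hint.
import re
from dataclasses import dataclass

# Assumed, deliberately small lists of request sources, sinks and sanitisers.
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
VAR_RE = re.compile(r"\$(\w+)")
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=(?!=)\s*(.+)$", re.S)
XSS_SINK_RE = re.compile(r"^\s*(echo|print)\b")
SQL_SINK_RE = re.compile(r"\b(mysql_query|mysqli_query)\s*\(")
SANITIZER_RE = re.compile(r"\b(htmlspecialchars|intval|mysqli_real_escape_string)\s*\(")

ALL = frozenset({"xss", "sqli"})
NEUTRALISES = {                      # which class each sanitiser protects against
    "htmlspecialchars": {"xss"},
    "intval": ALL,
    "mysqli_real_escape_string": {"sqli"},
}
FIX = {
    "xss": "encode output with htmlspecialchars() before echo/print",
    "sqli": "use a parameterised query, or cast/escape the value before building SQL",
}


@dataclass
class Finding:
    line: int
    kind: str
    variable: str
    rating: str
    fix: str


def expr_taint(expr, state):
    """Classes an expression is still dangerous for, given variable state.
    A sanitiser anywhere in the expression counts (coarse, but shows the idea)."""
    taint = set()
    if SOURCE_RE.search(expr):
        taint |= ALL
    for name in VAR_RE.findall(expr):
        taint |= state.get(name, set())
    for fn in SANITIZER_RE.findall(expr):
        taint -= NEUTRALISES[fn]
    return taint


def check_sink(line_no, kind, expr, state):
    """Return a Finding if `expr` reaches a `kind` sink while still tainted."""
    if kind not in expr_taint(expr, state):
        return None
    direct = bool(SOURCE_RE.search(expr))
    contributors = ["$_" + s for s in SOURCE_RE.findall(expr)]
    partially_sanitised = False
    for name in VAR_RE.findall(expr):
        taint = state.get(name, set())
        if kind in taint:
            contributors.append("$" + name)
            # A strict subset of ALL means some sanitiser touched the value,
            # just not one that protects this sink: rate it lower.
            partially_sanitised = partially_sanitised or taint != ALL
    rating = "Medium" if partially_sanitised and not direct else "High"
    return Finding(line_no, kind, ", ".join(dict.fromkeys(contributors)), rating, FIX[kind])


def scan(php):
    """Line-oriented scan: one statement per line, no control-flow analysis."""
    state, findings = {}, []
    for n, raw in enumerate(php.splitlines(), 1):
        stmt = raw.strip().rstrip(";").strip()
        if not stmt or stmt.startswith(("<?", "?>", "//", "#")):
            continue
        m = ASSIGN_RE.match(stmt)
        expr = m.group(2) if m else stmt
        for kind, sink_re in (("xss", XSS_SINK_RE), ("sqli", SQL_SINK_RE)):
            if sink_re.search(expr):
                f = check_sink(n, kind, expr, state)
                if f:
                    findings.append(f)
        if m:                        # propagate taint to the assigned variable
            state[m.group(1)] = expr_taint(expr, state)
    return findings


# Constructed PHP sample: two unsafe flows, one partially sanitised, two safe.
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$name = htmlspecialchars($_POST['name']);
$sql = "SELECT * FROM users WHERE id = " . $id;
$result = mysql_query($sql);
echo "Hello " . $name;
echo "Requested id: " . $id;
$safe_id = intval($_GET['id']);
mysql_query("SELECT * FROM users WHERE id = " . $safe_id);
mysql_query("SELECT * FROM users WHERE name = '" . $name . "'");
?>
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PHP):
        print(f"line {f.line}: {f.kind.upper()} [{f.rating}] via {f.variable}: {f.fix}")
```

On the sample this reports the query built from the raw `$id` (line 5, High), the unencoded echo of `$id` (line 7, High) and the HTML-encoded `$name` flowing into SQL (line 10, Medium, since the value was sanitised for the wrong sink), while the `intval()`-cast id and the encoded echo produce nothing. The per-variable taint sets are the whole point: a real scanner adds control flow, function calls and many more sources and sinks, but the bookkeeping stays this shape.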
Outcomes
- Demonstrable duty of care
- Reduced development costs
- Security within the project lifecycle
- Improved security in end products
- Third-party code inspections at affordable prices

Product Direction
- Developer Versions (ASP, PHP)
- Language Directions: Microsoft .NET; JSP / Java; Higher Level Languages
- Versions: Developer (Mass Market); Consultant (Pay Per Application); Enterprise (Client / Server)
- Comparative Analysis
- Enhanced Reporting
- Web Sales and Support

Demonstration