Cassio Goldschmidt May 13 th, 2009

Introduction 2

Who am I? Cassio Goldschmidt –Sr. Manager, Product Security –Chapter Leader, OWASP Los Angeles Education –MBA, USC –MS Software Engineering, SCU –BS Computer Science, PUCRS –Certified Software Sec. Lifecycle Professional – CSSLP, (ISC) 2 When I’m not in the office… –Volleyball (Indoor, Beach) –Coding –Gym… 3

Typical Project Lifecycle 4

How your workout looks like 5

METRICS How your METRICS should look like 6 Exercise type: CWE Exercise type: CWE

METRICS How your METRICS should look like 7 Number of Reps: Number of Findings Number of Reps: Number of Findings

METRICS How your METRICS should look like 8 Exercise Intensity: CVSS Exercise Intensity: CVSS

METRICS How your METRICS should look like 9

Common Weakness Enumeration

Common Weakness Enumeration What is it? A common language for describing software security weaknesses Maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS). Hierarchical –Each individual CWE represents a single vulnerability type –Deeper levels of the tree provide a finer granularity –Higher levels provide a broad overview of a vulnerability 11

Common Weakness Enumeration Portion of CWE structure 12

Common Weakness Enumeration What data is available for each CWE? Weakness description Applicable platforms and programming languages Common Consequences Likelihood of Exploit Coding Examples Potential Mitigations Related Attacks Time of Introduction Taxonomy Mapping 13 Link to CWE Page on XSSCWE Page on XSS

Common Weakness Enumeration How useful is this information? 14 Pie Chart showing the frequency of CWEs found in penetration tests Pie Chart showing the frequency of CWEs found in penetration tests

Common Vulnerability Scoring System

Objective (and “perfect enough”) metric A universal way to convey vulnerability severity –Can be used for competitive analysis CVSS score ranges between 0.0 and 10.0 –Can be expressed as high, medium, low as well Composed of 3 vectors –Base Represents general vulnerability severity: Intrinsic and immutable –Temporal Time-dependent qualities of a vulnerability –Environmental Qualities of a vulnerability specific to a particular IT environment 16 Common Vulnerability Scoring System (CVSS) What is it?

17 Common Vulnerability Scoring System (CVSS) BASE Vector Access Vector Access Complexity Authenti… NetworkHighNone Adjacent Network MediumSingle Instance LocalLowMult. Instances Undefined Confident…IntegrityAvailability None Partial Complete Undefined ExploitabilityImpact Sample Score: 7.5 Sample Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Every CVSS score should be accompanied by the corresponding vector

18 Common Vulnerability Scoring System (CVSS) The Calculator

Training and Metrics.

Training and Metrics A special activity in the SDL 20 Security training is what food is to a workout Same workout metrics do not apply Quality of your intake affects overall performance Staff needs ongoing training

Training and Metrics Security Learning Process Pre classClass Fixation Exercises Pos Class Survey Keeping Staff Current 21

Training and Metrics Security Learning Process Pre classClass Fixation Exercises Pos Class Survey Keeping Staff Current 22 Understand who is the audience Previous knowledge about secure coding and secure testing Programming languages in use Supported platforms Type of product Understand who is the audience Previous knowledge about secure coding and secure testing Programming languages in use Supported platforms Type of product

Training and Metrics Security Learning Process Pre classClass Fixation Exercises Pos Class Survey Keeping Staff Current 23 Train everyone involved in the SDL Developers: Secure Coding, Threat Model QA: Security Testing, Tools Managers: Secure Development Lifecycle (also known as Symmunize) Train everyone involved in the SDL Developers: Secure Coding, Threat Model QA: Security Testing, Tools Managers: Secure Development Lifecycle (also known as Symmunize)

Training and Metrics Security Learning Process Pre classClass Fixation Exercises Pos Class Survey Keeping Staff Current 24 Quality Assurance - Capture the flag Use Beta software Approximately 3 hours long Top 3 finders receive prizes and are invited to explain what techniques and tools they used to find the vulnerabilities to the rest of the group Quality Assurance - Capture the flag Use Beta software Approximately 3 hours long Top 3 finders receive prizes and are invited to explain what techniques and tools they used to find the vulnerabilities to the rest of the group

Training and Metrics Security Learning Process Pre classClass Fixation Exercises Pos Class Survey Keeping Staff Current 25 Pos Class Survey Anonymous Metrics Class content Instructor knowledge Exercises Pos Class Survey Anonymous Metrics Class content Instructor knowledge Exercises

Training and Metrics Security awareness is more than training 26

Training and Metrics Security awareness is more than training 27 What: Symantec’s company-wide knowledge sharing session. How Often: Occurs every two weeks. 2 hours long. Who: Internal and external guests present on a topic of choice to Symantec’s engineering community What: Symantec’s company-wide knowledge sharing session. How Often: Occurs every two weeks. 2 hours long. Who: Internal and external guests present on a topic of choice to Symantec’s engineering community

Training and Metrics Security awareness is more than training 28 What: Symantec’s company-wide internal technical conference. How Often: Once a year. 3 days long. Who: Top engineers present on a topic of choice to Symantec’s engineering community. 25% of the talks are related to security. What: Symantec’s company-wide internal technical conference. How Often: Once a year. 3 days long. Who: Top engineers present on a topic of choice to Symantec’s engineering community. 25% of the talks are related to security.

Training and Metrics Security awareness is more than training 29 What: Symantec’s internal newsletter. How Often: Every quarter. 50 pages long. Who: Top engineers write on a topic of choice to Symantec’s engineering community. 1-3 security article in every issue since inception. What: Symantec’s internal newsletter. How Often: Every quarter. 50 pages long. Who: Top engineers write on a topic of choice to Symantec’s engineering community. 1-3 security article in every issue since inception.

Conclusions and final thoughts

Why This Approach Makes Sense? 31 Compare Apples to Apples Quantify results in a meaningful way to “C” executives –Past results can be used to explain impact of new findings –Can be simplified to a number from 1-10 or semaphore (green, yellow and red). –Can be used for competitive analysis Harder to game CVSS CWE can be easily mapped to different taxonomies

Final Thoughts… 32 Other metrics are useful too! Defense is like forcing muscle growth. It’s a proactive, measured and well fueled endeavor.

Copyright © 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Thank You! Cassio Goldschmidt