This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.

Slides:



Advertisements
Similar presentations
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Advertisements

Software Assurance Metrics and Tool Evaluation (SAMATE) Michael Kass National Institute of Standards and Technology
Verification and Validation
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
OWASP Periodic Table of Vulnerabilities James Landis
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 1 Aegis Research Corporation Intrusion Tolerance Using Masking, Redundancy and Dispersion DARPA.
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.
TGDC Meeting, December 2011 Michael Kass National Institute of Standards and Technology Update on SAMATE Automated Source Code Conformance.
0 Kluge Burch Zimmerling GRC Advisors Commodity Services Specification Penetration Testing & Application Security Assessment January 2015.
SCOTT KURODA ADVISOR: DR. FRANZ KURFESS Encouraging Secure Programming Practice in Academia.
Information Systems Security Computer System Life Cycle Security.
A Framework for Automated Web Application Security Evaluation
CSCE 548 Code Review. CSCE Farkas2 Reading This lecture: – McGraw: Chapter 4 – Recommended: Best Practices for Peer Code Review,
Honeypot and Intrusion Detection System
Computer Security and Penetration Testing
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.
An Overview of the DHS/NIST SAMATE Project SSE Seminar April 10, 2006 Michael Kass Information Technology Laboratory National Institute of Standards and.
CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.
DYNAMIC VALIDITY PERIOD CALCULATION OF DIGITAL CERTIFICATES BASED ON AGGREGATED SECURITY ASSESSMENT By Alexander Beck Jens Graupmann Frank Ortmeier.
Java Security Nathan Moore CS 665. Overview Survey of Java Inherent Security Properties Java Runtime Environment Java Virtual Machine Java Security Model.
CPRG 215 Introduction to Object-Oriented Programming with Java Module 1-Introduction to Java Topic 1.1 Basics of Java Produced by Harvey Peters, 2008 Copyright.
SIGITE 2008: Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University.
COMPUTER SECURITY MIDTERM REVIEW CS161 University of California BerkeleyApril 4, 2012.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
CIS 450 – Network Security Chapter 14 – Specific Exploits for UNIX.
Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.
Mobile Agent Security Presented By Sayuri Yonekawa October 17, 2000.
High Confidence Software and Systems HCMDSS Workshop Brad Martin June 2, 2005.
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Lecture 4 Mechanisms & Kernel for NOSs. Mechanisms for Network Operating Systems  Network operating systems provide three basic mechanisms that support.
SwA Co-Chair and Task Lead Strategy Session Agenda Technology, Tools and Product Evaluation Working Group Status Briefing Co-Chair(s) Michael Kass (NIST),
Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP Denver February 2012.
A Binary Agent Technology for COTS Software Integrity Anant Agarwal Richard Schooler InCert Software.
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Introduction to Programming 1 1 2Introduction to Java.
Redmond Protocols Plugfest 2016 Jinghui Zhang Office Interoperability Test Tools (Test Suites and Open Source Projects) Software Engineer Microsoft Corporation.
Tool Support for Testing
Internet Quarantine: Requirements for Containing Self-Propagating Code
Presented by Rob Carver
SOFTWARE TESTING Date: 29-Dec-2016 By: Ram Karthick.
CSCE 548 Secure Software Development Risk-Based Security Testing
C IBM Security QRadar SIEM V7.2.6 Associate Analyst
Security Testing Methods
YAHMD - Yet Another Heap Memory Debugger
Security Issues Formalization
Secure Software Development: Theory and Practice
High Coverage Detection of Input-Related Security Faults
Software Verification and Validation
Security.
Software Verification and Validation
CULLEN ACHESON Samuel Garcia Zachary Blum
Software Verification and Validation
Operating System Concepts
Presentation transcript:

This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October A Taxonomy of Software Assurance Tools and the Security Bugs they Catch Michael Kass Information Technology Laboratory National Institute of Standards and Technology

2 OWASP AppSec DC 2005 SAMATE Goals:  A taxonomy of software assurance tools and their functions  A taxonomy of the software flaws that those tools find  A reference dataset (RDS) of tests to measure if SA tools correctly detect those flaws

3 OWASP AppSec DC 2005 Why a Tool Taxonomy?  Provide a common reference/classification of functions for evaluation of a tool’s effectiveness  A “first step” in defining a tool functional specification  Tool specification becomes basis for creating tool reference dataset/benchmarks  A common specification and reference dataset for comparing SA tools of the same class

4 OWASP AppSec DC 2005 Workshop SA tool classes focus group tool function taxonomy select tool class and functions functional specification test plan Tool Taxonomy and Follow-on Products test suite

5 OWASP AppSec DC 2005 Tool Survey and Taxonomy  ”External” Tools  Network Scanners  Web Application Scanners  Web Services Scanners  Dynamic Analysis Tools  “Internal” Tools  Software Requirements Verifiers  Software Design/Model Verifiers  Compilers  Static Source Code Scanners  Static Byte Code Scanners  Static Binary Code Scanners  Database Scanners Much of the information in the Software Security Tool Taxonomy is derived from the DISA Application Security Assessment Tool Survey, July 2004, to be published as a DISA STIG.

6 OWASP AppSec DC 2005 Network Scanners Remotely scan targeted machines, performing port scans, and probing for vulnerabilities known in operating systems and third party network software.  Functions - scan for known vulnerabilities in:  operating systems  applications  web servers  network devices  network protocols  RDS requirements:  networked testbed  customize-able deployment scenarios for vulnerability environment  test case documentation against a functional specification for general network scanner SA tools

7 OWASP AppSec DC 2005 Web Application Scanners A more “specialized” class of SA tool that focuses specifically on web applications only, and are not considered generalized network scanners.  Scan for vulnerabilities by:  simulating a web browser client  performing field manipulation/cookie poisoning  exploiting relative URL paths  injecting malicious data via form fields to exploit server  RDS requirements:  HTTP(S) server with applications having known security flaws and vulnerabilities  networked testbed  customize-able deployment environment for vulnerability scenarios  test case documentation against a functional specification for web application scanner SA tools

8 OWASP AppSec DC 2005 Web Services Scanner Functions A relatively new class of SA tool whose purpose is the analysis of web service applications. Web service scanners have functions of the following type:  Scan for vulnerabilities by:  functional test of SOAP server  test XML encryption, signatures and signature verification  test WS-Security  perform XML validation of received messages  RDS requirements:  a networked testbed of web services with known security flaws and vulnerabilities  networked testbed  customize-able deployment environment for vulnerability scenarios  test case documentation against a functional specification for web services scanner SA tools

9 OWASP AppSec DC 2005 Dynamic Analysis Tool Functions Dynamic analysis tools generate runtime vulnerability scenarios through the following functions:  Scan for vulnerabilities by:  performing file corruption  resource/network/system/interface fault injection  design attacks  implementation attacks  RDS requirements:  a testbed of applications with known security flaws and vulnerabilities  virtual environment (sandbox)  customize-able operating environment to create vulnerability scenarios  test case documentation against a functional specification for dynamic analysis SA tools

10 OWASP AppSec DC 2005 Software Requirements Verification Tool Functions Functions of some requirements verification tools that have been developed include determining whether requirements are: (from NASA’s Automated Requirements Measurement Tool )  Scan for vulnerabilities by verifying that application requirements are:  verifiable  complete  consistent  unambiguous  RDS requirements:  a corpus of application requirement documents that introduce security vulnerabilities into application design and/or implementation  test case documentation against a functional specification for requirements verification SA tools

11 OWASP AppSec DC 2005 Design/Model Verification Tool Functions Design/model verification tools provide are a vital “first line of defense“ in software assurance.  Identify potential flaws/vulnerabilities by performing:  application simulation  exhaustive verification  proof of design  RDS requirements:  a corpus of design documents that introduce security vulnerabilities into application design and/or implementation  test case documentation against a functional specification for design/model verification SA tools

12 OWASP AppSec DC 2005 Compilers Choosing “type safe” compilers, or extending the capability of some compilers can provide an additional level of software security (although not guaranteed). Some security functions of “extended compilers” include:  Identify potential flaws/vulnerabilities by injecting run-time code to identify:  buffer overflows  race conditions  un-initialised variables  RDS requirements:  a testbed of applications with known security flaws and vulnerabilities  A virtual test environment  customize-able operating environment to create vulnerability scenarios  test case documentation against functional specification for dynamic binary analysis SA tools

13 OWASP AppSec DC 2005 Source Code Scanners A relatively “new” class of SA tool that can perform data-flow, control-flow, inter-procedural analysis of code and identify software security flaws and potential vulnerabilities.  Some key functions include:  Identify security flaws and vulnerabilities  filter results based upon flaw type/priority  scale to large code sets  generate code metrics  RDS requirements:  a corpus of source code examples with known security flaws and vulnerabilities  test case documentation against functional specification for source code analysis SA tools

14 OWASP AppSec DC 2005 Static Bytecode Analysis Tools A step below “source code scanners’”, but above binary analysis tools, byte code analysis tools have similar functions to source code scanning tools.  Some key functions include:  Identify security flaws and vulnerabilities  filter results based upon flaw type/priority  scale to large code sets  RDS requirements:  a corpus of byte code examples with known security flaws and vulnerabilities  test case documentation against functional specification for static bytecode analysis tools

15 OWASP AppSec DC 2005 Static Binary Analysis Tools The “last line of defense” in SA tools. Performs similar SA functions as source code analysis tools, but does so at “runtime”.  Some key functions include:  perform boundary checks  identify memory leaks  identify unreachable code  identify race conditions  identify type mismatches  RDS requirements:  a corpus of binary executable examples with known security flaws and vulnerabilities  test case documentation against functional specification for static binary code analysis tools

16 OWASP AppSec DC 2005 Defining a Software Security Flaw Taxonomy Because of the nature of software development (new technologies, new languages and language features) a taxonomy of software security flaws will be a living and changing entity. Additional characteristics that must be considered include:  Program vulnerabilities are usually a combination of security flaws  Mutual flaw exclusion will be difficult to deal with (examples : authentication vs. logic flaw problem)  Some of the flaws in the taxonomy cannot be identified by tools today  Some flaws have never been seen in real world code… yet  Some flaws can be introduced at multiple points in the SDLC

17 OWASP AppSec DC 2005 A Taxonomy of Software Security Flaws and their Point of Introduction in the SDLC One of the first steps in comparing tools of the same class is to determine what software flaws all tools of that class should be able to identify. The following hierarchical classification of software flaw root causes is taken from Secure Software’s CLASP V1.1 Training Manual identify range and type errors Stack overflow – (requirements, design, implementation) Command injection (design, implementation) Double Free (implementation) identify environmental problems Resource exhaustion (design, implementation) identify synchronization and timing errors TOCTOU (time-of-check time-of-use) race condition (design, implementation) identify protocol errors Use of a broken/risky cryptographic algorithm (design) identify general logic errors  Performing a “chroot” without a “chdir” (implementation)

18 OWASP AppSec DC 2005 Reference Dataset The SAMATE team is creating a reference dataset of test cases to measure SA tool performance against the functions defined for that particular type of tool. Currently, we are focusing on source code scanning tools.  Existing source code material for a reference dataset include:  OWASP WebGoat  Foundstone HacmeBook and HacmeBank  CVE listing of known vulnerabilities  MIT Lincoln Lab Source Code Contribution (1000+ test cases)  Fortify Software Source Code Contribution (80+ test cases)  Both “In the Wild” and “Manufactured” code will be part of the reference dataset  Dataset will include representation of software flaws from the SA security flaw taxonomy  The SAMATE Reference Dataset will include testing artifacts from requirements, modelling and design, implementation and deployment phases of the SDLC

19 OWASP AppSec DC 2005 Ongoing Work  NIST is developing prototype reference dataset for SA tools, for review by SAMATE working group members  November 7,8 -- Workshop on Software Security Assurance Tools, Techniques, and Metrics, Long Beach, CA (  DAY #1 – Papers  DAY #2 - “Target Practice” for source code scanner tool developers against SAMATE SA Tool Reference Dataset  Continue work through SAMATE focus groups (online and at follow-on workshops) to refine:  a taxonomy of common functions for source code scanners  a common taxonomy of software security flaws  content of a reference dataset for testing SA tools

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.