© 2011 The MITRE Corporation. All rights Reserved. Approved for Public Release: Distribution Unlimited

You’re Not Done (Yet): Turning Securable Applications into Secure Installations using SCAP
Charles Schmidt
Sept 23, 2011
Who Am I
■ The MITRE Corporation
  – A U.S. non-profit research company chartered to work in the public interest
  – No products – what we are talking about is free
    ■ Other companies can and have productized this work
■ Charles Schmidt
  – 11 years of work in security automation standards
Engineers Cannot Create Secure Applications
■ Perfect engineering will not produce secure applications
  – “Secure applications” = applications that do their part in protecting an enterprise
■ No flaws, no weaknesses, no bugs - still not secure
Perfect Engineering
[Picture] A very well engineered barrier… … in a sub-optimal configuration
Security
■ Security = well built software that is correctly deployed and managed given an enterprise’s mission needs
  – Developed using good security engineering practices
  – Placed in a user environment, configured, and maintained
■ At best, engineering makes an application securable
■ Why should you care?
  – Because you want your customers and yourself to have actual security, not the illusion thereof
    ■ Otherwise you wouldn’t be here
  – Because most examples of bad configuration are not as obvious as the picture
  – Because you can help
The Missing Link
■ Between the mission experts (users) and the tool experts (engineers)
  – Tool experts know how the app and its supporting infrastructure work
  – Mission experts know the local constraints of their enterprise
  – Not perfect alignment, but there is alignment - otherwise the app would not be usable in the enterprise
■ Engineers may not know the mission of the destination enterprise
■ Engineers do know their general use cases
■ There must be a link for security to be achieved
Documentation vs. Guidance
■ Documentation is the complete guide to an app
■ Guidance is a set of suggestions for how to configure it
■ Analogy:
  – Documentation is a map
  – Guidance is a route
■ Guidance cannot be a straitjacket - variances in mission must be allowed
  – Users can take detours, but let them detour from a well-planned route
Automated Security Guidance
■ Automated security guidance
  – Guidance in a format that supports automated assessment
    ■ A route and an auto-pilot
  – User gets a list of all compliance and non-compliance
    ■ User only becomes involved when there is a need to change something
  – In most enterprises, this will be a minority of items
    ■ User now can focus on critical elements
  – Where their mission requires special configurations
  – Where their configurations do not meet best security practices
  – Use documentation to tell which is which
SCAP
■ US Government’s approach to automated guidance is SCAP
  – Security Content Automation Protocol
  – The unification of a suite of smaller focused standards
    ■ Identifies how these standards work together to support security automation
    ■ All component standards are usable alone – SCAP just shows how to connect them
The Components of SCAP
■ CVE (Common Vulnerabilities and Exposures)
  – Enumeration of software vulnerabilities
■ CVSS (Common Vulnerability Scoring System)
  – Metric used to assign a severity score to vulnerability entries
■ CCE (Common Configuration Enumeration)
  – Enumeration of configurable controls of software
■ CPE (Common Platform Enumeration)
  – Enumeration of identities of software/hardware entities
■ OVAL (Open Vulnerability and Assessment Language)
  – Language to describe tests against system state
■ OCIL (Open Checklist Interactive Language)
  – Language for user questionnaires
■ XCCDF (eXtensible Configuration Checklist Description Format)
  – Language for encapsulating the structure and content of security guidance
Common Vulnerabilities and Exposures (CVE)
■ Enumerate software vulnerabilities – provide a common name
■ Minimal description and references
  – Expanded descriptions available at
Common Vulnerability Scoring System (CVSS)
■ Scores a given vulnerability based on its likely danger
  – Score runs between 0 (no danger) and 10 (extreme danger)
■ Three parts
  – Base – the inherent danger of the vulnerability
    ■ A provider can fill this out ahead of time
  – Temporal – changes over time
    ■ Depends on the maturity of exploits and remediations
  – Environmental – reflects specific dangers to an enterprise
    ■ Depends on how critical the threatened component is and the impact of failure
■ CVSS vectors describe the factors contributing to scores
  – E.g., (AV:N/AC:M/Au:N/C:C/I:C/A:C) = 9.3
    ■ Exploitable over the network
    ■ Exploit is moderately difficult
    ■ No authentication needed
    ■ Critical impact to confidentiality, integrity, and availability
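To show where the 9.3 on the slide comes from, here is an added example (not MITRE's or NIST's code) that parses a CVSS v2 base vector and applies the base equation; the metric weights and rounding rule are taken from the CVSS v2 specification and are not on the slide.

```python
"""CVSS v2 base-score calculator for vectors such as (AV:N/AC:M/Au:N/C:C/I:C/A:C)."""
import re

# Metric weights and the base equation come from the CVSS v2 specification (not the slides).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}        # local, adjacent, network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}      # high, medium, low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}        # multiple, single, none
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}                # none, partial, complete

VECTOR_RE = re.compile(
    r"^\(?AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])\)?$"
)

def parse_vector(vector):
    """Split a base vector into its six metrics; reject anything malformed."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError("not a CVSS v2 base vector: %r" % vector)
    return dict(zip(("AV", "AC", "Au", "C", "I", "A"), m.groups()))

def base_score(vector):
    """Base score rounded to one decimal, per the CVSS v2 base equation."""
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[v["C"]]) * (1 - IMPACT[v["I"]]) * (1 - IMPACT[v["A"]]))
    if impact == 0:          # f(Impact) is 0 when the vulnerability has no impact at all
        return 0.0
    exploitability = 20 * ACCESS_VECTOR[v["AV"]] * ACCESS_COMPLEXITY[v["AC"]] * AUTHENTICATION[v["Au"]]
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)

def explain(vector):
    """Plain-language reading of a vector, in the style of the slide's bullets."""
    v = parse_vector(vector)
    words = {
        "AV": {"L": "requires local access", "A": "exploitable from the adjacent network",
               "N": "exploitable over the network"},
        "AC": {"H": "exploit is difficult", "M": "exploit is moderately difficult", "L": "exploit is easy"},
        "Au": {"M": "multiple authentications needed", "S": "authentication needed",
               "N": "no authentication needed"},
    }
    cia = ", ".join("%s:%s" % (k, {"N": "none", "P": "partial", "C": "complete"}[v[k]]) for k in "CIA")
    return [words["AV"][v["AV"]], words["AC"][v["AC"]], words["Au"][v["Au"]], "impact " + cia]

if __name__ == "__main__":
    vec = "(AV:N/AC:M/Au:N/C:C/I:C/A:C)"
    print(vec, "=", base_score(vec))
    for line in explain(vec):
        print(" -", line)
```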
Common Configuration Enumeration (CCE)
■ Enumerate configuration functions in software
■ Minimal description, possible ways to configure, and references
■ CCEs do not contain recommendations – policy neutral
Common Platform Enumeration (CPE)
■ Means of naming pieces of software/hardware
  – Allows recommendations, vulnerabilities, etc. to be tied to specific software or software sets
■ CPE names are composed of a descriptive URI
  – cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
  – Part is “o” for Operating System, “a” for Application, or “h” for Hardware
  – Empty blocks cover all possible values (e.g. all versions or all editions)
■ Examples:
  – cpe:/o:microsoft:windows_xp::sp1
    ■ Microsoft Windows XP Service Pack 1 (all versions, editions, and languages)
  – cpe:/a:apache:http_server:2.3.6
    ■ Apache Software Foundation Apache HTTP Server 2.3.6
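An added example (not part of the talk) of the naming rule above: it splits a CPE 2.2 URI into its seven blocks and treats an empty block as "any value" when deciding which inventory entries a name applies to. The inventory list is constructed for the example; this is the slide's matching rule only, not a full implementation of the CPE matching specification.

```python
"""Parse CPE 2.2 URIs (cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language})
and match specific names against patterns in which empty components mean 'any value'."""

FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
PARTS = {"o": "Operating System", "a": "Application", "h": "Hardware"}

def parse_cpe(uri):
    """Return a dict of the seven components; omitted trailing components become ''."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    components = uri[len("cpe:/"):].split(":")
    if len(components) > len(FIELDS):
        raise ValueError("too many components: %r" % uri)
    if components[0] not in PARTS:
        raise ValueError("part must be o, a or h: %r" % uri)
    components += [""] * (len(FIELDS) - len(components))
    return dict(zip(FIELDS, components))

def cpe_matches(pattern, name):
    """True when every component of `pattern` is empty (wildcard) or equals `name`'s component."""
    p, n = parse_cpe(pattern), parse_cpe(name)
    return all(p[f] == "" or p[f] == n[f] for f in FIELDS)

def describe(uri):
    """Human-readable form, e.g. for a recommendation's 'applies to' line; '*' marks a wildcard."""
    c = parse_cpe(uri)
    text = "%s: %s %s" % (PARTS[c["part"]], c["vendor"], c["product"])
    for field in FIELDS[3:]:
        text += " %s=%s" % (field, c[field] or "*")
    return text

def applicable(pattern, inventory):
    """Filter an inventory of specific CPE names down to those the pattern applies to."""
    return [name for name in inventory if cpe_matches(pattern, name)]

if __name__ == "__main__":
    # Constructed inventory: the versions, editions and languages are made up for the example.
    inventory = [
        "cpe:/o:microsoft:windows_xp:5.1:sp1:professional:en",
        "cpe:/o:microsoft:windows_xp:5.1:sp2:professional:en",
        "cpe:/a:apache:http_server:2.3.6",
        "cpe:/a:apache:http_server:2.2.19",
    ]
    for pattern in ("cpe:/o:microsoft:windows_xp::sp1", "cpe:/a:apache:http_server:2.3.6"):
        print(describe(pattern), "->", applicable(pattern, inventory))
```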
Extensible Configuration Checklist Description Format (XCCDF)
■ Standard format for security guidance
  – XML format is machine readable and can be converted to human-readable documents
  – Can drive automated assessment of system compliance
■ Tailoring structures allow users to easily customize recommendations and assessments
■ Standardized format allows content to be used by tools from multiple vendors
Sample XCCDF
(Only the text content of the sample XML survived extraction; the surrounding tags were lost.)
Rule title: MLOM_Service automatically enabled
Rule description: The MLOM_Service is required to support the MakeLotsOfMoney web application. Ensure automatic startup to prevent application failure.
Check export: <check-export export-name="oval:developer.com:var:10000" value-id="mlom_service_var"/>
Value title: MLOM_Service automatically enabled
Value description: Defines the startup state of the service
Open Vulnerability and Assessment Language (OVAL)
■ Standardized format to express assertions about system state
  – Describe how to locate system artifacts (registry keys, configuration files, RPM packages, etc.)
  – Describe assertions about the state of these system artifacts
  – Can combine to create sophisticated assertions with many factors
■ Public repositories of OVAL content exist
  – (RedHat Errata)
  – (Public OVAL repository – many platforms)
■ Many uses
  – Vulnerability detection
  – Inventory
  – Configuration assessment
  – Patch detection
■ Many vendor tools ingest OVAL content and produce OVAL results
Sample OVAL (1)
(Only the text content of the sample XML survived extraction; the surrounding tags were lost.)
Definition title: MLOM_Service State
Affected platform: Microsoft Windows 7
Definition description: MLOM_Service start state = automatic
Sample OVAL (2)
(Only the text content of the sample XML survived extraction; the surrounding tags were lost.)
Registry object – hive: HKEY_LOCAL_MACHINE
Registry object – key: SYSTEM\CurrentControlSet\Services\mlomserv
Registry object – name: Start
Registry state – type: reg_dword
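An added example (not the talk's content, and not how an OVAL interpreter is implemented) that evaluates the sample's registry check against a constructed registry snapshot, with the expected Start value fed in through a variable the way the sample XCCDF's check-export hands mlom_service_var to oval:developer.com:var:10000. The snapshot, the default value of 2 and the second service are assumptions; that 2 means "automatic" for a Windows service's Start value is standard Windows behaviour, not something the slides state.

```python
r"""Evaluate the sample's registry check (HKLM\SYSTEM\CurrentControlSet\Services\mlomserv,
value Start, reg_dword) against a constructed snapshot, with the expected value supplied
through a variable the way the sample XCCDF's check-export does."""

# Constructed snapshot: (hive, key, value name) -> (type, data).  Windows service Start
# values: 2 = automatic, 3 = manual, 4 = disabled (standard Windows meaning, not on the slides).
REGISTRY = {
    ("HKEY_LOCAL_MACHINE", r"SYSTEM\CurrentControlSet\Services\mlomserv", "Start"): ("reg_dword", 2),
    ("HKEY_LOCAL_MACHINE", r"SYSTEM\CurrentControlSet\Services\otherserv", "Start"): ("reg_dword", 3),
}

# Mirrors <check-export export-name="oval:developer.com:var:10000" value-id="mlom_service_var"/>:
# the XCCDF Value is exported to the OVAL external variable.  The default of 2 is assumed.
XCCDF_VALUES = {"mlom_service_var": 2}
CHECK_EXPORTS = {"oval:developer.com:var:10000": "mlom_service_var"}

MLOM_KEY = r"SYSTEM\CurrentControlSet\Services\mlomserv"

def external_variable(export_name, values):
    """Resolve an OVAL external variable to the (possibly tailored) XCCDF Value behind it."""
    return values[CHECK_EXPORTS[export_name]]

def registry_test(registry, hive, key, name, expected_type, expected_data):
    """OVAL-style result: 'true', 'false', or 'does not exist' when the object is absent.
    Registry paths and value names are case-insensitive on Windows, so compare them that way."""
    wanted = (hive.lower(), key.lower(), name.lower())
    for (h, k, n), (actual_type, actual_data) in registry.items():
        if (h.lower(), k.lower(), n.lower()) == wanted:
            matched = (actual_type, actual_data) == (expected_type, expected_data)
            return "true" if matched else "false"
    return "does not exist"

def mlom_service_automatic(registry=REGISTRY, values=XCCDF_VALUES):
    """The sample definition 'MLOM_Service start state = automatic'."""
    expected = external_variable("oval:developer.com:var:10000", values)
    return registry_test(registry, "HKEY_LOCAL_MACHINE", MLOM_KEY, "Start", "reg_dword", expected)

if __name__ == "__main__":
    print("default policy:", mlom_service_automatic())
    print("tailored to manual:", mlom_service_automatic(values={"mlom_service_var": 3}))
    print("service missing:", mlom_service_automatic(registry={}))
```

Tailoring the XCCDF Value (for a site where the service is deliberately started on demand) changes the verdict without touching the OVAL definition, which is the point of the check-export indirection.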
Open Checklist Interactive Language (OCIL)
■ Standardized format for user questionnaires
  – Can express question trees, with follow-on questions based on prior responses
  – Can also be used to guide the collection of system findings and evidence
■ Used for…
  – Collection of non-technical assessment information
  – User assessment
■ Newer standard
  – Limited vendor support but expected to grow
Current SCAP-Validated Vendors
■ List of validated vendors and products available at
[Vendor logos] Information current as of May 13, 2011. Logos are trademarked by their respective corporations.
Security Guidance Use Case
■ Publish guidance for an application
  – Authors might be application engineers or third-party integrators
  – Guidance not just for the app, but for the relevant underlying infrastructure
    ■ E.g. web framework or server
  – Reflect the application’s requirements as well as security recommendations
  – May include multiple postures for different cases
    ■ E.g., DMZ installation vs. interior installation
■ From SCAP
  – XCCDF for the guidance framework
  – OVAL for technical checks / OCIL for non-technical checks
  – If a public application, use CCE and CPE to annotate
■ Users utilize it for initial configuration and ongoing maintenance
  – Can tailor policy for local needs
Inventory Management Use Case
■ Name and detect application presence
  – Identify relevant software and versions
  – Identify necessary supporting architecture
■ From SCAP
  – If a public application, register a CPE
  – Define OVAL checks for detection
■ Users can automatically detect instances/versions
  – Alert to rogue instantiations
  – Alert to obsolete versions
  – Correlate to alerts and other information
Vulnerability Management Use Case
■ Alert users to discovered software flaws
  – Provide a means for users to understand and respond appropriately
■ From SCAP
  – If a public app, register a CVE
    ■ If a custom application, CVE is unnecessary
  – Use CVSS to alert users as to the nature of the threat
  – Create OVAL definitions to determine when the flaw has (not) been patched
■ Users gain rapid understanding of the threat (if any)
  – Know the number of issues
  – Know the magnitude of the necessary response
  – Know when their environments are vulnerable and when not
■ Patching failures are a major cause of enterprise vulnerabilities – using automated tools lowers the bar
OWASP Project
■ OWASP OVAL Content Project
  – A recently created project to create OVAL content of interest to the OWASP community
  – Gaurav Kumar – Project leader –
■ This will provide content that can then be part of customized guidance bundles
Conclusion
■ Cannot just provide well built applications
  – Need to provide the link to the user and their enterprise
■ Do not just describe features/use to users
  – Better to provide guidance that covers common cases
  – User gets to work from a baseline instead of first principles
■ Automated guidance is best of all
  – User only needs to pay attention to things that are not “normal”
■ SCAP is an easy, well tested way to provide automated guidance
■ We want to help
  – Mailing lists, documentation, online courses all available
For More Information…
■ More information on the standards
  – CVE – Vulnerabilities;
  – CVSS – Scores severity of vulnerabilities;
  – CCE – Configuration controls;
  – CPE – Platforms/applications;
  – XCCDF – Structuring guidance;
  – OVAL – Checking language;
  – OCIL – Questionnaire language;
  – NVD – Resources for SCAP users;
  – Making Security Measurable – More resources on SCAP and beyond;
■ MITRE provides free training on guidance development
  – See our web site for more information: