Nullcon Goa 2010 (http://nullcon.net) Tracking the Progress of an SDL Program - Cassio Goldschmidt.



Who am I?
Cassio Goldschmidt, Sr. Manager, Product Security – Symantec
Education: MBA, USC; MS Software Engineering, SCU; BSCS, PUCRS; CSSLP, (ISC)2
When I'm not in the office: Volleyball (indoor, beach); Coding… for way too long!; Gym…

Typical Project Lifecycle

Exercise type: CWE

Number of Reps: Number of Findings

Exercise Intensity: CVSS

nullcon Goa 2010 (http://nullcon.net) Common Weakness Enumeration

Common Weakness Enumeration: What is it?
- A common language for describing software security weaknesses
- Maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS)
- Hierarchical: each individual CWE represents a single vulnerability type; deeper levels of the tree provide finer granularity, higher levels provide a broad overview of a vulnerability class

Common Weakness Enumeration Portion of CWE structure

What data is available for each CWE?
- Weakness description
- Applicable platforms and programming languages
- Common Consequences
- Likelihood of Exploit
- Coding Examples
- Potential Mitigations
- Related Attacks
- Time of Introduction
- Taxonomy Mapping
- Link to CWE Page on XSS

How useful is this information? Pie chart showing the frequency of CWEs found in penetration tests

nullcon Goa 2010 (http://nullcon.net) Common Vulnerability Scoring System

Common Vulnerability Scoring System: What is it?
- Objective (and "perfect enough") metric
- A universal way to convey vulnerability severity
- Can be used for competitive analysis
- CVSS score ranges between 0.0 and 10.0; can be expressed as high, medium, low as well
- Composed of 3 vectors:
  - Base: represents general vulnerability severity, intrinsic and immutable
  - Temporal: time-dependent qualities of a vulnerability
  - Environmental: qualities of a vulnerability specific to a particular IT environment

Common Vulnerability Scoring System: BASE Vector

Exploitability metrics:

| Access Vector    | Access Complexity | Authentication     |
|------------------|-------------------|--------------------|
| Network          | High              | None               |
| Adjacent Network | Medium            | Single Instance    |
| Local            | Low               | Multiple Instances |
| Undefined        | Undefined         | Undefined          |

Impact metrics:

| Confidentiality | Integrity | Availability |
|-----------------|-----------|--------------|
| None            | None      | None         |
| Partial         | Partial   | Partial      |
| Complete        | Complete  | Complete     |
| Undefined       | Undefined | Undefined    |

Sample Score: 7.5
Sample Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Every CVSS score should be accompanied by the corresponding vector.

Common Vulnerability Scoring System (CVSS) The Calculator

nullcon Goa 2010 (http://nullcon.net) Hands on Demo

CWE and CVSS use in Practice: Code Review

```cpp
// Deliberately vulnerable code from the demo slide; the length check is the bug under discussion.
void CHTMLEngine::SetPost(CBufferedInput& buf, unsigned int length, string& multipart)
{
    m_post = true;
    if (length <= 0)              // only catches 0: length is unsigned, so -1 becomes UINT_MAX
        return;
    char* pData = new char[length + 1];   // length + 1 wraps to 0 when length == UINT_MAX
    memset(pData, 0, length + 1);
    // Read the POSTed data into a buffer
    int totalBytesRead = 0;
    int bytesRead = 0;
    while (length - totalBytesRead > 0) {
        bytesRead = buf.Read(pData + totalBytesRead, length - totalBytesRead);
        if (bytesRead == -1) {
            DTRACE(1, "EOF error reading POSTed data.");
            break;
        }
        totalBytesRead += bytesRead;
    }
    m_post_data = pData;
    m_mp_boundary = multipart;
    delete[] pData;
}
```

What if I make length = -1? new char[0] calls malloc(0), which succeeds! Next, attacker-controlled data either overflows the heap or crashes. The check doesn't quite work – length is unsigned.

Code Review result for the SetPost function above: Buffer Overflow CWE: ; CVSS 2: 7.6; CVSS 2 Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

nullcon Goa 2010 (http://nullcon.net) Training and Metrics

Training and Metrics: A special activity in the SDL
- Security training is what food is to a workout
- The same workout metrics do not apply
- Quality of your intake affects overall performance
- Staff needs ongoing training

Training and Metrics: Security Learning Process
Pre class → Class → Fixation Exercises → Post Class Survey → Keeping Staff Current

Security Learning Process: Pre class
Understand who is the audience:
- Previous knowledge about secure coding and secure testing
- Programming languages in use
- Supported platforms
- Type of product

Security Learning Process: Class
Train everyone involved in the SDL:
- Developers: Secure Coding, Threat Model
- QA: Security Testing, Tools
- Managers: Secure Development Lifecycle (also known as Symmunize)

Security Learning Process: Fixation Exercises
Quality Assurance - Capture the flag:
- Use Beta software
- Approximately 3 hours long
- Top 3 finders receive prizes and are invited to explain to the rest of the group what techniques and tools they used to find the vulnerabilities

Security Learning Process: Post Class Survey
- Anonymous
- Metrics: class content, instructor knowledge, exercises

Training and Metrics Security awareness is more than training

nullcon Goa 2010 (http://nullcon.net) Conclusions and final thoughts

Why does this approach make sense?
- Compare apples to apples
- Quantify results in a meaningful way to "C" executives
  – Past results can be used to explain the impact of new findings
  – Can be simplified to a number from 1-10 or a semaphore (green, yellow and red)
  – Can be used for competitive analysis
- Harder to game CVSS
- CWE can be easily mapped to different taxonomies

nullcon Goa 2010 (http://nullcon.net) Thank You!