Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Presentation transcript:

Today Everything’s Connected. When this Other System gets subverted through an unpatched vulnerability, a misconfiguration, or an application weakness… Your System is attackable…

CVE 1999 to 2000 to 2012

Vulnerability Type Trends: A Look at the CVE List ( )

Removing and Preventing the Vulnerabilities Requires More Specific Definitions… CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (79)
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (80)
Improper Neutralization of Script in an Error Message Web Page (81)
Improper Neutralization of Script in Attributes of IMG Tags in a Web Page (82)
Improper Neutralization of Script in Attributes in a Web Page (83)
Improper Neutralization of Encoded URI Schemes in a Web Page (84)
Doubled Character XSS Manipulations (85)
Improper Neutralization of Invalid Characters in Identifiers in Web Pages (86)
Improper Neutralization of Alternate XSS Syntax (87)

Improper Restriction of Operations within the Bounds of a Memory Buffer (119)
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (120)
Write-what-where Condition (123)
Out-of-bounds Read (125)
Improper Handling of Length Parameter Inconsistency (130)
Improper Validation of Array Index (129)
Return of Pointer Value Outside of Expected Range (466)
Access of Memory Location Before Start of Buffer (786)
Access of Memory Location After End of Buffer (788)
Buffer Access with Incorrect Length Value (805)
Untrusted Pointer Dereference (822)
Use of Out-of-range Pointer Offset (823)
Access of Uninitialized Pointer (824)
Expired Pointer Dereference (825)

Path Traversal (22)
Relative Path Traversal (23)
Path Traversal: '../filedir' (24)
Path Traversal: '/../filedir' (25)
Path Traversal: '....//' (34)
Path Traversal: '.../...//' (35)
Absolute Path Traversal (36)
Path Traversal: '/absolute/pathname/here' (37)
Path Traversal: '\absolute\pathname\here' (38)
Path Traversal: 'C:dirname' (39)
Path Traversal: '\\UNC\share\name\' (Windows UNC Share) (40)

Common Weakness Enumeration (CWE) – 700+

What is wrong with this picture? Wouldn’t it be nice if the weaknesses in software were as easy to spot and their impact as easy to understand as a screen door in a submarine…

CWE Compatibility & Effectiveness Program cwe.mitre.org/compatible/ (launched Feb 2007)

Direct Contributors to the 2011 CWE/SANS Top 25
Organizations: Red Hat Inc.; Secunia (Denmark); CERIAS, Purdue University; CAST Software; NetBSD; Symantec Corporation; Veracode, Inc.; Grammatech Inc.; IPA (Japan); IBM; Ellumen, Inc.; McAfee; SAIC; SRI International; UC Davis; MITRE; White Hat Security; KRvW Associates; Oracle Corporation; Fortify Software, an HP Company; ThinkSec; Tata Consultancy Services (TCS); Motorola Solutions; RSA, the Security Division of EMC
Individuals: Mark J. Cox; Carsten Eiram; Pascal Meunier; Razak Ellafi & Bonsignour; David Maxwell; Cassio Goldschmidt & Mahesh Saptarshi; Chris Eng; Paul Anderson; Masato Terada; Bernie Wong; Dennis Seymour; Kent Landfield; Hart Rossman; Jeremy Epstein; Matt Bishop; Adam Hahn & Sean Barnum; Jeremiah Grossman; Kenneth van Wyk; Bruce Lowenthal; Jacob West; Frank Kim; Christian Heinrich (Australia); Ketan Vyas; Joe Baum; Matthew Coles, Aaron Katz & Nazira Omuralieva
Sponsors: National Security Agency (NSA) Information Assurance Division; Department of Homeland Security (DHS) National Cyber Security Division

CWE/SANS Top 25
3 years running
Latest version published in June 2011
Survey results from over 25 organizations
41 CWE entries nominated
CWSS 0.8 used to rank results – Technical Impact, Prevalence, Likelihood of Exploit
Published pocket guide for mitigating the Top 25 (and other weaknesses, too)

CWE Outreach: A Team Sport May/June Issue of IEEE Security & Privacy…

16 July 2010

CWE/SANS 2010 Top 25 Most Dangerous Software Errors
[1] CWE-79 Cross-site Scripting
[2] CWE-89 SQL Injection
[3] CWE-120 Classic Buffer Overflow
[4] CWE-352 Cross-Site Request Forgery (CSRF)
[5] CWE-285 Improper Authorization
[6] CWE-807 Reliance on Untrusted Inputs in a Security Decision
[7] CWE-22 Path Traversal
[8] CWE-434 Unrestricted Upload of File with Dangerous Type
[9] CWE-78 OS Command Injection
[10] CWE-311 Missing Encryption of Sensitive Data
[11] CWE-798 Use of Hard-coded Credentials
[12] CWE-805 Buffer Access with Incorrect Length Value
[13] CWE-98 PHP File Inclusion
[14] CWE-129 Improper Validation of Array Index
[15] CWE-754 Improper Check for Unusual or Exceptional Conditions
[16] CWE-209 Information Exposure Through an Error Message
[17] CWE-190 Integer Overflow or Wraparound
[18] CWE-131 Incorrect Calculation of Buffer Size
[19] CWE-306 Missing Authentication for Critical Function
[20] CWE-494 Download of Code Without Integrity Check
[21] CWE-732 Incorrect Permission Assignment for Critical Resource
[22] CWE-770 Allocation of Resources Without Limits or Throttling
[23] CWE-601 Open Redirect
[24] CWE-327 Use of a Broken or Risky Cryptographic Algorithm
[25] CWE-362 Race Condition
[26] CWE-749 Exposed Dangerous Method or Function
[27] CWE-307 Improper Restriction of Excessive Auth. Attempts
[28] CWE-212 Improper Cross-boundary Removal of Sensitive Data
[29] CWE-330 Use of Insufficiently Random Values
[30] CWE-59 Link Following
[31] CWE-134 Uncontrolled Format String
[32] CWE-476 NULL Pointer Dereference
[33] CWE-681 Incorrect Conversion between Numeric Types
[34] CWE-426 Untrusted Search Path
[35] CWE-454 External Initialization of Trusted Variables or Data Stores
[36] CWE-416 Use After Free
[37] CWE-772 Missing Release of Resource after Effective Lifetime
[38] CWE-799 Improper Control of Interaction Frequency
[39] CWE-456 Missing Initialization
[40] CWE-672 Operation on a Resource after Expiration or Release
[41] CWE-804 Guessable CAPTCHA
CWE-119 CWE-706 CWE-834 CWE-637

Leveraging and Managing to take Advantage of the Multiple Perspectives of Analysis
Total Potential Security Weaknesses
Dynamic Analysis: SQL Injection, Cross Site Scripting, HTTP Response Splitting, OS Commanding, LDAP Injection, …
Static Analysis: Null Pointer Dereference, Threading Issues, Issues in Dead Code, Insecure Crypto Functions, …
Other: Environment Configuration Issues, Issues in integrations of modules, Runtime Privileges Issues, Protocol Parser/Serializer Issues, Issues in 3rd party components, …
Application Logic Issues

System & System Security Engineering Trades
Known Threat Actors – Attack Patterns (CAPECs) – Weaknesses (CWEs) – Controls* – Technical Impacts – Operational Impacts
Item: Attack, Function, Asset, Impact (relating Weakness, Asset, Attack and Impact)
* Controls include architecture choices, design choices, added security functions, activities & processes, physical decomposition choices, code assessments, design reviews, dynamic testing, and pen testing
ISO/IEC Technical Report 20004: Refining Software Vulnerability Analysis Under ISO/IEC and ISO/IEC 18045

Technical Impacts – Common Consequences

Technical Impacts – Common Weakness Risk Analysis Framework (CWRAF)
1. Modify data
2. Read data
3. DoS: unreliable execution
4. DoS: resource consumption
5. Execute unauthorized code or commands
6. Gain privileges / assume identity
7. Bypass protection mechanism
8. Hide activities

CWRAF/CWSS in a Nutshell
W is all possible weaknesses; Wd is all known weaknesses (CWE).

Common Weakness Risk Analysis Framework (CWRAF)
Multiple pieces – we’ll focus on “Vignettes”
Technical Impacts: 1. Modify data; 2. Read data; 3. DoS: unreliable execution; 4. DoS: resource consumption; 5. Execute unauthorized code or commands; 6. Gain privileges / assume identity; 7. Bypass protection mechanism; 8. Hide activities
Technical Impact Scorecard (Weightings): W1=10, W2=0, W3=0, W4=0, W5=0, W6=0, W7=0, W8=0

CWRAF/CWSS in a Nutshell
W is all possible weaknesses; Wd is all known weaknesses (CWE).
CWSS Scoring Engine + “Vignette” → Most Important Weaknesses (user-defined cutoff)
CWSS Score  CWE
97  CWE-79
95  CWE-78
94  CWE-22
94  CWE
…   CWE-131
…

What types of attacks should I test my system against? Common Attack Pattern Enumeration and Classification (CAPEC)
W is all possible weaknesses; Wd is all known weaknesses (CWE).
CWSS Scoring Engine → Most Important Weaknesses
CWSS Score  CWE
97  CWE-79
95  CWE-78
94  CWE-22
94  CWE
…   CWE-131
…
CWE      Related CAPEC IDs
CWE-79   CAPEC-232, CAPEC-106, CAPEC-19, …
CWE-78   CAPEC-108, CAPEC-15, CAPEC-43, CAPEC-6, …
…        …
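As an added example (not code from the MITRE deck), a small Python model of the vignette step these slides describe: a Technical Impact Scorecard weights the eight impacts, each CWE is scored by the impacts it can cause, a user-defined cutoff yields the Most Important Weaknesses list, and the CWE-to-CAPEC mapping turns that list into the attack patterns to test against. The scoring rule and the CWE-to-impact table are simplifying assumptions, not the real CWSS formula.

```python
"""Simplified CWRAF-style vignette ranking (added example, not MITRE's code).
Assumed scoring: a CWE's score is the share of a vignette's Technical Impact
Scorecard weight (W1..W8, each 0..10) that its impacts carry; CWSS proper uses
a richer formula. The CWE-to-impact table is constructed for illustration."""

# Technical impacts, numbered 1..8 as on the CWRAF slide.
TECHNICAL_IMPACTS = {
    1: "Modify data", 2: "Read data", 3: "DoS: unreliable execution",
    4: "DoS: resource consumption", 5: "Execute unauthorized code or commands",
    6: "Gain privileges / assume identity", 7: "Bypass protection mechanism",
    8: "Hide activities",
}

# Constructed: impact numbers each CWE can cause (approximating CWE "Common Consequences").
CWE_IMPACTS = {
    "CWE-79": {5, 2, 7},      # XSS: run script, read data, bypass protection
    "CWE-78": {5, 1, 2, 8},   # OS command injection
    "CWE-22": {2, 1},         # path traversal: read/modify files
    "CWE-131": {5, 2, 3},     # buffer size miscalculation
    "CWE-770": {4},           # unthrottled allocation
}

# CWE -> related CAPEC attack patterns, as listed on the slide.
CWE_TO_CAPEC = {
    "CWE-79": ["CAPEC-232", "CAPEC-106", "CAPEC-19"],
    "CWE-78": ["CAPEC-108", "CAPEC-15", "CAPEC-43", "CAPEC-6"],
}

# Scorecards: the slide's (W1=10, rest 0) and a constructed web-banking vignette.
SLIDE_SCORECARD = {1: 10, 2: 0, 3: 0, 4: 0, 5: 0, 6: 0, 7: 0, 8: 0}
BANKING_SCORECARD = {1: 8, 2: 9, 3: 3, 4: 4, 5: 10, 6: 9, 7: 7, 8: 5}


def validate_scorecard(scorecard):
    """Exactly the eight impacts, each weighted 0..10, not all zero."""
    if set(scorecard) != set(TECHNICAL_IMPACTS):
        raise ValueError("scorecard must weight exactly impacts 1..8")
    if any(not 0 <= w <= 10 for w in scorecard.values()) or not any(scorecard.values()):
        raise ValueError("weights must be 0..10 with at least one non-zero")


def score_cwe(scorecard, impacts):
    """0..100: share of the vignette's total weight carried by this CWE's impacts."""
    validate_scorecard(scorecard)
    return round(100 * sum(scorecard[i] for i in impacts) / sum(scorecard.values()), 1)


def most_important_weaknesses(scorecard, cutoff, cwe_impacts=CWE_IMPACTS):
    """Rank CWEs for the vignette, keeping those at or above the user-defined cutoff."""
    ranked = sorted(((cwe, score_cwe(scorecard, imp)) for cwe, imp in cwe_impacts.items()),
                    key=lambda pair: (-pair[1], pair[0]))
    return [(cwe, s) for cwe, s in ranked if s >= cutoff]


def attack_test_plan(ranked, cwe_to_capec=CWE_TO_CAPEC):
    """For each remaining weakness, the CAPEC attack patterns to test against."""
    return {cwe: cwe_to_capec.get(cwe, []) for cwe, _ in ranked}


if __name__ == "__main__":
    for cwe, s in most_important_weaknesses(BANKING_SCORECARD, cutoff=40):
        print(f"{s:5.1f}  {cwe}  test against: {attack_test_plan([(cwe, s)])[cwe]}")
```

With the slide's own scorecard (only "Modify data" weighted) every CWE that cannot modify data scores 0, which is the point of a vignette: the same CWE list ranks differently for different deployments.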

Scoring Weaknesses Discovered in Code using CWSS

Organizations that have declared plans to support CWSS in their future offerings and are working with MITRE to help evolve CWSS to meet their customers’ and the community’s needs for a scoring system for software errors.

CWE Coverage – Implemented…

Which static analysis tools and Pen Testing services find the CWEs I care about? Utilizing CWE Coverage Claims
Most Important Weaknesses (CWEs) compared against the CWEs a capability claims to cover: Code Review, Static Analysis Tool A, Static Analysis Tool B, Pen Testing Services

Leveraging and Managing to take Advantage of the Multiple Perspectives of Analysis
Different perspectives are effective at finding different types of weaknesses. Some are good at finding the cause and some at finding the effect.
Perspectives: Static Code Analysis, Penetration Test, Data Security Analysis, Code Review, Architecture Risk Analysis
Cross-Site Scripting (XSS): XXX
SQL Injection: XXX
Insufficient Authorization Controls: XXX X
Broken Authentication and Session Management: XXX X
Information Leakage: XX X
Improper Error Handling: X
Insecure Use of Cryptography: XX X
Cross Site Request Forgery (CSRF): XX
Denial of Service: XXX X
Poor Coding Practices: XX

Review of Architecture and Design: Architecture Analysis, Design Review
Review of Code: Source Code Static Analysis, Binary Static Analysis
Review of Live System: Automated Dynamic Analysis, Penetration Testing, Red Team Assessment
Technical impacts: (1) Modify data; (2) Read Data; (3) DoS: unreliable execution; (4) DoS: resource consumption; (5) Execute unauthorized code or commands; (6) Gain privileges / assume identity; (7) Bypass protection mechanism; (8) Hide activities

Vulnerability Analysis Focus By Phase and Impact
Phases: Architecture Analysis, Design Review, Source Code Static Analysis, Binary Static Analysis, Automated Dynamic Analysis, Penetration Testing, Red Team Assessment
(1) Modify data: CWE-23, CWE-131, CWE-311
(2) Read Data: CWE-14, CWE-129, CWE-209
(3) DoS: unreliable execution: CWE-36, CWE-476, CWE-406
(4) DoS: resource consumption: CWE-395, CWE-190, CWE-412
(5) Execute unauthorized code or commands: CWE-88, CWE-120, CWE-79
(6) Gain privileges / assume identity: CWE-96, CWE-489, CWE-309
(7) Bypass protection mechanism: CWE-89, CWE-357, CWE-665
(8) Hide activities: CWE-78, CWE-168, CWE-444
Weakness names shown on the slide: OS Command Injection; SQL Injection; Static Code Injection; Argument Injection; Use of NullPointerException; Absolute Path Traversal; Compiler Removal of Buffer Clearing; Relative Path Traversal; Improper Handling of Inconsistent; Insufficient UI Warning of Dangerous; Leftover Debug Code; Buffer Overflow; Integer Overflow; Null Pointer Dereference; Improper Validation of Array Index; Incorrect Calculation of Buffer Size; HTTP Request Smuggling; Improper Initialization; Use of Password System for Primary Authentication; Cross-site Scripting; Unrestricted Externally Accessible Lock; Network Amplification; Information Exposure Through an Error Message; Missing Encryption of Sensitive Data

Contact Info