1
Measuring and Managing Software Security
Robert A. Martin
20 March 2013
© 2012 The MITRE Corporation. All rights reserved.
2
Today Everything's Connected. When this other system gets subverted through an un-patched vulnerability, a mis-configuration, or an application weakness… your system is attackable.
7
CVE 1999 to 2000 to 2012
8
Vulnerability Type Trends: A Look at the CVE List (2001 - 2007)
9
Removing and Preventing the Vulnerabilities Requires More Specific Definitions… CWEs

Cross-site scripting family:
- CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  - CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  - CWE-81 Improper Neutralization of Script in an Error Message Web Page
  - CWE-82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
  - CWE-83 Improper Neutralization of Script in Attributes in a Web Page
  - CWE-84 Improper Neutralization of Encoded URI Schemes in a Web Page
  - CWE-85 Doubled Character XSS Manipulations
  - CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
  - CWE-87 Improper Neutralization of Alternate XSS Syntax

Memory buffer family:
- CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
  - CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  - CWE-123 Write-what-where Condition
  - CWE-125 Out-of-bounds Read
  - CWE-130 Improper Handling of Length Parameter Inconsistency
  - CWE-129 Improper Validation of Array Index
  - CWE-466 Return of Pointer Value Outside of Expected Range
  - CWE-786 Access of Memory Location Before Start of Buffer
  - CWE-788 Access of Memory Location After End of Buffer
  - CWE-805 Buffer Access with Incorrect Length Value
  - CWE-822 Untrusted Pointer Dereference
  - CWE-823 Use of Out-of-range Pointer Offset
  - CWE-824 Access of Uninitialized Pointer
  - CWE-825 Expired Pointer Dereference

Path traversal family:
- CWE-22 Path Traversal
  - CWE-23 Relative Path Traversal
  - CWE-24 Path Traversal: '../filedir'
  - CWE-25 Path Traversal: '/../filedir'
  - CWE-34 Path Traversal: '....//'
  - CWE-35 Path Traversal: '.../...//'
  - CWE-36 Absolute Path Traversal
  - CWE-37 Path Traversal: '/absolute/pathname/here'
  - CWE-38 Path Traversal: '\absolute\pathname\here'
  - CWE-39 Path Traversal: 'C:dirname'
  - CWE-40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
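The path traversal children above are not hair-splitting: CWE-34 ('....//') and CWE-35 ('.../...//') exist because a common "fix" for CWE-24, stripping "../" in a single pass, leaves a fresh "../" behind and is bypassed. The following is an added example (not code from the presentation or from MITRE) that puts that weak filter beside a canonicalise-then-check resolver and runs both over one constructed input per CWE-22 child. The base directory /srv/app/uploads, the function names and the sample inputs are all assumptions for the illustration.

```python
import posixpath

# Hypothetical base directory the application is supposed to confine file reads to.
BASE_DIR = "/srv/app/uploads"


def naive_resolve(user_path):
    """The weak pattern: one pass that strips '../' and trusts the remainder.
    This is exactly the filter CWE-34 ('....//') and CWE-35 ('.../...//') are
    written against: a single removal pass recreates '../' from the leftovers.
    Returns the normalised path the application would open."""
    stripped = user_path.replace("../", "")
    return posixpath.normpath(posixpath.join(BASE_DIR, stripped))


def safe_resolve(user_path):
    """Canonicalise first, then check containment against BASE_DIR.
    Returns the resolved path, or None if the request would leave BASE_DIR."""
    # Backslashes, drive letters and UNC prefixes (CWE-38/39/40) have no
    # legitimate use in a filename here, so refuse them before any path math.
    if "\\" in user_path or ":" in user_path:
        return None
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_path))
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        return None
    return candidate


def escapes_base(resolved):
    """True if a resolved path points outside BASE_DIR."""
    if resolved is None:
        return False
    return not (resolved == BASE_DIR or resolved.startswith(BASE_DIR + "/"))


# Constructed inputs, each tagged with the CWE-22 child it corresponds to.
SAMPLES = [
    ("CWE-22 benign", "report.txt"),
    ("CWE-24", "../etc/passwd"),
    ("CWE-25", "/../etc/passwd"),
    ("CWE-34", "....//etc/passwd"),
    ("CWE-35", ".../...//etc/passwd"),
    ("CWE-36/37", "/etc/passwd"),
    ("CWE-38", "\\etc\\passwd"),
    ("CWE-39", "C:dirname"),
    ("CWE-40", "\\\\server\\share\\name"),
]


def compare():
    """Return {cwe: (naive filter lets the path escape, safe resolver rejects it)}."""
    out = {}
    for cwe, p in SAMPLES:
        out[cwe] = (escapes_base(naive_resolve(p)), safe_resolve(p) is None)
    return out


if __name__ == "__main__":
    for cwe, (naive_bad, safe_rej) in compare().items():
        print(f"{cwe:14} naive filter escapes base: {str(naive_bad):5}  "
              f"safe resolver rejects: {safe_rej}")
```

Two things to notice in the output. The naive filter "handles" CWE-24 and is beaten by CWE-25, CWE-34, CWE-35 and CWE-36/37, which is why each of those has its own entry. The canonicalising resolver does not reject the CWE-34 and CWE-35 inputs: after normalisation they name an odd directory ("....") inside the base, which is harmless, and that is the point of checking the final path rather than pattern-matching the input.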
10
Common Weakness Enumeration (CWE) – 700+
11
What is wrong with this picture? Wouldn’t it be nice if the weaknesses in software were as easy to spot and their impact as easy to understand as a screen door in a submarine…
12
CWE Compatibility & Effectiveness Program (launched Feb 2007): cwe.mitre.org/compatible/ (counts shown on the slide: 39 and 69)
15
Direct Contributors to the 2011 CWE/SANS Top 25
- Red Hat Inc. – Mark J. Cox
- Secunia (Denmark) – Carsten Eiram
- CERIAS, Purdue University – Pascal Meunier
- CAST Software – Razak Ellafi & Bonsignour
- NetBSD – David Maxwell
- Symantec Corporation – Cassio Goldschmidt & Mahesh Saptarshi
- Veracode, Inc. – Chris Eng
- Grammatech Inc. – Paul Anderson
- IPA (Japan) – Masato Terada
- IBM – Bernie Wong
- Ellumen, Inc. – Dennis Seymour
- McAfee – Kent Landfield
- SAIC – Hart Rossman
- SRI International – Jeremy Epstein
- UC Davis – Matt Bishop
- MITRE – Adam Hahn & Sean Barnum
- White Hat Security – Jeremiah Grossman
- KRvW Associates – Kenneth van Wyk
- Oracle Corporation – Bruce Lowenthal
- Fortify Software, an HP Company – Jacob West
- ThinkSec – Frank Kim
- Christian Heinrich (Australia)
- Tata Consultancy Services (TCS) – Ketan Vyas
- Motorola Solutions – Joe Baum
- RSA, the Security Division of EMC – Matthew Coles, Aaron Katz & Nazira Omuralieva
- National Security Agency (NSA) Information Assurance Division
- Department of Homeland Security (DHS) National Cyber Security Division
16
CWE/SANS Top 25
- 3 years running
- Latest version published in June 2011
- Survey results from over 25 organizations
- 41 CWE entries nominated
- CWSS 0.8 used to rank results: Technical Impact, Prevalence, Likelihood of Exploit
- Published pocket guide for mitigating the Top 25 (and other weaknesses, too)
23
CWE Outreach: A Team Sport May/June Issue of IEEE Security & Privacy…
24
16 July 2010
28
CWE/SANS 2010 Top 25 Most Dangerous Software Errors
[1] CWE-79 Cross-site Scripting
[2] CWE-89 SQL Injection
[3] CWE-120 Classic Buffer Overflow
[4] CWE-352 Cross-Site Request Forgery (CSRF)
[5] CWE-285 Improper Authorization
[6] CWE-807 Reliance on Untrusted Inputs in a Security Decision
[7] CWE-22 Path Traversal
[8] CWE-434 Unrestricted Upload of File with Dangerous Type
[9] CWE-78 OS Command Injection
[10] CWE-311 Missing Encryption of Sensitive Data
[11] CWE-798 Use of Hard-coded Credentials
[12] CWE-805 Buffer Access with Incorrect Length Value
[13] CWE-98 PHP File Inclusion
[14] CWE-129 Improper Validation of Array Index
[15] CWE-754 Improper Check for Unusual or Exceptional Conditions
[16] CWE-209 Information Exposure Through an Error Message
[17] CWE-190 Integer Overflow or Wraparound
[18] CWE-131 Incorrect Calculation of Buffer Size
[19] CWE-306 Missing Authentication for Critical Function
[20] CWE-494 Download of Code Without Integrity Check
[21] CWE-732 Incorrect Permission Assignment for Critical Resource
[22] CWE-770 Allocation of Resources Without Limits or Throttling
[23] CWE-601 Open Redirect
[24] CWE-327 Use of a Broken or Risky Cryptographic Algorithm
[25] CWE-362 Race Condition
[26] CWE-749 Exposed Dangerous Method or Function
[27] CWE-307 Improper Restriction of Excessive Authentication Attempts
[28] CWE-212 Improper Cross-boundary Removal of Sensitive Data
[29] CWE-330 Use of Insufficiently Random Values
[30] CWE-59 Link Following
[31] CWE-134 Uncontrolled Format String
[32] CWE-476 NULL Pointer Dereference
[33] CWE-681 Incorrect Conversion between Numeric Types
[34] CWE-426 Untrusted Search Path
[35] CWE-454 External Initialization of Trusted Variables or Data Stores
[36] CWE-416 Use After Free
[37] CWE-772 Missing Release of Resource after Effective Lifetime
[38] CWE-799 Improper Control of Interaction Frequency
[39] CWE-456 Missing Initialization
[40] CWE-672 Operation on a Resource after Expiration or Release
[41] CWE-804 Guessable CAPTCHA
Also referenced on the slide: CWE-119, CWE-706, CWE-834, CWE-637
30
Total Potential Security Weaknesses: Leveraging and Managing to take Advantage of the Multiple Perspectives of Analysis
- Found by dynamic analysis: Environment Configuration Issues; Issues in integrations of modules; Runtime Privileges Issues; Protocol Parser/Serializer Issues; Issues in 3rd party components; …
- Found by static analysis: Null Pointer Dereference; Threading Issues; Issues in Dead Code; Insecure Crypto Functions; …
- Found by both: SQL Injection; Cross Site Scripting; HTTP Response Splitting; OS Commanding; LDAP Injection; …
- Outside both circles: Application Logic Issues
31
System & System Security Engineering Trades
Elements of the diagram: Known Threat Actors; Attack Patterns (CAPECs); Weaknesses (CWEs); Controls*; Technical Impacts; Operational Impacts. The links between them are labelled Attack, Weakness, Asset, Function, Item and Impact.
* Controls include architecture choices, design choices, added security functions, activities & processes, physical decomposition choices, code assessments, design reviews, dynamic testing, and pen testing.
Reference: ISO/IEC Technical Report 20004: Refining Software Vulnerability Analysis Under ISO/IEC 15408 and ISO/IEC 18045
32
Technical Impacts – Common Consequences
33
Technical Impacts – Common Weakness Risk Analysis Framework (CWRAF)
1. Modify data
2. Read data
3. DoS: unreliable execution
4. DoS: resource consumption
5. Execute unauthorized code or commands
6. Gain privileges / assume identity
7. Bypass protection mechanism
8. Hide activities
34
CWRAF/CWSS in a Nutshell: W is all possible weaknesses; Wd, a subset of W, is all known weaknesses (CWE).
35
Common Weakness Risk Analysis Framework (CWRAF): multiple pieces – we'll focus on "Vignettes"
Technical Impacts: 1. Modify data; 2. Read data; 3. DoS: unreliable execution; 4. DoS: resource consumption; 5. Execute unauthorized code or commands; 6. Gain privileges / assume identity; 7. Bypass protection mechanism; 8. Hide activities
Technical Impact Scorecard (weightings): W1=10, W2=0, W3=0, W4=0, W5=0, W6=0, W7=0, W8=0
36
CWRAF/CWSS in a Nutshell: W is all possible weaknesses; Wd is all known weaknesses (CWE). A "Vignette" feeds the CWSS Scoring Engine, which ranks CWEs; a user-defined cutoff yields the Most Important Weaknesses.
CWSS Score – CWE
97 – CWE-79
95 – CWE-78
94 – CWE-22
94 – CWE-434
94 – CWE-798
93 – CWE-120
93 – CWE-250
92 – CWE-770
91 – CWE-829
91 – CWE-190
91 – CWE-494
90 – CWE-134
90 – CWE-772
90 – CWE-476
90 – CWE-131
…
37
What types of attacks should I test my system against? Common Attack Pattern Enumeration and Classification (CAPEC)
Starting from the CWSS-ranked Most Important Weaknesses shown on the previous slide, each CWE is mapped to its related CAPEC IDs:
- CWE-79: CAPEC-232, CAPEC-106, CAPEC-19, …
- CWE-78: CAPEC-108, CAPEC-15, CAPEC-43, CAPEC-6, …
- …
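The vignette pipeline on the last few slides (technical impact scorecard → weighted ranking → cutoff → related CAPECs) is compact enough to show end to end. The block below is an added example, not CWRAF/CWSS code from MITRE: it uses the eight technical impacts and the slide's W1=10 scorecard as given, but the per-CWE impact sets are a constructed, simplified subset of each entry's common consequences, the second "web application" scorecard is invented, and the aggregation (take the highest weight among a weakness's impacts) is a deliberate simplification of the real CWSS arithmetic. The CWE→CAPEC mapping is the one on the slide.

```python
# Eight CWRAF technical impacts, numbered as on the slide (W1..W8).
TECHNICAL_IMPACTS = [
    "Modify data",
    "Read data",
    "DoS: unreliable execution",
    "DoS: resource consumption",
    "Execute unauthorized code or commands",
    "Gain privileges / assume identity",
    "Bypass protection mechanism",
    "Hide activities",
]

# Constructed, simplified subset of each CWE's common consequences.
# Illustrative data only; the real CWE entries list more.
CWE_IMPACTS = {
    "CWE-79": {"Execute unauthorized code or commands", "Read data",
               "Bypass protection mechanism"},
    "CWE-78": {"Execute unauthorized code or commands"},
    "CWE-22": {"Read data", "Modify data"},
    "CWE-476": {"DoS: unreliable execution"},
    "CWE-770": {"DoS: resource consumption"},
    "CWE-798": {"Gain privileges / assume identity", "Bypass protection mechanism"},
    "CWE-209": {"Read data"},
}

# CWE -> related CAPEC entries, as listed on the slide.
CAPEC_FOR_CWE = {
    "CWE-79": ["CAPEC-232", "CAPEC-106", "CAPEC-19"],
    "CWE-78": ["CAPEC-108", "CAPEC-15", "CAPEC-43", "CAPEC-6"],
}


def scorecard(*weights):
    """Build a Technical Impact Scorecard from eight weights W1..W8 (0-10)."""
    if len(weights) != 8:
        raise ValueError("a scorecard needs exactly eight weights")
    return dict(zip(TECHNICAL_IMPACTS, weights))


# The slide's scorecard: only "Modify data" matters (W1=10, W2..W8=0).
MODIFY_ONLY = scorecard(10, 0, 0, 0, 0, 0, 0, 0)
# A constructed vignette for a hypothetical customer-facing web application.
WEB_APP = scorecard(10, 9, 3, 4, 10, 8, 7, 5)


def importance(cwe, weights):
    """Simplified aggregation: the highest weight among the CWE's technical
    impacts. CWSS/CWRAF proper combine more factors; this is the core idea."""
    return max(weights[impact] for impact in CWE_IMPACTS[cwe])


def rank(weights, cutoff):
    """Most Important Weaknesses for a vignette: scored, sorted, cut at `cutoff`.
    Returns [(cwe, score), ...] highest first; ties broken by CWE id."""
    scored = sorted(((importance(c, weights), c) for c in CWE_IMPACTS),
                    key=lambda t: (-t[0], t[1]))
    return [(c, s) for s, c in scored if s >= cutoff]


def attack_patterns(ranked):
    """Answer 'what should I test against?': related CAPECs for the ranked CWEs."""
    return {c: CAPEC_FOR_CWE.get(c, []) for c, _ in ranked}


if __name__ == "__main__":
    print("Slide scorecard (W1=10):", rank(MODIFY_ONLY, cutoff=1))
    top = rank(WEB_APP, cutoff=8)
    print("Web application vignette, cutoff 8:", top)
    for cwe, capecs in attack_patterns(top).items():
        print(f"  {cwe}: test against {capecs or 'no CAPECs listed on the slide'}")
```

With the slide's W1=10 scorecard only CWE-22 (the one constructed entry with a "Modify data" consequence) survives; the same scoring engine with the web application weights ranks the injection and credential weaknesses first and drops the two denial-of-service entries below the cutoff, which is the vignette effect the slides are describing.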
38
Scoring Weaknesses Discovered in Code using CWSS
39
Organizations that have declared plans to support CWSS in their future offerings and are working with MITRE to help evolve CWSS to meet their customers' and the community's needs for a scoring system for software errors.
40
CWE Coverage – Implemented…
41
Which static analysis tools and pen testing services find the CWEs I care about? Utilizing CWE Coverage Claims: compare the Most Important Weaknesses (CWEs) for your vignette against the CWEs each capability claims to cover (Code Review, Static Analysis Tool A, Static Analysis Tool B, Pen Testing Services).
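The coverage-claims comparison on this slide is a set problem, and the two questions a practitioner actually asks are "which of my important CWEs does nobody claim?" and "which capabilities do I need to buy or run to cover the rest?". This added example (not from the presentation, nor any vendor's real compatibility declaration) answers both: the important-weakness list is the head of the CWSS-ranked list from the earlier slide, the four capabilities are the ones named on this slide, and their claimed CWE sets are constructed for the illustration.

```python
# Most Important Weaknesses for a vignette (head of the slide's CWSS-ranked list).
IMPORTANT = ["CWE-79", "CWE-78", "CWE-22", "CWE-434",
             "CWE-798", "CWE-120", "CWE-250", "CWE-770"]

# Hypothetical coverage claims, constructed for this example. Real claims come
# from each vendor's CWE Compatibility declaration.
CLAIMS = {
    "Static Analysis Tool A": {"CWE-79", "CWE-78", "CWE-22", "CWE-120"},
    "Static Analysis Tool B": {"CWE-79", "CWE-22", "CWE-798", "CWE-120", "CWE-476"},
    "Pen Testing Service": {"CWE-79", "CWE-78", "CWE-22", "CWE-434", "CWE-770"},
    "Code Review": {"CWE-798", "CWE-434"},
}


def coverage(important, claims):
    """{capability: fraction of the important CWEs it claims to cover}."""
    want = set(important)
    return {name: len(want & claimed) / len(want) for name, claimed in claims.items()}


def uncovered(important, claims):
    """Important CWEs that no capability claims at all: the real gaps."""
    claimed = set().union(*claims.values())
    return sorted(set(important) - claimed)


def greedy_selection(important, claims):
    """Greedy set cover: repeatedly pick the capability that adds the most
    still-uncovered important CWEs. Returns (chosen capabilities, leftovers).
    Greedy is not always optimal, but it is what a budget meeting can follow."""
    remaining = set(important)
    chosen = []
    while remaining:
        # Most new coverage first; ties broken by name for determinism.
        best = min(claims, key=lambda n: (-len(claims[n] & remaining), n))
        gain = claims[best] & remaining
        if not gain:
            break
        chosen.append(best)
        remaining -= gain
    return chosen, sorted(remaining)


if __name__ == "__main__":
    for name, frac in coverage(IMPORTANT, CLAIMS).items():
        print(f"{name:24} claims {frac:.0%} of the important CWEs")
    print("claimed by nobody:", uncovered(IMPORTANT, CLAIMS))
    chosen, left = greedy_selection(IMPORTANT, CLAIMS)
    print("run these:", chosen, "still uncovered:", left)
```

The interesting output is the leftover, not the percentages: CWE-250 (execution with unnecessary privileges) is in the important list and in no claim, so no combination of the four capabilities closes that gap and it has to be handled by a control outside this tool set.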
42
Leveraging and Managing to take Advantage of the Multiple Perspectives of Analysis
Different perspectives are effective at finding different types of weaknesses; some are good at finding the cause and some at finding the effect.
Perspectives compared: Static Code Analysis, Penetration Test, Data Security Analysis, Code Review, Architecture Risk Analysis. Number of those five perspectives marked as effective for each weakness class on the slide:
- Cross-Site Scripting (XSS): 3
- SQL Injection: 3
- Insufficient Authorization Controls: 4
- Broken Authentication and Session Management: 4
- Information Leakage: 3
- Improper Error Handling: 1
- Insecure Use of Cryptography: 3
- Cross Site Request Forgery (CSRF): 2
- Denial of Service: 4
- Poor Coding Practices: 2
43
Vulnerability Analysis Focus By Phase and Impact
Assessment phases (columns): Review of Architecture and Design (Architecture Analysis, Design Review); Review of Code (Source Code Static Analysis, Binary Static Analysis); Review of Live System (Automated Dynamic Analysis, Penetration Testing, Red Team Assessment).
Technical impacts (rows), with the three example weaknesses placed in each row:
(1) Modify data: CWE-23 Relative Path Traversal; CWE-131 Incorrect Calculation of Buffer Size; CWE-311 Missing Encryption of Sensitive Data
(2) Read data: CWE-14 Compiler Removal of Code to Clear Buffers; CWE-129 Improper Validation of Array Index; CWE-209 Information Exposure Through an Error Message
(3) DoS: unreliable execution: CWE-36 Absolute Path Traversal; CWE-476 NULL Pointer Dereference; CWE-406 Network Amplification
(4) DoS: resource consumption: CWE-395 Use of NullPointerException Catch to Detect NULL Pointer Dereference; CWE-190 Integer Overflow; CWE-412 Unrestricted Externally Accessible Lock
(5) Execute unauthorized code or commands: CWE-88 Argument Injection; CWE-120 Buffer Overflow; CWE-79 Cross-site Scripting
(6) Gain privileges / assume identity: CWE-96 Static Code Injection; CWE-489 Leftover Debug Code; CWE-309 Use of Password System for Primary Authentication
(7) Bypass protection mechanism: CWE-89 SQL Injection; CWE-357 Insufficient UI Warning of Dangerous Operations; CWE-665 Improper Initialization
(8) Hide activities: CWE-78 OS Command Injection; CWE-168 Improper Handling of Inconsistent Special Elements; CWE-444 HTTP Request Smuggling
45
Contact Info cwss@mitre.org cwe@mitre.org