
Nullcon Goa 2010 http://nullcon.net Tracking the Progress of an SDL Program - Cassio Goldschmidt.


1 nullcon Goa 2010 http://nullcon.net Tracking the Progress of an SDL Program - Cassio Goldschmidt

2 Who am I?
Cassio Goldschmidt, Sr. Manager, Product Security, Symantec
Education: MBA, USC; MS Software Engineering, SCU; BSCS, PUCRS; CSSLP, (ISC)2
When I'm not in the office… Volleyball (indoor, beach); Coding… for way too long!; Gym…

3 Typical Project Lifecycle

5 Exercise type: CWE

6 Number of reps: Number of findings

7 Exercise intensity: CVSS

9 Common Weakness Enumeration

10 Common Weakness Enumeration: What is it?
A common language for describing software security weaknesses
Maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS)
Hierarchical:
    Each individual CWE entry represents a single weakness type
    Deeper levels of the tree provide finer granularity
    Higher levels provide a broad overview of a class of weakness

11 Common Weakness Enumeration: Portion of the CWE structure (figure)

12 What data is available for each CWE?
    Weakness description
    Applicable platforms and programming languages
    Common consequences
    Likelihood of exploit
    Coding examples
    Potential mitigations
    Related attacks
    Time of introduction
    Taxonomy mapping
    Link to the CWE page on XSS

13 How useful is this information? Pie chart showing the frequency of CWEs found in penetration tests (figure)

14 Common Vulnerability Scoring System

15 Common Vulnerability Scoring System: What is it?
An objective (and "perfect enough") metric
A universal way to convey vulnerability severity
Can be used for competitive analysis
A CVSS score ranges between 0.0 and 10.0; it can also be expressed as Low (0.0...3.9), Medium (4.0...6.9) or High (7.0...10.0)
Composed of 3 metric groups:
    Base: represents general vulnerability severity; intrinsic and immutable
    Temporal: time-dependent qualities of a vulnerability
    Environmental: qualities of a vulnerability specific to a particular IT environment

16 Common Vulnerability Scoring System: Base Vector
Exploitability metrics:
    Access Vector (AV): Network (N), Adjacent Network (A), Local (L)
    Access Complexity (AC): High (H), Medium (M), Low (L)
    Authentication (Au): None (N), Single Instance (S), Multiple Instances (M)
Impact metrics:
    Confidentiality (C), Integrity (I), Availability (A): each None (N), Partial (P) or Complete (C)
(The calculator shows "Undefined" for each metric until it is selected.)
Sample score: 7.5
Sample vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Every CVSS score should be accompanied by the corresponding vector

17 Common Vulnerability Scoring System (CVSS): The Calculator (figure)
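The calculator slide only shows the tool's UI, so here is the CVSS v2 base-score formula carried out in code, reproducing the 7.5 of the sample vector on slide 16 and the 7.6 the talk later assigns to the SetPost bug. This is an added example, not code from the presentation or from Symantec; the weights and formula are those of the CVSS v2 specification, and the function names (cvss2_parse, cvss2_base_tenths, cvss2_band) are this example's own. Scores are returned in tenths so they can be compared exactly without floating-point tolerance.

```c
#include <stdio.h>
#include <string.h>

/* Added worked example of the CVSS v2 base-score formula; not from the slides.
 * Weights and formula follow the CVSS v2 specification. */

/* Metric weights (CVSS v2). An unknown letter returns -1. */
static double av_weight(char c) {
    switch (c) { case 'L': return 0.395; case 'A': return 0.646; case 'N': return 1.0; }
    return -1;
}
static double ac_weight(char c) {
    switch (c) { case 'H': return 0.35; case 'M': return 0.61; case 'L': return 0.71; }
    return -1;
}
static double au_weight(char c) {
    switch (c) { case 'M': return 0.45; case 'S': return 0.56; case 'N': return 0.704; }
    return -1;
}
static double cia_weight(char c) {
    switch (c) { case 'N': return 0.0; case 'P': return 0.275; case 'C': return 0.660; }
    return -1;
}

typedef struct { char av, ac, au, c, i, a; } cvss2_base;

/* Parse "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"; parentheses optional, metric order free.
 * Returns 0 on success, -1 on a malformed or incomplete vector. */
int cvss2_parse(const char *vec, cvss2_base *out) {
    char buf[64];
    size_t n = strlen(vec);
    if (n >= sizeof buf) return -1;
    memcpy(buf, vec, n + 1);
    char *p = buf;
    if (*p == '(') p++;
    char *rp = strchr(p, ')');
    if (rp) *rp = '\0';
    memset(out, 0, sizeof *out);
    for (char *tok = strtok(p, "/"); tok; tok = strtok(NULL, "/")) {
        char *colon = strchr(tok, ':');
        if (!colon || colon[1] == '\0' || colon[2] != '\0') return -1;
        char v = colon[1];
        *colon = '\0';
        if      (!strcmp(tok, "AV")) out->av = v;
        else if (!strcmp(tok, "AC")) out->ac = v;
        else if (!strcmp(tok, "Au")) out->au = v;
        else if (!strcmp(tok, "C"))  out->c  = v;
        else if (!strcmp(tok, "I"))  out->i  = v;
        else if (!strcmp(tok, "A"))  out->a  = v;
        else return -1;
    }
    return (out->av && out->ac && out->au && out->c && out->i && out->a) ? 0 : -1;
}

/* Base score in tenths (75 means 7.5), rounded to one decimal as in the spec;
 * -1 for an invalid vector. */
int cvss2_base_tenths(const char *vec) {
    cvss2_base b;
    if (cvss2_parse(vec, &b) != 0) return -1;
    double av = av_weight(b.av), ac = ac_weight(b.ac), au = au_weight(b.au);
    double c = cia_weight(b.c), i = cia_weight(b.i), a = cia_weight(b.a);
    if (av < 0 || ac < 0 || au < 0 || c < 0 || i < 0 || a < 0) return -1;
    double impact = 10.41 * (1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a));
    double exploitability = 20.0 * av * ac * au;
    double f_impact = (impact == 0.0) ? 0.0 : 1.176;   /* f(Impact) from the spec */
    double raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact;
    if (raw < 0.0) raw = 0.0;
    return (int)(raw * 10.0 + 0.5);
}

/* The Low/Medium/High bands from slide 15: 0.0-3.9, 4.0-6.9, 7.0-10.0. */
const char *cvss2_band(int tenths) {
    if (tenths < 0) return "invalid";
    if (tenths <= 39) return "Low";
    if (tenths <= 69) return "Medium";
    return "High";
}

int main(void) {
    const char *vectors[] = {
        "(AV:N/AC:L/Au:N/C:P/I:P/A:P)",   /* slide 16 sample: 7.5 */
        "(AV:N/AC:H/Au:N/C:C/I:C/A:C)",   /* slide 20 SetPost rating: 7.6 */
    };
    for (size_t k = 0; k < sizeof vectors / sizeof vectors[0]; k++) {
        int t = cvss2_base_tenths(vectors[k]);
        printf("%s -> %d.%d (%s)\n", vectors[k], t / 10, t % 10, cvss2_band(t));
    }
    return 0;
}
```

Because the score is a deterministic function of the vector, storing the vector (as slide 16 insists) lets anyone re-derive or dispute the number later; storing only "7.6" does not.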

18 Hands on Demo

19 CWE and CVSS use in Practice: Code Review

    void CHTMLEngine::SetPost(CBufferedInput& buf, unsigned int length, string& multipart)
    {
        m_post = true;
        if (length <= 0) return;
        char* pData = new char[length+1];
        memset(pData, 0, length+1);
        // Read the POSTed data into a buffer
        int totalBytesRead = 0;
        int bytesRead = 0;
        while (length - totalBytesRead > 0) {
            bytesRead = buf.Read(pData + totalBytesRead, length - totalBytesRead);
            if (bytesRead == -1) {
                DTRACE(1, "EOF error reading POSTed data.");
                break;
            }
            totalBytesRead += bytesRead;
        }
        m_post_data = pData;
        m_mp_boundary = multipart;
        delete [] pData;
    }

What if I make length = -1? The guard `if (length <= 0) return;` doesn't quite work: length is unsigned, so -1 arrives as the maximum unsigned value and only 0 is rejected. length+1 then wraps to 0, and new char[0] calls malloc(0), which succeeds! Next, the read loop copies attacker-controlled data into that zero-byte block and either overflows the heap or crashes.

20 CWE and CVSS use in Practice: Code Review (the same SetPost function, rated)
    Finding: Buffer Overflow
    CWE: CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
    CVSS 2 base score: 7.6
    CVSS 2 vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
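To make the "length = -1" walkthrough concrete without the C++ class around it, the following added example (not code from the presentation or from the product it was taken from) reduces SetPost to its three security-relevant pieces: the signed-style guard on an unsigned value, the `length+1` allocation size, and the read loop. The loop is re-run as arithmetic that only counts how many bytes would be written, so nothing actually goes out of bounds when you run it. The hardened guard at the end, its function name and the 16 MiB MAX_POST_BYTES limit are this example's assumptions, not a fix the talk presents.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the SetPost flaw from the slides; not code from the
 * original product. Function names and MAX_POST_BYTES are assumptions. */

/* Mirrors `if (length <= 0) return;` on an unsigned parameter: the only value
 * it rejects is 0, so a client-supplied -1 (which arrives as UINT_MAX) passes. */
int vuln_check_rejects(unsigned int length) {
    return length <= 0;
}

/* Mirrors `new char[length+1]`: the size actually requested after unsigned
 * wraparound. For UINT_MAX this is 0, and malloc(0) hands back a usable pointer. */
unsigned int vuln_alloc_size(unsigned int length) {
    return length + 1u;
}

/* Re-runs the read loop's arithmetic against a POST body of body_len bytes and
 * returns how many bytes the loop would write into pData. A short read of 0
 * plays the role of Read() returning -1 at EOF. No memory is written here. */
size_t vuln_bytes_written(unsigned int length, size_t body_len) {
    unsigned int total = 0;
    size_t written = 0;
    while (length - total > 0) {                 /* unsigned: true until total == length */
        size_t want = length - total;
        size_t left = body_len - written;
        size_t got = want < left ? want : left;
        if (got == 0) break;                     /* EOF */
        written += got;
        total += (unsigned int)got;
    }
    return written;
}

/* Hardened guard (assumed fix): an explicit upper bound from policy plus
 * checked arithmetic for the +1. Returns 1 to reject, or 0 with *alloc set. */
#define MAX_POST_BYTES (16u * 1024u * 1024u)     /* assumed policy limit */

int hardened_check_rejects(unsigned int length, size_t *alloc) {
    if (length == 0 || length > MAX_POST_BYTES) return 1;
    if ((size_t)length > SIZE_MAX - 1) return 1; /* unreachable after the bound; kept explicit */
    *alloc = (size_t)length + 1;
    return 0;
}

int main(void) {
    unsigned int length = UINT_MAX;              /* what a Content-Length of -1 becomes */
    size_t alloc = 0;
    printf("vulnerable guard rejects: %d\n", vuln_check_rejects(length));
    printf("allocation requested:     %u bytes\n", vuln_alloc_size(length));
    printf("bytes the loop writes:    %zu (64-byte body)\n", vuln_bytes_written(length, 64));
    printf("hardened guard rejects:   %d\n", hardened_check_rejects(length, &alloc));
    return 0;
}
```

The two numbers to compare are the allocation (0 bytes) and the bytes written (the whole body): that gap is the CWE-119 condition, and the AC:H in the talk's vector reflects that the attacker still has to land those bytes somewhere useful in the heap.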

21 Training and Metrics

22 Training and Metrics: A special activity in the SDL
Security training is what food is to a workout:
    The same workout metrics do not apply
    The quality of your intake affects overall performance
    Staff needs ongoing training

23 Training and Metrics: Security Learning Process
    Pre class → Class → Fixation Exercises → Post Class Survey → Keeping Staff Current

24 Security Learning Process: Pre class
Understand who the audience is:
    Previous knowledge about secure coding and secure testing
    Programming languages in use
    Supported platforms
    Type of product

25 Security Learning Process: Class
Train everyone involved in the SDL:
    Developers: Secure Coding, Threat Modeling
    QA: Security Testing, Tools
    Managers: Secure Development Lifecycle (also known as Symmunize)

26 Security Learning Process: Fixation Exercises
Quality Assurance: Capture the Flag
    Uses beta software
    Approximately 3 hours long
    The top 3 finders receive prizes and are invited to explain to the rest of the group what techniques and tools they used to find the vulnerabilities

27 Security Learning Process: Post Class Survey
    Anonymous
    Metrics: class content, instructor knowledge, exercises

28 Training and Metrics: Security awareness is more than training

29 Conclusions and final thoughts

30 Why This Approach Makes Sense
Compare apples to apples
Quantify results in a way that is meaningful to C-level executives:
    Past results can be used to explain the impact of new findings
    Can be simplified to a number from 0 to 10 or a semaphore (green, yellow and red)
    Can be used for competitive analysis
CVSS is harder to game than an ad hoc severity rating
CWE can easily be mapped to different taxonomies

31 Thank You!

