Cassio Goldschmidt, May 13th, 2009. Introduction.


1 Cassio Goldschmidt, May 13th, 2009

2 Introduction

3 Who am I?
Cassio Goldschmidt
– Sr. Manager, Product Security
– Chapter Leader, OWASP Los Angeles
Education
– MBA, USC
– MS Software Engineering, SCU
– BS Computer Science, PUCRS
– Certified Secure Software Lifecycle Professional (CSSLP), (ISC)²
When I'm not in the office…
– Volleyball (Indoor, Beach)
– Coding
– Gym…

4 Typical Project Lifecycle

5 What your workout looks like

6 METRICS: What your metrics should look like
– Exercise type: CWE

7 METRICS: What your metrics should look like
– Number of reps: number of findings

8 METRICS: What your metrics should look like
– Exercise intensity: CVSS

9 METRICS: What your metrics should look like

10 Common Weakness Enumeration

11 Common Weakness Enumeration: What is it?
A common language for describing software security weaknesses.
Maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS).
Hierarchical
– Each individual CWE represents a single vulnerability type
– Deeper levels of the tree provide a finer granularity
– Higher levels provide a broad overview of a vulnerability

12 Common Weakness Enumeration: Portion of the CWE structure (diagram)

13 Common Weakness Enumeration: What data is available for each CWE?
– Weakness description
– Applicable platforms and programming languages
– Common consequences
– Likelihood of exploit
– Coding examples
– Potential mitigations
– Related attacks
– Time of introduction
– Taxonomy mapping
Link: CWE page on XSS

14 Common Weakness Enumeration: How useful is this information?
(Pie chart showing the frequency of CWEs found in penetration tests)

15 Common Vulnerability Scoring System

16 Common Vulnerability Scoring System (CVSS): What is it?
Objective (and "perfect enough") metric.
A universal way to convey vulnerability severity
– Can be used for competitive analysis
CVSS score ranges between 0.0 and 10.0
– Can be expressed as high, medium, low as well
Composed of 3 vectors
– Base: represents general vulnerability severity; intrinsic and immutable
– Temporal: time-dependent qualities of a vulnerability
– Environmental: qualities of a vulnerability specific to a particular IT environment

17 Common Vulnerability Scoring System (CVSS): BASE Vector
Exploitability metrics
– Access Vector: Network, Adjacent Network, Local, Undefined
– Access Complexity: High, Medium, Low, Undefined
– Authentication: None, Single Instance, Multiple Instances, Undefined
Impact metrics
– Confidentiality: None, Partial, Complete, Undefined
– Integrity: None, Partial, Complete, Undefined
– Availability: None, Partial, Complete, Undefined
Sample Score: 7.5
Sample Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Every CVSS score should be accompanied by the corresponding vector.

18 Common Vulnerability Scoring System (CVSS): The Calculator

19 Training and Metrics

20 Training and Metrics: A special activity in the SDL
– Security training is what food is to a workout
– The same workout metrics do not apply
– Quality of your intake affects overall performance
– Staff needs ongoing training

21 Training and Metrics: Security Learning Process
Pre class → Class → Fixation Exercises → Post Class Survey → Keeping Staff Current

22 Training and Metrics: Security Learning Process (Pre class)
Understand who the audience is
– Previous knowledge about secure coding and secure testing
– Programming languages in use
– Supported platforms
– Type of product

23 Training and Metrics: Security Learning Process (Class)
Train everyone involved in the SDL
– Developers: Secure Coding, Threat Modeling
– QA: Security Testing, Tools
– Managers: Secure Development Lifecycle (also known as Symmunize)

24 Training and Metrics: Security Learning Process (Fixation Exercises)
Quality Assurance: Capture the Flag
– Uses beta software
– Approximately 3 hours long
– The top 3 finders receive prizes and are invited to explain to the rest of the group which techniques and tools they used to find the vulnerabilities

25 Training and Metrics: Security Learning Process (Post Class Survey)
Post Class Survey
– Anonymous
– Metrics: class content, instructor knowledge, exercises

26 Training and Metrics: Security awareness is more than training

27 Training and Metrics: Security awareness is more than training
– What: Symantec's company-wide knowledge sharing session.
– How often: Occurs every two weeks. 2 hours long.
– Who: Internal and external guests present on a topic of their choice to Symantec's engineering community.

28 Training and Metrics: Security awareness is more than training
– What: Symantec's company-wide internal technical conference.
– How often: Once a year. 3 days long.
– Who: Top engineers present on a topic of their choice to Symantec's engineering community. 25% of the talks are related to security.

29 Training and Metrics: Security awareness is more than training
– What: Symantec's internal newsletter.
– How often: Every quarter. 50 pages long.
– Who: Top engineers write on a topic of their choice for Symantec's engineering community. 1-3 security articles in every issue since inception.

30 Conclusions and final thoughts

31 Why does this approach make sense?
Compare apples to apples.
Quantify results in a meaningful way for "C"-level executives
– Past results can be used to explain the impact of new findings
– Can be simplified to a number from 1-10 or a semaphore (green, yellow and red)
– Can be used for competitive analysis
Harder to game CVSS.
CWE can be easily mapped to different taxonomies.

32 Final Thoughts…
Other metrics are useful too!
Defense is like forcing muscle growth. It's a proactive, measured and well-fueled endeavor.

33 Thank You!
Cassio Goldschmidt
cassio_goldschmidt@symantec.com
cassio@owasp.org
Copyright © 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

