nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym
by Cassio Goldschmidt

  • Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure the secure development of software products. His responsibilities include managing Symantec’s internal secure software development process, training, threat modeling and penetration testing. Cassio’s background includes over 13 years of technical and managerial experience in the software industry. During the seven years he has been with Symantec, he has helped to architect, design and develop several top selling product releases, conducted numerous security classes, and coordinated various penetration tests. Cassio is also internationally known for leading the OWASP chapter in Los Angeles. Cassio represents Symantec on the SAFECode technical committee and (ISC)² in the development of the CSSLP certification. He holds a bachelor degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a masters degree in software engineering from Santa Clara University, and a masters of business administration from the University of Southern California.

Presentation Transcript

  • Tracking the Progress of an SDL Program - Cassio Goldschmidt nullcon Goa 2010 http://nullcon.net
  • Who am I?
    • Cassio Goldschmidt
      • Sr. Manager, Product Security – Symantec
    • Education
      • MBA, USC
      • MS Software Engineering, SCU
      • BSCS, PUCRS
      • CSSLP, (ISC)²
    • When I’m not in the office…
      • Volleyball (Indoor, Beach)
      • Coding… for way too long!
      • Gym…
  • Typical Project Lifecycle
  • Exercise type: CWE
  • Number of Reps: Number of Findings
  • Exercise Intensity: CVSS
  • Common Weakness Enumeration
  • Common Weakness Enumeration: What is it?
    • A common language for describing software security weaknesses
    • Maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS)
    • Hierarchical
      • Each individual CWE entry represents a single weakness type
      • Deeper levels of the tree provide finer granularity (e.g. a specific coding error)
      • Higher levels provide a broad overview of a whole class of weaknesses
  • Common Weakness Enumeration: Portion of the CWE structure (diagram)
  • What data is available for each CWE?
    • Weakness description
    • Applicable platforms and programming languages
    • Common Consequences
    • Likelihood of Exploit
    • Coding Examples
    • Potential Mitigations
    • Related Attacks
    • Time of Introduction
    • Taxonomy Mapping
    Link to CWE Page on XSS
  • How useful is this information? (Pie chart showing the frequency of CWEs found in penetration tests)
  • Common Vulnerability Scoring System
  • Common Vulnerability Scoring System: What is it? A numeric severity score from 0.0 to 10.0, commonly bucketed as Low (0.0...3.9), Medium (4.0...6.9) and High (7.0...10.0)
  • Common Vulnerability Scoring System: Base Vector
    • Sample Score: 7.5
    • Sample Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
    • Every CVSS score should be accompanied by the corresponding vector
    The six CVSS v2 base metrics and their possible values:

      Exploitability metrics                                    Impact metrics
      Access Vector      Access Complexity   Authentication     Confidentiality   Integrity   Availability
      Network            High                None               None              None        None
      Adjacent Network   Medium              Single Instance    Partial           Partial     Partial
      Local              Low                 Mult. Instances    Complete          Complete    Complete
      Undefined          Undefined           Undefined          Undefined         Undefined   Undefined

    (Undefined is not a value of the CVSS v2 base vector; every one of the six metrics must be set before a base score can be computed.)
  • Common Vulnerability Scoring System (CVSS) The Calculator
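The CVSS v2 base-score arithmetic behind the calculator, as an added worked example that is not the slides' code and not the NVD calculator itself: it parses a base vector string, applies the published CVSS v2 metric weights and rounding, and reproduces the two scores quoted in this talk (7.5 for the sample vector and 7.6 for the code-review finding). The `cvss2` namespace and the function names are this example's own.

```cpp
// Added example (not from the slides): a minimal CVSS v2 base-score
// calculator. Parses a base vector such as "(AV:N/AC:L/Au:N/C:P/I:P/A:P)".
// Metric weights and the 1.176 impact factor are the CVSS v2 constants;
// the Low/Medium/High bands are the ranges quoted on the "What is it?" slide.
#include <cmath>
#include <iostream>
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

namespace cvss2 {

// Weight table for the six base metrics (CVSS v2.0 specification).
static const std::map<std::string, std::map<std::string, double>> kWeights = {
    {"AV", {{"L", 0.395}, {"A", 0.646}, {"N", 1.0}}},   // Access Vector
    {"AC", {{"H", 0.35},  {"M", 0.61},  {"L", 0.71}}},  // Access Complexity
    {"Au", {{"M", 0.45},  {"S", 0.56},  {"N", 0.704}}}, // Authentication
    {"C",  {{"N", 0.0},   {"P", 0.275}, {"C", 0.660}}}, // Confidentiality
    {"I",  {{"N", 0.0},   {"P", 0.275}, {"C", 0.660}}}, // Integrity
    {"A",  {{"N", 0.0},   {"P", 0.275}, {"C", 0.660}}}, // Availability
};

// CVSS v2 rounds every intermediate and final score to one decimal.
static double round1(double x) { return std::round(x * 10.0) / 10.0; }

// Parse "(AV:N/AC:L/...)" (parentheses optional) into metric -> weight.
// Rejects unknown metrics, unknown values and incomplete vectors.
std::map<std::string, double> parseVector(std::string vec) {
    if (vec.size() >= 2 && vec.front() == '(' && vec.back() == ')')
        vec = vec.substr(1, vec.size() - 2);
    std::map<std::string, double> out;
    std::stringstream ss(vec);
    std::string part;
    while (std::getline(ss, part, '/')) {
        std::string::size_type colon = part.find(':');
        if (colon == std::string::npos) throw std::invalid_argument("bad metric: " + part);
        std::string name = part.substr(0, colon), value = part.substr(colon + 1);
        auto m = kWeights.find(name);
        if (m == kWeights.end()) throw std::invalid_argument("unknown metric: " + name);
        auto v = m->second.find(value);
        if (v == m->second.end()) throw std::invalid_argument("bad value for " + name);
        out[name] = v->second;
    }
    if (out.size() != 6) throw std::invalid_argument("vector must carry all six base metrics");
    return out;
}

// Base score = round((0.6 * Impact + 0.4 * Exploitability - 1.5) * f(Impact)).
double baseScore(const std::string& vec) {
    std::map<std::string, double> w = parseVector(vec);
    double impact = 10.41 * (1.0 - (1.0 - w["C"]) * (1.0 - w["I"]) * (1.0 - w["A"]));
    double exploitability = 20.0 * w["AV"] * w["AC"] * w["Au"];
    double f = (impact == 0.0) ? 0.0 : 1.176;  // no impact means score 0
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f);
}

// Severity band from the slide: 0.0-3.9 Low, 4.0-6.9 Medium, 7.0-10.0 High.
std::string band(double score) {
    if (score < 4.0) return "Low";
    if (score < 7.0) return "Medium";
    return "High";
}

}  // namespace cvss2

int main() {
    const std::vector<std::string> samples = {
        "(AV:N/AC:L/Au:N/C:P/I:P/A:P)",  // slide's sample vector, expected 7.5
        "(AV:N/AC:H/Au:N/C:C/I:C/A:C)",  // code-review finding, expected 7.6
    };
    for (const std::string& v : samples) {
        double s = cvss2::baseScore(v);
        std::cout << v << " -> " << s << " (" << cvss2::band(s) << ")\n";
    }
    return 0;
}
```

Keeping the score next to its vector, as the slide recommends, is what makes the number auditable: anyone can re-run the arithmetic above and object to a metric choice, which is much harder to do with a bare "7.5".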
  • Hands on Demo
  • CWE and CVSS use in Practice: Code Review

      void CHTMLEngine::SetPost(CBufferedInput& buf, unsigned int length, string& multipart)
      {
          m_post = true;
          if (length <= 0)
              return;
          char* pData = new char[length+1];
          memset(pData, 0, length+1);
          // Read the POSTed data into a buffer
          int totalBytesRead = 0;
          int bytesRead = 0;
          while (length - totalBytesRead > 0) {
              bytesRead = buf.Read(pData + totalBytesRead, length - totalBytesRead);
              if (bytesRead == -1) {
                  DTRACE(1, "EOF error reading POSTed data.");
                  break;
              }
              totalBytesRead += bytesRead;
          }
          m_post_data = pData;
          m_mp_boundary = multipart;
          delete [] pData;
      }

    Slide call-outs:
    • What if I make length = -1?
    • Doesn't quite work: length is unsigned, so the `length <= 0` check only catches 0, and -1 arrives as the largest unsigned value
    • new char[0] calls malloc(0), which succeeds! (length+1 wraps around to 0)
    • Next, attacker-controlled data either overflows the heap or crashes (the loop still tries to read `length` bytes into a zero-byte buffer)

    Finding as recorded:
    • Buffer Overflow, CWE-119
    • CVSS 2 score: 7.6
    • CVSS 2 vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

    Note that the root cause is the unsigned wraparound in `length+1`, which CWE classifies as CWE-190 (Integer Overflow or Wraparound); CWE-119 describes the out-of-bounds write that results. Either mapping is defensible, and CWE-119 matches the consequence the CVSS vector scores (complete loss of confidentiality, integrity and availability).
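The wraparound behind the finding above, and a hardened version of the same routine, as an added example that is not the slide's code: `CBufferedInput` here is a stand-in that serves bytes from an in-memory string (the real class is not on the page), `kMaxPostBytes` is an assumed upper bound chosen for the example, and the function names are this example's own. The slide's read loop is kept; what changes is that the allocation size is validated before anything is allocated, and the data is copied into a `std::string` so no raw pointer outlives `delete[]`.

```cpp
// Added example (not the slide's code): the length wraparound behind the
// SetPost finding, and a hardened allocation-size check.
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <limits>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the slide's CBufferedInput: Read() copies up to n bytes and
// returns the count, or -1 at end of input (the contract the slide's loop assumes).
class CBufferedInput {
public:
    explicit CBufferedInput(std::string bytes) : data_(std::move(bytes)) {}
    int Read(char* dst, size_t n) {
        if (pos_ >= data_.size()) return -1;
        size_t take = std::min(n, data_.size() - pos_);
        std::memcpy(dst, data_.data() + pos_, take);
        pos_ += take;
        return static_cast<int>(take);
    }
private:
    std::string data_;
    size_t pos_ = 0;
};

// The arithmetic the slide points at: for length == (unsigned)-1, length + 1
// wraps to 0, so new char[length+1] hands back an empty buffer while the read
// loop still tries to copy ~4 GiB into it.
unsigned allocSizeAsOnSlide(unsigned length) { return length + 1; }

// Hardened check: reject a zero length, a length that would wrap, and anything
// above an application-level limit. kMaxPostBytes is an assumed value.
constexpr size_t kMaxPostBytes = 1u << 20;
bool safePostAllocSize(unsigned length, size_t& out) {
    if (length == 0) return false;
    if (length == std::numeric_limits<unsigned>::max()) return false;  // would wrap
    if (length > kMaxPostBytes) return false;
    out = static_cast<size_t>(length) + 1;
    return true;
}

// Hardened SetPost: same read loop as the slide, but the buffer size is
// validated first and the bytes end up in a std::string owned by the caller.
bool SetPostSafe(CBufferedInput& buf, unsigned length, std::string& postData) {
    size_t size = 0;
    if (!safePostAllocSize(length, size)) return false;
    std::vector<char> data(size, '\0');
    size_t total = 0;
    while (total < length) {
        int n = buf.Read(data.data() + total, length - total);
        if (n == -1) break;  // EOF before the declared length: keep what we have
        total += static_cast<size_t>(n);
    }
    postData.assign(data.data(), total);
    return true;
}

int main() {
    CBufferedInput in("hello world");
    std::string post;
    bool ok = SetPostSafe(in, 5, post);              // copies "hello"
    std::string rejected;
    CBufferedInput in2("x");
    bool rej = SetPostSafe(in2, std::numeric_limits<unsigned>::max(), rejected);
    return (ok && !rej) ? 0 : 1;
}
```

The point of `allocSizeAsOnSlide` is only to make the wraparound observable on a real compiler; the hardened path never performs that addition on an unchecked value, which is what closes the CWE-190 root cause rather than just the CWE-119 symptom.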
  • Training and Metrics
  • Training and Metrics: A special activity in the SDL
    • Security training is to the SDL what food is to a workout
    • The same workout metrics (CWE, findings, CVSS) do not apply to it
    • The quality of your intake affects overall performance
    • Staff needs ongoing training
  • Training and Metrics: Security Learning Process
    • Understand who the audience is
      • Previous knowledge of secure coding and security testing
      • Programming languages in use
      • Supported platforms
      • Type of product
  • Training and Metrics: Security Learning Process
    • Train everyone involved in the SDL
      • Developers: secure coding, threat modeling
      • QA: security testing, tools
      • Managers: the Secure Development Lifecycle (also known as Symmunize)
  • Training and Metrics: Security Learning Process
    • Quality Assurance - Capture the flag
    • Use Beta software
    • Approximately 3 hours long
    • Top 3 finders receive prizes and are invited to explain what techniques and tools they used to find the vulnerabilities to the rest of the group
  • Training and Metrics: Security Learning Process
    • Post-class survey
    • Anonymous
    • Metrics
      • Class content
      • Instructor knowledge
      • Exercises
  • Training and Metrics: Security awareness is more than training
  • Conclusions and final thoughts
  • Why does this approach make sense?
    • It compares apples to apples: the same CWE and CVSS yardstick across products and releases
    • It quantifies results in a way that is meaningful to C-level executives
      • Past results can be used to explain the impact of new findings
      • It can be simplified to a single number from 1 to 10, or to a traffic light (green, yellow and red)
      • It can be used for competitive analysis
    • CVSS is harder to game than ad hoc severity ratings, because every score must be backed by its vector
    • CWE can easily be mapped to other taxonomies
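The gym metaphor from the start of the talk (exercise type = CWE, reps = number of findings, intensity = CVSS) and the traffic-light roll-up from the conclusions, carried through as an added example that is not from the slides: findings are grouped by CWE, reps and worst intensity are computed per group, a release is rolled up to green/yellow/red using the 0.0-3.9 / 4.0-6.9 / 7.0-10.0 bands, and two releases of the same product are compared apples to apples. The struct and function names and the sample findings are constructed for this example.

```cpp
// Added example (not from the slides): SDL tracking metrics in the talk's
// gym vocabulary. Sample findings below are constructed, not real results.
#include <algorithm>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// One penetration-test finding: the "exercise type" (CWE id) and its
// "intensity" (CVSS v2 base score).
struct Finding {
    int cwe;
    double cvss;
};

// Per-CWE tally: number of "reps" and the worst / average intensity seen.
struct ExerciseStats {
    int reps = 0;
    double maxIntensity = 0.0;
    double sumIntensity = 0.0;
    double avgIntensity() const { return reps ? sumIntensity / reps : 0.0; }
};

std::map<int, ExerciseStats> tallyByCwe(const std::vector<Finding>& findings) {
    std::map<int, ExerciseStats> out;
    for (const Finding& f : findings) {
        ExerciseStats& s = out[f.cwe];
        s.reps += 1;
        s.maxIntensity = std::max(s.maxIntensity, f.cvss);
        s.sumIntensity += f.cvss;
    }
    return out;
}

// Traffic light for a release, decided by its worst finding, using the
// Low / Medium / High bands quoted on the CVSS slide.
std::string semaphore(const std::vector<Finding>& findings) {
    if (findings.empty()) return "green";
    double worst = 0.0;
    for (const Finding& f : findings) worst = std::max(worst, f.cvss);
    if (worst >= 7.0) return "red";
    if (worst >= 4.0) return "yellow";
    return "green";
}

// Apples-to-apples comparison of two releases: change in reps per CWE
// (negative means fewer findings of that weakness type this time).
std::map<int, int> repsDelta(const std::vector<Finding>& previous,
                             const std::vector<Finding>& current) {
    std::map<int, int> delta;
    for (const auto& kv : tallyByCwe(previous)) delta[kv.first] -= kv.second.reps;
    for (const auto& kv : tallyByCwe(current))  delta[kv.first] += kv.second.reps;
    return delta;
}

// Constructed sample: two pen-test rounds of the same product.
const std::vector<Finding> kRelease10 = {{119, 7.6}, {79, 4.3}, {79, 4.3}, {89, 7.5}};
const std::vector<Finding> kRelease11 = {{79, 4.3}, {119, 7.6}};

int main() {
    for (const auto& kv : tallyByCwe(kRelease10))
        std::cout << "CWE-" << kv.first << ": reps=" << kv.second.reps
                  << " max=" << kv.second.maxIntensity
                  << " avg=" << kv.second.avgIntensity() << "\n";
    std::cout << "release 1.0: " << semaphore(kRelease10)
              << ", release 1.1: " << semaphore(kRelease11) << "\n";
    for (const auto& kv : repsDelta(kRelease10, kRelease11))
        std::cout << "CWE-" << kv.first << " delta=" << kv.second << "\n";
    return 0;
}
```

Rolling up by CWE rather than by finding title is what makes the comparison stable across pen-test vendors and releases: two testers may describe the same injection bug differently, but they will map it to the same CWE entry, and the CVSS vector pins down how hard the exercise was.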
  • Thank You!