Tracking the Progress of an SDL Program - Cassio Goldschmidt nullcon Goa 2010 http://nullcon.net
Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure the secure development of software products. His responsibilities include managing Symantec’s internal secure software development process, training, threat modeling and penetration testing. Cassio’s background includes over 13 years of technical and managerial experience in the software industry. During the seven years he has been with Symantec, he has helped to architect, design and develop several top-selling product releases, conducted numerous security classes, and coordinated various penetration tests. Cassio is also internationally known for leading the OWASP chapter in Los Angeles. Cassio represents Symantec on the SAFECode technical committee and (ISC)² in the development of the CSSLP certification. He holds a bachelor's degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a master's degree in software engineering from Santa Clara University, and a master of business administration from the University of Southern California.

Transcript of "nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym"

1. Tracking the Progress of an SDL Program - Cassio Goldschmidt, nullcon Goa 2010, http://nullcon.net

2. Who am I?
  • Cassio Goldschmidt
    • Sr. Manager, Product Security – Symantec
  • Education
    • MBA, USC
    • MS Software Engineering, SCU
    • BSCS, PUCRS
    • CSSLP, (ISC)²
  • When I’m not in the office…
    • Volleyball (indoor, beach)
    • Coding… for way too long!
    • Gym…

3. Typical Project Lifecycle

5. Exercise type: CWE

6. Number of Reps: Number of Findings

7. Exercise Intensity: CVSS

9. Common Weakness Enumeration

10. Common Weakness Enumeration: What is it?
  • A common language for describing software security weaknesses
  • Maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS)
  • Hierarchical
    • Each individual CWE represents a single vulnerability type
    • Deeper levels of the tree provide finer granularity
    • Higher levels provide a broad overview of a vulnerability

11. Common Weakness Enumeration: Portion of the CWE structure

12. What data is available for each CWE?
  • Weakness description
  • Applicable platforms and programming languages
  • Common consequences
  • Likelihood of exploit
  • Coding examples
  • Potential mitigations
  • Related attacks
  • Time of introduction
  • Taxonomy mapping
  (Link to the CWE page on XSS)

13. How useful is this information? Pie chart showing the frequency of CWEs found in penetration tests

14. Common Vulnerability Scoring System

15. Common Vulnerability Scoring System: What is it? Score ranges: 0.0...3.9, 4.0...6.9, 7.0...10

16. Common Vulnerability Scoring System: Base Vector
  • Sample score: 7.5
  • Sample vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  • Every CVSS score should be accompanied by the corresponding vector

  Exploitability metrics
    Access Vector:      Network | Adjacent Network | Local           | Undefined
    Access Complexity:  High    | Medium           | Low             | Undefined
    Authentication:     None    | Single Instance  | Mult. Instances | Undefined
  Impact metrics
    Confidentiality:    None    | Partial          | Complete        | Undefined
    Integrity:          None    | Partial          | Complete        | Undefined
    Availability:       None    | Partial          | Complete        | Undefined

17. Common Vulnerability Scoring System (CVSS): The Calculator

18. Hands on Demo
19. CWE and CVSS use in Practice: Code Review

    void CHTMLEngine::SetPost(CBufferedInput& buf, unsigned int length, string& multipart)
    {
        m_post = true;
        if (length <= 0)                  // length is unsigned, so this only rejects 0
            return;
        char* pData = new char[length + 1];   // length + 1 wraps to 0 for length = 0xFFFFFFFF (the "-1" below)
        memset(pData, 0, length + 1);
        // Read the POSTed data into a buffer
        int totalBytesRead = 0;
        int bytesRead = 0;
        while (length - totalBytesRead > 0) {
            bytesRead = buf.Read(pData + totalBytesRead, length - totalBytesRead);
            if (bytesRead == -1) {
                DTRACE(1, "EOF error reading POSTed data.");
                break;
            }
            totalBytesRead += bytesRead;
        }
        m_post_data = pData;
        m_mp_boundary = multipart;
        delete[] pData;
    }

  What if I make length = -1? new char[0] calls malloc(0), which succeeds! Next, attacker-controlled data either overflows the heap or crashes. Doesn’t quite work – length is unsigned.

20. CWE and CVSS use in Practice: Code Review (same code as slide 19)
  • Buffer Overflow
  • CWE: 119
  • CVSS 2: 7.6
  • CVSS 2 vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
21. Training and Metrics

22. Training and Metrics: A special activity in the SDL
  • Security training is what food is to a workout
  • The same workout metrics do not apply
  • Quality of your intake affects overall performance
  • Staff needs ongoing training

23. Training and Metrics: Security Learning Process

24. Training and Metrics: Security Learning Process
  • Understand who the audience is
  • Previous knowledge about secure coding and secure testing
    • Programming languages in use
    • Supported platforms
    • Type of product

25. Training and Metrics: Security Learning Process
  • Train everyone involved in the SDL
    • Developers: Secure Coding, Threat Model
    • QA: Security Testing, Tools
    • Managers: Secure Development Lifecycle (also known as Symmunize)

26. Training and Metrics: Security Learning Process
  • Quality Assurance: Capture the Flag
  • Use beta software
  • Approximately 3 hours long
  • Top 3 finders receive prizes and are invited to explain to the rest of the group which techniques and tools they used to find the vulnerabilities

27. Training and Metrics: Security Learning Process
  • Post-class survey
  • Anonymous
  • Metrics
    • Class content
    • Instructor knowledge
    • Exercises

28. Training and Metrics: Security awareness is more than training

29. Conclusions and final thoughts

30. Why This Approach Makes Sense
  • Compare apples to apples
  • Quantify results in a way that is meaningful to “C” executives
    • Past results can be used to explain the impact of new findings
    • Can be simplified to a number from 1-10 or a semaphore (green, yellow and red)
    • Can be used for competitive analysis
  • Harder to game CVSS
  • CWE can be easily mapped to different taxonomies

31. Thank You!