This presentation is from the 29 June 2009 OWASP Minneapolis-St. Paul (MSP) chapter meeting.
Cassio Goldschmidt of Symantec talked about defining consistent metrics for tracking security vulnerabilities throughout the security development lifecycle.
3. Who am I?
- Cassio Goldschmidt, Sr. Manager, Product Security
- Chapter Leader, OWASP Los Angeles
- Education: MBA, USC; MS Software Engineering, SCU; BS Computer Science, PUCRS; Certified Software Security Lifecycle Professional (CSSLP), (ISC)2
- When I’m not in the office: volleyball (indoor, beach), coding, gym…
5. What your workout looks like
May 13th workout:
- Exercise: Pile Squat, Repetitions: 35, Weight: 20 lbs
- Exercise: Barbell Squat, Repetitions: 35, Weight: 150 lbs
- Exercise: Rev. Curl, Repetitions: 20, Weight: 25 lbs
6. What your METRICS should look like
May 13th security metrics. Each field of the workout log is replaced, one build at a time, by a security-metric field:
- Exercise type becomes the CWE (what kind of weakness was found)
7. What your METRICS should look like
- Number of reps becomes the number of findings (the first row now reads CWE: 79 - XSS)
8. What your METRICS should look like
- Exercise intensity becomes the CVSS score (the first row now reads CWE: 79 - XSS, Findings: 10)
9. What your METRICS should look like
One row per SDL phase and the activity that produced the finding:
- DESIGN (Threat Model): CWE: 20 - Improper Input Validation, Findings: 1, CVSS: 8.6
- TEST (Pen Test): CWE: 79 - XSS, Findings: 3, CVSS: (no value shown on the slide)
- SUPPORT (Vul. Mgmt): CWE: 314, Findings: 1, CVSS: 2.3
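The slide 9 record shape (SDL phase, CWE, number of findings, CVSS) as a small findings log, with the views the talk says decision makers want: totals per phase, totals per CWE, and the share of critical findings caught internally rather than in support. This is an added example, not material from the presentation or from Symantec; the records are constructed to mirror slide 9 (the XSS row's CVSS is an assumed value, since the slide shows none), and the 7.0 threshold used to mean "critical" is an assumption (it is NVD's "high" band for CVSS v2).

```python
# Added example (not from the presentation): a findings log with the fields of
# slide 9 per SDL phase, and the views a decision maker would ask for.
from collections import defaultdict

# Constructed records mirroring slide 9. The slide shows no CVSS for the XSS row,
# so the 4.3 below is an assumed value, not one from the talk.
FINDINGS = [
    {"phase": "DESIGN",  "activity": "Threat Model", "cwe": 20,  "count": 1, "cvss": 8.6},
    {"phase": "TEST",    "activity": "Pen Test",     "cwe": 79,  "count": 3, "cvss": 4.3},
    {"phase": "SUPPORT", "activity": "Vul. Mgmt",    "cwe": 314, "count": 1, "cvss": 2.3},
]

INTERNAL_PHASES = ("DESIGN", "TEST")   # phases that run before the product ships

def view_by(records, key):
    """Total findings and worst CVSS grouped by `key` (e.g. 'phase' or 'cwe')."""
    out = defaultdict(lambda: {"count": 0, "max_cvss": 0.0})
    for r in records:
        out[r[key]]["count"] += r["count"]
        out[r[key]]["max_cvss"] = max(out[r[key]]["max_cvss"], r["cvss"])
    return dict(out)

def internal_catch_rate(records, min_cvss=7.0):
    """Share of findings scoring at least `min_cvss` (assumed meaning of
    'critical') that were found before release. Returns None when there are
    no such findings: the rate is then undefined, not 100%."""
    critical = [r for r in records if r["cvss"] >= min_cvss]
    total = sum(r["count"] for r in critical)
    if total == 0:
        return None
    caught = sum(r["count"] for r in critical if r["phase"] in INTERNAL_PHASES)
    return caught / total

if __name__ == "__main__":
    for key in ("phase", "cwe"):
        print(key, view_by(FINDINGS, key))
    print("critical findings caught internally:", internal_catch_rate(FINDINGS))
```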
11. Common Weakness Enumeration: What is it?
- A common language for describing software security weaknesses
- Maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS)
- Hierarchical: each individual CWE represents a single vulnerability type; deeper levels of the tree provide finer granularity, higher levels provide a broad overview of a vulnerability
13. Common Weakness Enumeration: What data is available for each CWE?
- Weakness description
- Applicable platforms and programming languages
- Common consequences
- Likelihood of exploit
- Coding examples
- Potential mitigations
- Related attacks
- Time of introduction
- Taxonomy mapping
(The slide links to the CWE page on XSS.)
14. Common Weakness Enumeration: How useful is this information?
[Pie chart showing the frequency of CWEs found in penetration tests]
16. Common Vulnerability Scoring System (CVSS): What is it?
- Objective (and “perfect enough”) metric
- A universal way to convey vulnerability severity
- Can be used for competitive analysis
- CVSS score ranges between 0.0 and 10.0; can be expressed as high, medium, low as well
- Composed of 3 vectors:
  - Base: represents general vulnerability severity; intrinsic and immutable
  - Temporal: time-dependent qualities of a vulnerability
  - Environmental: qualities of a vulnerability specific to a particular IT environment
17. Common Vulnerability Scoring System (CVSS): Base vector
- Made up of Exploitability and Impact metrics
- Sample score: 7.5
- Sample vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- Every CVSS score should be accompanied by the corresponding vector
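The slide's sample vector is in CVSS v2 notation, and its 7.5 can be reproduced from the vector alone. The following is an added example, not code from the presentation: it parses a v2 base vector string, computes the impact and exploitability subscores and the base score with the CVSS v2 equations and metric weights, and maps the score onto the high/medium/low bands mentioned on slide 16 (the band boundaries are NVD's, an assumption as far as the slides go).

```python
# Added example (not from the presentation): CVSS v2 base score from a base
# vector string such as the slide's "(AV:N/AC:L/Au:N/C:P/I:P/A:P)".
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # authentication
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},    # confidentiality impact
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},    # integrity impact
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},    # availability impact
}

def parse_vector(vector):
    """'(AV:N/AC:L/Au:N/C:P/I:P/A:P)' -> {'AV': 'N', ...}; rejects bad vectors."""
    parts = dict(p.split(":", 1) for p in vector.strip("() ").split("/"))
    if set(parts) != set(WEIGHTS):
        raise ValueError(f"base vector must contain exactly {sorted(WEIGHTS)}")
    for metric, value in parts.items():
        if value not in WEIGHTS[metric]:
            raise ValueError(f"unknown value {value!r} for metric {metric}")
    return parts

def round1(x):
    """CVSS rounds to one decimal, half up (Python's round() would not)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def base_score(vector):
    """Return (base score, impact subscore, exploitability subscore)."""
    m = {k: WEIGHTS[k][v] for k, v in parse_vector(vector).items()}
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    if impact == 0:                      # f(Impact) = 0: no impact, score 0
        return 0.0, 0.0, round1(exploitability)
    score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176
    return round1(score), round1(impact), round1(exploitability)

def severity(score):
    """NVD's qualitative bands for CVSS v2 scores."""
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"

if __name__ == "__main__":
    vec = "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
    score, impact, expl = base_score(vec)
    print(vec, "->", score, severity(score), "impact", impact, "exploitability", expl)
```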
Forcing muscle growth is a long process which requires high intensity weight training and high mental concentration. While the ultimate goal is often clear, one of the greatest mistakes bodybuilders consistently make is to overlook the importance of tracking their weight lifting progress. Like a successful bodybuilding workout, a security development lifecycle program must consistently log simple to obtain, yet meaningful metrics throughout the entire process. Good metrics must lack subjectivity and clearly aid decision makers to determine areas that need improvement. In this pragmatic presentation we’ll discuss metrics used at Symantec, the world’s largest security ISV, to classify and appropriately compare security vulnerabilities found in different phases of the SDL by different teams working in different locations and in different products. We’ll also discuss how to easily provide decision makers different views of the same data and verify whether the process is indeed catching critical vulnerabilities internally and how the numbers compare with the competition.
Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure the secure development of software products. His responsibilities include managing Symantec’s internal secure software development process, training, threat modeling and penetration testing. Cassio’s background includes over 13 years of technical and managerial experience in the software industry. During the seven years he has been with Symantec, he has helped to architect, design and develop several top-selling product releases, conducted numerous security classes, and coordinated various penetration tests. Cassio is also internationally known for leading the OWASP chapter in Los Angeles. Cassio represents Symantec on the SAFECode technical committee and (ISC)2 in the development of the CSSLP certification. He holds a bachelor’s degree in computer science from Pontifícia Universidade Católica do Rio Grande do Sul, a master’s degree in software engineering from Santa Clara University, and a master of business administration from the University of Southern California.