nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym


nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym by Cassio Goldschmidt

Published in: Technology


  1. 1. Tracking the Progress of an SDL Program - Cassio Goldschmidt nullcon Goa 2010 http://nullcon.net
  2. 2. Who am I?
     - Cassio Goldschmidt
       - Sr. Manager, Product Security – Symantec
     - Education
       - MBA, USC
       - MS Software Engineering, SCU
       - BSCS, PUCRS
       - CSSLP, (ISC)²
     - When I'm not in the office…
       - Volleyball (Indoor, Beach)
       - Coding… for way too long!
       - Gym…
  3. 3. Typical Project Lifecycle
  4. 5. Exercise type: CWE
  5. 6. Number of Reps: Number of Findings
  6. 7. Exercise Intensity: CVSS
  7. 9. Section: Common Weakness Enumeration
  8. 10. Common Weakness Enumeration – What is it?
     - A common language for describing software security weaknesses
     - Maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS)
     - Hierarchical
       - Each individual CWE represents a single vulnerability type
       - Deeper levels of the tree provide a finer granularity
       - Higher levels provide a broad overview of a vulnerability
  9. 11. Common Weakness Enumeration Portion of CWE structure
  10. 12. What data is available for each CWE?
     - Weakness description
     - Applicable platforms and programming languages
     - Common Consequences
     - Likelihood of Exploit
     - Coding Examples
     - Potential Mitigations
     - Related Attacks
     - Time of Introduction
     - Taxonomy Mapping
     (Slide links to the CWE page on XSS)
  11. 13. How useful is this information? (Pie chart showing the frequency of CWEs found in penetration tests)
  12. 14. Section: Common Vulnerability Scoring System
  13. 15. Common Vulnerability Scoring System – What is it? Score bands: 0.0...3.9, 4.0...6.9, 7.0...10
  14. 16. Common Vulnerability Scoring System – BASE Vector
     - Sample Score: 7.5
     - Sample Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
     - Every CVSS score should be accompanied by the corresponding vector

     Exploitability metrics:

     | Access Vector    | Access Complexity | Authentication  |
     |------------------|-------------------|-----------------|
     | Network          | High              | None            |
     | Adjacent Network | Medium            | Single Instance |
     | Local            | Low               | Mult. Instances |
     | Undefined        | Undefined         | Undefined       |

     Impact metrics:

     | Confidentiality | Integrity | Availability |
     |-----------------|-----------|--------------|
     | None            | None      | None         |
     | Partial         | Partial   | Partial      |
     | Complete        | Complete  | Complete     |
     | Undefined       | Undefined | Undefined    |
  15. 17. Common Vulnerability Scoring System (CVSS) The Calculator
  16. 18. Section: Hands on Demo
  17. 19. CWE and CVSS use in Practice – Code Review

     ```cpp
     void CHTMLEngine::SetPost(CBufferedInput& buf, unsigned int length, string& multipart)
     {
         m_post = true;
         if (length <= 0)
             return;
         char* pData = new char[length + 1];
         memset(pData, 0, length + 1);
         // Read the POSTed data into a buffer
         int totalBytesRead = 0;
         int bytesRead = 0;
         while (length - totalBytesRead > 0) {
             bytesRead = buf.Read(pData + totalBytesRead, length - totalBytesRead);
             if (bytesRead == -1) {
                 DTRACE(1, "EOF error reading POSTed data.");
                 break;
             }
             totalBytesRead += bytesRead;
         }
         m_post_data = pData;
         m_mp_boundary = multipart;
         delete[] pData;
     }
     ```

     - What if I make length = -1? new char[0] calls malloc(0), which succeeds!
     - Next, attacker-controlled data either overflows the heap or crashes
     - Doesn't quite work – length is unsigned
  18. 20. CWE and CVSS use in Practice – Code Review (same SetPost code as slide 19, now scored)
     - Buffer Overflow
     - CWE: 119
     - CVSS 2: 7.6
     - CVSS 2 Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
  19. 21. Section: Training and Metrics
  20. 22. Training and Metrics – A special activity in the SDL
     - Security training is what food is to a workout
     - The same workout metrics do not apply
     - Quality of your intake affects overall performance
     - Staff needs ongoing training
  21. 23. Training and Metrics Security Learning Process
  22. 24. Training and Metrics – Security Learning Process
     - Understand who the audience is
     - Previous knowledge about secure coding and secure testing
       - Programming languages in use
       - Supported platforms
       - Type of product
  23. 25. Training and Metrics – Security Learning Process
     - Train everyone involved in the SDL
       - Developers: Secure Coding, Threat Model
       - QA: Security Testing, Tools
       - Managers: Secure Development Lifecycle (also known as Symmunize)
  24. 26. Training and Metrics – Security Learning Process
     - Quality Assurance – Capture the flag
       - Use Beta software
       - Approximately 3 hours long
       - Top 3 finders receive prizes and are invited to explain to the rest of the group what techniques and tools they used to find the vulnerabilities
  25. 27. Training and Metrics – Security Learning Process
     - Post-class survey
       - Anonymous
       - Metrics
         - Class content
         - Instructor knowledge
         - Exercises
  26. 28. Training and Metrics – Security awareness is more than training
  27. 29. Section: Conclusions and final thoughts
  28. 30. Why does this approach make sense?
     - Compare apples to apples
     - Quantify results in a way that is meaningful to "C"-level executives
       - Past results can be used to explain the impact of new findings
       - Can be simplified to a number from 1-10 or a semaphore (green, yellow and red)
       - Can be used for competitive analysis
     - Harder to game CVSS
     - CWE can be easily mapped to different taxonomies
  29. 31. Thank You!
