2. Public Vulnerability Databases
Speaker note: Answer to second sub bullet: We are addressing the principle of education today, with this training.
1. Course 1: Overview of Secure Programming, Section 2
   - Pascal Meunier, Ph.D., M.Sc., CISSP
   - May 2004; updated August 12, 2004
   - Developed thanks to support and contributions from Symantec Corporation, support from the NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise Center
   - Copyright (2004) Purdue Research Foundation. All rights reserved.

2. Course 1 Learning Plan
   - Security overview and patching
   - Public vulnerability databases and resources
   - Secure software engineering
   - Security assessment and testing
   - Shell and environment
   - Resource management
   - Trust management

3. Public Resources: Learning Objectives
   - Become familiar with vulnerability databases and online secure programming resources
     - Know how to use them
     - Know which ones to select and consult
     - Know how CVE numbers are used

4. Public Resources
   - Why and for whom
   - Governmental and academic
   - Security vendor resources
   - Books

5. Why should you know about these resources?
   - For insight into how vulnerabilities get tracked
   - For situational awareness
     - Be ready to answer queries from customers who also saw that information
     - Get notification of vulnerabilities pertinent to your product
       - As a backup (should be rare)
       - The situation where developers first learn about a vulnerability through public sources should be covered in an organization's policy

6. Why should you know about these resources? (Cont.)
   - To proactively prevent vulnerabilities in your product by being informed about vulnerabilities in other products
     - Learn from other people's mistakes
   - For reference
   - For additional sources on best programming and software engineering practices
     - So you can grow and learn more about secure programming on your own
     - For other examples and ideas

7. Who should use them?
   - Vulnerability response coordinators or IT security (check policies)
   - At least one person from each team
   - Any developer or architect interested in learning more
     - Note that this material is insufficient for high assurance systems such as those with an Evaluation Assurance Level (EAL) of 5 or more (EALs will be discussed later)
8. Parts: Governmental and Academic Resources
   - MITRE's CVE
   - NIST's ICAT
   - Cassandra
   - CERT/CC
   - US-CERT
   - NIST documents
   - Secure programming how-tos

9. MITRE's CVE
   - Common Vulnerabilities and Exposures
   - http://cve.mitre.org
   - "A list of standardized names for vulnerabilities and other information security exposures — CVE aims to standardize the names for all publicly known vulnerabilities and security exposures."
   - CVE names are unique, standard names to be used by CERTs, vulnerability databases, intrusion detection systems, etc. to identify vulnerabilities

10. CVE Quality Assurance Process
   - MITRE employees gather information and check:
     - For duplicates
     - That it is a real issue
       - Vendor confirmation is often requested
     - That it is only one issue
     - That the description is correct
     - This can take weeks, but severe issues are given priority
   - Researchers and vendors can reserve CVE numbers ahead of time so that their announcements and advisories include a unique identifier

11. CVE Names
   - Two-state name system
     - Candidates (name is CAN-year-number)
       - Candidates need votes from editors to become mature
       - Editors come from industry, government and academia
       - Voting can take months
     - Mature entries (name is CVE-year-number)
     - Entries renamed from CAN to CVE keep the same year and number if there were no problems

12. CVE Searches
   - Search by keyword or CVE name
   - Keywords are "translated" without the user's knowledge or control
     - Results are often not what you would expect

13. Search Results for "Symantec"
   - The search engine is limited and its results are inconsistent with those of other CVE-based tools
   - Descriptions are very short, barely long enough to identify the issue

   N.B.: Symantec is used only for this example. Other companies will be used for other examples, in an effort to provide an overall vendor-neutral sampling. Nothing else is meant or implied by the choices.

14. CVE Download
   - The CVE web site has versions in these formats:
     - HTML
     - Text
     - Comma-separated
   - MySQL format available elsewhere
     - http://www.cerias.purdue.edu/homes/pmeunier/CVEdump.sql
       - Updated daily

15. CVE Change Log (CERIAS)
   - For people maintaining vulnerability databases
     - For day-to-day monitoring of the CVE
   - https://cassandra.cerias.purdue.edu/CVE_changes/
   - Example:
     - date: 2004-03-18 New candidate entries: 2004-0079 2004-0081 2004-0112 2004-0236 2004-0237 2004-0238 2004-0239 2004-0240 (...)

16. Exercise
   - Point your browser to cve.mitre.org
   - What is the number of the first vulnerability in 2004?
     - Make sure to type "2004-0001" with the correct number of zeros!
   - What operating system was involved in the first vulnerability of 2004?
   - What stage is it in?
   - Search for vulnerabilities in products from a company you know
     - Look at the entries returned, and the CVE web site FAQs. Why are there missing results?
       - What if the company name is not in the description?
17. Parts: Governmental and Academic Resources
   - MITRE's CVE
   - NIST's ICAT
   - Cassandra
   - CERT/CC
   - US-CERT
   - NIST documents
   - Secure programming how-tos

18. NIST's ICAT
   - NIST: National Institute of Standards and Technology
   - Based on the CVE
   - Uses the CERIAS CVE change-log service for quick updates
   - Completes vendor and product information
   - Adds a classification of vulnerabilities
   - http://icat.nist.gov

19. ICAT Search Menu
   - Search by vendor, product or keyword, over a time period
   - Click on a letter to get a select popup with a narrowed-down list of vendors or products

20. ICAT Search
   - Now click on a duration to get all the vulnerabilities in the selected vendor's products

21. ICAT Search Results
   - Click on a CVE number to get details

22. ICAT Vulnerability Entry (part 1): CAN-2003-0291

23. ICAT Vulnerability Entry (part 2)
   - Notice the link to where patches can be found

24. Exercise
   - Do a search for vulnerabilities in Adobe Acrobat Reader on ICAT
     - How many entries are there?
     - What is their severity?
     - How did the latest vulnerability happen (see vulnerability type)?
   - Go to the statistics section of ICAT. Approximately what percentage of vulnerabilities are remotely exploitable, year after year?
   - What do you have to do if you want to keep up to date on vulnerabilities in Symantec products?

25. Parts: Governmental and Academic Resources
   - MITRE's CVE
   - NIST's ICAT
   - Cassandra
   - CERT/CC
   - US-CERT
   - NIST documents
   - Secure programming how-tos
26. Cassandra
   - Vulnerability notification service based on ICAT and Secunia advisories
     - Secunia advisories are more timely
   - Main idea: remove the need for polling ICAT every day for new vulnerabilities
     - Make a list of products and keywords
     - A search is done every night
     - Results are emailed to you
   - https://cassandra.cerias.purdue.edu/main/index.html

27. Creating a Profile
   - After creating a new account and logging in, you are taken to the profile management page

28. Managing a Profile
   - You can select whether to receive information from ICAT, from Secunia, and whether you want all the information emailed to you
   - Click on the profile name to change its contents

29. Adding Entries to a Profile
   - Choose a vendor
   - Choose products from this vendor

30. A Sample Profile
   - These products are now part of the profile

31. Keywords
   - Enter a keyword

32. Keywords List
   - Technologies
   - Issues
   - Interests (e.g., "remote", "path")

33. Searches
   - By duration
   - New entries since last search
   - Search results (notice both ICAT and Secunia links)

34. Discussion
   - How does information flow before you get a notification by Cassandra?
   - How long does that take?
   - Why were Secunia advisories added as a source of information?
   - Why not advisories from another source (e.g., CERT)?

35. Discussion Sample Answers
   - How does information flow before you get a notification by Cassandra?
     - Public disclosure, MITRE, CERIAS, NIST, Cassandra
   - How long does that take?
     - It can take a month or more, although important issues are prioritized and may take "only" a week
   - Why were Secunia advisories added as a source of information?
     - For timeliness
   - Why not advisories from another source (e.g., CERT)?
     - Data not in a machine-parsable format
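A small Python model of the CAN/CVE naming rules from slide 11, the CERIAS change-log line quoted on slide 15, and the Cassandra-style profile search described on slides 26 to 35. This is an added example, not code from the course, CERIAS or MITRE; the entries, dates, vendor names and profile are constructed sample data, and the parser handles only the "New candidate entries" line shape shown on slide 15.

```python
"""Toy model of CAN/CVE names, the CERIAS change log and a Cassandra-style
profile search. Added example, not code from the course, CERIAS or MITRE;
every entry, date, vendor and profile value below is constructed sample data."""
import re
from dataclasses import dataclass, field

# Slide 11: candidates are CAN-year-number, mature entries CVE-year-number.
# Both numeric parts are four digits, which is why "2004-0001" needs its zeros.
NAME_RE = re.compile(r"^(CAN|CVE)-(\d{4})-(\d{4})$")
# Slide 15: one change-log line lists the candidate numbers added on a date.
CHANGE_RE = re.compile(r"^date:\s*(\d{4}-\d{2}-\d{2})\s+New candidate entries:\s*(.*)$")

def parse_cve_name(name: str) -> tuple:
    """Return (stage, year, number) for a well-formed name, else raise ValueError."""
    m = NAME_RE.match(name.strip().upper())
    if not m:
        raise ValueError(f"not a CAN/CVE name: {name!r}")
    stage = "candidate" if m.group(1) == "CAN" else "mature"
    return stage, int(m.group(2)), int(m.group(3))

def promote(name: str) -> str:
    """A candidate becomes a mature entry; year and number are kept (slide 11)."""
    _stage, year, number = parse_cve_name(name)
    return f"CVE-{year}-{number:04d}"

def parse_change_log(text: str) -> dict:
    """Map each change-log date to the full CAN names announced that day."""
    out = {}
    for line in text.splitlines():
        m = CHANGE_RE.match(line.strip())
        if m:  # other line shapes (e.g. modified entries) are not modelled here
            out[m.group(1)] = [f"CAN-{n}" for n in m.group(2).split()]
    return out

@dataclass
class Entry:
    name: str
    vendor: str
    product: str
    description: str

@dataclass
class Profile:
    """What a Cassandra user registers: (vendor, product) pairs and keywords."""
    products: set = field(default_factory=set)
    keywords: set = field(default_factory=set)
    seen: set = field(default_factory=set)  # names already emailed

def nightly_search(profile: Profile, entries: list) -> list:
    """Return (entry, reason) for matches not reported before (slide 33). Product
    matches are exact; a keyword matches every description that mentions it,
    the over-inclusion slide 45 warns about."""
    products = {(v.lower(), p.lower()) for v, p in profile.products}
    hits = []
    for e in entries:
        if e.name in profile.seen:
            continue
        if (e.vendor.lower(), e.product.lower()) in products:
            reason = "product"
        else:
            words = sorted(k for k in profile.keywords if k.lower() in e.description.lower())
            if not words:
                continue
            reason = "keyword:" + ",".join(words)
        profile.seen.add(e.name)
        hits.append((e, reason))
    return hits

# Constructed sample data: the numbers on the first log line are those quoted on
# slide 15; the entry names are placeholders, not real CVE candidates.
SAMPLE_CHANGE_LOG = """\
date: 2004-03-18 New candidate entries: 2004-0079 2004-0081 2004-0112
date: 2004-03-19 New candidate entries: 2004-0236 2004-0237
"""
SAMPLE_ENTRIES = [
    Entry("CAN-2004-9001", "ExampleCo", "Viewer", "Buffer overflow in ExampleCo Viewer lets a local user crash it"),
    Entry("CAN-2004-9002", "OtherCorp", "Mailer", "OtherCorp Mailer allows a remote user to read local files"),
    Entry("CAN-2004-9003", "OtherCorp", "Agent", "Local privilege escalation in OtherCorp Agent"),
]

def demo() -> list:
    """Two consecutive nightly runs; the second reports nothing new."""
    profile = Profile(products={("ExampleCo", "Viewer")}, keywords={"remote"})
    first = [(e.name, why) for e, why in nightly_search(profile, SAMPLE_ENTRIES)]
    second = [e.name for e, _ in nightly_search(profile, SAMPLE_ENTRIES)]
    return [first, second]
```

The "keyword:remote" hit in the demo shows why a profile should lean on vendor/product entries: a free keyword reports any entry that mentions the word, not only your product.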
36. Parts: Governmental and Academic Resources
   - MITRE's CVE
   - NIST's ICAT
   - Cassandra
   - CERT/CC
   - US-CERT
   - NIST documents
   - Secure programming how-tos

37. CERT Coordination Center
   - http://www.cert.org/
   - Based at Carnegie-Mellon University
     - Operated by the Software Engineering Institute
     - Links to various SEI products for sale
   - Used to produce:
     - Advisories
       - The CERT advisory mailing list is being phased out
     - Incident Notes
     - Vulnerability Notes
   - Now a "partner" with US-CERT
     - Most links on CERT/CC's web site now refer to US-CERT

38. Parts: Governmental and Academic Resources
   - MITRE's CVE
   - NIST's ICAT
   - Cassandra
   - CERT/CC
   - US-CERT
   - NIST documents
   - Secure programming how-tos

39. US-CERT
   - http://www.us-cert.gov
   - Your Cyber Security Everything
     - "Technical Cyber Security Alerts"
     - "Non-technical Cyber Security Alerts"
       - e.g., "Understanding Firewalls", like a "Firewalls for dummies"
     - Cyber Security Bulletins
     - Cyber Security Tips
   - US-CERT Vulnerability Notes
     - (why aren't they "cyber security vulnerability notes"? I don't know)

40. US-CERT Vulnerability Notes
   - The old CERT/CC Vulnerability Notes, renamed
     - http://www.kb.cert.org/vuls/
   - Well written
   - Informative
   - Not exhaustive
   - Mailing list
   - Database
   - No customized notification mechanism

41. Searching the US-CERT Vulnerability Notes
   - Enter a keyword, vendor name, etc.

42. Example Vulnerability Note
   - http://www.kb.cert.org/vuls/id/948750
   - Vulnerability Note VU#948750
     - Microsoft Outlook Web Access contains vulnerability in HTML redirection query
     - Overview
       - A cross-site scripting vulnerability in Microsoft Exchange 5.5 Outlook Web Access (OWA) could allow an attacker to execute arbitrary scripting code in the victim's browser

43. Searching for "Sun"
   - The results list every note in which Sun was involved

44. Question
   - If you are looking for vulnerabilities in your favorite vendor's products, what are the limitations of Vulnerability Notes?
     - Hint: Did all the entries obtained when searching for "Sun" relate to Sun products?

45. Question Answers
   - If you are looking for vulnerabilities in your favorite vendor's products, what are the limitations of Vulnerability Notes?
     - Results are not exhaustive
       - Only the most "serious" vulnerabilities have notes
     - Every involvement of the vendor is listed, even when some other vendor is at fault
       - Security vendors typically get listed when they publish an advisory
       - OS vendors typically get listed when there's a problem with another company's product for their platform

46. Exercise
   - Find both the CVE number and VU# of an AOL Instant Messenger vulnerability on the US-CERT Vulnerability Notes web site
     - http://www.kb.cert.org/vuls/

47. Question
   - Why do you particularly not want to have your product mentioned in a US-CERT Vulnerability Note (choose the most important reason)?
     a) because only the most severe vulnerabilities are mentioned
     b) because it is highly visible
     c) because it is government interference with the industry (and your company)

48. Question Answer
   - Why do you particularly not want to have your product mentioned in a US-CERT Vulnerability Note?
     - a) because only the most severe vulnerabilities are mentioned
   - That means you made a big mistake!
49. Parts: Governmental and Academic Resources
   - MITRE's CVE
   - NIST's ICAT
   - Cassandra
   - CERT/CC
   - US-CERT
   - NIST documents
   - Secure programming how-tos

50. NIST Security Documents
   - http://csrc.nist.gov/publications/nistpubs/index.html
     - SP 800-64 Security Considerations in the Information System Development Life Cycle, October 2003
     - SP 800-55 Security Metrics Guide for Information Technology Systems, July 2003
     - SP 800-51 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme, September 2002
     - SP 800-47 Security Guide for Interconnecting Information Technology Systems, September 2002
   - And many others

51. Exercises
   - Find a NIST publication that describes how your customers might select information security products
   - What is the title of Special Publication 800-27? Download it and open it.
     - Who is the intended audience?
     - Which principle are we directly addressing today?
     - Quote another principle that you already knew and explain it to the class, or select one that is relevant to your work and explain to the class why you think it is relevant.

   (Instructor: it is suggested to start student reports after about 15-20 minutes, and give up to 2 minutes for each student to quote a principle.)

52. Parts: Governmental and Academic Resources
   - MITRE's CVE
   - NIST's ICAT
   - Cassandra
   - CERT/CC
   - US-CERT
   - NIST documents
   - Secure programming how-tos

53. Secure Programming How-Tos
   - David Wheeler's Secure Programming for Linux and UNIX How-To
     - http://www.dwheeler.com/secure-programs
   - Secure UNIX Programming FAQ
     - http://www.whitefang.com/sup/secure-faq.html
   - OWASP (Open Web Application Security Project) Guide
     - http://www.owasp.org
   - Etc. (Google "secure programming")

54. Parts: Security Vendor Resources
   - Security Focus
   - SANS
   - ISS X-Force
   - Secunia
   - Security Tracker
   - Symantec's Security Response Online DB
   - AtStake
   - Etc.

55. Symantec
   - tms.symantec.com
     - More in-depth
     - Analyst reports
     - Subscription required
   - alerts.symantec.com
     - "DeepSight"
     - Subscription required

56. Books
   - High level
     - Secure Coding, Principles and Practices (M.G. Graff and K.R. Van Wyk, 2003)
   - Technical
     - Secure Programming Cookbook (J. Viega and M. Messier)
       - Several practical cryptographic applications
       - Valid for both UNIX and Windows
     - Writing Secure Code, 2nd Edition (Howard and LeBlanc)
       - Microsoft technologies
       - Significantly better than the 1st Edition
       - The information in chapter 24, "Writing Documentation and Error Messages", is useful and difficult to find elsewhere

57. Free Books
   - Improving Web Application Security: Threats and Countermeasures Roadmap
     - J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan (Microsoft Corporation)
     - MSDN Library, June 2003
     - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

58. About These Slides
   - You are free to copy, distribute, display, and perform the work, and to make derivative works, under the following conditions:
     - You must give the original author and other contributors credit
     - The work will be used for personal or non-commercial educational uses only, and not for commercial activities and purposes
     - For any reuse or distribution, you must make clear to others the terms of use for this work
     - Derivative works must retain and be subject to the same conditions, and contain a note identifying the new contributor(s) and date of modification
     - For other uses please contact the Purdue Office of Technology Commercialization
   - Developed thanks to the support of Symantec Corporation

59. Pascal Meunier [email_address]
   - Contributors:
   - Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera