Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE...
-
Upload
lydia-lyons -
Category
Documents
-
view
215 -
download
0
Transcript of Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE...
Measuring and Managing Software Security
Robert A. Martin
20 March 2013
© 2012 The MITRE Corporation. All rights reserved.
Today Everything’s Connected
When this Other System gets subverted through an un-patched vulnerability, a mis-configuration, or an application weakness…
Your System is attackable…
© 2012 The MITRE Corporation. All rights reserved.
CVE 1999 to 2000
to 2012
Vulnerability Type Trends:A Look at the CVE List (2001 - 2007)
Removing and Preventing the Vulnerabilities Requires More Specific Definitions…CWEsImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting’) (79)
• Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (80)• Improper Neutralization of Script in an Error Message Web Page (81)• Improper Neutralization of Script in Attributes of IMG Tags in a Web Page (82)• Improper Neutralization of Script in Attributes in a Web Page (83)• Improper Neutralization of Encoded URI Schemes in a Web Page (84)• Doubled Character XSS Manipulations (85)• Improper Neutralization of Invalid Characters in Identifiers in Web Pages (86)• Improper Neutralization of Alternate XSS Syntax (87)
Improper Restriction of Operations within the Bounds of a Memory Buffer (119)• Buffer Copy without Checking Size of Input ('Classic Buffer Overflow’) (120)• Write-what-where Condition (123)• Out-of-bounds Read (125)• Improper Handling of Length Parameter Inconsistency (130)• Improper Validation of Array Index (129) • Return of Pointer Value Outside of Expected Range (466)• Access of Memory Location Before Start of Buffer (786) • Access of Memory Location After End of Buffer (788)• Buffer Access with Incorrect Length Value 805• Untrusted Pointer Dereference (822)• Use of Out-of-range Pointer Offset (823)• Access of Uninitialized Pointer (824)• Expired Pointer Dereference (825)
Path Traversal (22)• Relative Path Traversal (23)• Path Traversal: '../filedir' (24)• Path Traversal: '/../filedir' (25)• <------------8 more here -------------->• Path Traversal: '....//' (34)• Path Traversal: '.../...//' (35)• Absolute Path Traversal (36)
• Path Traversal: '/absolute/pathname/here’ (37)• Path Traversal: '\absolute\pathname\here’ (38)• Path Traversal: 'C:dirname’ (39)• Path Traversal: '\\UNC\share\name\' (Windows UNC Share) (40)
9
14
19
Common Weakness Enumeration (CWE) – 700+
© 2012 The MITRE Corporation. All rights reserved.
What is wrong with this picture?Wouldn’t it be nice if the weaknesses in software were as easy to spot and their impact as easy to understand as a screen door in a submarine…
CWE Compatibility & Effectiveness Program
396
9
cwe.mitre.org/compatible/
( launched Feb 2007)
Direct Contributors to the 2011 CWE/SANS Top 25
Red Hat Inc. Secunia (Denmark) CERIAS, Purdue University CAST Software NetBSD Symantec Corporation Veracode, Inc. Grammatech Inc. IPA (Japan) IBM Ellumen, Inc. McAfee SAIC SRI International UC Davis MITRE White Hat Security KRvW Associates Oracle Corporation Fortify Software, an HP Company ThinkSec
Tata Consultancy Services (TCS) Motorola Solutions RSA, the Security Division of EMC
Mark J. Cox Carsten Eiram Pascal Meunier Razak Ellafi & Bonsignour David Maxwell Cassio Goldschmidt & Mahesh Saptarshi Chris Eng Paul Anderson Masato Terada Bernie Wong Dennis Seymour Kent Landfield Hart Rossman Jeremy Epstein Matt Bishop Adam Hahn & Sean Barnum Jeremiah Grossman Kenneth van Wyk Bruce Lowenthal Jacob West Frank Kim Christian Heinrich (Australia) Ketan Vyas Joe Baum Matthew Coles, Aaron Katz & Nazira OmuralievaNational Security Agency (NSA) Information Assurance Division Department of Homeland Security (DHS) National Cyber Security Division
© 2012 The MITRE Corporation. All rights reserved.
CWE/SANS Top 25
3 years running Latest version published in June 2011 Survey results from over 25 organizations 41 CWE entries nominated CWSS 0.8 used to rank results
– Technical Impact, Prevalence, Likelihood of Exploit
Published pocket guide for mitigating the Top 25 (and other weaknesses, too)
© 2012 The MITRE Corporation. All rights reserved.
CWE Outreach: A Team SportMay/June Issue of IEEE Security & Privacy…
16 July 2010
| 25 |
© 2012 The MITRE Corporation. All rights reserved.
| 26 |
© 2012 The MITRE Corporation. All rights reserved.
| 27 |
© 2012 The MITRE Corporation. All rights reserved.
[1] CWE-79 Cross-site Scripting[2] CWE-89 SQL Injection[3] CWE-120 Classic Buffer Overflow[4] CWE-352 Cross-Site Request Forgery (CSRF)[5] CWE-285 Improper Authorization[6] CWE-807 Reliance on Untrusted Inputs in a Security Decision[7] CWE-22 Path Traversal[8] CWE-434 Unrestricted Upload of File with Dangerous Type[9] CWE-78 OS Command Injection[10] CWE-311 Missing Encryption of Sensitive Data[11] CWE-798 Use of Hard-coded Credentials[12] CWE-805 Buffer Access with Incorrect Length Value[13] CWE-98 PHP File Inclusion[14] CWE-129 Improper Validation of Array Index[15] CWE-754 Improper Check for Unusual or Exceptional Conditions[16] CWE-209 Information Exposure Through an Error Message[17] CWE-190 Integer Overflow or Wraparound[18] CWE-131 Incorrect Calculation of Buffer Size[19] CWE-306 Missing Authentication for Critical Function[20] CWE-494 Download of Code Without Integrity Check[21] CWE-732 Incorrect Permission Assignment for Critical Resource[22] CWE-770 Allocation of Resources Without Limits or Throttling[23] CWE-601 Open Redirect[24] CWE-327 Use of a Broken or Risky Cryptographic Algorithm[25] CWE-362 Race Condition[26] CWE-749 Exposed Dangerous Method or Function[27] CWE-307 Improper Restriction of Excessive Auth. Attempts[28] CWE-212 Improper Cross-boundary Removal of Sensitive Data[29] CWE-330 Use of Insufficiently Random Values[30] CWE-59 Link Following[31] CWE-134 Uncontrolled Format String[32] CWE-476 NULL Pointer Dereference[33] CWE-681 Incorrect Conversion between Numeric Types[34] CWE-426 Untrusted Search Path[35] CWE-454 External Initialization of Trusted Variables or Data Stores[36] CWE-416 Use After Free[37] CWE-772 Missing Release of Resource after Effective Lifetime[38] CWE-799 Improper Control of Interaction Frequency[39] CWE-456 Missing Initialization[40] CWE-672 Operation on a Resource after Expiration or Release[41] CWE-804 Guessable CAPTCHA
| 28 |
CWE-119
CWE-706
CWE-834
CWE-637
CW
E/S
AN
S 2
01
0 T
op 2
5 M
ost
Dangero
us
Soft
ware
Err
ors
Total PotentialSecurity Weaknesses
DynamicAnalysis
StaticAnalysis
• Environment Configuration Issues• Issues in integrations of modules• Runtime Privileges Issues• Protocol Parser/Serializer Issues• Issues in 3rd party components• …
• Environment Configuration Issues• Issues in integrations of modules• Runtime Privileges Issues• Protocol Parser/Serializer Issues• Issues in 3rd party components• …
• Null Pointer Dereference• Threading Issues• Issues in Dead Code• Insecure Crypto Functions• …
• Null Pointer Dereference• Threading Issues• Issues in Dead Code• Insecure Crypto Functions• …
• SQL Injection• Cross Site Scripting• HTTP Response Splitting• OS Commanding• LDAP Injection• …
• SQL Injection• Cross Site Scripting• HTTP Response Splitting• OS Commanding• LDAP Injection• …
Application Logic Issues Application Logic Issues
Leveraging and Managing to take Advantage of the Multiple Perspectives of Analysis
Weakness
Weakness
Weakness
Weakness
Asset
Attack
Impact
Item
Item
Item
Attack
Attack
Function
Asset
Impact
Impact
KnownThreatActors
Attack Patterns(CAPECs)
Weaknesses(CWEs)
Controls* TechnicalImpacts
Operational Impacts
* Controls include architecture choices, design choices, added security functions, activities & processes, physical decomposition choices, code assessments, design reviews, dynamic testing, and pen testing
System & System Security
EngineeringTrades
ISO/IEC Technical Report 20004:Refining Software Vulnerability Analysis Under ISO/IEC 15049 and ISO/IEC 18045
Technical Impacts – Common Consequences
1. Modify data2. Read data3. DoS: unreliable execution4. DoS: resource consumption5. Execute unauthorized code or commands6. Gain privileges / assume identity7. Bypass protection mechanism8. Hide activities
Technical Impacts – Common Weakness Risk Analysis Framework (CWRAF)
CWRAF/CWSS in a Nutshell
W
Wd
W is all possible weaknessesWd is all known weaknesses (CWE)
Common Weakness Risk Analysis Framework (CWRAF)
Multiple pieces – we’ll focus on “Vignettes”
Technical Impacts1. Modify data
2. Read data
3. DoS: unreliable execution
4. DoS: resource consumption
5. Execute unauthorized code or commands
6. Gain privileges / assume identity
7. Bypass protection mechanism
8. Hide activities
Technical Impact Scorecard
W1=10W2=0W3=0W4=0W5=0W6=0W7=0W8=0
Weightings
CWRAF/CWSS in a Nutshell
W
Wd
CWSS Score
CWE
97 CWE-7995 CWE-7894 CWE-2294 CWE-43494 CWE-79893 CWE-12093 CWE-25092 CWE-77091 CWE-82991 CWE-19091 CWE-49490 CWE-13490 CWE-77290 CWE-47690 CWE-131
…
User-defined cutoff
CWSSScorin
g Engine
Most Important Weakness
es
“Vignette”
W is all possible weaknessesWd is all known weaknesses (CWE)
What types of attacks should I test my system against?
Common Attack Pattern Enumeration and Classification
WWd
CWSS Score CWE
97 CWE-79
95 CWE-78
94 CWE-22
94 CWE-434
94 CWE-798
93 CWE-120
93 CWE-250
92 CWE-770
91 CWE-829
91 CWE-190
91 CWE-494
90 CWE-134
90 CWE-772
90 CWE-476
90 CWE-131
…
CWSSScoring Engine
Most Important
Weaknesses
CWE Related CAPEC ID’s
CWE-79 CAPEC-232, CAPEC-106, CAPEC-19, …
CWE-78 CAPEC-108, CAPEC-15, CAPEC-43, CAPEC-6, …
… …
Scoring Weaknesses Discovered in Code using CWSS
Organizations that have declared plans to support CWSS in their future offerings and are working with MITRE to help evolve CWSS to meet their customer's and the community's needs for a scoring system for software errors.
CWE Coverage – Implemented…
Which static analysis tools and Pen Testing services find the CWE’s I care about?
Utilizing CWE Coverage Claims
Most Important Weakness
es(CWE’s)
Code Review
Static Analysis Tool A
Pen Testing Services
CWE’s a capability claims to cover
Static Analysis Tool B
Leveraging and Managing to take Advantage of the Multiple Perspectives of Analysis
Different perspectives are effective at finding different types of weaknesses
Some are good at finding the cause and some at finding the effectStaticCode
Analysis
PenetrationTest
DataSecurityAnalysis
CodeReview
ArchitectureRisk
Analysis
Cross-Site Scripting (XSS) X X X
SQL Injection X X X
Insufficient Authorization Controls X X X X
Broken Authentication and Session Management X X X X
Information Leakage X X X
Improper Error Handling X
Insecure Use of Cryptography X X X
Cross Site Request Forgery (CSRF) X X
Denial of Service X X X X
Poor Coding Practices X X
Architecture Analysis
Design Review
Source Code Static Analysis
Binary Static Analysis
Automated Dynamic Analysis
Penetration Testing
Red Team Assessment
(1) Modify data
(2) Read Data
(3) DoS: unreliable execution
(4) DoS: resource consumption
(5) Execute unauthorized code or commands
(6) Gain privileges / assume identity(7) Bypass protection mechanism
(8) Hide activities
Revie
w o
f A
rch
itectu
re a
nd
D
esig
n
Revie
w o
f C
od
e
Revie
w o
f Liv
e
Syste
m
Notiona
l
Architecture Analysis
Design Review
Source Code Static
Analysis
Binary Static
Analysis
Automated Dynamic Analysis
Penetration Testing
Red Team Assessment
(1) Modify data CWE-23 CWE-23 CWE-131 CWE-131 CWE-311 CWE-311 CWE-311
(2) Read Data CWE-14 CWE-14 CWE-129 CWE-129 CWE-209 CWE-209 CWE-209
(3) DoS: unreliable execution
CWE-36 CWE-36 CWE-476 CWE-476 CWE-406 CWE-406 CWE-406
(4) DoS: resource consumption
CWE-395 CWE-395
CWE-190 CWE-190 CWE-412 CWE-412 CWE-412
(5) Execute unauthorized code or commands
CWE-88 CWE-88 CWE-120 CWE-120 CWE-120 CWE-79 CWE-79
(6) Gain privileges / assume identity
CWE-96 CWE-96 CWE-489 CWE-489 CWE-309 CWE-309 CWE-309
(7) Bypass protection mechanism
CWE-89 CWE-89 CWE-357 CWE-357 CWE-665 CWE-665 CWE-665
(8) Hide activities
CWE-78 CWE-78 CWE-168 CWE-168 CWE-444 CWE-444 CWE-444
Notiona
l
OS Command Injection
SQL Injection
Static Code Injection
Argument Injection
Use of NullPointerExceptio
n
Absolute Path Traversal
Compiler Removal of Buffer Clearing
Relative Path Traversal
Improper Handling of Inconsistent
Insufficient UI Warning of Dangerous
Leftover Debug Code
Buffer Overflow
Integer Overflow
Null Pointer Dereference
Improper Validation of Array
Index
Incorrect Calculation of
Buffer Size
HTTP Request Smuggling
Improper Initialization
Use of Password System for Primary Authentication
Cross-site Scripting
Unrestricted Externally Accessible Lock
Network Amplification
Information Exposure Through an Error Messages
Missing Encryption of Sensitive Data
Vulnerability Analysis Focus By Phase and Impact