Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE...

45
Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Transcript of Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE...

Page 1: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Measuring and Managing Software Security

Robert A. Martin

20 March 2013

© 2012 The MITRE Corporation. All rights reserved.

Page 2: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Today Everything’s Connected

When this Other System gets subverted through an un-patched vulnerability, a mis-configuration, or an application weakness…

Your System is attackable…

© 2012 The MITRE Corporation. All rights reserved.

Page 3: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.
Page 4: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.
Page 5: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.
Page 6: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.
Page 7: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

CVE 1999 to 2000

to 2012

Page 8: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Vulnerability Type Trends:A Look at the CVE List (2001 - 2007)

Page 9: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Removing and Preventing the Vulnerabilities Requires More Specific Definitions…CWEsImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting’) (79)

• Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (80)• Improper Neutralization of Script in an Error Message Web Page (81)• Improper Neutralization of Script in Attributes of IMG Tags in a Web Page (82)• Improper Neutralization of Script in Attributes in a Web Page (83)• Improper Neutralization of Encoded URI Schemes in a Web Page (84)• Doubled Character XSS Manipulations (85)• Improper Neutralization of Invalid Characters in Identifiers in Web Pages (86)• Improper Neutralization of Alternate XSS Syntax (87)

Improper Restriction of Operations within the Bounds of a Memory Buffer (119)• Buffer Copy without Checking Size of Input ('Classic Buffer Overflow’) (120)• Write-what-where Condition (123)• Out-of-bounds Read (125)• Improper Handling of Length Parameter Inconsistency (130)• Improper Validation of Array Index (129) • Return of Pointer Value Outside of Expected Range (466)• Access of Memory Location Before Start of Buffer (786) • Access of Memory Location After End of Buffer (788)• Buffer Access with Incorrect Length Value 805• Untrusted Pointer Dereference (822)• Use of Out-of-range Pointer Offset (823)• Access of Uninitialized Pointer (824)• Expired Pointer Dereference (825)

Path Traversal (22)• Relative Path Traversal (23)• Path Traversal: '../filedir' (24)• Path Traversal: '/../filedir' (25)• <------------8 more here -------------->• Path Traversal: '....//' (34)• Path Traversal: '.../...//' (35)• Absolute Path Traversal (36)

• Path Traversal: '/absolute/pathname/here’ (37)• Path Traversal: '\absolute\pathname\here’ (38)• Path Traversal: 'C:dirname’ (39)• Path Traversal: '\\UNC\share\name\' (Windows UNC Share) (40)

9

14

19

Page 10: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Common Weakness Enumeration (CWE) – 700+

© 2012 The MITRE Corporation. All rights reserved.

Page 11: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

What is wrong with this picture?Wouldn’t it be nice if the weaknesses in software were as easy to spot and their impact as easy to understand as a screen door in a submarine…

Page 12: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

CWE Compatibility & Effectiveness Program

396

9

cwe.mitre.org/compatible/

( launched Feb 2007)

Page 13: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.
Page 14: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.
Page 15: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Direct Contributors to the 2011 CWE/SANS Top 25

Red Hat Inc. Secunia (Denmark) CERIAS, Purdue University CAST Software NetBSD Symantec Corporation Veracode, Inc. Grammatech Inc. IPA (Japan) IBM Ellumen, Inc. McAfee SAIC SRI International UC Davis MITRE White Hat Security KRvW Associates Oracle Corporation Fortify Software, an HP Company ThinkSec

Tata Consultancy Services (TCS) Motorola Solutions RSA, the Security Division of EMC

Mark J. Cox Carsten Eiram Pascal Meunier Razak Ellafi & Bonsignour David Maxwell Cassio Goldschmidt & Mahesh Saptarshi Chris Eng Paul Anderson Masato Terada Bernie Wong Dennis Seymour Kent Landfield Hart Rossman Jeremy Epstein Matt Bishop Adam Hahn & Sean Barnum Jeremiah Grossman Kenneth van Wyk Bruce Lowenthal Jacob West Frank Kim Christian Heinrich (Australia) Ketan Vyas Joe Baum Matthew Coles, Aaron Katz & Nazira OmuralievaNational Security Agency (NSA) Information Assurance Division Department of Homeland Security (DHS) National Cyber Security Division

© 2012 The MITRE Corporation. All rights reserved.

Page 16: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

CWE/SANS Top 25

3 years running Latest version published in June 2011 Survey results from over 25 organizations 41 CWE entries nominated CWSS 0.8 used to rank results

– Technical Impact, Prevalence, Likelihood of Exploit

Published pocket guide for mitigating the Top 25 (and other weaknesses, too)

© 2012 The MITRE Corporation. All rights reserved.

Page 17: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.
Page 18: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.
Page 19: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.
Page 20: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.
Page 21: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.
Page 22: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.
Page 23: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

CWE Outreach: A Team SportMay/June Issue of IEEE Security & Privacy…

Page 24: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

16 July 2010

Page 25: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

| 25 |

© 2012 The MITRE Corporation. All rights reserved.

Page 26: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

| 26 |

© 2012 The MITRE Corporation. All rights reserved.

Page 27: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

| 27 |

© 2012 The MITRE Corporation. All rights reserved.

Page 28: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

[1] CWE-79 Cross-site Scripting[2] CWE-89 SQL Injection[3] CWE-120 Classic Buffer Overflow[4] CWE-352 Cross-Site Request Forgery (CSRF)[5] CWE-285 Improper Authorization[6] CWE-807 Reliance on Untrusted Inputs in a Security Decision[7] CWE-22 Path Traversal[8] CWE-434 Unrestricted Upload of File with Dangerous Type[9] CWE-78 OS Command Injection[10] CWE-311 Missing Encryption of Sensitive Data[11] CWE-798 Use of Hard-coded Credentials[12] CWE-805 Buffer Access with Incorrect Length Value[13] CWE-98 PHP File Inclusion[14] CWE-129 Improper Validation of Array Index[15] CWE-754 Improper Check for Unusual or Exceptional Conditions[16] CWE-209 Information Exposure Through an Error Message[17] CWE-190 Integer Overflow or Wraparound[18] CWE-131 Incorrect Calculation of Buffer Size[19] CWE-306 Missing Authentication for Critical Function[20] CWE-494 Download of Code Without Integrity Check[21] CWE-732 Incorrect Permission Assignment for Critical Resource[22] CWE-770 Allocation of Resources Without Limits or Throttling[23] CWE-601 Open Redirect[24] CWE-327 Use of a Broken or Risky Cryptographic Algorithm[25] CWE-362 Race Condition[26] CWE-749 Exposed Dangerous Method or Function[27] CWE-307 Improper Restriction of Excessive Auth. Attempts[28] CWE-212 Improper Cross-boundary Removal of Sensitive Data[29] CWE-330 Use of Insufficiently Random Values[30] CWE-59 Link Following[31] CWE-134 Uncontrolled Format String[32] CWE-476 NULL Pointer Dereference[33] CWE-681 Incorrect Conversion between Numeric Types[34] CWE-426 Untrusted Search Path[35] CWE-454 External Initialization of Trusted Variables or Data Stores[36] CWE-416 Use After Free[37] CWE-772 Missing Release of Resource after Effective Lifetime[38] CWE-799 Improper Control of Interaction Frequency[39] CWE-456 Missing Initialization[40] CWE-672 Operation on a Resource after Expiration or Release[41] CWE-804 Guessable CAPTCHA

| 28 |

CWE-119

CWE-706

CWE-834

CWE-637

CW

E/S

AN

S 2

01

0 T

op 2

5 M

ost

Dangero

us

Soft

ware

Err

ors

Page 29: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.
Page 30: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Total PotentialSecurity Weaknesses

DynamicAnalysis

StaticAnalysis

• Environment Configuration Issues• Issues in integrations of modules• Runtime Privileges Issues• Protocol Parser/Serializer Issues• Issues in 3rd party components• …

• Environment Configuration Issues• Issues in integrations of modules• Runtime Privileges Issues• Protocol Parser/Serializer Issues• Issues in 3rd party components• …

• Null Pointer Dereference• Threading Issues• Issues in Dead Code• Insecure Crypto Functions• …

• Null Pointer Dereference• Threading Issues• Issues in Dead Code• Insecure Crypto Functions• …

• SQL Injection• Cross Site Scripting• HTTP Response Splitting• OS Commanding• LDAP Injection• …

• SQL Injection• Cross Site Scripting• HTTP Response Splitting• OS Commanding• LDAP Injection• …

Application Logic Issues Application Logic Issues

Leveraging and Managing to take Advantage of the Multiple Perspectives of Analysis

Page 31: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Weakness

Weakness

Weakness

Weakness

Asset

Attack

Impact

Item

Item

Item

Attack

Attack

Function

Asset

Impact

Impact

KnownThreatActors

Attack Patterns(CAPECs)

Weaknesses(CWEs)

Controls* TechnicalImpacts

Operational Impacts

* Controls include architecture choices, design choices, added security functions, activities & processes, physical decomposition choices, code assessments, design reviews, dynamic testing, and pen testing

System & System Security

EngineeringTrades

ISO/IEC Technical Report 20004:Refining Software Vulnerability Analysis Under ISO/IEC 15049 and ISO/IEC 18045

Page 32: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Technical Impacts – Common Consequences

Page 33: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

1. Modify data2. Read data3. DoS: unreliable execution4. DoS: resource consumption5. Execute unauthorized code or commands6. Gain privileges / assume identity7. Bypass protection mechanism8. Hide activities

Technical Impacts – Common Weakness Risk Analysis Framework (CWRAF)

Page 34: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

CWRAF/CWSS in a Nutshell

W

Wd

W is all possible weaknessesWd is all known weaknesses (CWE)

Page 35: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Common Weakness Risk Analysis Framework (CWRAF)

Multiple pieces – we’ll focus on “Vignettes”

Technical Impacts1. Modify data

2. Read data

3. DoS: unreliable execution

4. DoS: resource consumption

5. Execute unauthorized code or commands

6. Gain privileges / assume identity

7. Bypass protection mechanism

8. Hide activities

Technical Impact Scorecard

W1=10W2=0W3=0W4=0W5=0W6=0W7=0W8=0

Weightings

Page 36: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

CWRAF/CWSS in a Nutshell

W

Wd

CWSS Score

CWE

97 CWE-7995 CWE-7894 CWE-2294 CWE-43494 CWE-79893 CWE-12093 CWE-25092 CWE-77091 CWE-82991 CWE-19091 CWE-49490 CWE-13490 CWE-77290 CWE-47690 CWE-131

User-defined cutoff

CWSSScorin

g Engine

Most Important Weakness

es

“Vignette”

W is all possible weaknessesWd is all known weaknesses (CWE)

Page 37: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

What types of attacks should I test my system against?

Common Attack Pattern Enumeration and Classification

WWd

CWSS Score CWE

97 CWE-79

95 CWE-78

94 CWE-22

94 CWE-434

94 CWE-798

93 CWE-120

93 CWE-250

92 CWE-770

91 CWE-829

91 CWE-190

91 CWE-494

90 CWE-134

90 CWE-772

90 CWE-476

90 CWE-131

CWSSScoring Engine

Most Important

Weaknesses

CWE Related CAPEC ID’s

CWE-79 CAPEC-232, CAPEC-106, CAPEC-19, …

CWE-78 CAPEC-108, CAPEC-15, CAPEC-43, CAPEC-6, …

… …

Page 38: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Scoring Weaknesses Discovered in Code using CWSS

Page 39: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Organizations that have declared plans to support CWSS in their future offerings and are working with MITRE to help evolve CWSS to meet their customer's and the community's needs for a scoring system for software errors.

Page 40: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

CWE Coverage – Implemented…

Page 41: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Which static analysis tools and Pen Testing services find the CWE’s I care about?

Utilizing CWE Coverage Claims

Most Important Weakness

es(CWE’s)

Code Review

Static Analysis Tool A

Pen Testing Services

CWE’s a capability claims to cover

Static Analysis Tool B

Page 42: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Leveraging and Managing to take Advantage of the Multiple Perspectives of Analysis

Different perspectives are effective at finding different types of weaknesses

Some are good at finding the cause and some at finding the effectStaticCode

Analysis

PenetrationTest

DataSecurityAnalysis

CodeReview

ArchitectureRisk

Analysis

Cross-Site Scripting (XSS) X X X

SQL Injection X X X

Insufficient Authorization Controls X X X X

Broken Authentication and Session Management X X X X

Information Leakage X X X

Improper Error Handling X

Insecure Use of Cryptography X X X

Cross Site Request Forgery (CSRF) X X

Denial of Service X X X X

Poor Coding Practices X X

Page 43: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Architecture Analysis

Design Review

Source Code Static Analysis

Binary Static Analysis

Automated Dynamic Analysis

Penetration Testing

Red Team Assessment

(1) Modify data

(2) Read Data

(3) DoS: unreliable execution

(4) DoS: resource consumption

(5) Execute unauthorized code or commands

(6) Gain privileges / assume identity(7) Bypass protection mechanism

(8) Hide activities

Revie

w o

f A

rch

itectu

re a

nd

D

esig

n

Revie

w o

f C

od

e

Revie

w o

f Liv

e

Syste

m

Notiona

l

Page 44: Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE Corporation. All rights reserved.

Architecture Analysis

Design Review

Source Code Static

Analysis

Binary Static

Analysis

Automated Dynamic Analysis

Penetration Testing

Red Team Assessment

(1) Modify data CWE-23 CWE-23 CWE-131 CWE-131 CWE-311 CWE-311 CWE-311

(2) Read Data CWE-14 CWE-14 CWE-129 CWE-129 CWE-209 CWE-209 CWE-209

(3) DoS: unreliable execution

CWE-36 CWE-36 CWE-476 CWE-476 CWE-406 CWE-406 CWE-406

(4) DoS: resource consumption

CWE-395 CWE-395

CWE-190 CWE-190 CWE-412 CWE-412 CWE-412

(5) Execute unauthorized code or commands

CWE-88 CWE-88 CWE-120 CWE-120 CWE-120 CWE-79 CWE-79

(6) Gain privileges / assume identity

CWE-96 CWE-96 CWE-489 CWE-489 CWE-309 CWE-309 CWE-309

(7) Bypass protection mechanism

CWE-89 CWE-89 CWE-357 CWE-357 CWE-665 CWE-665 CWE-665

(8) Hide activities

CWE-78 CWE-78 CWE-168 CWE-168 CWE-444 CWE-444 CWE-444

Notiona

l

OS Command Injection

SQL Injection

Static Code Injection

Argument Injection

Use of NullPointerExceptio

n

Absolute Path Traversal

Compiler Removal of Buffer Clearing

Relative Path Traversal

Improper Handling of Inconsistent

Insufficient UI Warning of Dangerous

Leftover Debug Code

Buffer Overflow

Integer Overflow

Null Pointer Dereference

Improper Validation of Array

Index

Incorrect Calculation of

Buffer Size

HTTP Request Smuggling

Improper Initialization

Use of Password System for Primary Authentication

Cross-site Scripting

Unrestricted Externally Accessible Lock

Network Amplification

Information Exposure Through an Error Messages

Missing Encryption of Sensitive Data

Vulnerability Analysis Focus By Phase and Impact