nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym


nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym by Cassio Goldschmidt

Transcript of nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Page 1: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

nullcon Goa 2010 http://nullcon.net

Tracking the Progress of an SDL Program

- Cassio Goldschmidt

Page 2: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Who am I? Cassio Goldschmidt

Sr. Manager, Product Security – Symantec

Education: MBA, USC

MS Software Engineering, SCU

BSCS, PUCRS

CSSLP, (ISC)2

When I’m not in the office…

Volleyball (Indoor, Beach)

Coding… for way too long!

Gym…

Page 3: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Typical Project Lifecycle

Page 4: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym
Page 5: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Exercise type:

CWE

Page 6: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Number of Reps:

Number of Findings

Page 7: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Exercise Intensity:

CVSS

Page 8: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym
Page 9: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym


Common Weakness Enumeration

Page 10: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Common Weakness Enumeration: What is it?

A common language for describing software security weaknesses

Maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS).

Hierarchical: each individual CWE represents a single vulnerability type

Deeper levels of the tree provide a finer granularity

Higher levels provide a broad overview of a vulnerability

Page 11: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Common Weakness Enumeration: Portion of CWE structure

Page 12: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

What data is available for each CWE?

Weakness description

Applicable platforms and programming languages

Common Consequences

Likelihood of Exploit

Coding Examples

Potential Mitigations

Related Attacks

Time of Introduction

Taxonomy Mapping

Link to CWE Page on XSS

Page 13: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

How useful is this information?

[Pie chart showing the frequency of CWEs found in penetration tests]

Page 14: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym


Common Vulnerability Scoring System

Page 15: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Common Vulnerability Scoring System What is it?

Score ranges: 0.0 to 3.9, 4.0 to 6.9, 7.0 to 10

Page 16: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Common Vulnerability Scoring System: BASE Vector

Exploitability metrics:

Access Vector: Network, Adjacent Network, Local, Undefined

Access Complexity: High, Medium, Low, Undefined

Authentication: None, Single Instance, Mult. Instances, Undefined

Impact metrics:

Confidentiality: None, Partial, Complete, Undefined

Integrity: None, Partial, Complete, Undefined

Availability: None, Partial, Complete, Undefined

Sample Score: 7.5

Sample Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Every CVSS score should be accompanied by the corresponding vector
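To show how the vector above turns into the sample score, here is an added example (not from the slides or from Symantec) that implements the CVSS v2 base equations in C++: it parses a base vector string, applies the metric weights from the CVSS v2 specification, and rounds to one decimal as the specification does. The function names, the parenthesis handling and the mapping of the slide's score ranges onto the green/yellow/red semaphore from the conclusions are choices made for this example.

```cpp
// Added example (not from the slides): a CVSS v2 base-score calculator that
// works from the vector string the deck says must accompany every score.
#include <cmath>
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>

// Metric weights from the CVSS v2 base equations.
static double cvss2Weight(const std::string& metric, const std::string& value) {
    static const std::map<std::string, std::map<std::string, double> > kWeights = {
        {"AV", {{"L", 0.395}, {"A", 0.646}, {"N", 1.0}}},    // Access Vector
        {"AC", {{"H", 0.35},  {"M", 0.61},  {"L", 0.71}}},   // Access Complexity
        {"Au", {{"M", 0.45},  {"S", 0.56},  {"N", 0.704}}},  // Authentication
        {"C",  {{"N", 0.0},   {"P", 0.275}, {"C", 0.660}}},  // Confidentiality
        {"I",  {{"N", 0.0},   {"P", 0.275}, {"C", 0.660}}},  // Integrity
        {"A",  {{"N", 0.0},   {"P", 0.275}, {"C", 0.660}}},  // Availability
    };
    std::map<std::string, std::map<std::string, double> >::const_iterator m = kWeights.find(metric);
    if (m == kWeights.end())
        throw std::invalid_argument("unknown metric: " + metric);
    std::map<std::string, double>::const_iterator v = m->second.find(value);
    if (v == m->second.end())
        throw std::invalid_argument("bad value '" + value + "' for " + metric);
    return v->second;
}

// Parses "(AV:N/AC:L/Au:N/C:P/I:P/A:P)" (parentheses optional) into
// metric -> value, rejecting vectors that omit any of the six base metrics.
std::map<std::string, std::string> parseCvss2Vector(std::string vec) {
    if (!vec.empty() && vec[0] == '(') vec.erase(0, 1);
    if (!vec.empty() && vec[vec.size() - 1] == ')') vec.erase(vec.size() - 1);
    std::map<std::string, std::string> out;
    std::stringstream ss(vec);
    std::string part;
    while (std::getline(ss, part, '/')) {
        std::string::size_type colon = part.find(':');
        if (colon == std::string::npos)
            throw std::invalid_argument("malformed component: " + part);
        out[part.substr(0, colon)] = part.substr(colon + 1);
    }
    const char* required[] = {"AV", "AC", "Au", "C", "I", "A"};
    for (int i = 0; i < 6; ++i)
        if (out.find(required[i]) == out.end())
            throw std::invalid_argument(std::string("missing metric: ") + required[i]);
    return out;
}

// CVSS v2 base score: the Impact and Exploitability sub-scores combined and
// rounded to one decimal place, as in the specification.
double cvss2BaseScore(const std::string& vec) {
    std::map<std::string, std::string> m = parseCvss2Vector(vec);
    double impact = 10.41 * (1.0 - (1.0 - cvss2Weight("C", m["C"]))
                                 * (1.0 - cvss2Weight("I", m["I"]))
                                 * (1.0 - cvss2Weight("A", m["A"])));
    double exploitability = 20.0 * cvss2Weight("AV", m["AV"])
                                 * cvss2Weight("AC", m["AC"])
                                 * cvss2Weight("Au", m["Au"]);
    double fImpact = (impact == 0.0) ? 0.0 : 1.176;  // f(Impact) from the spec
    double raw = (0.6 * impact + 0.4 * exploitability - 1.5) * fImpact;
    return std::round(raw * 10.0) / 10.0;
}

// The slide's score ranges mapped onto the semaphore colours the deck's
// conclusions mention: 0.0-3.9 green, 4.0-6.9 yellow, 7.0-10.0 red.
std::string cvss2Semaphore(double score) {
    if (score < 4.0) return "green";
    if (score < 7.0) return "yellow";
    return "red";
}
```

Feeding the slide's sample vector (AV:N/AC:L/Au:N/C:P/I:P/A:P) to cvss2BaseScore() yields 7.5, and the code-review finding's vector (AV:N/AC:H/Au:N/C:C/I:C/A:C) yields 7.6. Keeping the vector rather than only the number is what makes those two scores comparable later: the first is easier to exploit, the second does more damage, and the bare scores alone would hide that.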

Page 17: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Common Vulnerability Scoring System (CVSS): The Calculator

Page 18: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym


Hands on Demo

Page 19: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

CWE and CVSS use in Practice: Code Review

    void CHTMLEngine::SetPost(CBufferedInput& buf, unsigned int length, string& multipart)
    {
        m_post = true;
        if (length <= 0)
            return;
        char* pData = new char[length+1];
        memset(pData, 0, length+1);

        // Read the POSTed data into a buffer
        int totalBytesRead = 0;
        int bytesRead = 0;
        while ( length-totalBytesRead > 0 ) {
            bytesRead = buf.Read(pData+totalBytesRead, length-totalBytesRead);
            if ( bytesRead == -1 ) {
                DTRACE(1, " EOF error reading POSTed data.");
                break;
            }
            totalBytesRead += bytesRead;
        }
        m_post_data = pData;
        m_mp_boundary = multipart;
        delete [] pData;
    }

What if I make length = -1?

new char[0] calls malloc(0) which succeeds!

Next, attacker-controlled data either overflows heap or crashes

Doesn’t quite work – length is unsigned

Page 20: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

CWE and CVSS use in Practice: Code Review

    void CHTMLEngine::SetPost(CBufferedInput& buf, unsigned int length, string& multipart)
    {
        m_post = true;
        if (length <= 0)
            return;
        char* pData = new char[length+1];
        memset(pData, 0, length+1);

        // Read the POSTed data into a buffer
        int totalBytesRead = 0;
        int bytesRead = 0;
        while ( length-totalBytesRead > 0 ) {
            bytesRead = buf.Read(pData+totalBytesRead, length-totalBytesRead);
            if ( bytesRead == -1 ) {
                DTRACE(1, " EOF error reading POSTed data.");
                break;
            }
            totalBytesRead += bytesRead;
        }
        m_post_data = pData;
        m_mp_boundary = multipart;
        delete [] pData;
    }

Buffer Overflow

CWE: 119 CVSS 2: 7.6 CVSS 2 Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
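The finding above is recorded as CWE-119 because the length check and the length+1 allocation do not hold up once length is unsigned. As an added example (not Symantec's code and not from the slides), here is a hardened rewrite of SetPost() that closes the paths the review walked through: it rejects a zero length and an out-of-policy length before allocating, keeps the counter in the same unsigned type as length, uses a sized container instead of new[]/delete[], and treats a short read the same as a read error. The CBufferedInput class, the kMaxPostLength limit and the demo* functions are stand-ins constructed for this example.

```cpp
// Added example, not Symantec's code: a hardened rewrite of the SetPost()
// routine reviewed on the slides. CBufferedInput here is a stand-in
// constructed for this example; kMaxPostLength is an assumed policy limit.
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Constructed stand-in for the slide's CBufferedInput: hands out bytes from
// a fixed buffer. Read() returns the byte count, 0 at EOF, or -1 on error.
class CBufferedInput {
public:
    explicit CBufferedInput(const std::string& data, bool fail = false)
        : m_data(data), m_pos(0), m_fail(fail) {}
    long Read(char* dst, std::size_t want) {
        if (m_fail) return -1;
        std::size_t avail = m_data.size() - m_pos;
        std::size_t n = (want < avail) ? want : avail;
        std::memcpy(dst, m_data.data() + m_pos, n);
        m_pos += n;
        return static_cast<long>(n);
    }
private:
    std::string m_data;
    std::size_t m_pos;
    bool m_fail;
};

static const std::size_t kMaxPostLength = 1024 * 1024;  // assumed policy limit

class CHTMLEngine {
public:
    CHTMLEngine() : m_post(false) {}

    // Returns true only when exactly `length` bytes were read and stored;
    // on any failure the stored body is left empty.
    bool SetPost(CBufferedInput& buf, std::size_t length, const std::string& multipart) {
        m_post = true;
        m_post_data.clear();
        // The original `if (length <= 0)` only ever tests for zero, because
        // length is unsigned: 0xFFFFFFFF passes it and length+1 wraps to 0,
        // which is how new char[0] (malloc(0)) succeeded on the slide.
        // An explicit zero check plus an upper bound closes both paths.
        if (length == 0 || length > kMaxPostLength)
            return false;
        // A sized container replaces new[]/delete[]: no +1 arithmetic to
        // wrap, and no raw pointer to leak on an early return.
        std::vector<char> data(length, '\0');
        std::size_t total = 0;  // same unsigned type as length: no signed/unsigned mixing
        while (total < length) {
            long got = buf.Read(&data[total], length - total);
            // -1 is the error the original logged; 0 is a premature EOF the
            // original silently accepted. A count larger than requested is
            // treated as a contract violation rather than trusted.
            if (got <= 0 || static_cast<std::size_t>(got) > length - total)
                return false;
            total += static_cast<std::size_t>(got);
        }
        m_post_data.assign(data.begin(), data.end());
        m_mp_boundary = multipart;
        return true;
    }
    bool HasPost() const { return m_post; }
    const std::string& PostData() const { return m_post_data; }

private:
    bool m_post;
    std::string m_post_data;
    std::string m_mp_boundary;
};

// Constructed inputs: the happy path and each rejection branch.
bool demoExactLength() {
    CBufferedInput in("a=1&b=2");
    CHTMLEngine e;
    return e.SetPost(in, 7, "") && e.PostData() == "a=1&b=2";
}
bool demoWrappedLength() {  // the slide's "length = -1", seen as unsigned
    CBufferedInput in("a=1&b=2");
    CHTMLEngine e;
    return !e.SetPost(in, static_cast<std::size_t>(-1), "") && e.PostData().empty();
}
bool demoShortBody() {      // client claims 100 bytes but sends only 7
    CBufferedInput in("a=1&b=2");
    CHTMLEngine e;
    return !e.SetPost(in, 100, "") && e.PostData().empty();
}
bool demoReadError() {
    CBufferedInput in("a=1&b=2", true);
    CHTMLEngine e;
    return !e.SetPost(in, 7, "") && e.HasPost();
}
```

The design point is that the length now has to satisfy a policy (non-zero and bounded) before any allocation happens, so there is no value of length for which the buffer ends up smaller than the loop believes it is. Once a fix like this ships, the same CWE and CVSS labels on the original finding are what let the program report the class of weakness it removed and the severity it retired.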

Page 21: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym


Training and Metrics

Page 22: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Training and Metrics: A special activity in the SDL

• Security training is what food is to a workout

• Same workout metrics do not apply

• Quality of your intake affects overall performance

• Staff needs ongoing training

Page 23: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Training and Metrics Security Learning Process

Page 24: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Training and Metrics Security Learning Process

Understand who is the audience

• Previous knowledge about secure coding and secure testing

• Programming languages in use

• Supported platforms

• Type of product

Page 25: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Training and Metrics Security Learning Process

Train everyone involved in the SDL

• Developers: Secure Coding, Threat Model

• QA: Security Testing, Tools

• Managers: Secure Development Lifecycle (also known as Symmunize)

Page 26: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Training and Metrics Security Learning Process

Quality Assurance - Capture the flag

• Use Beta software

• Approximately 3 hours long

• Top 3 finders receive prizes and are invited to explain what techniques and tools they used to find the vulnerabilities to the rest of the group

Page 27: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Training and Metrics Security Learning Process

Post Class Survey

• Anonymous

• Metrics

  • Class content

  • Instructor knowledge

  • Exercises

Page 28: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Training and Metrics Security awareness is more than training

Page 29: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym


Conclusions and final thoughts

Page 30: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Why Does This Approach Make Sense?

• Compare Apples to Apples

• Quantify results in a meaningful way to “C” executives

– Past results can be used to explain impact of new findings

– Can be simplified to a number from 1-10 or semaphore (green, yellow and red).

– Can be used for competitive analysis

• Harder to game CVSS

• CWE can be easily mapped to different taxonomies

Page 31: nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym


Thank You!