Web App Security I
Transcript of Web App Security I
A Guide for Your Presentation
• Goals
– In 2-3 sentences, state the goals
• Why is this paper interesting?
• Related Work
– Why is it different?
• Assumptions
– What are they?
– Are they realistic?
– What kind of environment do they represent?
• Basic concepts
– Key components that make it work
• Experiment
– What is the objective?
– What are the input/output parameters?
• Takeaway Slide
– How can it benefit listeners? Reusable concepts?
Example
• Title
– Phalanx: Withstanding Multimillion-Node Botnets
• Goal
– Defend against multimillion node botnets using indirectional infrastructure with a focus on deployability
• Why this paper is interesting
– Deployable DDoS defense is rare
– Multimillion node botnets are real threats
– Create a good “botnet” to fight against bad ones
Example (cont.)
• Related Work
– Low deployability since reliant on changes to “ossified” routers
– Have not considered botnets of this magnitude
• Assumptions
– The total resources of the good botnet are greater than those of multimillion node bad botnets
Example (cont.)
• Concepts
– Embed code in P2P clients, e.g., BitTorrent
– Accumulate P2P clients to form a good botnet
– P2P clients become indirectional infrastructure
– Protect the server from direct connectivity through ISP filtering
• Experiment
– …..
• Takeaway slide
– Limited ISP filtering at server locations seems deployable and effective
– Embed code in software with a large install base
Quick Check I
• What is SOX?
• What year was SOX introduced?
• Why was SOX introduced?
• Why is SOX the CSO’s best friend?
SOX: CSO’s Best Friend
Pre-SOX
CSO: I need money to secure our systems
CFO: Sorry, the money is for business expansion
Post-SOX
CFO: Our system security is secure, but here’s money to enhance it
CSO: No more begging
SOX Quick Facts
• With every quarterly report filed with the Securities and Exchange Commission (SEC), the CEO and CFO sign certifications that systems conform to the Sarbanes-Oxley Act (SOX)
• Under SOX, 600 corporate fraud convictions, involving more than 1,000 corporate executives
How can one ensure that the hundreds of different systems, each with different configurations and applications running, are secure?
Security Benchmark
CSO: We need a security scanner that finds known vulnerabilities
Vendor: We can scan for 35 DB vulnerabilities
Vendor: We can scan for buffer overflow on Supa-DB from ver 1 to 35
CSO: This is good for our Oracle DB
Quick Check II
• What is CVE?
• Who manages CVE?
• What is CVE used for?
• What else do they manage?
Measurable Security
• Making Security Measurable (MSM)
– Standardized enumeration
• Shared concepts (vulnerability / weakness descriptions)
– Language
• Find concepts
• Communicate concepts H2H, T2H, H2T, T2T (human-to-human, tool-to-human, human-to-tool, tool-to-tool)
– Repositories
• Sharing of information on concepts
– Uniformity of Adoption
• Branding programs to ensure conformance and interoperability
MSM
• Goal
– Facilitate the use of automation to assess, manage, and improve security
– Foster effective security process coordination across the adopting organizations
– Choice of tools and interoperability
MSM Efforts: http://measurablesecurity.mitre.org/
MSM: Contribution
• Info on standard concepts in a repository
• High-fidelity information transfer by using a standard language
• Interoperability with other systems
• Automated security with clearly defined standards and no lock-in to proprietary tools/concepts
MSM: Security Config & Mgmt
Courtesy of Robert Martin (MILCOM 2008)
MSM
• Capture how your organization has configured and set up a new system when it has been approved for use in your enterprise
• Make sure the new system continues to be configured the way it was approved
• Ensure that it remains secure in the face of new threats and vulnerabilities
Security Content Automation Protocol (SCAP)
Enumeration Evaluation Measuring Reporting Content
CVE ● ●
CCE ● ●
CPE ● ●
XCCDF ● ● ●
OVAL ● ●
CVSS ● ●
Courtesy of NIST 2007
Integrating IT and IT Security through SCAP
Asset Management, Vulnerability Management, Configuration Management
SCAP components: CVE, CPE, XCCDF, CCE, OVAL, CVSS
Courtesy of NIST 2007
CCE: unique configuration ID
XCCDF: collection of CCEs that apply to a CPE, with OVAL checks
CPE: unique platform ID
CVE: unique vulnerability ID
OVAL: rules to define CCE and CVE checks
CVSS: scoring system
CVE: Common Vulnerabilities and Exposures Enumeration
• What is it?
– A list of security vulnerabilities and exposures
• Goal
– Make it easier to share data across separate databases, tools, and services using a common ID
– Baseline for evaluating the coverage of your tools
Trivia
• Does CVE tell you how to fix the problem?
CVE Entry
• CVE identifier number
– E.g., "CVE-1999-0067"
• Status
– "entry" or "candidate"
• Brief description
– Description of the security vulnerability or exposure
• Any pertinent references
– Vulnerability reports and advisories, or an OVAL-ID
Example CVE Entry
• CVE ID
– CVE-2002-0649
• Status
– Candidate
• Description
– Multiple buffer overflows in the Resolution Service for Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000 (MSDE) allow remote attackers to cause a denial of service or execute arbitrary code via UDP packets to port 1434 …..
• References
– BUGTRAQ: 20030125 Fw: MS SQL WORM IS DESTROYING INTERNET
• URL: http://www.securityfocus.com/archive/1/archive/1/308321/30/26180/threaded
– MS: MS02-039
• URL: http://www.microsoft.com/technet/security/bulletin/ms02-039.asp
– CERT: CA-2002-22
• URL: http://www.cert.org/advisories/CA-2002-22.html
CVE Usage: Share Data (Vuln Scan and Repository)
Search/Retrieve info using CVE
Courtesy of http://www.securityfocus.com/infocus/1759
CVE Usage: Baseline for Comparison
• OpenVAS products are Free Software under the GNU GPL and a fork of Nessus
Baseline for comparison and tool selection
Courtesy of Laboratory for Systems and Systems, University of Zagreb
CPE: Common Platform Enumeration – Use Case
• A software inventory management product vendor uses CPE Names to tag data elements within their product's data model
• Enables their product to interoperate with different tools
CPE Specification
• Includes:
– Naming syntax for CPE Names
– Language for describing complex platforms
– Algorithm for matching
– XML schema for binding descriptive and diagnostic information to a name
CPE Naming Syntax
CPE Usage
• Represent the individual software products that exist on an end system
• Implies a relationship to the software product
– Configuration check
– Vulnerability check
– Patch check / Patch
– Configuration control change
CPE Example in CPE Dictionary
• CPE Dictionary:
– Official collection of CPE Names
– Binds descriptive prose and diagnostic tests to a CPE Name, e.g., an OVAL check
<cpe-item name="cpe:/a:microsoft:ie:7">
  <title>Microsoft Internet Explorer 7</title>
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="fdcc-ie7-cpe-oval.xml">oval:gov.nist.fdcc.ie7:def:627</check>
</cpe-item>
CPE Name: the name attribute, cpe:/a:microsoft:ie:7
Human readable description: the <title> element
OVAL Check: the <check> element; example registry check for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version
CPE Complex Platform Example
<cpe:platform id="456">
  <cpe:title>Sun Solaris 5.8 or 5.9 or 5.10</cpe:title>
  <cpe:logical-test operator="OR" negate="FALSE">
    <cpe:fact-ref name="cpe:/o:sun:solaris:5.8" />
    <cpe:fact-ref name="cpe:/o:sun:solaris:5.9" />
    <cpe:fact-ref name="cpe:/o:sun:solaris:5.10" />
  </cpe:logical-test>
</cpe:platform>
CPE Matching Example
• An OVAL definition in the CPE dictionary determines that the system consists of
– K = {"cpe:/o:microsoft:windows_2000::sp3:pro", "cpe:/a:microsoft:ie:5.5"}
• A security guidance checklist describes some guidance for Microsoft Windows 2000
– X = "cpe:/o:microsoft:windows_2000"
– Part = “o”, Vendor = “microsoft”, Product = “windows_2000”
• X matches K’s 1st member, so the guidance applies
CPE Complex Matching
• Two differences
– The rule to match X utilizes the CPE language
– Instead of matching any member in K, it needs to match all
K = {"cpe:/o:sun:sunos:5.9:::en-us", "cpe:/a:bea:weblogic:8.1"}
X =
<cpe:platform id="123">
  <cpe:title>Sun Solaris 5.8 or 5.9 with BEA Weblogic 8.1 installed</cpe:title>
  <cpe:logical-test operator="AND" negate="FALSE">
    <cpe:logical-test operator="OR" negate="FALSE">
      <cpe:fact-ref name="cpe:/o:sun:solaris:5.8" />
      <cpe:fact-ref name="cpe:/o:sun:solaris:5.9" />
    </cpe:logical-test>
    <cpe:fact-ref name="cpe:/a:bea:weblogic:8.1" />
  </cpe:logical-test>
</cpe:platform>
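The two matching slides above (simple name matching against K, and complex matching of a cpe:platform against K) can be exercised with the following script. It is an added example, not code from the slides or from MITRE; it assumes the CPE 2.2 rule that a name X matches a name K when every component X specifies equals the same component of K (components X leaves empty match anything), and it assumes the URI http://cpe.mitre.org/language/2.0 for the cpe: prefix, which the slide's XML fragment omits. Note that comparison is literal: the slide's K reports the OS as cpe:/o:sun:sunos:5.9 while the platform asks for cpe:/o:sun:solaris:5.8 or 5.9, so with K exactly as written the platform does not apply; a constructed inventory that reports "solaris" is included to show the matching case.

```python
import xml.etree.ElementTree as ET

# Namespace URI assumed for the cpe: prefix (CPE Language 2.x); the slides omit the xmlns declaration.
CPE_NS = "http://cpe.mitre.org/language/2.0"
COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(name):
    """Split a CPE 2.2 URI into its seven components; trailing components the
    name omits become empty strings, which match anything."""
    if not name.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    parts = name[len("cpe:/"):].split(":")
    if len(parts) > len(COMPONENTS):
        raise ValueError(f"too many components in {name!r}")
    parts += [""] * (len(COMPONENTS) - len(parts))
    return dict(zip(COMPONENTS, parts))


def name_matches(x, k):
    """CPE 2.2 name matching: X matches K when every component X specifies
    equals the same component of K. Spellings must agree exactly."""
    xc, kc = parse_cpe(x), parse_cpe(k)
    return all(xc[c] == "" or xc[c] == kc[c] for c in COMPONENTS)


def name_matches_any(x, known):
    """Simple matching: X applies if it matches at least one member of K."""
    return any(name_matches(x, k) for k in known)


def _evaluate(node, known):
    """Fold a cpe:logical-test / cpe:fact-ref tree to one boolean."""
    if node.tag == f"{{{CPE_NS}}}fact-ref":
        return name_matches_any(node.get("name"), known)
    if node.tag == f"{{{CPE_NS}}}logical-test":
        children = [_evaluate(child, known) for child in node]
        op = node.get("operator", "AND").upper()
        if op == "AND":
            result = all(children)
        elif op == "OR":
            result = any(children)
        else:
            raise ValueError(f"unsupported operator {op!r}")
        if node.get("negate", "FALSE").upper() == "TRUE":
            result = not result
        return result
    raise ValueError(f"unexpected element {node.tag}")


def platform_applies(platform_xml, known):
    """Complex matching: every cpe:logical-test under cpe:platform must hold
    against the set K of names found on the system."""
    root = ET.fromstring(platform_xml.strip())
    tests = [child for child in root if child.tag == f"{{{CPE_NS}}}logical-test"]
    if not tests:
        raise ValueError("platform element carries no logical-test")
    return all(_evaluate(test, known) for test in tests)


# Copy of the slide's platform 123, with the assumed xmlns declaration added.
PLATFORM_123 = """
<cpe:platform id="123" xmlns:cpe="http://cpe.mitre.org/language/2.0">
  <cpe:title>Sun Solaris 5.8 or 5.9 with BEA Weblogic 8.1 installed</cpe:title>
  <cpe:logical-test operator="AND" negate="FALSE">
    <cpe:logical-test operator="OR" negate="FALSE">
      <cpe:fact-ref name="cpe:/o:sun:solaris:5.8" />
      <cpe:fact-ref name="cpe:/o:sun:solaris:5.9" />
    </cpe:logical-test>
    <cpe:fact-ref name="cpe:/a:bea:weblogic:8.1" />
  </cpe:logical-test>
</cpe:platform>
"""

# K_SLIDE is the slide's inventory verbatim; K_SOLARIS is a constructed variant
# in which the OS is reported under the product name the platform uses.
K_SLIDE = {"cpe:/o:sun:sunos:5.9:::en-us", "cpe:/a:bea:weblogic:8.1"}
K_SOLARIS = {"cpe:/o:sun:solaris:5.9:::en-us", "cpe:/a:bea:weblogic:8.1"}

if __name__ == "__main__":
    win_k = {"cpe:/o:microsoft:windows_2000::sp3:pro", "cpe:/a:microsoft:ie:5.5"}
    print(name_matches_any("cpe:/o:microsoft:windows_2000", win_k))  # True
    print(platform_applies(PLATFORM_123, K_SLIDE))                    # False
    print(platform_applies(PLATFORM_123, K_SOLARIS))                  # True
```

The sunos/solaris mismatch is the practical point: a guidance rule only applies when the inventory tool and the checklist author spell vendor and product identically, which is why the CPE dictionary exists as the single source of official names.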
CPE: Functional vs. Technical
• CPE naming is based on a functional definition, NOT a technical definition
– Linux distro A with Apache ver. B
– Linux distro C with Apache ver. B
– Technically, the CPE name for Apache ver. B is the same
– Functionally, who should be providing the patch means the CPE name may be different
CPE: Issue with Scope (Unsupported Use)
• Network-based Discovery
– Assets discovered by scanning
– Partial info, so it needs to be categorized under functionality etc.
• Forensics Analysis / Software Architecture
– Lower granularity tagging
– dlls, hard disk clusters, stack
• IT Management
– Categorize assets based on functionality
CCE: Common Configuration Enumeration
• What is it?
– Unique IDs for configuration guidance statements and configuration controls
– Configuration guidance statement
• The "account lockout threshold" setting should be set to 3
– Configuration control
• The account policy settings, such as the account lockout threshold setting
• Goal
– Quickly correlate configuration data across multiple information sources and tools
CCE Entry
• CCE Identifier Number
– "CCE-2715-1"
• Description
– Description of the configuration issue
• Conceptual Parameters
– Parameters needed to implement a CCE
• Associated Technical Mechanisms
– Any given configuration issue has one or more ways to implement the desired result
• References
– Pointers to documents that have details of the configuration issue
CCE Windows Vista Platform Group Extract
CCE ID | CCE Description | CCE Parameters | CCE Technical Mechanisms
CCE-2715-1 | The "reset account lockout counter after" policy should meet minimum requirements. | (1) number of minutes | (1) defined by Local or Group Policy
CCE-2363-0 | The "account lockout duration" policy should meet minimum requirements. | (1) number of minutes | (1) defined by Local or Group Policy
CCE-3177-3 | The "account lockout threshold" policy should meet minimum requirements. | (1) number of attempts | (1) defined by Local or Group Policy
Extensible Configuration Checklist Description Format (XCCDF)
• Specification language for writing security checklists, benchmarks, etc.
• An XCCDF document represents:
– A structured collection of security configuration rules
– For some set of target systems
• Supports information interchange, automated compliance testing, and compliance scoring
XCCDF: Example
<Benchmark id="fdcc-ie-7" resolved="0" xml:lang="en" …>
  …
  <title>FDCC: Guidance for Securing Microsoft Internet Explorer 7 for IT Professionals</title>
  <description>This guide has been created to assist IT professionals in effectively securing systems with Microsoft Internet Explorer 7 installed.</description>
  …
  <Profile id="all_800_53" abstract="true">
    <title>800-53 All</title>
    …
    <select idref="CM-1" selected="true"/>
    <select idref="CM-2" selected="true"/>
    …
  </Profile>
Collection of checks
XCCDF: Example (cont.)
  <Profile id="federal_desktop_core_configuration_version_1.2.0.0" extends="all_800_53">
    <select idref="DisableAutomaticInstallOfIEComponents_LocalComputer" selected="true"/>
  </Profile>
  …
  <Group id="core-policy">
    …
    <Rule id="DisableAutomaticInstallOfIEComponents_LocalComputer" selected="false" weight="10.0">
      <title>Disable Automatic Install of Internet Explorer Components - Local Computer</title>
      …
      <requires idref="SI-3"/>
      <requires idref="SI-7"/>
      <ident system="http://cce.mitre.org">CCE-3518-8</ident>
      …
        <check-content-ref href="fdcc-ie7-oval.xml" name="oval:gov.nist.fdcc.ie7:def:1198"/>
      </check>
    </Rule>
Extending existing check collection
New check with CCE ID and corresponding OVAL check
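The profile mechanics in the two XCCDF slides above (a Rule that is selected="false" by default, an abstract base profile, and a derived profile that extends it and switches the rule on) are what a checklist tool resolves before it runs any OVAL check. The script below is an added example, not NIST's or the FDCC benchmark's own code: it takes a cut-down benchmark constructed from the slide's fragment, resolves a profile's extends chain, applies the <select> overrides base-first, and returns the rules that are effectively selected together with their weight and CCE identifier. It assumes the XCCDF 1.1 namespace http://checklists.nist.gov/xccdf/1.1; the group-level selected="false" and the rule "ExampleConstructedRule" are constructed to show that a rule only counts when every enclosing Group is selected too.

```python
import xml.etree.ElementTree as ET

# Namespace assumed for the FDCC-era benchmark (XCCDF 1.1).
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}


def _q(tag):
    return f"{{{XCCDF_NS}}}{tag}"


def profile_chain(root, profile_id):
    """Follow extends= from the requested Profile up to its base and return
    the chain base-first, so the more derived profiles are applied last."""
    profiles = {p.get("id"): p for p in root.findall("x:Profile", NS)}
    chain, current, seen = [], profile_id, set()
    while current is not None:
        if current not in profiles:
            raise KeyError(f"unknown profile {current!r}")
        if current in seen:
            raise ValueError(f"extends cycle at {current!r}")
        seen.add(current)
        chain.append(profiles[current])
        current = profiles[current].get("extends")
    return list(reversed(chain))


def resolve_profile(benchmark_xml, profile_id):
    """Return {rule_id: {"weight": float, "cce": [...]}} for the rules that are
    effectively selected once profile_id is applied to the benchmark."""
    root = ET.fromstring(benchmark_xml.strip())
    selected, items = {}, {}

    # 1. Defaults come from each Group/Rule's own selected= (true when absent).
    def walk(node, ancestors):
        for child in node:
            if child.tag in (_q("Group"), _q("Rule")):
                item_id = child.get("id")
                selected[item_id] = child.get("selected", "true").lower() == "true"
                items[item_id] = (child, ancestors)
                walk(child, ancestors + [item_id])

    walk(root, [])

    # 2. Apply <select> overrides, base profile first, requested profile last.
    for profile in profile_chain(root, profile_id):
        for sel in profile.findall("x:select", NS):
            idref = sel.get("idref")
            if idref not in selected:
                raise KeyError(f"select refers to unknown item {idref!r}")
            selected[idref] = sel.get("selected", "true").lower() == "true"

    # 3. A rule counts only if it and every enclosing Group are selected.
    result = {}
    for item_id, (element, ancestors) in items.items():
        if element.tag != _q("Rule"):
            continue
        if selected[item_id] and all(selected[a] for a in ancestors):
            idents = element.findall("x:ident", NS)
            result[item_id] = {
                "weight": float(element.get("weight", "1.0")),
                "cce": [i.text for i in idents if i.get("system") == "http://cce.mitre.org"],
            }
    return result


# Constructed benchmark modelled on the slide's fragment (elided parts filled
# with constructed content; the Group's selected="false" and the second Rule
# are constructed, not from the FDCC benchmark).
BENCHMARK_XML = """
<Benchmark id="fdcc-ie-7" resolved="0" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1">
  <title>FDCC: Guidance for Securing Microsoft Internet Explorer 7 for IT Professionals</title>
  <Profile id="all_800_53" abstract="true">
    <title>800-53 All</title>
    <select idref="core-policy" selected="true"/>
  </Profile>
  <Profile id="federal_desktop_core_configuration_version_1.2.0.0" extends="all_800_53">
    <title>FDCC 1.2.0.0</title>
    <select idref="DisableAutomaticInstallOfIEComponents_LocalComputer" selected="true"/>
  </Profile>
  <Group id="core-policy" selected="false">
    <title>Core policy</title>
    <Rule id="DisableAutomaticInstallOfIEComponents_LocalComputer" selected="false" weight="10.0">
      <title>Disable Automatic Install of Internet Explorer Components - Local Computer</title>
      <ident system="http://cce.mitre.org">CCE-3518-8</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="fdcc-ie7-oval.xml" name="oval:gov.nist.fdcc.ie7:def:1198"/>
      </check>
    </Rule>
    <Rule id="ExampleConstructedRule" selected="true" weight="5.0">
      <title>Constructed rule that is selected by default</title>
    </Rule>
  </Group>
</Benchmark>
"""

if __name__ == "__main__":
    for profile in ("all_800_53", "federal_desktop_core_configuration_version_1.2.0.0"):
        print(profile, sorted(resolve_profile(BENCHMARK_XML, profile)))
```

Under the abstract 800-53 profile only the constructed rule is active; under the FDCC profile both are, because the derived profile's <select> overrides the Rule's own selected="false". The weight and CCE ident carried out with each rule are what the compliance scoring and CCE correlation described on the earlier slides consume.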
XCCDF
Open Vulnerability and Assessment Language (OVAL)
• Goals
– Promote open and publicly available security content
– Standardize this information transfer across security tools and services
OVAL Components
• Language
– Standardizes 3 steps of the assessment process:
• Represent configuration information of systems for testing (System schema)
• Analyze the system for the presence of a specified machine state (vulnerability, configuration, patch state, etc.) (Definition schema)
• Report the results of this assessment (Results schema)
• Repository
– Collections of publicly available and open content that utilize the language
OVAL
• Why OVAL?
– No means to determine the existence of software vulnerabilities, configuration issues, programs, and/or patches in local systems
– Information was available as text-based descriptions of vulnerabilities, but laborious and error-prone to interpret
– Assessment tools do not reveal how they detect vulnerabilities, so false positives cannot be verified
OVAL ID
• oval:OrganizationDNSName:IDType:IDValue
– Organization DNS Name, e.g., ‘org.mitre.oval’
– ID Type: def – Definition, obj – Object, ste – State, tst – Test, or var – Variable
– ID Value: integer unique to the DNS name and ID Type pair that precedes it, e.g., oval:org.mitre.oval:def:1115 or oval:com.redhat.rhsa:def:20060742.
OVAL Definition Example: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1115
Metadata
Criteria for vulnerability
Checks for criteria
Check details
OVAL Definition XML
<metadata>
  <title>IE6,SP2 PNG Image Buffer Overflow</title>
  <affected family="windows">
    <platform>Microsoft Windows XP</platform>
    <product>Microsoft Internet Explorer</product>
  </affected>
  <reference source="CVE" ref_id="CVE-2005-1211" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1211"/>
  <description>
    Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file.
  </description>
  …
<criteria operator="AND">
  <criteria comment="Software section" operator="AND">
    <criterion comment="Internet Explorer 6.0 Installed XP SP2" negate="false" test_ref="oval:org.mitre.oval:tst:2403"/>
    <criterion comment="the version of mshtml.dll is less than 6.0.2900.2668" negate="false" test_ref="oval:org.mitre.oval:tst:1150"/>
    …
  </criteria>
  <criteria comment="Configuration section" operator="AND">
    <criterion comment="PNG image rendering enabled in Internet Explorer" negate="false" test_ref="oval:org.mitre.oval:tst:2749"/>
  </criteria>
</criteria>
…
<registry_test id="oval:org.mitre.oval:tst:2750" version="1" comment="the patch kb883939 is installed" check_existence="at_least_one_exists" check="at least one">
  <object object_ref="oval:org.mitre.oval:obj:1578"/>
  <state state_ref="oval:org.mitre.oval:ste:2571"/>
</registry_test>
…
<registry_object id="oval:org.mitre.oval:obj:1578" version="1">
  <hive>HKEY_LOCAL_MACHINE</hive>
  <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB883939</key>
  <name>Installed</name>
</registry_object>
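The OVAL ID slide and the definition XML above describe two things a results-processing tool has to do: validate the oval:Organization:Type:Value identifiers it is handed, and fold the <criteria> tree (AND/OR with per-node negate) over the outcomes of the referenced tests to decide whether the definition is true for a host. The script below is an added example, not MITRE's OVAL interpreter: it parses IDs with a regular expression built from the slide's format, evaluates the criteria copied from definition 1115 (elided lines removed), and runs them against two constructed sets of test outcomes, one for an unpatched host and one where the mshtml.dll version test already fails. Real OVAL results also carry "unknown" and "error" outcomes; this example deliberately handles only true/false and raises on anything it does not understand.

```python
import re
import xml.etree.ElementTree as ET

# The four ID types named on the OVAL ID slide plus "def" for definitions,
# which the slide's own examples (oval:org.mitre.oval:def:1115) use.
ID_TYPES = {"def": "definition", "obj": "object", "ste": "state", "tst": "test", "var": "variable"}
OVAL_ID = re.compile(r"^oval:(?P<org>[A-Za-z0-9_.\-]+):(?P<type>def|obj|ste|tst|var):(?P<value>\d+)$")


def parse_oval_id(oval_id):
    """Split oval:OrganizationDNSName:IDType:IDValue into its three fields."""
    m = OVAL_ID.match(oval_id)
    if m is None:
        raise ValueError(f"malformed OVAL id: {oval_id!r}")
    return {"organization": m["org"], "type": ID_TYPES[m["type"]], "value": int(m["value"])}


def evaluate_criteria(node, test_results):
    """Fold a <criteria>/<criterion> tree to one boolean. test_results maps a
    test id to the outcome (True/False) of running that test on the host."""
    if node.tag == "criterion":
        ref = node.get("test_ref")
        if parse_oval_id(ref)["type"] != "test":
            raise ValueError(f"criterion must reference a tst id, got {ref!r}")
        if ref not in test_results:
            raise KeyError(f"no result recorded for {ref}")
        result = test_results[ref]
    elif node.tag == "criteria":
        children = [evaluate_criteria(c, test_results) for c in node if c.tag in ("criteria", "criterion")]
        op = node.get("operator", "AND").upper()
        if op == "AND":
            result = all(children)
        elif op == "OR":
            result = any(children)
        else:
            raise ValueError(f"operator {op!r} not handled in this example")
    else:
        raise ValueError(f"unexpected element <{node.tag}>")
    # negate="true" inverts the result of this node only.
    if node.get("negate", "false").lower() == "true":
        result = not result
    return result


def definition_result(criteria_xml, test_results):
    """True when the definition's criteria hold, i.e. the host is in the
    described (vulnerable) state."""
    return evaluate_criteria(ET.fromstring(criteria_xml.strip()), test_results)


# Criteria copied from the slide's definition 1115, elided lines removed.
CRITERIA_1115 = """
<criteria operator="AND">
  <criteria comment="Software section" operator="AND">
    <criterion comment="Internet Explorer 6.0 Installed XP SP2" negate="false" test_ref="oval:org.mitre.oval:tst:2403"/>
    <criterion comment="the version of mshtml.dll is less than 6.0.2900.2668" negate="false" test_ref="oval:org.mitre.oval:tst:1150"/>
  </criteria>
  <criteria comment="Configuration section" operator="AND">
    <criterion comment="PNG image rendering enabled in Internet Explorer" negate="false" test_ref="oval:org.mitre.oval:tst:2749"/>
  </criteria>
</criteria>
"""

# Constructed test outcomes: an unpatched host, and one whose mshtml.dll is already new enough.
UNPATCHED = {
    "oval:org.mitre.oval:tst:2403": True,
    "oval:org.mitre.oval:tst:1150": True,
    "oval:org.mitre.oval:tst:2749": True,
}
PATCHED = dict(UNPATCHED, **{"oval:org.mitre.oval:tst:1150": False})

if __name__ == "__main__":
    print(parse_oval_id("oval:com.redhat.rhsa:def:20060742"))
    print(definition_result(CRITERIA_1115, UNPATCHED))  # True
    print(definition_result(CRITERIA_1115, PATCHED))    # False
```

Because every test outcome is visible, an analyst can trace exactly which criterion made the definition true, which is the "verify false positives" point made on the preceding OVAL slide.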
OVAL Results
Common Vulnerability Scoring System (CVSS)
• Vendor-agnostic, industry open standard to convey vulnerability severity and help determine urgency and priority of response
• Solves the problem of multiple, incompatible scoring systems
CVSS
• Derived from metrics and formulas
• Metrics are in three distinct categories and are quantitative or qualitative
– Base Metrics
• Qualities that are intrinsic and do not change over time or in different environments
– Temporal Metrics
• Characteristics which evolve over the lifetime of the vulnerability
– Environmental Metrics
• Characteristics which are tied to a specific user's environment.
CVSS Scoring Process
Severity
Urgency
Priority
Base Metrics
• Access Vector
– How remote an attacker can be to attack a target
• Local, Adjacent network, Network
• Access Complexity
– Complexity of the attack
• High: Specialized condition, e.g., race condition, rare configuration or social engineering
• Medium: Somewhat specialized
• Authentication
– Number of times authentication is needed in order to exploit the vulnerability
• CIA Impact
Temporal Metrics
• Exploitability
– How complex it is to exploit the vulnerability
• Unproven: No exploit code is yet available
• Proof of Concept: Proof of concept exploit code is available
• Remediation Level
– Level of an available solution
• Report Confidence
– Degree of confidence in the existence of the vulnerability and the credibility of its report
Environmental Metrics
• Collateral Damage Potential
– Potential for a loss of life or physical assets
• Target Distribution
– Percentage of vulnerable systems
• Security Requirements
– Customized depending on the criticality of the affected IT asset
• Greater weight to availability if an asset supports a business function