nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym
by Cassio Goldschmidt
Slide 1
nullcon Goa 2010 http://nullcon.net
Tracking the Progress of an SDL Program
- Cassio Goldschmidt
Slide 2
Who am I?
Cassio Goldschmidt
Sr. Manager, Product Security – Symantec
Education
MBA, USC
MS Software Engineering, SCU
BSCS, PUCRS
CSSLP, (ISC)2
When I’m not in the office…
Volleyball (Indoor, Beach)
Coding… for way too long!
Gym…
Slide 3
Typical Project Lifecycle
Slide 4
Slide 5
Exercise type: CWE
Slide 6
Number of reps: Number of findings
Slide 7
Exercise intensity: CVSS
Slide 8
Slide 9
Common Weakness Enumeration
Slide 10
Common Weakness Enumeration
What is it?
A common language for describing software security weaknesses
Maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS).
Hierarchical
Each individual CWE represents a single vulnerability type
Deeper levels of the tree provide a finer granularity
Higher levels provide a broad overview of a vulnerability
Slide 11
Common Weakness Enumeration
Portion of CWE structure
Slide 12
What data is available for each CWE?
Weakness description
Applicable platforms and programming languages
Common Consequences
Likelihood of Exploit
Coding Examples
Potential Mitigations
Related Attacks
Time of Introduction
Taxonomy Mapping
Link to CWE Page on XSS
Slide 13
How useful is this information?
Pie chart showing the frequency of CWEs found in penetration tests
Slide 14
Common Vulnerability Scoring System
Slide 15
Common Vulnerability Scoring System
What is it?
Score bands: 0.0...3.9 | 4.0...6.9 | 7.0...10
Slide 16
Common Vulnerability Scoring System
Base Vector

Exploitability metrics:

| Access Vector    | Access Complexity | Authentication     |
|------------------|-------------------|--------------------|
| Network          | High              | None               |
| Adjacent Network | Medium            | Single Instance    |
| Local            | Low               | Multiple Instances |
| Undefined        | Undefined         | Undefined          |

Impact metrics:

| Confidentiality | Integrity | Availability |
|-----------------|-----------|--------------|
| None            | None      | None         |
| Partial         | Partial   | Partial      |
| Complete        | Complete  | Complete     |
| Undefined       | Undefined | Undefined    |
Sample Score: 7.5
Sample Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Every CVSS score should be accompanied by the corresponding vector
Slide 17
Common Vulnerability Scoring System (CVSS)
The Calculator
Slide 18
Hands on Demo
Slide 19
```cpp
void CHTMLEngine::SetPost(CBufferedInput& buf, unsigned int length, string& multipart)
{
    m_post = true;
    if (length <= 0)                       // length is unsigned, so this only rejects 0
        return;
    char* pData = new char[length+1];      // length+1 wraps to 0 when length is UINT_MAX
    memset(pData, 0, length+1);

    // Read the POSTed data into a buffer
    int totalBytesRead = 0;
    int bytesRead = 0;
    while ( length-totalBytesRead > 0 ) {  // bound comes from the untrusted length, not the buffer
        bytesRead = buf.Read(pData+totalBytesRead, length-totalBytesRead);
        if ( bytesRead == -1 ) {
            DTRACE(1, "EOF error reading POSTed data.");
            break;
        }
        totalBytesRead += bytesRead;
    }
    m_post_data = pData;
    m_mp_boundary = multipart;
    delete [] pData;
}
```
What if I make length = -1?
new char[0] calls malloc(0) which succeeds!
Next, attacker-controlled data either overflows heap or crashes
Doesn’t quite work – length is unsigned
CWE and CVSS use in Practice
Code Review
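A hardened counterpart to the SetPost method shown above, added here as an example and not taken from the deck or the product it reviews: it rejects a declared length that cannot be allocated safely (the wrap-around case the demo walks through), sizes the buffer from the checked length, and never reads past it. FakeBufferedInput (a stand-in for CBufferedInput), kMaxPostLength and ReadPostData are names assumed for this example.

```cpp
#include <algorithm>
#include <cstring>
#include <string>
#include <vector>

// Stand-in for the slide's CBufferedInput (assumed for this example, not the
// original class): serves bytes from a constructed body, -1 once it is exhausted.
class FakeBufferedInput {
public:
    explicit FakeBufferedInput(const std::string& body) : body_(body) {}
    int Read(char* out, unsigned int want) {
        if (pos_ >= body_.size()) return -1;
        unsigned int n = std::min<unsigned int>(want, static_cast<unsigned int>(body_.size() - pos_));
        std::memcpy(out, body_.data() + pos_, n);
        pos_ += n;
        return static_cast<int>(n);
    }
private:
    std::string body_;
    size_t pos_ = 0;
};

// Largest POST body we are willing to buffer (assumed value for the example).
static const unsigned int kMaxPostLength = 1u << 20;

// Hardened counterpart of SetPost: rejects a declared length that cannot be
// allocated safely (the slide's wrap-around case, where length + 1 becomes 0),
// sizes the buffer from the checked length, and never reads past it.
bool ReadPostData(FakeBufferedInput& buf, unsigned int length, std::string& postData) {
    postData.clear();
    if (length == 0) return true;               // empty body is not an error
    if (length > kMaxPostLength) return false;  // also rules out length + 1 overflow
    std::vector<char> data(static_cast<size_t>(length) + 1, '\0');
    unsigned int total = 0;
    while (total < length) {
        int n = buf.Read(data.data() + total, length - total);
        if (n <= 0) return false;               // EOF before the declared length
        total += static_cast<unsigned int>(n);
    }
    postData.assign(data.data(), total);
    return true;
}

// Helper for the checks below: "ok:<body>" when accepted, "rejected" otherwise.
std::string TryPost(const std::string& body, unsigned int declaredLength) {
    FakeBufferedInput in(body);
    std::string out;
    return ReadPostData(in, declaredLength, out) ? "ok:" + out : "rejected";
}
```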
Slide 20
CWE and CVSS use in Practice
Code Review
Buffer Overflow
CWE: 119 CVSS 2: 7.6 CVSS 2 Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Slide 21
Training and Metrics
Slide 22
Training and Metrics
A special activity in the SDL
• Security training is what food is to a workout
• Same workout metrics do not apply
• Quality of your intake affects overall performance
• Staff needs ongoing training
Slide 23
Training and Metrics: Security Learning Process
Slide 24
Training and Metrics: Security Learning Process
Understand who the audience is
• Previous knowledge about secure coding and secure testing
• Programming languages in use
• Supported platforms
• Type of product
Slide 25
Training and Metrics: Security Learning Process
Train everyone involved in the SDL
• Developers: Secure Coding, Threat Model
• QA: Security Testing, Tools
• Managers: Secure Development Lifecycle (also known as Symmunize)
Slide 26
Training and Metrics: Security Learning Process
Quality Assurance - Capture the flag
• Use Beta software
• Approximately 3 hours long
• Top 3 finders receive prizes and are invited to explain to the rest of the group what techniques and tools they used to find the vulnerabilities
Slide 27
Training and Metrics: Security Learning Process
Post Class Survey
• Anonymous
• Metrics
  • Class content
  • Instructor knowledge
  • Exercises
Slide 28
Training and Metrics: Security awareness is more than training
Slide 29
Conclusions and final thoughts
Slide 30
Why This Approach Makes Sense
• Compare apples to apples
• Quantify results in a way that is meaningful to C-level executives
  – Past results can be used to explain the impact of new findings
  – Can be simplified to a number from 1-10 or a traffic-light status (green, yellow and red)
  – Can be used for competitive analysis
• Harder to game CVSS
• CWE can be easily mapped to different taxonomies
Slide 31
Thank You!