© Copyright 2013 Denim Group - All Rights Reserved
Running a Software Security Program on Open Source Tools
Dan Cornell
CTO, Denim Group
@danielcornell
My Background
•  Dan Cornell, founder and CTO of Denim Group
•  Software developer by background (Java, .NET, etc)
•  OWASP San Antonio
Denim Group Background
•  Secure software services and products company
–  Builds secure software
–  Helps organizations assess and mitigate risk of in-house developed and third party software
–  Provides classroom training and e-Learning so clients can build software securely
•  Software-centric view of application security
–  Application security experts are practicing developers
–  Development pedigree translates to rapport with development managers
–  Business impact: shorter time-to-fix application vulnerabilities
•  Culture of application security innovation and contribution
–  Develops open source tools to help clients mature their software security programs
•  Remediation Resource Center, ThreadFix
–  OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI
–  World class alliance partners accelerate innovation to solve client problems
Course Abstract
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachni, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.
Agenda
•  So You Want To Roll Out a Software Security Program?
•  Software Assurance Maturity Model (OpenSAMM)
•  Components Of Your Software Security Program
–  Governance
–  Construction
–  Verification
–  Deployment
•  Conclusions / Questions
So You Want To Roll Out a Software Security Program?
•  Great!
•  What a software security program ISN’T
–  Question: “What are you doing to address software security concerns?”
–  Answer: “We bought scanner XYZ”
•  What a software security program IS
–  People, process, tools (naturally)
–  Set of activities intended to repeatedly produce appropriately-secure software
Challenges Rolling Out Software Security Programs
•  Resources
–  Raw budget and cost issues
–  Level of effort issues
•  Resistance: requires organizational change
–  Apparently people hate this
•  Open source tools
–  Can help with raw budget issues
–  May exacerbate problems with level of effort
•  View the rollout as a multi-stage process
–  Not one magical effort
–  Use short-term successes and gains to fuel further change
Let’s Create the Class Virtual Machine
•  Get VirtualBox if you do not already have it
–  https://www.virtualbox.org/
•  Get the Ubuntu image if you do not already have it
–  http://www.ubuntu.com/
–  ubuntu-13.10-desktop-i386.iso
•  Run VirtualBox
•  Click “New”
Creating the VM
•  Name:
–  Whatever
–  I called mine “OWASP_Course”
•  Type: Linux
•  Version: Ubuntu
•  Memory Size:
–  I used 4096 MB
–  More is better. If you use less you might have issues
•  Hard Drive:
–  Create a virtual hard drive now
Creating the VM
•  Hard Drive File Type
–  Whatever
–  I used “VDI (VirtualBox Disk Image)”
•  Storage on Physical Hard Drive
–  Whatever
–  I used “Dynamically allocated”
•  File Location and Size:
–  I used “OWASP_Course”
–  I used 16 GB. More is better. (Default 8 GB is NOT enough)
Install the OS
•  Click “Start”
•  Select the Ubuntu ISO image
•  Select “Install Ubuntu”
•  Click “Download updates while installing”
•  Select “Erase disk and install Ubuntu”
Install the OS
•  Set your location and keyboard type
•  Enter user info
•  Wait
•  Reboot
•  Congratulations!
•  (Do yourself a favor and put a terminal icon on the launcher)
Software Assurance Maturity Model (OpenSAMM)
•  Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
•  Useful for:
–  Evaluating an organization’s existing software security practices
–  Building a balanced software security program in well-defined iterations
–  Demonstrating concrete improvements to a security assurance program
–  Defining and measuring security-related activities within an organization
•  Main website:
–  http://www.opensamm.org/
Using OpenSAMM You Can…
•  Evaluate an organization's existing software security practices
•  Build a balanced software security assurance program in well-defined iterations
•  Demonstrate concrete improvements to a security assurance program
•  Define and measure security-related activities throughout an organization
[This slide content © Pravir Chandra]
Review of Existing Secure SDLC Efforts
[This slide content © Pravir Chandra]
CLASP
•  Comprehensive, Lightweight Application Security Process
–  Centered around 7 AppSec Best Practices
–  Cover the entire software lifecycle (not just development)
•  Adaptable to any development process
–  Defines roles across the SDLC
–  24 role-based process components
–  Start small and dial-in to your needs
[This slide content © Pravir Chandra]
Microsoft SDL
•  Built internally for MS software
•  Extended and made public for others
•  MS-only versions since public release
[This slide content © Pravir Chandra]
Touchpoints
•  Gary McGraw's and Cigital's model
[This slide content © Pravir Chandra]
Lessons Learned
•  Microsoft SDL
–  Heavyweight, good for large ISVs
•  Touchpoints
–  High-level, not enough details to execute against
•  CLASP
–  Large collection of activities, but no priority ordering
•  ALL: Good for experts to use as a guide, but hard for non-security folks to use off the shelf
[This slide content © Pravir Chandra]
Drivers for a Maturity Model
•  An organization's behavior changes slowly over time
–  Changes must be iterative while working toward long-term goals
•  There is no single recipe that works for all organizations
–  A solution must enable risk-based choices tailored to the organization
•  Guidance related to security activities must be prescriptive
–  A solution must provide enough details for non-security people
•  Overall, must be simple, well-defined, and measurable
[This slide content © Pravir Chandra]
Therefore, a Viable Model Must...
•  Define building blocks for an assurance program
–  Delineate all functions within an organization that could be improved over time
•  Define how building blocks should be combined
–  Make creating change in iterations a no-brainer
•  Define details for each building block clearly
–  Clarify the security-relevant parts in a widely applicable way (for any org doing software dev)
[This slide content © Pravir Chandra]
Understanding the Model
[This slide content © Pravir Chandra]
SAMM Business Functions
•  Start with the core activities tied to any organization performing software development
•  Named generically, but should resonate with any developer or manager
[This slide content © Pravir Chandra]
SAMM Security Practices
•  From each of the Business Functions, 3 Security Practices are defined
•  The Security Practices cover all areas relevant to software security assurance
•  Each one is a silo for improvement
[This slide content © Pravir Chandra]
Under Each Security Practice
•  Three successive Objectives under each Practice define how it can be improved over time
–  This establishes a notion of a Level at which an organization fulfills a given Practice
•  The three Levels for a Practice generally correspond to:
–  (0: Implicit starting point with the Practice unfulfilled)
–  1: Initial understanding and ad hoc provision of the Practice
–  2: Increase efficiency and/or effectiveness of the Practice
–  3: Comprehensive mastery of the Practice at scale
[This slide content © Pravir Chandra]
Check Out This One...
[This slide content © Pravir Chandra]
Per Level, SAMM Defines...
•  Objective
•  Activities
•  Results
•  Success Metrics
•  Costs
•  Personnel
•  Related Levels
[This slide content © Pravir Chandra]
Approach to Iterative Improvement
•  Since the twelve Practices are each a maturity area, the successive Objectives represent the building blocks for any assurance program
•  Simply put, improve an assurance program in phases by:
1. Select security Practices to improve in next phase of assurance program
2. Achieve the next Objective in each Practice by performing the corresponding Activities at the specified Success Metrics
[This slide content © Pravir Chandra]
Applying the Model
[This slide content © Pravir Chandra]
Conducting Assessments
•  SAMM includes assessment worksheets for each Security Practice
[This slide content © Pravir Chandra]
Assessment Process
•  Supports both lightweight and detailed assessments
•  Organizations may fall in between levels (+)
[This slide content © Pravir Chandra]
Creating Scorecards
•  Gap analysis
–  Capturing scores from detailed assessments versus expected performance levels
•  Demonstrating improvement
–  Capturing scores from before and after an iteration of assurance program build-out
•  Ongoing measurement
–  Capturing scores over consistent time frames for an assurance program that is already in place
[This slide content © Pravir Chandra]
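The phased improvement approach and the scorecard uses described in the slides above (gap analysis and before/after improvement), as an added example that is not part of the original slides or the OpenSAMM project: a small Java scorecard over the twelve SAMM 1.0 Security Practices. It assumes a "+" in-between score counts as half a level, and every assessment value in it is constructed sample data.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not from the slides or the OpenSAMM project: a gap-analysis
 * scorecard over the twelve SAMM 1.0 Security Practices. Scores use the SAMM
 * convention of levels 0..3; a trailing "+" marks an organization sitting between
 * two levels and is counted here as half a level (this example's own assumption).
 */
public class SammScorecard {

    /** Business Function -> its three Security Practices, as named in SAMM 1.0. */
    static final Map<String, String[]> PRACTICES = new LinkedHashMap<String, String[]>();
    static {
        PRACTICES.put("Governance",
            new String[] {"Strategy & Metrics", "Policy & Compliance", "Education & Guidance"});
        PRACTICES.put("Construction",
            new String[] {"Threat Assessment", "Security Requirements", "Secure Architecture"});
        PRACTICES.put("Verification",
            new String[] {"Design Review", "Code Review", "Security Testing"});
        PRACTICES.put("Deployment",
            new String[] {"Vulnerability Management", "Environment Hardening", "Operational Enablement"});
    }

    /** Parse "0", "1+" or "3" into a numeric level; anything outside the model is rejected. */
    static double parseLevel(String score) {
        String s = score.trim();
        boolean plus = s.endsWith("+");
        if (plus) {
            s = s.substring(0, s.length() - 1);
        }
        int level = Integer.parseInt(s);
        if (level < 0 || level > 3 || (plus && level == 3)) {
            throw new IllegalArgumentException("not a SAMM level: " + score);
        }
        return level + (plus ? 0.5 : 0.0);
    }

    /** Level of a practice in an assessment; an unassessed practice is the implicit level 0. */
    static double level(Map<String, String> assessment, String practice) {
        String score = assessment.get(practice);
        return score == null ? 0.0 : parseLevel(score);
    }

    /** Gap analysis: how far each assessed score sits below the next-phase target (0 if met). */
    static Map<String, Double> gaps(Map<String, String> assessed, Map<String, String> target) {
        Map<String, Double> result = new LinkedHashMap<String, Double>();
        for (String[] practices : PRACTICES.values()) {
            for (String p : practices) {
                result.put(p, Math.max(0.0, level(target, p) - level(assessed, p)));
            }
        }
        return result;
    }

    /** Demonstrating improvement: level change per practice between two assessments. */
    static Map<String, Double> improvement(Map<String, String> before, Map<String, String> after) {
        Map<String, Double> result = new LinkedHashMap<String, Double>();
        for (String[] practices : PRACTICES.values()) {
            for (String p : practices) {
                result.put(p, level(after, p) - level(before, p));
            }
        }
        return result;
    }

    static void printNonZero(String heading, Map<String, Double> rows) {
        System.out.println(heading);
        for (Map.Entry<String, Double> e : rows.entrySet()) {
            if (e.getValue() != 0.0) {
                System.out.printf("  %-26s %+.1f%n", e.getKey(), e.getValue());
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a lightweight assessment before an iteration, the target
        // chosen for the next phase, and the re-assessment afterwards.
        Map<String, String> before = new LinkedHashMap<String, String>();
        before.put("Strategy & Metrics", "0+");
        before.put("Education & Guidance", "1");
        before.put("Code Review", "1");
        before.put("Security Testing", "1+");
        before.put("Vulnerability Management", "1");

        Map<String, String> target = new LinkedHashMap<String, String>(before);
        target.put("Strategy & Metrics", "1");
        target.put("Education & Guidance", "2");
        target.put("Security Testing", "2");
        target.put("Vulnerability Management", "2");

        Map<String, String> after = new LinkedHashMap<String, String>(before);
        after.put("Strategy & Metrics", "1");
        after.put("Education & Guidance", "2");
        after.put("Security Testing", "2");

        printNonZero("Gap to next phase (before iteration):", gaps(before, target));
        printNonZero("Improvement after the iteration:", improvement(before, after));
        printNonZero("Still open after the iteration:", gaps(after, target));
    }
}
```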
Roadmap Templates
•  To make the building blocks usable, SAMM defines Roadmap templates for typical kinds of organizations
–  Independent Software Vendors
–  Online Service Providers
–  Financial Services Organizations
–  Government Organizations
•  Organization types chosen because
–  They represent common use-cases
–  Each organization has variations in typical software-induced risk
–  Optimal creation of an assurance program is different for each
[This slide content © Pravir Chandra]
Building Assurance Programs
[This slide content © Pravir Chandra]
Case Studies
•  A full walkthrough with prose explanations of decision-making as an organization improves
•  Each Phase described in detail
–  Organizational constraints
–  Build/buy choices
•  One case study exists today, several more in progress using industry partners
[This slide content © Pravir Chandra]
Exploring the Model's Levels and Activities
[This slide content © Pravir Chandra]
The SAMM 1.0 release
[This slide content © Pravir Chandra]
SAMM and the Real World
[This slide content © Pravir Chandra]
SAMM History
•  Beta released August 2008
–  1.0 released March 2009
•  Originally funded by Fortify
–  Still actively involved and using this model
•  Released under a Creative Commons Attribution Share-Alike license
•  Donated to OWASP and is currently an OWASP project
[This slide content © Pravir Chandra]
Expert Contributions
•  Built based on collected experiences with 100s of organizations
–  Including security experts, developers, architects, development managers, IT managers
[This slide content © Pravir Chandra]
Industry Support
•  Several more case studies underway
[This slide content © Pravir Chandra]
The OpenSAMM Project
•  http://www.opensamm.org
•  Dedicated to defining, improving, and testing the SAMM framework
•  Always vendor-neutral, but lots of industry participation
–  Open and community driven
•  Targeting new releases every 6-12 months
•  Change management process
–  SAMM Enhancement Proposals (SEP)
[This slide content © Pravir Chandra]
OpenSAMM Resources
•  Nick Coblentz - SAMM Assessment Interview Template (xls/googledoc)
•  Christian Frichot - SAMM Assessment Spreadsheet (xls)
•  Colin Watson - Roadmap Chart Template (xls)
•  Jim Weiler - MS Project Plan Template (mpp)
•  Denim Group – ThreadFix (web application)
[This slide content © Pravir Chandra]
Quick Recap on Using SAMM
•  Evaluate an organization's existing software security practices
•  Build a balanced software security assurance program in well-defined iterations
•  Demonstrate concrete improvements to a security assurance program
•  Define and measure security-related activities throughout an organization
[This slide content © Pravir Chandra]
Discussion: Tools
•  Commercial tools in use?
•  Free / open source tools in use?
•  What tool implementations have been successful?
•  What tool implementations have been less successful?
•  Why?
•  What is your interest in using open source tools for software security?
Why Use Free / Open Source Tools?
•  They’re FREE!
–  No per-user license fees
•  Can be customized
–  Don’t like the way a feature works – improve it!
•  Community support
–  Not a tremendous amount of public resources for commercial tools
Potential Disadvantages of Free Tools
•  Often less mature than commercial analogs
–  Application and software security are new when compared to other disciplines
–  Open source tools lag in a number of areas
•  Task-focused rather than program-focused
–  Geared toward testing a single application rather than a portfolio of applications
Discussion: Organizational Concerns
•  Does your organization allow the use of open source tools?
•  What restrictions are placed on the use of free / open source tools?
–  Only certain licenses allowed
–  Each tool / library must have a sponsor
Open Source Tool Usage – Best Practices
•  Reach out to the project lead / development community
–  How responsive are they?
–  Good to have a relationship for escalating issues
•  Consider commercial support
–  If available
–  When it makes sense
•  Give back
–  Installation instructions for your platform(s)
–  Other documentation opportunities
–  Code updates – if possible / desirable
ThreadFix - Overview
•  ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
•  Freely available under the Mozilla Public License (MPL)
•  Hosted at Google Code: http://code.google.com/p/threadfix/
ThreadFix - Installation
•  2.0M1 Available as ZIP archive
–  Including ThreadFix, Apache Tomcat and HSQL database
–  Designed for easy installation
–  Limited performance and capacity
•  1.2 Available as a pre-installed Linux VM
–  Including ThreadFix, Apache Tomcat and MySQL database
–  Can also be custom-installed
ThreadFix - Installation
•  Pre-requisites (for your xubuntu VM)
–  Java 1.7 JRE installed via:
•  sudo apt-get install openjdk-7-jre
•  java -version
•  Instructions (from ~/Desktop/WorkingDir):
–  Unzip ThreadFix
•  unzip ~/Downloads/ThreadFix_2_0M1.zip
–  Make threadfix.sh executable
•  cd ThreadFix
•  chmod u+x threadfix.sh
–  Set JAVA_HOME environment variable
•  export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-i386
–  Run ThreadFix
•  ./threadfix.sh start
–  Open ThreadFix via browser
•  Navigate to https://localhost:8443/threadfix (you will have to confirm the HTTPS exception)
ThreadFix – Usage (The Basics)
•  Create a Team
–  Login with credentials “user” and “password”
–  Click “Get started” link
–  Create a Team called “My Team”
•  Create an Application
–  Click “Add Application”
–  Create an Application called “My Application”
–  Use URL http://www.myapp.com/ and criticality “Low”
–  Don’t worry about “Defect Tracker” or “WAF” right now
•  Upload a Scan for the Application
–  Click “Upload Scan”
–  Upload file WorkingDir/ThreadFix/test-scans/w3af-demo-site.xml
OpenSAMM: Governance
•  Strategy and Metrics
•  Policy and Compliance
•  Education and Guidance
Governance: Strategy and Metrics
•  Overall strategic direction of the assurance program
•  How are processes instrumented?
•  How are measurements taken?
ThreadFix: Reporting
•  Can be done at multiple levels:
–  Enterprise-wide
–  Team
–  Individual application
•  Reports for:
–  Vulnerability count trending
–  Progress – vulnerability resolution and timelines
–  Scanner effectiveness
–  Frequency of scanning across the portfolio
•  Will revisit ThreadFix reporting later in the course for examples
Governance: Policy and Compliance
•  What compliance regimes are your organizations and applications subject to?
–  PCI
–  HIPAA
–  SOX
•  What policies will you put in place to meet these obligations?
Governance: Education and Guidance
•  Software security requires the input of a variety of stakeholders
•  Software security is a relatively new area of study
–  Many of the involved parties (e.g. software developers) have never been exposed to it
•  You cannot hold people responsible if they have not been properly trained
Governance: Education and Guidance
•  Variety of potential consumers
–  Executives / Management
–  Developers
–  Quality Assurance (QA)
–  Security Testers
•  Need for information at several levels
–  Introduction / overview
–  Topic-specific
–  Technology-specific
•  Several ways to deliver guidance and training
–  Self-serve portal
–  Instructor-led training
–  E-Learning
OWASP Development Guide
•  Provides guidance to developers on how to build secure applications
•  Attempts to cover broad topics with some technology-specific examples
•  Several translations: English, Spanish, Japanese
•  Originally released in 2001, revised in 2005
–  Somewhat dated
•  Currently undergoing a significant rewrite
•  Main site: https://www.owasp.org/index.php/OWASP_Guide_Project
OWASP Cheat Sheets
•  Provide targeted, consumable guidance on specific topics or technologies
–  Authentication
–  Transport layer protection
–  Input validation
–  Session management
–  And so on…
•  Tend to be “fresher” than the related sections in the Development Guide
–  Also easier to provide to developers for use
•  Main site: https://www.owasp.org/index.php/Cheat_Sheets
OWASP Secure Coding Practices Quick Reference Guide
•  Technology agnostic set of general software security coding practices
•  Consumable
–  ~17 pages long
–  Checklist format
•  Main site: https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
OWASP Secure Coding Practices Quick Reference Guide
•  Covered topics:
–  Input validation
–  Output encoding
–  Authentication and password management
–  Session management
–  Access control
–  Cryptographic practices
–  Error handling and logging
–  Data protection
–  Communication security
–  Database security
–  File management
–  Memory management
–  General coding practices
OWASP WebGoat - Overview
•  Deliberately insecure JEE web application
•  Presented as a series of lessons
–  SQL injection
–  Cross-site Scripting (XSS)
–  Cross-site Request Forgery (CSRF)
–  Hidden form manipulation
–  And so on…
•  Main site: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
OWASP WebGoat - Installation
•  Available as a self-contained ZIP archive
–  WebGoat, Apache Tomcat
•  Instructions (from ~/Desktop/WorkingDir):
–  Unzip WebGoat
•  unzip ~/Downloads/WebGoat-5.4-OWASP_Standard_Win32.zip
–  Make webgoat.sh executable
•  cd WebGoat-5.4/
•  chmod u+x webgoat.sh
–  Make one tiny little cheating change in webgoat.sh
•  Delete lines 20 and 24 to short-circuit the JVM version checking
–  Run WebGoat
•  ./webgoat.sh start8080
•  Could also run “./webgoat.sh start80” to start on port 80
–  Navigate to http://localhost:8080/WebGoat/attack (case matters)
OWASP WebGoat - Usage
•  WebGoat consists of different “lessons” to be passed
–  Each demonstrates a vulnerability or some other aspect of web application security
•  Hints – Show hints about how to solve the lesson
•  Show Params – Toggle rendering request parameters in the page
•  Show Cookies – Toggle rendering request cookies in the page
•  Lesson Plan – Explain the purpose of the lesson
•  Show Java – Show the Java source code of the lesson in a window
•  Solution – Show the solution to the lesson in a window
WebGoat - Example
•  Navigate to General -> Http Basics
•  Click on:
–  Hints
–  Show Params
–  Show Cookies
–  Lesson Plan
–  Show Java
–  Solution
•  Enter your name in the field and click “Go!”
•  Navigate to Admin Functions -> Report Card
–  Shows lessons completed, hints used
wavsep - Overview
•  Web Application Vulnerability Scanner Evaluation Project (wavsep)
•  “A vulnerable web application designed to help assessing the features, quality and accuracy of web application vulnerability scanners. This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners”
•  Used for many benchmarks.
•  Check out http://sectooladdict.blogspot.co.il/2012/07/2012-web-application-scanner-benchmark.html
•  Main site: http://code.google.com/p/wavsep/
wavsep - Installation
•  Install MySQL (wavsep uses it as its database)
–  sudo apt-get install mysql-server
•  Install wavsep
–  unzip wavsep-v1.2-war-linux.zip
–  Copy wavsep.war into WebGoat-5.4/tomcat/webapps/ directory
–  http://localhost:8080/wavsep/wavsep-install/install.jsp
wavsep - Usage
•  Navigate your browser to http://localhost:8080/wavsep/
•  Run scanners against the various subdirectories / URLs
–  There are no actual links to /wavsep/index-active.jsp and /wavsep/index-passive.jsp
–  You will need to let the scanners know they are there
OpenSAMM: Construction
•  Threat Assessment
•  Security Requirements
•  Secure Architecture
Construction: Threat Assessment
•  Identify and characterize potential attacks
•  These will determine investment level and required countermeasures
•  WHO do you need to be worried about?
–  Nation-states
–  Chaotic actors
–  Organized crime
–  And so on…
Construction: Security Requirements
•  Up-front determination of required security properties of the system
•  Drive future activities
Construction: Secure Architecture
•  Use the design process to:
–  Build in security controls
–  Avoid injecting security issues
•  Threat modeling
•  Architectural risk analysis
ESAPI - Overview
•  Enterprise Security API (ESAPI)
•  Open source web application security control library
•  Several languages available: JavaEE, .NET, PHP, Classic ASP, etc
–  WIDE variation in maturity and support
–  Stick to Java unless you are very brave (and even then)
•  Main site: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
ESAPI – Installation (Java)
•  Instructions (from ~/Desktop/WorkingDir):
–  Create a container directory and relocate there
•  mkdir ESAPI
•  cd ESAPI
–  Unpack
•  tar xzvf ~/Downloads/esapi-2.0.1-dist.tar.gz
–  To use in a project, copy the ESAPI JAR and its supporting JARs into your lib/ directory
•  You might not need servlet-api-2.4.jar if your project already contains those classes
–  Set up ESAPI.properties file
•  Logging configuration
•  Encryption master keys
•  See documentation/esapi4java-core-2.0-install-guide.pdf
–  Use in specific build systems and development environments
–  Step-by-step instructions
Exercise: Fixing XSS Vulnerabilities with ESAPI
•  To Use:
–  Follow the installation guide
–  Must create a folder (.esapi) to store your configuration and preferences
•  Get access to library:
–  Add all the support jars (31) to your project
–  Remove repeated jars
–  Add esapi-2.0_rc10.jar to your project
–  In JSP page: <%@ page import="org.owasp.esapi.ESAPI, org.owasp.esapi.Encoder" %>
•  Make calls to encode tainted data:
–  ESAPI.encoder().encodeForHTML()
–  ESAPI.encoder().encodeForHTMLAttribute()
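The fix this exercise asks for, as an added example in plain Java rather than a JSP (not code from the slides or the ESAPI project): the same page fragment built with tainted input concatenated straight into HTML, and then through the ESAPI Encoder with the encoder that matches each output context. It assumes the ESAPI JAR and its dependencies are on the classpath and that ESAPI.properties is reachable, for example from the .esapi folder the slide mentions.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

/**
 * Added example, not from the slides or the ESAPI project: a greeting fragment
 * rendered twice, first unencoded (the defect the exercise fixes) and then
 * through ESAPI's context-specific encoders.
 * Assumes the ESAPI JAR and its supporting JARs are on the classpath and that
 * ESAPI.properties is reachable (e.g. in the .esapi folder).
 */
public class GreetingRenderer {

    /** Before: the user-controlled name lands in element text and in an attribute unencoded. */
    public static String renderUnsafe(String name) {
        return "<p>Hello, " + name + "!</p>\n"
             + "<input type=\"text\" name=\"name\" value=\"" + name + "\">";
    }

    /**
     * After: element text and attribute values are different HTML contexts, so each
     * gets its own encoder. Encoding is applied at the point of output, not on the
     * way in, so the stored value stays usable for other sinks (logs, database, JSON).
     */
    public static String renderSafe(String name) {
        Encoder enc = ESAPI.encoder();
        return "<p>Hello, " + enc.encodeForHTML(name) + "!</p>\n"
             + "<input type=\"text\" name=\"name\" value=\""
             + enc.encodeForHTMLAttribute(name) + "\">";
    }

    /**
     * Values that may arrive URL- or entity-encoded should be canonicalized before
     * they are validated or encoded; ESAPI's canonicalize() reduces them to one plain
     * form and, depending on ESAPI.properties, rejects double or mixed encoding.
     */
    public static String renderSafeCanonical(String rawName) {
        Encoder enc = ESAPI.encoder();
        String name = enc.canonicalize(rawName); // may throw IntrusionException
        return renderSafe(name);
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign name, an element-text breakout, an attribute breakout.
        String[] samples = {
            "Dan",
            "<script>alert(1)</script>",
            "\" onmouseover=\"alert(1)"
        };
        for (String s : samples) {
            System.out.println("--- input: " + s);
            System.out.println("unsafe:\n" + renderUnsafe(s));
            System.out.println("safe:\n" + renderSafe(s));
        }
    }
}
```

Run it with the ESAPI JARs on the classpath and compare the two renderings for each input; the encoded output is what the JSP should emit in place of the raw request parameter.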
ESAPI – Possible Challenges (Java)
•  ESAPI Java has a LOT of dependencies (~30 JARs)
•  Can cause configuration management and licensing issues for some organizations
•  Potential versioning issues
Microsoft Web Protection Library - Overview
•  Set of .NET assemblies which help protect web applications
•  AntiXSS encoding library
–  Encoding functions for HTML, HTML attributes, XML, etc
•  HTML sanitization routines (for “safely” accepting rich content)
•  Security Runtime Engine (SRE)
–  Provides runtime protection against SQL injection and Cross-Site Scripting (XSS)
•  Sites:
–  http://wpl.codeplex.com/
–  https://www.microsoft.com/en-us/download/details.aspx?id=28589
Microsoft Web Protection Library - Cautions
•  A security vulnerability was identified in the 4.0 release
•  There have been complaints about the HTML sanitization in the 4.2.1 release being broken with little follow-up from Microsoft
•  Older (WPL 4.0) binaries should be available from
http://ajaxcontroltoolkit.codeplex.com/releases/view/76976
Microsoft Web Protection Library - Installation
•  Run the MSI installer
•  To use:
–  Import reference to AntiXSS.dll (optionally include HtmlSanitizationLibrary.dll)
•  Found in C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.0
–  Get access to library:
•  In code:
–  using Microsoft.Security.Application;
•  In ASPX page:
–  <%@ Import Namespace="Microsoft.Security.Application" %>
–  Make call to encode tainted data:
•  AntiXss.HtmlEncode()
•  AntiXss.HtmlAttributeEncode()
•  And so on…
OpenSAMM: Verification
•  Design Review
•  Code Review
•  Security Testing
Application Security Assessments
•  The challenges and goals of an assessment
•  What an assessment must accomplish
•  The assessment approach
–  Identification
–  Baseline Review and Testing
–  Threat Identification
–  Targeted Review and Testing
–  Reporting
The Challenges and Goals of Software Assessments
•  Identify the application’s vulnerabilities and the risks they entail
•  Provide the greatest value for the time spent
•  Provide application owners with detailed vulnerability reports and remediation recommendations
–  Provide actionable reports to the application team
How Assessors can Support Those Goals
•  Strategic Message
–  The assessments must be conducted efficiently, with the majority of the time spent on performing the assessments. This will increase the coverage of the assessments and the depth and quality of the product delivered to the application owners. Scheduling and preparation of assessments should be conducted in an almost production-line approach.
•  Testing must...
–  Be integral to the development team’s own ongoing efforts
–  Cover the “breadth” and “depth” of the functionality
–  Reflect experience with the technology and business
•  Reporting must…
–  Clearly communicate risk, both business and technical
–  Allow trouble-free integration with the business strategic assets
–  Guide and justify remediation efforts
The Output of an Assessment Engagement Should…
•  Summarize vulnerability discoveries and known risk
•  Provide adequate detail about discovered vulnerabilities
–  Where in the application behavior or code the vulnerability resides
–  The implied security risk
–  Any mitigating factors for exploitation
•  Requires high-level credentials to exploit
•  Requires social engineering to exploit
•  etc.
•  Rate the vulnerabilities to help prioritize remediation
–  DREAD works well for this as it accounts for damage potential, reproducibility, affected users, etc.
•  Provide remediation criteria and recommended approaches
The General Assessment Approach
•  Identification
–  Help identify what applications have highest priority to assess
•  Preparation
–  Obtain requisite code and/or access
•  Threat Modeling
–  Data flow, functional security, abuse cases
•  Baseline Review and Testing
–  Account for risks inherent to the technology and common features
–  Commercial scanning tools with manual auditing
•  Targeted Testing
–  Account for identified threats, data flow, abuse cases
–  Follow up with suspect behavior in the baseline review and testing
•  Reporting
–  Rate vulnerabilities
–  Provide remediation recommendations
Verification: Design Review
•  Incorporate security into review of architecture/design materials
•  Were the previous assurance activities successful?
Microsoft Threat Analysis and Modeling Tool - Overview
•  Create threat models for your applications
•  Identify potential issues
•  Plan for mitigations
•  Requires Visio 2007 or 2010
•  Main site:
http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx
Microsoft Threat Analysis and Modeling Tool - Installation
•  Run ThreatModelingToolSetup318.msi
•  Software should be installed to C:\Program Files\Microsoft\SDL Threat Modeling Tool
Microsoft Threat Analysis and Modeling Tool - Example
•  Create a Threat Model for a mobile application
Approaches for Identifying Threats
•  Use Cases for Business
–  Useful for identifying flaws with specific application features
•  Data Flow for Architecture
–  What threats can we identify looking at the application’s data flow?
–  The whole system’s data stores, services, processes, etc.
–  The interaction among those components
•  Functional Security
–  Here are the security features. How could an attacker defeat them?
•  Attacker’s Goals for Threat Trees
–  If you are an attacker, what would you want to accomplish?
–  How would you go about achieving the malicious goal?
–  Useful for identifying any erroneous security assumptions
•  No one approach is perfect – these are essentially brainstorming techniques
Mapping Threats to Data Flow Asset Types
Threat	
  Type	
   External	
  
Interactor	
  
Process	
   Data	
  Flow	
   Data	
  Store	
  
S	
  –	
  Spoofing	
   Yes	
   Yes	
  
T	
  –	
  Tampering	
   Yes	
   Yes	
   Yes	
  
R	
  –	
  Repudia4on	
   Yes	
   Yes	
   Yes	
  
I	
  –	
  Informa4on	
  Disclosure	
   Yes	
   Yes	
   Yes	
  
D	
  –	
  Denial	
  of	
  Service	
   Yes	
   Yes	
   Yes	
  
E	
  –	
  Eleva4on	
  of	
  Privilege	
   Yes	
  
Typical Mobile Threats
•  Spoofing: Users to the Mobile Application
•  Spoofing: Web Services to Mobile Application
•  Tampering: Mobile Application
•  Tampering: Device Data Stores
•  Disclosure: Device Data Stores or Residual Data
•  Disclosure: Mobile Application to Web Service
•  Denial of Service: Mobile Application
•  Elevation of Privilege: Mobile Application or Web Services
[Diagram: data flow among User, Local App Storage, Mobile Application, Mobile Web Services, Device Keychain and Main Site Pages]
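The mapping table and the mobile-application data flow on the preceding slides, worked through as an added example (this is not part of the deck and not the Microsoft tool's output). The STRIDE-per-element mapping is the standard one from the table above; the DFD is reconstructed from the diagrams on these slides; the trust zones ("outside", "device", "server") are an assumption of this example, used to flag the flows that cross a trust boundary and so deserve the first look during targeted testing.

```python
"""Enumerate candidate STRIDE threats from a data-flow diagram (DFD).

Added example; not part of the deck or of the Microsoft tool. The trust
zones are an assumption used to flag boundary-crossing flows.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# STRIDE categories that apply to each DFD element type (the mapping table above)
STRIDE_BY_ELEMENT: Dict[str, Tuple[str, ...]] = {
    "external_interactor": ("Spoofing", "Repudiation"),
    "process": ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
                "Denial of Service", "Elevation of Privilege"),
    "data_flow": ("Tampering", "Information Disclosure", "Denial of Service"),
    "data_store": ("Tampering", "Repudiation", "Information Disclosure",
                   "Denial of Service"),
}


@dataclass
class Dfd:
    """elements: name -> (element type, trust zone); flows: (source, destination)."""
    elements: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    flows: List[Tuple[str, str]] = field(default_factory=list)

    def add(self, name: str, kind: str, zone: str) -> None:
        if kind not in STRIDE_BY_ELEMENT or kind == "data_flow":
            raise ValueError("unknown element type: %s" % kind)
        self.elements[name] = (kind, zone)

    def flow(self, src: str, dst: str) -> None:
        for name in (src, dst):
            if name not in self.elements:
                raise KeyError("undefined element: %s" % name)
        self.flows.append((src, dst))

    def crosses_boundary(self, src: str, dst: str) -> bool:
        return self.elements[src][1] != self.elements[dst][1]


def enumerate_threats(dfd: Dfd) -> List[str]:
    """One candidate threat line per (STRIDE category, element or flow)."""
    threats: List[str] = []
    for name, (kind, _zone) in dfd.elements.items():
        for category in STRIDE_BY_ELEMENT[kind]:
            threats.append("%s: %s" % (category, name))
    for src, dst in dfd.flows:
        tag = " [crosses trust boundary]" if dfd.crosses_boundary(src, dst) else ""
        for category in STRIDE_BY_ELEMENT["data_flow"]:
            threats.append("%s: %s -> %s%s" % (category, src, dst, tag))
    return threats


def boundary_crossing_flows(dfd: Dfd) -> List[Tuple[str, str]]:
    """Flows that cross a trust boundary: review these first."""
    return [(s, d) for s, d in dfd.flows if dfd.crosses_boundary(s, d)]


def mobile_app_dfd() -> Dfd:
    """The mobile application DFD from the slides (trust zones are an assumption)."""
    dfd = Dfd()
    dfd.add("User", "external_interactor", "outside")
    dfd.add("Mobile Application", "process", "device")
    dfd.add("Local App Storage", "data_store", "device")
    dfd.add("Device Keychain", "data_store", "device")
    dfd.add("Mobile Web Services", "process", "server")
    dfd.flow("User", "Mobile Application")
    dfd.flow("Mobile Application", "Local App Storage")
    dfd.flow("Mobile Application", "Device Keychain")
    dfd.flow("Mobile Application", "Mobile Web Services")
    return dfd


if __name__ == "__main__":
    for line in enumerate_threats(mobile_app_dfd()):
        print(line)
```

The output is the raw candidate list (34 lines for this DFD); the "Typical Mobile Threats" slide is what remains after the reviewer discards the categories that do not apply to a given element in practice.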
Spoofing: Users to the Mobile Application
•  Borrowed Device
•  Stolen Device
•  Other Malicious Application
[Diagram: Attacker, Local App Storage, Mobile Application, Device Keychain]
Spoofing: Attacker to Mobile Web Services
•  Attacks against Mobile Web Services
[Diagram: User, Mobile Application, Mobile Web Services, Attacker]
Spoofing: Web Services to Mobile Application
•  Borrowed Device
•  Other Malicious Application
[Diagram: User, Mobile Application, Mobile Web Services, Malicious Host]
Tampering: Mobile Application
•  Borrowed/Stolen Device
•  Other Malicious Application
[Diagram: User, Local App Storage, Tampered Application, Device Keychain]
Disclosure: Device Data Stores or Residual Data
•  Borrowed/Stolen Device
•  Malicious Application
Functionality
•  Other Malicious Application
•  Attacks from Mobile Web Services
[Diagram: User, Local SQLite Storage, Mobile Application, Device Keychain]
Disclosure: Mobile Application to Web Service
•  Attacks from Local Network
•  Other Malicious Application
[Diagram: User, Mobile Application, Mobile Web Services, Attacker]
Other Data-Flow Threats
•  Denial of Service
•  Elevation of Privilege
[Diagram: User, Local App Storage, Mobile Application, Device Keychain]
[Diagram: USAA Member, Local App Storage, Mobile Application, Device Keychain, Attacker]
Verification: Code Review
•  Review software artifacts “at-rest”
•  Can be both automated and manual
•  Reach and frequency
–  How much of your software is subject to review?
–  How thorough is the analysis?
–  How often is it performed?
Static Analysis
•  Source Code Scanning
•  Manual Code Reviews
•  Advantages
–  Identifies flaws during integration, when it is easier to address issues
–  Developers can identify flaws in their own code before checking it in
–  Many projects already have a code review process in-place
•  Disadvantages
–  Freeware tools often do not address security well (specifically dataflow analysis)
–  Licensed tools are a significant investment
–  Manual review can be unstructured and time-consuming without licensed tools
–  Not ideal for discovering logical vulnerabilities
Static Analysis Tools
•  Commercial Tools
–  Fortify (now HP)
–  Ounce (now IBM Rational)
–  Checkmarx
–  Veracode (SaaS)
•  Freeware Tools
–  RATS/Flawfinder - C/C++, Python, PHP
–  Findbugs – Java
–  PMD - Java
–  FxCop - .NET
–  Brakeman – Ruby on Rails
FindBugs - Overview
•  Freely-available binary static analysis tool for Java
•  Main site: http://findbugs.sourceforge.net/
FindBugs - Installation
•  Instructions (from ~/Desktop/WorkingDir):
–  Unpack the distribution
•  tar xzvf ~/Downloads/findbugs-2.0.3-rc1.tar.gz
•  Should unpack into findbugs-2.0.3-rc1/
•  Can also install as an Eclipse plugin:
–  Plugin update site: http://findbugs.cs.umd.edu/eclipse
FindBugs – Usage (GUI)
•  Run the FindBugs GUI
–  bin/fb gui
•  Create a new project
–  File -> New Project
–  Enter project name “WebGoat”
–  Enter classpath for analysis “~/Desktop/WorkingDir/WebGoat-5.4/tomcat/webapps/WebGoat.war”
–  Use remaining defaults and run analysis
•  Notice the error messages but ignore them for now and look through the results
FindBugs – Usage (GUI)
•  But can we get rid of those error messages?
•  Reconfigure the project
–  File -> Reconfigure
–  Add supporting JARs
•  JARs in tomcat/bin/
•  JARs in tomcat/lib/
•  JARs in tomcat/webapps/WebGoat/WEB-INF/lib
–  CAN’T JUST SELECT THE DIRECTORIES – MUST SELECT ALL THE JARS
•  Re-run the analysis
FindBugs – Usage (GUI)
•  The reporting seems to be lacking details. Can we link to the source?
•  Install subversion
–  sudo apt-get install subversion
•  Download the appropriate source code
–  svn checkout http://webgoat.googlecode.com/svn/tags/webgoat-5.4 webgoat-src
•  Reconfigure the project
–  File -> Reconfigure
–  Add source directory
•  ~/WorkingDir/WebGoat-5.4/webgoat-src/src/main/java
•  Now you should be able to see the WebGoat source files
•  Save the results as a FindBugs Project (fbp) file
–  bin/ directory
–  FBP files can be sensitive to relative paths if moved
FindBugs – Usage Notes
•  So what did we learn about FindBugs
–  FindBugs has to know about the binaries it is supposed to analyze
–  FindBugs gives us better results if we include supporting libraries
–  FindBugs gives us better reporting if we include source code
•  These lessons translate to most static analysis tools (commercial and open source)
FindBugs – What Has It Told Us?
•  There are lots of results
–  But not all of them have to do with security
•  There is a Security top-level category
–  Some good stuff in here (if perhaps a little noisy)
•  What else might we want to look at?
–  Correctness
–  Bad practice
–  Malicious code vulnerability
–  Multithreaded correctness
–  Performance
FindBugs – Usage (Command Line)
•  Hopefully you saved a .fbp file via the GUI…
•  bin/fb analyze -project <projectname>
–  Runs the same FindBugs analysis we did before but prints the results to stdout
•  bin/fb analyze -project <projectname> -xml:withMessages -output <outputfile>
–  Runs the same FindBugs analysis we did before but stores the results, with human-readable descriptions, in the indicated XML file
•  Documentation for command-line switches: http://findbugs.sourceforge.net/manual/running.html#commandLineOptions
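The XML written with -xml:withMessages is what you feed to the rest of the program, so a small triage step that keeps only the categories a security reviewer cares about is the natural next move. The following is an added example and not code from the deck or from FindBugs: SAMPLE_XML is a constructed, trimmed imitation of the report format (class names and line numbers are made up), while the bug pattern names and categories are real FindBugs identifiers.

```python
"""Triage FindBugs XML output (-xml:withMessages) down to security findings.

Added example; SAMPLE_XML is a constructed imitation of the report format.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<BugCollection version="2.0.3" sequence="0" timestamp="0" analysisTimestamp="0" release="">
  <Project projectName="WebGoat"/>
  <BugInstance type="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" priority="1" abbrev="SQL" category="SECURITY">
    <ShortMessage>Nonconstant string passed to execute method on an SQL statement</ShortMessage>
    <Class classname="org.example.webapp.SearchServlet"/>
    <SourceLine classname="org.example.webapp.SearchServlet" start="42" end="42" sourcefile="SearchServlet.java"/>
  </BugInstance>
  <BugInstance type="XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER" priority="2" abbrev="XSS" category="SECURITY">
    <ShortMessage>Servlet reflected cross site scripting vulnerability</ShortMessage>
    <Class classname="org.example.webapp.ProfileServlet"/>
    <SourceLine classname="org.example.webapp.ProfileServlet" start="88" end="88" sourcefile="ProfileServlet.java"/>
  </BugInstance>
  <BugInstance type="EI_EXPOSE_REP" priority="2" abbrev="EI" category="MALICIOUS_CODE">
    <ShortMessage>May expose internal representation by returning reference to mutable object</ShortMessage>
    <Class classname="org.example.webapp.Session"/>
    <SourceLine classname="org.example.webapp.Session" start="31" end="31" sourcefile="Session.java"/>
  </BugInstance>
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="1" abbrev="NP" category="CORRECTNESS">
    <ShortMessage>Possible null pointer dereference</ShortMessage>
    <Class classname="org.example.webapp.SearchServlet"/>
    <SourceLine classname="org.example.webapp.SearchServlet" start="57" end="57" sourcefile="SearchServlet.java"/>
  </BugInstance>
  <BugInstance type="DM_DEFAULT_ENCODING" priority="3" abbrev="Dm" category="I18N">
    <ShortMessage>Reliance on default encoding</ShortMessage>
    <Class classname="org.example.webapp.Exporter"/>
    <SourceLine classname="org.example.webapp.Exporter" start="12" end="12" sourcefile="Exporter.java"/>
  </BugInstance>
</BugCollection>
"""


@dataclass(frozen=True)
class Finding:
    pattern: str        # FindBugs bug pattern id
    category: str       # SECURITY, MALICIOUS_CODE, CORRECTNESS, ...
    priority: int       # 1 = high, 2 = medium, 3 = low
    classname: str
    line: Optional[int]
    message: str


def parse_findbugs(xml_text: str) -> List[Finding]:
    """Read every BugInstance; the primary location is the SourceLine that is a direct child."""
    root = ET.fromstring(xml_text)
    findings = []
    for bug in root.iter("BugInstance"):
        cls = bug.find("Class")
        src = bug.find("SourceLine")
        findings.append(Finding(
            pattern=bug.get("type", ""),
            category=bug.get("category", ""),
            priority=int(bug.get("priority", "3")),
            classname=cls.get("classname", "") if cls is not None else "",
            line=int(src.get("start")) if src is not None and src.get("start") else None,
            message=bug.findtext("ShortMessage", default=""),
        ))
    return findings


def triage(findings: List[Finding],
           categories: Tuple[str, ...] = ("SECURITY", "MALICIOUS_CODE"),
           max_priority: int = 2) -> List[Finding]:
    """Keep the categories worth a security reviewer's time, highest priority first."""
    kept = [f for f in findings if f.category in categories and f.priority <= max_priority]
    return sorted(kept, key=lambda f: (f.priority, f.classname, f.line or 0))


def count_by_category(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    all_findings = parse_findbugs(SAMPLE_XML)
    print(count_by_category(all_findings))
    for f in triage(all_findings):
        print("P%d %-15s %s:%s %s" % (f.priority, f.category, f.classname, f.line, f.pattern))
```

Run it against the file produced by the -output switch above; widening `categories` to include CORRECTNESS and MULTITHREADED_CORRECTNESS is how you pick up the other categories the "What Has It Told Us?" slide suggests looking at.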
FxCop - Overview
•  Free static analysis tool from Microsoft
•  Integrated into Visual Studio
•  Similar capabilities to FindBugs (but for .NET)
•  Blog: http://blogs.msdn.com/b/codeanalysis/
CAT.NET - Overview
•  Free static analysis tool from Microsoft
•  Does dataflow analysis (rare among the free tools)
•  Version 1:
http://www.microsoft.com/en-us/download/details.aspx?id=19968
•  Version 2: http://blogs.msdn.com/b/securitytools/archive/2010/02/04/cat-net-2-0-beta.aspx
•  Dinis Cruz has done some interesting work with CAT.NET and O2
–  https://www.owasp.org/index.php/OWASP_O2_Platform/Microsoft/CAT.NET
•  Plans for future development are not clear
Brakeman - Overview
•  Security scanner for Ruby on Rails applications
•  Static analysis
•  Finds things like SQL injection and XSS
–  Also checks for certain CVE-type vulnerabilities
•  Main site: http://brakemanscanner.org/
Brakeman - Installation
•  Install prerequisites:
–  sudo apt-get install ruby1.8
–  sudo apt-get install rubygems
•  Install scanner:
–  sudo gem install brakeman
•  Usage:
–  brakeman <path-of-rails-site>
–  brakeman -o <output-file> <path-of-rails-site>
Brakeman - Using
•  Try some test sites
•  But first install git:
–  sudo apt-get install git
•  Sites to try:
–  RailsGoat
•  http://railsgoat.cktricky.com/
•  git clone https://github.com/OWASP/railsgoat.git
–  Hacme Casino
•  git clone git://github.com/spinkham/Hacme-Casino
Agnitio - Overview
•  Tool for supporting manual code reviews
•  Set of checklists to verify security controls
•  Some grep-like search capabilities
•  Main site: http://sourceforge.net/projects/agnitiotool/
DependencyCheck – Overview
•  Checks for out-of-date JAR libraries with known CWE issues
•  Looks beyond JAR hashes
•  We used it to find a vulnerable library used by ThreadFix
–  Apache POI library
–  http://web.nvd.nist.gov/view/vuln/search-results?cpe=cpe%3A%2Fa%3Aapache%3Apoi%3A3.7&page_num=0&cid=1
•  Main site: https://github.com/jeremylong/DependencyCheck
DependencyCheck - Installation
•  Install dependencies:
–  sudo apt-get install git (should have already done this)
–  sudo apt-get update
–  sudo apt-get install maven (we need Maven 3)
–  sudo apt-get install openjdk-7-jdk (need a JDK – previously we only installed a JRE)
•  Download code:
–  git clone git://github.com/jeremylong/DependencyCheck.git
•  Build:
–  cd DependencyCheck
–  mvn package
DependencyCheck – Example
•  Running DependencyCheck
–  java -jar dependency-check-1.0.5-SNAPSHOT.jar -a WebGoat -out . -s <path-to-JARs>
–  The first time it runs it needs to download NVD data from NIST which can take a while
–  Will attempt to check for new NVD data
•  Run against
–  ThreadFix
–  WebGoat
–  OLAT
–  Other Java-based applications
Verification: Security Testing
•  Runtime testing for security vulnerabilities
•  Web applications: automated scanners, web proxies
•  Other applications: fuzzing, protocol analysis
Dynamic Analysis
•  Integrate abuse cases into unit and automated testing
•  Use application scanning tools
•  Perform a dedicated penetration test by security staff or a 3rd party
•  Advantages
–  Generally more time-efficient than manual code review
–  Good for discovering logical vulnerabilities
•  Disadvantages
–  Requires fully functional features to test
–  Security staff may not have application security training or experience
–  Scanning tools may have difficulty with unusual applications
Dynamic Analysis Tools
•  Automated Tools
–  IBM Rational AppScan
–  HP WebInspect
–  Acunetix Vulnerability Scanner
–  Netsparker
•  Manual Testing
–  Zed Attack Proxy
–  Burp
–  Google RatProxy
–  Browser plugins
–  Testing Scripts – Watir
–  Load and Performance testing tools – JMeter, Grinder
Arachni - Overview
•  Open source automated web application scanner
•  Written in Ruby
•  Can be deployed in a “grid” format for faster scanning
•  Uses several different types of analysis to identify vulnerabilities
–  Fuzzing
–  Taint analysis
–  Time analysis
•  Main site: http://arachni-scanner.com/
Arachni – Installation
•  Unpack:
–  tar xzvf arachni-0.4.5.2-0.4.2.1-linux-i686.tar.gz
•  Usage:
–  arachni -h
–  arachni http://site-to-test.com/
–  arachni -fv http://site-to-test.com/ --report=html:outfile=my_report.html
w3af - Overview
•  Open source automated web application scanner
•  Written in Python
•  Main site: http://w3af.sourceforge.net/
w3af - Installation
•  Recommended *NIX install:
–  git clone https://github.com/andresriancho/w3af.git
–  cd w3af
–  ./w3af_gui
•  Now fix the dependencies:
–  apt-get install python-setuptools python-pip graphviz python2.7-dev libsqlite3-dev libxslt1-dev python-gtksourceview2 libxml2-dev python-pip
–  Still need some Python stuff
–  apt-get install libssl-dev (otherwise one of the dependency compiles will fail)
–  /tmp/w3af_dependency_install.sh (make it executable and run it with sudo) (great security practice, by the way…)
OWASP ZAProxy - Overview
•  Open source web proxy and web application scanner
•  Supports both manual and automated assessment
•  Fork of Paros Proxy
•  Exposes RESTful API
•  Main site: http://code.google.com/p/zaproxy/
OWASP ZAProxy - Installation
•  Unpack
–  tar xzvf ZAP_2.2.2_Linux.tar.gz
•  Run
–  zap.sh
OWASP ZAProxy – Usage
•  Change your browser to point to ZAP’s proxy
–  ZAP defaults to using 8080 which might conflict with local Tomcat installs
–  Change proxy port via Tools -> Options -> Local proxy
•  Spider
•  Passive Scanner
•  Active Scanner
Skipfish - Overview
•  Fast web application scanner written in C
•  Maintained by Google
•  Does a lot of file/directory guessing by default
•  Main site:
–  https://code.google.com/p/skipfish/
Skipfish – Installation and Usage
•  Installation
–  tar xzvf ~/Downloads/skipfish-2.10b.tgz
•  Handle dependencies:
–  sudo apt-get install libpcre3-dev
–  sudo apt-get install libidn11-dev
•  Build:
–  make
•  Run:
–  touch new_dict.wl
–  ./skipfish -o output_dir -S existing_dictionary.wl -W new_dict.wl http://www.example.com/some/starting_path.txt
Which Open Source Scanner Is Best?
•  What Do You Want?
–  Coverage
–  Low False Positives
–  Low False Negatives
Scanner Coverage
•  You can’t test what you can’t see
•  How effective is the scanner’s crawler?
•  How are URLs mapped to functionality?
–  RESTful
–  Parameters
•  Possible issues:
–  Login routines
–  Multi-step processes
–  Anti-CSRF protection
Are You Getting a Good Scan?
Large financial firm: “Our 500 page website is secure because the scanner did not find any vulnerabilities!”
Me: “Did you teach the scanner to log in so that it can see more than just the homepage?”
Large financial firm: “…”
Can Your Scanner Do This?
•  Two-step login procedure:
–  Enter username / password (pretty standard)
–  Enter answer to one of several arbitrary questions
•  Challenge was that the parameter indicating the question was dynamic
–  Question_1, Question_2, Question_3, and so on
–  Makes standard login recording ineffective
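The dynamic parameter name is exactly what defeats a recorded login macro, so the scanner's login script has to read the served form and find the challenge field at runtime. The following is an added example, not code from the deck or from any scanner: the HTML is a constructed login form modelled on the description above (the question input is named Question_1, Question_2, ... and varies between attempts), and the hidden token field and the question/answer table for the scanner's own test account are also constructed. A real login script would fetch the page, run this over the response body and post the returned dictionary.

```python
"""Fill in the second step of a login whose challenge parameter name changes.

Added example; the form, the token and the test-account answers are constructed.
"""
import re
from html.parser import HTMLParser
from typing import Dict, Optional, Tuple

CHALLENGE_HTML = """
<form method="post" action="/login/step2">
  <input type="hidden" name="token" value="c0nstructed-t0ken">
  <label for="Question_2">What was the name of your first pet?</label>
  <input type="text" name="Question_2" value="">
  <input type="submit" name="submit" value="Continue">
</form>
"""

# Answers registered for the scanner's own test account (constructed)
TEST_ACCOUNT_ANSWERS: Dict[str, str] = {
    "What was the name of your first pet?": "Rex",
    "In what city were you born?": "Austin",
    "What was your first car?": "Pinto",
}

CHALLENGE_NAME = re.compile(r"^Question_\d+$")


class LoginFormParser(HTMLParser):
    """Collect every <input> field and the text of each <label for=...>."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: Dict[str, str] = {}
        self.labels: Dict[str, str] = {}
        self._label_for: Optional[str] = None

    def handle_starttag(self, tag, attrs) -> None:
        a = dict(attrs)
        if tag == "input" and a.get("name"):
            self.inputs[a["name"]] = a.get("value") or ""
        elif tag == "label" and a.get("for"):
            self._label_for = a["for"]

    def handle_data(self, data: str) -> None:
        if self._label_for:
            self.labels[self._label_for] = (self.labels.get(self._label_for, "") + data).strip()

    def handle_endtag(self, tag: str) -> None:
        if tag == "label":
            self._label_for = None


def find_challenge(parser: LoginFormParser) -> Tuple[str, str]:
    """Return (parameter name, question text); exactly one challenge field is expected."""
    names = [n for n in parser.inputs if CHALLENGE_NAME.match(n)]
    if len(names) != 1:
        raise ValueError("expected one challenge field, found %r" % names)
    return names[0], parser.labels.get(names[0], "")


def build_step2_body(html: str, answers: Dict[str, str]) -> Dict[str, str]:
    """Form body for the second step: every field as served, plus the matching answer."""
    parser = LoginFormParser()
    parser.feed(html)
    name, question = find_challenge(parser)
    if question not in answers:
        raise KeyError("no registered answer for question %r" % question)
    body = dict(parser.inputs)          # keeps hidden fields such as the token
    body[name] = answers[question]
    return body


if __name__ == "__main__":
    print(build_step2_body(CHALLENGE_HTML, TEST_ACCOUNT_ANSWERS))
```

Keeping every served field (the hidden token included) is what makes this work against anti-CSRF protection on the login form, one of the coverage problems listed on the "Scanner Coverage" slide.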
It All Started With A Simple Blog Post…
•  Ran into an application with a complicated login procedure
•  Wrote blog post about the toolchain used to solve the problem
–  http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated-logins-with-appscan-and-burp-suite.html
•  Other scanner teams responded:
–  IBM Rational AppScan
•  http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated-logins-with-appscan-only.html
–  HP WebInspect
•  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-hp-webinspect.html
–  Mavituna Security Netsparker
•  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-mavituna-netsparker.html
–  NTObjectives NTOSpider
•  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-ntospider.html
Scanner Authentication Scenario Examples
•  Built as a response to the previously-mentioned blog conversation
•  Example implementations of different login routines
–  How can different scanners be configured to successfully scan?
•  GitHub site:
–  https://github.com/denimgroup/authexamples
Did I Get a Good Scan?
•  Scanner training is really important
–  Read the Larry Suto reports…
•  Must sanity-check the results of your scans
•  What URLs were accessed?
–  If only two URLs were accessed on a 500 page site, you probably have a bad scan
–  If 5000 URLs were accessed on a five page site, you probably have a bad scan
•  What vulnerabilities were found and not found?
–  Scan with no vulnerabilities – probably not a good scan
–  Scan with excessive vulnerabilities – possibly a lot of false positives
Low False Positives
•  Reports of vulnerabilities that do not actually exist
•  How “touchy” is the scanner’s testing engine?
•  Why are they bad?
–  Take time to manually review and filter out
–  Can lead to wasted remediation time
Low False Negatives
•  Scanner failing to report vulnerabilities that do exist
•  How effective is the scanner’s testing engine?
•  Why are they bad?
–  You are exposed to risks you do not know about
–  You expect that the scanner would have found certain classes of vulnerabilities
•  What vulnerability classes do you think scanners will find?
Other Benchmarking Efforts
•  Larry Suto’s 2007 and 2010 reports
–  Analyzing the Accuracy and Time Costs of Web Application Security Standards
–  http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf
–  Vendor reactions were … varied
–  [Ofer Shezaf attended this talk at AppSecEU 2012 and had some great questions and comments. See his reactions to the latest Larry Suto scanner report here: http://www.xiom.com/2010/02/09/wafs-are-not-perfect-any-security-tool-perfect ]
•  Shay Chen’s Blog and Site
–  http://sectooladdict.blogspot.com/
–  http://www.sectoolmarket.com/
•  Web Application Vulnerability Scanner Evaluation Project (wavsep)
–  http://code.google.com/p/wavsep/
So I Should Just Buy the Best Scanner, Right?
•  Or the cheapest?
•  Well…
–  What do you mean by “best”?
•  Follow-on questions
–  How well do the scanners work on your organization’s applications?
–  How many false positives are you willing to deal with?
–  What depth and breadth of coverage do you need?
What is a Unique Vulnerability in ThreadFix?
•  (CWE, Relative URL)
–  Predictable resource location
–  Directory listing misconfiguration
•  (CWE, Relative URL, Injection Point)
–  SQL injection
–  Cross-site Scripting (XSS)
•  Injection points
–  Parameters – GET/POST
–  Cookies
–  Other headers
What Do The Scanner Results Look Like?
•  Usually XML
–  Skipfish uses JSON and gets packaged as a ZIP
•  Scanners have different concepts of what a “vulnerability” is
–  We normalize to the (CWE, location, [injection point]) noted before
•  Look at some example files
•  Several vendors have been really helpful adding additional data to their APIs and file formats to accommodate requests
Why Common Weakness Enumeration (CWE)?
•  Every tool has their own “spin” on naming vulnerabilities
•  OWASP Top 10 / WASC 24 are helpful but not comprehensive
•  CWE is exhaustive (though a bit sprawling at times)
•  Reasonably well-adopted standard
•  Many tools have mappings to CWE for their results
•  Main site: http://cwe.mitre.org/
Scanner Benchmarking in ThreadFix
•  Upload multiple scans
•  Mark false positives
•  Run reports
Let’s Run Our Own Benchmark
•  Scan wavsep with:
–  w3af
–  OWASP ZAP
–  Arachni
–  Skipfish
–  (We package example files in ThreadFix/test-scans/wavsep)
•  Upload results to ThreadFix
•  Run results
Current Limitations
•  Vulnerability importers are not currently formally vendor-supported
–  Though a number have helped us test and refine them (thanks!)
–  After you get a good scan make sure you also got a good import
•  Summary report should show data by severity rating
–  Make it easier to focus on vulnerabilities you probably care more about
–  But you can look at the data by vulnerability type
You Know What Would Make All This Way Easier?
•  Common data standards for scanning tools!
•  Current efforts:
–  MITRE Software Assurance Findings Expression Schema (SAFES)
•  http://www.mitre.org/work/tech_papers/2012/11_3671/
–  OWASP Data Exchange Format Project
•  https://www.owasp.org/index.php/OWASP_Data_Exchange_Format_Project
Simple Software Vulnerability Language (SSVL)
•  Common way to represent static and dynamic scanner findings
•  Based on our experience building importers for ThreadFix
–  It “works” for real-world applications because we are essentially using it
•  Love to hear feedback
–  Folks have been using the GitHub bug tracker to discuss
•  Online:
–  https://github.com/OWASP/SSVL
Simple Software Vulnerability Language (SSVL)
OpenSAMM: Deployment
•  Vulnerability Management
•  Environment Hardening
•  Operational Enablement
Deployment: Vulnerability Management
•  Process for managing vulnerabilities in both internal and external software
•  Goal is consistency
•  Use data from vulnerability handling to improve processes
–  Decrease number and severity of future vulnerabilities
–  Decrease time-to-fix
Application Vulnerability Management
•  Application security teams use automated static and dynamic test results as well as manual testing results to assess the security of an application
•  Each test delivers results in different formats
•  Different test platforms describe the same flaws differently, creating duplicates
•  Security teams end up using spreadsheets to keep track manually
•  As a result, it is extremely difficult to prioritize the severity of flaws
•  Software development teams receive unmanageable reports and only a small portion of the flaws get fixed
The Result
•  Application vulnerabilities persist in applications:
–  Average serious vulnerabilities found per website per year is 79 **
–  Average days a website is exposed to one serious vulnerability is 231 days **
–  Overall percentage of serious vulnerabilities that are fixed annually is only 63% **
•  Part of that problem is there is no easy way for the security team and application development teams to work together on these issues
•  Remediation quickly becomes an overwhelming project
•  Trending reports that track the number of reduced vulnerabilities are impossible to create
** WhiteHat Statistics Report (Summer 2012): https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf
Vulnerability Fun Facts:
•  Average number of serious vulnerabilities found per website per year is 79 **
•  Serious vulnerabilities were fixed in ~38 days **
•  Percentage of serious vulnerabilities fixed annually is only 63% **
•  Average number of days a website is exposed to at least one serious vulnerability: ~231 days
** WhiteHat Statistics Report (Summer 2012): https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf
Vulnerability Remediation Data
Vulnerability Type                              Sample Count   Average Fix (minutes)
Dead Code (unused methods)                      465            2.6
Poor logging: system output stream              83             2.9
Poor Error Handling: Empty catch block          180            6.8
Lack of Authorization check                     61             6.9
Unsafe threading                                301            8.5
ASP.NET non-serializable object in session      42             9.3
XSS (stored)                                    1023           9.6
Null Dereference                                157            10.2
Missing Null Check                              46             15.7
XSS (reflected)                                 25             16.2
Redundant null check                            21             17.1
SQL injection                                   30             97.5
Where Is Time Being Spent?
[Chart: percentage of remediation time spent on Setup Development Environment, Fix Vulnerabilities, Confirm Fixes / QA, Deploy and Overhead for each project; one marked series indicates the weighted average versus the average of individual projects]
Turning Vulnerabilities Into Software Defects
•  Security teams talk about “vulnerabilities”
•  Software developers talk about “defects”
•  Developers Don’t Speak PDF
–  http://blog.denimgroup.com/denim_group/2012/11/hey-security-teams-developers-dont-speak-pdf.html
•  Why should developers manage 90% of their workload in defect trackers
–  And the magic, special “security” part of their workload … some other way?
•  ThreadFix lets you slice, dice and bundle vulnerabilities into software defects
–  And track their remediation status over time to schedule re-scans
ThreadFix: Vulnerability Import
•  A “channel” is a source of vulnerability data for an application
–  With the 1.2 version users no longer have to manually manage channels
•  Each import from a channel is “diff’ed” versus the previous scan
–  When do vulnerabilities appear?
–  When do vulnerabilities go away?
•  Can be automated via the RESTful interface to include in the build process, etc.
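The normalization described on the "What is a Unique Vulnerability in ThreadFix?" and "What Do The Scanner Results Look Like?" slides, and the per-channel diff described on this one, carried through as one added example. This is not ThreadFix code: the two input formats (one XML, one JSON) are constructed stand-ins for real scanner exports, the vulnerability-name-to-CWE tables are this example's own, and the URLs are made up. Findings collapse to the (CWE, relative URL, injection point) key, with location-only CWEs keyed without an injection point, so the same flaw reported by two tools, or twice by one, counts once.

```python
"""Normalize scanner findings to (CWE, relative URL, injection point) keys,
merge them across tools, and diff one import against the previous one.

Added example, not ThreadFix code; input formats and URLs are constructed.
"""
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple
from urllib.parse import urlparse

SCAN_A_XML = """<scan tool="scanner-a">
  <vuln name="Cross Site Scripting" url="http://test.example.com/app/search.jsp" param="q" method="GET"/>
  <vuln name="SQL Injection" url="http://test.example.com/app/login.jsp" param="username" method="POST"/>
  <vuln name="Directory Listing" url="http://test.example.com/app/images/"/>
</scan>"""

SCAN_B_JSON = """[
  {"id": "xss_reflected", "uri": "/app/search.jsp?q=1", "parameter": "q", "where": "GET"},
  {"id": "xss_reflected", "uri": "/app/search.jsp?q=2", "parameter": "q", "where": "GET"},
  {"id": "sqli", "uri": "/app/login.jsp", "parameter": "password", "where": "POST"},
  {"id": "xss_reflected", "uri": "/app/profile.jsp", "parameter": "theme", "where": "COOKIE"}
]"""

# Each tool's own naming mapped onto CWE ids (this example's tables)
CWE_A = {"Cross Site Scripting": 79, "SQL Injection": 89, "Directory Listing": 548,
         "Predictable Resource Location": 425}
CWE_B = {"xss_reflected": 79, "sqli": 89, "dir_listing": 548, "forced_browsing": 425}
# CWEs keyed by location only, without an injection point
LOCATION_ONLY = {425, 548}
# Where tainted input enters: parameters (GET/POST), cookies, other headers
POINT_KIND = {"GET": "parameter", "POST": "parameter", "COOKIE": "cookie", "HEADER": "header"}


@dataclass(frozen=True)
class VulnKey:
    cwe: int
    path: str                                   # relative URL, query string stripped
    injection_point: Optional[Tuple[str, str]]  # (kind, name) or None


def make_key(cwe: int, url: str, kind: Optional[str], name: Optional[str]) -> VulnKey:
    path = urlparse(url).path or "/"
    if cwe in LOCATION_ONLY:
        return VulnKey(cwe, path, None)
    if not kind or not name:
        raise ValueError("CWE-%d finding at %s needs an injection point" % (cwe, path))
    return VulnKey(cwe, path, (POINT_KIND[kind.upper()], name))


def parse_scanner_a(xml_text: str) -> List[VulnKey]:
    root = ET.fromstring(xml_text)
    return [make_key(CWE_A[v.get("name")], v.get("url"), v.get("method"), v.get("param"))
            for v in root.iter("vuln")]


def parse_scanner_b(json_text: str) -> List[VulnKey]:
    return [make_key(CWE_B[v["id"]], v["uri"], v.get("where"), v.get("parameter"))
            for v in json.loads(json_text)]


def merge(*scans: List[VulnKey]) -> FrozenSet[VulnKey]:
    """The same key from several tools (or reported twice by one) is one vulnerability."""
    return frozenset(k for scan in scans for k in scan)


def diff_imports(previous: Set[VulnKey], current: Set[VulnKey]):
    """(new, resolved, still open) between two imports from one channel."""
    return current - previous, previous - current, previous & current


if __name__ == "__main__":
    a, b = parse_scanner_a(SCAN_A_XML), parse_scanner_b(SCAN_B_JSON)
    print("raw findings: %d, unique: %d" % (len(a) + len(b), len(merge(a, b))))
    new, resolved, still_open = diff_imports(set(a), set(b))
    print("new: %d, resolved: %d, still open: %d" % (len(new), len(resolved), len(still_open)))
```

The same key is what the benchmarking slides rely on: once every tool's output is reduced to these keys, "which scanner found what on wavsep" is a set comparison rather than a manual match of differently named findings.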
ThreadFix: Defect Tracker Integration
•  Turn vulnerabilities that security staff care about into software bugs that developers know how to handle
•  Bundle multiple vulnerabilities into a single defect
•  How to organize?
–  By severity
–  By type
–  By location in the application
–  Some combination
•  When the defect status changes you can schedule re-scans
But My Bug Tracker Isn’t Supported!
•  We are always working on supporting new technologies
–  Check out the current support list: https://code.google.com/p/threadfix/wiki/DefectTrackers
–  Submit a bug to the ThreadFix defect tracker: https://code.google.com/p/threadfix/issues/list
•  You can add new defect trackers as plugins
–  No changes to the core codebase required
–  For instructions and sample code check out the wiki article: https://code.google.com/p/threadfix/wiki/CustomDefectTrackerGuide
Deployment: Environment Hardening
•  Attackers do not care about applications – attacking infrastructure might be just as effective and valuable for them
•  Controls for operating environments:
–  Reduce vulnerabilities in the infrastructure
–  Enable logging and tracking
Microsoft Baseline Security Analyzer (MBSA) - Overview
•  Runs standard checks on Windows Workstations and Servers
–  Internet Explorer
–  IIS
–  SQL Server
•  Checks registry and file settings
•  2.2 Downloads:
http://www.microsoft.com/en-us/download/details.aspx?id=7558
Microsoft Baseline Security Analyzer (MBSA) – Installation and Use
•  Install via the .msi
•  Run scans
–  Single machine
–  Network of machines
•  Review the results
Deployment: Operational Enablement
•  How do you install, configure and run your applications?
–  Also updates and upgrades
•  Runtime checks and logging for intrusion detection and incident response
–  John Dickson has done some work in this area
–  http://www.slideshare.net/denimgroup/top-strategies-to-capture-security-intelligence-for-applications
Continuous Integration and Security Testing
•  Reduce the time between introducing security defects and knowing about them
•  Free tools mean that any project can be instrumented
–  No licensing fees
•  ThreadFix has a REST-based API and command-line client for scripting
Exercise: Script the Scan/Upload Process
•  Generate a ThreadFix API key
•  Test the command-line client
•  Script a web application scan
•  Include file upload after scanning
mod_security - Overview
•  Open source web application firewall engine
•  Also has a Core RuleSet (CRS)
•  Traditionally has been Apache-only
–  Runs as an Apache module (mod_security)
–  Recently announced both IIS and Nginx support
•  Main site: http://www.modsecurity.org/
Virtual Patching
•  Overview
•  Applicability
•  Approaches
Overview
•  Create short-term protections by telling IDS/IPS/WAFs where vulnerabilities are located and how to detect attacks
–  IDS – Intrusion Detection System
–  IPS – Intrusion Prevention System
–  WAF – Web Application Firewall
Applicability
•  Most applicable for “technical” vulnerabilities
–  SQL injection
–  Cross-Site Scripting
•  Harder to do for application-specific vulnerabilities
Approaches
•  Tell the sensor where the vulnerability is and what an attack looks like
•  This rule pattern is useful when you need to protect a known address and a known parameter against a known payload
ThreadFix: Virtual Patching
•  Use vulnerability data from scans (usually dynamic) to create targeted, application-specific WAF rules
•  ThreadFix supports several IDS/IPS/WAF systems
–  Snort
–  mod_security
–  F5 ASM
–  Imperva
–  DenyAll
•  Can also import sensor logs to map blocked attacks back to the vulnerabilities targeted
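To make the "known address, known parameter" pattern concrete, here is an added example (not code from the course, from ThreadFix or from the ModSecurity project) of the two halves ThreadFix automates: generating a targeted mod_security rule from a scan finding, and mapping the sensor's block events back to that finding. The finding (VULN-42, /app/search, parameter q), the rule id and the log lines are constructed. The rule takes the positive-security form (the parameter must match an allowlist pattern) rather than enumerating attack strings, and the log parser assumes the ModSecurity 2.x Apache error-log format with [id "..."] and [uri "..."] fields.

```shell
#!/bin/sh
# Added example (not from the course, ThreadFix or ModSecurity): generate a
# targeted virtual patch for a scan finding and map block events back to it.
# Constructed inputs: the finding (VULN-42, /app/search, parameter q), the
# rule id and the sample log lines. Log format assumed: ModSecurity 2.x
# Apache error log with [id "..."], [msg "..."] and [uri "..."] fields.

# Emit a chained ModSecurity rule that fires only on the vulnerable URL and
# only when the named parameter fails an allowlist pattern. Positive security:
# we state what a valid value looks like instead of guessing attack strings.
# ARGS values are already URL-decoded by the engine, so no transformation is added.
# Usage: gen_modsec_rule RULE_ID VULN_ID PATH PARAM ALLOWED_REGEX
gen_modsec_rule() {
  cat <<EOF
SecRule REQUEST_URI "@beginsWith $3" \\
    "id:$1,phase:2,t:none,deny,status:403,log,msg:'Virtual patch $2: parameter $4 outside allowed pattern',chain"
    SecRule ARGS:$4 "!@rx $5"
EOF
}

# Constructed log lines: one block produced by the rule above, one unrelated error.
SAMPLE_BLOCK_LINE='[Tue Mar 05 12:00:00 2013] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ^[A-Za-z0-9 ._-]{0,64}$" against "ARGS:q" required. [file "/etc/modsecurity/threadfix-patches.conf"] [line "3"] [id "100042"] [msg "Virtual patch VULN-42: parameter q outside allowed pattern"] [hostname "www.example.com"] [uri "/app/search"] [unique_id "constructed-0001"]'
SAMPLE_NOISE_LINE='[Tue Mar 05 12:00:01 2013] [error] [client 203.0.113.6] File does not exist: /var/www/favicon.ico'

# Given one error-log line, print "<rule id> <uri>" for a ModSecurity block
# event; print nothing and return 1 for anything else. Because the rule id was
# assigned when the patch was generated, this joins the event back to VULN-42.
block_event_to_rule() {
  case $1 in
    *"ModSecurity: Access denied"*) ;;
    *) return 1 ;;
  esac
  id=$(printf '%s\n' "$1" | sed -n 's/.*\[id "\([0-9]*\)"\].*/\1/p')
  uri=$(printf '%s\n' "$1" | sed -n 's/.*\[uri "\([^"]*\)"\].*/\1/p')
  [ -n "$id" ] || return 1
  printf '%s %s\n' "$id" "$uri"
}

# Summarise a whole log file: how often each virtual patch fired and on which URI.
count_blocks_by_rule() {
  while IFS= read -r line; do
    block_event_to_rule "$line" || true
  done <"$1" | sort | uniq -c
}

# Demonstration on the constructed data when run directly.
if [ "${RUN_VPATCH_DEMO:-0}" = 1 ]; then
  gen_modsec_rule 100042 VULN-42 /app/search q '^[A-Za-z0-9 ._-]{0,64}$'
  block_event_to_rule "$SAMPLE_BLOCK_LINE"
fi
```

Keeping the vulnerability id inside the rule's msg and choosing the rule id per finding is what makes the log import step possible: every 403 the sensor logs carries enough to be counted against the specific open vulnerability it shields, which is the evidence you want when deciding whether the real fix can wait for the next release.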
ThreadFix: Virtual Patching Example
•  Example Rule Generation:
–  Create a mod_security WAF
–  Associate with an application with open vulnerabilities
–  Generate rules
•  Example Log Import:
–  Upload log file
–  Look at event data in vulnerability listing
–  (This is faked but you hopefully get the idea)
Program Benchmark Reporting
•  How does your software security organization stack up?
–  Look at publicly-shared data from WhiteHat and Veracode
•  Compare your progress
–  Percentage of vulnerabilities fixed
–  Time to fix different vulnerability types
–  Age of remaining vulnerabilities
ThreadFix: Reporting Examples
•  Can be done at multiple levels:
–  Enterprise-wide
–  Team
–  Individual application
•  Reports for:
–  Vulnerability count trending
–  Progress – vulnerability resolution and timelines
–  Scanner effectiveness
–  Frequency of scanning across the portfolio
•  We have already looked at scanner benchmark reports
ThreadFix: Reporting: Trending
•  Shows trending over time
•  Data series:
–  Total vulnerabilities
–  New vulnerabilities
–  Resurfaced vulnerabilities
ThreadFix: Reporting: Point-in-Time
•  Shows current state of vulnerabilities
•  Pie chart!
–  Critical
–  High
–  Medium
–  Low
ThreadFix: Reporting: Vulnerability Progress
•  Shows progress resolving vulnerabilities
•  Data series by vulnerability type:
–  Vulnerability count
–  Percentage fixed
–  Average age to close
–  Average age of remaining
•  Use to benchmark your organization against publicly-available data
–  WhiteHat Security – Website Security Statistics Report https://www.whitehatsec.com/resource/stats.html
–  Veracode – State of Software Security Report http://www.veracode.com/reports
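How the progress figures on this slide are derived from raw findings, as an added example (not code from the course or from ThreadFix): it computes per-type vulnerability count, percentage fixed, average days to close and average age of the still-open findings from a CSV export, so the same numbers can be produced from any tracker and set beside the WhiteHat and Veracode figures. The CSV layout (type,opened,closed with ISO dates; an empty closed field means still open), the "as of" date and the sample rows are constructed.

```shell
#!/bin/sh
# Added example (not from the course or ThreadFix): vulnerability-progress
# metrics per vulnerability type from a CSV of findings.
# Constructed input layout: type,opened,closed (YYYY-MM-DD; empty closed = still open).

SAMPLE_CSV='type,opened,closed
SQL Injection,2013-01-10,2013-01-25
SQL Injection,2013-02-01,
Cross-Site Scripting,2013-01-05,2013-01-15
Cross-Site Scripting,2013-01-20,2013-02-19
Cross-Site Scripting,2013-02-10,'

# Reads the CSV on stdin; $1 is the "as of" date used to age open findings.
# Prints: type,count,pct_fixed,avg_days_to_close,avg_age_of_open (sorted by type).
vuln_progress() {
  awk -F, -v asof="$1" '
    # Gregorian date -> day number (Julian Day Number), so dates subtract cleanly.
    function days(d,   p, y, m, dd, a, yy, mm) {
      split(d, p, "-"); y = p[1] + 0; m = p[2] + 0; dd = p[3] + 0
      a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
      return dd + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
    }
    NR == 1 { next }                      # skip the header row
    {
      t = $1; n[t]++
      if ($3 != "") { fixed[t]++; close_days[t] += days($3) - days($2) }
      else          { open[t]++;  open_days[t]  += days(asof) - days($2) }
    }
    END {
      for (t in n) {
        pct       = 100 * fixed[t] / n[t]
        avg_close = fixed[t] ? close_days[t] / fixed[t] : 0
        avg_open  = open[t]  ? open_days[t]  / open[t]  : 0
        printf "%s,%d,%.1f,%.1f,%.1f\n", t, n[t], pct, avg_close, avg_open
      }
    }' | sort
}

# Demonstration on the constructed data when run directly.
if [ "${RUN_PROGRESS_DEMO:-0}" = 1 ]; then
  printf '%s\n' "$SAMPLE_CSV" | vuln_progress 2013-03-01
fi
```

On the constructed rows the script reports SQL Injection as 2 findings, 50% fixed, 15 days to close and 28 days open, and Cross-Site Scripting as 3 findings, 66.7% fixed, 20 days to close and 19 days open; age of the remaining findings is what grows silently when a team only tracks counts, which is why the slide lists it alongside percentage fixed.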
ThreadFix: Reporting: Monthly
•  Shows trending on a per-month basis
–  Similar to trending report
•  Data series:
–  Total vulnerabilities
–  New vulnerabilities
–  Resurfaced vulnerabilities
ThreadFix: Reporting: Portfolio Tracking
•  Shows consistency of scanning across the portfolio
•  Broken down by criticality of the application
Recap
•  A software security program is more than a tool or set of tools
–  But tools help provide automation and facilitate scale
•  OpenSAMM is a maturity model that can be used as a framework for building and advancing software security programs
•  Open source tools exist to support many key activities in a software security program
Conclusions / Questions
Dan Cornell
dan@denimgroup.com
Twitter: @danielcornell
www.denimgroup.com
www.denimgroup.com/threadfix
code.google.com/p/threadfix
(210) 572-4400

An Updated Take: Threat Modeling for IoT SystemsDenim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Denim Group
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingDenim Group
 

Mehr von Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless Computing
 

Kürzlich hochgeladen

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Kürzlich hochgeladen (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

Running a Software Security Program with Open Source Tools (Course)

  • 1. Running a Software Security Program on Open Source Tools
    © Copyright 2013 Denim Group - All Rights Reserved
    Dan Cornell, CTO, Denim Group, @danielcornell
  • 2. My Background
    •  Dan Cornell, founder and CTO of Denim Group
    •  Software developer by background (Java, .NET, etc)
    •  OWASP San Antonio
  • 3. Denim Group Background
    •  Secure software services and products company
      –  Builds secure software
      –  Helps organizations assess and mitigate risk of in-house developed and third party software
      –  Provides classroom training and e-Learning so clients can build software securely
    •  Software-centric view of application security
      –  Application security experts are practicing developers
      –  Development pedigree translates to rapport with development managers
      –  Business impact: shorter time-to-fix application vulnerabilities
    •  Culture of application security innovation and contribution
      –  Develops open source tools to help clients mature their software security programs
        •  Remediation Resource Center, ThreadFix
      –  OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI
      –  World class alliance partners accelerate innovation to solve client problems
  • 4. Course Abstract
    Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachni, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.
  • 5. Agenda
    •  So You Want To Roll Out a Software Security Program?
    •  Software Assurance Maturity Model (OpenSAMM)
    •  Components Of Your Software Security Program
      –  Governance
      –  Construction
      –  Verification
      –  Deployment
    •  Conclusions / Questions
  • 6. So You Want To Roll Out a Software Security Program?
    •  Great!
    •  What a software security program ISN’T
      –  Question: “What are you doing to address software security concerns?”
      –  Answer: “We bought scanner XYZ”
    •  What a software security program IS
      –  People, process, tools (naturally)
      –  Set of activities intended to repeatedly produce appropriately-secure software
  • 7. Challenges Rolling Out Software Security Programs
    •  Resources
      –  Raw budget and cost issues
      –  Level of effort issues
    •  Resistance: requires organizational change
      –  Apparently people hate this
    •  Open source tools
      –  Can help with raw budget issues
      –  May exacerbate problems with level of effort
    •  View the rollout as a multi-stage process
      –  Not one magical effort
      –  Use short-term successes and gains to fuel further change
  • 8. Let’s Create the Class Virtual Machine
    •  Get VirtualBox if you do not already have it
      –  https://www.virtualbox.org/
    •  Get the Ubuntu image if you do not already have it
      –  http://www.ubuntu.com/
      –  ubuntu-13.10-desktop-i386.iso
    •  Run VirtualBox
    •  Click “New”
  • 9. Creating the VM
    •  Name:
      –  Whatever
      –  I called mine “OWASP_Course”
    •  Type: Linux
    •  Version: Ubuntu
    •  Memory Size:
      –  I used 4096 MB
      –  More is better. If you use less you might have issues
    •  Hard Drive:
      –  Create a virtual hard drive now
  • 10. Creating the VM
    •  Hard Drive File Type
      –  Whatever
      –  I used “VDI (VirtualBox Disk Image)”
    •  Storage on Physical Hard Drive
      –  Whatever
      –  I used “Dynamically allocated”
    •  File Location and Size:
      –  I used “OWASP_Course”
      –  I used 16 GB. More is better. (Default 8 GB is NOT enough)
  • 11. Install the OS
    •  Click “Start”
    •  Select the Ubuntu ISO image
    •  Select “Install Ubuntu”
    •  Click “Download updates while installing”
    •  Select “Erase disk and install Ubuntu”
  • 12. Install the OS
    •  Set your location and keyboard type
    •  Enter user info
    •  Wait
    •  Reboot
    •  Congratulations!
    •  (Do yourself a favor and put a terminal icon on the launcher)
  • 13. Software Assurance Maturity Model (OpenSAMM)
    •  Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
    •  Useful for:
      –  Evaluating an organization’s existing software security practices
      –  Building a balanced software security program in well-defined iterations
      –  Demonstrating concrete improvements to a security assurance program
      –  Defining and measuring security-related activities within an organization
    •  Main website:
      –  http://www.opensamm.org/
  • 14. Using OpenSAMM You Can…
    •  Evaluate an organization’s existing software security practices
    •  Build a balanced software security assurance program in well-defined iterations
    •  Demonstrate concrete improvements to a security assurance program
    •  Define and measure security-related activities throughout an organization
    [This slide content © Pravir Chandra]
  • 15. Review of Existing Secure SDLC Efforts
    [This slide content © Pravir Chandra]
  • 16. CLASP
    •  Comprehensive, Lightweight Application Security Process
      –  Centered around 7 AppSec Best Practices
      –  Cover the entire software lifecycle (not just development)
    •  Adaptable to any development process
      –  Defines roles across the SDLC
      –  24 role-based process components
      –  Start small and dial-in to your needs
    [This slide content © Pravir Chandra]
  • 17. Microsoft SDL
    •  Built internally for MS software
    •  Extended and made public for others
    •  MS-only versions since public release
    [This slide content © Pravir Chandra]
  • 18. Touchpoints
    •  Gary McGraw’s and Cigital’s model
    [This slide content © Pravir Chandra]
  • 19. Lessons Learned
    •  Microsoft SDL
      –  Heavyweight, good for large ISVs
    •  Touchpoints
      –  High-level, not enough details to execute against
    •  CLASP
      –  Large collection of activities, but no priority ordering
    •  ALL: Good for experts to use as a guide, but hard for non-security folks to use off the shelf
    [This slide content © Pravir Chandra]
  • 20. Drivers for a Maturity Model
    •  An organization’s behavior changes slowly over time
      –  Changes must be iterative while working toward long-term goals
    •  There is no single recipe that works for all organizations
      –  A solution must enable risk-based choices tailored to the organization
    •  Guidance related to security activities must be prescriptive
      –  A solution must provide enough details for non-security people
    •  Overall, must be simple, well-defined, and measurable
    [This slide content © Pravir Chandra]
  • 21. Therefore, a Viable Model Must...
    •  Define building blocks for an assurance program
      –  Delineate all functions within an organization that could be improved over time
    •  Define how building blocks should be combined
      –  Make creating change in iterations a no-brainer
    •  Define details for each building block clearly
      –  Clarify the security-relevant parts in a widely applicable way (for any org doing software dev)
    [This slide content © Pravir Chandra]
  • 22. Understanding the Model
    [This slide content © Pravir Chandra]
  • 23. SAMM Business Functions
    •  Start with the core activities tied to any organization performing software development
    •  Named generically, but should resonate with any developer or manager
    [This slide content © Pravir Chandra]
  • 24. SAMM Security Practices
    •  From each of the Business Functions, 3 Security Practices are defined
    •  The Security Practices cover all areas relevant to software security assurance
    •  Each one is a silo for improvement
    [This slide content © Pravir Chandra]
  • 25. Under Each Security Practice
    •  Three successive Objectives under each Practice define how it can be improved over time
      –  This establishes a notion of a Level at which an organization fulfills a given Practice
    •  The three Levels for a Practice generally correspond to:
      –  (0: Implicit starting point with the Practice unfulfilled)
      –  1: Initial understanding and ad hoc provision of the Practice
      –  2: Increase efficiency and/or effectiveness of the Practice
      –  3: Comprehensive mastery of the Practice at scale
    [This slide content © Pravir Chandra]
  • 26. Check Out This One...
    [This slide content © Pravir Chandra]
  • 27. Per Level, SAMM Defines...
    •  Objective
    •  Activities
    •  Results
    •  Success Metrics
    •  Costs
    •  Personnel
    •  Related Levels
    [This slide content © Pravir Chandra]
  • 28. Approach to Iterative Improvement
    •  Since the twelve Practices are each a maturity area, the successive Objectives represent the building blocks for any assurance program
    •  Simply put, improve an assurance program in phases by:
      1. Select security Practices to improve in next phase of assurance program
      2. Achieve the next Objective in each Practice by performing the corresponding Activities at the specified Success Metrics
    [This slide content © Pravir Chandra]
  • 29. Applying the Model
    [This slide content © Pravir Chandra]
  • 30. Conducting Assessments
    •  SAMM includes assessment worksheets for each Security Practice
    [This slide content © Pravir Chandra]
  • 31. Assessment Process
    •  Supports both lightweight and detailed assessments
    •  Organizations may fall in between levels (+)
    [This slide content © Pravir Chandra]
  • 32. Creating Scorecards
    •  Gap analysis
      –  Capturing scores from detailed assessments versus expected performance levels
    •  Demonstrating improvement
      –  Capturing scores from before and after an iteration of assurance program build-out
    •  Ongoing measurement
      –  Capturing scores over consistent time frames for an assurance program that is already in place
    [This slide content © Pravir Chandra]
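The Level structure of slides 25 and 31 (Levels 0 to 3 per Practice, with a "+" when an organization sits between two Levels) and the scorecard uses of slide 32 (gap analysis against expected levels, before/after comparison across an iteration) can be made concrete in a few lines of code. The following is an added example written for this page, not an OpenSAMM project artifact or the course's own material. The twelve Practice names are those of SAMM 1.0; the three score tables are constructed sample data, and the rule that a "+" counts as half a Level when computing a gap is an assumption of this example, not something the model prescribes.

```python
"""Added example: a SAMM-style scorecard with gap analysis.

Illustrative code for this page, not an OpenSAMM project artifact. It models
the structure the slides describe: 4 Business Functions with 3 Security
Practices each, every Practice assessed at a Level 0-3, and a "+" when an
organization sits between two Levels. Practice names are the SAMM 1.0 names;
every score below is constructed sample data, not a real assessment.
"""
from dataclasses import dataclass

# SAMM 1.0 Business Functions, each with its three Security Practices.
PRACTICES = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements", "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment": ["Vulnerability Management", "Environment Hardening", "Operational Enablement"],
}
ALL_PRACTICES = [p for ps in PRACTICES.values() for p in ps]


@dataclass(frozen=True)
class Score:
    level: int             # highest Objective fully achieved, 0..3
    partial: bool = False  # "+": some Activities of the next Level are already done

    def __post_init__(self):
        if not 0 <= self.level <= 3:
            raise ValueError(f"level must be 0..3, got {self.level}")
        if self.level == 3 and self.partial:
            raise ValueError("Level 3 is the top; there is no 3+")

    @property
    def numeric(self) -> float:
        # Assumption of this example: a "+" is worth half a Level for gap arithmetic.
        return self.level + (0.5 if self.partial else 0.0)

    def __str__(self) -> str:
        return f"{self.level}{'+' if self.partial else ''}"


def parse_score(text: str) -> Score:
    """Parse a worksheet entry such as '1' or '2+'."""
    text = text.strip()
    return Score(int(text.rstrip("+")), partial=text.endswith("+"))


def load_scorecard(raw: dict) -> dict:
    """Parse a {practice: '2+'} mapping and require exactly the twelve Practices."""
    missing, unknown = set(ALL_PRACTICES) - set(raw), set(raw) - set(ALL_PRACTICES)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    return {p: parse_score(raw[p]) for p in ALL_PRACTICES}


def gap_analysis(actual: dict, target: dict) -> dict:
    """Levels still to gain, per Practice, for Practices below the expected level."""
    return {p: target[p].numeric - actual[p].numeric
            for p in ALL_PRACTICES if actual[p].numeric < target[p].numeric}


def next_phase(actual: dict, target: dict, max_practices: int = 3) -> list:
    """Practices to select for the next iteration: largest gap first, model order as tiebreak."""
    gaps = gap_analysis(actual, target)
    return sorted(gaps, key=lambda p: (-gaps[p], ALL_PRACTICES.index(p)))[:max_practices]


def improvement(before: dict, after: dict) -> dict:
    """Practices whose score rose between two assessments, as (before, after) worksheet text."""
    return {p: (str(before[p]), str(after[p]))
            for p in ALL_PRACTICES if after[p].numeric > before[p].numeric}


# Constructed sample data: a first assessment, the roadmap target for phase 1,
# and a re-assessment after that phase.
ASSESSMENT_Q1 = load_scorecard({
    "Strategy & Metrics": "1", "Policy & Compliance": "0+", "Education & Guidance": "1",
    "Threat Assessment": "0", "Security Requirements": "1", "Secure Architecture": "0+",
    "Design Review": "0", "Code Review": "1+", "Security Testing": "1",
    "Vulnerability Management": "1", "Environment Hardening": "0", "Operational Enablement": "0",
})
TARGET_PHASE_1 = load_scorecard({
    "Strategy & Metrics": "2", "Policy & Compliance": "1", "Education & Guidance": "2",
    "Threat Assessment": "1", "Security Requirements": "1", "Secure Architecture": "1",
    "Design Review": "1", "Code Review": "2", "Security Testing": "2",
    "Vulnerability Management": "2", "Environment Hardening": "1", "Operational Enablement": "1",
})
ASSESSMENT_Q2 = load_scorecard({
    "Strategy & Metrics": "2", "Policy & Compliance": "0+", "Education & Guidance": "1+",
    "Threat Assessment": "1", "Security Requirements": "1", "Secure Architecture": "0+",
    "Design Review": "0", "Code Review": "1+", "Security Testing": "1",
    "Vulnerability Management": "1", "Environment Hardening": "0", "Operational Enablement": "0",
})

if __name__ == "__main__":
    print("gaps:", gap_analysis(ASSESSMENT_Q1, TARGET_PHASE_1))
    print("next phase:", next_phase(ASSESSMENT_Q1, TARGET_PHASE_1))
    print("improved:", improvement(ASSESSMENT_Q1, ASSESSMENT_Q2))
```

`next_phase` is the "select security Practices to improve in the next phase" step of slide 28 reduced to a sort; `improvement` is the before/after comparison of slide 32. Both work on the parsed `Score` objects, so a worksheet entry like `3+` is rejected at load time rather than silently skewing the gap numbers.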
  • 33. Roadmap Templates
    •  To make the building blocks usable, SAMM defines Roadmap templates for typical kinds of organizations
      –  Independent Software Vendors
      –  Online Service Providers
      –  Financial Services Organizations
      –  Government Organizations
    •  Organization types chosen because
      –  They represent common use-cases
      –  Each organization has variations in typical software-induced risk
      –  Optimal creation of an assurance program is different for each
    [This slide content © Pravir Chandra]
  • 34. Building Assurance Programs
    [This slide content © Pravir Chandra]
  • 35. Case Studies
    •  A full walkthrough with prose explanations of decision-making as an organization improves
    •  Each Phase described in detail
      –  Organizational constraints
      –  Build/buy choices
    •  One case study exists today, several more in progress using industry partners
    [This slide content © Pravir Chandra]
  • 36. Exploring the Model’s Levels and Activities
    [This slide content © Pravir Chandra]
  • 37. The SAMM 1.0 release
    [This slide content © Pravir Chandra]
  • 38. SAMM and the Real World
    [This slide content © Pravir Chandra]
  • 39. SAMM History
    •  Beta released August 2008
      –  1.0 released March 2009
    •  Originally funded by Fortify
      –  Still actively involved and using this model
    •  Released under a Creative Commons Attribution Share-Alike license
    •  Donated to OWASP and is currently an OWASP project
    [This slide content © Pravir Chandra]
  • 40. Expert Contributions
    •  Built based on collected experiences with 100s of organizations
      –  Including security experts, developers, architects, development managers, IT managers
    [This slide content © Pravir Chandra]
  • 41. Industry Support
    •  Several more case studies underway
    [This slide content © Pravir Chandra]
  • 42. The OpenSAMM Project
    •  http://www.opensamm.org
    •  Dedicated to defining, improving, and testing the SAMM framework
    •  Always vendor-neutral, but lots of industry participation
      –  Open and community driven
    •  Targeting new releases every 6-12 months
    •  Change management process
      –  SAMM Enhancement Proposals (SEP)
    [This slide content © Pravir Chandra]
  • 43. © Copyright 2013 Denim Group - All Rights Reserved OpenSAMM Resources •  Nick Coblentz - SAMM Assessment Interview Template (xls/ googledoc) •  Christian Frichot - SAMM Assessment Spreadsheet (xls) •  Colin Watson - Roadmap Chart Template (xls) •  Jim Weiler - MS Project Plan Template (mpp) •  Denim Group – ThreadFix (web application) [This slide content © Pravir Chandra]
  • 44. © Copyright 2013 Denim Group - All Rights Reserved Quick Recap on Using SAMM •  Evaluate an organization s existing software security practices •  Build a balanced software security assurance program in well- defined iterations •  Demonstrate concrete improvements to a security assurance program •  Define and measure security-related activities throughout an organization [This slide content © Pravir Chandra]
• 45. Discussion: Tools •  Commercial tools in use? •  Free / open source tools in use? •  What tool implementations have been successful? •  What tool implementations have been less successful? •  Why? •  What is your interest in using open source tools for software security?
• 46. Why Use Free / Open Source Tools? •  They're FREE! –  No per-user license fees •  Can be customized –  Don't like the way a feature works – improve it! •  Community support –  Not a tremendous amount of public resources for commercial tools
• 47. Potential Disadvantages of Free Tools •  Often less mature than commercial analogs –  Application and software security are new when compared to other disciplines –  Open source tools lag in a number of areas •  Task-focused rather than program-focused –  Geared toward testing a single application rather than a portfolio of applications
• 48. Discussion: Organizational Concerns •  Does your organization allow the use of open source tools? •  What restrictions are placed on the use of free / open source tools? –  Only certain licenses allowed –  Each tool / library must have a sponsor
• 49. Open Source Tool Usage – Best Practices •  Reach out to the project lead / development community –  How responsive are they? –  Good to have a relationship for escalating issues •  Consider commercial support –  If available –  When it makes sense •  Give back –  Installation instructions for your platform(s) –  Other documentation opportunities –  Code updates – if possible / desirable
• 50. ThreadFix - Overview •  ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems •  Freely available under the Mozilla Public License (MPL) •  Hosted at Google Code: http://code.google.com/p/threadfix/
• 51. ThreadFix - Installation •  2.0M1 available as a ZIP archive –  Including ThreadFix, Apache Tomcat and an HSQL database –  Designed for easy installation –  Limited performance and capacity •  1.2 available as a pre-installed Linux VM –  Including ThreadFix, Apache Tomcat and a MySQL database –  Can also be custom-installed
• 52. ThreadFix - Installation •  Pre-requisites (for your xubuntu VM) –  Java 1.7 JRE installed via: •  sudo apt-get install openjdk-7-jre •  java -version •  Instructions (from ~/Desktop/WorkingDir): –  Unzip ThreadFix •  unzip ~/Downloads/ThreadFix_2_0M1.zip –  Make threadfix.sh executable •  cd ThreadFix •  chmod u+x threadfix.sh –  Set the JAVA_HOME environment variable •  export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-i386 (on a 64-bit VM the directory is java-7-openjdk-amd64) –  Run ThreadFix •  ./threadfix.sh start –  Open ThreadFix via browser •  Navigate to https://localhost:8443/threadfix (you will have to confirm the HTTPS exception for the self-signed certificate)
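The same installation as a script, added here as an example and not part of the Denim Group deck or the ThreadFix project. It derives JAVA_HOME from the java binary on PATH instead of hard-coding the 32-bit path from the slide, and polls the login page before declaring success. It assumes the ZIP location and working directory from the slide, a Debian/Ubuntu-style /usr/bin/java alternatives symlink, and that unzip and curl are installed.

```shell
#!/bin/sh
# Added example, not part of the Denim Group deck: automates the ThreadFix
# 2.0M1 steps above, deriving JAVA_HOME instead of hard-coding the i386 path.
# Assumes the ZIP location from the slide, a /usr/bin/java symlink chain as on
# Debian/Ubuntu, and unzip and curl on the PATH.

# Turn a resolved java binary path into the directory threadfix.sh/Tomcat
# expect as JAVA_HOME (the directory whose bin/java is the real binary).
java_home_from_binary() {
    case $1 in
        */bin/java) printf '%s\n' "${1%/bin/java}" ;;
        *) echo "not a java binary path: $1" >&2; return 1 ;;
    esac
}

# Follow /usr/bin/java -> /etc/alternatives/java -> /usr/lib/jvm/.../bin/java.
detect_java_home() {
    bin=$(command -v java) || { echo "java not on PATH" >&2; return 1; }
    java_home_from_binary "$(readlink -f "$bin")"
}

# Poll a URL until it answers; -k because ThreadFix ships a self-signed cert.
wait_for_https() {
    url=$1; tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        curl -k -s -o /dev/null "$url" && return 0
        tries=$((tries - 1)); sleep 2
    done
    echo "no answer from $url" >&2
    return 1
}

install_threadfix() {
    workdir=${1:-"$HOME/Desktop/WorkingDir"}
    zip=${2:-"$HOME/Downloads/ThreadFix_2_0M1.zip"}
    mkdir -p "$workdir" && cd "$workdir" || return 1
    unzip -q -o "$zip" || return 1
    chmod u+x ThreadFix/threadfix.sh
    JAVA_HOME=$(detect_java_home) || return 1
    export JAVA_HOME
    echo "JAVA_HOME=$JAVA_HOME"
    (cd ThreadFix && ./threadfix.sh start) || return 1
    wait_for_https https://localhost:8443/threadfix || return 1
    echo "ThreadFix is up at https://localhost:8443/threadfix (login: user / password)"
}

# Run the install when executed as a script; sourcing only defines the functions.
if [ "$(basename "$0")" = "install_threadfix.sh" ]; then
    install_threadfix "$@"
fi
```

Save it as install_threadfix.sh and run it, or source it to reuse detect_java_home for the other Java-based tools in the course. JAVA_HOME ends up pointing at the JRE directory (for example /usr/lib/jvm/java-7-openjdk-amd64/jre), which is where bin/java actually lives when only the JRE package is installed.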
• 53. ThreadFix – Usage (The Basics) •  Create a Team –  Login with credentials “user” and “password” –  Click the “Get started” link –  Create a Team called “My Team” •  Create an Application –  Click “Add Application” –  Create an Application called “My Application” –  Use URL http://www.myapp.com/ and criticality “Low” –  Don't worry about “Defect Tracker” or “WAF” right now •  Upload a Scan for the Application –  Click “Upload Scan” –  Upload file WorkingDir/ThreadFix/test-scans/w3af-demo-site.xml
• 54. OpenSAMM: Governance •  Strategy and Metrics •  Policy and Compliance •  Education and Guidance
• 55. Governance: Strategy and Metrics •  Overall strategic direction of the assurance program •  How are processes instrumented? •  How are measurements taken?
• 56. ThreadFix: Reporting •  Can be done at multiple levels: –  Enterprise-wide –  Team –  Individual application •  Reports for: –  Vulnerability count trending –  Progress – vulnerability resolution and timelines –  Scanner effectiveness –  Frequency of scanning across the portfolio •  Will revisit ThreadFix reporting later in the course for examples
• 57. Governance: Policy and Compliance •  What compliance regimes are your organizations and applications subject to? –  PCI –  HIPAA –  SOX •  What policies will you put in place to meet these obligations?
• 58. Governance: Education and Guidance •  Software security requires the input of a variety of stakeholders •  Software security is a relatively new area of study –  Many of the involved parties (e.g. software developers) have never been exposed to it •  You cannot hold people responsible if they have not been properly trained
• 59. Governance: Education and Guidance •  Variety of potential consumers –  Executives / Management –  Developers –  Quality Assurance (QA) –  Security Testers •  Need for information at several levels –  Introduction / overview –  Topic-specific –  Technology-specific •  Several ways to deliver guidance and training –  Self-serve portal –  Instructor-led training –  E-Learning
• 60. OWASP Development Guide •  Provides guidance to developers on how to build secure applications •  Attempts to cover broad topics with some technology-specific examples •  Several translations: English, Spanish, Japanese •  Originally released in 2001, revised in 2005 –  Somewhat dated •  Currently undergoing a significant rewrite •  Main site: https://www.owasp.org/index.php/OWASP_Guide_Project
• 61. OWASP Cheat Sheets •  Provide targeted, consumable guidance on specific topics or technologies –  Authentication –  Transport layer protection –  Input validation –  Session management –  And so on… •  Tend to be “fresher” than the related sections in the Development Guide –  Also easier to hand to developers for use •  Main site: https://www.owasp.org/index.php/Cheat_Sheets
• 62. OWASP Secure Coding Practices Quick Reference Guide •  Technology-agnostic set of general software security coding practices •  Consumable –  ~17 pages long –  Checklist format •  Main site: https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
• 63. OWASP Secure Coding Practices Quick Reference Guide •  Covered topics: –  Input validation –  Output encoding –  Authentication and password management –  Session management –  Access control –  Cryptographic practices –  Error handling and logging –  Data protection –  Communication security –  Database security –  File management –  Memory management –  General coding practices
• 64. OWASP WebGoat - Overview •  Deliberately insecure JEE web application •  Presented as a series of lessons –  SQL injection –  Cross-site Scripting (XSS) –  Cross-site Request Forgery (CSRF) –  Hidden form manipulation –  And so on… •  Main site: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• 65. OWASP WebGoat - Installation •  Available as a self-contained ZIP archive –  WebGoat, Apache Tomcat •  Instructions (from ~/Desktop/WorkingDir): –  Unzip WebGoat •  unzip ~/Downloads/WebGoat-5.4-OWASP_Standard_Win32.zip –  Make webgoat.sh executable •  cd WebGoat-5.4/ •  chmod u+x webgoat.sh –  Make one tiny little cheating change in webgoat.sh •  Delete lines 20 and 24 to short-circuit the JVM version checking –  Run WebGoat •  ./webgoat.sh start8080 •  Could also run “./webgoat.sh start80” to start on port 80 (binding a port below 1024 requires root) –  Navigate to http://localhost:8080/WebGoat/attack (case matters)
• 66. OWASP WebGoat - Usage •  WebGoat consists of different “lessons” to be passed –  Each demonstrates a vulnerability or some other aspect of web application security •  Hints – Show hints about how to solve the lesson •  Show Params – Toggle rendering request parameters in the page •  Show Cookies – Toggle rendering request cookies in the page •  Lesson Plan – Explain the purpose of the lesson •  Show Java – Show the Java source code of the lesson in a window •  Solution – Show the solution to the lesson in a window
• 67. WebGoat - Example •  Navigate to General -> Http Basics •  Click on: –  Hints –  Show Params –  Show Cookies –  Lesson Plan –  Show Java –  Solution •  Enter your name in the field and click “Go!” •  Navigate to Admin Functions -> Report Card –  Shows lessons completed, hints used
• 68. wavsep - Overview •  Web Application Vulnerability Scanner Evaluation Project (wavsep) •  “A vulnerable web application designed to help assessing the features, quality and accuracy of web application vulnerability scanners. This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners” •  Used for many benchmarks •  Check out http://sectooladdict.blogspot.co.il/2012/07/2012-web-application-scanner-benchmark.html •  Main site: http://code.google.com/p/wavsep/
• 69. wavsep - Installation •  Install MySQL (wavsep uses it as its database) –  sudo apt-get install mysql-server •  Install wavsep –  unzip wavsep-v1.2-war-linux.zip –  Copy wavsep.war into the WebGoat-5.4/tomcat/webapps/ directory (Tomcat deploys it) –  Complete the installer at http://localhost:8080/wavsep/wavsep-install/install.jsp
• 70. wavsep - Usage •  Navigate your browser to http://localhost:8080/wavsep/ •  Run scanners against the various subdirectories / URLs –  There are no actual links to /wavsep/index-active.jsp and /wavsep/index-passive.jsp, so a crawler will never find them –  You will need to let the scanners know they are there (seed them with those URLs)
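The WebGoat and wavsep steps above as one script, added as an example and not part of the deck or of either project. It applies the "delete lines 20 and 24" change with sed after echoing the lines so you can confirm they are the JVM check, drops wavsep.war into WebGoat's Tomcat, and writes a seed-URL file for the two unlinked wavsep index pages so a scanner can be pointed at them. It assumes the archive names and ~/Desktop/WorkingDir from the slides, GNU sed (for -i), and that MySQL has already been installed for wavsep.

```shell
#!/bin/sh
# Added example, not part of the Denim Group deck: deploys WebGoat 5.4 and
# wavsep 1.2 into the same Tomcat as on the slides and produces a seed list
# for scanners. Assumes the slide's archive names, ~/Desktop/WorkingDir,
# GNU sed, and an already-installed MySQL for wavsep.

# The deck's "cheating change": remove lines 20 and 24 of webgoat.sh (the JVM
# version check). Both addresses refer to the original numbering because sed
# evaluates them in a single pass; the lines are echoed first so you can
# confirm they are the check before they go.
patch_webgoat_script() {
    script=$1
    echo "removing from $script:" >&2
    sed -n '20p;24p' "$script" >&2
    sed -i '20d;24d' "$script"
}

# wavsep's test-case indexes are not linked from /wavsep/, so a crawler never
# reaches them; emit one URL per line for seeding a scanner (ZAP, w3af,
# Arachni all accept a starting URL list).
wavsep_seed_urls() {
    base=${1:-http://localhost:8080}
    for path in /wavsep/ /wavsep/index-active.jsp /wavsep/index-passive.jsp; do
        printf '%s%s\n' "$base" "$path"
    done
}

deploy_webgoat_wavsep() {
    workdir=${1:-"$HOME/Desktop/WorkingDir"}
    mkdir -p "$workdir" && cd "$workdir" || return 1
    unzip -q -o "$HOME/Downloads/WebGoat-5.4-OWASP_Standard_Win32.zip" || return 1
    chmod u+x WebGoat-5.4/webgoat.sh
    patch_webgoat_script WebGoat-5.4/webgoat.sh
    unzip -q -o "$HOME/Downloads/wavsep-v1.2-war-linux.zip" || return 1
    war=$(find . -name wavsep.war | head -n 1)
    [ -n "$war" ] || { echo "wavsep.war not found after unzip" >&2; return 1; }
    cp "$war" WebGoat-5.4/tomcat/webapps/
    (cd WebGoat-5.4 && ./webgoat.sh start8080) || return 1
    wavsep_seed_urls > wavsep-seeds.txt
    echo "WebGoat:          http://localhost:8080/WebGoat/attack"
    echo "wavsep installer: http://localhost:8080/wavsep/wavsep-install/install.jsp"
    echo "scanner seeds:    $workdir/wavsep-seeds.txt"
}

# Run when executed as a script; sourcing only defines the functions.
if [ "$(basename "$0")" = "deploy_webgoat_wavsep.sh" ]; then
    deploy_webgoat_wavsep "$@"
fi
```

Run the wavsep installer page once after Tomcat is up, then feed wavsep-seeds.txt to the scanner as its starting URLs; a scan that is only given http://localhost:8080/wavsep/ will report almost nothing, which says more about the seeding than about the scanner.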
• 71. OpenSAMM: Construction •  Threat Assessment •  Security Requirements •  Secure Architecture
• 72. Construction: Threat Assessment •  Identify and characterize potential attacks •  These will determine investment level and required countermeasures •  WHO do you need to be worried about? –  Nation-states –  Chaotic actors –  Organized crime –  And so on…
• 73. Construction: Security Requirements •  Up-front determination of the required security properties of the system •  Drive future activities
• 74. Construction: Secure Architecture •  Use the design process to: –  Build in security controls –  Avoid injecting security issues •  Threat modeling •  Architectural risk analysis
• 75. ESAPI - Overview •  Enterprise Security API (ESAPI) •  Open source web application security control library •  Several languages available: JavaEE, .NET, PHP, Classic ASP, etc –  WIDE variation in maturity and support –  Stick to Java unless you are very brave (and even then) •  Main site: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
• 76. ESAPI – Installation (Java) •  Instructions (from ~/Desktop/WorkingDir): –  Create a container directory and relocate there •  mkdir ESAPI •  cd ESAPI –  Unpack •  tar xzvf ~/Downloads/esapi-2.0.1-dist.tar.gz –  To use in a project, copy the ESAPI JAR and its supporting JARs into your lib/ directory •  You might not need servlet-api-2.4.jar if your project already contains those classes –  Set up the ESAPI.properties file •  Logging configuration •  Encryption master keys •  See documentation/esapi4java-core-2.0-install-guide.pdf –  Use in specific build systems and development environments –  Step-by-step instructions
• 77. Exercise: Fixing XSS Vulnerabilities with ESAPI •  To use: –  Follow the installation guide –  Must create a folder (.esapi) to store your configuration and preferences •  Get access to the library: –  Add all the support JARs (31) to your project –  Remove repeated JARs –  Add esapi-2.0_rc10.jar to your project –  In a JSP: <%@ page import="org.owasp.esapi.ESAPI, org.owasp.esapi.Encoder" %> •  Make calls to encode tainted data, choosing the method that matches the output context: –  ESAPI.encoder().encodeForHTML() for data written into the HTML body –  ESAPI.encoder().encodeForHTMLAttribute() for data written into an attribute value
• 78. ESAPI – Possible Challenges (Java) •  ESAPI Java has a LOT of dependencies (~30 JARs) •  Can cause configuration management and licensing issues for some organizations •  Potential versioning issues
• 79. Microsoft Web Protection Library - Overview •  Set of .NET assemblies which help protect web applications •  AntiXSS encoding library –  Encoding functions for HTML, HTML attributes, XML, etc •  HTML sanitization routines (for “safely” accepting rich content) •  Security Runtime Engine (SRE) –  Provides runtime protection against SQL injection and Cross-Site Scripting (XSS) •  Sites: –  http://wpl.codeplex.com/ –  https://www.microsoft.com/en-us/download/details.aspx?id=28589
• 80. Microsoft Web Protection Library - Cautions •  A security vulnerability was identified in the 4.0 release •  There have been complaints about the HTML sanitization in the 4.2.1 release being broken with little follow-up from Microsoft •  Older (WPL 4.0) binaries should be available from http://ajaxcontroltoolkit.codeplex.com/releases/view/76976
• 81. Microsoft Web Protection Library - Installation •  Run the MSI installer •  To use: –  Import a reference to AntiXSS.dll (optionally include HtmlSanitizationLibrary.dll) •  Found in C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.0 –  Get access to the library: •  In code: –  using Microsoft.Security.Application; •  In an ASPX page: –  <%@ Import Namespace="Microsoft.Security.Application" %> –  Make calls to encode tainted data: •  AntiXss.HtmlEncode() •  AntiXss.HtmlAttributeEncode() •  And so on…
• 82. OpenSAMM: Verification •  Design Review •  Code Review •  Security Testing
• 83. Application Security Assessments •  The challenges and goals of an assessment •  What an assessment must accomplish •  The assessment approach –  Identification –  Baseline Review and Testing –  Threat Identification –  Targeted Review and Testing –  Reporting
• 84. The Challenges and Goals of Software Assessments •  Identify the application's vulnerabilities and the risks they entail •  Provide the greatest value for the time spent •  Provide application owners with detailed vulnerability reports and remediation recommendations –  Provide actionable reports to the application team
• 85. How Assessors can Support Those Goals •  Strategic Message –  The assessments must be conducted efficiently, with the majority of the time spent on performing the assessments. This will increase the coverage of the assessments and the depth and quality of the product delivered to the application owners. Scheduling and preparation of assessments should be conducted in an almost production-line approach. •  Testing must... –  Be integral to the development team's own ongoing efforts –  Cover the “breadth” and “depth” of the functionality –  Reflect experience with the technology and business •  Reporting must… –  Clearly communicate risk, both business and technical –  Allow trouble-free integration with the business's strategic assets –  Guide and justify remediation efforts
• 86. The Output of an Assessment Engagement Should… •  Summarize vulnerability discoveries and known risk •  Provide adequate detail about discovered vulnerabilities –  Where in the application behavior or code the vulnerability resides –  The implied security risk –  Any mitigating factors for exploitation •  Requires high-level credentials to exploit •  Requires social engineering to exploit •  etc. •  Rate the vulnerabilities to help prioritize remediation –  DREAD works well for this as it accounts for damage potential, reproducibility, affected users, etc. •  Provide remediation criteria and recommended approaches
• 87. The General Assessment Approach •  Identification –  Help identify which applications have the highest priority to assess •  Preparation –  Obtain requisite code and/or access •  Threat Modeling –  Data flow, functional security, abuse cases •  Baseline Review and Testing –  Account for risks inherent to the technology and common features –  Commercial scanning tools with manual auditing •  Targeted Testing –  Account for identified threats, data flow, abuse cases –  Follow up on suspect behavior from the baseline review and testing •  Reporting –  Rate vulnerabilities –  Provide remediation recommendations
• 88. Verification: Design Review •  Incorporate security into the review of architecture/design materials •  Were the previous assurance activities successful?
• 89. Microsoft Threat Analysis and Modeling Tool - Overview •  Create threat models for your applications •  Identify potential issues •  Plan for mitigations •  Requires Visio 2007 or 2010 •  Main site: http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx
• 90. Microsoft Threat Analysis and Modeling Tool - Installation •  Run ThreatModelingToolSetup318.msi •  Software should be installed to C:\Program Files\Microsoft\SDL Threat Modeling Tool
• 91. Microsoft Threat Analysis and Modeling Tool - Example •  Create a Threat Model for a mobile application
• 92. Approaches for Identifying Threats •  Use Cases for Business –  Useful for identifying flaws with specific application features •  Data Flow for Architecture –  What threats can we identify looking at the application's data flow? –  The whole system's data stores, services, processes, etc. –  The interaction among those components •  Functional Security –  Here are the security features. How could an attacker defeat them? •  Attacker's Goals for Threat Trees –  If you are an attacker, what would you want to accomplish? –  How would you go about achieving the malicious goal? –  Useful for identifying any erroneous security assumptions •  No one approach is perfect – these are essentially brainstorming techniques
• 93. Mapping Threats to Data Flow Asset Types (STRIDE per element: which threat categories apply to each kind of data-flow-diagram element)

Threat Type                  External Interactor  Process  Data Flow  Data Store
S - Spoofing                 Yes                  Yes      -          -
T - Tampering                -                    Yes      Yes        Yes
R - Repudiation              Yes                  Yes      -          Yes
I - Information Disclosure   -                    Yes      Yes        Yes
D - Denial of Service        -                    Yes      Yes        Yes
E - Elevation of Privilege   -                    Yes      -          -
• 94. Typical Mobile Threats •  Spoofing: Users to the Mobile Application •  Spoofing: Web Services to Mobile Application •  Tampering: Mobile Application •  Tampering: Device Data Stores •  Disclosure: Device Data Stores or Residual Data •  Disclosure: Mobile Application to Web Service •  Denial of Service: Mobile Application •  Elevation of Privilege: Mobile Application or Web Services [Data flow diagram: User, Local App Storage, Mobile Application, Mobile Web Services, Device Keychain, Main Site Pages]
• 95. Spoofing: Users to the Mobile Application •  Borrowed Device •  Stolen Device •  Other Malicious Application [Data flow diagram: Attacker, Local App Storage, Mobile Application, Device Keychain]
• 96. Spoofing: Attacker to Mobile Web Services •  Attacks against Mobile Web Services [Data flow diagram: User, Mobile Application, Mobile Web Services, Attacker]
• 97. Spoofing: Web Services to Mobile Application •  Borrowed Device •  Other Malicious Application [Data flow diagram: User, Mobile Application, Mobile Web Services, Malicious Host]
• 98. Tampering: Mobile Application •  Borrowed/Stolen Device •  Other Malicious Application [Data flow diagram: User, Local App Storage, Tampered Application, Device Keychain]
• 99. Disclosure: Device Data Stores or Residual Data •  Borrowed/Stolen Device •  Malicious Application Functionality •  Other Malicious Application •  Attacks from Mobile Web Services [Data flow diagram: User, Local SQLite Storage, Mobile Application, Device Keychain]
• 100. Disclosure: Mobile Application to Web Service •  Attacks from Local Network •  Other Malicious Application [Data flow diagram: User, Mobile Application, Mobile Web Services, Attacker]
• 101. Other Data-Flow Threats •  Denial of Service •  Elevation of Privilege [Data flow diagrams: User, Local App Storage, Mobile Application, Device Keychain; USAA Member, Local App Storage, Mobile Application, Device Keychain, Attacker]
• 102. Verification: Code Review •  Review software artifacts “at rest” •  Can be both automated and manual •  Reach and frequency –  How much of your software is subject to review? –  How thorough is the analysis? –  How often is it performed?
• 103. Static Analysis •  Source Code Scanning •  Manual Code Reviews •  Advantages –  Identifies flaws during integration, when it is easier to address issues –  Developers can identify flaws in their own code before checking it in –  Many projects already have a code review process in place •  Disadvantages –  Freeware tools often do not address security well (specifically dataflow analysis) –  Licensed tools are a significant investment –  Manual review can be unstructured and time-consuming without licensed tools –  Not ideal for discovering logical vulnerabilities
• 104. Static Analysis Tools •  Commercial Tools –  Fortify (now HP) –  Ounce (now IBM Rational) –  Checkmarx –  Veracode (SaaS) •  Freeware Tools –  RATS/Flawfinder - C/C++, Python, PHP –  FindBugs - Java –  PMD - Java –  FxCop - .NET –  Brakeman - Ruby on Rails
• 105. FindBugs - Overview •  Freely-available static analysis tool for Java that analyzes compiled bytecode (classes, JARs, WARs) rather than source •  Main site: http://findbugs.sourceforge.net/
• 106. FindBugs - Installation •  Instructions (from ~/Desktop/WorkingDir): –  Unpack the distribution •  tar xzvf ~/Downloads/findbugs-2.0.3-rc1.tar.gz •  Should unpack into findbugs-2.0.3-rc1/ •  Can also install as an Eclipse plugin: –  Plugin update site: http://findbugs.cs.umd.edu/eclipse
• 107. FindBugs – Usage (GUI) •  Run the FindBugs GUI –  bin/fb gui •  Create a new project –  File -> New Project –  Enter project name “WebGoat” –  Enter classpath for analysis “~/Desktop/WorkingDir/WebGoat-5.4/tomcat/webapps/WebGoat.war” –  Use remaining defaults and run the analysis •  Notice the error messages but ignore them for now and look through the results
• 108. FindBugs – Usage (GUI) •  But can we get rid of those error messages? They are missing-class warnings: FindBugs cannot resolve types that WebGoat's classes reference but that live in other JARs •  Reconfigure the project –  File -> Reconfigure –  Add supporting JARs •  JARs in tomcat/bin/ •  JARs in tomcat/lib/ •  JARs in tomcat/webapps/WebGoat/WEB-INF/lib –  CAN'T JUST SELECT THE DIRECTORIES – MUST SELECT ALL THE JARS •  Re-run the analysis
• 109. FindBugs – Usage (GUI) •  The reporting seems to be lacking details. Can we link to the source? •  Install subversion –  sudo apt-get install subversion •  Download the appropriate source code –  svn checkout http://webgoat.googlecode.com/svn/tags/webgoat-5.4 webgoat-src •  Reconfigure the project –  File -> Reconfigure –  Add source directory •  ~/WorkingDir/WebGoat-5.4/webgoat-src/src/main/java (adjust to wherever you ran the checkout) •  Now you should be able to see the WebGoat source files •  Save the results as a FindBugs Project (fbp) file –  bin/ directory –  FBP files can be sensitive to relative paths if moved
• 110. FindBugs – Usage Notes •  So what did we learn about FindBugs? –  FindBugs has to know about the binaries it is supposed to analyze –  FindBugs gives us better results if we include supporting libraries –  FindBugs gives us better reporting if we include source code •  These lessons translate to most static analysis tools (commercial and open source)
• 111. FindBugs – What Has It Told Us? •  There are lots of results –  But not all of them have to do with security •  There is a Security top-level category –  Some good stuff in here (if perhaps a little noisy) •  What else might we want to look at? –  Correctness –  Bad practice –  Malicious code vulnerability –  Multithreaded correctness –  Performance
• 112. FindBugs – Usage (Command Line) •  Hopefully you saved a .fbp file via the GUI… •  bin/fb analyze -project <projectname> –  Runs the same FindBugs analysis we did before but prints the results to stdout •  bin/fb analyze -project <projectname> -xml:withMessages -output <outputfile> –  Runs the same FindBugs analysis we did before but stores results with human-readable descriptions in the indicated XML file •  Documentation for command-line switches: http://findbugs.sourceforge.net/manual/running.html#commandLineOptions
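The GUI session from the preceding slides as a repeatable command line, added as an example and not part of the deck or of the FindBugs project. It assembles the auxiliary classpath from every JAR in tomcat/bin, tomcat/lib and WEB-INF/lib (the CLI, like the GUI, wants the JARs themselves, not the directories), points FindBugs at the checked-out source, writes XML with messages, and then counts the SECURITY and MALICIOUS_CODE categories so the numbers can be tracked run over run or fed into ThreadFix. Paths follow the slides; FINDBUGS_HOME defaults to the unpacked findbugs-2.0.3-rc1/ directory, and the category names are the ones FindBugs writes into the category attribute of each BugInstance.

```shell
#!/bin/sh
# Added example, not part of the Denim Group deck: the FindBugs WebGoat run
# as a script. Assumes the slides' paths, FindBugs 2.0.3-rc1 unpacked under
# ~/Desktop/WorkingDir (override with FINDBUGS_HOME), and an exploded
# tomcat/webapps/WebGoat/ directory (Tomcat creates it on first start).

# Join every *.jar under the given directories into a ':'-separated list.
# Directories without JARs (or that do not exist) contribute nothing.
build_classpath() {
    classpath=""
    for dir in "$@"; do
        for jar in "$dir"/*.jar; do
            [ -f "$jar" ] || continue
            classpath="${classpath:+$classpath:}$jar"
        done
    done
    printf '%s\n' "$classpath"
}

# Count <BugInstance> elements of one category (SECURITY, MALICIOUS_CODE,
# CORRECTNESS, ...) in FindBugs XML output. Attribute order varies, so the
# match is anywhere inside the start tag; no matches yields 0.
count_category() {
    xml=$1; category=$2
    grep -o "<BugInstance [^>]*category=\"$category\"" "$xml" | wc -l | tr -d ' '
}

run_findbugs() {
    webgoat=${1:-"$HOME/Desktop/WorkingDir/WebGoat-5.4"}
    src=${2:-"$HOME/Desktop/WorkingDir/webgoat-src/src/main/java"}
    out=${3:-webgoat-findbugs.xml}
    fb=${FINDBUGS_HOME:-"$HOME/Desktop/WorkingDir/findbugs-2.0.3-rc1"}
    aux=$(build_classpath "$webgoat/tomcat/bin" "$webgoat/tomcat/lib" \
                          "$webgoat/tomcat/webapps/WebGoat/WEB-INF/lib")
    # -low reports low-priority findings as well; drop it to match the GUI default.
    "$fb/bin/findbugs" -textui -low \
        -auxclasspath "$aux" -sourcepath "$src" \
        -xml:withMessages -output "$out" \
        "$webgoat/tomcat/webapps/WebGoat.war" || return 1
    echo "SECURITY:       $(count_category "$out" SECURITY)"
    echo "MALICIOUS_CODE: $(count_category "$out" MALICIOUS_CODE)"
    echo "report:         $out"
}

# Run when executed as a script; sourcing only defines the functions.
if [ "$(basename "$0")" = "run_findbugs.sh" ]; then
    run_findbugs "$@"
fi
```

Re-run it after each WebGoat build and diff the counts; an increase in the SECURITY category is the kind of signal worth wiring into a build, and the XML file is what gets uploaded to ThreadFix for the portfolio view.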
  • 113. © Copyright 2013 Denim Group - All Rights Reserved FxCop - Overview •  Free static analysis tool from Microsoft •  Integrated into Visual Studio •  Similar capabilities to FindBugs (but for .NET) •  Blog: http://blogs.msdn.com/b/codeanalysis/ 112
  • 114. CAT.NET - Overview
    •  Free static analysis tool from Microsoft
    •  Does dataflow analysis (rare among the free tools)
    •  Version 1: http://www.microsoft.com/en-us/download/details.aspx?id=19968
    •  Version 2: http://blogs.msdn.com/b/securitytools/archive/2010/02/04/cat-net-2-0-beta.aspx
    •  Dinis Cruz has done some interesting work with CAT.NET and O2
      –  https://www.owasp.org/index.php/OWASP_O2_Platform/Microsoft/CAT.NET
    •  Plans for future development are not clear
  • 115. Brakeman - Overview
    •  Security scanner for Ruby on Rails applications
    •  Static analysis
    •  Finds things like SQL injection and XSS
      –  Also checks for certain CVE-type vulnerabilities
    •  Main site: http://brakemanscanner.org/
  • 116. Brakeman - Installation
    •  Install prerequisites:
      –  sudo apt-get install ruby1.8
      –  sudo apt-get install rubygems
    •  Install scanner:
      –  sudo gem install brakeman
    •  Usage:
      –  brakeman <path-of-rails-site>
      –  brakeman -o <output-file> <path-of-rails-site>
  • 117. Brakeman - Using
    •  Try some test sites
    •  But first install git:
      –  sudo apt-get install git
    •  Sites to try:
      –  RailsGoat
        •  http://railsgoat.cktricky.com/
        •  git clone https://github.com/OWASP/railsgoat.git
      –  Hacme Casino
        •  git clone git://github.com/spinkham/Hacme-Casino
  • 118. Agnitio - Overview
    •  Tool for supporting manual code reviews
    •  Set of checklists to verify security controls
    •  Some grep-like search capabilities
    •  Main site: http://sourceforge.net/projects/agnitiotool/
  • 119. DependencyCheck – Overview
    •  Checks for out-of-date JAR libraries with known CWE issues
    •  Looks beyond JAR hashes
    •  We used it to find a vulnerable library used by ThreadFix
      –  Apache POI library
      –  http://web.nvd.nist.gov/view/vuln/search-results?cpe=cpe%3A%2Fa%3Aapache%3Apoi%3A3.7&page_num=0&cid=1
    •  Main site: https://github.com/jeremylong/DependencyCheck
  • 120. DependencyCheck - Installation
    •  Install dependencies:
      –  sudo apt-get install git (should have already done this)
      –  sudo apt-get update
      –  sudo apt-get install maven (we need Maven 3)
      –  sudo apt-get install openjdk-7-jdk (need a JDK – previously we only installed a JRE)
    •  Download code:
      –  git clone git://github.com/jeremylong/DependencyCheck.git
    •  Build:
      –  cd DependencyCheck
      –  mvn package
  • 121. DependencyCheck – Example
    •  Running DependencyCheck
      –  java -jar dependency-check-1.0.5-SNAPSHOT.jar -a WebGoat -out . -s <path-to-JARs>
      –  The first time it runs it needs to download NVD data from NIST, which can take a while
      –  Will attempt to check for new NVD data
    •  Run against
      –  ThreadFix
      –  WebGoat
      –  OLAT
      –  Other Java-based applications
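The point of "looks beyond JAR hashes" is that a dependency checker has to identify what a library actually is (artifact and version) and compare versions properly, since a renamed or rebuilt JAR has a different hash. The following is an added illustration in Python, not DependencyCheck's own (Java) code: it derives artifact and version from JAR file names, compares versions numerically rather than as strings, and matches against a constructed table of affected version ranges. The "known issue" entries, product names and fixed versions are placeholders, not NVD records; the real tool gathers evidence from manifests and pom files and matches CPEs against the NVD feed it downloads.

```python
"""Added example (not DependencyCheck's own code): identify third-party JARs by
artifact name and version rather than by file hash, then match them against a
constructed table of affected version ranges."""
import re

# Constructed "known issue" table: (vendor, product, first_fixed_version, description).
# Placeholder entries for illustration only, not real NVD records.
KNOWN_ISSUES = [
    ("apache", "poi", "3.8", "PLACEHOLDER-ADVISORY-A: issue fixed in 3.8"),
    ("example", "oldlib", "2.0.1", "PLACEHOLDER-ADVISORY-B: issue fixed in 2.0.1"),
]

# artifact-version.jar, e.g. poi-3.7.jar or commons-lang-2.6.jar
JAR_NAME = re.compile(
    r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d+(?:\.\d+)*(?:[-.]\w+)?)\.jar$"
)


def version_key(version):
    """Split '3.10.1' into comparable parts so that 3.10 sorts after 3.8.
    Numeric parts compare as ints; a trailing qualifier such as 'beta' is kept
    as text (pre-release ordering is simplified here)."""
    parts = []
    for piece in re.split(r"[.-]", version):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def identify(jar_filename):
    """Return (artifact, version) parsed from the file name, or None if it does not fit."""
    match = JAR_NAME.match(jar_filename)
    if not match:
        return None
    return match.group("artifact"), match.group("version")


def is_affected(version, first_fixed):
    """A library is affected when its version is older than the first fixed release."""
    return version_key(version) < version_key(first_fixed)


def check_jars(jar_filenames, issues=KNOWN_ISSUES):
    """Scan a list of JAR file names; return (file, identity, description) findings.
    Files whose name cannot be parsed are reported as UNIDENTIFIED so they are
    not silently skipped (a hash-only check would miss renamed or rebuilt JARs)."""
    findings = []
    for name in jar_filenames:
        ident = identify(name)
        if ident is None:
            findings.append((name, "UNIDENTIFIED", None))
            continue
        artifact, version = ident
        for vendor, product, first_fixed, description in issues:
            if artifact == product and is_affected(version, first_fixed):
                findings.append((name, f"{vendor}:{product}:{version}", description))
    return findings


if __name__ == "__main__":
    # Constructed sample lib/ directory listing
    sample = ["poi-3.7.jar", "poi-3.10.jar", "commons-lang-2.6.jar", "renamed.jar"]
    for finding in check_jars(sample):
        print(finding)
```

The version comparison is the part worth copying: a plain string comparison would rank 3.10 below 3.8 and report a current library as vulnerable. The UNIDENTIFIED result is deliberate; a library the checker cannot name is a gap in coverage and should be reviewed by hand rather than dropped from the report.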
  • 122. Verification: Security Testing
    •  Runtime testing for security vulnerabilities
    •  Web applications: automated scanners, web proxies
    •  Other applications: fuzzing, protocol analysis
  • 123. Dynamic Analysis
    •  Integrate abuse cases into unit and automated testing
    •  Use application scanning tools
    •  Perform a dedicated penetration test by security staff or a 3rd party
    •  Advantages
      –  Generally more time-efficient than manual code review
      –  Good for discovering logical vulnerabilities
    •  Disadvantages
      –  Requires fully functional features to test
      –  Security staff may not have application security training or experience
      –  Scanning tools may have difficulty with unusual applications
  • 124. Dynamic Analysis Tools
    •  Automated Tools
      –  IBM Rational AppScan
      –  HP WebInspect
      –  Acunetix Vulnerability Scanner
      –  Netsparker
    •  Manual Testing
      –  Zed Attack Proxy
      –  Burp
      –  Google RatProxy
      –  Browser plugins
      –  Testing Scripts – Watir
      –  Load and Performance testing tools – JMeter, Grinder
  • 125. Arachni - Overview
    •  Open source automated web application scanner
    •  Written in Ruby
    •  Can be deployed in a “grid” format for faster scanning
    •  Uses several different types of analysis to identify vulnerabilities
      –  Fuzzing
      –  Taint analysis
      –  Time analysis
    •  Main site: http://arachni-scanner.com/
  • 126. Arachni – Installation
    •  Unpack:
      –  tar xzvf arachni-0.4.5.2-0.4.2.1-linux-i686.tar.gz
    •  Usage:
      –  arachni -h
      –  arachni http://site-to-test.com/
      –  arachni -fv http://site-to-test.com/ --report=html:outfile=my_report.html
  • 127. w3af - Overview
    •  Open source automated web application scanner
    •  Written in Python
    •  Main site: http://w3af.sourceforge.net/
  • 128. w3af - Installation
    •  Recommended *NIX install:
      –  git clone https://github.com/andresriancho/w3af.git
      –  cd w3af
      –  ./w3af_gui
    •  Now fix the dependencies:
      –  apt-get install python-setuptools python-pip graphviz python2.7-dev libsqlite3-dev libxslt1-dev python-gtksourceview2 libxml2-dev python-pip
      –  Still need some Python stuff
      –  apt-get install libssl-dev (otherwise one of the dependency compiles will fail)
      –  /tmp/w3af_dependency_install.sh (make it executable and run it with sudo) (great security practice, by the way…)
  • 129. OWASP ZAProxy - Overview
    •  Open source web proxy and web application scanner
    •  Supports both manual and automated assessment
    •  Fork of Paros Proxy
    •  Exposes RESTful API
    •  Main site: http://code.google.com/p/zaproxy/
  • 130. OWASP ZAProxy - Installation
    •  Unpack
      –  tar xzvf ZAP_2.2.2_Linux.tar.gz
    •  Run
      –  zap.sh
  • 131. OWASP ZAProxy – Usage
    •  Change your browser to point to ZAP’s proxy
      –  ZAP defaults to using 8080, which might conflict with local Tomcat installs
      –  Change proxy port via Tools -> Options -> Local proxy
    •  Spider
    •  Passive Scanner
    •  Active Scanner
  • 132. Skipfish - Overview
    •  Fast web application scanner written in C
    •  Maintained by Google
    •  Does a lot of file/directory guessing by default
    •  Main site:
      –  https://code.google.com/p/skipfish/
  • 133. Skipfish – Installation and Usage
    •  Installation
      –  tar xzvf ~/Downloads/skipfish-2.10b.tgz
    •  Handle dependencies:
      –  sudo apt-get install libpcre3-dev
      –  sudo apt-get install libidn11-dev
    •  Build:
      –  make
    •  Run:
      –  touch new_dict.wl
      –  ./skipfish -o output_dir -S existing_dictionary.wl -W new_dict.wl http://www.example.com/some/starting_path.txt
  • 134. Which Open Source Scanner Is Best?
    •  What Do You Want?
      –  Coverage
      –  Low False Positives
      –  Low False Negatives
  • 135. Scanner Coverage
    •  You can’t test what you can’t see
    •  How effective is the scanner’s crawler?
    •  How are URLs mapped to functionality?
      –  RESTful
      –  Parameters
    •  Possible issues:
      –  Login routines
      –  Multi-step processes
      –  Anti-CSRF protection
  • 136. Are You Getting a Good Scan?
    Large financial firm: “Our 500 page website is secure because the scanner did not find any vulnerabilities!”
    Me: “Did you teach the scanner to log in so that it can see more than just the homepage?”
    Large financial firm: “…”
  • 137. Can Your Scanner Do This?
    •  Two-step login procedure:
      –  Enter username / password (pretty standard)
      –  Enter answer to one of several arbitrary questions
    •  Challenge was that the parameter indicating the question was dynamic
      –  Question_1, Question_2, Question_3, and so on
      –  Makes standard login recording ineffective
  • 138. It All Started With A Simple Blog Post…
    •  Ran into an application with a complicated login procedure
    •  Wrote blog post about the toolchain used to solve the problem
      –  http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated-logins-with-appscan-and-burp-suite.html
    •  Other scanner teams responded:
      –  IBM Rational AppScan
        •  http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated-logins-with-appscan-only.html
      –  HP WebInspect
        •  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-hp-webinspect.html
      –  Mavituna Security Netsparker
        •  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-mavituna-netsparker.html
      –  NTObjectives NTOSpider
        •  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-ntospider.html
  • 139. Scanner Authentication Scenario Examples
    •  Built as a response to the previously-mentioned blog conversation
    •  Example implementations of different login routines
      –  How can different scanners be configured to successfully scan?
    •  GitHub site:
      –  https://github.com/denimgroup/authexamples
  • 140. Did I Get a Good Scan?
    •  Scanner training is really important
      –  Read the Larry Suto reports…
    •  Must sanity-check the results of your scans
    •  What URLs were accessed?
      –  If only two URLs were accessed on a 500 page site, you probably have a bad scan
      –  If 5000 URLs were accessed on a five page site, you probably have a bad scan
    •  What vulnerabilities were found and not found?
      –  Scan with no vulnerabilities – probably not a good scan
      –  Scan with excessive vulnerabilities – possibly a lot of false positives
  • 141. Low False Positives
    •  Reports of vulnerabilities that do not actually exist
    •  How “touchy” is the scanner’s testing engine?
    •  Why are they bad?
      –  Take time to manually review and filter out
      –  Can lead to wasted remediation time
  • 142. Low False Negatives
    •  Scanner failing to report vulnerabilities that do exist
    •  How effective is the scanner’s testing engine?
    •  Why are they bad?
      –  You are exposed to risks you do not know about
      –  You expect that the scanner would have found certain classes of vulnerabilities
    •  What vulnerability classes do you think scanners will find?
  • 143. Other Benchmarking Efforts
    •  Larry Suto’s 2007 and 2010 reports
      –  Analyzing the Accuracy and Time Costs of Web Application Security Standards
      –  http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf
      –  Vendor reactions were … varied
      –  [Ofer Shezaf attended this talk at AppSecEU 2012 and had some great questions and comments. See his reactions to the latest Larry Suto scanner report here: http://www.xiom.com/2010/02/09/wafs-are-not-perfect-any-security-tool-perfect ]
    •  Shay Chen’s Blog and Site
      –  http://sectooladdict.blogspot.com/
      –  http://www.sectoolmarket.com/
    •  Web Application Vulnerability Scanner Evaluation Project (wavsep)
      –  http://code.google.com/p/wavsep/
  • 144. So I Should Just Buy the Best Scanner, Right?
    •  Or the cheapest?
    •  Well…
      –  What do you mean by “best”?
    •  Follow-on questions
      –  How well do the scanners work on your organization’s applications?
      –  How many false positives are you willing to deal with?
      –  What depth and breadth of coverage do you need?
  • 145. What is a Unique Vulnerability in ThreadFix?
    •  (CWE, Relative URL)
      –  Predictable resource location
      –  Directory listing misconfiguration
    •  (CWE, Relative URL, Injection Point)
      –  SQL injection
      –  Cross-site Scripting (XSS)
    •  Injection points
      –  Parameters – GET/POST
      –  Cookies
      –  Other headers
  • 146. What Do The Scanner Results Look Like?
    •  Usually XML
      –  Skipfish uses JSON and gets packaged as a ZIP
    •  Scanners have different concepts of what a “vulnerability” is
      –  We normalize to the (CWE, location, [injection point]) noted before
    •  Look at some example files
    •  Several vendors have been really helpful adding additional data to their APIs and file formats to accommodate requests
  • 147. Why Common Weakness Enumeration (CWE)?
    •  Every tool has its own “spin” on naming vulnerabilities
    •  OWASP Top 10 / WASC 24 are helpful but not comprehensive
    •  CWE is exhaustive (though a bit sprawling at times)
    •  Reasonably well-adopted standard
    •  Many tools have mappings to CWE for their results
    •  Main site: http://cwe.mitre.org/
  • 148. Scanner Benchmarking in ThreadFix
    •  Upload multiple scans
    •  Mark false positives
    •  Run reports
  • 149. Let’s Run Our Own Benchmark
    •  Scan wavsep with:
      –  w3af
      –  OWASP ZAP
      –  Arachni
      –  Skipfish
      –  (We package example files in ThreadFix/test-scans/wavsep)
    •  Upload results to ThreadFix
    •  Run reports on the results
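The normalization step is what makes a multi-scanner benchmark possible: two tools that name the same SQL injection differently, one with absolute URLs and one with paths, must collapse to one (CWE, relative URL, injection point) key before "which scanner found what" means anything. The following is an added Python illustration, not ThreadFix's importer code. The two XML formats, the scanner names "alpha" and "beta", and the vendor-name-to-CWE map are constructed for the example; real scanner files are richer and each channel keeps its own mapping.

```python
"""Added example, not ThreadFix code: normalize findings from two scanners with
different naming into the (CWE, relative URL, injection point) key described on
the slides, then compare scanner coverage the way a benchmark report would."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample output, scanner "alpha": vendor vulnerability names, absolute URLs
ALPHA_XML = """<scan tool="alpha">
  <issue name="SQL Injection" url="http://target.test/app/login.jsp" param="user" />
  <issue name="Cross Site Scripting (reflected)" url="http://target.test/app/search.jsp" param="q" />
  <issue name="Directory Listing" url="http://target.test/app/images/" />
</scan>"""

# Constructed sample output, scanner "beta": different element names, CWE given directly
BETA_XML = """<results scanner="beta">
  <finding cwe="89"><uri>/app/login.jsp</uri><vector>user</vector></finding>
  <finding cwe="79"><uri>/app/search.jsp</uri><vector>q</vector></finding>
  <finding cwe="79"><uri>/app/profile.jsp</uri><vector>name</vector></finding>
</results>"""

# Vendor name -> CWE map for scanner "alpha" (constructed; one such map per channel)
NAME_TO_CWE = {
    "sql injection": 89,
    "cross site scripting (reflected)": 79,
    "directory listing": 548,
}
# CWEs where location alone identifies the vulnerability (no injection point):
# CWE-548 directory listing, CWE-425 forced browsing / predictable resource location
LOCATION_ONLY = {548, 425}


def normalize(cwe, url, param):
    """Build the unique-vulnerability key: drop scheme/host, keep the path,
    and keep the injection point only for classes where it matters."""
    path = urlsplit(url).path or "/"
    if cwe in LOCATION_ONLY:
        return (cwe, path)
    return (cwe, path, param)


def parse_alpha(text):
    """Importer for the constructed 'alpha' format (names mapped through NAME_TO_CWE)."""
    keys = set()
    for issue in ET.fromstring(text).iter("issue"):
        cwe = NAME_TO_CWE[issue.get("name").lower()]  # unmapped names: extend the channel map
        keys.add(normalize(cwe, issue.get("url"), issue.get("param")))
    return keys


def parse_beta(text):
    """Importer for the constructed 'beta' format (CWE supplied by the tool)."""
    keys = set()
    for finding in ET.fromstring(text).iter("finding"):
        cwe = int(finding.get("cwe"))
        keys.add(normalize(cwe, finding.findtext("uri"), finding.findtext("vector")))
    return keys


def benchmark(results):
    """results: {scanner_name: set of keys}. Returns (total unique vulnerabilities,
    {scanner: {found, unique_to_scanner, missed}}) across all uploaded scans."""
    union = set().union(*results.values())
    report = {}
    for name, keys in results.items():
        others = set().union(*(v for k, v in results.items() if k != name))
        report[name] = {
            "found": len(keys),
            "unique_to_scanner": len(keys - others),
            "missed": len(union - keys),
        }
    return len(union), report


if __name__ == "__main__":
    total, report = benchmark({"alpha": parse_alpha(ALPHA_XML), "beta": parse_beta(BETA_XML)})
    print(total, report)
```

The "missed" column is computed against the union of what every scanner found, which is the best available stand-in for ground truth when there is no confirmed vulnerability list; on a test target such as wavsep you would replace the union with the known answer key to measure false negatives properly, and the "unique_to_scanner" findings are the ones to review first for false positives.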
  • 150. Current Limitations
    •  Vulnerability importers are not currently formally vendor-supported
      –  Though a number have helped us test and refine them (thanks!)
      –  After you get a good scan, make sure you also got a good import
    •  Summary report should show data by severity rating
      –  Make it easier to focus on vulnerabilities you probably care more about
      –  But you can look at the data by vulnerability type
  • 151. You Know What Would Make All This Way Easier?
    •  Common data standards for scanning tools!
    •  Current efforts:
      –  MITRE Software Assurance Findings Expression Schema (SAFES)
        •  http://www.mitre.org/work/tech_papers/2012/11_3671/
      –  OWASP Data Exchange Format Project
        •  https://www.owasp.org/index.php/OWASP_Data_Exchange_Format_Project
  • 152. Simple Software Vulnerability Language (SSVL)
    •  Common way to represent static and dynamic scanner findings
    •  Based on our experience building importers for ThreadFix
      –  It “works” for real-world applications because we are essentially using it
    •  Love to hear feedback
      –  Folks have been using the GitHub bug tracker to discuss
    •  Online:
      –  https://github.com/OWASP/SSVL
  • 153. Simple Software Vulnerability Language (SSVL)
  • 154. OpenSAMM: Deployment
    •  Vulnerability Management
    •  Environment Hardening
    •  Operational Enablement
  • 155. Deployment: Vulnerability Management
    •  Process for managing vulnerabilities in both internal and external software
    •  Goal is consistency
    •  Use data from vulnerability handling to improve processes
      –  Decrease number and severity of future vulnerabilities
      –  Decrease time-to-fix
  • 156. Application Vulnerability Management
    •  Application security teams use automated static and dynamic test results as well as manual testing results to assess the security of an application
    •  Each test delivers results in different formats
    •  Different test platforms describe the same flaws differently, creating duplicates
    •  Security teams end up using spreadsheets to keep track manually
    •  As a result, it is extremely difficult to prioritize the severity of flaws
    •  Software development teams receive unmanageable reports and only a small portion of the flaws get fixed
  • 157. The Result
    •  Application vulnerabilities persist in applications:
      –  Average serious vulnerabilities found per website per year is 79 **
      –  Average days a website is exposed to one serious vulnerability is 231 days **
      –  Overall percentage of serious vulnerabilities that are fixed annually is only 63% **
    •  Part of that problem is there is no easy way for the security team and application development teams to work together on these issues
    •  Remediation quickly becomes an overwhelming project
    •  Trending reports that track the number of reduced vulnerabilities are impossible to create
    ** WhiteHat Statistics Report (Summer 2012): https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf
  • 158. Vulnerability Fun Facts:
    •  Average number of serious vulnerabilities found per website per year is 79 **
    •  Serious vulnerabilities were fixed in ~38 days **
    •  Percentage of serious vulnerabilities fixed annually is only 63% **
    •  Average number of days a website is exposed to at least one serious vulnerability is ~231 **
    ** WhiteHat Statistics Report (Summer 2012): https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf
  • 159. Vulnerability Remediation Data
    Vulnerability Type                           Sample Count   Average Fix (minutes)
    Dead Code (unused methods)                   465            2.6
    Poor logging: system output stream           83             2.9
    Poor Error Handling: Empty catch block       180            6.8
    Lack of Authorization check                  61             6.9
    Unsafe threading                             301            8.5
    ASP.NET non-serializable object in session   42             9.3
    XSS (stored)                                 1023           9.6
    Null Dereference                             157            10.2
    Missing Null Check                           46             15.7
    XSS (reflected)                              25             16.2
    Redundant null check                         21             17.1
    SQL injection                                30             97.5
  • 160. Where Is Time Being Spent?
    [Bar chart: share of remediation effort (0% to 70%) for Setup Development Environment, Fix Vulnerabilities, Confirm Fixes / QA, Deploy, and Overhead; the marked series indicates the weighted average versus the average of individual projects]
  • 161. Turning Vulnerabilities Into Software Defects
    •  Security teams talk about “vulnerabilities”
    •  Software developers talk about “defects”
    •  Developers Don’t Speak PDF
      –  http://blog.denimgroup.com/denim_group/2012/11/hey-security-teams-developers-dont-speak-pdf.html
    •  Why should developers manage 90% of their workload in defect trackers
      –  And the magic, special “security” part of their workload … some other way?
    •  ThreadFix lets you slice, dice and bundle vulnerabilities into software defects
      –  And track their remediation status over time to schedule re-scans
  • 162. ThreadFix: Vulnerability Import
    •  A “channel” is a source of vulnerability data for an application
      –  With the 1.2 version users no longer have to manually manage channels
    •  Each import from a channel is “diff’ed” versus the previous scan
      –  When do vulnerabilities appear?
      –  When do vulnerabilities go away?
    •  Can be automated via the RESTful interface to include in the build process, etc.
  • 163. ThreadFix: Defect Tracker Integration
    •  Turn vulnerabilities that security staff care about into software bugs that developers know how to handle
    •  Bundle multiple vulnerabilities into a single defect
    •  How to organize?
      –  By severity
      –  By type
      –  By location in the application
      –  Some combination
    •  When the defect status changes you can schedule re-scans
  • 164. But My Bug Tracker Isn’t Supported!
    •  We are always working on supporting new technologies
      –  Check out the current support list: https://code.google.com/p/threadfix/wiki/DefectTrackers
      –  Submit a bug to the ThreadFix defect tracker: https://code.google.com/p/threadfix/issues/list
    •  You can add new defect trackers as plugins
      –  No changes to the core codebase required
      –  For instructions and sample code check out the wiki article: https://code.google.com/p/threadfix/wiki/CustomDefectTrackerGuide
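The "diff each import against the previous scan" idea on the import slide and the "bundle vulnerabilities into defects" idea on the defect-tracker slide fit together: the diff decides which findings are new, which went away, and which came back, and the bundling decides how the open ones reach developers. The following is an added Python illustration of both, not ThreadFix's code. The three scans, the vulnerability keys (which follow the (CWE, relative path, parameter) convention from the earlier slides) and the CWE-to-severity table are constructed sample data.

```python
"""Added example, not ThreadFix code: track vulnerabilities across successive scan
imports (new / closed / resurfaced), bundle the open ones into defects, and keep
the per-import counts that a trending report plots."""
from collections import defaultdict

# Constructed severity policy by CWE (a real program takes this from the scanner or its own policy)
SEVERITY = {89: "Critical", 79: "High", 548: "Medium", 200: "Low"}


class VulnTracker:
    """Keeps open/closed state per unique vulnerability across imports."""

    def __init__(self):
        self.status = {}      # key -> "open" or "closed"
        self.first_seen = {}  # key -> import number in which it first appeared
        self.history = []     # one record of counts per import, for trending

    def import_scan(self, keys, import_no):
        """Diff this import against the current state. Returns the counts for this import."""
        keys = set(keys)
        new, resurfaced = set(), set()
        for key in keys:
            if key not in self.status:
                new.add(key)
                self.first_seen[key] = import_no
            elif self.status[key] == "closed":
                resurfaced.add(key)  # fixed earlier and back again: regression or reverted fix
            self.status[key] = "open"
        # Anything that was open and did not show up in this scan is treated as closed
        closed = {k for k, s in self.status.items() if s == "open" and k not in keys}
        for key in closed:
            self.status[key] = "closed"
        record = {
            "total": sum(1 for s in self.status.values() if s == "open"),
            "new": len(new),
            "resurfaced": len(resurfaced),
            "closed": len(closed),
        }
        self.history.append(record)
        return record

    def open_vulns(self):
        return [k for k, s in self.status.items() if s == "open"]

    def trend(self, series):
        """Data series for the trending report, e.g. trend('total') -> [3, 2, 3] for run_sample()."""
        return [record[series] for record in self.history]


def bundle_defects(open_keys, by="severity"):
    """Group open vulnerabilities into defects, one per severity or one per CWE type,
    so developers get a handful of tracker tickets instead of a PDF of findings."""
    groups = defaultdict(list)
    for key in open_keys:
        cwe = key[0]
        label = SEVERITY.get(cwe, "Unknown") if by == "severity" else f"CWE-{cwe}"
        groups[label].append(key)
    return {label: sorted(keys) for label, keys in groups.items()}


def run_sample():
    """Three constructed imports for one application; returns (tracker, defects by severity)."""
    sqli = (89, "/app/login.jsp", "user")
    xss_search = (79, "/app/search.jsp", "q")
    listing = (548, "/app/images/")
    xss_profile = (79, "/app/profile.jsp", "name")
    tracker = VulnTracker()
    tracker.import_scan([sqli, xss_search, listing], 1)       # first scan: everything is new
    tracker.import_scan([xss_search, xss_profile], 2)         # sqli and listing fixed, new XSS
    tracker.import_scan([sqli, xss_search, xss_profile], 3)   # sqli resurfaced
    return tracker, bundle_defects(tracker.open_vulns())


if __name__ == "__main__":
    tracker, defects = run_sample()
    print(tracker.history)
    print(defects)
```

One caveat the import slide implies but does not spell out: a vulnerability that is "closed" because it stopped appearing may simply have been missed by a worse scan, which is why the earlier sanity checks on URL coverage matter before trusting a drop in the trend line; the "resurfaced" count is the other half of that story and deserves its own ticket, since it usually means a fix was reverted or never reached production.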
  • 165. Deployment: Environment Hardening
    •  Attackers do not care about applications – attacking infrastructure might be just as effective and valuable for them
    •  Controls for operating environments:
      –  Reduce vulnerabilities in the infrastructure
      –  Enable logging and tracking
  • 166. Microsoft Baseline Security Analyzer (MBSA) - Overview
    •  Runs standard checks on Windows Workstations and Servers
      –  Internet Explorer
      –  IIS
      –  SQL Server
    •  Checks registry and file settings
    •  2.2 Downloads: http://www.microsoft.com/en-us/download/details.aspx?id=7558
  • 167. Microsoft Baseline Security Analyzer (MBSA) – Installation and Use
    •  Install via the .msi
    •  Run scans
      –  Single machine
      –  Network of machines
    •  Review the results
  • 168. Deployment: Operational Enablement
    •  How do you install, configure and run your applications?
      –  Also updates and upgrades
    •  Runtime checks and logging for intrusion detection and incident response
      –  John Dickson has done some work in this area
      –  http://www.slideshare.net/denimgroup/top-strategies-to-capture-security-intelligence-for-applications
  • 169. Continuous Integration and Security Testing
    •  Reduce the time between introducing security defects and knowing about them
    •  Free tools mean that any project can be instrumented
      –  No licensing fees
    •  ThreadFix has a REST-based API and command-line client for scripting
  • 170. Exercise: Script the Scan/Upload Process
    •  Generate a ThreadFix API key
    •  Test the command-line client
    •  Script a web application scan
    •  Include file upload after scanning
  • 171. mod_security - Overview
    •  Open source web application firewall engine
    •  Also has a Core RuleSet (CRS)
    •  Traditionally has been Apache-only
      –  Runs as an Apache module (mod_security)
      –  Recently announced both IIS and Nginx support
    •  Main site: http://www.modsecurity.org/
  • 172. Virtual Patching
    •  Overview
    •  Applicability
    •  Approaches
  • 173. Overview
    •  Create short-term protections by telling IDS/IPS/WAFs where vulnerabilities are located and how to detect attacks
      –  IDS – Intrusion Detection System
      –  IPS – Intrusion Prevention System
      –  WAF – Web Application Firewall
  • 174. Applicability
    •  Most applicable for “technical” vulnerabilities
      –  SQL injection
      –  Cross-Site Scripting
    •  Harder to do for application-specific vulnerabilities
  • 175. Approaches
    •  Tell the sensor where the vulnerability is and what an attack looks like
    •  This rule pattern is useful when you need to protect a known address and a known parameter against a known class of payload.
  • 176. ThreadFix: Virtual Patching
    •  Use vulnerability data from scans (usually dynamic) to create targeted, application-specific WAF rules
    •  ThreadFix supports several IDS/IPS/WAF systems
      –  Snort
      –  mod_security
      –  F5 ASM
      –  Imperva
      –  DenyAll
    •  Can also import sensor logs to map blocked attacks back to the vulnerabilities targeted
  • 177. ThreadFix: Virtual Patching Example
    •  Example Rule Generation:
      –  Create a mod_security WAF
      –  Associate with an application with open vulnerabilities
      –  Generate rules
    •  Example Log Import:
      –  Upload log file
      –  Look at event data in vulnerability listing
      –  (This is faked but you hopefully get the idea)
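The two halves of the virtual patching example above (generate a targeted rule per open vulnerability, then import sensor logs to see which vulnerabilities are being hit) are shown here as an added Python illustration; it is neither ThreadFix's rule generator nor ModSecurity project code. Each rule is a two-rule chain that matches only the known path and then tests only the known parameter, which is what keeps a virtual patch narrower than a generic Core Rule Set signature. The rule id range is an assumption; `@detectSQLi` and `@detectXSS` are real ModSecurity 2.x operators (libinjection-based, available in recent 2.x releases); the log lines are a simplified, constructed stand-in for ModSecurity error-log entries, using documentation IP addresses and a made-up config path.

```python
"""Added example, not ThreadFix or ModSecurity project code: generate targeted
mod_security virtual-patch rules from (CWE, relative path, parameter) records,
then map constructed sensor log lines back to the vulnerability each rule protects."""
import re

RULE_ID_BASE = 900000  # assumption: an id range reserved for generated virtual patches

# Detection operator per CWE. Only "technical" vulnerability classes get a generic
# operator; anything else needs a hand-written, application-specific rule.
OPERATOR = {89: "@detectSQLi", 79: "@detectXSS"}


def make_rule(rule_id, cwe, path, param):
    """Two-rule chain: match the exact vulnerable path, then test only the vulnerable
    parameter. Returns None when no generic operator fits (application-specific issue)."""
    operator = OPERATOR.get(cwe)
    if operator is None or param is None:
        return None
    msg = f"Virtual patch for CWE-{cwe} at {path} parameter {param}"
    first = (
        f'SecRule REQUEST_FILENAME "@streq {path}" '
        f'"id:{rule_id},phase:2,deny,status:403,log,msg:\'{msg}\',chain"'
    )
    second = f'    SecRule ARGS:{param} "{operator}" "t:none,t:urlDecodeUni"'
    return first + "\n" + second


def generate_rules(vulns):
    """vulns: list of (cwe, path, param). Returns (rules text, {rule_id: vuln}).
    The id map is what lets sensor events be tied back to a specific vulnerability."""
    rules, index = [], {}
    for offset, vuln in enumerate(vulns):
        rule_id = RULE_ID_BASE + offset
        text = make_rule(rule_id, *vuln)
        if text is not None:
            rules.append(text)
            index[rule_id] = vuln
    return "\n".join(rules), index


RULE_ID_IN_LOG = re.compile(r'\[id "(\d+)"\]')


def map_log_to_vulns(log_text, index):
    """Count blocked events per vulnerability using the [id "..."] tag on each log line;
    events from rules we did not generate (e.g. the Core Rule Set) are ignored."""
    hits = {}
    for line in log_text.splitlines():
        match = RULE_ID_IN_LOG.search(line)
        if match and int(match.group(1)) in index:
            vuln = index[int(match.group(1))]
            hits[vuln] = hits.get(vuln, 0) + 1
    return hits


# Constructed sample log (documentation IP addresses, simplified ModSecurity error-log format)
SAMPLE_LOG = """[Mon Jun 03 10:00:01 2013] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity/virtual-patches.conf"] [id "900000"] [msg "Virtual patch for CWE-89 at /app/login.jsp parameter user"]
[Mon Jun 03 10:00:07 2013] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity/virtual-patches.conf"] [id "900000"] [msg "Virtual patch for CWE-89 at /app/login.jsp parameter user"]
[Mon Jun 03 10:02:30 2013] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity/virtual-patches.conf"] [id "900001"] [msg "Virtual patch for CWE-79 at /app/search.jsp parameter q"]
[Mon Jun 03 10:03:00 2013] [error] [client 198.51.100.9] ModSecurity: Warning. [file "/etc/modsecurity/crs/some_rule.conf"] [id "123456"] [msg "Unrelated rule, not one of ours"]"""

if __name__ == "__main__":
    text, index = generate_rules([(89, "/app/login.jsp", "user"),
                                  (79, "/app/search.jsp", "q"),
                                  (548, "/app/images/", None)])
    print(text)
    print(map_log_to_vulns(SAMPLE_LOG, index))
```

The directory-listing finding deliberately produces no rule: it is a configuration issue with no request parameter to inspect, which is the "harder to do for application-specific vulnerabilities" point from the Applicability slide. Rules generated this way are a stop-gap while the code is fixed; the event counts from the log import are useful as a prioritization signal for that fix, not as a substitute for it.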
  • 178. Program Benchmark Reporting
    •  How does your software security organization stack up?
      –  Look at publicly-shared data from WhiteHat and Veracode
    •  Compare your progress
      –  Percentage of vulnerabilities fixed
      –  Time to fix different vulnerability types
      –  Age of remaining vulnerabilities
  • 179. ThreadFix: Reporting Examples
    •  Can be done at multiple levels:
      –  Enterprise-wide
      –  Team
      –  Individual application
    •  Reports for:
      –  Vulnerability count trending
      –  Progress – vulnerability resolution and timelines
      –  Scanner effectiveness
      –  Frequency of scanning across the portfolio
    •  We have already looked at scanner benchmark reports
  • 180. ThreadFix: Reporting: Trending
    •  Shows trending over time
    •  Data series:
      –  Total vulnerabilities
      –  New vulnerabilities
      –  Resurfaced vulnerabilities
  • 181. ThreadFix: Reporting: Point-in-Time
    •  Shows current state of vulnerabilities
    •  Pie chart!
      –  Critical
      –  High
      –  Medium
      –  Low
  • 182. ThreadFix: Reporting: Vulnerability Progress
    •  Shows progress resolving vulnerabilities
    •  Data series by vulnerability type:
      –  Vulnerability count
      –  Percentage fixed
      –  Average age to close
      –  Average age of remaining
    •  Use to benchmark your organization against publicly-available data
      –  WhiteHat Security – Website Security Statistics Report: https://www.whitehatsec.com/resource/stats.html
      –  Veracode – State of Software Security Report: http://www.veracode.com/reports
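The progress report's four series (count, percentage fixed, average age to close, average age of what remains open) are straightforward to derive once each vulnerability carries an opened date and, if fixed, a closed date. The following is an added Python illustration, not ThreadFix's reporting code; the vulnerability records and dates are constructed, and the benchmark comparison uses a reference value passed in by the caller (the slides cite WhiteHat's 63% fixed annually as one such figure).

```python
"""Added example, not ThreadFix code: compute the vulnerability-progress series per
vulnerability type from constructed (cwe, opened, closed) records, and compare the
fix rate with a published benchmark figure supplied by the caller."""
from collections import defaultdict
from datetime import date

# Constructed records: (cwe, date opened, date closed or None if still open). Dates are made up.
SAMPLE = [
    (89, date(2013, 1, 10), date(2013, 1, 25)),
    (89, date(2013, 2, 1), None),
    (79, date(2013, 1, 5), date(2013, 1, 15)),
    (79, date(2013, 1, 5), date(2013, 2, 4)),
    (79, date(2013, 3, 1), None),
    (79, date(2013, 3, 11), None),
]


def progress_by_type(records, as_of):
    """Return {cwe: {count, percent_fixed, avg_days_to_close, avg_age_open}}.
    Ages of still-open items are measured up to the as_of date of the report."""
    by_type = defaultdict(list)
    for cwe, opened, closed in records:
        by_type[cwe].append((opened, closed))
    report = {}
    for cwe, items in by_type.items():
        closed_days = [(closed - opened).days for opened, closed in items if closed is not None]
        open_days = [(as_of - opened).days for opened, closed in items if closed is None]
        report[cwe] = {
            "count": len(items),
            "percent_fixed": round(100.0 * len(closed_days) / len(items), 1),
            "avg_days_to_close": round(sum(closed_days) / len(closed_days), 1) if closed_days else None,
            "avg_age_open": round(sum(open_days) / len(open_days), 1) if open_days else None,
        }
    return report


def compare_to_benchmark(report, reference_percent_fixed):
    """Per-type gap between your fix rate and a published figure (negative = behind)."""
    return {cwe: round(row["percent_fixed"] - reference_percent_fixed, 1) for cwe, row in report.items()}


if __name__ == "__main__":
    report = progress_by_type(SAMPLE, date(2013, 3, 31))
    print(report)
    print(compare_to_benchmark(report, 63.0))
```

Keep in mind when comparing against published statistics that the public figures aggregate many organizations' portfolios over a full year, so a per-application or per-quarter slice of your own data will be noisier than the reference; the comparison is most useful as a trend across reporting periods rather than as a single pass/fail number.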
  • 183. ThreadFix: Reporting: Monthly
    •  Shows trending on a per-month basis
      –  Similar to trending report
    •  Data series:
      –  Total vulnerabilities
      –  New vulnerabilities
      –  Resurfaced vulnerabilities
  • 184. ThreadFix: Reporting: Portfolio Tracking
    •  Shows consistency of scanning across the portfolio
    •  Broken down by criticality of the application
  • 185. Recap
    •  A software security program is more than a tool or set of tools
      –  But tools help provide automation and facilitate scale
    •  OpenSAMM is a maturity model that can be used as a framework for building and advancing software security programs
    •  Open source tools exist to support many key activities in a software security program
  • 186. Conclusions / Questions
    Dan Cornell
    dan@denimgroup.com
    Twitter: @danielcornell
    www.denimgroup.com
    www.denimgroup.com/threadfix
    code.google.com/p/threadfix
    (210) 572-4400