nullcon goa 2010 tracking the progress of an sdl program - cassio goldschmidt
TRANSCRIPT
Who am I? Cassio Goldschmidt
Sr. Manager, Product Security – Symantec
Education: MBA, USC
MS Software Engineering, SCU
BSCS, PUCRS
CSSLP, (ISC)2
When I’m not in the office…
Volleyball (Indoor, Beach)
Coding… for way too long!
Gym…
Common Weakness Enumeration: What is it?
A common language for describing software security weaknesses
Maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS).
Hierarchical: Each individual CWE represents a single vulnerability type
Deeper levels of the tree provide a finer granularity
Higher levels provide a broad overview of a vulnerability
What data is available for each CWE?
Weakness description
Applicable platforms and programming languages
Common Consequences
Likelihood of Exploit
Coding Examples
Potential Mitigations
Related Attacks
Time of Introduction
Taxonomy Mapping
Link to CWE Page on XSS
How useful is this information?
Pie chart showing the frequency of CWEs found in penetration tests
Common Vulnerability Scoring System BASE Vector

Exploitability metrics
  Access Vector:      Network | Adjacent Network | Local | Undefined
  Access Complexity:  High | Medium | Low | Undefined
  Authentication:     None | Single Instance | Mult. Instances | Undefined

Impact metrics
  Confidentiality:    None | Partial | Complete | Undefined
  Integrity:          None | Partial | Complete | Undefined
  Availability:       None | Partial | Complete | Undefined

Sample Score: 7.5
Sample Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Every CVSS score should be accompanied by the corresponding vector
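As an added example (not part of the talk), a CVSS v2 base-score calculator that parses a vector string and applies the v2 base equations; it reproduces the two scores shown on these slides, and the function names are mine.

```cpp
#include <cmath>
#include <map>
#include <stdexcept>
#include <string>
// Parse a CVSS v2 base vector like "(AV:N/AC:L/Au:N/C:P/I:P/A:P)" into metric -> value.
static std::map<std::string, char> parseCvss2Vector(std::string s) {
    if (!s.empty() && s.front() == '(') s.erase(0, 1);   // parentheses are optional
    if (!s.empty() && s.back() == ')') s.pop_back();
    std::map<std::string, char> metrics;
    for (size_t start = 0; start <= s.size();) {
        size_t end = s.find('/', start);
        if (end == std::string::npos) end = s.size();
        std::string part = s.substr(start, end - start);
        size_t colon = part.find(':');
        if (colon == std::string::npos || colon + 2 != part.size())
            throw std::invalid_argument("malformed metric: " + part);
        metrics[part.substr(0, colon)] = part[colon + 1];
        start = end + 1;
    }
    return metrics;
}

// Weights from the CVSS v2 specification (base metrics only).
static double metricWeight(const std::string& name, char v) {
    static const std::map<std::string, std::map<char, double>> table = {
        {"AV", {{'L', 0.395}, {'A', 0.646}, {'N', 1.0}}},
        {"AC", {{'H', 0.35}, {'M', 0.61}, {'L', 0.71}}},
        {"Au", {{'M', 0.45}, {'S', 0.56}, {'N', 0.704}}},
        {"C", {{'N', 0.0}, {'P', 0.275}, {'C', 0.660}}},
        {"I", {{'N', 0.0}, {'P', 0.275}, {'C', 0.660}}},
        {"A", {{'N', 0.0}, {'P', 0.275}, {'C', 0.660}}}};
    auto m = table.find(name);
    if (m == table.end() || !m->second.count(v))
        throw std::invalid_argument("unknown metric/value: " + name + ':' + v);
    return m->second.at(v);
}

// Base score = ((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact), rounded to 1 decimal.
double cvss2BaseScore(const std::string& vec) {
    auto m = parseCvss2Vector(vec);
    auto w = [&](const std::string& k) {
        if (!m.count(k)) throw std::invalid_argument("missing metric " + k);
        return metricWeight(k, m.at(k));
    };
    double impact = 10.41 * (1.0 - (1.0 - w("C")) * (1.0 - w("I")) * (1.0 - w("A")));
    double exploitability = 20.0 * w("AV") * w("AC") * w("Au");
    double fImpact = (impact == 0.0) ? 0.0 : 1.176;   // f(Impact) = 0 when no impact
    double raw = (0.6 * impact + 0.4 * exploitability - 1.5) * fImpact;
    return std::round(raw * 10.0) / 10.0;
}
```

Keeping the vector next to the score, as the slide asks, lets anyone recompute it; the calculator accepts the vector with or without the surrounding parentheses.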
CWE and CVSS use in Practice: Code Review

    void CHTMLEngine::SetPost(CBufferedInput& buf, unsigned int length, string& multipart)
    {
        m_post = true;
        if (length <= 0)
            return;
        char* pData = new char[length+1];
        memset(pData, 0, length+1);
        // Read the POSTed data into a buffer
        int totalBytesRead = 0;
        int bytesRead = 0;
        while (length - totalBytesRead > 0) {
            bytesRead = buf.Read(pData + totalBytesRead, length - totalBytesRead);
            if (bytesRead == -1) {
                DTRACE(1, " EOF error reading POSTed data.");
                break;
            }
            totalBytesRead += bytesRead;
        }
        m_post_data = pData;
        m_mp_boundary = multipart;
        delete [] pData;
    }
What if I make length = -1?
new char[0] calls malloc(0) which succeeds!
Next, attacker-controlled data either overflows heap or crashes
Doesn’t quite work – length is unsigned
CWE and CVSS use in Practice: Code Review
Buffer Overflow
CWE: 119, CVSS 2: 7.6, CVSS 2 Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
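An added example, not code from the talk or from the product under review: the length check that closes the hole the review found. With length = -1 passed as unsigned int, length + 1 wraps to 0, so the original allocates an empty buffer and the read loop writes past it. MemoryInput, kMaxPostLength and the function names are stand-ins I assume in place of the slide's CBufferedInput.

```cpp
#include <algorithm>
#include <cstring>
#include <string>
#include <utility>
#include <vector>

// Assumed stand-in for the slide's CBufferedInput: serves bytes from an
// in-memory buffer; Read() returns bytes copied, or -1 at EOF.
class MemoryInput {
public:
    explicit MemoryInput(std::string data) : data_(std::move(data)) {}
    int Read(char* out, size_t want) {
        if (pos_ >= data_.size()) return -1;
        size_t n = std::min(want, data_.size() - pos_);
        std::memcpy(out, data_.c_str() + pos_, n);
        pos_ += n;
        return static_cast<int>(n);
    }
private:
    std::string data_;
    size_t pos_ = 0;
};

// The slide's question "what if length = -1?": as unsigned int that is
// 0xFFFFFFFF, and the allocation size length + 1 silently wraps to 0.
unsigned int AllocationSizeOnSlide(unsigned int length) { return length + 1u; }

// Largest POST body the server will buffer (assumed policy value).
constexpr unsigned int kMaxPostLength = 8u * 1024u * 1024u;

// Returns true and fills `body` when the declared length is acceptable and
// the whole body could be read; false otherwise. The upper bound rejects the
// wrapping value before any allocation, the buffer is sized to exactly
// `length`, and a short read is an error rather than silently accepted.
bool ReadPostBody(MemoryInput& in, unsigned int length, std::string& body) {
    body.clear();
    if (length == 0) return true;                   // nothing to read
    if (length > kMaxPostLength) return false;      // also rejects 0xFFFFFFFF
    std::vector<char> buf(length);                  // exact size, no +1 arithmetic
    size_t total = 0;
    while (total < length) {
        int got = in.Read(buf.data() + total, length - total);
        if (got <= 0) return false;                 // EOF before declared length
        total += static_cast<size_t>(got);
    }
    body.assign(buf.data(), total);
    return true;
}
```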
Training and Metrics: A special activity in the SDL
• Security training is what food is to a workout
• Same workout metrics do not apply
• Quality of your intake affects overall performance
• Staff needs ongoing training
Training and Metrics: Security Learning Process
Understand who is the audience
• Previous knowledge about secure coding and secure testing
• Programming languages in use
• Supported platforms
• Type of product

Training and Metrics: Security Learning Process
Train everyone involved in the SDL
• Developers: Secure Coding, Threat Model
• QA: Security Testing, Tools
• Managers: Secure Development Lifecycle (also known as Symmunize)

Training and Metrics: Security Learning Process
Quality Assurance - Capture the flag
• Use Beta software
• Approximately 3 hours long
• Top 3 finders receive prizes and are invited to explain what techniques and tools they used to find the vulnerabilities to the rest of the group
Training and Metrics: Security Learning Process
Post Class Survey
• Anonymous
• Metrics
  – Class content
  – Instructor knowledge
  – Exercises
Why Does This Approach Make Sense?
• Compare Apples to Apples
• Quantify results in a meaningful way to “C” executives
– Past results can be used to explain impact of new findings
– Can be simplified to a number from 1-10 or semaphore (green, yellow and red).
– Can be used for competitive analysis
• Harder to game CVSS
• CWE can be easily mapped to different taxonomies