Security Assurance Tools
Amarendra Godbole, Software Security Analyst
Agenda
Security Assurance Tools 2
1. Security assurance and tools
2. Categories and usage
3. Host based
4. Network based
5. CVSS v2
Disclaimer
• Symantec does not endorse these tools
• If anything breaks, both parts are yours. ;-)
• Etc.
Security Assurance and Tools
• Ensure software operates at the designed level of security
• Partial, but invaluable, help from tools
  – Deep inspection
• Tools are not the “silver bullet”
  – Find a subset of issues
  – Have false positives (FPs) and/or false negatives (FNs)
  – Analysis is important – human intelligence
• Defensive tools
  – More likely to be allowed in your organization
• Open source
  – Check with your legal team for license compatibility
Categories
• Host-based
  – Find issues on the host (permission checkers, config checkers, debuggers)
  – Standard system commands/tools are often ignored in favour of more exotic ones (netstat, tcpdump, find, compiler flags anyone?)
• Network-based
  – Tools for inspecting network packets (Wireshark/Ethereal, tcpdump)
  – Protocol-specific tools (Burp proxy, ratproxy, Skipfish for web)
• Numerous other tools (see sectools.org)
Compiler Flags
• Flags enabling protection mechanisms at compile time
  – Visual Studio (VC++) defenses
    • /GS
    • /SafeSEH
    • /DynamicBase
    • /NXCompat
  – GNU gcc
    • -fstack-protector
    • -Wformat -Wformat-security
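The gcc flags listed above only help if the build actually applies them, so it is worth checking the result rather than trusting the build script. The script below is an added example, not code from the deck: it compiles a small constructed C program with `-Wformat -Wformat-security -fstack-protector`, then confirms that the non-literal `printf(buf)` was reported and that the stack-protector canary check (a reference to `__stack_chk_fail`) is present in the binary. It assumes `gcc` and `nm` are on PATH; the function name `check_gcc_hardening` and the demo source are invented for this example.

```shell
#!/bin/sh
# Added example (not from the deck): compile a constructed C program with the
# deck's gcc flags and verify the protections are really present in the output.
# Assumes gcc and nm are on PATH.
check_gcc_hardening() {
    tmp=$(mktemp -d) || return 1
    # Constructed demo source: a 64-byte stack buffer (large enough for
    # -fstack-protector to instrument) and a non-literal format string.
    cat > "$tmp/demo.c" <<'EOF'
#include <stdio.h>
#include <string.h>
static void greet(const char *name) {
    char buf[64];
    strncpy(buf, name, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    printf(buf);   /* format string comes from input: -Wformat-security warns */
}
int main(int argc, char **argv) {
    if (argc > 1) greet(argv[1]);
    return 0;
}
EOF
    status=0
    # Build with the deck's flags; keep the diagnostics for inspection.
    if ! gcc -Wformat -Wformat-security -fstack-protector \
            -o "$tmp/demo" "$tmp/demo.c" 2> "$tmp/diag.txt"; then
        echo "FAIL compile error:"; cat "$tmp/diag.txt"
        rm -rf "$tmp"; return 1
    fi
    # Check 1: the format-string misuse must have been flagged by -Wformat-security.
    if grep -q 'Wformat-security' "$tmp/diag.txt"; then
        echo "OK   -Wformat-security reported printf(buf)"
    else
        echo "FAIL no format-string warning emitted"; status=1
    fi
    # Check 2: the canary epilogue calls __stack_chk_fail, so the symbol must be referenced.
    if nm "$tmp/demo" | grep -q '__stack_chk_fail'; then
        echo "OK   -fstack-protector canary present (__stack_chk_fail referenced)"
    else
        echo "FAIL no stack canary reference in binary"; status=1
    fi
    rm -rf "$tmp"
    return $status
}

# Stand-alone use: sh check_gcc_hardening.sh --demo
if [ "${1:-}" = "--demo" ]; then
    check_gcc_hardening
fi
```

The same two checks (warnings in the compiler log, `__stack_chk_fail` in the symbol table) can be run against a project's real build output to confirm the flags survived the build system.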
BinScope
• Microsoft verification tool that analyzes binaries
• Checks for compliance with the Microsoft SDLC
• Stand-alone, or can be integrated with Visual Studio 2008
Sysinternals Tools
• Windows deep-inspection tools
  – Runtime behavior
• Procmon, Filemon, Process Explorer, Regmon – more than 60 tools
• Allow filtering of results
find
• Unix command-line utility for “finding” things
  – World-writable files and directories
  – Setuid binaries

  find / -type f -perm -0002 -exec ls -lg {} \;
  find / -type d \( -perm -0002 -a ! -perm -1000 \) -exec ls -ldg {} \;
  find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -lg {} \;
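The three `find` audits on this slide are easier to reuse and test when the search root is a parameter. The script below is an added example, not code from the deck: it wraps each predicate in a function, builds a constructed directory tree that contains one hit per check (and one world-writable directory with the sticky bit, which correctly is not reported), and prints a long-listing report. It uses `ls -ld` rather than the slide's `ls -lg`, because `-g` means different things on GNU and BSD `ls`; the function names are invented for this example.

```shell
#!/bin/sh
# Added example (not from the deck): the slide's find(1) audits as reusable
# functions, plus a constructed sample tree to exercise them.

# Files any user can write to.
world_writable_files() {
    find "$1" -type f -perm -0002 -print
}

# World-writable directories without the sticky bit: unlike /tmp, any user can
# delete or replace other users' files in them.
world_writable_dirs_no_sticky() {
    find "$1" -type d \( -perm -0002 -a ! -perm -1000 \) -print
}

# Setuid/setgid executables: every one is a privilege boundary worth reviewing.
setuid_setgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Long-listing report in the slide's style (default root is /, as on the slide).
perm_audit_report() {
    root=${1:-/}
    echo "== world-writable files under $root =="
    world_writable_files "$root" | while IFS= read -r f; do ls -ld "$f"; done
    echo "== world-writable directories without sticky bit under $root =="
    world_writable_dirs_no_sticky "$root" | while IFS= read -r d; do ls -ld "$d"; done
    echo "== setuid/setgid files under $root =="
    setuid_setgid_files "$root" | while IFS= read -r f; do ls -ld "$f"; done
}

# Constructed sample tree (not a real system): exactly one finding per check,
# plus a sticky world-writable directory that must NOT be reported.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/sticky_ok" "$t/open_dir"
    : > "$t/world_writable"; : > "$t/suid_tool"; : > "$t/normal"
    chmod 0666 "$t/world_writable"   # reported by world_writable_files
    chmod 4755 "$t/suid_tool"        # reported by setuid_setgid_files
    chmod 0644 "$t/normal"           # not reported
    chmod 1777 "$t/sticky_ok"        # world-writable but sticky, like /tmp: not reported
    chmod 0777 "$t/open_dir"         # world-writable, no sticky bit: reported
    printf '%s\n' "$t"
}

# Stand-alone use: sh perm_audit.sh --demo  (or: perm_audit_report /)
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree) && perm_audit_report "$tree" && rm -rf "$tree"
fi
```

Running `perm_audit_report /` reproduces the slide's three commands over the whole filesystem; the sample tree shows what each predicate does and does not match before the audit is pointed at a real host.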
base64 to ASCII encoder/decoder
• c3ltYW50ZWM=
• Many sites encode plain-text passwords to base64
  – Encoding, not encryption
  – Offers no security
• http://www.hcidata.info/base64.htm
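Because base64 is reversible by anyone, a config or database dump audit should treat base64-encoded credentials as plain text. The script below is an added example, not code from the deck: `b64_decode` decodes one value (the slide's `c3ltYW50ZWM=` decodes to `symantec`), and `find_encoded_secrets` scans `KEY=VALUE` lines for credential-looking keys whose value decodes to printable text. It assumes GNU coreutils `base64 -d`; the sample config lines are constructed for the example and the function names are invented.

```shell
#!/bin/sh
# Added example (not from the deck): show that base64 "protection" of secrets
# is reversible, and flag encoded credentials in KEY=VALUE configuration.
# Assumes GNU coreutils base64 (-d).

# Decode one base64 value; fail if it is not well-formed base64.
b64_decode() {
    case "$1" in
        *[!A-Za-z0-9+/=]*|"") return 1 ;;   # characters outside the base64 alphabet
    esac
    [ $(( ${#1} % 4 )) -eq 0 ] || return 1   # base64 is always padded to 4-char groups
    printf '%s' "$1" | base64 -d 2>/dev/null
}

# Read KEY=VALUE lines from stdin; print credential-looking keys whose value
# base64-decodes to printable text, i.e. secrets that are only encoded.
find_encoded_secrets() {
    while IFS= read -r line; do
        case "$line" in \#*|"") continue ;; esac   # skip comments and blank lines
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        val=$(printf '%s' "${line#*=}" | tr -d ' \t')
        case "$key" in
            *[Pp]ass*|*[Pp]wd*|*[Ss]ecret*|*[Tt]oken*) ;;
            *) continue ;;
        esac
        decoded=$(b64_decode "$val") || continue
        # Only report values that decode to printable text (binary blobs are
        # likely real ciphertext or keys, not an encoded password).
        if [ -z "$(printf '%s' "$decoded" | LC_ALL=C tr -d '[:print:]')" ]; then
            printf '%s decodes to: %s\n' "$key" "$decoded"
        fi
    done
}

# Constructed sample configuration (not a real file).
sample_config() {
    cat <<'EOF'
# constructed sample, not a real configuration
user=admin
db.password=c3ltYW50ZWM=
api_token=hunter2
session.secret=aGVsbG8gd29ybGQ=
EOF
}

# Stand-alone use: sh b64_audit.sh --demo   (or: find_encoded_secrets < app.properties)
if [ "${1:-}" = "--demo" ]; then
    sample_config | find_encoded_secrets
fi
```

The printable-text filter keeps the scan from flagging genuinely encrypted values that happen to be base64-wrapped; anything it does report should be moved to a secrets store or encrypted with a real key.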
netstat
• Simple command-line utility for Unix and Windows
• Lists the open sockets and socket connections
• List all open TCP ports:
  Windows: netstat -an | findstr LISTENING
  UNIX:    netstat -an | grep LISTEN
  Linux:   netstat -anpt -A inet | grep LISTEN
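The `grep LISTEN` one-liners show which sockets are open, but the security question is usually which of them are reachable from the network (bound to `0.0.0.0`/`::`) rather than to loopback. The script below is an added example, not code from the deck: `listening_tcp_ports` reads `netstat -an` output on stdin, handles both the Windows (`LISTENING`) and Unix/Linux (`LISTEN`, with or without `-p`) layouts, and prints `port address scope` for every listening TCP socket. The two sample outputs are constructed, not real captures, and the function names are invented.

```shell
#!/bin/sh
# Added example (not from the deck): list listening TCP sockets from
# "netstat -an" output and mark those bound to all interfaces.

# Reads netstat output on stdin; prints "port bind-address scope", sorted by port.
listening_tcp_ports() {
    awk '
    # TCP rows in a listening state only (Windows prints LISTENING, Unix LISTEN).
    toupper($1) ~ /^TCP/ && /[ \t]LISTEN/ {
        laddr = ""
        # The local address is the first field that ends in ":<port>".
        for (i = 2; i <= NF; i++) if ($i ~ /:[0-9]+$/) { laddr = $i; break }
        if (laddr == "") next
        n = split(laddr, parts, ":")
        port = parts[n]
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        scope = (addr == "0.0.0.0" || addr == "::" || addr == "[::]" || addr == "*") \
                ? "all-interfaces" : "local-only"
        print port, addr, scope
    }' | sort -n
}

# Constructed sample in the Windows "netstat -an" layout (not a real capture).
sample_netstat_windows() {
    cat <<'EOF'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49152        0.0.0.0:0              LISTENING
  TCP    10.0.0.5:51000         198.51.100.7:443       ESTABLISHED
  UDP    0.0.0.0:123            *:*
EOF
}

# Constructed sample in the Linux "netstat -anpt" layout (not a real capture).
sample_netstat_linux() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1045/mysqld
tcp        0      0 10.0.0.5:22             10.0.0.9:50122          ESTABLISHED 2210/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1301/nginx
EOF
}

# Stand-alone use: sh listen_audit.sh --demo   (or: netstat -an | listening_tcp_ports)
if [ "${1:-}" = "--demo" ]; then
    echo "windows sample:"; sample_netstat_windows | listening_tcp_ports
    echo "linux sample:";   sample_netstat_linux   | listening_tcp_ports
fi
```

On a real host, every `all-interfaces` line is a service the firewall and the host's configuration must account for; a database listening on `0.0.0.0` instead of `127.0.0.1` is the typical finding.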
tcpdump
• Capture and dump packets, analyze network traffic
• Many options; customizable output
Wireshark – Network protocol analyzer
• Dissects well-known protocols via dissectors
  – “Follow TCP Stream” option
• Differentiates protocol headers from data/payload
• Filters
Web-based tools
• WebScarab
  – OWASP tool for use as a web proxy
  – Inspect and modify user-agent HTTP/S data
• RatProxy
  – Semi-automated, passive web application security tool
  – Detects and prioritizes a broad range of web vulnerabilities (XSS, XSRF, cookie issues, trust-model violations, etc.)
CVSS v2 Scores
• Framework to standardize vulnerability scores
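A CVSS v2 base score is a deterministic function of the six base metrics, so it can be recomputed from the vector string rather than taken on trust from an advisory. The script below is an added example, not code from the deck: `cvss2_base` parses a v2 base vector such as `AV:N/AC:M/Au:N/C:P/I:P/A:P`, applies the v2 metric weights and equations (Impact, Exploitability, f(Impact)), and prints the score rounded to one decimal; malformed vectors are rejected. It needs only POSIX sh and awk; the example vectors are illustrative and the function name is invented.

```shell
#!/bin/sh
# Added example (not from the deck): compute a CVSS v2 base score from a base
# vector using the v2 metric weights and equations. POSIX sh + awk only.

# Usage: cvss2_base 'AV:N/AC:M/Au:N/C:P/I:P/A:P'   -> prints 6.8
cvss2_base() {
    printf '%s\n' "$1" | awk -F/ '
    BEGIN {
        # Metric weights from the CVSS v2 specification.
        av["L"] = 0.395; av["A"] = 0.646; av["N"] = 1.0      # AccessVector
        ac["H"] = 0.35;  ac["M"] = 0.61;  ac["L"] = 0.71     # AccessComplexity
        au["M"] = 0.45;  au["S"] = 0.56;  au["N"] = 0.704    # Authentication
        cia["N"] = 0.0;  cia["P"] = 0.275; cia["C"] = 0.660  # Conf/Integ/Avail impact
    }
    {
        # Split "AV:N/AC:M/..." into metric -> value.
        for (i = 1; i <= NF; i++) { split($i, kv, ":"); m[kv[1]] = kv[2] }
        if (!(m["AV"] in av) || !(m["AC"] in ac) || !(m["Au"] in au) ||
            !(m["C"] in cia) || !(m["I"] in cia) || !(m["A"] in cia)) {
            print "invalid CVSS v2 base vector: " $0 > "/dev/stderr"
            exit 1
        }
        # Impact = 10.41 * (1 - (1-ConfImpact) * (1-IntegImpact) * (1-AvailImpact))
        impact  = 10.41 * (1 - (1 - cia[m["C"]]) * (1 - cia[m["I"]]) * (1 - cia[m["A"]]))
        # Exploitability = 20 * AccessVector * AccessComplexity * Authentication
        exploit = 20 * av[m["AV"]] * ac[m["AC"]] * au[m["Au"]]
        # f(Impact) = 0 if Impact = 0, else 1.176
        if (impact == 0) {
            score = 0
        } else {
            score = ((0.6 * impact) + (0.4 * exploit) - 1.5) * 1.176
        }
        printf "%.1f\n", score
    }'
}

# Stand-alone use: sh cvss2.sh --demo
if [ "${1:-}" = "--demo" ]; then
    for v in 'AV:N/AC:L/Au:N/C:C/I:C/A:C' 'AV:N/AC:M/Au:N/C:P/I:P/A:P' \
             'AV:N/AC:L/Au:N/C:N/I:N/A:P' 'AV:L/AC:H/Au:M/C:N/I:N/A:N'; do
        printf '%-28s %s\n' "$v" "$(cvss2_base "$v")"
    done
fi
```

Recomputing the base score is a quick sanity check when an advisory's vector and its stated score disagree; temporal and environmental metrics, which the v2 framework also defines, are outside this base-score calculation.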
Thank you!
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Amarendra [email protected]
+91 20 4075 4401