© Copyright 2013 Denim Group - All Rights Reserved
Running a Software Security Program on Open Source Tools
Dan Cornell
CTO, Denim Group
@danielcornell
My Background
• Dan Cornell, founder and CTO of Denim Group
• Software developer by background (Java, .NET, etc)
• OWASP San Antonio
Denim Group Background
• Secure software services and products company
  – Builds secure software
  – Helps organizations assess and mitigate risk of in-house developed and third party software
  – Provides classroom training and e-Learning so clients can build software securely
• Software-centric view of application security
  – Application security experts are practicing developers
  – Development pedigree translates to rapport with development managers
  – Business impact: shorter time-to-fix application vulnerabilities
• Culture of application security innovation and contribution
  – Develops open source tools to help clients mature their software security programs
    • Remediation Resource Center, ThreadFix
  – OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI
  – World class alliance partners accelerate innovation to solve client problems
Course Abstract

Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachni, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.
Agenda
• So You Want To Roll Out a Software Security Program?
• Software Assurance Maturity Model (OpenSAMM)
• Components Of Your Software Security Program
  – Governance
  – Construction
  – Verification
  – Deployment
• Conclusions / Questions
So You Want To Roll Out a Software Security Program?
• Great!
• What a software security program ISN’T
  – Question: “What are you doing to address software security concerns?”
  – Answer: “We bought scanner XYZ”
• What a software security program IS
  – People, process, tools (naturally)
  – Set of activities intended to repeatedly produce appropriately-secure software
Challenges Rolling Out Software Security Programs
• Resources
  – Raw budget and cost issues
  – Level of effort issues
• Resistance: requires organizational change
  – Apparently people hate this
• Open source tools
  – Can help with raw budget issues
  – May exacerbate problems with level of effort
• View the rollout as a multi-stage process
  – Not one magical effort
  – Use short-term successes and gains to fuel further change
Let’s Create the Class Virtual Machine
• Get VirtualBox if you do not already have it
  – https://www.virtualbox.org/
• Get the Ubuntu image if you do not already have it
  – http://www.ubuntu.com/
  – ubuntu-13.10-desktop-i386.iso
• Run VirtualBox
• Click “New”
Creating the VM
• Name:
  – Whatever – I called mine “OWASP_Course”
• Type: Linux
• Version: Ubuntu
• Memory Size:
  – I used 4096 MB
  – More is better. If you use less you might have issues
• Hard Drive:
  – Create a virtual hard drive now
Creating the VM
• Hard Drive File Type
  – Whatever – I used “VDI (VirtualBox Disk Image)”
• Storage on Physical Hard Drive
  – Whatever – I used “Dynamically allocated”
• File Location and Size:
  – I used “OWASP_Course”
  – I used 16 GB. More is better. (Default 8 GB is NOT enough)
Install the OS
• Click “Start”
• Select the Ubuntu ISO image
• Select “Install Ubuntu”
• Click “Download updates while installing”
• Select “Erase disk and install Ubuntu”
Install the OS
• Set your location and keyboard type
• Enter user info
• Wait
• Reboot
• Congratulations!
• (Do yourself a favor and put a terminal icon on the launcher)
Software Assurance Maturity Model (OpenSAMM)
• Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
• Useful for:
  – Evaluating an organization’s existing software security practices
  – Building a balanced software security program in well-defined iterations
  – Demonstrating concrete improvements to a security assurance program
  – Defining and measuring security-related activities within an organization
• Main website:
  – http://www.opensamm.org/
Using OpenSAMM You Can…
• Evaluate an organization’s existing software security practices
• Build a balanced software security assurance program in well-defined iterations
• Demonstrate concrete improvements to a security assurance program
• Define and measure security-related activities throughout an organization
[This slide content © Pravir Chandra]
Review of Existing Secure SDLC Efforts
[This slide content © Pravir Chandra]
CLASP
• Comprehensive, Lightweight Application Security Process
– Centered around 7 AppSec Best Practices
– Cover the entire software lifecycle (not just development)
• Adaptable to any development process
– Defines roles across the SDLC
– 24 role-based process components
– Start small and dial-in to your needs
[This slide content © Pravir Chandra]
Microsoft SDL
• Built internally for MS software
• Extended and made public for others
• MS-only versions since public release
[This slide content © Pravir Chandra]
Touchpoints
• Gary McGraw’s and Cigital’s model
[This slide content © Pravir Chandra]
Lessons Learned
• Microsoft SDL
– Heavyweight, good for large ISVs
• Touchpoints
– High-level, not enough details to execute against
• CLASP
– Large collection of activities, but no priority ordering
• ALL: Good for experts to use as a guide, but hard for non-security folks to use off the shelf
[This slide content © Pravir Chandra]
Drivers for a Maturity Model
• An organization’s behavior changes slowly over time
– Changes must be iterative while working toward long-term goals
• There is no single recipe that works for all organizations
– A solution must enable risk-based choices tailored to the organization
• Guidance related to security activities must be prescriptive
– A solution must provide enough details for non-security people
• Overall, must be simple, well-defined, and measurable
[This slide content © Pravir Chandra]
Therefore, a Viable Model Must...
• Define building blocks for an assurance program
– Delineate all functions within an organization that could be improved over time
• Define how building blocks should be combined
– Make creating change in iterations a no-brainer
• Define details for each building block clearly
– Clarify the security-relevant parts in a widely applicable way (for any org doing software dev)
[This slide content © Pravir Chandra]
Understanding the Model
[This slide content © Pravir Chandra]
SAMM Business Functions
• Start with the core activities tied to any organization performing software development
• Named generically, but should resonate with any developer or manager
[This slide content © Pravir Chandra]
SAMM Security Practices
• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement
[This slide content © Pravir Chandra]
Under Each Security Practice
• Three successive Objectives under each Practice define how it can be improved over time
– This establishes a notion of a Level at which an organization fulfills a given Practice
• The three Levels for a Practice generally correspond to:
– (0: Implicit starting point with the Practice unfulfilled)
– 1: Initial understanding and ad hoc provision of the Practice
– 2: Increase efficiency and/or effectiveness of the Practice
– 3: Comprehensive mastery of the Practice at scale
[This slide content © Pravir Chandra]
Check Out This One...
[This slide content © Pravir Chandra]
Per Level, SAMM Defines...
• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels
[This slide content © Pravir Chandra]
Approach to Iterative Improvement
• Since the twelve Practices are each a maturity area, the successive Objectives represent the “building blocks” for any assurance program
• Simply put, improve an assurance program in phases by:
1. Select security Practices to improve in next phase of assurance program
2. Achieve the next Objective in each Practice by performing the corresponding Activities at the specified Success Metrics
[This slide content © Pravir Chandra]
Applying the Model
[This slide content © Pravir Chandra]
Conducting Assessments
• SAMM includes assessment worksheets for each Security Practice
[This slide content © Pravir Chandra]
Assessment Process
• Supports both lightweight and detailed assessments
• Organizations may fall in between levels (+)
[This slide content © Pravir Chandra]
Creating Scorecards
• Gap analysis
  – Capturing scores from detailed assessments versus expected performance levels
• Demonstrating improvement
  – Capturing scores from before and after an iteration of assurance program build-out
• Ongoing measurement
  – Capturing scores over consistent time frames for an assurance program that is already in place
[This slide content © Pravir Chandra]
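The scoring behind a scorecard is simple enough to show in code. The following is an added example for this page, not code from the deck or from the OpenSAMM project. It assumes a simplified scoring rule: a practice is at level N when every assessment question for levels 1 through N is answered yes, and carries a “+” (the in-between mark mentioned above) when the next level is only partly covered. The practice names are SAMM 1.0 practices; the answers and targets are constructed.

```python
"""SAMM-style scoring of assessment answers into practice levels, plus a
gap/improvement scorecard.  Added example for this page; it is not code
from the deck or from the OpenSAMM project.  Scoring rule (an assumption):
a practice sits at level N when every question for levels 1..N is a yes,
and gets a "+" when the next level is partly, but not fully, covered."""
from dataclasses import dataclass


@dataclass
class PracticeAssessment:
    name: str
    # answers[level] -> yes/no answers to that level's assessment questions
    answers: dict


def level_of(pa: PracticeAssessment) -> tuple:
    """Return (level, plus); levels can only be climbed in order."""
    level = 0
    for lvl in (1, 2, 3):
        given = pa.answers.get(lvl, [])
        if given and all(given):
            level = lvl
        else:
            break
    nxt = pa.answers.get(level + 1, [])
    plus = any(nxt) and not all(nxt)
    return level, plus


def score_label(pa: PracticeAssessment) -> str:
    level, plus = level_of(pa)
    return f"{level}{'+' if plus else ''}"


def scorecard(assessments, targets):
    """Gap analysis: achieved level versus the target level per practice."""
    rows = []
    for pa in assessments:
        level, _ = level_of(pa)
        rows.append({"practice": pa.name, "score": score_label(pa),
                     "target": targets[pa.name],
                     "gap": max(0, targets[pa.name] - level)})
    return rows


def improvement(before, after):
    """Before/after comparison for one iteration of program build-out."""
    prior = {r["practice"]: r["score"] for r in before}
    return {r["practice"]: (prior[r["practice"]], r["score"])
            for r in after if prior[r["practice"]] != r["score"]}


# Constructed answers for four practices, two questions per level.
ROUND_1 = [
    PracticeAssessment("Strategy & Metrics", {1: [True, True], 2: [True, False], 3: [False, False]}),
    PracticeAssessment("Threat Assessment", {1: [True, False], 2: [False, False], 3: [False, False]}),
    PracticeAssessment("Code Review", {1: [True, True], 2: [True, True], 3: [False, False]}),
    PracticeAssessment("Security Testing", {1: [True, True], 2: [True, True], 3: [True, True]}),
]
# The same organization one phase later: metrics work at level 2 finished,
# threat assessment reaches level 1, level-3 code review work has started.
ROUND_2 = [
    PracticeAssessment("Strategy & Metrics", {1: [True, True], 2: [True, True], 3: [False, False]}),
    PracticeAssessment("Threat Assessment", {1: [True, True], 2: [False, False], 3: [False, False]}),
    PracticeAssessment("Code Review", {1: [True, True], 2: [True, True], 3: [True, False]}),
    PracticeAssessment("Security Testing", {1: [True, True], 2: [True, True], 3: [True, True]}),
]
TARGETS = {"Strategy & Metrics": 2, "Threat Assessment": 1,
           "Code Review": 3, "Security Testing": 3}

if __name__ == "__main__":
    for row in scorecard(ROUND_2, TARGETS):
        print(row)
    print(improvement(scorecard(ROUND_1, TARGETS), scorecard(ROUND_2, TARGETS)))
```

The “+” is kept out of the gap arithmetic on purpose: partial progress toward the next level is worth reporting, but it does not close a gap until the level is actually reached.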
Roadmap Templates
• To make the “building blocks” usable, SAMM defines Roadmap templates for typical kinds of organizations
– Independent Software Vendors
– Online Service Providers
– Financial Services Organizations
– Government Organizations
• Organization types chosen because
– They represent common use-cases
– Each organization has variations in typical software-induced risk
– Optimal creation of an assurance program is different for each
[This slide content © Pravir Chandra]
Building Assurance Programs
[This slide content © Pravir Chandra]
Case Studies
• A full walkthrough with prose explanations of decision-making as an organization improves
• Each Phase described in detail
– Organizational constraints
– Build/buy choices
• One case study exists today, several more in progress using industry partners
[This slide content © Pravir Chandra]
Exploring the Model’s Levels and Activities
[This slide content © Pravir Chandra]
The SAMM 1.0 release
[This slide content © Pravir Chandra]
SAMM and the Real World
[This slide content © Pravir Chandra]
SAMM History
• Beta released August 2008 – 1.0 released March 2009
• Originally funded by Fortify
– Still actively involved and using this model
• Released under a Creative Commons Attribution Share-Alike license
• Donated to OWASP and is currently an OWASP project
[This slide content © Pravir Chandra]
Expert Contributions
• Built based on collected experiences with 100’s of organizations
– Including security experts, developers, architects, development managers, IT managers
[This slide content © Pravir Chandra]
Industry Support
• Several more case studies underway
[This slide content © Pravir Chandra]
The OpenSAMM Project
• http://www.opensamm.org
• Dedicated to defining, improving, and testing the SAMM framework
• Always vendor-neutral, but lots of industry participation
– Open and community driven
• Targeting new releases every 6-12 months
• Change management process
– SAMM Enhancement Proposals (SEP)
[This slide content © Pravir Chandra]
OpenSAMM Resources
• Nick Coblentz - SAMM Assessment Interview Template (xls/googledoc)
• Christian Frichot - SAMM Assessment Spreadsheet (xls)
• Colin Watson - Roadmap Chart Template (xls)
• Jim Weiler - MS Project Plan Template (mpp)
• Denim Group – ThreadFix (web application)
[This slide content © Pravir Chandra]
Quick Recap on Using SAMM
• Evaluate an organization’s existing software security practices
• Build a balanced software security assurance program in well-defined iterations
• Demonstrate concrete improvements to a security assurance program
• Define and measure security-related activities throughout an organization
[This slide content © Pravir Chandra]
Discussion: Tools
• Commercial tools in use?
• Free / open source tools in use?
• What tool implementations have been successful?
• What tool implementations have been less successful?
• Why?
• What is your interest in using open source tools for software security?
Why Use Free / Open Source Tools?
• They’re FREE!
  – No per-user license fees
• Can be customized
  – Don’t like the way a feature works – improve it!
• Community support
  – Not a tremendous amount of public resources for commercial tools
Potential Disadvantages of Free Tools
• Often less mature than commercial analogs
  – Application and software security are new when compared to other disciplines
  – Open source tools lag in a number of areas
• Task-focused rather than program-focused
  – Geared toward testing a single application rather than a portfolio of applications
Discussion: Organizational Concerns
• Does your organization allow the use of open source tools?
• What restrictions are placed on the use of free / open source tools?
  – Only certain licenses allowed
  – Each tool / library must have a sponsor
Open Source Tool Usage – Best Practices
• Reach out to the project lead / development community
  – How responsive are they?
  – Good to have a relationship for escalating issues
• Consider commercial support
  – If available
  – When it makes sense
• Give back
  – Installation instructions for your platform(s)
  – Other documentation opportunities
  – Code updates – if possible / desirable
ThreadFix - Overview
• ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
• Freely available under the Mozilla Public License (MPL)
• Hosted at Google Code: http://code.google.com/p/threadfix/
ThreadFix - Installation
• 2.0M1 Available as ZIP archive
  – Including ThreadFix, Apache Tomcat and HSQL database
  – Designed for easy installation
  – Limited performance and capacity
• 1.2 Available as a pre-installed Linux VM
  – Including ThreadFix, Apache Tomcat and MySQL database
  – Can also be custom-installed
ThreadFix - Installation
• Pre-requisites (for your xubuntu VM)
  – Java 1.7 JRE installed via:
    • sudo apt-get install openjdk-7-jre
    • java -version
• Instructions (from ~/Desktop/WorkingDir):
  – Unzip ThreadFix
    • unzip ~/Downloads/ThreadFix_2_0M1.zip
  – Make threadfix.sh executable
    • cd ThreadFix
    • chmod u+x threadfix.sh
  – Set JAVA_HOME environment variable
    • export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-i386
  – Run ThreadFix
    • ./threadfix.sh start
  – Open ThreadFix via browser
    • Navigate to https://localhost:8443/threadfix (you will have to confirm the HTTPS exception, since the bundled certificate is not trusted by your browser)
ThreadFix – Usage (The Basics)
• Create a Team
  – Login with credentials “user” and “password”
  – Change that default password before the instance is reachable from anything other than localhost
  – Click “Get started” link
  – Create a Team called “My Team”
• Create an Application
  – Click “Add Application”
  – Create an Application called “My Application”
  – Use URL http://www.myapp.com/ and criticality “Low”
  – Don’t worry about “Defect Tracker” or “WAF” right now
• Upload a Scan for the Application
  – Click “Upload Scan”
  – Upload file WorkingDir/ThreadFix/test-scans/w3af-demo-site.xml
OpenSAMM: Governance
• Strategy and Metrics
• Policy and Compliance
• Education and Guidance
Governance: Strategy and Metrics
• Overall strategic direction of the assurance program
• How are processes instrumented?
• How are measurements taken?
ThreadFix: Reporting
• Can be done at multiple levels:
  – Enterprise-wide
  – Team
  – Individual application
• Reports for:
  – Vulnerability count trending
  – Progress – vulnerability resolution and timelines
  – Scanner effectiveness
  – Frequency of scanning across the portfolio
• Will revisit ThreadFix reporting later in the course for examples
Governance: Policy and Compliance
• What compliance regimes are your organizations and applications subject to?
  – PCI
  – HIPAA
  – SOX
• What policies will you put in place to meet these obligations?
Governance: Education and Guidance
• Software security requires the input of a variety of stakeholders
• Software security is a relatively new area of study
  – Many of the involved parties (e.g. software developers) have never been exposed to it
• You cannot hold people responsible if they have not been properly trained
Governance: Education and Guidance
• Variety of potential consumers
  – Executives / Management
  – Developers
  – Quality Assurance (QA)
  – Security Testers
• Need for information at several levels
  – Introduction / overview
  – Topic-specific
  – Technology-specific
• Several ways to deliver guidance and training
  – Self-serve portal
  – Instructor-led training
  – E-Learning
OWASP Development Guide
• Provides guidance to developers on how to build secure applications
• Attempts to cover broad topics with some technology-specific examples
• Several translations: English, Spanish, Japanese
• Originally released in 2001, revised in 2005
  – Somewhat dated
• Currently undergoing a significant rewrite
• Main site: https://www.owasp.org/index.php/OWASP_Guide_Project
OWASP Cheat Sheets
• Provide targeted, consumable guidance on specific topics or technologies
  – Authentication
  – Transport layer protection
  – Input validation
  – Session management
  – And so on…
• Tend to be “fresher” than the related sections in the Development Guide
  – Also easier to provide to developers for use
• Main site: https://www.owasp.org/index.php/Cheat_Sheets
OWASP Secure Coding Practices Quick Reference Guide
• Technology agnostic set of general software security coding practices
• Consumable
  – ~17 pages long
  – Checklist format
• Main site: https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
OWASP Secure Coding Practices Quick Reference Guide
• Covered topics:
  – Input validation
  – Output encoding
  – Authentication and password management
  – Session management
  – Access control
  – Cryptographic practices
  – Error handling and logging
  – Data protection
  – Communication security
  – Database security
  – File management
  – Memory management
  – General coding practices
OWASP WebGoat - Overview
• Deliberately insecure JEE web application
• Presented as a series of lessons
  – SQL injection
  – Cross-site Scripting (XSS)
  – Cross-site Request Forgery (CSRF)
  – Hidden form manipulation
  – And so on…
• Main site: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
OWASP WebGoat - Installation
• Available as a self-contained ZIP archive
  – WebGoat, Apache Tomcat
• Instructions (from ~/Desktop/WorkingDir):
  – Unzip WebGoat
    • unzip ~/Downloads/WebGoat-5.4-OWASP_Standard_Win32.zip
  – Make webgoat.sh executable
    • cd WebGoat-5.4/
    • chmod u+x webgoat.sh
  – Make one tiny little cheating change in webgoat.sh
    • Delete lines 20 and 24 to short-circuit the JVM version checking
  – Run WebGoat
    • ./webgoat.sh start8080
    • Could also run “./webgoat.sh start80” to start on port 80 (binding a port below 1024 needs root on Linux, so that variant has to run under sudo)
  – Navigate to http://localhost:8080/WebGoat/attack (case matters)
OWASP WebGoat - Usage
• WebGoat consists of different “lessons” to be passed
  – Each demonstrates a vulnerability or some other aspect of web application security
• Hints – Show hints about how to solve the lesson
• Show Params – Toggle rendering request parameters in the page
• Show Cookies – Toggle rendering request cookies in the page
• Lesson Plan – Explain the purpose of the lesson
• Show Java – Show the Java source code of the lesson in a window
• Solution – Show the solution to the lesson in a window
WebGoat - Example
• Navigate to General -> Http Basics
• Click on:
  – Hints
  – Show Params
  – Show Cookies
  – Lesson Plan
  – Show Java
  – Solution
• Enter your name in the field and click “Go!”
• Navigate to Admin Functions -> Report Card
  – Shows lessons completed, hints used
wavsep - Overview
• Web Application Vulnerability Scanner Evaluation Project (wavsep)
• “A vulnerable web application designed to help assessing the features, quality and accuracy of web application vulnerability scanners. This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners”
• Used for many benchmarks. Check out http://sectooladdict.blogspot.co.il/2012/07/2012-web-application-scanner-benchmark.html
• Main site: http://code.google.com/p/wavsep/
wavsep - Installation
• Install MySQL (wavsep uses it as its database)
  – sudo apt-get install mysql-server
• Install wavsep
  – unzip wavsep-v1.2-war-linux.zip
  – Copy wavsep.war into the WebGoat-5.4/tomcat/webapps/ directory (WebGoat’s Tomcat then serves it on port 8080)
  – Navigate to http://localhost:8080/wavsep/wavsep-install/install.jsp
wavsep - Usage
• Navigate your browser to http://localhost:8080/wavsep/
• Run scanners against the various subdirectories / URLs
  – There are no actual links to /wavsep/index-active.jsp and /wavsep/index-passive.jsp
  – You will need to let the scanners know they are there
OpenSAMM: Construction
• Threat Assessment
• Security Requirements
• Secure Architecture
Construction: Threat Assessment
• Identify and characterize potential attacks
• These will determine investment level and required countermeasures
• WHO do you need to be worried about?
  – Nation-states
  – Chaotic actors
  – Organized crime
  – And so on…
Construction: Security Requirements
• Up-front determination of required security properties of the system
• Drive future activities
Construction: Secure Architecture
• Use the design process to:
  – Build in security controls
  – Avoid injecting security issues
• Threat modeling
• Architectural risk analysis
ESAPI - Overview
• Enterprise Security API (ESAPI)
• Open source web application security control library
• Several languages available: JavaEE, .NET, PHP, Classic ASP, etc
  – WIDE variation in maturity and support
  – Stick to Java unless you are very brave (and even then)
• Main site: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
ESAPI – Installation (Java)
• Instructions (from ~/Desktop/WorkingDir):
  – Create a container directory and relocate there
    • mkdir ESAPI
    • cd ESAPI
  – Unpack
    • tar xzvf ~/Downloads/esapi-2.0.1-dist.tar.gz
  – To use in a project, copy the ESAPI JAR and its supporting JARs into your lib/ directory
    • You might not need servlet-api-2.4.jar if your project already contains those classes
  – Set up ESAPI.properties file
    • Logging configuration
    • Encryption master keys (keep this file out of version control for that reason)
  – See documentation/esapi4java-core-2.0-install-guide.pdf
    • Use in specific build systems and development environments
    • Step-by-step instructions
Exercise: Fixing XSS Vulnerabilities with ESAPI
• To Use:
  – Follow the installation guide
  – Must create a folder (.esapi) to store your configuration and preferences
• Get access to library:
  – Add all the support jars (31) to your project
  – Remove repeated jars
  – Add esapi-2.0_rc10.jar to your project
  – In a JSP page:
    <%@ page import="org.owasp.esapi.ESAPI, org.owasp.esapi.Encoder" %>
• Make calls to encode tainted data, picking the encoder for the context the data is written into:
  – ESAPI.encoder().encodeForHTML() for element content
  – ESAPI.encoder().encodeForHTMLAttribute() for attribute values
ESAPI – Possible Challenges (Java)
• ESAPI Java has a LOT of dependencies (~30 JARs)
• Can cause configuration management and licensing issues for some organizations
• Potential versioning issues
Microsoft Web Protection Library - Overview
• Set of .NET assemblies which help protect web applications
• AntiXSS encoding library
  – Encoding functions for HTML, HTML attributes, XML, etc
• HTML sanitization routines (for “safely” accepting rich content)
• Security Runtime Engine (SRE)
  – Provides runtime protection against SQL injection and Cross-Site Scripting (XSS)
• Sites:
  – http://wpl.codeplex.com/
  – https://www.microsoft.com/en-us/download/details.aspx?id=28589
Microsoft Web Protection Library - Cautions
• A security vulnerability was identified in the 4.0 release
• There have been complaints about the HTML sanitization in the 4.2.1 release being broken with little follow-up from Microsoft
• Older (WPL 4.0) binaries should be available from http://ajaxcontroltoolkit.codeplex.com/releases/view/76976
Microsoft Web Protection Library - Installation
• Run the MSI installer
• To use:
  – Import reference to AntiXSS.dll (optionally include HtmlSanitizationLibrary.dll)
    • Found in C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.0
  – Get access to library:
    • In code:
      using Microsoft.Security.Application;
    • In ASPX page:
      <%@ Import Namespace="Microsoft.Security.Application" %>
  – Make call to encode tainted data:
    • AntiXss.HtmlEncode()
    • AntiXss.HtmlAttributeEncode()
    • And so on…
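Both the ESAPI exercise above and the AntiXss calls here come down to the same rule: choose the encoder for the context the tainted data lands in, and element content and attribute values are different contexts. The following is an added example for this page, not code from the deck, from OWASP ESAPI or from the Microsoft Web Protection Library. It re-implements the allow-list encoding idea those libraries use in Python so it can run stand-alone, and uses Python’s HTML tokenizer to show which renderings a browser would still execute. The immune character sets are modelled on ESAPI’s defaults but should be treated as an assumption; the template and payloads are constructed.

```python
"""Contextual output encoding for XSS: HTML body versus HTML attribute.
Added example, not code from the deck, from OWASP ESAPI or from the
Microsoft Web Protection Library.  The encoders re-implement the allow-list
idea those libraries use (encode everything except a short immune set);
the immune sets are modelled on ESAPI's defaults and are an assumption."""
import html
from html.parser import HTMLParser

# Characters left unencoded besides ASCII letters and digits.
IMMUNE_HTML = set(",.-_ ")        # element content: a space cannot break out
IMMUNE_HTML_ATTR = set(",.-_")    # attribute value: whitespace ends an unquoted value


def _encode(value: str, immune: set) -> str:
    out = []
    for ch in value:
        if (ch.isascii() and ch.isalnum()) or ch in immune:
            out.append(ch)
        else:
            out.append(f"&#x{ord(ch):x};")   # numeric character reference
    return "".join(out)


def encode_for_html(value: str) -> str:
    return _encode(value, IMMUNE_HTML)


def encode_for_html_attribute(value: str) -> str:
    return _encode(value, IMMUNE_HTML_ATTR)


# One template, three renderings.  The unquoted attribute is the interesting
# context; it is common in legacy JSP/ASPX markup.
TEMPLATE = "<p>Hello {body}</p><input name=user value={attr}>"


def render_vulnerable(name: str) -> str:
    return TEMPLATE.format(body=name, attr=name)


def render_minimal_escape(name: str) -> str:
    # html.escape only touches & < > " ' ; spaces and '=' pass through.
    e = html.escape(name, quote=True)
    return TEMPLATE.format(body=e, attr=e)


def render_hardened(name: str) -> str:
    return TEMPLATE.format(body=encode_for_html(name),
                           attr=encode_for_html_attribute(name))


class _Probe(HTMLParser):
    """Tokenizes the rendered page like a browser would and records script
    elements and on* event-handler attributes."""
    def __init__(self):
        super().__init__()
        self.scripts = 0
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        self.handlers += [k for k, _ in attrs if k.startswith("on")]


def executes_script(rendered: str) -> bool:
    """True when the markup contains a script element or an event handler."""
    probe = _Probe()
    probe.feed(rendered)
    probe.close()
    return probe.scripts > 0 or bool(probe.handlers)


# Constructed attacker input: one payload per context.
PAYLOAD_BODY = '"><script>alert(1)</script>'
PAYLOAD_ATTR = "x onmouseover=alert(1)"

if __name__ == "__main__":
    for label, render in [("vulnerable", render_vulnerable),
                          ("html.escape only", render_minimal_escape),
                          ("contextual encoding", render_hardened)]:
        for payload in (PAYLOAD_BODY, PAYLOAD_ATTR):
            print(f"{label:20} {payload!r:34} runs: {executes_script(render(payload))}")
```

The minimal escaper stops the classic `<script>` payload but leaves the unquoted attribute open: `x onmouseover=alert(1)` contains none of the five characters it touches, so the tokenizer sees a second attribute. The attribute encoder encodes the space along with everything else outside its immune set, so the value cannot end early. Quoting every attribute in the template is the cheaper fix, but the attribute encoder does not depend on the template author remembering to do so, which is why ESAPI and AntiXSS ship it as a separate call.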
OpenSAMM: Verification
• Design Review
• Code Review
• Security Testing
Application Security Assessments
• The challenges and goals of an assessment
• What an assessment must accomplish
• The assessment approach
  – Identification
  – Baseline Review and Testing
  – Threat Identification
  – Targeted Review and Testing
  – Reporting
The Challenges and Goals of Software Assessments
• Identify the application’s vulnerabilities and the risks they entail
• Provide the greatest value for the time spent
• Provide application owners with detailed vulnerability reports and remediation recommendations
– Provide actionable reports to the application team
How Assessors can Support Those Goals
• Strategic Message
  – The assessments must be conducted efficiently, with the majority of the time spent on performing the assessments. This will increase the coverage of the assessments and the depth and quality of the product delivered to the application owners. Scheduling and preparation of assessments should be conducted in an almost production-line approach.
• Testing must...
  – Be integral to the development team’s own ongoing efforts
  – Cover the “breadth” and “depth” of the functionality
  – Reflect experience with the technology and business
• Reporting must…
  – Clearly communicate risk, both business and technical
  – Allow trouble-free integration with the business strategic assets
  – Guide and justify remediation efforts
The Output of an Assessment Engagement Should…
• Summarize vulnerability discoveries and known risk
• Provide adequate detail about discovered vulnerabilities
  – Where in the application behavior or code the vulnerability resides
  – The implied security risk
  – Any mitigating factors for exploitation
    • Requires high-level credentials to exploit
    • Requires social engineering to exploit
    • etc.
• Rate the vulnerabilities to help prioritize remediation
  – DREAD works well for this as it accounts for damage potential, reproducibility, exploitability, affected users and discoverability
• Provide remediation criteria and recommended approaches
The General Assessment Approach
• Identification
  – Help identify what applications have highest priority to assess
• Preparation
  – Obtain requisite code and/or access
• Threat Modeling
  – Data flow, functional security, abuse cases
• Baseline Review and Testing
  – Account for risks inherent to the technology and common features
  – Commercial scanning tools with manual auditing
• Targeted Testing
  – Account for identified threats, data flow, abuse cases
  – Follow up on suspect behavior from the baseline review and testing
• Reporting
  – Rate vulnerabilities
  – Provide remediation recommendations
Verification: Design Review
• Incorporate security into review of architecture/design materials
• Were the previous assurance activities successful?
Microsoft Threat Analysis and Modeling Tool - Overview • Create threat models for your applications • Identify potential issues • Plan for mitigations
• Requires Visio 2007 or 2010
• Main site: http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx
Microsoft Threat Analysis and Modeling Tool - Installation • Run ThreatModelingToolSetup318.msi
• Software should be installed to C:\Program Files\Microsoft\SDL Threat Modeling Tool\
Microsoft Threat Analysis and Modeling Tool - Example • Create a Threat Model for a mobile application
Approaches for Identifying Threats • Use Cases for Business – Useful for identifying flaws with specific application features
• Data Flow for Architecture – What threats can we identify looking at the application’s data flow? – The whole system’s data stores, services, processes, etc. – The interaction among those components
• Functional Security – Here are the security features. How could an attacker defeat them?
• Attacker’s Goals for Threat Trees – If you are an attacker, what would you want to accomplish? – How would you go about achieving the malicious goal? – Useful for identifying any erroneous security assumptions
• No one approach is perfect – these are essentially brainstorming techniques
Mapping Threats to Data Flow Asset Types

Threat Type                   External Interactor   Process   Data Flow   Data Store
S – Spoofing                  Yes                   Yes
T – Tampering                                       Yes       Yes         Yes
R – Repudiation               Yes                   Yes                   Yes
I – Information Disclosure                          Yes       Yes         Yes
D – Denial of Service                               Yes       Yes         Yes
E – Elevation of Privilege                          Yes
Typical Mobile Threats
• Spoofing: Users to the Mobile Application • Spoofing: Web Services to Mobile Application • Tampering: Mobile Application • Tampering: Device Data Stores • Disclosure: Device Data Stores or Residual Data • Disclosure: Mobile Application to Web Service • Denial of Service: Mobile Application • Elevation of Privilege: Mobile Application or Web Services
[Data flow diagram: User, Local App Storage, Mobile Application, Mobile Web Services, Device Keychain, Main Site Pages]
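To show how the mapping table and the DREAD rating from the assessment slides combine, here is an added example (not from the deck or from the Microsoft tool) that enumerates STRIDE threats for the mobile data-flow diagram above and ranks them. The element and flow names are the deck's; the DREAD ratings are constructed sample values.

```python
"""STRIDE-per-element threat enumeration with DREAD ranking.

Added example, not from the Denim Group deck: it encodes the deck's
"Mapping Threats to Data Flow Asset Types" table and applies it to the
mobile data-flow diagram on the Typical Mobile Threats slide. Element and
flow names come from the slides; the DREAD scores are constructed samples.
"""

# Which STRIDE threats apply to each DFD element type (the deck's mapping table).
STRIDE_BY_ELEMENT = {
    "External Interactor": {"Spoofing", "Repudiation"},
    "Process": {"Spoofing", "Tampering", "Repudiation", "Information Disclosure",
                "Denial of Service", "Elevation of Privilege"},
    "Data Flow": {"Tampering", "Information Disclosure", "Denial of Service"},
    "Data Store": {"Tampering", "Repudiation", "Information Disclosure",
                   "Denial of Service"},
}


def enumerate_threats(elements, flows):
    """Return every (threat, target) pair the mapping table yields for a DFD.

    elements: dict of element name -> element type (a STRIDE_BY_ELEMENT key)
    flows: list of (source, destination) element names; each is a Data Flow
    """
    threats = []
    for name, kind in elements.items():
        for threat in sorted(STRIDE_BY_ELEMENT[kind]):
            threats.append((threat, name))
    for src, dst in flows:
        for threat in sorted(STRIDE_BY_ELEMENT["Data Flow"]):
            threats.append((threat, f"{src} -> {dst}"))
    return threats


def dread_score(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD rating: mean of five 1-10 ratings; higher means fix sooner."""
    ratings = (damage, reproducibility, exploitability, affected_users, discoverability)
    if not all(isinstance(r, int) and 1 <= r <= 10 for r in ratings):
        raise ValueError("each DREAD rating must be an integer from 1 to 10")
    return sum(ratings) / len(ratings)


def prioritize(threats, scores):
    """Order threats by DREAD score (highest first); unscored threats go last."""
    return sorted(threats, key=lambda t: (-scores.get(t, 0.0), t))


# The mobile DFD from the deck: who talks to what.
MOBILE_ELEMENTS = {
    "User": "External Interactor",
    "Mobile Application": "Process",
    "Mobile Web Services": "Process",
    "Local App Storage": "Data Store",
    "Device Keychain": "Data Store",
}
MOBILE_FLOWS = [
    ("User", "Mobile Application"),
    ("Mobile Application", "Mobile Web Services"),
    ("Mobile Application", "Local App Storage"),
    ("Mobile Application", "Device Keychain"),
]

# Constructed DREAD ratings for a few of the deck's "typical mobile threats".
SAMPLE_SCORES = {
    ("Spoofing", "User"): dread_score(7, 9, 8, 6, 8),  # borrowed/stolen device
    ("Information Disclosure", "Device Keychain"): dread_score(9, 6, 5, 8, 4),
    ("Tampering", "Mobile Application -> Mobile Web Services"): dread_score(8, 5, 5, 9, 6),
}


def mobile_threat_list():
    """Enumerate and rank the threats for the deck's mobile DFD."""
    return prioritize(enumerate_threats(MOBILE_ELEMENTS, MOBILE_FLOWS), SAMPLE_SCORES)


if __name__ == "__main__":
    for threat, target in mobile_threat_list():
        score = SAMPLE_SCORES.get((threat, target), 0.0)
        print(f"{score:4.1f}  {threat:24} {target}")
```

Unrated threats are still listed (at the bottom), which is the point: the table tells you what to consider, the rating tells you what to fix first.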
Spoofing: Users to the Mobile Application • Borrowed Device • Stolen Device • Other Malicious Application
[Data flow diagram: Attacker, Local App Storage, Mobile Application, Device Keychain]
Spoofing: Attacker to Mobile Web Services • Attacks against Mobile Web Services
[Data flow diagram: User, Mobile Application, Mobile Web Services, Attacker]
Spoofing: Web Services to Mobile Application • Borrowed Device • Other Malicious Application
[Data flow diagram: User, Mobile Application, Mobile Web Services, Malicious Host]
Tampering: Mobile Application • Borrowed/Stolen Device • Other Malicious Application
[Data flow diagram: User, Local App Storage, Tampered Application, Device Keychain]
Disclosure: Device Data Stores or Residual Data • Borrowed/Stolen Device • Malicious Application Functionality • Other Malicious Application • Attacks from Mobile Web Services
[Data flow diagram: User, Local SQLite Storage, Mobile Application, Device Keychain]
Disclosure: Mobile Application to Web Service • Attacks from Local Network • Other Malicious Application
[Data flow diagram: User, Mobile Application, Mobile Web Services, Attacker]
Other Data-Flow Threats • Denial of Service • Elevation of Privilege
[Data flow diagrams: User, Local App Storage, Mobile Application, Device Keychain; USAA Member, Local App Storage, Mobile Application, Device Keychain, Attacker]
Verification: Code Review • Review software artifacts “at-rest” • Can be both automated and manual
• Reach and frequency – How much of your software is subject to review? – How thorough is the analysis? – How often is it performed?
Static Analysis • Source Code Scanning • Manual Code Reviews • Advantages
– Identifies flaws during integration, when it is easier to address issues – Developers can identify flaws in their own code before checking it in – Many projects already have a code review process in-place
• Disadvantages – Freeware tools often do not address security well (specifically dataflow analysis) – Licensed tools are a significant investment – Manual review can be unstructured and time-consuming without licensed tools – Not ideal for discovering logical vulnerabilities
Static Analysis Tools • Commercial Tools
– Fortify (now HP) – Ounce (now IBM Rational) – Checkmarx – Veracode (SaaS)
• Freeware Tools – RATS/Flawfinder - C/C++, Python, PHP – Findbugs – Java – PMD - Java – FxCop - .NET – Brakeman – Ruby on Rails
FindBugs - Overview • Freely-available binary static analysis tool for Java • Main site: http://findbugs.sourceforge.net/
FindBugs - Installation • Instructions (from ~/Desktop/WorkingDir):
– Unpack the distribution • tar xzvf ~/Downloads/findbugs-2.0.3-rc1.tar.gz • Should unpack into findbugs-2.0.3-rc1/
• Can also install as an Eclipse plugin: – Plugin update site: http://findbugs.cs.umd.edu/eclipse
FindBugs – Usage (GUI)
• Run the FindBugs GUI – bin/fb gui
• Create a new project – File -> New Project – Enter project name “WebGoat” – Enter classpath for analysis “~/Desktop/WorkingDir/WebGoat-5.4/tomcat/webapps/WebGoat.war” – Use remaining defaults and run analysis
• Notice the error messages but ignore for now and look through the results
FindBugs – Usage (GUI) • But can we get rid of those error messages?
• Reconfigure the project – File -> Reconfigure – Add supporting JARs
• JARs in tomcat/bin/ • JARs in tomcat/lib/ • JARs in tomcat/webapps/WebGoat/WEB-INF/lib
– CAN’T JUST SELECT THE DIRECTORIES – MUST SELECT ALL THE JARS
• Re-run the analysis
FindBugs – Usage (GUI) • The reporting seems to be lacking details. Can we link to the source? • Install subversion
– sudo apt-get install subversion
• Download the appropriate source code – svn checkout http://webgoat.googlecode.com/svn/tags/webgoat-5.4 webgoat-src
• Reconfigure the project – File -> Reconfigure – Add source directory
• ~/WorkingDir/WebGoat-5.4/webgoat-src/src/main/java
• Now you should be able to see the WebGoat source files • Save the results as a FindBugs Project (fbp) file
– bin/ directory – FBP files can be sensitive to relative paths if moved
FindBugs – Usage Notes • So what did we learn about FindBugs
– FindBugs has to know about the binaries it is supposed to analyze – FindBugs gives us better results if we include supporting libraries – FindBugs gives us better reporting if we include source code
• These lessons translate to most static analysis tools (commercial and open source)
FindBugs – What Has It Told Us? • There are lots of results
– But not all of them have to do with security
• There is a Security top-level category – Some good stuff in here (if perhaps a little noisy)
• What else might we want to look at? – Correctness – Bad practice – Malicious code vulnerability – Multithreaded correctness – Performance
FindBugs – Usage (Command Line) • Hopefully you saved a .fbp file via the GUI…
• bin/fb analyze -project <projectname> – Runs the same FindBugs analysis we did before but prints the results to stdout
• bin/fb analyze -project <projectname> -xml:withMessages -output <outputfile> – Runs the same FindBugs analysis we did before but stores results with human-readable descriptions in the indicated XML file
• Documentation for command-line switches: http://findbugs.sourceforge.net/manual/running.html#commandLineOptions
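Once the results are in XML, the category filtering from the "What Has It Told Us?" slide can be scripted instead of clicked through. The following is an added example, not code from the deck or from FindBugs: it parses a constructed report that mirrors the BugCollection/BugInstance layout of `-xml:withMessages` output (real FindBugs pattern and category names; made-up class names and line numbers).

```python
"""Triage a FindBugs XML report by category and priority.

Added example, not from the deck or from FindBugs itself. SAMPLE_REPORT is
constructed to mirror the layout "fb analyze -xml:withMessages" writes,
using real FindBugs pattern/category names with made-up classes and lines.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Top-level categories the deck suggests a security reviewer look at first.
REVIEW_CATEGORIES = {"SECURITY", "MALICIOUS_CODE", "CORRECTNESS", "BAD_PRACTICE"}

SAMPLE_REPORT = """
<BugCollection version="2.0.3" sequence="0" timestamp="0" analysisTimestamp="0" release="">
  <Project projectName="WebGoat"/>
  <BugInstance type="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" priority="1" abbrev="SQL" category="SECURITY">
    <ShortMessage>Nonconstant string passed to execute method on an SQL statement</ShortMessage>
    <Class classname="org.example.lessons.SqlInjection"/>
    <SourceLine classname="org.example.lessons.SqlInjection" start="42" end="42" sourcefile="SqlInjection.java"/>
  </BugInstance>
  <BugInstance type="XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER" priority="3" abbrev="XSS" category="SECURITY">
    <ShortMessage>Servlet reflected cross site scripting vulnerability</ShortMessage>
    <Class classname="org.example.lessons.Search"/>
    <SourceLine classname="org.example.lessons.Search" start="88" end="88" sourcefile="Search.java"/>
  </BugInstance>
  <BugInstance type="EI_EXPOSE_REP" priority="2" abbrev="EI" category="MALICIOUS_CODE">
    <ShortMessage>May expose internal representation by returning reference to mutable object</ShortMessage>
    <Class classname="org.example.session.UserSession"/>
    <SourceLine classname="org.example.session.UserSession" start="17" end="17" sourcefile="UserSession.java"/>
  </BugInstance>
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="1" abbrev="NP" category="CORRECTNESS">
    <ShortMessage>Possible null pointer dereference</ShortMessage>
    <Class classname="org.example.lessons.Login"/>
    <SourceLine classname="org.example.lessons.Login" start="61" end="61" sourcefile="Login.java"/>
  </BugInstance>
  <BugInstance type="SBSC_USE_STRINGBUFFER_CONCATENATION" priority="3" abbrev="SBSC" category="PERFORMANCE">
    <ShortMessage>Method concatenates strings using + in a loop</ShortMessage>
    <Class classname="org.example.util.Html"/>
    <SourceLine classname="org.example.util.Html" start="9" end="9" sourcefile="Html.java"/>
  </BugInstance>
</BugCollection>
"""


def parse_findbugs_xml(xml_text):
    """Flatten each BugInstance into a dict with the fields a triage list needs."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for bug in root.iter("BugInstance"):
        msg = bug.find("ShortMessage")
        cls = bug.find("Class")
        loc = bug.find("SourceLine")
        findings.append({
            "type": bug.get("type"),
            "category": bug.get("category"),
            "priority": int(bug.get("priority", "3")),  # 1 = high, 3 = low
            "class": cls.get("classname") if cls is not None else None,
            "file": loc.get("sourcefile") if loc is not None else None,
            "line": int(loc.get("start")) if loc is not None and loc.get("start") else None,
            "message": (msg.text or "").strip() if msg is not None else "",
        })
    return findings


def review_queue(findings, categories=REVIEW_CATEGORIES, max_priority=2):
    """Findings worth a reviewer's time: chosen categories at high/medium priority."""
    selected = [f for f in findings
                if f["category"] in categories and f["priority"] <= max_priority]
    return sorted(selected, key=lambda f: (f["priority"], f["category"],
                                           f["file"] or "", f["line"] or 0))


def category_counts(findings):
    """How noisy is each category? Counter of category -> number of findings."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    all_findings = parse_findbugs_xml(SAMPLE_REPORT)
    print(dict(category_counts(all_findings)))
    for f in review_queue(all_findings):
        print(f"P{f['priority']} {f['category']:15} {f['file']}:{f['line']} {f['type']}")
```

On a real run, pass the contents of the `-output` file to `parse_findbugs_xml`; the low-priority XSS and the PERFORMANCE finding drop out of the queue, which is the noise reduction the slide is after.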
FxCop - Overview • Free static analysis tool from Microsoft • Integrated into Visual Studio • Similar capabilities to FindBugs (but for .NET)
• Blog: http://blogs.msdn.com/b/codeanalysis/
CAT.NET - Overview • Free static analysis tool from Microsoft • Does dataflow analysis (rare among the free tools) • Version 1: http://www.microsoft.com/en-us/download/details.aspx?id=19968 • Version 2: http://blogs.msdn.com/b/securitytools/archive/2010/02/04/cat-net-2-0-beta.aspx
• Dinis Cruz has done some interesting work with CAT.NET and O2 – https://www.owasp.org/index.php/OWASP_O2_Platform/Microsoft/CAT.NET
• Plans for future development are not clear
Brakeman - Overview • Security scanner for Ruby on Rails applications • Static analysis
• Finds things like SQL injection and XSS – Also checks for certain CVE-type vulnerabilities
• Main site: http://brakemanscanner.org/
Brakeman - Installation • Install prerequisites:
– sudo apt-get install ruby1.8 – sudo apt-get install rubygems
• Install scanner: – sudo gem install brakeman
• Usage: – brakeman <path-of-rails-site> – brakeman -o <output-file> <path-of-rails-site>
Brakeman - Using
• Try some test sites
• But first install git: – sudo apt-get install git
• Sites to try: – RailsGoat
• http://railsgoat.cktricky.com/ • git clone https://github.com/OWASP/railsgoat.git
– Hacme Casino • git clone git://github.com/spinkham/Hacme-Casino
Agnitio - Overview • Tool for supporting manual code reviews • Set of checklists to verify security controls • Some grep-like search capabilities
• Main site: http://sourceforge.net/projects/agnitiotool/
DependencyCheck – Overview • Checks for out-of-date JAR libraries with known CWE issues • Looks beyond JAR hashes
• We used it to find a vulnerable library used by ThreadFix – Apache POI library – http://web.nvd.nist.gov/view/vuln/search-results?cpe=cpe%3A%2Fa%3Aapache%3Apoi%3A3.7&page_num=0&cid=1
• Main site: https://github.com/jeremylong/DependencyCheck
DependencyCheck - Installation • Install dependencies:
– sudo apt-get install git (should have already done this) – sudo apt-get update – sudo apt-get install maven (we need Maven 3) – sudo apt-get install openjdk-7-jdk (need a JDK – previously we only installed a JRE)
• Download code: – git clone git://github.com/jeremylong/DependencyCheck.git
• Build: – cd DependencyCheck – mvn package
DependencyCheck – Example • Running DependencyCheck
– java -jar dependency-check-1.0.5-SNAPSHOT.jar -a WebGoat -out . -s <path-to-JARs> – The first time it runs it needs to download NVD data from NIST which can take a while – Will attempt to check for new NVD data
• Run against – ThreadFix – WebGoat – OLAT – Other Java-based applications
Verification: Security Testing • Runtime testing for security vulnerabilities
• Web applications: automated scanners, web proxies • Other applications: fuzzing, protocol analysis
Dynamic Analysis • Integrate abuse cases into unit and automated testing • Use application scanning tools • Perform a dedicated penetration test by security staff or a 3rd party
• Advantages – Generally more time-efficient than manual code review – Good for discovering logical vulnerabilities
• Disadvantages – Requires fully functional features to test – Security staff may not have application security training or experience – Scanning tools may have difficulty with unusual applications
Dynamic Analysis Tools • Automated Tools
– IBM Rational AppScan – HP WebInspect – Acunetix Vulnerability Scanner – Netsparker
• Manual Testing – Zed Attack Proxy – Burp – Google RatProxy – Browser plugins – Testing Scripts –Watir – Load and Performance testing tools – JMeter, Grinder
Arachni - Overview • Open source automated web application scanner • Written in Ruby • Can be deployed in a “grid” format for faster scanning
• Uses several different types of analysis to identify vulnerabilities – Fuzzing – Taint analysis – Time analysis
• Main site: http://arachni-scanner.com/
Arachni – Installation • Unpack:
– tar xzvf arachni-0.4.5.2-0.4.2.1-linux-i686.tar.gz
• Usage: – arachni -h – arachni http://site-to-test.com/ – arachni -fv http://site-to-test.com/ --report=html:outfile=my_report.html
w3af - Overview • Open source automated web application scanner • Written in Python
• Main site: http://w3af.sourceforge.net/
w3af - Installation • Recommended *NIX install:
– git clone https://github.com/andresriancho/w3af.git – cd w3af – ./w3af_gui
• Now fix the dependencies: – apt-get install python-setuptools python-pip graphviz python2.7-dev libsqlite3-dev libxslt1-dev python-gtksourceview2 libxml2-dev python-pip – Still need some Python stuff – apt-get install libssl-dev (otherwise one of the dependency compiles will fail) – /tmp/w3af_dependency_install.sh (make it executable and run sudo) (great security practice, by the way… )
OWASP ZAProxy - Overview • Open source web proxy and web application scanner • Supports both manual and automated assessment • Fork of Paros Proxy • Exposes RESTful API
• Main site: http://code.google.com/p/zaproxy/
OWASP ZAProxy - Installation • Unpack
– tar xzvf ZAP_2.2.2_Linux.tar.gz
• Run – zap.sh
OWASP ZAProxy – Usage • Change your browser to point to ZAP’s proxy
– ZAP defaults to using 8080 which might conflict with local Tomcat installs – Change proxy port via Tools -> Options -> Local proxy
• Spider
• Passive Scanner
• Active Scanner
Skipfish - Overview • Fast web application scanner written in C • Maintained by Google • Does a lot of file/directory guessing by default
• Main site: – https://code.google.com/p/skipfish/
Skipfish – Installation and Usage • Installation
– tar xzvf ~/Downloads/skipfish-2.10b.tgz
• Handle dependencies: – sudo apt-get install libpcre3-dev – sudo apt-get install libidn11-dev
• Build: – make
• Run: – touch new_dict.wl – ./skipfish -o output_dir -S existing_dictionary.wl -W new_dict.wl http://www.example.com/some/starting_path.txt
Which Open Source Scanner Is Best?
• What Do You Want? – Coverage – Low False Positives – Low False Negatives
Scanner Coverage • You can’t test what you can’t see
• How effective is the scanner’s crawler?
• How are URLs mapped to functionality? – RESTful – Parameters
• Possible issues: – Login routines – Multi-step processes – Anti-CSRF protection
Are You Getting a Good Scan? Large financial firm: “Our 500 page website is secure because the scanner did not find any vulnerabilities!”
Me: “Did you teach the scanner to log in so that it can see more than just the homepage?”
Large financial firm: “…”
Can Your Scanner Do This? • Two-step login procedure:
– Enter username / password (pretty standard) – Enter answer to one of several arbitrary questions
• Challenge was that the parameter indicating the question was dynamic
– Question_1, Question_2, Question_3, and so on – Makes standard login recording ineffective
It All Started With A Simple Blog Post… • Ran into an application with a complicated login procedure • Wrote blog post about the toolchain used to solve the problem
– http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated-logins-with-appscan-and-burp-suite.html
• Other scanner teams responded: – IBM Rational AppScan
• http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated-logins-with-appscan-only.html
– HP WebInspect • http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-hp-webinspect.html
– Mavituna Security Netsparker • http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-mavituna-netsparker.html
– NTObjectives NTOSpider • http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-ntospider.html
Scanner Authentication Scenario Examples • Built as a response to the previously-mentioned blog conversation
• Example implementations of different login routines – How can different scanners be configured to successfully scan?
• GitHub site: – https://github.com/denimgroup/authexamples
Did I Get a Good Scan? • Scanner training is really important
– Read the Larry Suto reports…
• Must sanity-check the results of your scans
• What URLs were accessed? – If only two URLs were accessed on a 500 page site, you probably have a bad scan – If 5000 URLs were accessed on a five page site, you probably have a bad scan
• What vulnerabilities were found and not found? – Scan with no vulnerabilities – probably not a good scan – Scan with excessive vulnerabilities – possibly a lot of false positives
Low False Positives • Reports of vulnerabilities that do not actually exist
• How “touchy” is the scanner’s testing engine?
• Why are they bad? – Take time to manually review and filter out – Can lead to wasted remediation time
Low False Negatives • Scanner failing to report vulnerabilities that do exist
• How effective is the scanner’s testing engine?
• Why are they bad? – You are exposed to risks you do not know about – You expect that the scanner would have found certain classes of vulnerabilities
• What vulnerability classes do you think scanners will find?
Other Benchmarking Efforts • Larry Suto’s 2007 and 2010 reports
– Analyzing the Accuracy and Time Costs of Web Application Security Standards – http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf – Vendor reactions were … varied – [Ofer Shezaf attended this talk at AppSecEU 2012 and had some great questions and comments. See his reactions to the latest Larry Suto scanner report here: http://www.xiom.com/2010/02/09/wafs-are-not-perfect-any-security-tool-perfect ]
• Shay Chen’s Blog and Site – http://sectooladdict.blogspot.com/ – http://www.sectoolmarket.com/
• Web Application Vulnerability Scanner Evaluation Project (wavsep) – http://code.google.com/p/wavsep/
So I Should Just Buy the Best Scanner, Right? • Or the cheapest?
• Well… – What do you mean by “best”?
• Follow-on questions – How well do the scanners work on your organization’s applications? – How many false positives are you willing to deal with? – What depth and breadth of coverage do you need?
What is a Unique Vulnerability in ThreadFix? • (CWE, Relative URL)
– Predictable resource location – Directory listing misconfiguration
• (CWE, Relative URL, Injection Point) – SQL injection – Cross-site Scripting (XSS)
• Injection points – Parameters – GET/POST – Cookies – Other headers
What Do The Scanner Results Look Like? • Usually XML
– Skipfish uses JSON and gets packaged as a ZIP
• Scanners have different concepts of what a “vulnerability” is – We normalize to the (CWE, location, [injection point]) noted before
• Look at some example files
• Several vendors have been really helpful adding additional data to their APIs and file formats to accommodate requests
Why Common Weakness Enumeration (CWE)? • Every tool has their own “spin” on naming vulnerabilities • OWASP Top 10 / WASC 24 are helpful but not comprehensive
• CWE is exhaustive (though a bit sprawling at times) • Reasonably well-adopted standard • Many tools have mappings to CWE for their results
• Main site: http://cwe.mitre.org/
Scanner Benchmarking in ThreadFix • Upload multiple scans
• Mark false positives
• Run reports
Let’s Run Our Own Benchmark • Scan wavsep with:
– w3af – OWASP ZAP – Arachni – Skipfish – (We package example files in ThreadFix/test-scans/wavsep)
• Upload results to ThreadFix
• Run results
Current Limitations • Vulnerability importers are not currently formally vendor-supported
– Though a number have helped us test and refine them (thanks!)
– After you get a good scan make sure you also got a good import
• Summary report should show data by severity rating
– Make it easier to focus on vulnerabilities you probably care more about
– But you can look at the data by vulnerability type
You Know What Would Make All This Way Easier? • Common data standards for scanning tools!
• Current efforts: – MITRE Software Assurance Findings Expression Schema (SAFES)
• http://www.mitre.org/work/tech_papers/2012/11_3671/
– OWASP Data Exchange Format Project
• https://www.owasp.org/index.php/OWASP_Data_Exchange_Format_Project
Simple Software Vulnerability Language (SSVL) • Common way to represent static and dynamic scanner findings • Based on our experience building importers for ThreadFix
– It “works” for real-world applications because we are essentially using it
• Love to hear feedback – Folks have been using the GitHub bug tracker to discuss
• Online: – https://github.com/OWASP/SSVL
Simple Software Vulnerability Language (SSVL)
OpenSAMM: Deployment • Vulnerability Management • Environment Hardening • Operational Enablement
Deployment: Vulnerability Management • Processes for managing vulnerabilities in both internal and external software • Goal is consistency • Use data from vulnerability handling to improve processes
– Decrease number and severity of future vulnerabilities – Decrease time-to-fix
Application Vulnerability Management
• Application security teams use automated static and dynamic test results as well as manual testing results to assess the security of an application
• Each test delivers results in different formats
• Different test platforms describe same flaws differently, creating duplicates
• Security teams end up using spreadsheets to keep track manually
• It is extremely difficult to prioritize the severity of flaws as a result
• Software development teams receive unmanageable reports and only a small portion of the flaws get fixed
The Result • Application vulnerabilities persist in applications:
** Average serious vulnerabilities found per website per year is 79
** Average days website exposed to one serious vulnerability is 231 days
** Overall percentage of serious vulnerabilities that are fixed annually is only 63%
• Part of that problem is there is no easy way for the security team and application development teams to work together on these issues
• Remediation quickly becomes an overwhelming project
• Trending reports that track the number of reduced vulnerabilities are impossible to create
**WhiteHat Statistics Report (Summer 2012): https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf
Vulnerability Fun Facts:
• Average number of serious vulnerabilities found per website per year is 79 **
• Serious vulnerabilities were fixed in ~38 days **
• Percentage of serious vulnerabilities fixed annually is only 63% **
• Average number of days a website is exposed to at least one serious vulnerability: ~231 days
WhiteHat Statistics Report (Summer 2012): https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf
Vulnerability Remediation Data
Vulnerability Type                              Sample Count   Average Fix (minutes)
Dead Code (unused methods)                      465            2.6
Poor logging: system output stream              83             2.9
Poor Error Handling: Empty catch block          180            6.8
Lack of Authorization check                     61             6.9
Unsafe threading                                301            8.5
ASP.NET non-serializable object in session      42             9.3
XSS (stored)                                    1023           9.6
Null Dereference                                157            10.2
Missing Null Check                              46             15.7
XSS (reflected)                                 25             16.2
Redundant null check                            21             17.1
SQL injection                                   30             97.5
Where Is Time Being Spent?
[Bar chart: share of remediation time spent in each phase (Setup Development Environment, Fix Vulnerabilities, Confirm Fixes / QA, Deploy, Overhead) for individual projects and as a weighted average; y-axis 0% to 70%. Marked series indicates the weighted average versus the average of individual projects.]
Turning Vulnerabilities Into Software Defects • Security teams talk about “vulnerabilities” • Software developers talk about “defects”
• Developers Don’t Speak PDF – http://blog.denimgroup.com/denim_group/2012/11/hey-security-teams-developers-dont-speak-pdf.html
• Why should developers manage 90% of their workload in defect trackers
– And the magic, special “security” part of their workload … some other way?
• ThreadFix lets you slice, dice and bundle vulnerabilities into software defects
– And track their remediation status over time to schedule re-scans
ThreadFix: Vulnerability Import • A “channel” is a source of vulnerability data for an application
– With the 1.2 version users no longer have to manually manage channels
• Each import from a channel is “diff’ed” versus the previous scan – When do vulnerabilities appear? – When do vulnerabilities go away?
• Can be automated via the RESTful interface to include in build process, etc
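The (CWE, relative URL, [injection point]) key from the "What is a Unique Vulnerability" slide is what makes the per-import diff above possible. The following is an added example, not ThreadFix's importer code: two constructed scanners with their own naming are normalized onto that key, then consecutive imports are diffed into new, still-open, closed and resurfaced vulnerabilities (the name-to-CWE table and scan results are constructed stand-ins).

```python
"""Normalize scanner findings to ThreadFix-style unique vulnerability keys and diff scans.

Added example, not ThreadFix's importer code. The two scanners, their
finding names and the name-to-CWE table are constructed stand-ins for the
per-scanner mappings the deck describes; the keys follow the deck's
(CWE, relative URL, [injection point]) definition.
"""
from urllib.parse import urlsplit

# Constructed per-scanner vulnerability name -> CWE id table.
CWE_MAP = {
    "scannerA": {"SQL Injection": 89, "Cross Site Scripting": 79, "Directory Listing": 548},
    "scannerB": {"sql_injection": 89, "xss": 79, "predictable_resource": 425},
}
# CWEs that are unique by location alone (no injection point), per the deck.
LOCATION_ONLY = {548, 425}


def relative_url(url):
    """Keep only the path so scans of the same app on different hosts line up."""
    path = urlsplit(url).path
    return path if path else "/"


def normalize(scanner, finding):
    """Map one scanner's finding to the (CWE, relative URL, [injection point]) key."""
    cwe = CWE_MAP[scanner][finding["name"]]
    key = (cwe, relative_url(finding["url"]))
    if cwe not in LOCATION_ONLY:
        key += ((finding["param_type"], finding["param"]),)
    return key


def unique_vulns(scanner, findings):
    """Collapse duplicate findings (same key reported twice) into one vulnerability."""
    return {normalize(scanner, f) for f in findings}


def diff_scans(previous, current, closed_earlier=frozenset()):
    """Classify what changed between two imports for the same application.

    closed_earlier: keys closed in scans before `previous`; a key seen again
    after being closed is a resurfaced vulnerability, not a new one.
    """
    return {
        "new": current - previous - closed_earlier,
        "resurfaced": (current & closed_earlier) - previous,
        "still_open": previous & current,
        "closed": previous - current,
    }


# Constructed scan results: scanner A on the QA host last month, scanner B on prod today.
SCAN_A = [
    {"name": "SQL Injection", "url": "http://qa.example.com/login.jsp", "param_type": "POST", "param": "username"},
    {"name": "SQL Injection", "url": "http://qa.example.com/login.jsp?x=1", "param_type": "POST", "param": "username"},
    {"name": "Cross Site Scripting", "url": "http://qa.example.com/search.jsp", "param_type": "GET", "param": "q"},
    {"name": "Directory Listing", "url": "http://qa.example.com/images/", "param_type": None, "param": None},
]
SCAN_B = [
    {"name": "sql_injection", "url": "https://app.example.com/login.jsp", "param_type": "POST", "param": "username"},
    {"name": "xss", "url": "https://app.example.com/profile.jsp", "param_type": "GET", "param": "name"},
    {"name": "predictable_resource", "url": "https://app.example.com/backup.zip", "param_type": None, "param": None},
]
# Constructed: the profile.jsp XSS was marked fixed two imports ago.
CLOSED_EARLIER = frozenset({(79, "/profile.jsp", ("GET", "name"))})


def example_diff():
    return diff_scans(unique_vulns("scannerA", SCAN_A),
                      unique_vulns("scannerB", SCAN_B), CLOSED_EARLIER)


if __name__ == "__main__":
    for status, keys in example_diff().items():
        print(status, sorted(keys, key=str))
```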
ThreadFix: Defect Tracker Integration • Turn vulnerabilities that security staff care about into software bugs that developers know how to handle • Bundle multiple vulnerabilities into a single defect
• How to organize? – By severity – By type – By location in the application – Some combination
• When the defect status changes you can schedule re-scans
But My Bug Tracker Isn’t Supported!
• We are always working on supporting new technologies – Check out the current support list: https://code.google.com/p/threadfix/wiki/DefectTrackers – Submit a bug to the ThreadFix defect tracker https://code.google.com/p/threadfix/issues/list
• You can add new defect trackers as plugins – No changes to the core codebase required – For instructions and sample code check out the wiki article: https://code.google.com/p/threadfix/wiki/CustomDefectTrackerGuide
Deployment: Environment Hardening • Attackers do not care about applications – attacking infrastructure might be just as effective and valuable for them
• Controls for operating environments: – Reduce vulnerabilities in the infrastructure – Enable logging and tracking
Microsoft Baseline Security Analyzer (MBSA) - Overview • Runs standard checks on Windows Workstations and Servers
– Internet Explorer – IIS – SQL Server
• Checks registry and file settings
• 2.2 Downloads: http://www.microsoft.com/en-us/download/details.aspx?id=7558
Microsoft Baseline Security Analyzer (MBSA) – Installation and Use • Install via the .msi
• Run scans – Single machine – Network of machines
• Review the results
Deployment: Operational Enablement • How do you install, configure and run your applications?
– Also updates and upgrades
• Runtime checks and logging for intrusion detection and incident response
– John Dickson has done some work in this area – http://www.slideshare.net/denimgroup/top-strategies-to-capture-security-intelligence-for-applications
Continuous Integration and Security Testing • Reduce the time between introducing security defects and knowing about them • Free tools mean that any project can be instrumented – No licensing fees
• ThreadFix has a REST-based API and command-line client for scripting
Exercise: Script the Scan/Upload Process • Generate a ThreadFix API key • Test the command-line client • Script a web application scan • Include file upload after scanning
mod_security - Overview • Open source web application firewall engine • Also has a Core RuleSet (CRS)
• Traditionally has been Apache-only – Runs as an apache module (mod_security) – Recently announced both IIS and Nginx support
• Main site: http://www.modsecurity.org/
Virtual Patching • Overview
• Applicability
• Approaches
Overview • Create short-term protections by telling IDS/IPS/WAFs where vulnerabilities are located and how to detect attacks – IDS – Intrusion Detection System – IPS – Intrusion Prevention System – WAF – Web Application Firewall
Applicability • Most applicable for “technical” vulnerabilities
– SQL injection – Cross-Site Scripting
• Harder to do for application-specific vulnerabilities
Approaches • Tell the sensor where the vulnerability is and what an attack looks like • This rule pattern is useful when you need to protect a known address and a known parameter with a known payload.
ThreadFix: Virtual Patching • Use vulnerability data from scans (usually dynamic) to create targeted, application-specific WAF rules
• ThreadFix supports several IDS/IPS/WAF systems – Snort – mod_security – F5 ASM – Imperva – DenyAll
• Can also import sensor logs to map blocked attacks back to vulnerabilities targeted
ThreadFix: Virtual Patching Example • Example Rule Generation:
– Create a mod_security WAF – Associate with an application with open vulnerabilities – Generate rules
• Example Log Import: – Upload log file – Look at event data in vulnerability listing – (This is faked but you hopefully get the idea)
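The "known address, known parameter" rule pattern from the Approaches slide and the log import from this one fit together in a few lines. The following is an added example, not ThreadFix's rule generator or log importer: it emits a chained mod_security rule scoped to one vulnerability key and maps a constructed mod_security error-log line back to that key by rule id (the rule id, vulnerability and log line are constructed; the two regexes are generic SQL-injection and XSS shapes, not patterns from the deck).

```python
"""Generate a targeted mod_security virtual patch for one vulnerability and map
blocked events in the mod_security error log back to that vulnerability.

Added example, not ThreadFix's rule generator or log importer. The rule id,
the vulnerability key and the log lines are constructed samples; the two
regexes are generic SQL-injection and XSS shapes, not patterns from the deck.
"""
import re

# Generic attack-shape detectors per CWE (constructed; tune to the application).
PATTERNS = {
    89: r"(?i)(\bunion\b.+\bselect\b|'\s*(or|and)\b|--\s|;\s*(drop|delete|update)\b)",
    79: r"(?i)(<\s*script|javascript:|\bon[a-z]+\s*=)",
}
CWE_NAME = {89: "SQL injection", 79: "Cross-site scripting"}
# Which mod_security collection holds the parameter, by injection point type.
TARGET_BY_TYPE = {"GET": "ARGS_GET", "POST": "ARGS_POST", "COOKIE": "REQUEST_COOKIES"}


def matches_pattern(cwe, value):
    """True if a parameter value has the attack shape for this CWE."""
    return re.search(PATTERNS[cwe], value) is not None


def modsecurity_rule(vuln, rule_id):
    """Chain a URI match with a parameter match so the rule fires only for this finding.

    vuln is a ThreadFix-style key: (CWE, relative URL, (param_type, param)).
    The disruptive action (deny) sits on the first rule of the chain, as
    mod_security requires; it is applied only when both rules match.
    """
    cwe, path, (param_type, param) = vuln
    target = TARGET_BY_TYPE[param_type]
    return (
        f'SecRule REQUEST_URI "@streq {path}" '
        f'"phase:2,id:{rule_id},chain,deny,status:403,log,'
        f"msg:'Virtual patch CWE-{cwe} {CWE_NAME[cwe]} in {param}'\"\n"
        f'    SecRule {target}:{param} "@rx {PATTERNS[cwe]}" "t:urlDecodeUni"'
    )


# mod_security error-log entries carry [name "value"] fields; pull them out.
LOG_FIELD = re.compile(r'\[([a-z_]+) "([^"]*)"\]')


def parse_modsec_event(line):
    fields = dict(LOG_FIELD.findall(line))
    return {
        "id": int(fields["id"]) if fields.get("id", "").isdigit() else None,
        "uri": fields.get("uri"),
        "msg": fields.get("msg"),
    }


def map_events_to_vulns(log_lines, rules_by_id):
    """Return (vuln, uri) for each blocked request whose rule id we generated."""
    hits = []
    for line in log_lines:
        event = parse_modsec_event(line)
        if event["id"] in rules_by_id:
            hits.append((rules_by_id[event["id"]], event["uri"]))
    return hits


# Constructed vulnerability and rule id.
LOGIN_SQLI = (89, "/login.jsp", ("POST", "username"))
RULES = {100001: LOGIN_SQLI}

# Constructed log lines in mod_security 2.x error-log format; the second one
# comes from a Core Rule Set rule and must not be attributed to our patch.
SAMPLE_LOG = [
    '[Sat Oct 05 10:12:31 2013] [error] [client 203.0.113.7] ModSecurity: Access denied '
    'with code 403 (phase 2). Pattern match "..." at ARGS_POST:username. '
    '[file "/etc/modsecurity/threadfix.conf"] [line "12"] [id "100001"] '
    '[msg "Virtual patch CWE-89 SQL injection in username"] [hostname "app.example.com"] '
    '[uri "/login.jsp"] [unique_id "constructed"]',
    '[Sat Oct 05 10:13:02 2013] [error] [client 203.0.113.8] ModSecurity: Warning. '
    'Pattern match "..." at ARGS:q. [file "/etc/modsecurity/crs.conf"] [line "40"] '
    '[id "981245"] [msg "CRS generic rule"] [hostname "app.example.com"] [uri "/search.jsp"]',
]

if __name__ == "__main__":
    print(modsecurity_rule(LOGIN_SQLI, 100001))
    print(map_events_to_vulns(SAMPLE_LOG, RULES))
```

Because each generated rule id is tied to one vulnerability key, counting hits per key tells you which open findings are actually being probed while the fix is pending.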
Program Benchmark Reporting
• How does your software security organization stack up?
  – Look at publicly-shared data from WhiteHat and Veracode
• Compare your progress
  – Percentage of vulnerabilities fixed
  – Time to fix different vulnerability types
  – Age of remaining vulnerabilities
ThreadFix: Reporting Examples
• Can be done at multiple levels:
  – Enterprise-wide
  – Team
  – Individual application
• Reports for:
  – Vulnerability count trending
  – Progress – vulnerability resolution and timelines
  – Scanner effectiveness
  – Frequency of scanning across the portfolio
• We have already looked at scanner benchmark reports
ThreadFix: Reporting: Trending
• Shows trending over time
• Data series:
  – Total vulnerabilities
  – New vulnerabilities
  – Resurfaced vulnerabilities
ThreadFix: Reporting: Point-in-Time
• Shows current state of vulnerabilities
• Pie chart!
  – Critical
  – High
  – Medium
  – Low
ThreadFix: Reporting: Vulnerability Progress
• Shows progress resolving vulnerabilities
• Data series by vulnerability type:
  – Vulnerability count
  – Percentage fixed
  – Average age to close
  – Average age of remaining
• Use to benchmark your organization against publicly-available data
  – WhiteHat Security – Website Security Statistics Report: https://www.whitehatsec.com/resource/stats.html
  – Veracode – State of Software Security Report: http://www.veracode.com/reports
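How the trending series (total, new, resurfaced) and the per-type progress series (count, percentage fixed, average age to close, average age of remaining) can be computed from raw vulnerability records, as an added Python example; this is not ThreadFix's reporting code. The record model, the definition of "resurfaced" (reported again after an earlier scan had stopped reporting it) and the sample data are assumptions made for the example.

```python
"""Illustrative vulnerability progress and trending metrics (added example, not ThreadFix code).

Assumed record model: each vulnerability has a type, the date it was first found and the
date it was closed (None while open). Scan history is a chronological list of
(scan_date, set of vulnerability ids reported). A vulnerability "resurfaces" when it is
reported again after the immediately preceding scan did not report it.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    vuln_type: str
    first_found: date
    closed: Optional[date] = None  # None means still open


def _mean(values: List[int]) -> Optional[float]:
    return sum(values) / len(values) if values else None


def progress_by_type(vulns: List[Vuln], as_of: date) -> Dict[str, dict]:
    """Per vulnerability type: count, percent fixed, mean days to close, mean age of open ones.
    Open and closed populations are reported separately; averaging them together would
    hide a backlog of old unfixed findings behind a few fast fixes."""
    groups: Dict[str, List[Vuln]] = defaultdict(list)
    for v in vulns:
        groups[v.vuln_type].append(v)
    report = {}
    for vtype, items in sorted(groups.items()):
        closed = [v for v in items if v.closed is not None]
        still_open = [v for v in items if v.closed is None]
        report[vtype] = {
            "count": len(items),
            "percent_fixed": round(100.0 * len(closed) / len(items), 1),
            "avg_days_to_close": _mean([(v.closed - v.first_found).days for v in closed]),
            "avg_age_open_days": _mean([(as_of - v.first_found).days for v in still_open]),
        }
    return report


def trending(scans: List[Tuple[date, Set[str]]]) -> List[dict]:
    """Per scan: total reported, new (never seen before) and resurfaced (seen before,
    absent from the previous scan). A vulnerability is counted as new only once."""
    seen_ever: Set[str] = set()
    previous: Set[str] = set()
    series = []
    for scan_date, found in scans:
        new = found - seen_ever
        resurfaced = (found & seen_ever) - previous
        series.append({"date": scan_date, "total": len(found),
                       "new": len(new), "resurfaced": len(resurfaced)})
        seen_ever |= found
        previous = found
    return series


# Constructed sample data (not from a real scan or tracker).
AS_OF = date(2013, 4, 1)
VULNS = [
    Vuln("sqli-1", "SQL Injection", date(2013, 1, 1), closed=date(2013, 1, 31)),
    Vuln("sqli-2", "SQL Injection", date(2013, 1, 1)),
    Vuln("xss-1", "Cross-Site Scripting", date(2013, 2, 1), closed=date(2013, 2, 11)),
    Vuln("xss-2", "Cross-Site Scripting", date(2013, 2, 1), closed=date(2013, 2, 21)),
]
SCANS = [
    (date(2013, 1, 1), {"sqli-1", "sqli-2", "xss-1"}),
    (date(2013, 2, 1), {"sqli-2", "xss-1"}),            # sqli-1 no longer reported
    (date(2013, 3, 1), {"sqli-1", "sqli-2", "xss-2"}),  # sqli-1 resurfaced, xss-2 new
]

if __name__ == "__main__":
    for vtype, row in progress_by_type(VULNS, AS_OF).items():
        print(vtype, row)
    for point in trending(SCANS):
        print(point)
```

The resurfaced count is the one that is easy to get wrong: a vulnerability that disappears from one scan and reappears in the next is usually a regression or a scanner that failed to reproduce the issue, not a new finding, so it should neither inflate the "new" series nor be silently merged into the total.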
ThreadFix: Reporting: Monthly
• Shows trending on a per-month basis
  – Similar to the trending report
• Data series:
  – Total vulnerabilities
  – New vulnerabilities
  – Resurfaced vulnerabilities
ThreadFix: Reporting: Portfolio Tracking
• Shows consistency of scanning across the portfolio
• Broken down by criticality of the application
Recap
• A software security program is more than a tool or set of tools
  – But tools help provide automation and facilitate scale
• OpenSAMM is a maturity model that can be used as a framework for building and advancing software security programs
• Open source tools exist to support many key activities in a software security program
Conclusions / Questions
Dan Cornell
[email protected]
Twitter: @danielcornell
www.denimgroup.com
www.denimgroup.com/threadfix
code.google.com/p/threadfix
(210) 572-4400