© Copyright 2013 Denim Group - All Rights Reserved

Running a Software Security Program on Open Source Tools
Dan Cornell, CTO, Denim Group, @danielcornell

Running a Software Security Program with Open Source Tools (Course)



My Background

•  Dan Cornell, founder and CTO of Denim Group

•  Software developer by background (Java, .NET, etc)

•  OWASP San Antonio


Denim Group Background

•  Secure software services and products company
–  Builds secure software
–  Helps organizations assess and mitigate risk of in-house developed and third party software
–  Provides classroom training and e-Learning so clients can build software securely
•  Software-centric view of application security
–  Application security experts are practicing developers
–  Development pedigree translates to rapport with development managers
–  Business impact: shorter time-to-fix application vulnerabilities
•  Culture of application security innovation and contribution
–  Develops open source tools to help clients mature their software security programs
•  Remediation Resource Center, ThreadFix
–  OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI
–  World class alliance partners accelerate innovation to solve client problems


Course Abstract

Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachni, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.


Agenda

•  So You Want To Roll Out a Software Security Program?
•  Software Assurance Maturity Model (OpenSAMM)
•  Components Of Your Software Security Program
–  Governance
–  Construction
–  Verification
–  Deployment
•  Conclusions / Questions


So You Want To Roll Out a Software Security Program?

•  Great!

•  What a software security program ISN’T
–  Question: “What are you doing to address software security concerns?”
–  Answer: “We bought scanner XYZ”
•  What a software security program IS
–  People, process, tools (naturally)
–  Set of activities intended to repeatedly produce appropriately-secure software


Challenges Rolling Out Software Security Programs

•  Resources
–  Raw budget and cost issues
–  Level of effort issues
•  Resistance: requires organizational change
–  Apparently people hate this
•  Open source tools
–  Can help with raw budget issues
–  May exacerbate problems with level of effort
•  View the rollout as a multi-stage process
–  Not one magical effort
–  Use short-term successes and gains to fuel further change


Let’s Create the Class Virtual Machine

•  Get VirtualBox if you do not already have it
–  https://www.virtualbox.org/
•  Get the Ubuntu image if you do not already have it
–  http://www.ubuntu.com/
–  ubuntu-13.10-desktop-i386.iso

•  Run VirtualBox

•  Click “New”


Creating the VM

•  Name:
–  Whatever
–  I called mine “OWASP_Course”
•  Type: Linux
•  Version: Ubuntu
•  Memory Size:
–  I used 4096 MB
–  More is better. If you use less you might have issues
•  Hard Drive:
–  Create a virtual hard drive now


Creating the VM

•  Hard Drive File Type
–  Whatever
–  I used “VDI (VirtualBox Disk Image)”
•  Storage on Physical Hard Drive
–  Whatever
–  I used “Dynamically allocated”
•  File Location and Size:
–  I used “OWASP_Course”
–  I used 16 GB. More is better. (Default 8 GB is NOT enough)


Install the OS

•  Click “Start”
•  Select the Ubuntu ISO image

•  Select “Install Ubuntu”

•  Click “Download updates while installing”

•  Select “Erase disk and install Ubuntu”


Install the OS

•  Set your location and keyboard type

•  Enter user info

•  Wait

•  Reboot

•  Congratulations!

•  (Do yourself a favor and put a terminal icon on the launcher)


Software Assurance Maturity Model (OpenSAMM)

•  Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
•  Useful for:
–  Evaluating an organization’s existing software security practices
–  Building a balanced software security program in well-defined iterations
–  Demonstrating concrete improvements to a security assurance program
–  Defining and measuring security-related activities within an organization

•  Main website:

–  http://www.opensamm.org/


Using OpenSAMM You Can…

•  Evaluate an organization’s existing software security practices
•  Build a balanced software security assurance program in well-defined iterations
•  Demonstrate concrete improvements to a security assurance program
•  Define and measure security-related activities throughout an organization

[This slide content © Pravir Chandra]


Review of Existing Secure SDLC Efforts

[This slide content © Pravir Chandra]


CLASP

•  Comprehensive, Lightweight Application Security Process

–  Centered around 7 AppSec Best Practices

–  Cover the entire software lifecycle (not just development)

•  Adaptable to any development process

–  Defines roles across the SDLC

–  24 role-based process components

–  Start small and dial-in to your needs

[This slide content © Pravir Chandra]


Microsoft SDL

•  Built internally for MS software
•  Extended and made public for others
•  MS-only versions since public release

[This slide content © Pravir Chandra]


Touchpoints

•  Gary McGraw’s and Cigital’s model

[This slide content © Pravir Chandra]


Lessons Learned

•  Microsoft SDL

–  Heavyweight, good for large ISVs

•  Touchpoints

–  High-level, not enough details to execute against

•  CLASP

–  Large collection of activities, but no priority ordering

•  ALL: Good for experts to use as a guide, but hard for non-security folks to use off the shelf

[This slide content © Pravir Chandra]


Drivers for a Maturity Model

•  An organization’s behavior changes slowly over time

–  Changes must be iterative while working toward long-term goals

•  There is no single recipe that works for all organizations

–  A solution must enable risk-based choices tailored to the organization

•  Guidance related to security activities must be prescriptive

–  A solution must provide enough details for non-security-people

•  Overall, must be simple, well-defined, and measurable

[This slide content © Pravir Chandra]


Therefore, a Viable Model Must...

•  Define building blocks for an assurance program

–  Delineate all functions within an organization that could be improved over time

•  Define how building blocks should be combined

–  Make creating change in iterations a no-brainer

•  Define details for each building block clearly

–  Clarify the security-relevant parts in a widely applicable way (for any org doing software dev)

[This slide content © Pravir Chandra]


Understanding the Model

[This slide content © Pravir Chandra]


SAMM Business Functions

•  Start with the core activities tied to any organization performing software development

•  Named generically, but should resonate with any developer or manager

[This slide content © Pravir Chandra]


SAMM Security Practices

•  From each of the Business Functions, 3 Security Practices are defined

•  The Security Practices cover all areas relevant to software security assurance

•  Each one is a ‘silo’ for improvement

[This slide content © Pravir Chandra]


Under Each Security Practice

•  Three successive Objectives under each Practice define how it can be improved over time

–  This establishes a notion of a Level at which an organization fulfills a given Practice

•  The three Levels for a Practice generally correspond to:

–  (0: Implicit starting point with the Practice unfulfilled)

–  1: Initial understanding and ad hoc provision of the Practice

–  2: Increase efficiency and/or effectiveness of the Practice

–  3: Comprehensive mastery of the Practice at scale

[This slide content © Pravir Chandra]


Check Out This One...

[This slide content © Pravir Chandra]


Per Level, SAMM Defines...

•  Objective

•  Activities

•  Results

•  Success Metrics

•  Costs

•  Personnel

•  Related Levels

[This slide content © Pravir Chandra]


Approach to Iterative Improvement

•  Since the twelve Practices are each a maturity area, the successive Objectives represent the “building blocks” for any assurance program

•  Simply put, improve an assurance program in phases by:

1. Select security Practices to improve in next phase of assurance program

2. Achieve the next Objective in each Practice by performing the corresponding Activities at the specified Success Metrics

[This slide content © Pravir Chandra]


Applying the Model

[This slide content © Pravir Chandra]


Conducting Assessments

•  SAMM includes assessment worksheets for each Security Practice

[This slide content © Pravir Chandra]


Assessment Process

•  Supports both lightweight and detailed assessments

•  Organizations may fall in between levels (+)

[This slide content © Pravir Chandra]


Creating Scorecards

•  Gap analysis

–  Capturing scores from detailed assessments versus expected performance levels

•  Demonstrating improvement

–  Capturing scores from before and after an iteration of assurance program build-out

•  Ongoing measurement

–  Capturing scores over consistent time frames for an assurance program that is already in place
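The three scorecard uses above (gap analysis, demonstrating improvement, ongoing measurement) all reduce to subtracting one set of per-practice levels from another. The program below is an added illustration, not code from the OpenSAMM project or the course materials. The practice names are the twelve SAMM 1.0 Security Practices; the sample scores are constructed, and recording a "between levels" (+) rating as a half step such as 1.5 is an assumption of this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example: a minimal SAMM scorecard. Levels run 0..3 per Security
// Practice; an organization assessed "between levels" (the "+" rating) is
// recorded as a half step such as 1.5. That encoding is an assumption here.
public class SammScorecard {

    // The twelve Security Practices of SAMM 1.0, three per Business Function.
    static final String[] PRACTICES = {
        "Strategy & Metrics", "Policy & Compliance", "Education & Guidance",          // Governance
        "Threat Assessment", "Security Requirements", "Secure Architecture",          // Construction
        "Design Review", "Code Review", "Security Testing",                           // Verification
        "Vulnerability Management", "Environment Hardening", "Operational Enablement" // Deployment
    };

    static double checkLevel(String practice, double level) {
        boolean onHalfStep = (level * 2) == Math.floor(level * 2);
        if (level < 0 || level > 3 || !onHalfStep) {
            throw new IllegalArgumentException(practice + ": level must be 0..3 in half steps, got " + level);
        }
        return level;
    }

    // Gap analysis: distance from each assessed level to the expected (target) level.
    static Map<String, Double> gap(Map<String, Double> assessed, Map<String, Double> target) {
        Map<String, Double> out = new LinkedHashMap<>();
        for (String p : PRACTICES) {
            double have = checkLevel(p, assessed.getOrDefault(p, 0.0));
            double want = checkLevel(p, target.getOrDefault(p, 0.0));
            out.put(p, Math.max(0.0, want - have));
        }
        return out;
    }

    // Improvement: change between two assessments (before/after an iteration of
    // program build-out, or two consecutive measurement periods). A negative
    // value flags a practice that regressed.
    static Map<String, Double> delta(Map<String, Double> before, Map<String, Double> after) {
        Map<String, Double> out = new LinkedHashMap<>();
        for (String p : PRACTICES) {
            out.put(p, checkLevel(p, after.getOrDefault(p, 0.0)) - checkLevel(p, before.getOrDefault(p, 0.0)));
        }
        return out;
    }

    static void print(String title, Map<String, Double> scores) {
        System.out.println("== " + title + " ==");
        scores.forEach((p, v) -> System.out.printf("%-26s %+.1f%n", p, v));
    }

    // Helper so the constructed sample data stays readable: one value per practice, in order.
    static Map<String, Double> levels(double... values) {
        Map<String, Double> m = new LinkedHashMap<>();
        for (int i = 0; i < PRACTICES.length; i++) m.put(PRACTICES[i], values[i]);
        return m;
    }

    public static void main(String[] args) {
        // Constructed sample: a first assessment, the roadmap target for the
        // next phase, and a re-assessment after that phase.
        Map<String, Double> first  = levels(1, 0, 0.5, 0, 1, 0, 0,   1, 1.5, 1, 0.5, 0);
        Map<String, Double> target = levels(2, 1, 1,   1, 1, 1, 1,   2, 2,   2, 1,   1);
        Map<String, Double> second = levels(2, 1, 1,   1, 1, 1, 0.5, 2, 2,   2, 1,   0.5);

        print("Gap analysis (target - first)", gap(first, target));
        print("Improvement (second - first)", delta(first, second));
        print("Remaining gap (target - second)", gap(second, target));
    }
}
```

Run it as a single-file program (`java SammScorecard.java` on Java 11 or later, or compile with `javac` first). Keeping the assessed levels as data separate from the arithmetic is what lets the same routine serve all three uses: swap in a roadmap template as the target for gap analysis, or two dated assessments for ongoing measurement.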

[This slide content © Pravir Chandra]


Roadmap Templates

•  To make the “building blocks” usable, SAMM defines Roadmap templates for typical kinds of organizations

–  Independent Software Vendors

–  Online Service Providers

–  Financial Services Organizations

–  Government Organizations

•  Organization types chosen because

–  They represent common use-cases

–  Each organization has variations in typical software-induced risk

–  Optimal creation of an assurance program is different for each

[This slide content © Pravir Chandra]


Building Assurance Programs

[This slide content © Pravir Chandra]


Case Studies

•  A full walkthrough with prose explanations of decision-making as an organization improves

•  Each Phase described in detail

– Organizational constraints

– Build/buy choices

•  One case study exists today, several more in progress using industry partners

[This slide content © Pravir Chandra]


Exploring the Model’s Levels and Activities

[This slide content © Pravir Chandra]


The SAMM 1.0 release

[This slide content © Pravir Chandra]


SAMM and the Real World

[This slide content © Pravir Chandra]


SAMM History

•  Beta released August 2008
–  1.0 released March 2009

•  Originally funded by Fortify

–  Still actively involved and using this model

•  Released under a Creative Commons Attribution Share-Alike license

•  Donated to OWASP and is currently an OWASP project

[This slide content © Pravir Chandra]


Expert Contributions

•  Built based on collected experiences with 100’s of organizations

–  Including security experts, developers, architects, development managers, IT managers

[This slide content © Pravir Chandra]


Industry Support

•  Several more case studies underway

[This slide content © Pravir Chandra]


The OpenSAMM Project

•  http://www.opensamm.org

•  Dedicated to defining, improving, and testing the SAMM framework

•  Always vendor-neutral, but lots of industry participation

–  Open and community driven

•  Targeting new releases every 6-12 months

•  Change management process

–  SAMM Enhancement Proposals (SEP)

[This slide content © Pravir Chandra]


OpenSAMM Resources

•  Nick Coblentz - SAMM Assessment Interview Template (xls/googledoc)

•  Christian Frichot - SAMM Assessment Spreadsheet (xls)

•  Colin Watson - Roadmap Chart Template (xls)

•  Jim Weiler - MS Project Plan Template (mpp)
•  Denim Group – ThreadFix (web application)

[This slide content © Pravir Chandra]


Quick Recap on Using SAMM

•  Evaluate an organization’s existing software security practices
•  Build a balanced software security assurance program in well-defined iterations
•  Demonstrate concrete improvements to a security assurance program
•  Define and measure security-related activities throughout an organization

[This slide content © Pravir Chandra]


Discussion: Tools

•  Commercial tools in use?
•  Free / open source tools in use?
•  What tool implementations have been successful?
•  What tool implementations have been less successful?
•  Why?
•  What is your interest in using open source tools for software security?


Why Use Free / Open Source Tools?

•  They’re FREE!
–  No per-user license fees
•  Can be customized
–  Don’t like the way a feature works – improve it!
•  Community support
–  Not a tremendous amount of public resources for commercial tools


Potential Disadvantages of Free Tools

•  Often less mature than commercial analogs
–  Application and software security are new when compared to other disciplines
–  Open source tools lag in a number of areas
•  Task-focused rather than program-focused
–  Geared toward testing a single application rather than a portfolio of applications


Discussion: Organizational Concerns

•  Does your organization allow the use of open source tools?
•  What restrictions are placed on the use of free / open source tools?
–  Only certain licenses allowed
–  Each tool / library must have a sponsor


Open Source Tool Usage – Best Practices

•  Reach out to the project lead / development community
–  How responsive are they?
–  Good to have a relationship for escalating issues
•  Consider commercial support
–  If available
–  When it makes sense
•  Give back
–  Installation instructions for your platform(s)
–  Other documentation opportunities
–  Code updates – if possible / desirable


ThreadFix - Overview

•  ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
•  Freely available under the Mozilla Public License (MPL)
•  Hosted at Google Code: http://code.google.com/p/threadfix/


ThreadFix - Installation

•  2.0M1 Available as ZIP archive
–  Including ThreadFix, Apache Tomcat and HSQL database
–  Designed for easy installation
–  Limited performance and capacity
•  1.2 Available as a pre-installed Linux VM
–  Including ThreadFix, Apache Tomcat and MySQL database
–  Can also be custom-installed


ThreadFix - Installation

•  Pre-requisites (for your xubuntu VM)
–  Java 1.7 JRE installed via:
    •  sudo apt-get install openjdk-7-jre
    •  java -version
•  Instructions (from ~/Desktop/WorkingDir):
–  Unzip ThreadFix
    •  unzip ~/Downloads/ThreadFix_2_0M1.zip
–  Make threadfix.sh executable
    •  cd ThreadFix
    •  chmod u+x threadfix.sh
–  Set JAVA_HOME environment variable
    •  export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-i386
–  Run ThreadFix
    •  ./threadfix.sh start
–  Open ThreadFix via browser
    •  Navigate to https://localhost:8443/threadfix (you will have to confirm the HTTPS exception)


ThreadFix – Usage (The Basics)

•  Create a Team
–  Login with credentials “user” and “password”
–  Click “Get started” link
–  Create a Team called “My Team”
•  Create an Application
–  Click “Add Application”
–  Create an Application called “My Application”
–  Use URL http://www.myapp.com/ and criticality “Low”
–  Don’t worry about “Defect Tracker” or “WAF” right now
•  Upload a Scan for the Application
–  Click “Upload Scan”
–  Upload file WorkingDir/ThreadFix/test-scans/w3af-demo-site.xml


OpenSAMM: Governance

•  Strategy and Metrics
•  Policy and Compliance
•  Education and Guidance


Governance: Strategy and Metrics

•  Overall strategic direction of the assurance program
•  How are processes instrumented?
•  How are measurements taken?


ThreadFix: Reporting

•  Can be done at multiple levels:
–  Enterprise-wide
–  Team
–  Individual application
•  Reports for:
–  Vulnerability count trending
–  Progress – vulnerability resolution and timelines
–  Scanner effectiveness
–  Frequency of scanning across the portfolio
•  Will revisit ThreadFix reporting later in the course for examples
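To make the "how are measurements taken?" question from the Strategy and Metrics slide concrete, the program below computes the four report types listed above from a handful of merged scan findings. It is an added illustration, not ThreadFix code: the `Finding` model, the sample application names and the scan dates are constructed for this example, and the scanner names are simply tools from the course's own list.

```java
import java.time.LocalDate;
import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

// Added example (not ThreadFix code): trend, progress, scanner-effectiveness
// and scan-frequency figures derived from aggregated scan results. A Finding
// is one vulnerability as merged across scans: first seen on some scan date
// and, if it later stopped appearing, closed on that later date.
public class VulnMetrics {

    static final class Finding {
        final String app, scanner, type;
        final LocalDate opened;
        final LocalDate closed; // null while still open
        Finding(String app, String scanner, String type, LocalDate opened, LocalDate closed) {
            this.app = app; this.scanner = scanner; this.type = type;
            this.opened = opened; this.closed = closed;
        }
        boolean openOn(LocalDate day) {
            return !opened.isAfter(day) && (closed == null || closed.isAfter(day));
        }
    }

    // Vulnerability count trending: findings still open on each scan date.
    static TreeMap<LocalDate, Integer> openTrend(List<Finding> findings, List<LocalDate> scanDates) {
        TreeMap<LocalDate, Integer> trend = new TreeMap<>();
        for (LocalDate d : scanDates) {
            int open = 0;
            for (Finding f : findings) if (f.openOn(d)) open++;
            trend.put(d, open);
        }
        return trend;
    }

    // Progress: mean days from first report to closure, over closed findings only.
    static double meanDaysToClose(List<Finding> findings) {
        long days = 0; int n = 0;
        for (Finding f : findings) {
            if (f.closed != null) { days += ChronoUnit.DAYS.between(f.opened, f.closed); n++; }
        }
        return n == 0 ? 0.0 : (double) days / n;
    }

    // Scanner effectiveness: how many of the merged findings each scanner reported.
    static Map<String, Integer> findingsByScanner(List<Finding> findings) {
        Map<String, Integer> counts = new TreeMap<>();
        for (Finding f : findings) counts.merge(f.scanner, 1, Integer::sum);
        return counts;
    }

    // Scan frequency across the portfolio: days since each application's most
    // recent scan (-1 if it has never been scanned), which surfaces neglected apps.
    static Map<String, Long> daysSinceLastScan(Map<String, List<LocalDate>> scansByApp, LocalDate today) {
        Map<String, Long> out = new TreeMap<>();
        for (Map.Entry<String, List<LocalDate>> e : scansByApp.entrySet()) {
            List<LocalDate> dates = e.getValue();
            out.put(e.getKey(), dates.isEmpty() ? -1L : ChronoUnit.DAYS.between(Collections.max(dates), today));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data, not real scan output.
        LocalDate s1 = LocalDate.of(2013, 9, 2), s2 = LocalDate.of(2013, 10, 7), s3 = LocalDate.of(2013, 11, 4);
        List<Finding> findings = new ArrayList<>();
        findings.add(new Finding("My Application", "w3af", "SQL Injection", s1, s2));
        findings.add(new Finding("My Application", "w3af", "Cross-site Scripting", s1, null));
        findings.add(new Finding("My Application", "ZAProxy", "Cross-site Scripting", s2, s3));
        findings.add(new Finding("My Application", "Arachni", "Path Traversal", s2, null));

        Map<String, List<LocalDate>> scans = new TreeMap<>();
        scans.put("My Application", Arrays.asList(s1, s2, s3));
        scans.put("Legacy Portal", Arrays.asList(LocalDate.of(2013, 6, 3)));
        scans.put("New Intranet App", new ArrayList<LocalDate>());

        System.out.println("Open findings per scan: " + openTrend(findings, scans.get("My Application")));
        System.out.printf("Mean days to close: %.1f%n", meanDaysToClose(findings));
        System.out.println("Findings per scanner: " + findingsByScanner(findings));
        System.out.println("Days since last scan: " + daysSinceLastScan(scans, s3));
    }
}
```

The one design choice worth noticing is that every figure is computed from the open/closed dates of merged findings rather than from raw per-scan counts; that is what makes "resolution timelines" and "is this scanner finding things the others miss?" answerable at all, and it is why the merge step in an aggregation tool matters more than the reporting step.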


Governance: Policy and Compliance

•  What compliance regimes are your organizations and applications subject to?
–  PCI
–  HIPAA
–  SOX
•  What policies will you put in place to meet these obligations?


Governance: Education and Guidance

•  Software security requires the input of a variety of stakeholders
•  Software security is a relatively new area of study
–  Many of the involved parties (e.g. software developers) have never been exposed to it
•  You cannot hold people responsible if they have not been properly trained


Governance: Education and Guidance

•  Variety of potential consumers
–  Executives / Management
–  Developers
–  Quality Assurance (QA)
–  Security Testers
•  Need for information at several levels
–  Introduction / overview
–  Topic-specific
–  Technology-specific
•  Several ways to deliver guidance and training
–  Self-serve portal
–  Instructor-led training
–  E-Learning


OWASP Development Guide

•  Provides guidance to developers on how to build secure applications
•  Attempts to cover broad topics with some technology-specific examples
•  Several translations: English, Spanish, Japanese
•  Originally released in 2001, revised in 2005
–  Somewhat dated
•  Currently undergoing a significant rewrite
•  Main site: https://www.owasp.org/index.php/OWASP_Guide_Project


OWASP Cheat Sheets

•  Provide targeted, consumable guidance on specific topics or technologies
–  Authentication
–  Transport layer protection
–  Input validation
–  Session management
–  And so on…
•  Tend to be “fresher” than the related sections in the Development Guide
–  Also easier to provide to developers for use
•  Main site: https://www.owasp.org/index.php/Cheat_Sheets


OWASP Secure Coding Practices Quick Reference Guide

•  Technology agnostic set of general software security coding practices
•  Consumable
–  ~17 pages long
–  Checklist format
•  Main site: https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide


OWASP Secure Coding Practices Quick Reference Guide

•  Covered topics:
–  Input validation
–  Output encoding
–  Authentication and password management
–  Session management
–  Access control
–  Cryptographic practices
–  Error handling and logging
–  Data protection
–  Communication security
–  Database security
–  File management
–  Memory management
–  General coding practices


OWASP WebGoat - Overview

•  Deliberately insecure JEE web application
•  Presented as a series of lessons
–  SQL injection
–  Cross-site Scripting (XSS)
–  Cross-site Request Forgery (CSRF)
–  Hidden form manipulation
–  And so on…
•  Main site: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project


OWASP WebGoat - Installation

•  Available as a self-contained ZIP archive
–  WebGoat, Apache Tomcat
•  Instructions (from ~/Desktop/WorkingDir):
–  Unzip WebGoat
    •  unzip ~/Downloads/WebGoat-5.4-OWASP_Standard_Win32.zip
–  Make webgoat.sh executable
    •  cd WebGoat-5.4/
    •  chmod u+x webgoat.sh
–  Make one tiny little cheating change in webgoat.sh
    •  Delete lines 20 and 24 to short-circuit the JVM version checking
–  Run WebGoat
    •  ./webgoat.sh start8080
    •  Could also run “./webgoat.sh start80” to start on port 80
–  Navigate to http://localhost:8080/WebGoat/attack (case matters)


OWASP WebGoat - Usage

•  WebGoat consists of different “lessons” to be passed
–  Each demonstrates a vulnerability or some other aspect of web application security
•  Hints – Show hints about how to solve the lesson
•  Show Params – Toggle rendering request parameters in the page
•  Show Cookies – Toggle rendering request cookies in the page
•  Lesson Plan – Explain the purpose of the lesson
•  Show Java – Show the Java source code of the lesson in a window
•  Solution – Show the solution to the lesson in a window


WebGoat - Example

•  Navigate to General -> Http Basics
•  Click on:
–  Hints
–  Show Params
–  Show Cookies
–  Lesson Plan
–  Show Java
–  Solution
•  Enter your name in the field and click “Go!”
•  Navigate to Admin Functions -> Report Card
–  Shows lessons completed, hints used


wavsep - Overview

•  Web Application Vulnerability Scanner Evaluation Project (wavsep)
•  “A vulnerable web application designed to help assessing the features, quality and accuracy of web application vulnerability scanners. This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners”
•  Used for many benchmarks. Check out http://sectooladdict.blogspot.co.il/2012/07/2012-web-application-scanner-benchmark.html
•  Main site: http://code.google.com/p/wavsep/


wavsep - Installation

•  Install MySQL (wavsep uses it as its database)
–  sudo apt-get install mysql-server
•  Install wavsep
–  unzip wavsep-v1.2-war-linux.zip
–  Copy wavsep.war into WebGoat-5.4/tomcat/webapps/ directory
–  http://localhost:8080/wavsep/wavsep-install/install.jsp


wavsep - Usage

•  Navigate your browser to http://localhost:8080/wavsep/
•  Run scanners against the various subdirectories / URLs
–  There are no actual links to /wavsep/index-active.jsp and /wavsep/index-passive.jsp
–  You will need to let the scanners know they are there


OpenSAMM: Construction

•  Threat Assessment
•  Security Requirements
•  Secure Architecture


Construction: Threat Assessment

•  Identify and characterize potential attacks
•  These will determine investment level and required countermeasures
•  WHO do you need to be worried about?
–  Nation-states
–  Chaotic actors
–  Organized crime
–  And so on…


Construction: Security Requirements

•  Up-front determination of required security properties of the system
•  Drive future activities


Construction: Secure Architecture

•  Use the design process to:
–  Build in security controls
–  Avoid injecting security issues
•  Threat modeling
•  Architectural risk analysis


ESAPI - Overview

•  Enterprise Security API (ESAPI)
•  Open source web application security control library
•  Several languages available: JavaEE, .NET, PHP, Classic ASP, etc
–  WIDE variation in maturity and support
–  Stick to Java unless you are very brave (and even then)
•  Main site: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API


ESAPI – Installation (Java)

•  Instructions (from ~/Desktop/WorkingDir):
–  Create a container directory and relocate there
    •  mkdir ESAPI
    •  cd ESAPI
–  Unpack
    •  tar xzvf ~/Downloads/esapi-2.0.1-dist.tar.gz
–  To use in a project, copy the ESAPI and its supporting JARs into your lib/ directory
    •  You might not need servlet-api-2.4.jar if your project already contains those classes
–  Set up ESAPI.properties file
    •  Logging configuration
    •  Encryption master keys
•  See documentation/esapi4java-core-2.0-install-guide.pdf
–  Use in specific build systems and development environments
–  Step-by-step instructions


Exercise: Fixing XSS Vulnerabilities with ESAPI

•  To Use:
–  Follow the installation guide
–  Must create a folder (.esapi) to store your configuration and preferences
•  Get access to library:
–  Add all the support jars (31) to your project
–  Remove repeated jars
–  Add esapi-2.0_rc10.jar to your project
–  <%@ page import="org.owasp.esapi.ESAPI, org.owasp.esapi.Encoder" %>
•  Make calls to encode tainted data:
–  ESAPI.encoder().encodeForHTML()
–  ESAPI.encoder().encodeForHTMLAttribute()
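What the two encoder calls above look like in place, with the defect beside the fix. This is an added example written for this page, a hypothetical servlet rather than code from the course or from the ESAPI project; it assumes the ESAPI JAR and its supporting JARs are on the classpath and that ESAPI.properties has been set up as the installation guide describes, since `ESAPI.encoder()` reads that file on first use.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

// Added example: hypothetical servlet (not from the course or ESAPI) that
// echoes a "name" request parameter into a page. Assumes ESAPI.properties is
// configured; ESAPI.encoder() fails at runtime without it.
public class GreetingServlet extends HttpServlet {

    // BEFORE: the parameter is written into the page body and into an
    // attribute value unchanged, so a crafted "name" is reflected XSS.
    static String renderUnsafe(String name) {
        return "<p>Hello, " + name + "</p>\n"
             + "<input type=\"text\" name=\"name\" value=\"" + name + "\">";
    }

    // AFTER: each sink gets the encoder for its own context. Body text uses
    // encodeForHTML; a quoted attribute value uses encodeForHTMLAttribute.
    // Encoding only one of the two sinks, or using the wrong encoder for a
    // context, leaves the other sink exposed.
    static String renderSafe(String name) {
        Encoder enc = ESAPI.encoder();
        return "<p>Hello, " + enc.encodeForHTML(name) + "</p>\n"
             + "<input type=\"text\" name=\"name\" value=\""
             + enc.encodeForHTMLAttribute(name) + "\">";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name");
        if (name == null) name = "";
        resp.setContentType("text/html; charset=UTF-8");
        resp.getWriter().println(renderSafe(name));
    }
}
```

In a JSP, after the `<%@ page import=... %>` directive shown on the slide, the same fix is the expression `<%= ESAPI.encoder().encodeForHTML(request.getParameter("name")) %>` in place of the raw parameter. The review habit this exercise builds is to ask, for every output sink, which context it lands in (body, attribute, JavaScript, URL) and to pick the matching `encodeFor*` method; a single "encode everything as HTML" pass is not enough for script or URL contexts.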


ESAPI – Possible Challenges (Java)

•  ESAPI Java has a LOT of dependencies (~30 JARs)

•  Can cause configuration management and licensing issues for some organizations

•  Potential versioning issues


Microsoft Web Protection Library - Overview

•  Set of .NET assemblies which help protect web applications
•  AntiXSS encoding library
–  Encoding functions for HTML, HTML attributes, XML, etc
•  HTML sanitization routines (for “safely” accepting rich content)
•  Security Runtime Engine (SRE)
–  Provides runtime protection against SQL injection and Cross-Site Scripting (XSS)
•  Sites:
–  http://wpl.codeplex.com/
–  https://www.microsoft.com/en-us/download/details.aspx?id=28589


Microsoft Web Protection Library - Cautions

•  A security vulnerability was identified in the 4.0 release
•  There have been complaints about the HTML sanitization in the 4.2.1 release being broken with little follow-up from Microsoft
•  Older (WPL 4.0) binaries should be available from http://ajaxcontroltoolkit.codeplex.com/releases/view/76976


Microsoft Web Protection Library - Installation

•  Run the MSI installer
•  To use:
–  Import reference to AntiXSS.dll (optionally include HtmlSanitizationLibrary.dll)
    •  Found in C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.0
–  Get access to library:
    •  In code:
        –  using Microsoft.Security.Application;
    •  In ASPX page:
        –  <%@ Import Namespace="Microsoft.Security.Application" %>
–  Make call to encode tainted data:
    •  AntiXss.HtmlEncode()
    •  AntiXss.HtmlAttributeEncode()
    •  And so on…


OpenSAMM: Verification

•  Design Review
•  Code Review
•  Security Testing


Application Security Assessments

•  The challenges and goals of an assessment
•  What an assessment must accomplish
•  The assessment approach
–  Identification
–  Baseline Review and Testing
–  Threat Identification
–  Targeted Review and Testing
–  Reporting


The Challenges and Goals of Software Assessments

•  Identify the application’s vulnerabilities and the risks they entail

•  Provide the greatest value for the time spent

•  Provide application owners with detailed vulnerability reports and remediation recommendations

–  Provide actionable reports to the application team


How Assessors can Support Those Goals

•  Strategic Message
–  The assessments must be conducted efficiently, with the majority of the time spent on performing the assessments. This will increase the coverage of the assessments and the depth and quality of the product delivered to the application owners. Scheduling and preparation of assessments should be conducted in an almost production-line approach.
•  Testing must...
–  Be integral to the development team’s own ongoing efforts
–  Cover the “breadth” and “depth” of the functionality
–  Reflect experience with the technology and business
•  Reporting must…
–  Clearly communicate risk, both business and technical
–  Allow trouble-free integration with the business strategic assets
–  Guide and justify remediation efforts


The Output of an Assessment Engagement Should…

•  Summarize vulnerability discoveries and known risk
•  Provide adequate detail about discovered vulnerabilities
–  Where in the application behavior or code the vulnerability resides
–  The implied security risk
–  Any mitigating factors for exploitation
    •  Requires high-level credentials to exploit
    •  Requires social engineering to exploit
    •  etc.
•  Rate the vulnerabilities to help prioritize remediation
–  DREAD works well for this as it accounts for damage potential, reproducibility, affected users, etc.
•  Provide remediation criteria and recommended approaches

85

The General Assessment Approach

•  Identification
   –  Help identify what applications have highest priority to assess
•  Preparation
   –  Obtain requisite code and/or access
•  Threat Modeling
   –  Data flow, functional security, abuse cases
•  Baseline Review and Testing
   –  Account for risks inherent to the technology and common features
   –  Commercial scanning tools with manual auditing
•  Targeted Testing
   –  Account for identified threats, data flow, abuse cases
   –  Follow up with suspect behavior in the baseline review and testing
•  Reporting
   –  Rate vulnerabilities
   –  Provide remediation recommendations

86

Verification: Design Review

•  Incorporate security into review of architecture/design materials
•  Were the previous assurance activities successful?

87

Microsoft Threat Analysis and Modeling Tool - Overview

•  Create threat models for your applications
•  Identify potential issues
•  Plan for mitigations
•  Requires Visio 2007 or 2010
•  Main site: http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx

88

Microsoft Threat Analysis and Modeling Tool - Installation

•  Run ThreatModelingToolSetup318.msi
•  Software should be installed to C:\Program Files\Microsoft\SDL Threat Modeling Tool\

89

Microsoft Threat Analysis and Modeling Tool - Example

•  Create a Threat Model for a mobile application

90

Approaches for Identifying Threats

•  Use Cases for Business
   –  Useful for identifying flaws with specific application features
•  Data Flow for Architecture
   –  What threats can we identify looking at the application’s data flow?
   –  The whole system’s data stores, services, processes, etc.
   –  The interaction among those components
•  Functional Security
   –  Here are the security features. How could an attacker defeat them?
•  Attacker’s Goals for Threat Trees
   –  If you are an attacker, what would you want to accomplish?
   –  How would you go about achieving the malicious goal?
   –  Useful for identifying any erroneous security assumptions
•  No one approach is perfect; these are essentially brainstorming techniques

91

Mapping Threats to Data Flow Asset Types

Threat Type                   External Interactor   Process   Data Flow   Data Store
S – Spoofing                  Yes                   Yes
T – Tampering                                       Yes       Yes         Yes
R – Repudiation               Yes                   Yes                   Yes
I – Information Disclosure                          Yes       Yes         Yes
D – Denial of Service                               Yes       Yes         Yes
E – Elevation of Privilege                          Yes

92

Typical Mobile Threats

•  Spoofing: Users to the Mobile Application
•  Spoofing: Web Services to Mobile Application
•  Tampering: Mobile Application
•  Tampering: Device Data Stores
•  Disclosure: Device Data Stores or Residual Data
•  Disclosure: Mobile Application to Web Service
•  Denial of Service: Mobile Application
•  Elevation of Privilege: Mobile Application or Web Services

[Data flow diagram: User, Mobile Application, Mobile Web Services, Local App Storage, Device Keychain, Main Site Pages]
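The mapping table and the mobile threat list above can be mechanised: applying STRIDE-per-element to each element of the mobile data-flow diagram yields a candidate threat list, and comparing it with the threats already written down shows what the brainstorming missed (the "erroneous security assumptions" the approaches slide warns about). The following is an added example, not code from the course or from Microsoft's tool; the element names and the documented threats are taken from the slides, while the wiring of the data flows between them is an assumption.

```python
"""STRIDE-per-element enumeration over a small mobile data-flow diagram."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Threat categories, keyed by their STRIDE letter.
STRIDE: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Which categories apply to each DFD element type (the mapping table on the slide).
APPLICABLE: Dict[str, FrozenSet[str]] = {
    "external_interactor": frozenset("SR"),
    "process": frozenset("STRIDE"),
    "data_flow": frozenset("TID"),
    "data_store": frozenset("TRID"),
}

Threat = Tuple[str, str]  # (category name, element name)


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # a key of APPLICABLE

    def __post_init__(self) -> None:
        if self.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element type: {self.kind}")


def data_flow(src: Element, dst: Element) -> Element:
    """Model the flow between two elements as a DFD element in its own right."""
    return Element(f"{src.name} -> {dst.name}", "data_flow")


def enumerate_threats(elements: Iterable[Element]) -> List[Threat]:
    """One candidate threat per (applicable category, element), in STRIDE order."""
    return [
        (STRIDE[letter], element.name)
        for element in elements
        for letter in sorted(APPLICABLE[element.kind], key="STRIDE".index)
    ]


def undocumented_threats(elements: Iterable[Element], documented: Set[Threat]) -> List[Threat]:
    """Candidates the model produces that the written threat list does not cover."""
    return [threat for threat in enumerate_threats(elements) if threat not in documented]


# Constructed DFD following the "Typical Mobile Threats" slide (wiring is assumed).
user = Element("User", "external_interactor")
app = Element("Mobile Application", "process")
services = Element("Mobile Web Services", "process")
storage = Element("Local App Storage", "data_store")
keychain = Element("Device Keychain", "data_store")

MOBILE_DFD: List[Element] = [
    user, app, services, storage, keychain,
    data_flow(user, app),
    data_flow(app, services),
    data_flow(app, storage),
    data_flow(app, keychain),
]

# The threats the slide lists, expressed as (category, element) pairs.
DOCUMENTED: Set[Threat] = {
    ("Spoofing", "User"),
    ("Spoofing", "Mobile Web Services"),
    ("Tampering", "Mobile Application"),
    ("Tampering", "Local App Storage"),
    ("Tampering", "Device Keychain"),
    ("Information Disclosure", "Local App Storage"),
    ("Information Disclosure", "Device Keychain"),
    ("Information Disclosure", "Mobile Application -> Mobile Web Services"),
    ("Denial of Service", "Mobile Application"),
    ("Elevation of Privilege", "Mobile Application"),
    ("Elevation of Privilege", "Mobile Web Services"),
}

if __name__ == "__main__":
    for category, element in enumerate_threats(MOBILE_DFD):
        print(f"{category}: {element}")
    print("\nNot covered by the written threat list:")
    for category, element in undocumented_threats(MOBILE_DFD, DOCUMENTED):
        print(f"  {category}: {element}")
```

The uncovered list is where the review should start; for this diagram it includes every repudiation threat and tampering with the flows, none of which the slide's list mentions.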

Spoofing: Users to the Mobile Application

•  Borrowed Device
•  Stolen Device
•  Other Malicious Application

[Diagram: Attacker, Local App Storage, Mobile Application, Device Keychain]

Spoofing: Attacker to Mobile Web Services

•  Attacks against Mobile Web Services

[Diagram: User, Mobile Application, Mobile Web Services, Attacker]

Spoofing: Web Services to Mobile Application

•  Borrowed Device
•  Other Malicious Application

[Diagram: User, Mobile Application, Mobile Web Services, Malicious Host]

Tampering: Mobile Application

•  Borrowed/Stolen Device
•  Other Malicious Application

[Diagram: User, Local App Storage, Tampered Application, Device Keychain]

Disclosure: Device Data Stores or Residual Data

•  Borrowed/Stolen Device
•  Malicious Application Functionality
•  Other Malicious Application
•  Attacks from Mobile Web Services

[Diagram: User, Local SQLite Storage, Mobile Application, Device Keychain]

Disclosure: Mobile Application to Web Service

•  Attacks from Local Network
•  Other Malicious Application

[Diagram: User, Mobile Application, Mobile Web Services, Attacker]

Other Data-Flow Threats

•  Denial of Service
•  Elevation of Privilege

[Diagram: User / USAA Member, Local App Storage, Mobile Application, Device Keychain, Attacker]

Verification: Code Review

•  Review software artifacts “at-rest”
•  Can be both automated and manual
•  Reach and frequency
   –  How much of your software is subject to review?
   –  How thorough is the analysis?
   –  How often is it performed?

101

Static Analysis

•  Source Code Scanning
•  Manual Code Reviews
•  Advantages
   –  Identifies flaws during integration, when it is easier to address issues
   –  Developers can identify flaws in their own code before checking it in
   –  Many projects already have a code review process in place
•  Disadvantages
   –  Freeware tools often do not address security well (specifically dataflow analysis)
   –  Licensed tools are a significant investment
   –  Manual review can be unstructured and time-consuming without licensed tools
   –  Not ideal for discovering logical vulnerabilities

102

Static Analysis Tools

•  Commercial Tools
   –  Fortify (now HP)
   –  Ounce (now IBM Rational)
   –  Checkmarx
   –  Veracode (SaaS)
•  Freeware Tools
   –  RATS/Flawfinder – C/C++, Python, PHP
   –  FindBugs – Java
   –  PMD – Java
   –  FxCop – .NET
   –  Brakeman – Ruby on Rails

103

FindBugs - Overview

•  Freely-available binary static analysis tool for Java
•  Main site: http://findbugs.sourceforge.net/

104

FindBugs - Installation

•  Instructions (from ~/Desktop/WorkingDir):
   –  Unpack the distribution
      •  tar xzvf ~/Downloads/findbugs-2.0.3-rc1.tar.gz
      •  Should unpack into findbugs-2.0.3-rc1/
•  Can also install as an Eclipse plugin:
   –  Plugin update site: http://findbugs.cs.umd.edu/eclipse

105

FindBugs – Usage (GUI)

•  Run the FindBugs GUI
   –  bin/fb gui
•  Create a new project
   –  File -> New Project
   –  Enter project name “WebGoat”
   –  Enter classpath for analysis “~/Desktop/WorkingDir/WebGoat-5.4/tomcat/webapps/WebGoat.war”
   –  Use remaining defaults and run analysis
•  Notice the error messages but ignore them for now and look through the results

106

FindBugs – Usage (GUI)

•  But can we get rid of those error messages?
•  Reconfigure the project
   –  File -> Reconfigure
   –  Add supporting JARs
      •  JARs in tomcat/bin/
      •  JARs in tomcat/lib/
      •  JARs in tomcat/webapps/WebGoat/WEB-INF/lib
   –  CAN’T JUST SELECT THE DIRECTORIES – MUST SELECT ALL THE JARS
•  Re-run the analysis

107

FindBugs – Usage (GUI)

•  The reporting seems to be lacking details. Can we link to the source?
•  Install subversion
   –  sudo apt-get install subversion
•  Download the appropriate source code
   –  svn checkout http://webgoat.googlecode.com/svn/tags/webgoat-5.4 webgoat-src
•  Reconfigure the project
   –  File -> Reconfigure
   –  Add source directory
      •  ~/WorkingDir/WebGoat-5.4/webgoat-src/src/main/java
•  Now you should be able to see the WebGoat source files
•  Save the results as a FindBugs Project (fbp) file
   –  bin/ directory
   –  FBP files can be sensitive to relative paths if moved

108

FindBugs – Usage Notes

•  So what did we learn about FindBugs?
   –  FindBugs has to know about the binaries it is supposed to analyze
   –  FindBugs gives us better results if we include supporting libraries
   –  FindBugs gives us better reporting if we include source code
•  These lessons translate to most static analysis tools (commercial and open source)

109

FindBugs – What Has It Told Us?

•  There are lots of results
   –  But not all of them have to do with security
•  There is a Security top-level category
   –  Some good stuff in here (if perhaps a little noisy)
•  What else might we want to look at?
   –  Correctness
   –  Bad practice
   –  Malicious code vulnerability
   –  Multithreaded correctness
   –  Performance

110

FindBugs – Usage (Command Line)

•  Hopefully you saved a .fbp file via the GUI…
•  bin/fb analyze -project <projectname>
   –  Runs the same FindBugs analysis we did before but prints the results to stdout
•  bin/fb analyze -project <projectname> -xml:withMessages -output <outputfile>
   –  Runs the same FindBugs analysis we did before but stores results with human-readable descriptions in the indicated XML file
•  Documentation for command-line switches: http://findbugs.sourceforge.net/manual/running.html#commandLineOptions

111

FxCop - Overview

•  Free static analysis tool from Microsoft
•  Integrated into Visual Studio
•  Similar capabilities to FindBugs (but for .NET)
•  Blog: http://blogs.msdn.com/b/codeanalysis/

112

CAT.NET - Overview

•  Free static analysis tool from Microsoft
•  Does dataflow analysis (rare among the free tools)
•  Version 1: http://www.microsoft.com/en-us/download/details.aspx?id=19968
•  Version 2: http://blogs.msdn.com/b/securitytools/archive/2010/02/04/cat-net-2-0-beta.aspx
•  Dinis Cruz has done some interesting work with CAT.NET and O2
   –  https://www.owasp.org/index.php/OWASP_O2_Platform/Microsoft/CAT.NET
•  Plans for future development are not clear

113

Brakeman - Overview

•  Security scanner for Ruby on Rails applications
•  Static analysis
•  Finds things like SQL injection and XSS
   –  Also checks for certain CVE-type vulnerabilities
•  Main site: http://brakemanscanner.org/

114

Brakeman - Installation

•  Install prerequisites:
   –  sudo apt-get install ruby1.8
   –  sudo apt-get install rubygems
•  Install scanner:
   –  sudo gem install brakeman
•  Usage:
   –  brakeman <path-of-rails-site>
   –  brakeman -o <output-file> <path-of-rails-site>

115

Brakeman - Using

•  Try some test sites
•  But first install git:
   –  sudo apt-get install git
•  Sites to try:
   –  RailsGoat
      •  http://railsgoat.cktricky.com/
      •  git clone https://github.com/OWASP/railsgoat.git
   –  Hacme Casino
      •  git clone git://github.com/spinkham/Hacme-Casino

116

Agnitio - Overview

•  Tool for supporting manual code reviews
•  Set of checklists to verify security controls
•  Some grep-like search capabilities
•  Main site: http://sourceforge.net/projects/agnitiotool/

117

DependencyCheck – Overview

•  Checks for out-of-date JAR libraries with known CWE issues
•  Looks beyond JAR hashes
•  We used it to find a vulnerable library used by ThreadFix
   –  Apache POI library
   –  http://web.nvd.nist.gov/view/vuln/search-results?cpe=cpe%3A%2Fa%3Aapache%3Apoi%3A3.7&page_num=0&cid=1
•  Main site: https://github.com/jeremylong/DependencyCheck

118

DependencyCheck - Installation

•  Install dependencies:
   –  sudo apt-get install git (should have already done this)
   –  sudo apt-get update
   –  sudo apt-get install maven (we need Maven 3)
   –  sudo apt-get install openjdk-7-jdk (need a JDK – previously we only installed a JRE)
•  Download code:
   –  git clone git://github.com/jeremylong/DependencyCheck.git
•  Build:
   –  cd DependencyCheck
   –  mvn package

119

DependencyCheck – Example

•  Running DependencyCheck
   –  java -jar dependency-check-1.0.5-SNAPSHOT.jar -a WebGoat -out . -s <path-to-JARs>
   –  The first time it runs it needs to download NVD data from NIST, which can take a while
   –  Will attempt to check for new NVD data
•  Run against
   –  ThreadFix
   –  WebGoat
   –  OLAT
   –  Other Java-based applications

120

Verification: Security Testing

•  Runtime testing for security vulnerabilities
•  Web applications: automated scanners, web proxies
•  Other applications: fuzzing, protocol analysis

121

Dynamic Analysis

•  Integrate abuse cases into unit and automated testing
•  Use application scanning tools
•  Perform a dedicated penetration test by security staff or a 3rd party
•  Advantages
   –  Generally more time-efficient than manual code review
   –  Good for discovering logical vulnerabilities
•  Disadvantages
   –  Requires fully functional features to test
   –  Security staff may not have application security training or experience
   –  Scanning tools may have difficulty with unusual applications

122

Dynamic Analysis Tools

•  Automated Tools
   –  IBM Rational AppScan
   –  HP WebInspect
   –  Acunetix Vulnerability Scanner
   –  Netsparker
•  Manual Testing
   –  Zed Attack Proxy
   –  Burp
   –  Google RatProxy
   –  Browser plugins
   –  Testing Scripts – Watir
   –  Load and Performance testing tools – JMeter, Grinder

123

Arachni - Overview

•  Open source automated web application scanner
•  Written in Ruby
•  Can be deployed in a “grid” format for faster scanning
•  Uses several different types of analysis to identify vulnerabilities
   –  Fuzzing
   –  Taint analysis
   –  Time analysis
•  Main site: http://arachni-scanner.com/

124

Arachni – Installation

•  Unpack:
   –  tar xzvf arachni-0.4.5.2-0.4.2.1-linux-i686.tar.gz
•  Usage:
   –  arachni -h
   –  arachni http://site-to-test.com/
   –  arachni -fv http://site-to-test.com/ --report=html:outfile=my_report.html

125

w3af - Overview

•  Open source automated web application scanner
•  Written in Python
•  Main site: http://w3af.sourceforge.net/

126

w3af - Installation

•  Recommended *NIX install:
   –  git clone https://github.com/andresriancho/w3af.git
   –  cd w3af
   –  ./w3af_gui
•  Now fix the dependencies:
   –  apt-get install python-setuptools python-pip graphviz python2.7-dev libsqlite3-dev libxslt1-dev python-gtksourceview2 libxml2-dev python-pip
   –  Still need some Python stuff
   –  apt-get install libssl-dev (otherwise one of the dependency compiles will fail)
   –  /tmp/w3af_dependency_install.sh (make it executable and run with sudo) (great security practice, by the way…)

127

OWASP ZAProxy - Overview

•  Open source web proxy and web application scanner
•  Supports both manual and automated assessment
•  Fork of Paros Proxy
•  Exposes RESTful API
•  Main site: http://code.google.com/p/zaproxy/

128

OWASP ZAProxy - Installation

•  Unpack
   –  tar xzvf ZAP_2.2.2_Linux.tar.gz
•  Run
   –  zap.sh

129

OWASP ZAProxy – Usage

•  Change your browser to point to ZAP’s proxy
   –  ZAP defaults to using 8080, which might conflict with local Tomcat installs
   –  Change proxy port via Tools -> Options -> Local proxy
•  Spider
•  Passive Scanner
•  Active Scanner

130

Skipfish - Overview

•  Fast web application scanner written in C
•  Maintained by Google
•  Does a lot of file/directory guessing by default
•  Main site:
   –  https://code.google.com/p/skipfish/

131

Skipfish – Installation and Usage

•  Installation
   –  tar xzvf ~/Downloads/skipfish-2.10b.tgz
•  Handle dependencies:
   –  sudo apt-get install libpcre3-dev
   –  sudo apt-get install libidn11-dev
•  Build:
   –  make
•  Run:
   –  touch new_dict.wl
   –  ./skipfish -o output_dir -S existing_dictionary.wl -W new_dict.wl http://www.example.com/some/starting_path.txt

132

Which Open Source Scanner Is Best?

•  What Do You Want?
   –  Coverage
   –  Low False Positives
   –  Low False Negatives

133

Scanner Coverage

•  You can’t test what you can’t see
•  How effective is the scanner’s crawler?
•  How are URLs mapped to functionality?
   –  RESTful
   –  Parameters
•  Possible issues:
   –  Login routines
   –  Multi-step processes
   –  Anti-CSRF protection

134

Are You Getting a Good Scan? Large financial firm: “Our 500 page website is secure because the scanner did not find any vulnerabilities!”

Me: “Did you teach the scanner to log in so that it can see more than just the homepage?”

Large financial firm: “…”

135

Can Your Scanner Do This?

•  Two-step login procedure:
   –  Enter username / password (pretty standard)
   –  Enter answer to one of several arbitrary questions
•  Challenge was that the parameter indicating the question was dynamic
   –  Question_1, Question_2, Question_3, and so on
   –  Makes standard login recording ineffective

136

It All Started With A Simple Blog Post…

•  Ran into an application with a complicated login procedure
•  Wrote blog post about the toolchain used to solve the problem
   –  http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated-logins-with-appscan-and-burp-suite.html
•  Other scanner teams responded:
   –  IBM Rational AppScan
      •  http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated-logins-with-appscan-only.html
   –  HP WebInspect
      •  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-hp-webinspect.html
   –  Mavituna Security Netsparker
      •  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-mavituna-netsparker.html
   –  NTObjectives NTOSpider
      •  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-ntospider.html

137

Scanner Authentication Scenario Examples

•  Built as a response to the previously-mentioned blog conversation
•  Example implementations of different login routines
   –  How can different scanners be configured to successfully scan?
•  GitHub site:
   –  https://github.com/denimgroup/authexamples

138

Did I Get a Good Scan?

•  Scanner training is really important
   –  Read the Larry Suto reports…
•  Must sanity-check the results of your scans
•  What URLs were accessed?
   –  If only two URLs were accessed on a 500 page site, you probably have a bad scan
   –  If 5000 URLs were accessed on a five page site, you probably have a bad scan
•  What vulnerabilities were found and not found?
   –  Scan with no vulnerabilities – probably not a good scan
   –  Scan with excessive vulnerabilities – possibly a lot of false positives

139

Low False Positives

•  Reports of vulnerabilities that do not actually exist
•  How “touchy” is the scanner’s testing engine?
•  Why are they bad?
   –  Take time to manually review and filter out
   –  Can lead to wasted remediation time

140

Low False Negatives

•  Scanner failing to report vulnerabilities that do exist
•  How effective is the scanner’s testing engine?
•  Why are they bad?
   –  You are exposed to risks you do not know about
   –  You expect that the scanner would have found certain classes of vulnerabilities
•  What vulnerability classes do you think scanners will find?

141

Other Benchmarking Efforts

•  Larry Suto’s 2007 and 2010 reports
   –  Analyzing the Accuracy and Time Costs of Web Application Security Standards
   –  http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf
   –  Vendor reactions were … varied
   –  [Ofer Shezaf attended this talk at AppSecEU 2012 and had some great questions and comments. See his reactions to the latest Larry Suto scanner report here: http://www.xiom.com/2010/02/09/wafs-are-not-perfect-any-security-tool-perfect]
•  Shay Chen’s Blog and Site
   –  http://sectooladdict.blogspot.com/
   –  http://www.sectoolmarket.com/
•  Web Application Vulnerability Scanner Evaluation Project (wavsep)
   –  http://code.google.com/p/wavsep/

142

So I Should Just Buy the Best Scanner, Right?

•  Or the cheapest?
•  Well…
   –  What do you mean by “best”?
•  Follow-on questions
   –  How well do the scanners work on your organization’s applications?
   –  How many false positives are you willing to deal with?
   –  What depth and breadth of coverage do you need?

143

What is a Unique Vulnerability in ThreadFix?

•  (CWE, Relative URL)
   –  Predictable resource location
   –  Directory listing misconfiguration
•  (CWE, Relative URL, Injection Point)
   –  SQL injection
   –  Cross-site Scripting (XSS)
•  Injection points
   –  Parameters – GET/POST
   –  Cookies
   –  Other headers

144

What Do The Scanner Results Look Like?

•  Usually XML
   –  Skipfish uses JSON and gets packaged as a ZIP
•  Scanners have different concepts of what a “vulnerability” is
   –  We normalize to the (CWE, location, [injection point]) noted before
•  Look at some example files
•  Several vendors have been really helpful adding additional data to their APIs and file formats to accommodate requests

145

Why Common Weakness Enumeration (CWE)?

•  Every tool has its own “spin” on naming vulnerabilities
•  OWASP Top 10 / WASC 24 are helpful but not comprehensive
•  CWE is exhaustive (though a bit sprawling at times)
•  Reasonably well-adopted standard
•  Many tools have mappings to CWE for their results
•  Main site: http://cwe.mitre.org/

146

Scanner Benchmarking in ThreadFix

•  Upload multiple scans
•  Mark false positives
•  Run reports

147

Let’s Run Our Own Benchmark

•  Scan wavsep with:
   –  w3af
   –  OWASP ZAP
   –  Arachni
   –  Skipfish
   –  (We package example files in ThreadFix/test-scans/wavsep)
•  Upload results to ThreadFix
•  Run results

148

Current Limitations

•  Vulnerability importers are not currently formally vendor-supported
   –  Though a number have helped us test and refine them (thanks!)
   –  After you get a good scan make sure you also got a good import
•  Summary report should show data by severity rating
   –  Make it easier to focus on vulnerabilities you probably care more about
   –  But you can look at the data by vulnerability type

149

You Know What Would Make All This Way Easier?

•  Common data standards for scanning tools!
•  Current efforts:
   –  MITRE Software Assurance Findings Expression Schema (SAFES)
      •  http://www.mitre.org/work/tech_papers/2012/11_3671/
   –  OWASP Data Exchange Format Project
      •  https://www.owasp.org/index.php/OWASP_Data_Exchange_Format_Project

150

Simple Software Vulnerability Language (SSVL)

•  Common way to represent static and dynamic scanner findings
•  Based on our experience building importers for ThreadFix
   –  It “works” for real-world applications because we are essentially using it
•  Love to hear feedback
   –  Folks have been using the GitHub bug tracker to discuss
•  Online:
   –  https://github.com/OWASP/SSVL

151

Simple Software Vulnerability Language (SSVL)

152

OpenSAMM: Deployment

•  Vulnerability Management
•  Environment Hardening
•  Operational Enablement

153

Deployment: Vulnerability Management

•  Processes for managing vulnerabilities in both internal and external software
•  Goal is consistency
•  Use data from vulnerability handling to improve processes
   –  Decrease number and severity of future vulnerabilities
   –  Decrease time-to-fix

154

Application Vulnerability Management

•  Application security teams use automated static and dynamic test results as well as manual testing results to assess the security of an application
•  Each test delivers results in different formats
•  Different test platforms describe the same flaws differently, creating duplicates
•  Security teams end up using spreadsheets to keep track manually
•  It is extremely difficult to prioritize the severity of flaws as a result
•  Software development teams receive unmanageable reports and only a small portion of the flaws get fixed

155

156

The Result

•  Application vulnerabilities persist in applications:
   –  Average serious vulnerabilities found per website per year is 79 **
   –  Average days a website is exposed to one serious vulnerability is 231 days **
   –  Overall percentage of serious vulnerabilities that are fixed annually is only 63% **
•  Part of that problem is there is no easy way for the security team and application development teams to work together on these issues
•  Remediation quickly becomes an overwhelming project
•  Trending reports that track the number of reduced vulnerabilities are impossible to create

** WhiteHat Statistics Report (Summer 2012): https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf

157

Vulnerability Fun Facts:

•  Average number of serious vulnerabilities found per website per year is 79 **
•  Serious vulnerabilities were fixed in ~38 days **
•  Percentage of serious vulnerabilities fixed annually is only 63% **
•  Average number of days a website is exposed to at least one serious vulnerability is ~231 days **

** WhiteHat Statistics Report (Summer 2012): https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf

Vulnerability Remediation Data

Vulnerability Type                           Sample Count   Average Fix (minutes)
Dead Code (unused methods)                        465               2.6
Poor logging: system output stream                 83               2.9
Poor Error Handling: Empty catch block            180               6.8
Lack of Authorization check                        61               6.9
Unsafe threading                                  301               8.5
ASP.NET non-serializable object in session         42               9.3
XSS (stored)                                     1023               9.6
Null Dereference                                  157              10.2
Missing Null Check                                 46              15.7
XSS (reflected)                                    25              16.2
Redundant null check                               21              17.1
SQL injection                                      30              97.5

158

Where Is Time Being Spent?

[Bar chart: percentage of remediation time spent per phase (Setup Development Environment, Fix Vulnerabilities, Confirm Fixes / QA, Deploy, Overhead) for each project and for the weighted average; only the axis ticks and legend text survived extraction. Legend note: indicates the weighted average versus the average of individual projects.]

159

Turning Vulnerabilities Into Software Defects

•  Security teams talk about “vulnerabilities”
•  Software developers talk about “defects”
•  Developers Don’t Speak PDF
   –  http://blog.denimgroup.com/denim_group/2012/11/hey-security-teams-developers-dont-speak-pdf.html
•  Why should developers manage 90% of their workload in defect trackers
   –  And the magic, special “security” part of their workload … some other way?
•  ThreadFix lets you slice, dice and bundle vulnerabilities into software defects
   –  And track their remediation status over time to schedule re-scans

160

ThreadFix: Vulnerability Import

•  A “channel” is a source of vulnerability data for an application
   –  With the 1.2 version users no longer have to manually manage channels
•  Each import from a channel is “diff’ed” versus the previous scan
   –  When do vulnerabilities appear?
   –  When do vulnerabilities go away?
•  Can be automated via the RESTful interface to include in build process, etc

161
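The normalization described on the "What is a Unique Vulnerability" and "What Do The Scanner Results Look Like" slides, and the import-versus-previous-scan diff described just above, in one added example. This is illustrative code, not ThreadFix's importer: the two XML layouts are constructed stand-ins for two scanners' report formats (real vendor schemas differ), and the name-to-CWE table covers only the handful of weakness names used in the sample.

```python
"""Normalize findings from two scanners to (CWE, relative URL, injection point) keys,
merge duplicates across tools, and diff one import against the previous one."""
from typing import Dict, Iterable, NamedTuple, Optional, Set
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET


class VulnKey(NamedTuple):
    """ThreadFix-style identity of a unique vulnerability."""
    cwe: int
    path: str                  # relative URL, host and query stripped
    parameter: Optional[str]   # None for location-only weaknesses


# Each tool names the same weakness differently; map the names we know to CWE ids.
NAME_TO_CWE: Dict[str, int] = {
    "sql injection": 89,
    "sqli": 89,
    "cross site scripting": 79,
    "reflected xss": 79,
    "xss": 79,
    "directory listing": 548,
    "predictable resource location": 425,
}

# Weaknesses identified by (CWE, relative URL) only: no injection point in the key.
LOCATION_ONLY = {425, 548}


def relative_path(url: str) -> str:
    """Strip scheme, host and query so scans of the same app on different hosts line up."""
    return urlsplit(url).path or "/"


def normalize(name: str, url: str, parameter: Optional[str]) -> Optional[VulnKey]:
    """Map one raw finding to its key; unknown names return None for manual mapping."""
    cwe = NAME_TO_CWE.get(name.strip().lower())
    if cwe is None:
        return None
    param = None if cwe in LOCATION_ONLY else (parameter or None)
    return VulnKey(cwe, relative_path(url), param)


def parse_scanner_a(xml_text: str) -> Set[VulnKey]:
    """Constructed format A: <issue type=".." url=".." param=".."/> elements."""
    keys: Set[VulnKey] = set()
    for issue in ET.fromstring(xml_text).iter("issue"):
        key = normalize(issue.get("type", ""), issue.get("url", ""), issue.get("param"))
        if key is not None:
            keys.add(key)
    return keys


def parse_scanner_b(xml_text: str) -> Set[VulnKey]:
    """Constructed format B: <vuln><name/><uri/><parameter/></vuln> elements."""
    keys: Set[VulnKey] = set()
    for vuln in ET.fromstring(xml_text).iter("vuln"):
        key = normalize(vuln.findtext("name", ""), vuln.findtext("uri", ""),
                        vuln.findtext("parameter"))
        if key is not None:
            keys.add(key)
    return keys


def unique_vulnerabilities(scans: Iterable[Set[VulnKey]]) -> Set[VulnKey]:
    """Merge several tools' results; identical keys collapse to one vulnerability."""
    merged: Set[VulnKey] = set()
    for scan in scans:
        merged |= scan
    return merged


def diff_scans(previous: Set[VulnKey], current: Set[VulnKey]) -> Dict[str, Set[VulnKey]]:
    """What appeared, what went away, and what is still open since the last import."""
    return {"new": current - previous, "resolved": previous - current, "open": current & previous}


# Constructed sample reports in the two formats (not real vendor output).
SCAN_A = """<scan tool="scanner-a">
  <issue type="SQL Injection" url="http://qa.example.test/login.jsp" param="username"/>
  <issue type="Reflected XSS" url="http://qa.example.test/search.jsp" param="q"/>
  <issue type="Directory Listing" url="http://qa.example.test/images/" param=""/>
</scan>"""

SCAN_B = """<report tool="scanner-b">
  <vuln><name>SQLi</name><uri>https://staging.example.test/login.jsp?x=1</uri><parameter>username</parameter></vuln>
  <vuln><name>XSS</name><uri>https://staging.example.test/search.jsp</uri><parameter>q</parameter></vuln>
  <vuln><name>XSS</name><uri>https://staging.example.test/search.jsp</uri><parameter>page</parameter></vuln>
  <vuln><name>Vendor Specific Check</name><uri>https://staging.example.test/admin</uri><parameter/></vuln>
</report>"""

if __name__ == "__main__":
    sort_key = lambda k: (k.cwe, k.path, k.parameter or "")
    a, b = parse_scanner_a(SCAN_A), parse_scanner_b(SCAN_B)
    print("unique across both tools:", sorted(unique_vulnerabilities([a, b]), key=sort_key))
    for state, keys in diff_scans(previous=a, current=b).items():
        print(state, sorted(keys, key=sort_key))
```

Seven raw findings collapse to four unique vulnerabilities; treating scan A as the previous import and scan B as the current one, the XSS in `page` is new, the directory listing is resolved, and two remain open.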

ThreadFix: Defect Tracker Integration

•  Turn vulnerabilities that security staff care about into software bugs that developers know how to handle
•  Bundle multiple vulnerabilities into a single defect
•  How to organize?
   –  By severity
   –  By type
   –  By location in the application
   –  Some combination
•  When the defect status changes you can schedule re-scans

162

But My Bug Tracker Isn’t Supported!

•  We are always working on supporting new technologies
   –  Check out the current support list: https://code.google.com/p/threadfix/wiki/DefectTrackers
   –  Submit a bug to the ThreadFix defect tracker: https://code.google.com/p/threadfix/issues/list
•  You can add new defect trackers as plugins
   –  No changes to the core codebase required
   –  For instructions and sample code check out the wiki article: https://code.google.com/p/threadfix/wiki/CustomDefectTrackerGuide

163

Deployment: Environment Hardening

•  Attackers do not care about applications – attacking infrastructure might be just as effective and valuable for them
•  Controls for operating environments:
   –  Reduce vulnerabilities in the infrastructure
   –  Enable logging and tracking

164

Microsoft Baseline Security Analyzer (MBSA) - Overview

•  Runs standard checks on Windows Workstations and Servers
   –  Internet Explorer
   –  IIS
   –  SQL Server
•  Checks registry and file settings
•  2.2 Downloads: http://www.microsoft.com/en-us/download/details.aspx?id=7558

165

Microsoft Baseline Security Analyzer (MBSA) – Installation and Use

•  Install via the .msi
•  Run scans
   –  Single machine
   –  Network of machines
•  Review the results

166

Deployment: Operational Enablement

•  How do you install, configure and run your applications?
   –  Also updates and upgrades
•  Runtime checks and logging for intrusion detection and incident response
   –  John Dickson has done some work in this area
   –  http://www.slideshare.net/denimgroup/top-strategies-to-capture-security-intelligence-for-applications

167

© Copyright 2013 Denim Group - All Rights Reserved

Continuous Integration and Security Testing

•  Reduce the time between introducing security defects and knowing about them

•  Free tools mean that any project can be instrumented
  –  No licensing fees

•  ThreadFix has a REST-based API and command-line client for scripting

168


Exercise: Script the Scan/Upload Process

•  Generate a ThreadFix API key
•  Test the command-line client
•  Script a web application scan
•  Include file upload after scanning
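The scripting that slide 168 mentions and this exercise asks for, as an added example that is neither the ThreadFix command-line client nor code from the course: a POSIX shell CI step that runs a scanner, refuses to upload an empty or non-XML report, and posts the report to ThreadFix. The server URL, application id, scanner wrapper, key file and the upload endpoint (/rest/applications/<id>/upload taking an apiKey parameter and a multipart file field) are all assumptions to be checked against the REST API documentation for your ThreadFix version.

```shell
#!/bin/sh
# Added example, not the ThreadFix CLI or project code: CI step that runs a web
# application scan and uploads the report to ThreadFix through its REST API.
# Everything below is assumed/constructed: server URL, application id, scanner
# wrapper, key file, and the upload endpoint path and parameters.
set -eu

THREADFIX_URL="${THREADFIX_URL:-https://threadfix.example.internal/threadfix}"
APP_ID="${THREADFIX_APP_ID:-1}"
KEY_FILE="${THREADFIX_KEY_FILE:-${HOME:-.}/.threadfix_key}"  # key in a file, never in argv
SCANNER="${SCANNER:-./run_scanner.sh}"   # assumed wrapper: SCANNER <target-url> <report-file>

# report_ok REPORT: accept only a non-empty XML file. A scanner that crashes or
# hits an unreachable target often leaves an empty or HTML file behind; uploading
# that would make the application look clean in ThreadFix.
report_ok() {
  [ -s "$1" ] || return 1
  head -n 1 "$1" | grep -q '<?xml' || return 1
  return 0
}

# upload_report REPORT: POST the scan to ThreadFix and print the HTTP status code.
# The key travels in the query string (assumed API shape), so it is visible to any
# proxy or server log on the path: use a key from a dedicated upload-only account.
upload_report() {
  key=$(tr -d '\r\n' < "$KEY_FILE")
  curl -sS -o upload_response.json -w '%{http_code}' \
    -F "file=@$1" \
    "$THREADFIX_URL/rest/applications/$APP_ID/upload?apiKey=$key"
}

# main TARGET_URL: scan, validate, upload, and fail the build on any problem.
main() {
  target="$1"
  report="scan-$(date +%Y%m%d-%H%M%S).xml"
  "$SCANNER" "$target" "$report"
  report_ok "$report" || { echo "scan produced no usable report: $report" >&2; exit 1; }
  status=$(upload_report "$report") || status="curl-error"
  case "$status" in
    200) echo "uploaded $report to application $APP_ID" ;;
    *)   echo "upload failed ($status); see upload_response.json" >&2; exit 1 ;;
  esac
}

# Run only when a target is given, so the functions can also be sourced elsewhere.
[ $# -eq 0 ] || main "$1"
```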

169


mod_security - Overview

•  Open source web application firewall engine

•  Also has a Core RuleSet (CRS)

•  Traditionally has been Apache-only
  –  Runs as an Apache module (mod_security)
  –  Recently announced both IIS and Nginx support

•  Main site: http://www.modsecurity.org/

170


Virtual Patching

•  Overview

•  Applicability

•  Approaches

171


Overview

•  Create short-term protections by telling IDS/IPS/WAFs where vulnerabilities are located and how to detect attacks
  –  IDS – Intrusion Detection System
  –  IPS – Intrusion Prevention System
  –  WAF – Web Application Firewall

172


Applicability

•  Most applicable for “technical” vulnerabilities
  –  SQL injection
  –  Cross-Site Scripting

•  Harder to do for application-specific vulnerabilities

173


Approaches

•  Tell the sensor where the vulnerability is and what an attack looks like

•  This rule pattern is useful when you need to protect a known address and a known parameter with a known payload.
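A concrete form of the known address / known parameter / known payload pattern, added here as an example rather than taken from the course or generated by ThreadFix: mod_security 2.x rules for a hypothetical SQL injection finding in parameter `id` of `/product.jsp` (the URL, parameter and rule ids are assumptions).

```apacheconf
# Added example, not ThreadFix output: virtual patch for an assumed scanner finding
# of SQL injection in parameter "id" of /product.jsp (URL and parameter hypothetical).
# Rule ids in the 9xxxxxx range are placeholders; choose ids outside the CRS ranges you load.

# Preferred form when the parameter's legitimate values are well defined: allow-list.
# "id" is a numeric product identifier, so anything else at this address is rejected.
# The chain means "deny" fires only when both the address and the parameter match.
SecRule REQUEST_FILENAME "@streq /product.jsp" "id:9000001,phase:2,chain,deny,status:403,log,msg:'Virtual patch: non-numeric id on /product.jsp'"
    SecRule ARGS:id "!@rx ^[0-9]{1,9}$" "t:none,t:urlDecodeUni"

# Fallback when the parameter cannot be allow-listed: match the payload class the
# scanner reported (quotes, comment sequences, UNION/SELECT), but only on this address
# and parameter so the rule does not touch the rest of the application.
SecRule REQUEST_FILENAME "@streq /product.jsp" "id:9000002,phase:2,chain,deny,status:403,log,msg:'Virtual patch: SQL injection payload in id on /product.jsp'"
    SecRule ARGS:id "@rx (?i)(['\x22]|--|/\*|\bunion\b|\bselect\b)" "t:none,t:urlDecodeUni,t:compressWhitespace"

# Roll out with "SecRuleEngine DetectionOnly" first and review the audit log for false
# positives before switching to "SecRuleEngine On"; retire the patch once the code fix ships.
```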

174


ThreadFix: Virtual Patching

•  Use vulnerability data from scans (usually dynamic) to create targeted, application-specific WAF rules

•  ThreadFix supports several IDS/IPS/WAF systems
  –  Snort
  –  mod_security
  –  F5 ASM
  –  Imperva
  –  DenyAll

•  Can also import sensor logs to map blocked attacks back to the vulnerabilities targeted

175


ThreadFix: Virtual Patching Example

•  Example Rule Generation:
  –  Create a mod_security WAF
  –  Associate it with an application with open vulnerabilities
  –  Generate rules

•  Example Log Import:
  –  Upload log file
  –  Look at event data in vulnerability listing
  –  (This is faked but you hopefully get the idea)

176


Program Benchmark Reporting

•  How does your software security organization stack up?
  –  Look at publicly-shared data from WhiteHat and Veracode

•  Compare your progress
  –  Percentage of vulnerabilities fixed
  –  Time to fix different vulnerability types
  –  Age of remaining vulnerabilities

177


ThreadFix: Reporting Examples

•  Can be done at multiple levels:
  –  Enterprise-wide
  –  Team
  –  Individual application

•  Reports for:
  –  Vulnerability count trending
  –  Progress – vulnerability resolution and timelines
  –  Scanner effectiveness
  –  Frequency of scanning across the portfolio

•  We have already looked at scanner benchmark reports

178


ThreadFix: Reporting: Trending

•  Shows trending over time

•  Data series:
  –  Total vulnerabilities
  –  New vulnerabilities
  –  Resurfaced vulnerabilities

179


ThreadFix: Reporting: Point-in-Time

•  Shows current state of vulnerabilities

•  Pie chart!
  –  Critical
  –  High
  –  Medium
  –  Low

180


ThreadFix: Reporting: Vulnerability Progress

•  Shows progress resolving vulnerabilities

•  Data series by vulnerability type:
  –  Vulnerability count
  –  Percentage fixed
  –  Average age to close
  –  Average age of remaining

•  Use to benchmark your organization against publicly-available data
  –  WhiteHat Security – Website Security Statistics Report: https://www.whitehatsec.com/resource/stats.html
  –  Veracode – State of Software Security Report: http://www.veracode.com/reports

181


ThreadFix: Reporting: Monthly

•  Shows trending on a per-month basis
  –  Similar to trending report

•  Data series:
  –  Total vulnerabilities
  –  New vulnerabilities
  –  Resurfaced vulnerabilities

182


ThreadFix: Reporting: Portfolio Tracking

•  Shows consistency of scanning across the portfolio

•  Broken down by criticality of the application

183


Recap

•  A software security program is more than a tool or set of tools
  –  But tools help provide automation and facilitate scale

•  OpenSAMM is a maturity model that can be used as a framework for building and advancing software security programs

•  Open source tools exist to support many key activities in a software security program

184

185

Conclusions / Questions

Dan Cornell
[email protected]
Twitter: @danielcornell
www.denimgroup.com
www.denimgroup.com/threadfix
code.google.com/p/threadfix
(210) 572-4400