Wednesday, September 18, 2013

Tip #1: Evidence that a security turnaround is in effect

A Discussion on the Number of Vulnerabilities as a Metric

A common security metric is a count of the number of vulnerabilities found.

Many organizations measure it, and many say it is a common mistake as a measure of security effectiveness. Sometimes it is a necessary metric, but most of the time it is indeed a mistake. Why? Because on its own the count carries no business context.

We will first show how not to use this metric, and then how to use it, with four examples:
  • Metric 1: Cumulative vulnerability counts with the types of vulnerabilities, over time
  • Metric 2: Cumulative vulnerability counts with the types of vulnerabilities, stand-alone
  • Metric 3: Vulnerability counts with how the vulnerability was found, over time
  • Metric 4: Defect Removal Efficiency, over time

When this Metric Does Not Work


Consider these ambiguities.

  • What would a time series graph of the number of vulnerabilities found demonstrate? 
  • An ability to mine for vulnerabilities? 
  • What happens when it goes up? Celebrate that you can find issues? 
  • Or when it goes down? Does it mean you are losing the ability to find vulnerabilities? Or that developers are improving? 


In most situations, this metric is a mistake. But there is one situation when this might work. When you are in the very beginning of a security turnaround.

When it Works

A Turnaround Situation

What is a turnaround?


“STARS” is an acronym for the five common situations leaders move into: start-up, turnaround, accelerated growth, realignment, and sustaining success. Thus, the model outlines the challenges of launching a venture or project; saving a business or initiative that’s in serious trouble; dealing with rapid expansion; reenergizing a once-leading company that’s now facing problems; and following in the footsteps of a highly regarded leader with a strong legacy of success. [1]

Examples of turnarounds

  • Microsoft in the year 2000
  • A product that has suffered security neglect, either from the very beginning or for years: no active security testing, and customers were effectively testing the product for the vendor by reporting security issues. You were hired not only to perform a turnaround but also to start up a security program, which hits two of the "STARS" categories.

How to Use it

There are limited situations in which vulnerability counts can be used as a metric. The count never stands on its own; it needs the business context described below, and its use is generally limited to turnaround situations.

In a turnaround situation, you need to demonstrate, as part of a larger story, that the security program is working.

Metric 1: Cumulative vulnerability counts with the types of vulnerabilities, over time

(Chart: cumulative vulnerability count by vulnerability type, over time)
What story does this tell?
  • Identifies systemic and persistent vulnerabilities for remediation investment. In this case, the immediate focus should be on resolving a systemic and persistent problem with CWE-79, Cross-site Scripting. Every vulnerability entered into the bug tracking system should be tagged with a standard Common Weakness Enumeration (CWE) identifier; without that tag this chart cannot be built.
  • Historical view of the types of vulnerabilities that have appeared in the system under test. No particular executive action is required here; it is informational. It demonstrates that the system is clearly not free of vulnerabilities (it would be good to compare this against the overall population of software defects). At best, it pulls heads out of the sand about the fact that the system has issues requiring attention.
Notice!
Be sure to convert the CWE identifiers to a common name that the Executive will understand. Please add comments to this page with corresponding terms you have found useful for Executives.

Examples
  CWE Identifier                        Layman's Term
  CWE-79:  Cross-site Scripting         Missing output sanitization allowing script injection
  CWE-89:  SQL Injection                Missing input sanitization allowing database query injection
  CWE-352: Cross-site Request Forgery   Missing transaction authenticity check
  CWE-287: Improper Authentication      Missing or broken authentication check
  CWE-285: Improper Authorization       Missing or broken authorization check

Metric 2: Cumulative vulnerability counts with the types of vulnerabilities, stand-alone

Catch attention - wake up Executives with a big number

    62%
    Systemic Cross-site Scripting Vulnerabilities

See the Wall Street Journal's Number of the Week column for examples of how to apply this concept to other security metrics.

Follow-up with context
(Chart: cumulative vulnerability count by vulnerability type)

What story does this tell?

  • Identifies systemic and persistent vulnerabilities for remediation investment. The time element seen in Metric 1 is not always needed. This shows that the bulk of the problems in the application come from "script injection." Spot-fixing each finding is unlikely to solve the problem; a framework-level solution (for example, output encoding applied centrally by the templating layer rather than by each developer) is required to stop this class of vulnerability. After all, 62% of all vulnerabilities found belong to this class.

Metric 3: Vulnerability counts with how the vulnerability was found, over time


What story does this tell?

  • Our customers tested our products for us. To an Executive, it clearly shows that in 2010, all reported security issues were from customers. The company's security testing was extremely inadequate.
  • A turnaround is in effect. That's the point of this entire article. To demonstrate you are righting the ship. Security defects leaking to customers are disappearing and the other detection methods you have brought in are beginning to show promise in 2011 and have been a break-through in 2012 and 2013. 

Metric 4: Defect Removal Efficiency, over time

Defect Removal Efficiency measures your ability to detect a defect before it reaches your customers. What's a good number? It depends on your industry and the criticality of your product. A common number to beat is between 85% and 95% for medium-risk systems. If this is medical or military-grade software, you want to be near 100%.

(Chart: Defect Removal Efficiency over time)
What story does it tell?
Depending on your goal percentage (85-95% is a common goal -- see Capers Jones for benchmarks by industry), similar to Metric 3, this shows how far off your organization is from your peers. 

0% says a great deal -- all vulnerabilities were detected by customers - this is terrible for your organization's reputation. This also easily shows how your security program has turned things around. Evidence that a security turnaround is in effect.

Formula
Defect Removal Efficiency (DRE) =
(# of issues found internally before release) / (# found internally + # reported by third parties)

Equivalently, DRE = 1 - (third party-reported issues / grand total). Third party-reported issues divided by the grand total is the leakage rate, not the DRE: for the first release in the table below it gives 100%, where the DRE is 0%.

Note that the percentage column in the table below is not computed per release: each value is that release's internally found count divided by 32, the grand total of the first release (7/32 = 21.88%, 13/32 = 40.63%, 18/32 = 56.25%). That ratio shows how much you now find yourself relative to the day the turnaround started, but it understates the per-release DRE; computed per release, 9/30/2013 is 18/19 = 94.7%.

Corresponding Data Table

  Product Release Date   Internal (dynamic / static)   Third Party   Grand Total   DRE as published (internal / 32)
  3/30/2011               0                            32            32            0.00%
  9/30/2011               7                             0             7            21.88%
  3/30/2012              13 (11 / 2)                    7            20            40.63%
  9/30/2012              10                             0            10            31.25%
  3/30/2013              11 (2 / 9)                     0            11            34.38%
  9/30/2013              18                             1            19            56.25%

References

  1. Watkins, Michael D. "Picking the Right Transition Strategy." Harvard Business Review, January 2009. Accessed 7 Sept. 2013.
  2. MITRE's Common Weakness Enumeration: http://cwe.mitre.org/
  3. Wall Street Journal, Number of the Week: http://blogs.wsj.com/economics/category/number-of-the-week/
  4. Capers Jones, Applied Software Measurement (McGraw-Hill): http://www.mcgraw-hill.com.au/html/9780071502443.html

Friday, August 16, 2013

Committing to Github From a Local Branch to a Different Remote Branch

So you've made your changes and you are ready to commit them, not only to your local branch but also to GitHub.

Step 1: Group the files you added and modified into a single pending changelist

Grouping files together makes your GitHub pull requests much easier to handle, especially if you are looking to resolve a specific issue or make a specific enhancement. git add . is the equivalent of a recursive add of everything from the current directory downwards.
$ git add .
Review what has been staged before committing. This is a good sanity check that the pending changelist contains everything you expect and nothing you don't (credentials, local config files, build output). The "-s" means short output.
$ git status -s

Step 2: Commit the changelist to your local branch.

This commits your pending changelist to whichever branch is currently checked out:
$ git commit

Step 3: Push the committed changes from your current local branch to a remote branch with a different name.

Note: "origin" is the name git gives the remote repository you cloned from (here, the GitHub repository), not your local copy. The refspec local-branch:remote-branch pushes the named local branch to the named remote branch, creating the remote branch if it does not exist yet.

$ git push origin example-local-branch:new-remote-branch
Username for 'https://github.com': xxxx@boldersecurity.com
Password for 'https://xxxx@boldersecurity.com@github.com':
To https://github.com/boldersecurity/gauntlt.git
* [new branch]      example-local-branch -> new-remote-branch

Thursday, March 29, 2012

Installing and Running BeEF on Linux

What is BeEF?
BeEF = Browser Exploitation Framework


Its purpose here is primarily security awareness training. It is a great tool to show the impact of a single seemingly innocent vulnerability, reflected or persistent (stored) cross-site scripting, caused by a lack of input validation and/or output escaping.


About BeEF

Excerpt from http://beefproject.com/ :

BeEF is a Security Tool
The Browser Exploitation Framework (BeEF) is a powerful professional security tool. BeEF is pioneering techniques that provide the experienced penetration tester with practical client side attack vectors.
Unlike other security frameworks, BeEF focuses on leveraging browser vulnerabilities to assess the security posture of a target. This project is developed solely for lawful research and penetration testing.
BeEF hooks one or more web browsers as beachheads for the launching of directed command modules. Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors.


Instructions to Setup BeEF on Linux
These instructions are for Red Hat Linux, but much of it will likely extend to your environment.
In order to install BeEF, you will need to get the latest BeEF source from git. Our Linux builds do not come with "git", so we will need to build it. BeEF also requires Ruby, so we will also obtain, compile, and install the latest version of Ruby. Our Linux builds already have SQLite, so there is no need to install it.


Install git on Linux

  • Go to the root directory (or wherever you would like to build git):
      cd /root/
  • Download the latest version of git (check the website for a version newer than the one used here):
      wget http://git-core.googlecode.com/files/git-1.7.9.5.tar.gz
  • Unzip the download:
      gunzip git-1.7.9.5.tar.gz
  • Untar the download:
      tar xvf git-1.7.9.5.tar
  • Delete the tar file since it is no longer needed:
      rm git-1.7.9.5.tar
  • Go into the new git folder:
      cd git-1.7.9.5
  • Build git:
      make prefix=/usr all
  • Once the build completes, verify it is working:
      ./git --version

These steps build git but do not install it, so the binary stays in the build directory; that is why the later steps call it as /root/git-1.7.9.5/git.

Install Ruby on Linux

Ruby is required to run BeEF. Most versions of Red Hat Linux do not come with it. This shows how to download, compile, and install the latest version of Ruby. The download below is over plain HTTP, so verify the tarball against the checksum the Ruby project publishes before building it.

  • Go to where you would like to build ruby (e.g. the root folder):
      cd /root/
  • Download the latest version of ruby (check the website for a newer version; this was the latest at the time of this post):
      wget http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p125.tar.gz
  • Unzip the download:
      gunzip ruby-1.9.3-p125.tar.gz
  • Untar the download:
      tar xvf ruby-1.9.3-p125.tar
  • Remove the tar file since you no longer need it:
      rm ruby-1.9.3-p125.tar
  • Go to the new directory:
      cd ruby-1.9.3-p125
  • Compiling ruby: run configure:
      ./configure
  • Compiling ruby: run make:
      make
  • Compiling ruby: install:
      make install
  • Verify the installation was successful by checking the version number:
      ruby -v

[root@server ruby-1.9.3-p125]# ruby -v
ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-linux]

Obtain BeEF via git

  • Go to the folder you want the latest BeEF code downloaded to (e.g. /root):
      cd /root/
  • Run the git clone (tailor the path to wherever you built git and which version you built). This downloads the latest version of BeEF:
      /root/git-1.7.9.5/git clone http://github.com/beefproject/beef

Install BeEF on Linux

  • Go to wherever you cloned BeEF (e.g. /root/beef):
      cd /root/beef/
  • Install the bundler tool, which will be used to install BeEF's dependencies in the next step:
      gem install bundler

[root@server beef]# gem install bundler
/usr/local/lib/ruby/1.9.1/yaml.rb:56:in `':
It seems your ruby installation is missing psych (for YAML output).
To eliminate this warning, please install libyaml and reinstall your ruby.
Fetching: bundler-1.1.3.gem (100%)
Successfully installed bundler-1.1.3
1 gem installed
Installing ri documentation for bundler-1.1.3...
Installing RDoc documentation for bundler-1.1.3...
  • Install BeEF's gem dependencies using bundler:
      bundle install


[root@server beef]# bundle install
/usr/local/lib/ruby/1.9.1/yaml.rb:56:in `<top (required)>':
It seems your ruby installation is missing psych (for YAML output).
To eliminate this warning, please install libyaml and reinstall your ruby.
Fetching gem metadata from http://rubygems.org/.........
Installing addressable (2.2.7)
Installing ansi (1.4.2)
Installing daemons (1.1.8)
Installing data_objects (0.10.8)
Installing dm-core (1.2.0)
Installing dm-do-adapter (1.2.0)
Installing dm-migrations (1.2.0)
Installing do_sqlite3 (0.10.8) with native extensions
Installing dm-sqlite-adapter (1.2.0)
Installing erubis (2.7.0)
Installing eventmachine (0.12.10) with native extensions
Installing json (1.6.6) with native extensions
Installing librex (0.0.65)
Installing msgpack (0.4.6) with native extensions
Installing msfrpc-client (1.0.1)
Installing parseconfig (0.5.2)
Installing rack (1.4.1)
Installing rack-protection (1.2.0)
Installing tilt (1.3.3)
Installing sinatra (1.3.2)
Installing term-ansicolor (1.0.7)
Installing thin (1.3.1) with native extensions
Using bundler (1.1.3)
Your bundle is complete! Use `bundle show [gemname]` to see where a bundled gem  

Configure BeEF

Configure BeEF to listen on port 80 and to start automatically on the server it is installed on (next sections). On port 80 the panel is reached at http://server/ui/authentication with no port number in the URL, which makes it easier to access during a training session. Binding to port 80 requires root, which is why these instructions run as root. Before exposing the server, change the default panel credentials in config.yaml and restrict who can reach it: BeEF hooks real browsers, so keep the panel and the hook page off the public internet unless that is the exercise.
Note: I could not get the path to access BeEF reduced from http://server/ui/authentication to http://server/ -- perhaps this is an issue with the version of BeEF I installed.

  • Modify the configuration file. Change port: "3000" to "80":
      vi /root/beef/config.yaml

http:
debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
host: "0.0.0.0"
port: "80" <-----CHANGED
# if running behind a nat set the public ip address here
#public: ""
dns: "localhost"
panel_path: "/ui/panel" <-----I'D LIKE TO CHANGE THIS BUT IT ISN'T TAKING EFFECT
hook_file: "/hook.js"
hook_session_name: "BEEFHOOK"
session_cookie_name: "BEEFSESSION"

Run BeEF in Background

  • Go to the BeEF installation folder (e.g. /root/beef):
      cd /root/beef/
  • Start BeEF in the background (by adding &):
      ./beef &

Start BeEF by Default on Linux

  • Modify the /etc/rc.d/rc.local file. This file holds add-on startup commands that run when the system boots, which ensures BeEF is always running:
      vi /etc/rc.d/rc.local
  • Add two lines: one to change into the BeEF directory (BeEF uses relative paths, so it must be started from inside its own directory) and one to run BeEF in the background:
      cd /root/beef
      ./beef &


Update BeEF on Linux

  • Go to the directory BeEF is installed in (e.g. /root/beef):
      cd /root/beef
  • Run git pull to update to the latest revision (again, adjust the path to wherever you built git):
      /root/git-1.7.9.5/git pull

Thursday, April 28, 2011

Analyzing Skype Chat and Call Logs

Introduction
Skype chat and call logs are stored in the main.db file, which is an SQLite database.
To read main.db, you need an SQLite database browser.


Obtain an SQLite database browser
I like to use the SQLite Manager add-on for Mozilla Firefox:
  • Download Mozilla Firefox
  • Once installed, go to Tools > Add-ons
  • Search for SQLite and install SQLite Manager
  • Reopen Firefox after the install


Location of Files
On Mac OS X
/Users/<current user>/Library/Application Support/Skype/<skype id>/main.db
On Windows XP and 2003
C:\Documents and Settings\<current user>\Application Data\Skype\<skype id>\main.db
On Windows Vista, 2008 and later
C:\Users\<current user>\AppData\Roaming\Skype\<skype id>\main.db


Review data in SQLite Manager

Timestamps in main.db are stored as Unix epoch seconds. The 'localtime' modifier in the queries below converts them to the timezone of the machine running the query, not the machine the log came from; for a forensic timeline, drop 'localtime' to keep UTC, or record which timezone was applied. Work on a copy of main.db, never the live file Skype has open.

Call Logs
Two tables in main.db contain the call logs, covering both Skype-to-phone and Skype-to-Skype calls. Between them they give the phone numbers called, the call durations, and the source and destination of each call.

The two tables are similar but not identical. The CallMembers table shows Skype-to-phone calls as well as Skype-to-Skype calls, but it misses calls that were disconnected (abnormal ending).
The Calls table does not show Skype-to-phone calls, but it does show Skype-to-Skype calls, including those that were disconnected.


CallMembers Table
  • identity - destination of the call
  • guid - unique identifier; also shows the source of the call
  • start_timestamp - date/time, converted from Unix epoch time to local time
  • call_duration - length of the call in seconds (divide by 60.0 rather than 60, or SQLite's integer division will truncate partial minutes)

SELECT identity AS destination, guid,
       strftime('%Y-%m-%d %H:%M:%S', start_timestamp, 'unixepoch', 'localtime') AS start_time,
       call_duration / 60.0 AS num_minutes
FROM CallMembers ORDER BY id

Calls Table
  • host_identity - source of the call
  • current_video_audience - destination of the call
  • begin_timestamp - date/time, converted from Unix epoch time to local time
  • duration - length of the call in seconds

SELECT host_identity AS source, current_video_audience AS destination,
       strftime('%Y-%m-%d %H:%M:%S', begin_timestamp, 'unixepoch', 'localtime') AS start_time,
       duration / 60.0 AS num_minutes
FROM Calls ORDER BY id

Chat Logs
The Messages table in the main.db contains the chat log. 


Messages Table
  • author - source of the chat message
  • chatname - unique identifier of the conversation; also shows who started the chat
  • timestamp - date/time, converted from Unix epoch time to local time
  • body_xml - the message body (Skype stores markup such as emoticons as XML inside it)

SELECT author AS source, chatname,
       strftime('%Y-%m-%d %H:%M:%S', timestamp, 'unixepoch', 'localtime') AS start_time,
       body_xml AS message
FROM Messages ORDER BY timestamp

Export SQL Query Results to CSV
When you execute the query, the Actions menu next to the Run Query button lets you save the results to a CSV file.

Backups
Back up the main.db file regularly, and hash the copy you analyze so you can show later that it was not altered.
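The same extraction done from Python's standard sqlite3 module, as an added example that is not part of the original post. It creates a throw-away database with only the columns the three queries above use, fills it with constructed rows (labelled as such), runs the three queries with timestamps rendered in UTC, and writes the results as CSV the way SQLite Manager's save-CSV action would. The table layout, the open_db() helper and the sample identities are assumptions for this example; point open_db() at a copy of a real main.db to use it on real data.

```python
"""Read Skype call and chat history out of main.db with Python's sqlite3.

Added example; not from the original post. The schema below holds only the
columns the post's queries use, and the rows are constructed, so this runs
without a real Skype profile. Timestamps are rendered in UTC so the output
does not depend on the analyst machine's timezone.
"""
import csv
import io
import sqlite3

SCHEMA = """
CREATE TABLE CallMembers (id INTEGER PRIMARY KEY, identity TEXT, guid TEXT,
                          start_timestamp INTEGER, call_duration INTEGER);
CREATE TABLE Calls (id INTEGER PRIMARY KEY, host_identity TEXT,
                    current_video_audience TEXT, begin_timestamp INTEGER,
                    duration INTEGER);
CREATE TABLE Messages (id INTEGER PRIMARY KEY, author TEXT, chatname TEXT,
                       timestamp INTEGER, body_xml TEXT);
"""

# Constructed rows (assumed identities). 1300000000 is 2011-03-13 07:06:40 UTC.
SAMPLE_CALLMEMBERS = [
    (1, "+15555550100", "guid-0001", 1300000000, 125),  # Skype-to-phone, 125 s
    (2, "bob.skype", "guid-0002", 1300003600, 59),      # Skype-to-Skype, 59 s
]
SAMPLE_CALLS = [
    (1, "alice.skype", "bob.skype", 1300003600, 59),
    (2, "alice.skype", "carol.skype", 1300007200, 600),  # only in Calls: disconnected
]
SAMPLE_MESSAGES = [
    (1, "alice.skype", "#alice.skype/$bob.skype;1a2b3c", 1300010800,
     'meet at 10? <ss type="smile">:)</ss>'),
    (2, "bob.skype", "#alice.skype/$bob.skype;1a2b3c", 1300010860, "ok"),
]

# UTC rendering of an epoch column. Add 'localtime' only if you have recorded
# which timezone the analysis machine is set to.
UTC = "strftime('%Y-%m-%d %H:%M:%S', {col}, 'unixepoch')"


def open_db(path):
    """Open a *copy* of main.db read-only; never open the live file Skype has."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    conn.row_factory = sqlite3.Row
    return conn


def build_sample_db():
    """In-memory stand-in for main.db, filled with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO CallMembers VALUES (?,?,?,?,?)", SAMPLE_CALLMEMBERS)
    conn.executemany("INSERT INTO Calls VALUES (?,?,?,?,?)", SAMPLE_CALLS)
    conn.executemany("INSERT INTO Messages VALUES (?,?,?,?,?)", SAMPLE_MESSAGES)
    return conn


def call_members(conn):
    """CallMembers: phone and Skype calls, minus abnormally ended ones."""
    sql = f"""SELECT identity AS destination, guid,
                     {UTC.format(col='start_timestamp')} AS start_time_utc,
                     round(call_duration / 60.0, 1) AS minutes
              FROM CallMembers ORDER BY id"""
    return [dict(r) for r in conn.execute(sql)]


def calls(conn):
    """Calls: Skype-to-Skype only, including disconnected calls."""
    sql = f"""SELECT host_identity AS source, current_video_audience AS destination,
                     {UTC.format(col='begin_timestamp')} AS start_time_utc,
                     round(duration / 60.0, 1) AS minutes
              FROM Calls ORDER BY id"""
    return [dict(r) for r in conn.execute(sql)]


def messages(conn):
    """Messages: one row per chat line, oldest first."""
    sql = f"""SELECT author AS source, chatname,
                     {UTC.format(col='timestamp')} AS sent_utc,
                     body_xml AS message
              FROM Messages ORDER BY timestamp"""
    return [dict(r) for r in conn.execute(sql)]


def minutes_by_destination(conn):
    """Total call minutes per destination, from CallMembers."""
    totals = {}
    for row in call_members(conn):
        totals[row["destination"]] = round(totals.get(row["destination"], 0) + row["minutes"], 1)
    return totals


def to_csv(rows):
    """The query result as CSV text, like SQLite Manager's save-CSV action."""
    buf = io.StringIO()
    if rows:
        writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
        writer.writeheader()
        writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    db = build_sample_db()
    print(to_csv(call_members(db)))
    print(to_csv(calls(db)))
    print(to_csv(messages(db)))
```

Note that the disconnected call to carol.skype appears only in calls(), matching the difference between the two tables described above, and that minutes are computed with 60.0 so a 125-second call reports 2.1 minutes rather than 2.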

Friday, December 3, 2010

Managing Expectations for Security

Whether you are leading a new security program or an existing one that has left many with sour memories (or, worse, both), Management may perceive you as a heroine here to save the day. Similarly, as security professionals we often think a product we purchase may do just that (more on this later).

Nevertheless, it is immeasurably important to manage expectations as early as possible, ideally when you broadcast the course you have charted (your Security Roadmap).

Suppose your company does not give anyone the sense that it is secure or safe. Just because you have been appointed doesn't mean the change will happen overnight, in a month, a year, or even two years. Furthermore, you need to reinforce that very expectation with Management.

Why?

Changing brand perception is one of the most difficult things any company can do, whether it is the perception that this company can deliver services or products very different from what it does today, or something else. Think about the American auto industry. A little over ten years ago it delivered some of the worst-quality products to date. Now Ford is one of the top-rated manufacturers for quality, yet many Americans, previously trusting and then horridly burned (some literally), are hesitant to return to Ford. Changing a brand perception takes years. Microsoft has been working on it since Windows 95, and now with Windows 2003, 2008 (let's not think about Vista), and Windows 7 it has begun to show it can help set the pace in software security (how many others have modeled their vulnerability management program on Microsoft's as an example to improve upon?).

If changing brand perception takes years, losing it takes only days or months (think about BP). Reputation is easy to destroy and hard to build and maintain.

Often, customers don't demand security or explicitly ask for it. They expect it. It is something they don't think about or ask for unless they are already aware of the need for and importance of security. Thus it is a frivolous argument to say that we don't need security because not many people ask for it, or that we don't need to fix this because not many people reported it. All security vulnerabilities are defects, but not all defects are security vulnerabilities.

These are some of the many expectations that must be managed and concepts instilled.

Thursday, November 4, 2010

SecureSDLC - Building Security into the Software Lifecycle Part 2

Event Agenda
This was a well-run and well-attended event considering it was free for ISC2 members. Surprisingly, ISC2 provided refreshments and bagged lunch (or perhaps it comes free when you rent a space in the Ronald Reagan Center in DC). One of the last two session leads had a personal issue and was not able to make it. I'm not sure which since I had to leave after session 4.

Highlights of the Day

Session 1: Avoiding the Most Dangerous Software Security Weaknesses – the 2010 Top 25
As I had mentioned in a previous post, I was interested in hearing this session. While the seminar description alluded to how it might discuss security in contract language, that was only discussed for about 30 seconds. Essentially, it is increasingly common for customers to include at least a line in contracts or RFPs asking how a software vendor handles the Top 25 weaknesses.

Security Products that use CWE
The session lead, Robert Martin, described his experience in working with the major security software vendors in getting their input for the CWE and getting them to use CWE content in their products (static and dynamic security scanners). In doing this, he discovered that application security scanners don't have much in common. While they all scan for cross-site scripting and SQL Injection well, they do not have much overlap. This is consistent with what I described in an earlier post where each aspect of security testing is only able to detect a portion of the total population of vulnerabilities. We all laughed that perhaps they shouldn't call each other competitors since that would imply they have almost the same products. I would like to see some test report on what each major software vendor was able to find - I suppose that would be much like a Gartner Magic Quadrant report but I would like to see the test results since what Gartner says is a leader doesn't mean it will work for you since your applications may need focus on other vulnerabilities. Nevertheless, it would be worthwhile to use multiple tools.

CWE Compatibility List

Cross-site scripting (XSS) and SQL injection - battle for #1

XSS beats out SQL injection as the top vulnerability of this era in web application security because CAPEC catalogues 17 attack patterns for it versus 5 for SQL injection (as of this post). Furthermore, XSS is more difficult to fix since there are so many different entry points and a larger attack surface.

XSS Attack Patterns (CAPEC Version 1.5)
  CAPEC-ID   Attack Pattern Name
  232        Exploitation of Privilege/Trust
  85         Client Network Footprinting (using AJAX/XSS)
  86         Embedding Script (XSS) in HTTP Headers
  32         Embedding Scripts in HTTP Query Strings
  18         Embedding Scripts in Nonscript Elements
  19         Embedding Scripts within Scripts
  63         Simple Script Injection
  91         XSS in IMG Tags
  106        Cross Site Scripting through Log Files
  198        Cross-Site Scripting in Error Pages
  199        Cross-Site Scripting Using Alternate Syntax
  209        Cross-Site Scripting Using MIME Type Mismatch
  243        Cross-Site Scripting in Attributes
  244        Cross-Site Scripting via Encoded URI Schemes
  245        Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript
  246        Cross-Site Scripting Using Flash
  247        Cross-Site Scripting with Masking through Invalid Characters in Identifiers

SQL Injection Attack Patterns (CAPEC Version 1.5)
  CAPEC-ID   Attack Pattern Name
  7          Blind SQL Injection
  66         SQL Injection
  108        Command Line Execution through SQL Injection
  109        Object Relational Mapping Injection
  110        SQL Injection through SOAP Parameter Tampering

Wednesday, November 3, 2010

SecureSDLC - Building Security into the Software Lifecycle

I will be at the SecureSDLC in Washington, DC tomorrow.

Software professionals need the latest tools and information to ensure that software is being built with security in mind starting with the requirements phase.

This program will arm those stakeholders involved with the planning, development, design, coding and deploying of applications about the need for secure software, what should be considered in securing each phase of the software lifecycle and how organizations can create their own software assurance program. Additionally, there will be a look at the regulatory landscape and what professionals need to be aware of concerning this.

Session: Avoiding the Most Dangerous Software Security Weaknesses – the 2010 Top 25
Hosted by MITRE, I'm particularly interested in attending this session. The session description suggests it will talk about application security requirements in procurement contracts. Back at The Mortgage Company, we would often have detailed security requirements and test criteria for any procured software. At The Product Company, I anticipate our customers will soon delineate these and see what the industry de facto due-care is.

Session: Security’s KPIs – Measuring a Successful Web Application Security Program
Hosted by HP. I'm wary of this session since most security conferences that cover KPI's or metrics often leave much to be desired. I hope this one will be different. Just give us something to react to!

I wish they would cover
Embedding secure activities into an Agile life cycle. Microsoft wrote about this but I'd like to hear a talk about it since as I understand it, this may be a contentious issue and I'd like to hear it presented by someone who has gone through it.