Thursday, November 4, 2010

SecureSDLC - Building Security into the Software Lifecycle Part 2

Event Agenda
This was a well-run and well-attended event considering it was free for ISC2 members. Surprisingly, ISC2 provided refreshments and bagged lunch (or perhaps it comes free when you rent a space in the Ronald Reagan Center in DC). One of the last two session leads had a personal issue and was not able to make it. I'm not sure which since I had to leave after session 4.

Highlights of the Day

Session 1: Avoiding the Most Dangerous Software Security Weaknesses – the 2010 Top 25
As I had mentioned in a previous post, I was interested in hearing this session. While the seminar description alluded to how it might discuss security in contract language, it was only discussed in about 30 seconds. Essentially, it is heavily forthcoming from customers at least a line in contracts or RFPs that ask how a software vendor handles the Top 25 vulnerabilities.

Security Products that use CWE
The session lead, Robert Martin, described his experience in working with the major security software vendors in getting their input for the CWE and getting them to use CWE content in their products (static and dynamic security scanners). In doing this, he discovered that application security scanners don't have much in common. While they all scan for cross-site scripting and SQL Injection well, they do not have much overlap. This is consistent with what I described in an earlier post where each aspect of security testing is only able to detect a portion of the total population of vulnerabilities. We all laughed that perhaps they shouldn't call each other competitors since that would imply they have almost the same products. I would like to see some test report on what each major software vendor was able to find - I suppose that would be much like a Gartner Magic Quadrant report but I would like to see the test results since what Gartner says is a leader doesn't mean it will work for you since your applications may need focus on other vulnerabilities. Nevertheless, it would be worthwhile to use multiple tools.

CWE Compatibility List

Cross-site scripting (XSS) and SQL injection - battle for #1

XSS beats our SQL injection as top vulnerability of this era in web application security because there are 17 ways to attack it while SQL injection has 5 different ways (as of this post). Furthermore, XSS is more difficult to fix since there are so many different entry points and a larger attack surface.

XSS Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.5)
232Exploitation of Privilege/Trust
85Client Network Footprinting (using AJAX/XSS)
86Embedding Script (XSS ) in HTTP Headers
32Embedding Scripts in HTTP Query Strings
18Embedding Scripts in Nonscript Elements
19Embedding Scripts within Scripts
63Simple Script Injection
91XSS in IMG Tags
106Cross Site Scripting through Log Files
198Cross-Site Scripting in Error Pages
199Cross-Site Scripting Using Alternate Syntax
209Cross-Site Scripting Using MIME Type Mismatch
243Cross-Site Scripting in Attributes
244Cross-Site Scripting via Encoded URI Schemes
245Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript
246Cross-Site Scripting Using Flash
247Cross-Site Scripting with Masking through Invalid Characters in Identifiers

SQL Injection Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.5)
7Blind SQL Injection
66SQL Injection
108Command Line Execution through SQL Injection
109Object Relational Mapping Injection
110SQL Injection through SOAP Parameter Tampering

Wednesday, November 3, 2010

SecureSDLC - Building Security into the Software Lifecycle

I will be at the SecureSDLC in Washington, DC tomorrow.

Software professionals need the latest tools and information to ensure that software is being built with security in mind starting with the requirements phase.

This program will arm those stakeholders involved with the planning, development, design, coding and deploying of applications about the need for secure software, what should be considered in securing each phase of the software lifecycle and how organizations can create their own software assurance program. Additionally, there will be a look at the regulatory landscape and what professionals need to be aware of concerning this.

Session: Avoiding the Most Dangerous Software Security Weaknesses – the 2010 Top 25
Hosted by MITRE, I'm particularly interested in attending this session. The session description suggests it will talk about application security requirements in procurement contracts. Back at The Mortgage Company, we would often have detailed security requirements and test criteria for any procured software. At The Product Company, I anticipate our customers will soon delineate these and see what the industry de facto due-care is.

Session: Security’s KPIs – Measuring a Successful Web Application Security Program
Hosted by HP. I'm wary of this session since most security conferences that cover KPI's or metrics often leave much to be desired. I hope this one will be different. Just give us something to react to!

I wish they would cover
Embedding secure activities into an Agile life cycle. Microsoft wrote about this but I'd like to hear a talk about it since as I understand it, this may be a contentious issue and I'd like to hear it presented by someone who has gone through it.

The Marathon

This past weekend I ran a marathon. I tirelessly did so (for the second time) like I was carrying a 50 lb sack up a hill (saying courtesy of The Mortgage Company).

Today, for The Product Company, I had to expeditiously release a communication. Our lawyers suggested an edit where the security team would work "tirelessly" to resolve issues. It made me think not only of the mental exhaustion to put the communication together, but also the physical exhaustion still lingering from the marathon. I quipped - "How about diligently? Tirelessly makes me feel abused and exhausted." Not sure if it was as amusing to anyone else but we ended up with:

Whether publicly or privately communicated, we will work diligently to ensure that any confirmed vulnerabilities are addressed.

Screenshot of Marathon Time Projector Spreadsheet
Nevertheless, if you want to project your marathon time, I created a handy Excel spreadsheet. You can adjust your mile-by-mile pace, project your finish time, project your mile-by-mile time, and more! I protected the spreadsheet (thus locking the cells) without a password only so it is clear you only need to edit the fields highlighted in yellow.

Link to the greatest Marathon Time Projector spreadsheet