
  • This blog is provided "AS IS" with no warranties, and confers no rights. Opinions are not necessarily of Microsoft. You can contact the Application Consulting & Engineering Team (ACE Team) by leaving comments, clicking on Contact or Emailing us.

Security Code Review – String Search Patterns For Finding Vulnerabilities In ASP.NET Web Application

"The hardest thing of all is to find a black cat in a dark room, especially if there is no cat." – Confucius

Security code inspection is a bit like searching in the dark. However, in many cases* security vulnerabilities are recurrent anti-patterns that can be identified by a well-defined set of string searches.

This post sheds some light into the dark room to help find those black cats: security vulnerabilities.

Search Toolset

These are the tools I use to perform text searches.

Security Vulnerabilities Search Patterns

First, define what you want to search for. Here is one example of how to do it: Generate Your Own Security Code Review Checklist Document Using Outlook 2007. Then start searching. These are a few search patterns that can help you get on track to finding security vulnerabilities:

Related materials

Happy searching, alikl

________

*Searching for strings leads to hotspots – potential security vulnerabilities – but it will not find all of them. Sometimes it hits a vulnerability right between the eyes, sometimes it misses. But it surely helps narrow the scope of the security inspection.
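As an added illustration of the approach (example code written for this page, not part of the original post or any ACE tool), here is a small Python script that runs a starting set of such string searches over ASP.NET sources and reports each hit as a hotspot grouped by what it points at: untrusted input, output sinks, SQL sinks, redirects, weak crypto and insecure configuration. The pattern list and the three embedded sample files (an .aspx page, a code-behind file and a web.config) are constructed assumptions of the example; point it at a real tree with a directory argument.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# A starting set of search patterns, grouped by the kind of hotspot they point at.
# The grouping and the regexes are this example's own assumptions, not the original
# post's list; extend them for the code base under review.
PATTERNS: Dict[str, List[str]] = {
    "untrusted input": [
        r"Request\.(QueryString|Form|Cookies|Params|Headers|ServerVariables|RawUrl)",
        r"Request\[",
    ],
    "html output (xss sink)": [
        r"Response\.Write\(",
        r"<%\s*=",                      # inline expression in .aspx, rendered unencoded
        r"\.InnerHtml\s*=",
    ],
    "sql (injection sink)": [
        r"new\s+(Sql|OleDb|Odbc|Oracle)Command\(",
        r"\.CommandText\s*=",
        r"\"\s*(SELECT|INSERT|UPDATE|DELETE|EXEC)\b[^\"]*\"\s*\+",   # SQL literal + concatenation
    ],
    "redirect / file / process": [
        r"Response\.Redirect\(",
        r"Server\.(MapPath|Execute|Transfer)\(",
        r"Process\.Start\(",
    ],
    "weak crypto / hard-coded secret": [
        r"\b(MD5|SHA1|DES|RC2)CryptoServiceProvider\b",
        r"(?i)(password|pwd)\s*=\s*[^;\"\s]+",
    ],
    "insecure configuration": [
        r"(?i)ValidateRequest\s*=\s*\"false\"",
        r"(?i)EnableViewStateMac\s*=\s*\"false\"",
        r"(?i)customErrors\s+mode\s*=\s*\"Off\"",
        r"(?i)<compilation[^>]*debug\s*=\s*\"true\"",
    ],
}
COMPILED: List[Tuple[str, "re.Pattern[str]"]] = [
    (category, re.compile(p)) for category, pats in PATTERNS.items() for p in pats
]


def scan_text(name: str, text: str) -> List[dict]:
    """Return one hit per (line, pattern) match; a single line can yield several hits."""
    hits: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.strip()
        if code.startswith("//"):          # skip C# line comments
            continue
        for category, rx in COMPILED:
            m = rx.search(code)
            if m:
                hits.append({"file": name, "line": lineno, "category": category,
                             "match": m.group(0), "source": code})
    return hits


def scan_paths(root: Path, suffixes=(".cs", ".aspx", ".ascx", ".asax", ".config")) -> List[dict]:
    hits: List[dict] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits.extend(scan_text(str(path), path.read_text(errors="replace")))
    return hits


def summarize(hits: List[dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["category"]] = counts.get(h["category"], 0) + 1
    return counts


# Constructed sample files (not from any real project) so the script runs offline.
SAMPLE_ASPX = """\
<%@ Page Language="C#" ValidateRequest="false" %>
<html><body>
Hello, <%= Request.QueryString["name"] %>
</body></html>
"""
SAMPLE_CS = """\
using System.Data.SqlClient;
public partial class Search : System.Web.UI.Page {
    protected void Page_Load(object sender, EventArgs e) {
        string term = Request.Form["q"];
        // parameterised query: safe, but the command is still reported as a sink to look at
        var cmd = new SqlCommand("SELECT * FROM Items WHERE Name = @n", conn);
        cmd.Parameters.AddWithValue("@n", term);
        string sql = "SELECT * FROM Logs WHERE User = '" + term + "'";
        Response.Write(term);
        Response.Redirect(Request.QueryString["returnUrl"]);
    }
}
"""
SAMPLE_CONFIG = """\
<configuration>
  <connectionStrings>
    <add name="Shop" connectionString="Server=db1;Database=Shop;User Id=app;Password=S3cret!" />
  </connectionStrings>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_paths(Path(sys.argv[1]))
    else:  # no path given: run over the constructed samples
        hits = (scan_text("Default.aspx", SAMPLE_ASPX) + scan_text("Search.aspx.cs", SAMPLE_CS)
                + scan_text("web.config", SAMPLE_CONFIG))
    for h in hits:
        print(f"{h['file']}:{h['line']}: [{h['category']}] {h['source']}")
    print("hotspots by category:", summarize(hits))
```

Every hit is a place to read, not a confirmed bug: the parameterised SqlCommand in the sample is reported just like the concatenated one, which is exactly the footnote's point about hotspots versus vulnerabilities.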

Application Security Development Lifecycle 5A: Is Threat Modeling Right For You?

Several enterprises are increasingly investing time and money in building application security tasks into their existing SDLCs. Some of them have also reached the conclusion that proactive approaches, like threat modeling, have a higher ROI than reactive approaches. As a result, some enterprises with nascent appsec programs have turned to threat modeling as a panacea for their security problems. However, threat modeling may not be the solution to their immediate problems. I recognize that this may be a controversial statement.

Recently, I have been involved in several situations where organizations with their hearts in the right place have made threat modeling mandatory as part of the development process, with limited success. My point is that threat modeling as part of a mature SDLC is a desired end state, though not necessarily the initial step. Let's examine this argument. Read More...

Akshay Aggarwal
Practice Manager (North America & Latam)

Application Security Development Lifecycle 4: Finding the right security talent

After about an hour of nodding his head vigorously in agreement with some of our lessons learnt, my customer jumped up and exclaimed, " Great!! Now where do I find another 20 people like these?" (pointing to my team)...

I thought about it a while, and so, Mr. B, here is your answer: information security education has been pursued by several tertiary education institutions (i.e. universities) for several decades now. Read more...

Akshay Aggarwal
Practice Manager (North America & LATAM)

How Microsoft IT does Secure Application Development: Webcast

I will be discussing Microsoft IT's approach to secure application development, with a special focus on how we integrate security into the IT line-of-business SDLC, in a webcast this Thursday, May 29th. This webcast will be part of Microsoft's IT Manager Webcast series. This series aims to share deep knowledge focused on enterprise IT orgs and ISVs.

Title: IT Manager Webcast: How Microsoft IT does Secure Application Development (Level 200)

Register Online 

Audience: Technology Decision Maker
Duration: 60 Minutes
Start Date: Thursday, May 29, 2008 11:00 AM Pacific Time (US & Canada)

Event Overview

Join this webcast to learn how Microsoft IT's Application Consulting and Engineering (ACE) team secures Microsoft's internal business applications. The ACE team will share the state of the industry, application security challenges, and how application security fits into the development lifecycle for IT. Learn about the ACE team's methodology and processes developed in the areas of application security and performance optimization.

You can find more details here.

Akshay Aggarwal
Practice Manager (North America)

Using Threat Models Beyond the Design Stage

Threat Modeling is no longer the obscure magic it used to be. With the creation of tools like the Threat Analysis and Modeling (TAM) tool from the ACE Team, Threat Modeling is now easier to implement, faster and more comprehensive. Threat Modeling is the cornerstone of any good Secure Development Lifecycle. One of the reasons it became such an important part of the process is that it provides visibility into the potential threats to an application, and how to defend against them, before you start writing code. Many teams that implement Threat Modeling create their threat models, get their list of countermeasures to put into the code, and then go build the system. People don't realize just how valuable a threat model can be to the team beyond the development stage. Another huge benefit of Threat Modeling is how it can help other teams during later phases of the development life cycle. Testing, Deployment and Incident Response are some of the areas that gain huge benefits from threat models.

Testing teams are often focused on feature tests, performance tests and acceptance testing.  More and more they are checking for basic security vulnerabilities as part of the normal course of testing.  A Threat Model is a very suitable guide to assist the security testing process.  Not only does it increase the security awareness of the test team, but it will help the testers create tests to ensure that the countermeasures identified in the threat model were put in place correctly.  After all, if you don’t test the countermeasure, how can you be sure you got it right?

The TAM tool can also be used to create work items in TFS for the testers to do exactly that.  For each countermeasure work item that the tool generates for the developers to implement, TAM generates a corresponding test for the testers to execute to verify the countermeasure.  This makes creating a test plan for the application much more comprehensive and valuable.

Beyond testing is the deployment phase. During deployment a threat model can greatly improve the deployment team's awareness of the security profile of the application, its attack surface, and the potential security hot spots of the application such as trust boundaries and critical data storage areas. All of this information helps the deployment team deploy the application correctly and give it the attention it deserves. This will increase the efficiency of deployment, and of any potential incident response activities.

As much as we would like to believe that applications survive well on their own after they are deployed, there is always something that comes up.  We would all like to think that our applications are hack-proof and that they will never suffer a security incident.  But we don’t know what we don’t know, and can’t be sure that some new attack won’t be created.  In these situations, we need to be able to respond quickly and effectively to these sorts of incidents.  With a good application threat model responding to security incidents is much more efficient.

With a good threat modeling practice in place, when a new attack type appears the security team examines the attack, scrutinizes it, formulates appropriate defenses, and generates awareness of the attack.  They can update the Attack Library in the TAM tool, and instruct teams to re-generate their threats to see if their application is subject to the new threat or not.  This will very quickly tell you if you have to start getting your emergency patching process rolling, or if you are safe from this new type of attack. This may not seem like much but consider what this provides in the bigger picture.

With the click of a button, in the case of the TAM tool, you will instantly know whether you have to patch your application immediately or are not affected by the attack. With the Enterprise version of TAM, you can even see whether applications you depend on are subject to the new attack. If you are affected, the threat modeling process will notify you, provide the countermeasure you need to implement, and provide the test you need to ensure the countermeasure is implemented correctly. It will also create updated reports so that the entire team is aware of the issues, their responsibilities and compliance requirements very quickly. What this all means is that your patching cycles are much shorter and the application is maintained in a secure manner, which results in increased customer satisfaction and loyalty.

Ultimately, you can say that good Threat Modeling practices = more customer satisfaction and loyalty.  After all, isn’t that what we’re really after?

Security priorities are changing for Canadian organizations

This is a link to an article I recently published through InterGovWorld.com in Canada.

http://www.intergovworld.com/article/de76c0610a0104080164a05db0878ff1/pg1.htm

Todd Kutzke

 

Increase the TCO, kill the project: An ad-hoc analogy

The other day I was subject to the assertion that the only asset an IT security organization should care about is data. Being in the application security business, I should have been jumping at this validation, but I couldn't.

The IT security org needs to understand what threats the business faces from its technology systems. In many cases this is not a direct threat to the confidentiality or availability of data. Some attacks may be focused on other aspects of the systems like integrity or even cost. Read more...

Akshay Aggarwal

Practice Manager

Application Security Development Lifecycle 3: Funding Models

Now that you've decided (or battled) to set up an application security program, you realize that it actually needs to get funded. You must master the art of delicately drinking from the fire hydrant of line-of-business applications.

In my experience helping organizations set up their application security programs, funding was perhaps the most critical factor determining the level of impact the appsec program would have. Let's go through the various permutations and combinations of these models and what they buy you. Read More...

Akshay Aggarwal
Practice Manager (North America)

Front Range web application security summit in Denver

I will be speaking at the Front Range OWASP Conference (FROC08) in Denver on June 10th. The focus of the conference is to share the experiences the speakers have had solving technical and management issues surrounding application security. I'll be sharing the podium with luminaries like Ed Bellis, Jeremiah Grossman, Melissa Tondi, Laz, Mike Walter & Robert Hansen.

My talk, Application Security Kung Fu: Threat Modeling your way to competitive advantage, will focus on how threat models lead to better software, which translates into a competitive advantage. That will be followed by a security discussion on integrating security into the SDLC. I am looking forward to this discussion on a topic I have been passionately blogging about.


Akshay Aggarwal
Practice Manager (North America & LATAM)

Application Security Governance 2: Mandatory or Not?

Large enterprises tend to have a number of line of business (LOB) applications supporting business operations. It becomes key for an application security program to help the organization manage the risk posed by each of these applications. These tend to comprise legacy applications, applications under development, and applications under planning.

To start an application security program, the org must set up a secure data center/environment to host secure applications.  Read More...

Akshay Aggarwal
Practice Manager

IIS7 Admin Pack Offers Built In Performance Analysis Reports
  • Are you a web developer building a high-traffic web site?
  • Are you a performance engineer who lives and breathes performance reports?
  • Are you a production system engineer supporting a heavy-traffic web site?

In any of these cases you need an ad-hoc, simple-to-use tool to analyze your web site's behavior under load during the development, testing, and maintenance phases.

I thought it would be useful to focus on performance analysis tools that analyze IIS logs.

ScottGu's post describes the features that are included with IIS7 Administration Pack Technical Preview 1. One of the features is Log Reports, which relies on the command-line LogParser tool:

"Built-in report visualization with charting support for log files data.  Full range selection and custom chart creation is supported, as well as the ability to print or save reports.  Like the database manager you can use this module remotely over HTTP/SSL - which means it works in remote shared hosting scenarios."

I've installed PetShop Reference Implementation and quickly generated a load on my laptop with Vista SP1. Below is the performance report that was generated by IIS7 Admin Pack:

[image: performance report generated by the IIS7 Admin Pack]

Very nice!
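The report above is built from the same W3C extended log that LogParser reads. As an added example (written for this page, not part of the original post or of the Admin Pack), the following Python script parses that format directly and produces the per-URL view a first look usually needs: request count, average, 90th percentile and maximum time-taken, and the HTTP status mix, so that slow pages and error spikes stand out without any tooling installed on the server. The log lines are constructed sample traffic, and the column names come from the #Fields directive, so a log with a different field layout is read without code changes.

```python
import math
import sys
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample (not real traffic) in the W3C extended format IIS writes:
# '#' directives, then one space-separated record per request. IIS writes '-'
# for empty fields and '+' for spaces inside a field, so a plain split() works.
# The last record is deliberately truncated to show malformed lines being skipped.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2008-05-20 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2008-05-20 10:00:01 10.0.0.5 GET /Default.aspx - 80 - 10.0.0.9 Mozilla/4.0+(compatible) 200 0 0 31
2008-05-20 10:00:02 10.0.0.5 GET /Items.aspx id=1 80 - 10.0.0.9 Mozilla/4.0+(compatible) 200 0 0 406
2008-05-20 10:00:03 10.0.0.5 GET /Items.aspx id=2 80 - 10.0.0.9 Mozilla/4.0+(compatible) 200 0 0 1203
2008-05-20 10:00:04 10.0.0.5 POST /Checkout.aspx - 80 alice 10.0.0.9 Mozilla/4.0+(compatible) 500 0 0 78
2008-05-20 10:00:05 10.0.0.5 GET /Items.aspx id=1 80 - 10.0.0.9 Mozilla/4.0+(compatible) 200 0 0 391
2008-05-20 10:00:06 10.0.0.5 GET /Default.aspx
"""


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the most recent #Fields line."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                # A rolled-over log repeats the directive block; re-read the layout.
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def report(entries: Iterable[Dict[str, str]]) -> Dict[str, dict]:
    """Aggregate per URL: request count, avg/p90/max time-taken (ms) and status counts."""
    times: Dict[str, List[int]] = defaultdict(list)
    status: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in entries:
        if not e.get("time-taken", "").isdigit():
            continue  # field not enabled for this log
        url = e["cs-uri-stem"]
        times[url].append(int(e["time-taken"]))
        status[url][e["sc-status"]] += 1
    result: Dict[str, dict] = {}
    for url, t in times.items():
        t.sort()
        result[url] = {
            "requests": len(t),
            "avg_ms": sum(t) / len(t),
            "p90_ms": t[math.ceil(0.9 * len(t)) - 1],   # nearest-rank percentile
            "max_ms": t[-1],
            "status": dict(status[url]),
        }
    return result


def slowest(rep: Dict[str, dict], n: int = 5) -> List[Tuple[str, dict]]:
    """URLs ordered by average time-taken, worst first."""
    return sorted(rep.items(), key=lambda kv: kv[1]["avg_ms"], reverse=True)[:n]


def format_report(rep: Dict[str, dict]) -> str:
    lines = [f"{'url':<20}{'reqs':>6}{'avg':>8}{'p90':>8}{'max':>8}  status"]
    for url, s in slowest(rep, len(rep)):
        st = " ".join(f"{k}:{v}" for k, v in sorted(s["status"].items()))
        lines.append(f"{url:<20}{s['requests']:>6}{s['avg_ms']:>8.0f}"
                     f"{s['p90_ms']:>8}{s['max_ms']:>8}  {st}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python iislog.py ex080520.log
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            rep = report(parse_w3c(fh))
    else:
        rep = report(parse_w3c(SAMPLE_LOG.splitlines()))
    print(format_report(rep))
```

The status column is the reason to keep this script next to the performance report: a page that is both slow and returning 500s under load is usually the first thing both the performance engineer and the on-call responder want to know about.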

Quick and Easy Performance Reporting for IIS 6.0 logs

Using IIS 6.0? Need an ad-hoc performance analysis reporting capability? Following are a few options that have worked for me so far:

My Related Posts

Enjoy.

Improve .Net Applications Performance Effectively And Efficiently

How do you anticipate, or better yet avoid, performance-related "surprises" during load and stress testing?

Apply performance engineering practices throughout the SDLC (Software Development Life Cycle). Here are the major talking points, tools, resources, and further reading.

Performance Engineering Frame

In order to focus and streamline Performance Engineering tasks throughout the development lifecycle, ask the following questions:

  • How to cache data?
  • How to handle communications?
  • How to handle concurrency?
  • How to handle components’ coupling/cohesion?
  • How to perform data access?
  • What algorithms to use?
  • How to handle exceptions?
  • How to handle resource management?
  • How to handle state management?

More info - Performance Frame. Pay special attention to performance threats and performance vulnerabilities.

Development phases and related activities

Tools

Related materials

Do You Really Need A Distributed Architecture?

Alik here.

Does the question sound rhetorical to you? Do you think the answer is "Yes" by default these days?

Think twice. Ask yourself the questions below. You may change your mind at the end.

Performance

Is performance important to you and your customers? Consider the following performance threats specifically applicable to distributed architectures.

  • Network latency as a result of multiple round trips to perform a single operation.
  • High network utilization by sending more data than is required.
  • Increased serialization overhead.
  • Performance costs as a result of security checks.

Security

Care to build security-aware systems? Care to protect your and your customers' mission-critical assets? Consider the following security threats and challenges specifically related to distributed architectures.

  • Parameter manipulation.
  • Network eavesdropping and information disclosure.
  • Credential theft.
  • Data tampering.
  • Unauthorized access to administration interfaces.
  • Denial of service.
  • Identity flow across physical tiers.
  • Unauthorized access due to lack of network protection.

Operations

Care to respond to production incidents quickly? Want to keep up with tight SLAs? Have a chat with the production IT people who are supposed to support your system in production. I am sure they will ask you the following questions. Do you have good answers?

  • What do I check when end users ask me the following questions?
    • Why is it not working?
    • Why is it so slow?
    • Why am I not allowed to do this operation?
  • How do I configure this?
  • What alerts does your system raise when it fails?
  • Where are all alerts sent?
  • How do I roll back the version?
  • What should I do when I see a specific alert?
  • How do I distribute patches for your system?
  • How do I know what the source of the incident is?
  • How do I get detailed information regarding the incident?
  • How do I recognize the trends that usually lead to an incident?
  • How do I back up the configuration?

Benefits

What are the benefits of SOA?

"Service-oriented architecture is, first and foremost, a means of attaining greater business agility from existing IT investments. SOA-based solutions connect systems and thereby automate previously manual information-transfer processes whether the goal is to develop new applications; to connect systems, workgroups, or geographically distributed subsidiaries; or to collaborate with trading partners."

Are you building the next Google or Flickr, or just a departmental HR system? Do you really achieve the benefits by creating your distributed architecture? Do you really automate the process, or add more operational costs?

Case studies

More questions and answers

Generate Your Own Security Code Review Checklist Document Using Outlook 2007
  • Do you conduct security code reviews? - [Yes/No]
  • Do you want to streamline the process of the review? – [Yes/No]
  • Do you want to save time and achieve results with much less efforts? – [Yes/No]
  • Do you hate writing documents? - [Yes/No]

If the answer is Yes to the questions above then this post is for you. In this post I am going to show how to generate a Security Code Review Checklist using patterns & practices Guidance Explorer and Outlook 2007.

Note - Checklist documents can be generated without Outlook 2007 by only using the Guidance Explorer client that is freely available for download here. I am just a big fan of looking for new ways to utilize familiar tools.

Summary of Steps

  • Step #1 – Configure your Outlook 2007 to consume patterns & practices Guidance Explorer.
  • Step #2 – Customize Outlook 2007 for easier search.
  • Step #3 – Identify Security Code Review items among 4000 items.
  • Step #4 – Generate Security Code Review Checklist Document.

Next section describes each step in detail.

Step #1 – Configure your Outlook 2007 to consume patterns & practices Guidance Explorer. The patterns & practices team has recently released a version of its Guidance Explorer that exposes its online store via RSS. Guidance Explorer consolidates all the guidance patterns & practices has ever released, covering the Security, Performance, and Visual Studio areas. That means you can consume something like 4000 items using the RSS reader of your choice. My choice is Outlook 2007. Follow the instructions in Consume patterns&practices Guidance Explorer Via RSS Using Outlook 2007 to download all 4000 items for offline use inside Outlook 2007.

Step #2 – Customize Outlook 2007 for easier search. Once the Guidance Explorer items are downloaded you can start consuming them directly from Outlook 2007. To make this more usable I recommend creating predefined search folders focusing on the different disciplines, for example Security, Performance, and Visual Studio. Follow the instructions in Customize Guidance Explorer Inside Outlook 2007 – Find Tech Gold Nuggets Instantly to make it more usable and easy to access relevant information.

Step #3 – Identify Security Code Review items among 4000 others. Now that we are all set, let's build a list of security code inspection items. It is pretty easy with Outlook 2007's built-in instant search capability. Paste "Type: Inspection Question" into the search box, including the quotes, and you should see something similar to this:

[image: Outlook 2007 instant search results for "Type: Inspection Question"]

Highlight the desired items and copy them to the clipboard by pressing Ctrl + C. Create a new folder in Outlook 2007 and paste the items using Ctrl + V. You've just created a working checklist ready to be used with the code you want to review. If you have your own insights and want to add them to the checklist, it is easy: just follow the instructions in Create Your Own Guidance Explorer Items Inside Outlook 2007.

Step #4 – Generate Security Code Review Checklist Document. Once you are happy with the checklist items you are ready to generate the document. Outlook 2007 does not have such a built-in capability, so I developed it myself. It is really easy with Visual Studio 2005 and Visual Studio Tools For Office [VSTO], or just with Visual Studio 2008. For more information check my post Generate Documents Out Of Mail Items Directly From Outlook 2007. I've uploaded a sample checklist document, in Word 2003 format, with a few items in it. The document was generated purely using the described approach.

Guidance Explorer comes with an offline client that can do everything I’ve described above including document generation. To learn more about Guidance Explorer watch these cool videos below:

Have fun, Alik Levin

XSSDetect FAQ

Hi! This is Hassan Khan. As promised, here are the FAQs on XSSDetect:

Q. What is XSSDetect?
A. XSSDetect is a stripped-down version of the Code Analysis Tool for .NET (CAT.NET), which the ACE team uses to help find security vulnerabilities in software applications. It has been made available for free on Microsoft Downloads. XSSDetect ships as a Visual Studio add-in that can identify non-persistent (reflected) XSS vulnerabilities in ASP.NET web applications.

Q. What is CAT.NET?
A. CAT.NET (Code Analysis Tool for .NET) is the complete version of the dataflow analysis solution built by the ACE Team. Information on how to get CAT.NET will be posted later. It includes the following features:

1. Ability to detect more security vulnerabilities, such as persistent XSS, SQL injection, redirection to user-controlled web sites, process command execution, LDAP/XPath injection, etc.

2. Ability to create custom rules (to detect new vulnerabilities) and filters (to reduce false positives).

3. A command-line version that does not require Visual Studio.

4. Integration with FxCop and MSBuild.

5. Ability to create work items for Visual Studio Team System and to generate reports.

6. Ability to analyze large applications.

Q. Does XSSDetect require Visual Studio to be run with admin privileges?
A. Yes. Running the XSSDetect add-in without admin privileges may cause it to crash or to display messages regarding a missing or expired license.

Q. Why does XSSDetect run out of memory?
A. XSSDetect builds a large dataflow graph in memory for all of the targeted assemblies. To prevent XSSDetect from running out of memory, remove some of the target assemblies from the target settings tab. See also the blog entry titled "XSSDetect: Analyzing large applications."

Q. What is the scope of the XSSDetect analysis?
A. XSSDetect analyzes code that can be compiled into .NET assemblies, irrespective of language. This includes web site projects and any server-side code in .aspx files. For example, a vulnerability like
<%=Request.QueryString["name"] %>
in an .aspx file will be caught.
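The inline expression above is the simplest shape of the problem: source and sink on one line, which even a string search finds. What a dataflow tool adds is following the data through assignments until it reaches an output sink, and recognizing when an encoder has neutralized it on the way. The following Python script is an added example written for this page (not CAT.NET, XSSDetect or any ACE code) of that idea on a few constructed lines of C#: it treats the Request.* collections as sources, Response.Write as the sink and HttpUtility/Server HtmlEncode calls as sanitizers, tracks taint through simple assignments, and reports each tainted sink with its provenance chain. The sample code, the allow-list of encoders and the statement-parsing regexes are assumptions of the example; a real analyzer works on compiled IL, not on source text.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Toy model of the analysis; every list here is an assumption of this example.
SOURCE_RX = re.compile(r'Request\.(?:QueryString|Form|Cookies|Params|Headers)\[[^\]]*\]')
SANITIZER_RX = re.compile(r'(?:HttpUtility|Server|AntiXss)\.(?:Html|HtmlAttribute|Url)Encode\([^()]*\)')
ASSIGN_RX = re.compile(r'^(?:(?:var|string|String|object)\s+)?(\w+)\s*=\s*(.+?)\s*;$')
SINK_RX = re.compile(r'^Response\.Write\((.+)\)\s*;$')
STRING_RX = re.compile(r'"(?:\\.|[^"\\])*"')
IDENT_RX = re.compile(r'\b[A-Za-z_]\w*\b')


@dataclass
class Finding:
    line: int
    statement: str
    chain: List[str]   # sink argument back to the Request.* source, one hop per entry


def strip_sanitized(expr: str) -> str:
    """Blank out every encoder call (innermost first) so only unencoded data remains."""
    prev = None
    while prev != expr:
        prev, expr = expr, SANITIZER_RX.sub('""', expr)
    return expr


def taint_of(expr: str, taint: Dict[str, List[str]]) -> Optional[List[str]]:
    """Provenance chain for untrusted data that reaches expr unencoded, or None."""
    residue = strip_sanitized(expr)
    m = SOURCE_RX.search(residue)
    if m:
        return [m.group(0)]                       # source used directly in this expression
    for ident in IDENT_RX.findall(STRING_RX.sub('""', residue)):
        if ident in taint:
            return taint[ident]                   # flows in through an earlier assignment
    return None


def analyze(code: str) -> List[Finding]:
    taint: Dict[str, List[str]] = {}
    findings: List[Finding] = []
    for n, raw in enumerate(code.splitlines(), start=1):
        stmt = raw.split("//", 1)[0].strip()      # drop line comments (naive: "//" inside strings)
        if not stmt:
            continue
        if (m := SINK_RX.match(stmt)):
            chain = taint_of(m.group(1), taint)
            if chain:
                findings.append(Finding(n, stmt, chain))
        elif (m := ASSIGN_RX.match(stmt)):
            var, rhs = m.group(1), m.group(2)
            chain = taint_of(rhs, taint)
            if chain:
                taint[var] = [f"{var} (line {n})"] + chain
            else:
                taint.pop(var, None)              # overwritten with clean data (e.g. after encoding)
    return findings


# Constructed C# fragment (not from any real application). Lines 6 and 7 are the bugs.
SAMPLE = '''\
string name = Request.QueryString["name"];
string greeting = "Hello, " + name;
string safe = HttpUtility.HtmlEncode(greeting);
string mixed = HttpUtility.HtmlEncode(name) + Request.Form["comment"];
Response.Write(safe);                              // clean: whole value encoded
Response.Write(greeting);                          // reflected XSS via name
Response.Write(mixed);                             // reflected XSS: comment part is unencoded
Response.Write(HttpUtility.HtmlEncode(name));      // clean: encoded at the sink
name = HttpUtility.HtmlEncode(name);
Response.Write("Hi " + name);                      // clean: name was re-assigned encoded
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: {f.statement}")
        print("    " + " <- ".join(f.chain))
```

The partial-encoding case on line 4 is the one worth noticing: a string search for HtmlEncode near the sink would call it safe, while tracking each operand separately shows the Form value is still raw when it reaches Response.Write.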

Q. What versions of Visual Studio does XSSDetect work on?
A. XSSDetect has been tested to work on Visual Studio 2005. It does not, however, work on any of the VS Express Editions. The version currently available for download does not work with Visual Studio 2008. If you would like to analyze applications in VS2008, open the XSSDetect.addin file in the Documents and Settings\<username>\Application Data\Microsoft\MSEnvShared\Addins directory on XP, or
\users\<your alias>\AppData\Roaming\Microsoft\MSEnvShared\Addins on Vista, and insert the following line under HostApplication:
<Version>9.0</Version>

Q. Can XSSDetect analyze release builds without any debug info?
A. Yes. The analysis is not affected by the availability of debug info; however, the results will then not include the location of the vulnerabilities.

Q. How can error 2869 be avoided when installing XSSDetect on Vista?
A. Launch the installation using setup.exe instead of setup.msi on Vista.

 
