
Application Security Development Lifecycle 3: Funding Models

Now that you've decided (or battled) to set up an application security program you realize that it actually needs to get funded.  You must master the art of delicately drinking from the fire hydrant of line of business applications.

In my experience helping organizations set up their application security programs, funding was perhaps the most critical factor determining the level of impact that the appsec program would have. Let's go through the various permutations and combinations of these models and what each of them buys you.

Akshay Aggarwal
Practice Manager (North America)

Front Range web application security summit in Denver

I will be speaking at the Front Range OWASP Conference (FROC08) in Denver on June 10th. The focus of the conference is to share the experiences that the speakers have had in solving technical and management issues surrounding application security. I'll be sharing the podium with luminaries like Ed Bellis, Jeremiah Grossman, Melissa Tondi, Laz, Mike Walter & Robert Hansen.

My talk, Application Security Kung Fu: Threat Modeling your way to competitive advantage, will focus on how threat models can lead to better software, which in turn translates into a competitive advantage. That will be followed by a security discussion on integrating security into the SDLC. I'm looking forward to this discussion on the topic I have been passionately blogging about.

Akshay Aggarwal
Practice Manager (North America & LATAM)

Application Security Governance 2: Mandatory or Not?

Large enterprises tend to have a number of line of business (LOB) applications supporting business operations. It becomes key for an application security program to help the organization manage the risk posed by each of these applications. The portfolio tends to comprise legacy applications, applications under development and applications under planning.

To start an application security program, the org must set up a secure data center/environment to host secure applications.

Akshay Aggarwal
Practice Manager

IIS7 Admin Pack Offers Built In Performance Analysis Reports
  • Are you a web developer building a high traffic web site?
  • Are you a performance engineer who lives and breathes performance reports?
  • Are you a production System Engineer supporting a heavy traffic web site?

In any of these cases you need an ad-hoc, simple-to-use tool to analyze your web site's behavior under load during the development, testing, and maintenance phases.

I thought it would be useful to focus on performance analysis tools that analyze IIS logs.

ScottGu's post describes the features that are included with IIS7 Administration Pack Technical Preview 1. One of the features is Log Reports, which relies on the command-line LogParser tool:

"Built-in report visualization with charting support for log files data.  Full range selection and custom chart creation is supported, as well as the ability to print or save reports.  Like the database manager you can use this module remotely over HTTP/SSL - which means it works in remote shared hosting scenarios."

I've installed the PetShop Reference Implementation and quickly generated load on my laptop running Vista SP1. Below is the performance report that was generated by the IIS7 Admin Pack:

[Screenshot: performance report generated by the IIS7 Admin Pack]

Very nice!

Quick and Easy Performance Reporting for IIS 6.0 logs

Using IIS 6.0? Need ad-hoc performance analysis reporting capability? Following are a few options that have worked for me so far:

My Related Posts

Enjoy.

Improve .Net Applications Performance Effectively And Efficiently

How do you anticipate, or better yet avoid, performance-related "surprises" during load and stress testing?

Apply performance engineering practices throughout SDLC (Software Development LifeCycle). Here are major talking points, tools, resources, and further reading.

Performance Engineering Frame

In order to focus and streamline Performance Engineering tasks throughout the development lifecycle, ask the following questions:

  • How to cache data?
  • How to handle communications?
  • How to handle concurrency?
  • How to handle components’ coupling/cohesion?
  • How to perform data access?
  • What algorithms to use?
  • How to handle exceptions?
  • How to handle resource management?
  • How to handle state management?

More info - Performance Frame. Pay special attention to performance threats and performance vulnerabilities.

Development phases and related activities

Tools

Related materials

Do You Really Need A Distributed Architecture?

Alik here.

Does the question sound rhetorical to you? Do you think the answer is “Yes” by default these days?

Think twice. Ask yourself the questions below. You may change your mind at the end.

Performance

Is performance important to you and your customers? Consider the following performance threats specifically applicable to distributed architectures.

  • Network latency as a result of multiple round trips to perform a single operation.
  • High network utilization by sending more data than is required.
  • Increased serialization overhead.
  • Performance costs as a result of security checks.

Security

Care to build security-aware systems? Care to protect your and your customers' mission-critical assets? Consider the following security threats and challenges specifically related to distributed architectures.

  • Parameter manipulation.
  • Network eavesdropping and information disclosure.
  • Credential theft.
  • Data tampering.
  • Unauthorized access to administration interfaces.
  • Denial of service.
  • Identity flow across physical tiers.
  • Unauthorized access due to lack of network protection.

Operations

Care to respond to production incidents quickly? Want to keep up with tight SLAs? Have a chat with the production IT guys who are supposed to support your system in production. I am sure they will ask you the following questions. Do you have good answers?

  • What do I check when end users ask me the following questions?
    • Why is it not working?
    • Why does it work so slowly?
    • Why am I not allowed to do this operation?
  • How do I configure this?
  • What alerts does your system raise when it fails?
  • Where are all the alerts sent?
  • How do I roll back the version?
  • What should I do when I see a specific alert?
  • How do I distribute patches for your system?
  • How do I know what the source of the incident is?
  • How do I get detailed information regarding the incident?
  • How do I recognize the trends that usually lead to an incident?
  • How do I back up the configuration?

Benefits

What are the benefits of SOA?

"Service-oriented architecture is, first and foremost, a means of attaining greater business agility from existing IT investments. SOA-based solutions connect systems and thereby automate previously manual information-transfer processes whether the goal is to develop new applications; to connect systems, workgroups, or geographically distributed subsidiaries; or to collaborate with trading partners."

Are you building the next Google or Flickr, or just a departmental HR system? Do you really achieve the benefits by creating a distributed architecture? Do you really automate the process, or just add more operational costs?

Case studies

More questions and answers

Generate Your Own Security Code Review Checklist Document Using Outlook 2007
  • Do you conduct security code reviews? - [Yes/No]
  • Do you want to streamline the process of the review? – [Yes/No]
  • Do you want to save time and achieve results with much less effort? – [Yes/No]
  • Do you hate writing documents? - [Yes/No]

If the answer is Yes to the questions above then this post is for you. In this post I am going to show how to generate Security Code Review Checklist using patterns & practices Guidance Explorer and Outlook 2007.

Note - Checklist documents can be generated without Outlook 2007 by only using the Guidance Explorer client that is freely available for download here. I am just a big fan of looking for new ways to utilize familiar tools.

Summary of Steps

  • Step #1 – Configure your Outlook 2007 to consume patterns & practices Guidance Explorer.
  • Step #2 – Customize Outlook 2007 for easier search.
  • Step #3 – Identify Security Code Review items among 4000 items.
  • Step #4 – Generate Security Code Review Checklist Document.

The next section describes each step in detail.

Step #1 – Configure your Outlook 2007 to consume patterns & practices Guidance Explorer. The patterns & practices team has recently released a version of their Guidance Explorer that exposes its online store via RSS. Guidance Explorer consolidates all the guidance patterns & practices has ever released, covering the Security, Performance, and Visual Studio areas. That means you can consume something like 4000 items using the RSS reader of your choice. My choice is Outlook 2007. Follow the instructions in Consume patterns&practices Guidance Explorer Via RSS Using Outlook 2007 to download all 4000 items for offline use inside Outlook 2007.

Step #2 – Customize Outlook 2007 for easier search. Once the Guidance Explorer items are downloaded you can start consuming them directly from Outlook 2007. To make this more usable I recommend creating predefined search folders focusing on different disciplines, for example Security, Performance, and Visual Studio. Follow the instructions in Customize Guidance Explorer Inside Outlook 2007 – Find Tech Gold Nuggets Instantly to make it more usable and easy to access relevant information.

Step #3 – Identify Security Code Review items among 4000 others. Now that we are all set, let’s build a list of security code inspection items. It is pretty easy with Outlook 2007's built-in instant search capability. Paste “Type: Inspection Question” into the search box, including the quotes, and you should see something similar to this:

[Screenshot: Outlook 2007 instant search results for “Type: Inspection Question”]

Highlight the desired items and copy them to the clipboard by pressing Ctrl + C. Create a new folder in Outlook 2007 and paste the items using Ctrl + V. You’ve just created a working checklist ready to be used with the code you want to review. If you have your own insights and want to add them to the checklist, it is easy: just follow the instructions in Create Your Own Guidance Explorer Items Inside Outlook 2007.

Step #4 – Generate Security Code Review Checklist Document. Once you are happy with the checklist items you are ready to generate the document. Outlook 2007 does not have such a built-in capability, so I developed it myself. It is really easy with Visual Studio 2005 and Visual Studio Tools For Office [VSTO], or just with Visual Studio 2008. For more information check my post Generate Documents Out Of Mail Items Directly From Outlook 2007. I’ve uploaded a sample checklist document with a few items in it, in Word 2003 format. The document was generated purely using the described approach.

Guidance Explorer comes with an offline client that can do everything I’ve described above including document generation. To learn more about Guidance Explorer watch these cool videos below:

Have fun, Alik Levin

XSSDetect FAQ

Hi! This is Hassan Khan. As promised, here are the FAQs on XSSDetect:

Q. What is XSSDetect?
A. XSSDetect is a stripped down version of the Code Analysis Tool for .NET used by the ACE team to help find security vulnerabilities in software applications. It has been made available for free on Microsoft Downloads. XSSDetect comes as a Visual Studio add-in that can identify non-persistent XSS vulnerabilities in ASP.NET web applications.

Q. What is CAT.NET?
A. CAT.NET (Code Analysis Tool for .NET) is the complete version of the dataflow analysis solution built by the ACE Team. Information on how to get CAT.NET will be posted later. It includes the following features:

1. Ability to detect more security vulnerabilities like persistent XSS, SQL Injection, Redirection to User Controlled Websites, Process Command Execution, LDAP/XPath Injection etc.
2. Ability to create custom rules (to detect new vulnerabilities) and filters (to reduce false positives).
3. Includes a command line version that does not require Visual Studio.
4. Integration with FxCop and MSBuild.
5. Ability to create work items for Visual Studio Team System and generate reports.
6. Ability to analyze large applications.

Q. Does XSSDetect require Visual Studio to be run with admin privileges?
A. Yes. Running the XSSDetect add-in without admin privileges may cause it to crash or display messages regarding a missing or expired license.

Q. Why does XSSDetect run out of memory?
A. XSSDetect creates a huge dataflow graph in memory for all the targeted assemblies. To prevent XSSDetect from running out of memory, remove some of the target assemblies from the target settings tabs. Please also see the blog entry titled “XSSDetect: Analyzing large applications.”

Q. What is the scope of the XSSDetect analysis?
A. XSSDetect will analyze code that can be compiled into .NET assemblies irrespective of language. This includes web site projects and any server-side code in .aspx files. For example, vulnerabilities like:
<%=Request.QueryString["name"] %>
in the .aspx files will be caught.

Q. What versions of Visual Studio does XSSDetect work on?
A. XSSDetect has been tested to work on Visual Studio 2005. It does not, however, work on any of the VS Express Editions. The version currently available for download does not work with Visual Studio 2008. If you would like to analyze applications in VS2008, open the XSSDetect.addin file in the Documents and Settings\<username>\Application Data\Microsoft\MSEnvShared\Addins directory on XP, or
\users\<your alias>\AppData\Roaming\Microsoft\MSEnvShared\Addins on Vista, and insert the following line under HostApplication:
<Version>9.0</Version>

Q. Can XSSDetect analyze release builds without any debug info?
A. Yes, the analysis will not be affected by the availability of debug info; however, the results will not include information on the location of the vulnerabilities.

Q. How can error 2869 be avoided when installing XSSDetect on Vista?
A. Please launch the installation process using setup.exe instead of setup.msi on Vista.

Operation has timed out from class library in COM+

In a recent MS internal performance gig we encountered an interesting issue with the maxconnection setting in the Machine.Config. Essentially the application we were testing consisted of a web application using classic ASP, COM+ business objects and a .NET wrapper proxy that consumed web services on a separate web server using integrated authentication and SSL.

We used VSTS to apply load to the web server and measure throughput. After a minute we noticed that the server throughput dropped and ASP requests per second fell to zero. RPS would stay at zero for exactly 1 minute 40 seconds and then resume, and this behavior would repeat itself every minute or so. Even more troubling were the exceptions in the application event log. They looked like this: System.Net.WebException: The operation has timed out…

Fast forwarding a bit, we decided to try live debugging. Fortunately for us we found an excellent blog entry that contained a step by step walkthrough on a similar issue: http://blogs.msdn.com/tess/archive/2006/02/23/asp-net-performance-case-study-web-service-calls-taking-forever.aspx

While the system was under load we took a dump of the DLLHOST process. We used WinDbg to analyze the memory dump and, much as in the blog entry above, found that many of the threads in our process were waiting. Here’s an example.

[Screenshot: WinDbg output showing waiting threads]

Switching to thread 39 we can see multiple System.Net.HttpWebRequest objects that are used to make our Web Service calls.

[Screenshot: WinDbg, thread 39, System.Net.HttpWebRequest objects]

Looking at one of the HttpWebRequest objects we see something interesting called _ServicePoint. The ServicePoint class provides connection management for HTTP connections.

[Screenshot: WinDbg, HttpWebRequest object showing the _ServicePoint field]

We verified that we were looking at the correct object by checking the _Uri value. It was also interesting to note in the System.Net.HttpWebRequest properties that the _Timeout value of 100000 milliseconds corresponds to the timeout we were seeing during our load testing: after 1 minute 40 seconds the timeout occurs.

[Screenshot: WinDbg, HttpWebRequest _Uri and _Timeout values]

Finally we took a look at the ServicePoint and found that m_ConnectionLimit and m_CurrentConnections were both set to 2 in System.Net.ServicePoint.

[Screenshot: WinDbg, System.Net.ServicePoint connection fields]

Immediately we checked the Machine.Config on the web server and located the connectionManagement section. In it we saw that maxconnection was set to 24 per the best practice (12 * number of processors):

<connectionManagement>
  <add address="*" maxconnection="24"/>
</connectionManagement>

We also tried a simple test, since we were able to reproduce the issue on demand: we ran our VSTS load test and reproduced the problem again. On the web server we used the netstat command to check the number of connections to the web services server and found that only 2 connections were made on port 443. Somehow the connection settings in the machine.config were being ignored and the web server was constrained to 2 total web service connections to our web services server.

Since the maxconnection setting was ignored we needed a way to set the connection limit programmatically in our code. The way to do this is with the System.Net.ServicePointManager class. Here is a sample of how to set the DefaultConnectionLimit in code:

System.Net.ServicePointManager.DefaultConnectionLimit = nn;

//Where nn is the recommended connection value in integer.

Using this class in our .NET wrapper code we set the DefaultConnectionLimit property before any HTTP/HTTPS web service calls are made. After making the code change we retested and the problem was resolved!
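The fix above, worked out as an added example (not the post's own wrapper code): it applies the "12 connections per processor" rule the post cites for maxconnection from code, and reports the limit the ServicePoint actually ends up with, which is what we had to dig out of the dump with WinDbg. The service URI is hypothetical.

```csharp
using System;
using System.Net;

// Added example, not from the original post. Sets the connection limit in code,
// as the post's fix does, and exposes a diagnostic for the effective limit.
public static class WebServiceConnectionLimit
{
    // Hypothetical address of the web services server the wrapper calls.
    static readonly Uri ServiceUri = new Uri("https://webservices.example.internal/Orders.asmx");

    public static int RecommendedLimit()
    {
        // Same rule the post quotes for machine.config: 12 * number of processors.
        return 12 * Environment.ProcessorCount;
    }

    // Call once, before the first HttpWebRequest to the service is created.
    public static void Apply()
    {
        ServicePointManager.DefaultConnectionLimit = RecommendedLimit();

        // A ServicePoint that already exists keeps the limit it was created with,
        // so set it on the ServicePoint for our URI explicitly as well.
        ServicePoint sp = ServicePointManager.FindServicePoint(ServiceUri);
        sp.ConnectionLimit = RecommendedLimit();
    }

    // The same two values the post read from the dump (m_ConnectionLimit and
    // m_CurrentConnections), available at runtime for logging. A limit still at
    // the hard-coded default of 2 means maxconnection is not being honoured.
    public static string Describe()
    {
        ServicePoint sp = ServicePointManager.FindServicePoint(ServiceUri);
        string state = string.Format("ConnectionLimit={0} CurrentConnections={1}",
                                     sp.ConnectionLimit, sp.CurrentConnections);
        if (sp.ConnectionLimit == 2)
            state += " (default of 2 still in effect; maxconnection not applied)";
        return state;
    }
}
```

Logging Describe() from the wrapper during a load test shows the constraint directly, without needing a memory dump.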

NOTE: Special thanks to Tess Ferrandez for the awesome blog mentioned above, Edmund Wong for Windbg help and PSS Developer Support for help with the resolution.

For More information on ServicePointManager see the following: http://msdn2.microsoft.com/en-us/library/system.net.servicepointmanager.defaultconnectionlimit(vs.80).aspx

James Beeson

Performance Technologist

Microsoft – ACE Team

XSSDETECT: Analyzing Large Applications

XSSDetect is a static binary analysis tool. In the first step of analysis it reads target binaries to create a directed graph where nodes represent statements while the edges represent flow of data. This graph can get huge for large applications and users can sometimes run into the “out of memory exception.” Read this blog if you are experiencing this issue and would like to resolve it.

First of all, having lots of RAM and swap space does not help in this particular scenario. In a 32-bit Windows operating system, a process can address only 4GB of memory address space, 2GB of which is used by the kernel. In practice, a process will throw an out of memory exception after having used a little over 1GB because it fails to allocate any more contiguous memory. In the case of XSSDetect, we found two successful ways of overcoming this limitation.

One solution is to analyze the large application on a 64-bit Windows OS. A version of XSSDetect compiled specifically for this platform is also required. The XSSDetect Beta 1.0 that is available on the Internet, however, does not currently support 64-bit processing. Please look for support for analyzing large applications to become available very soon.

The other solution is to choose the target analysis binaries intelligently. When you open a solution, XSSDetect adds all managed binaries built by the solution to the targets list by default. However, a user can choose to run analysis on only one or a few projects at a time. To remove some of the binaries from this list, hit the ‘Target Assemblies’ button in the XSSDetect toolbar and then click the Add/Remove button to go to Advanced Targets Settings.

In the Advanced Targets Settings dialog box, a user can select each target and click ‘Read’ assembly to view the approximate memory required for analysis and also view its dependencies. Using this information a user can decide which projects to analyze in one go. It is important to realize that if data flows from one project assembly to another and the two assemblies are not analyzed together, then vulnerabilities can get missed. Therefore, while it is not necessary to add .NET framework dependencies like mscorlib.dll to the target assemblies list, a user should attempt to select solution projects that reference each other and then keep repeating the process until all binaries have been analyzed.

64-bit machines are still not very common in Microsoft, which is why the last workaround is used extensively by all our application teams. However, if the target assemblies are chosen carefully the results can be as accurate as running the analysis on the entire solution together. XSSDetect's UI is especially designed to make this step easier.

Please keep using this tool and giving us feedback. 

Update: Some details on how XSSDetect does dataflow analysis

Just a brief update: Hassan Khan, one of the lead developers of XSSDetect and part of our ACE Engineering team, has posted some technical details on how XSSDetect uses data flow analysis to do its magic. You can read more about it here. Feel free to leave additional questions and I'm sure he'll follow up with more details in another post soon!

XSSDetect Public Beta now Available!

One of the biggest, constant problems we've seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug.  It's very common and unfortunately, still an issue we have to deal with in many web applications.  Internally, the ACE Team has been working on several projects to help mitigate and fix these issues, as well as detect them in the code bases that we review so that they can be fixed before going live.

XSSDetect runs as a Visual Studio plug-in and can detect potential XSS issues in managed code. 

Here's a screenshot:

[Screenshot: XSSDetect running inside Visual Studio]

While the functionality may seem straightforward, many years of research and hard work have gone into making XSSDetect a reality.  XSSDetect is a stripped down version of our enterprise-ready Code Analysis Tool for .NET code bases (CAT.NET for short).  CAT.NET adds such features as VSTF integration, centralized reporting using web services, customized rulesets and filters, integration with FxCop and MSBuild as well as the ability to run from the command line to integrate with your build processes (or if you're just old school and rock it like that ;)

XSSDetect is currently in beta so we welcome your feedback!  This current version of the beta will expire after 60 days.  To send us your feedback, we encourage you to leave comments below or contact us via the 'Email' link above. 

Click here to DOWNLOAD now!

ASP.NET ValidateRequest does not mitigate XSS completely

From Eugene Siu's blog: http://blogs.msdn.com/esiu/archive/2007/10/19/asp-net-validaterequest-does-not-mitigate-xss-completely.aspx

As a security guy, I can safely say that there is no magic bullet to mitigate any security problems completely, and cross-site scripting (XSS) bugs are not exceptions.  Since ASP.NET 1.1, ValidateRequest can be configured in web.config to check and reject dangerous inputs, and HttpRequestValidationException is thrown before the input is even processed by your code.  For example, <script> would be caught by ValidateRequest.

During my security reviews, I routinely find that many web applications turn on ValidateRequest (It is on by default), and do not follow XSS mitigation techniques, such as output encoding by HTMLEncode or ACE Anti-XSS library.  They believe that ValidateRequest can fix all XSS problems.

However, there are a couple of downsides to relying on ValidateRequest:
1. ValidateRequest may miss some crafty inputs.  Please read MS07-040 for a recent MSRC fix on ValidateRequest.

2. ValidateRequest cannot be turned on in all cases, as characters that trigger XSS may also be needed in valid user scenarios.  For example, AJAX transmits XML blobs between client and server, but ValidateRequest will throw HttpRequestValidationException as it contains "dangerous" characters, such as < and >.  Exchange 2007 OWA cannot run with ValidateRequest turned on. 

In conclusion, ValidateRequest should be turned on if it does not block valid user scenarios.  However, even with ValidateRequest turned on, it MUST not be regarded as a sure-fire way to mitigate XSS.  Please read http://msdn2.microsoft.com/en-us/library/ms998274.aspx for full XSS mitigation.
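The inline expression the XSSDetect FAQ above says it flags, next to the output-encoded form this post recommends, as an added example that is not from either post. It also shows that the encoding has to match the output context (body, attribute, URL), which is exactly what an input filter like ValidateRequest cannot know. The "name" parameter and the page class are hypothetical.

```csharp
using System;
using System.Web;

// Added example, not code from the original posts. Demonstrates why output
// encoding, not ValidateRequest, is the XSS fix: the page chooses the encoder
// for each context in which the untrusted value is written.
public partial class Greeting : System.Web.UI.Page
{
    // Vulnerable form, as flagged by XSSDetect: the query string value is written
    // straight into the HTML body.
    //   <%= Request.QueryString["name"] %>
    //
    // Hardened form of the same inline expression:
    //   <%= HttpUtility.HtmlEncode(Request.QueryString["name"]) %>

    protected void Page_Load(object sender, EventArgs e)
    {
        // Hypothetical parameter; treat it as untrusted regardless of ValidateRequest.
        string name = Request.QueryString["name"] ?? string.Empty;

        // HTML body context: entity-encode < > & " so no markup can be introduced.
        Response.Write("<p>Hello, " + HttpUtility.HtmlEncode(name) + "</p>");

        // Attribute context: always quote the attribute and use the attribute
        // encoder. ValidateRequest looks for markup-like input; it does not know
        // the value will land inside an attribute, so this context needs its own
        // encoding even when the input passed validation.
        Response.Write("<input type=\"text\" name=\"who\" value=\""
                       + HttpUtility.HtmlAttributeEncode(name) + "\" />");

        // URL context: the value is a query string component, so URL-encode it
        // before it is embedded in the href.
        Response.Write("<a href=\"/profile.aspx?user=" + HttpUtility.UrlEncode(name)
                       + "\">Profile</a>");
    }
}
```

Keep ValidateRequest on where it does not break valid input, as the post says, but treat it as defence in depth; the encoders above are the control that actually closes the bug.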

Is Microsoft Office Isolated Conversion Environment(MOICE) mocha on ice?

From Eugene Siu's blog: http://blogs.msdn.com/esiu/archive/2007/10/19/is-microsoft-office-isolated-conversion-environment-moice-mocha-on-ice.aspx

MOICE may sound like mocha on ice, but it is really a strong dark espresso shot offered by the Office TWC team to jolt up security.  Microsoft Office Isolated Conversion Environment (MOICE) is a new security tool that helps protect Office users from malicious documents. The Office team strives to enhance their security, and MOICE is further evidence that they are committed to security.

MOICE converts Office 2003 documents of supported types to Office 2007 XML formats (Metro) in an isolated environment.  Granted that the same conversion engine is used in the Microsoft Office Compatibility Pack, how does running in an isolated environment enhance security?

Think of wearing pads and helmets while playing American football.  It is the nature of American football that players will get hit hard.  Wearing pads and helmets does not change the nature of American football, but it does lessen the chance of inflicting serious injuries on players.

The same principle applies to MOICE.  MOICE does not alter the fact that malicious documents are out there to exploit vulnerable machines.  MOICE is like a pad and a helmet to reduce the chance of Office software being exploited.  Exploitation may still happen, but the isolated environment provided by MOICE reduces the possible damage inflicted by the malicious documents.

In addition, applying MOICE is as simple as putting on a pad and a helmet.  MOICE can be installed as a recommended update via Microsoft Update, and execution of ASSOC replaces regular rendering with MOICE.  For more information, please visit http://support.microsoft.com/kb/935865.

Last but not least, MOICE is not a replacement of properly patching your machines.  Now, go patch your machines, enjoy a cup of MOICE and most importantly, don't click on suspicious Office documents via emails.

Given enough eyeballs all bugs are shallow: True or False?

From Eugene Siu's blog: http://blogs.msdn.com/esiu/archive/2007/10/11/given-enough-eyeballs-all-bugs-are-shallow-true-or-false.aspx

"Given enough eyeballs all bugs are shallow."  I do agree if more right-minded folks look at a piece of code, it would help identify both security and non-security bugs.  This premise is built on the assumption that all reviewers have the best intentions in mind.  However, do all people have the best intentions in mind?  If all do, we will not need law enforcement officials.

Obviously there will be some malicious and devious "eyeballs" out there.  Rather than identifying bugs, they plant bugs in open source software.  This attack is named "Cross-Build Injection".  Fortify just published an article with reported incidents related to OpenSSH, SendMail and IRSSI.  Check out http://www.fortifysoftware.com/servlet/downloads/public/fortify_attacking_the_build.pdf.
