Hi everyone, if you’re headed to RSA next week be sure to check out these sessions featuring SDL team members:
Wednesday, March 3, 9:10 AM
Katie Moussouris and Bryan Sullivan
(A preview of this session is available as a podcast at https://365.rsaconference.com/blogs/podcast-series-rsa-conference-2010/2010/02/19/and-202-microsoft-sdl-tools-automating-the-security-development-lifecycle-pk-session.)
David Ladd, Eric Baize (EMC), Gary McGraw (Cigital), Richard Pethia (Carnegie Mellon University)
Wednesday, March 3, 10:40 AM
Katie Moussouris, Martin McKeay (Network Security Blog), Brad Arkin (Adobe Systems), Tim Stanley (Continental Airlines), Steve Dispensa (PhoneFactor), Michael Barrett (PayPal), HD Moore (The Metasploit Project)
(A preview of Katie Moussouris speaking on the topic of Responsible Disclosure can be found at https://admin.secure.streamos.com/streamos/player/flv/?url=http://rsa.edgeboss.net/flash/rsa/rsaconference/2010/us/podcasts/rsac_02-03-10-hot-203-moussouris.mp3.)
Thursday, March 4, 1:00 PM
Adam Shostack and Danny Dhillon (EMC)
Hi everyone, Bryan here. We’ve written here before about Casaba Security’s Watcher tool and how it can help you verify compliance with several of the SDL web application security requirements, such as:
· User controlled open redirects
· Insecure domain references in Silverlight client access policy files
· Use of the JavaScript eval method
· More…
I’m excited to report that Casaba has just released Watcher v1.3.0, which adds even more useful checks and integrates with the SDL and MSF-A+SDL process templates. In addition, it can tell you which of its checks map to SDL requirements.
Watcher is available for free download on Codeplex, and Katie will be demonstrating Watcher during our presentation at RSA next week (AND-202: Microsoft SDL Tools: Automating the Security Development Lifecycle).
Hi, Michael here,
As you might be aware, a collaboration of industry experts and academics worked together on the CWE/SANS Top 25 Most Dangerous Programming Errors for a second year to define and describe the most significant programming errors that can lead to some of the most serious software vulnerabilities. As we did last year, Microsoft was involved in helping define the CWE/SANS Top 25 for 2010.
As the process to define the Top 25 started to draw to a close and the draft top 40 candidates were selected to be whittled down to 25, we decided, as we did in 2009, to see how the SDL processes and tasks map to the Top 25.
As we expected, the SDL maps very nicely to the 2010 Top 25, just as it did in 2009. Every one of the Top 25 is covered by one or more SDL requirements, and most of them are also covered by an automated SDL verification tool or secure coding library. Even CWE 98, "PHP File Inclusion," is covered by the SDL in our required security training classes, which is especially remarkable when you consider that virtually no PHP code is written at Microsoft!
The reason that we address issues like PHP file inclusion in the SDL is that we don't simply wait for new vulnerability taxonomies to be released and then rush to add mitigations to our security processes; rather, we structure the SDL to provide developers with fundamentally sound, secure programming practices. As a result, we cover not just the known vulnerabilities of today (like the Top 25) but also many of the unknown vulnerabilities that will be discovered tomorrow. The fact that all of the Top 25 are addressed by the SDL is a great validation, but it is the result of the content of our process and not the cause.
CWE | Title | Education | Manual Process | Library, tool or code gen Fix? | Threat Model
120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Y | | |
129 | Improper Validation of Array Index | | | |
131 | Incorrect Calculation of Buffer Size | | | |
805 | Buffer Access with Incorrect Length Value | | | |
209 | Information Exposure Through an Error Message | | | |
754 | Improper Check for Exceptional Conditions | | | |
22 | Path Traversal | | | |
98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | | | |
434 | Unrestricted File Upload | | | |
770 | Allocation of Resources Without Limits or Throttling | | | |
78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') | | | |
79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') | | | |
89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') | | | |
352 | Cross-Site Request Forgery (CSRF) | | | |
362 | Race Condition | | | |
494 | Download of Code Without Integrity Check | | | |
601 | URL Redirection to Untrusted Site ('Open Redirect') | | | |
190 | Integer Overflow or Wraparound | | | |
807 | Reliance on Untrusted Inputs in a Security Decision | | | |
285 | Improper Access Control (Authorization) | | | |
306 | Missing Authentication for Critical Function | | | |
311 | Missing Encryption of Sensitive Data | | | |
327 | Use of a Broken or Risky Cryptographic Algorithm | | | |
732 | Incorrect Permission Assignment for Critical Resource | | | |
798 | Use of Hard-coded Credentials | | | |
A year ago, I wrote a short post about us banning memcpy in the SDL for new code. Well, I’m happy to announce that in VC++ 2010, we have made it much easier to remove potentially insecure calls to memcpy and replace them with more secure calls to memcpy_s; it’s automagic, just like we did for other banned functions!
As I said in a previous post, I am a huge fan of adding defenses to code automatically, and making such changes as easy as possible for software engineers, and this auto-migration is a great example.
In short, if your code has a call to memcpy, and the compiler can determine the destination buffer size at compile time, the compiler will replace the call to memcpy with a call to memcpy_s.
For example, if you compile the code below with:
cl /D_CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES_MEMORY=1 foo.cpp
    #include <memory.h>
    #include <stdlib.h>   // _countof

    int main() {
        // Source buffer: 100 ints, filled with a recognizable byte pattern.
        int src[100];
        const size_t src_size = _countof(src) * sizeof(int);
        memset(src, 12, src_size);

        // Destination array of the same element count; its size is a compile-time constant,
        // so the compiler can route this memcpy to memcpy_s with the correct destination size.
        const size_t dst_size_int = _countof(src);
        int dst[dst_size_int];
        memcpy(dst, src, src_size);
        return 0;
    }
You’ll see that the calls to memcpy are replaced with memcpy_s courtesy of this code in memory.h:
    #if defined(__cplusplus) && _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES_MEMORY
    extern "C++" {
    #ifndef _CRT_ENABLE_IF_DEFINED
    #define _CRT_ENABLE_IF_DEFINED
    // Minimal enable_if: the overload below only participates when _Size > 1.
    template<bool _Enable, typename _Ty>
    struct _CrtEnableIf;
    template<typename _Ty>
    struct _CrtEnableIf<true, _Ty>
    {
        typedef _Ty _Type;
    };
    #endif
    // Template overload of memcpy for destinations declared as arrays: _Size is deduced
    // from the array type, so the destination's byte capacity is known at compile time.
    template <size_t _Size, typename _DstType>
    inline
    typename _CrtEnableIf<(_Size > 1), void *>::_Type __cdecl memcpy(_DstType (&_Dst)[_Size], _In_opt_bytecount_(_SrcSize) const void *_Src, _In_ size_t _SrcSize) _CRT_SECURE_CPP_NOTHROW
    {
        return memcpy_s(_Dst, _Size * sizeof(_DstType), _Src, _SrcSize) == 0 ? _Dst : 0;
    }
    }
    #endif
Note that for this to work, you must define a preprocessor macro:
_CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES_MEMORY = 1
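To show the mechanism outside the VC++ CRT headers, here is a portable re-creation of the same array-size-deducing overload (an added example, not code from the post or from memory.h; checked_memcpy and checked_memcpy_s are hypothetical names standing in for memcpy and memcpy_s). It also shows the case the migration cannot help with: a destination held only as a pointer, where no size is recoverable and the copy stays unchecked.

```cpp
#include <cstddef>
#include <cstring>
#include <type_traits>

// Portable stand-in for memcpy_s (hypothetical name): returns 0 on success; on a
// size violation it zeroes the destination and returns a non-zero error code.
inline int checked_memcpy_s(void* dst, std::size_t dst_size,
                            const void* src, std::size_t count) {
    if (dst == nullptr) return 22;              // nothing we can safely clear
    if (src == nullptr || count > dst_size) {   // the copy would overflow: refuse
        std::memset(dst, 0, dst_size);
        return 22;
    }
    std::memcpy(dst, src, count);
    return 0;
}

// Plain-pointer destination: the buffer size cannot be recovered from the type,
// so this overload is an ordinary unchecked copy (the case the compiler cannot fix).
inline void* checked_memcpy(void* dst, const void* src, std::size_t count) {
    return std::memcpy(dst, src, count);
}

// Array-reference overload mirroring the memory.h template: Size is deduced from
// the declared destination array, so the byte capacity is known at compile time.
// An array argument binds here as an exact match, while the pointer overload needs
// an array-to-pointer plus pointer conversion, so this template wins resolution.
template <std::size_t Size, typename DstType>
inline typename std::enable_if<(Size > 1), void*>::type
checked_memcpy(DstType (&dst)[Size], const void* src, std::size_t count) {
    return checked_memcpy_s(dst, Size * sizeof(DstType), src, count) == 0
               ? static_cast<void*>(dst) : nullptr;
}

// Demonstrations on constructed inputs.
bool copy_that_fits_succeeds() {
    int src[4] = {1, 2, 3, 4};
    int dst[4] = {0, 0, 0, 0};
    return checked_memcpy(dst, src, sizeof src) == dst && dst[3] == 4;
}

bool oversized_copy_is_rejected() {
    int src[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    int dst[4] = {9, 9, 9, 9};
    // 32 bytes into a 16-byte array: the checked path refuses and clears dst.
    return checked_memcpy(dst, src, sizeof src) == nullptr && dst[0] == 0 && dst[3] == 0;
}
```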
This is another great example of why migrating your C++ code to Visual C++ 2010 can help improve the security of the code with virtually no engineering effort.
(Big thanks to the C++ folks over in the Developer Division for getting this work done in time for VC++ 2010.)
- Michael
The SDL pond may have seemed quiet over the holidays, but we have three new announcements we hope will make ripples for developers and organizations who want to adopt the SDL. We are announcing three new releases at the Black Hat conference in Washington DC today:
1. a new white paper: Simplified Implementation of the Microsoft SDL
2. a new program: SDL Pro Network Tools category and new members
3. a new tool: MSF for Agile Software Development + SDL Process Template for VSTS 2008
Simplified SDL whitepaper
First up is the release of the Simplified Implementation of the Microsoft SDL white paper. One of the common misconceptions about the Microsoft SDL is that you have to be an organization the size of Microsoft in order to be able to implement it. Another misconception is that the SDL is only appropriate for Microsoft languages and Microsoft platforms, and that you need to use some other methodology if you’re writing code with Ruby for OS X. The Simplified SDL white paper helps address these misconceptions by explaining how the SDL can be implemented with limited resources and applied to any platform. By outlining a minimum threshold that stays true to the core attributes of the SDL, this paper provides a practical model for building an effective security development lifecycle in any organization.
SDL Pro Network Security Tools category and new members
Our second announcement is the expansion of the SDL Pro Network to include a new category of membership, Tools, which will complement the existing Consulting and Training categories. Tools member organizations are able to deploy security tools such as static analysis tools, fuzzers, or dynamic and binary analysis tools. Security tooling is a critical piece of the SDL and we’re excited to have this new Pro Network category to help organizations use their tools and their time more effectively.
We’re also announcing an expansion of the Pro Network to include seven new members:
· Fortify (Tool Member)
· Veracode (Tool Member)
· Codenomicon (Tool Member)
· Booz-Allen Hamilton (Consulting Member)
· Casaba Security (Consulting Member)
· Consult2Comply (Consulting Member)
· Safelight Security Advisors (Training Member)
We welcome our new members and hope you will consider them or our other Pro Network members for your security training, consulting, and tooling needs.
MSF for Agile + SDL Process Template
Last, but not least, we’re releasing the first public beta of the new MSF for Agile Software Development plus SDL Process Template for VSTS 2008, or “MSF-A+SDL” for short. Like the SDL Process Template we released last year, this template helps teams to integrate secure development processes directly into their Visual Studio Team System development environment. However, the MSF-A+SDL template is based on the new SDL-Agile process. MSF-A+SDL also has some completely new features from our previous SDL Process Template offering:
· Automatic generation of SDL task work items for new iterations. Given that Agile projects can live forever (as in the case of web applications or cloud services with no defined “end date”), these projects need to periodically re-complete SDL requirements as defined in the SDL-Agile process. The MSF-A+SDL template accomplishes this by creating new security tasks for the project whenever a user adds a new iteration.
· Automatic generation of SDL task work items for new code. Whenever new Visual Studio projects or web sites are checked into an MSF-A+SDL project’s source control repository, the template will generate new SDL requirements appropriate to that project. For example, if the user creates a new C# web site, the template will add requirements such as disabling ASP.NET tracing, and applying the AntiXss library.
· Much more, which we’ll be posting about here soon
If you’re attending Black Hat this week and would like to see MSF-A+SDL in person, come to Bryan’s talk “Agile Security; or, How to Defend Applications with Five-Day-Long Release Cycles” on Wednesday February 3 at 1:45.
Just in case you missed them inline, here are some handy links:
SDL Pro Network page
Simplified Implementation of the Microsoft SDL white paper
MSF for Agile Software Development plus SDL Process Template for VSTS 2008 free download