OWASP Spain Barcelona 2014

Similar documents

AppSecUSA New York City 2013

Ivan Medvedev Principal Security Development Lead Microsoft Corporation

Bypassing Memory Protections: The Future of Exploitation

BLACK HAT ASIA Singapore, March 2014

The Security Development Lifecycle. OWASP 24 June The OWASP Foundation

Bypassing Browser Memory Protections in Windows Vista

Why should I care about PDF application security?

Turn the Page: Why now is the time to migrate off Windows Server 2003

The SDL Progress Report. Progress reducing software vulnerabilities and developing threat mitigations at Microsoft

Creating a More Secure Device with Windows Embedded Compact 7. Douglas Boling Boling Consulting Inc.

Payment Card Industry (PCI) Terminal Software Security. Best Practices

Modern Binary Exploitation Course Syllabus

Software Development: The Next Security Frontier

90% of data breaches are caused by software vulnerabilities.

Enterprise Application Security Program

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

SAFECode Security Development Lifecycle (SDL)

Security & Exploitation

Adobe Flash Player and Adobe AIR security

WHITEPAPER. Nessus Exploit Integration

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

CCA CYBER SECURITY TRACK

The Hacker Strategy. Dave Aitel Security Research

Application Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

CPA SECURITY CHARACTERISTIC SECURE VOIP CLIENT

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows

Building & Measuring Security in Web Applications. Fabio Cerullo Cycubix Limited 30 May Belfast

Software Vulnerability Exploitation Trends. Exploring the impact of software mitigations on patterns of vulnerability exploitation

Computer Security: Principles and Practice

Complete Patch Management

Smartphone Apps Are Not That Smart: Insecure Development Practices

Developing Secure Software in the Age of Advanced Persistent Threats

Custom Penetration Testing

Telecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT

CPA SECURITY CHARACTERISTIC ENTERPRISE MANAGEMENT OF DATA AT REST ENCRYPTION

Enterprise Application Security Workshop Series

Vulnerability Intelligence & 3 rd party patch management

EMET 4.0 PKI MITIGATION. Neil Sikka DefCon 21

CPA SECURITY CHARACTERISTIC MIKEY-SAKKE SECURE VOIP GATEWAY

Medical Device Security Health Group Digital Output

ensuring security the way how we do it

Session ID: Session Classification:

Secure Development LifeCycles (SDLC)

STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington October 21, 2013

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Effects of Memory Randomization, Sanitization and Page Cache on Memory Deduplication

Cyber R &D Research Roundtable

Background. How much does EMET cost? What is the license fee? EMET is freely available from Microsoft without material cost.

What is Web Security? Motivation

Web Application Security

OPEN SOURCE SECURITY

SecureNinja. SecureNinja. The CyberSecurity Experts

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Standard: Web Application Development

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Securing Secure Browsers

WebGoat for testing your Application Security tools

Testing Control Systems

Developing A Successful Patch Management Process

Security Testing in Critical Systems

Red Hat. By Karl Wirth

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Creating Dynamics User Model Dynamic Linked Library (DLL) for Various PSS E Versions

UNCLASSIFIED CPA SECURITY CHARACTERISTIC WEB APPLICATION FIREWALLS. Version 1.3. Crown Copyright 2011 All Rights Reserved

DEVELOPING SECURE SOFTWARE

ClearSkies SIEM Security-as-a-Service (SecaaS) Infocom Security Athens April 2014

Vulnerability Management in Software: Before Patch Tuesday KYMBERLEE PRICE BUGCROWD

Computer Security. Principles and Practice. Second Edition. Amp Kumar Bhattacharjee. Lawrie Brown. Mick Bauer. William Stailings

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Practical Applications of Software Security Model Chris Nagel

OSMOSIS. Open Source Monitoring Security Issues HACKITO ERGO SUM 2014 / April 2014 / Paris

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.

Guidance Regarding Skype and Other P2P VoIP Solutions

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

The Epic Turla Operation: Information on Command and Control Server infrastructure

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak Medical Image Manager (MIM) Version 6.1.

Microsoft SDL: Agile Development

NSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense

PE Explorer. Heaventools. Malware Code Analysis Made Easy

Reverse Engineering and Computer Security

Developing secure software A practical approach

Java-Web-Security Anti-Patterns

External Supplier Control Requirements

Top Signs You re Prime for a Data Breach in 2014

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

NERC CIP Ports & Services. Part 2: Complying With NERC CIP Documentation Requirements

Code Signing for Source Code

Application Security Policy

Application Security Testing How to find software vulnerabilities before you ship or procure code

Hotpatching and the Rise of Third-Party Patches

Security Testing and Vulnerability Management Process. e-governance

PCI-DSS Penetration Testing

CDM Software Asset Management (SWAM) Capability

Application Security and the SDLC. Dan Cornell Denim Group, Ltd.

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

How to Build a Trusted Application. John Dickson, CISSP

Transcription:

OWASP Spain Barcelona 2014

ME & VULNEX Simon Roses Femerling Founder & CEO, VULNEX www.vulnex.com @simonroses @vulnexsl Former Microsoft, PwC, @Stake Black Hat, RSA, OWASP, SOURCE, AppSec, DeepSec, TECHNET, HITB CISSP, CSSLP & CEH VULNEX CyberSecurity Startup Services & Training Product development: BinSecSweeper and Computer Forensics Solution http://www.simonroses.com/es/2014/06/mi-visita-al-pentagono/

TALK OBJECTIVES Secure development Verification technologies Assess software security posture

AGENDA 1. Secure Development: Verification 2. BinSecSweeper 3. Case Studies 4. Conclusions

1. SOFTWARE == HOUSE

1. SECURE DEVELOPMENT: VERIFICATION MS SDL This phase involves a comprehensive effort to ensure that the code meets the security and privacy tenets established in the previous phases. Software Assurance Maturity Model (SAMM) Verification is focused on the processes and activities related to how an organization checks and tests artifacts produced throughout software development. This typically includes quality assurance work such as testing, but it can also include other review and evaluation activities.

1. OPENSAMM

1. MICROSOFT SDL

1. IT S ABOUT SAVING MONEY!

1. OTHER VERIFICATION TOOLS Microsoft BinScope http://www.microsoft.com/enus/download/details.aspx?id=11910 RECX Binary Assurance for Windows http://www.recx.co.uk/products/exeaudit.p hp ErrataSec Looking Glass http://blog.erratasec.com/search/label/look ingglass#.uodwxj2dn9a

1. BINSCOPE

1. CURRENT VERIFICATION TOOLS Platform specific Windows: BinScope, Looking Glass & Binary Assurance Linux: checksec.sh and custom scripts Limited set of checks Check for defenses but what about: Compiler used External libs used Malware You name it Not easy to extend

1. BINARY INTELLIGENCE File Information Size Hash Timestamp Strings Compiler Name Version Security Mitigations DEP ASLR Stack Cookies Vulnerabilities Unsafe API Weak Crypto Backdoors

2. WHY BINSECSWEEPER? BinSecSweeper is VULNEX binary security verification tool to ensure applications have been built in compliance with Application Assurance best practices The goal for BinSecSweeper is a tool: Developers can use to verify their output binaries are safe after compilation and before releasing their products IT security pros to scan their infrastructure to identify binaries with weak security defenses or vulnerabilities. BinSecSweeper is a cross platform tool (works on Windows and Linux) and can scan different file formats: PE and ELF.

BINSECSWEEPER FEATURES 100% in Python Easy to use Cross-platform: works on Windows & Linux Scans Windows (PE) and Unix (ELF) files for security checks Analysis Engine Extensible by plugins Visualizations Reporting Perform mass binary scanning Configurable Supported files: exe, dll, sys, msi, so, a, scr, cpl, ocx, dry

2. BINSECSWEEPER IN ACTION (I)

2. BINSECSWEEPER IN ACTION (II)

2. BINSECSWEEPER IN ACTION (III)

2. CURRENT WINDOWS CHECKS CHECK DESCRIPTION Address space layout randomization (ASLR) Stack Cookies (GS) HotPatch Compatible with Data Execution Prevention (NXCOMPAT) Structured Exception Handling (SEH) Abobe Malware Classifier Visual Studio Compiler Fingerprinting Packer Checks if binary has opted the ASLR. Link with /DYNAMICBASE Verifies if binary was compiled with Stack Cookies protection. Compile with /GS Checks if binary is prepared for hot patching. Compile with /hotpatch Validates if binary has opted hardware Data Execution Prevention (DEP). Link with /NXCOMPAT Checks if binary was linked with SafeSEH. Link with /SAFESEH Analyzes binary for malware behavior using machine learning algorithms Identifies if binary was compiled with Visual Studio and version (2008, 2010 & 2012) Checks if binary has been packed Insecure API Check if binary uses banned API VM Detection Check if binaries contains VM detection code

2. CURRENT LINUX CHECKS CHECK Fortify Source Never execute (NX) Position Independent Code (PIE) RELocation Read-Only (RELRO) Stack Canary DESCRIPTION Checks if binary was compiled with buffer overflow protection (bounds checking). Compile with D_FORTIFY_SOURCE=X Verifies if binary was compiled with NX to reduce the area an attacker can use to perform arbitrary code execution. Checks if binary was compiled with PIE to protects against "return-to-text" and generally frustrates memory corruption attacks. Compile with fpie -pie Validates if binary was compiled with RELRO (partial/full) to harden data sections. Compile with z,relro,-z,now Checks if binary was compiled with stack protector to protect against stack overflows. Compile with fstackprotector

2. PLUGIN EXAMPLE: WINDOWS ASLR

2. PLUGIN EXAMPLE: LINUX FORTIFY_SOURCE

2. BINSECSWEEPER: WHERE? Sorry, not yet available! Download BinSecSweeper software from http://www.vulnex.com/en/binsecsweeper.html

BINSECSWEEPER USE CASES Developers Verify product complies with Software Assurance policies before releasing IT Pros Can assess software in systems for the security posture InfoSec & Researchers Perform file forensics & analyze malware

3. TIME FOR SOME ACTION Case Study I: Verify your own software Case Study II: Software Security Posture, ACME inc Case Study III: Misc.

3. CASE STUDY I: VERIFY YOUR OWN SOFTWARE Is your in-house software following a secure development framework? Is your software being checked for: 1. Compiled with a modern compiler? 2. Security defenses enabled for Windows or Linux? 3. No malware included in product? 4. Using external libraries (DLL, etc.) and what is their security?

3. CASE STUDY I: VERIFY YOUR OWN SOFTWARE BinSecSweeper can verify that product (used by development teams): What Visual Studio version has been used? (Windows Only) (MS SDL) What defenses have been enabled?: Windows Stack Cookies ASLR DEP SAFESEH HotPacthing Linux Stack Canary NX Fortify Source PIE RELRO Will audit all files in the project? Program security posture: will it Pass / Fail?

3. CASE STUDY II: SOFTWARE SECURITY POSTURE, AMCE INC Do IT know the security posture of all software? You can assess your vendors Now you know where EMET is needed!

3. CASE STUDY II: SOFTWARE SECURITY POSTURE, AMCE INC VLC SKYPE itunes Dropbox

3. CASE STUDY III: ARE YOU COMPILING YOUR APP WITH ZLIB.DLL? 33

3. CASE STUDY III: ARE YOUR 3 RD PARTY COMPONENTS IMPROVING? Python 2.7 -> sqlite3.dll Python 3.3 -> sqlite3.dll 34

3. CASE STUDY III: A DLL INSIDE A WELL-KNOWN SOFTWARE 35

3. CASE STUDY III: THE MOST COMMON WORD INSIDE A MICROSOFT BINARY? 36

4. VERIFYING SOFTWARE SECURITY POSTURE MATTERS! Binaries contain a lot of information! The security posture of the software developed by you is important: Security improves Quality Branding (show you care about security) How is the security posture of software vendors you use?

4. Q&A Thanks! B @BinSecSweeper @simonroses @vulnexsl www.vulnex.com