-
Presentation: Problems you’ll face when building a software security program
A video for a talk I gave at LASCON last year made it online that some folks may find interesting. I rarely give public talks, but felt this information would have been useful to learn earlier in my career. Basically it goes through problems I've had to deal with building out appsec programs at companies…
-
Google’s intentions are good, but implementation leaves MORE users vulnerable to hacking than before
In 2010 I wrote an article about a flaw Google discovered, and published working exploit code when no fix or mitigation existed. This allowed attackers to immediately start using the flaw to hack Google's own users (in this case, the world). Since then Google has announced a new program 'Project Zero' which from the project…
-
My experience with developer security training
I've been busy this past year which has resulted in almost no updates to this site. Consider this one of many rants/posts on my experiences in the industry during this time. This post covers a topic I think many people implement poorly, which is security training targeting developers. How most people implement developer focused…
-
Poll: How do you rank the importance of a vulnerability?
I've added a new poll to the WASC LinkedIn group that a few of you may be interested in. Specifically asking how people rank the importance of vulnerabilities. Poll Link: http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840
-
Five pieces of advice for those new to the infosec industry
I've worked in the security field in various roles (script kiddie, security researcher, incident response, application security engineer, security consultant, strategy, etc.) and thought I'd share a few points with those of you starting out in the security industry. Things are worse than you expect. The reality is that companies, even large ones, are…
-
WASC Announcement: ‘Static Analysis Tool Evaluation Criteria’ Call For Participants
I sent the following out to The Web Security Mailing List (which I moderate) announcing a new WASC Project. "The Web Application Security Consortium is pleased to announce a new project "Static Analysis Tool Evaluation Criteria (SATEC)". Currently WASC is seeking volunteers from various sections of the community including security researchers, academics, vendors, software developers…
-
NIST publishes 50kish vulnerable code samples in Java/C/C++, is officially krad
NIST has published a fantastic project (it's been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and C/C++. From the README: "This archive contains test cases intended for use by organizations and individuals that wish to…
-
Tracking and understanding security related defects: Useful data points for shaping your SDLC program
In addition to CGISecurity, I also run a website called QASEC.com where I post SDLC related content. I've just published a lightweight article discussing tips and tricks for tracking software level vulnerabilities in larger organizations. Abstract: "If you work in infosec for a large organization it can be difficult to easily track the state of every…
-
CGISecurity.com Turns 10!: A short appsec history of the last decade
Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web related vulns and attacks. When I first started this site I…
-
Announcement: WASC Threat Classification v2 is Out!
I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is pleased to announce…
-
Adobe on Fuzzing Adobe Reader For Security Defects
Adobe has published an entry on their blog outlining how fuzzing plays a part in discovering security issues in their product prior to launching it. It's good to see a company such as Adobe publishing this information, as it's one of those things that is discussed frequently by the security community, however is rarely discussed…
-
Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC
Microsoft has published a paper on its ASP.NET MVC framework, how to use it, and how utilization of an SDL eliminates the potential to introduce vulnerabilities such as XSRF. From the paper "On the Microsoft platform, most Web applications are based on ASP.NET and the Microsoft®.NET Framework. ASP.NET MVC is a new framework based on…
-
Microsoft publishes BinScope and MiniFuzz
From the download pages. BinScope: "BinScope is a Microsoft verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, up-to-date build tools are in place,…
-
Static Analysis Tools and the SDL (Part Two)
"Hi, Bryan here. Michael wrote last week on static analysis for native C/C++ code, and this week I’ll be following up by covering the tools we use for managed static analysis. The SDL requires teams writing managed code to use two static analysis tools: FxCop and CAT.NET. Both of these tools are freely available to…
-
Static Analysis Tools and the SDL (Part One)
"This is part one of a two part series of posts by myself and Bryan Sullivan; I will cover the static analysis tools we use at Microsoft (and make available publicly) for analyzing unmanaged (i.e. native) C and C++ code, and Bryan will cover managed code static analysis in a later post. I’m a huge…
-
Article: The Problem of “Too Many Problems”
Rafal has a good post on the challenges security/SDL folks have when presenting their findings to business folks. "The presentation the next day kicked off as expected… we presented our executive summary, the methodology of our product validation and moved on to the specific findings. In this case, since there was so much wrong…
-
Article: ‘Setting the appropriate security defect handling expectations in development and QA’
I have just published the following article on handling application security defects (vulnerabilities) in development and QA. "If you've worked in information security you've likely had to report a security defect to development in an effort to remediate the issue. Depending on your organization and its culture this can be a rather difficult task. As…
-
PayPal Software Security Podcast
Gary McGraw posted the following to the secure coding mailing list today. "Episode 6 of the Reality Check security podcast features our own Andy Steingruebl chatting with me about Paypal's software security initiative. This was a fun episode for me, because though I have known Andy for a while I had little insight into his…
-
Microsoft bans Memcpy() in their SDL program
"Memcpy() and brethren, your days are numbered. At least in development shops that aspire to secure coding. Microsoft plans to formally banish the popular programming function that's been responsible for an untold number of security vulnerabilities over the years, not just in Windows but in countless other applications based on the C language. Effective later…
-
Building Security In Maturity Model is online
"The Building Security In Maturity Model (BSIMM) described on this website is designed to help you understand and plan a software security initiative. BSIMM was created through a process of understanding and analyzing real-world data from nine leading software security initiatives. Though particular methodologies differ (think OWASP CLASP, Microsoft SDL, or the Cigital Touchpoints), many…
-
Application Security Vendors Need Help With Reporting
I've been reading web application vulnerability reports from tools and services for 6-7 years and found that 99% of these reports are geared towards security engineers or system administrators. Many of the reports I see focus on: the type of flaw and what its impact is; the URL affected; links to references and additional…
-
The security industry needs to re-align its training expectations for QA
I've been involved in the security community for over 10 years and have worked for small, medium, and large companies. I have also worked in Quality Assurance and base my comments here on my experiences being a QA tester, and on speaking with them as an outsider. I've seen advice in articles and conferences discussing the need…
-
Microsoft’s SDL and the CWE/SANS Top 25
"Bryan here. The security community has been buzzing since SANS and MITRE’s joint announcement earlier this month of their list of the Top 25 Most Dangerous Programming Errors. Now, I don’t want to get into a debate in this blog about whether this new list will become the new de facto standard for analyzing security…
-
OWASP interviews Gary McGraw
Gary posted the following to the SC-L list today. "hi sc-l, OWASP just posted an interview with me as part of their budding podcast series. It's nice to have the tables turned after doing all the Silver Bullet (and Reality Check) interviews! It's also nice to be able to answer some of the questions that…
-
Security metrics on flaws detected during architectural review?
I recently attended a private event where there was a talk on security metrics. Security metrics can be used to determine if action x is reducing risk y. Software security metrics typically involve counting the number of defects discovered over time to see if things are getting better. Most of these metrics involve issues discovered…