SlideShare uma empresa Scribd logo

nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

Transferir como PPT, PDF
n|u - The Open Security Community
n|u - The Open Security Community

nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym by Cassio Goldschmidt

Tecnologia
1 de 31
Tracking the Progress of an SDL Program - Cassio Goldschmidt nullcon Goa 2010 http://nullcon.net
Who am I? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Typical Project Lifecycle
 
Exercise type: CWE
Number of Reps: Number of Findings
Exercise Intensity: CVSS
 
nullcon Goa 2010 http://nullcon.net Common Weakness Enumeration
Common Weakness Enumeration What is it? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Common Weakness Enumeration Portion of CWE structure
What data is available for each CWE? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Link to CWE Page on XSS
How useful is this information? Pie Chart showing the frequency of CWEs found in penetration tests
nullcon Goa 2010 http://nullcon.net Common Vulnerability Scoring System
Common Vulnerability Scoring System What is it? 0.0...3.9 4.0...6.9 7.0...10
Common Vulnerability Scoring System BASE Vector ,[object Object],[object Object],[object Object],Exploitability Impact Access Vector Access Complexity Authenti… Network High None Adjacent Network Medium Single Instance Local Low Mult. Instances Undefined Undefined Undefined Confident… Integrity Avail. None None None Partial Partial Partial Complete Complete Complete Undefined Undefined Undefined
Common Vulnerability Scoring System (CVSS) The Calculator
nullcon Goa 2010 http://nullcon.net Hands on Demo
CWE and CVSS use in Practice Code Review v oid CHTMLEngine::SetPost(CBufferedInput& buf, unsigned int length,string& multipart) { m_post= true ; if (length <= 0) return ; char * pData = new char[length+1 ]; memset(pData,0,length+1); // Read the POSTed data into a buffer int totalBytesRead = 0; int bytesRead = 0; while ( length-totalBytesRead > 0 ) { bytesRead = buf.Read(pData+totalBytesRead, length - totalBytesRead); if ( bytesRead == -1 ) { DTRACE(1, “ EOF error reading POSTed data.&quot; ); break ; } totalBytesRead += bytesRead; } m_post_data = pData; m_mp_boundary = multipart; delete [] pData; } What if I make length = -1? new char[0] calls malloc(0) which succeeds! Next, attacker-controlled data either overflows heap or crashes Doesn’t quite work – length is unsigned
CWE and CVSS use in Practice Code Review v oid CHTMLEngine::SetPost(CBufferedInput& buf, unsigned int length,string& multipart) { m_post= true ; if (length <= 0) return ; char * pData = new char [length+1]; memset(pData,0,length+1); // Read the POSTed data into a buffer int totalBytesRead = 0; int bytesRead = 0; while ( length-totalBytesRead > 0 ) { bytesRead = buf.Read(pData+totalBytesRead, length - totalBytesRead); if ( bytesRead == -1 ) { DTRACE(1, “ EOF error reading POSTed data.&quot; ); break ; } totalBytesRead += bytesRead; } m_post_data = pData; m_mp_boundary = multipart; delete [] pData; } Buffer Overflow CWE: 119 CVSS 2: 7.6 CVSS 2 Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
nullcon Goa 2010 http://nullcon.net Training and Metrics
Training and Metrics A special activity in the SDL ,[object Object],[object Object],[object Object],[object Object]
Training and Metrics Security Learning Process
Training and Metrics Security Learning Process ,[object Object],[object Object],[object Object],[object Object],[object Object]
Training and Metrics Security Learning Process ,[object Object],[object Object],[object Object],[object Object]
Training and Metrics Security Learning Process ,[object Object],[object Object],[object Object],[object Object]
Training and Metrics Security Learning Process ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Training and Metrics Security awareness is more than training
nullcon Goa 2010 http://nullcon.net Conclusions and final thoughts
Why This Approach Makes Sense? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
nullcon Goa 2010 http://nullcon.net Thank You!

Recomendados

Unlocking Value - Embrace Governance, Risk, and Compliance Practices
Unlocking Value - Embrace Governance, Risk, and Compliance PracticesUnlocking Value - Embrace Governance, Risk, and Compliance Practices
Unlocking Value - Embrace Governance, Risk, and Compliance Practices
Kelly Services
 
E informativo 2
E informativo 2E informativo 2
E informativo 2
Elton Chaves
 
Christian Liipfert Minimizing Risk, Maximizing Compliance, Information Govera...
Christian Liipfert Minimizing Risk, Maximizing Compliance, Information Govera...Christian Liipfert Minimizing Risk, Maximizing Compliance, Information Govera...
Christian Liipfert Minimizing Risk, Maximizing Compliance, Information Govera...
Christian Liipfert
 
KGWI 2014 Karriereentwicklung
KGWI 2014 KarriereentwicklungKGWI 2014 Karriereentwicklung
KGWI 2014 Karriereentwicklung
Kelly Services
 
An IT Governance program
An IT Governance programAn IT Governance program
An IT Governance program
John Goodpasture
 
Attacking VPN's
Attacking VPN'sAttacking VPN's
Attacking VPN's
n|u - The Open Security Community
 
Understanding the Routing Table Structure
Understanding the Routing Table StructureUnderstanding the Routing Table Structure
Understanding the Routing Table Structure
Makram Ghazzaoui
 
DNS Advanced Attacks and Analysis
DNS Advanced Attacks and AnalysisDNS Advanced Attacks and Analysis
DNS Advanced Attacks and Analysis
CSCJournals
 

Recomendados

Unlocking Value - Embrace Governance, Risk, and Compliance Practices
Unlocking Value - Embrace Governance, Risk, and Compliance PracticesUnlocking Value - Embrace Governance, Risk, and Compliance Practices
Unlocking Value - Embrace Governance, Risk, and Compliance Practices
Kelly Services
 
E informativo 2
E informativo 2E informativo 2
E informativo 2
Elton Chaves
 
Christian Liipfert Minimizing Risk, Maximizing Compliance, Information Govera...
Christian Liipfert Minimizing Risk, Maximizing Compliance, Information Govera...Christian Liipfert Minimizing Risk, Maximizing Compliance, Information Govera...
Christian Liipfert Minimizing Risk, Maximizing Compliance, Information Govera...
Christian Liipfert
 
KGWI 2014 Karriereentwicklung
KGWI 2014 KarriereentwicklungKGWI 2014 Karriereentwicklung
KGWI 2014 Karriereentwicklung
Kelly Services
 
An IT Governance program
An IT Governance programAn IT Governance program
An IT Governance program
John Goodpasture
 
Attacking VPN's
Attacking VPN'sAttacking VPN's
Attacking VPN's
n|u - The Open Security Community
 
Understanding the Routing Table Structure
Understanding the Routing Table StructureUnderstanding the Routing Table Structure
Understanding the Routing Table Structure
Makram Ghazzaoui
 
DNS Advanced Attacks and Analysis
DNS Advanced Attacks and AnalysisDNS Advanced Attacks and Analysis
DNS Advanced Attacks and Analysis
CSCJournals
 
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the GymTracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
OWASP
 
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
OWASP Russia
 
Introduction to Common Weakness Enumeration (CWE)
Introduction to Common Weakness Enumeration (CWE)Introduction to Common Weakness Enumeration (CWE)
Introduction to Common Weakness Enumeration (CWE)
Aung Thu Rha Hein
 
How to Extend your Datacenter into the Cloud - 2nd Watch - Webinar
How to Extend your Datacenter into the Cloud - 2nd Watch - WebinarHow to Extend your Datacenter into the Cloud - 2nd Watch - Webinar
How to Extend your Datacenter into the Cloud - 2nd Watch - Webinar
Amazon Web Services
 
BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;
BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;
BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;
Barry Greene
 
AWS Webcast - What's New with Amazon Elastic Transcoder
AWS Webcast - What's New with Amazon Elastic TranscoderAWS Webcast - What's New with Amazon Elastic Transcoder
AWS Webcast - What's New with Amazon Elastic Transcoder
Amazon Web Services
 
Multi-master, multi-region MySQL deployment in Amazon AWS
Multi-master, multi-region MySQL deployment in Amazon AWSMulti-master, multi-region MySQL deployment in Amazon AWS
Multi-master, multi-region MySQL deployment in Amazon AWS
Continuent
 
The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...
Ken DeSouza
 
High Availability Infrastructure for Cloud Computing
High Availability Infrastructure for Cloud ComputingHigh Availability Infrastructure for Cloud Computing
High Availability Infrastructure for Cloud Computing
Bob Rhubart
 
Route 53 Latency Based Routing
Route 53 Latency Based RoutingRoute 53 Latency Based Routing
Route 53 Latency Based Routing
Amazon Web Services
 
Amazon cloud search_vs_apache_solr_vs_elasticsearch_comparison_report_v11
Amazon cloud search_vs_apache_solr_vs_elasticsearch_comparison_report_v11Amazon cloud search_vs_apache_solr_vs_elasticsearch_comparison_report_v11
Amazon cloud search_vs_apache_solr_vs_elasticsearch_comparison_report_v11
Harish Ganesan
 
Erlang, LFE, Joxa and Elixir: Established and Emerging Languages in the Erlan...
Erlang, LFE, Joxa and Elixir: Established and Emerging Languages in the Erlan...Erlang, LFE, Joxa and Elixir: Established and Emerging Languages in the Erlan...
Erlang, LFE, Joxa and Elixir: Established and Emerging Languages in the Erlan...
Brian Troutwine
 
AWS Webcast - High Availability with Route 53 DNS Failover
AWS Webcast - High Availability with Route 53 DNS FailoverAWS Webcast - High Availability with Route 53 DNS Failover
AWS Webcast - High Availability with Route 53 DNS Failover
Amazon Web Services
 
Amazon Route 53 - Webinar Presentation 9.16.2015
Amazon Route 53 - Webinar Presentation 9.16.2015Amazon Route 53 - Webinar Presentation 9.16.2015
Amazon Route 53 - Webinar Presentation 9.16.2015
Amazon Web Services
 
Routing table and routing algorithms
Routing table and routing algorithmsRouting table and routing algorithms
Routing table and routing algorithms
lavanyapathy
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
Francois Marier
 
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...
Amazon Web Services
 
Announcing Amazon Aurora with PostgreSQL Compatibility - January 2017 AWS Onl...
Announcing Amazon Aurora with PostgreSQL Compatibility - January 2017 AWS Onl...Announcing Amazon Aurora with PostgreSQL Compatibility - January 2017 AWS Onl...
Announcing Amazon Aurora with PostgreSQL Compatibility - January 2017 AWS Onl...
Amazon Web Services
 
How to bring down your own RTC platform. Sandro Gauci
How to bring down your own RTC platform. Sandro GauciHow to bring down your own RTC platform. Sandro Gauci
How to bring down your own RTC platform. Sandro Gauci
Alan Quayle
 
TADSummit 2022 - How to bring your own RTC platform down
TADSummit 2022 - How to bring your own RTC platform downTADSummit 2022 - How to bring your own RTC platform down
TADSummit 2022 - How to bring your own RTC platform down
Sandro Gauci
 
HPX and PVS-Studio
HPX and PVS-StudioHPX and PVS-Studio
HPX and PVS-Studio
PVS-Studio
 
Application Security
Application SecurityApplication Security
Application Security
UTD Computer Security Group
 

Mais conteúdo relacionado

Destaque

Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
OWASP Russia
 
How to Extend your Datacenter into the Cloud - 2nd Watch - Webinar
How to Extend your Datacenter into the Cloud - 2nd Watch - WebinarHow to Extend your Datacenter into the Cloud - 2nd Watch - Webinar
How to Extend your Datacenter into the Cloud - 2nd Watch - Webinar
Amazon Web Services
 
BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;
BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;
BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;
Barry Greene
 
Multi-master, multi-region MySQL deployment in Amazon AWS
Multi-master, multi-region MySQL deployment in Amazon AWSMulti-master, multi-region MySQL deployment in Amazon AWS
Multi-master, multi-region MySQL deployment in Amazon AWS
Continuent
 
The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...
Ken DeSouza
 
Amazon Route 53 - Webinar Presentation 9.16.2015
Amazon Route 53 - Webinar Presentation 9.16.2015Amazon Route 53 - Webinar Presentation 9.16.2015
Amazon Route 53 - Webinar Presentation 9.16.2015
Amazon Web Services
 
Routing table and routing algorithms
Routing table and routing algorithmsRouting table and routing algorithms
Routing table and routing algorithms
lavanyapathy
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
Francois Marier
 
Announcing Amazon Aurora with PostgreSQL Compatibility - January 2017 AWS Onl...
Announcing Amazon Aurora with PostgreSQL Compatibility - January 2017 AWS Onl...Announcing Amazon Aurora with PostgreSQL Compatibility - January 2017 AWS Onl...
Announcing Amazon Aurora with PostgreSQL Compatibility - January 2017 AWS Onl...
Amazon Web Services
 

Destaque (18)

Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the GymTracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
 
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
 
Introduction to Common Weakness Enumeration (CWE)
Introduction to Common Weakness Enumeration (CWE)Introduction to Common Weakness Enumeration (CWE)
Introduction to Common Weakness Enumeration (CWE)
 
How to Extend your Datacenter into the Cloud - 2nd Watch - Webinar
How to Extend your Datacenter into the Cloud - 2nd Watch - WebinarHow to Extend your Datacenter into the Cloud - 2nd Watch - Webinar
How to Extend your Datacenter into the Cloud - 2nd Watch - Webinar
 
BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;
BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;
BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;
 
AWS Webcast - What's New with Amazon Elastic Transcoder
AWS Webcast - What's New with Amazon Elastic TranscoderAWS Webcast - What's New with Amazon Elastic Transcoder
AWS Webcast - What's New with Amazon Elastic Transcoder
 
Multi-master, multi-region MySQL deployment in Amazon AWS
Multi-master, multi-region MySQL deployment in Amazon AWSMulti-master, multi-region MySQL deployment in Amazon AWS
Multi-master, multi-region MySQL deployment in Amazon AWS
 
The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...
 
High Availability Infrastructure for Cloud Computing
High Availability Infrastructure for Cloud ComputingHigh Availability Infrastructure for Cloud Computing
High Availability Infrastructure for Cloud Computing
 
Route 53 Latency Based Routing
Route 53 Latency Based RoutingRoute 53 Latency Based Routing
Route 53 Latency Based Routing
 
Amazon cloud search_vs_apache_solr_vs_elasticsearch_comparison_report_v11
Amazon cloud search_vs_apache_solr_vs_elasticsearch_comparison_report_v11Amazon cloud search_vs_apache_solr_vs_elasticsearch_comparison_report_v11
Amazon cloud search_vs_apache_solr_vs_elasticsearch_comparison_report_v11
 
Erlang, LFE, Joxa and Elixir: Established and Emerging Languages in the Erlan...
Erlang, LFE, Joxa and Elixir: Established and Emerging Languages in the Erlan...Erlang, LFE, Joxa and Elixir: Established and Emerging Languages in the Erlan...
Erlang, LFE, Joxa and Elixir: Established and Emerging Languages in the Erlan...
 
AWS Webcast - High Availability with Route 53 DNS Failover
AWS Webcast - High Availability with Route 53 DNS FailoverAWS Webcast - High Availability with Route 53 DNS Failover
AWS Webcast - High Availability with Route 53 DNS Failover
 
Amazon Route 53 - Webinar Presentation 9.16.2015
Amazon Route 53 - Webinar Presentation 9.16.2015Amazon Route 53 - Webinar Presentation 9.16.2015
Amazon Route 53 - Webinar Presentation 9.16.2015
 
Routing table and routing algorithms
Routing table and routing algorithmsRouting table and routing algorithms
Routing table and routing algorithms
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
 
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...
 
Announcing Amazon Aurora with PostgreSQL Compatibility - January 2017 AWS Onl...
Announcing Amazon Aurora with PostgreSQL Compatibility - January 2017 AWS Onl...Announcing Amazon Aurora with PostgreSQL Compatibility - January 2017 AWS Onl...
Announcing Amazon Aurora with PostgreSQL Compatibility - January 2017 AWS Onl...
 

Semelhante a nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

4.Security Assessment And Testing
4.Security Assessment And Testing4.Security Assessment And Testing
4.Security Assessment And Testing
phanleson
 
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
CODE BLUE
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
kozossakai
 
Training report anish
Training report anishTraining report anish
Training report anish
Anish Yadav
 
Software engineering
Software engineeringSoftware engineering
Software engineering
Fahe Em
 
Software engineering
Software engineeringSoftware engineering
Software engineering
Fahe Em
 
Measuring Your Code
Measuring Your CodeMeasuring Your Code
Measuring Your Code
Nate Abele
 

Semelhante a nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym (20)

How to bring down your own RTC platform. Sandro Gauci
How to bring down your own RTC platform. Sandro GauciHow to bring down your own RTC platform. Sandro Gauci
How to bring down your own RTC platform. Sandro Gauci
 
TADSummit 2022 - How to bring your own RTC platform down
TADSummit 2022 - How to bring your own RTC platform downTADSummit 2022 - How to bring your own RTC platform down
TADSummit 2022 - How to bring your own RTC platform down
 
HPX and PVS-Studio
HPX and PVS-StudioHPX and PVS-Studio
HPX and PVS-Studio
 
Application Security
Application SecurityApplication Security
Application Security
 
Chapter 2 program-security
Chapter 2 program-securityChapter 2 program-security
Chapter 2 program-security
 
Parasoft .TEST, Write better C# Code Using Data Flow Analysis
Parasoft .TEST, Write better C# Code Using Data Flow Analysis Parasoft .TEST, Write better C# Code Using Data Flow Analysis
Parasoft .TEST, Write better C# Code Using Data Flow Analysis
 
AUTOCODECOVERGEN: PROTOTYPE OF DATA DRIVEN UNIT TEST GENRATION TOOL THAT GUAR...
AUTOCODECOVERGEN: PROTOTYPE OF DATA DRIVEN UNIT TEST GENRATION TOOL THAT GUAR...AUTOCODECOVERGEN: PROTOTYPE OF DATA DRIVEN UNIT TEST GENRATION TOOL THAT GUAR...
AUTOCODECOVERGEN: PROTOTYPE OF DATA DRIVEN UNIT TEST GENRATION TOOL THAT GUAR...
 
4.Security Assessment And Testing
4.Security Assessment And Testing4.Security Assessment And Testing
4.Security Assessment And Testing
 
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
 
SE2023 0401 Software Coding and Testing.pptx
SE2023 0401 Software Coding and Testing.pptxSE2023 0401 Software Coding and Testing.pptx
SE2023 0401 Software Coding and Testing.pptx
 
Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital Forensics
 
Training report anish
Training report anishTraining report anish
Training report anish
 
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
 
Software engineering
Software engineeringSoftware engineering
Software engineering
 
Software engineering
Software engineeringSoftware engineering
Software engineering
 
Automating The Process For Building Reliable Software
Automating The Process For Building Reliable SoftwareAutomating The Process For Building Reliable Software
Automating The Process For Building Reliable Software
 
gnaneshwar.resume
gnaneshwar.resumegnaneshwar.resume
gnaneshwar.resume
 
Resume
ResumeResume
Resume
 
Measuring Your Code
Measuring Your CodeMeasuring Your Code
Measuring Your Code
 

Mais de n|u - The Open Security Community

Mais de n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Último (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

nullcon 2010 - Tracking the progress of an SDL program: lessons from the gym

  • 1. Tracking the Progress of an SDL Program - Cassio Goldschmidt nullcon Goa 2010 http://nullcon.net
  • 2.
  • 4.  
  • 6. Number of Reps: Number of Findings
  • 8.  
  • 9. nullcon Goa 2010 http://nullcon.net Common Weakness Enumeration
  • 10.
  • 11. Common Weakness Enumeration Portion of CWE structure
  • 12.
  • 13. How useful is this information? Pie Chart showing the frequency of CWEs found in penetration tests
  • 14. nullcon Goa 2010 http://nullcon.net Common Vulnerability Scoring System
  • 15. Common Vulnerability Scoring System What is it? 0.0...3.9 4.0...6.9 7.0...10
  • 16.
  • 17. Common Vulnerability Scoring System (CVSS) The Calculator
  • 18. nullcon Goa 2010 http://nullcon.net Hands on Demo
  • 19. CWE and CVSS use in Practice Code Review v oid CHTMLEngine::SetPost(CBufferedInput& buf, unsigned int length,string& multipart) { m_post= true ; if (length <= 0) return ; char * pData = new char[length+1 ]; memset(pData,0,length+1); // Read the POSTed data into a buffer int totalBytesRead = 0; int bytesRead = 0; while ( length-totalBytesRead > 0 ) { bytesRead = buf.Read(pData+totalBytesRead, length - totalBytesRead); if ( bytesRead == -1 ) { DTRACE(1, “ EOF error reading POSTed data.&quot; ); break ; } totalBytesRead += bytesRead; } m_post_data = pData; m_mp_boundary = multipart; delete [] pData; } What if I make length = -1? new char[0] calls malloc(0) which succeeds! Next, attacker-controlled data either overflows heap or crashes Doesn’t quite work – length is unsigned
  • 20. CWE and CVSS use in Practice Code Review v oid CHTMLEngine::SetPost(CBufferedInput& buf, unsigned int length,string& multipart) { m_post= true ; if (length <= 0) return ; char * pData = new char [length+1]; memset(pData,0,length+1); // Read the POSTed data into a buffer int totalBytesRead = 0; int bytesRead = 0; while ( length-totalBytesRead > 0 ) { bytesRead = buf.Read(pData+totalBytesRead, length - totalBytesRead); if ( bytesRead == -1 ) { DTRACE(1, “ EOF error reading POSTed data.&quot; ); break ; } totalBytesRead += bytesRead; } m_post_data = pData; m_mp_boundary = multipart; delete [] pData; } Buffer Overflow CWE: 119 CVSS 2: 7.6 CVSS 2 Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
  • 21. nullcon Goa 2010 http://nullcon.net Training and Metrics
  • 22.
  • 23. Training and Metrics Security Learning Process
  • 24.
  • 25.
  • 26.
  • 27.
  • 28. Training and Metrics Security awareness is more than training
  • 29. nullcon Goa 2010 http://nullcon.net Conclusions and final thoughts
  • 30.
  • 31. nullcon Goa 2010 http://nullcon.net Thank You!

Notas do Editor

  1. Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure the secure development of software products. His responsibilities include managing Symantec’s internal secure software development process, training, threat modeling and penetration testing. Cassio’s background includes over 13 years of technical and managerial experience in the software industry.  During the seven years he has been with Symantec, he has helped to architect, design and develop several top selling product releases, conducted numerous security classes, and coordinated various penetration tests. Cassio is also internationally known for leading the OWASP chapter in Los Angeles. Cassio represents Symantec on the SAFECode technical committee and (ISC) 2 in the development of the CSSLP certification. He holds a bachelor degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a masters degree in software engineering from Santa Clara University, and a masters of business administration from the University of Southern California.