Last 50 'SDL' Tagged Posts

Presentation: Problems you'll face when building a software security program

A video for a talk I gave at LASCON last year made it online that some folks may find interesting. I rarely give public talks, but felt this information would have been useful to learn earlier in my career. Basically it goes through problems I've had to deal with building out appsec...

Google's intentions are good, but implementation leaves MORE users vulnerable to hacking than before

In 2010 I wrote an article about a flaw Google discovered, and published working exploit code when no fix or mitigation existed. This allowed attackers to immediately start using the flaw to hack Google's own users (in this case, the world). Since then Google has announced a new program 'Project Zero' which...

My experience with developer security training

I've been busy this past year which has resulted in almost no updates to this site. Consider this one of many rants/posts of my experiences in the industry during this time. This post covers a topic I think many people implement poorly, which is security training targeting developers. How most people implement...

Poll: How do you rank the importance of a vulnerability?

I've added a new poll to the WASC LinkedIn group that a few of you may be interested in. Specifically asking how people rank the importance of vulnerabilities. Poll Link http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840

Five pieces of advice for those new to the infosec industry

I've worked in the security field in various roles (script kiddie, security researcher, incident response, application security engineer, security consultant, strategy, etc..) and thought I'd share a few points to those of you starting out in the security industry. Things are worse than you expect The reality is that companies, even large...

WASC Announcement: 'Static Analysis Tool Evaluation Criteria' Call For Participants

I sent the following out to The Web Security Mailing List (which I moderate) announcing a new WASC Project. "The Web Application Security Consortium is pleased to announce a new project "Static Analysis Tool Evaluation Criteria (SATEC)". Currently WASC is seeking volunteers from various sections of the community including security researchers, academics,...

NIST publishes 50kish vulnerable code samples in Java/C/C++, is officially krad

NIST has published a fantastic project (it's been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and C/C++. From the README "This archive contains test cases intended for use by organizations and individuals...

Tracking and understanding security related defects: Useful data points for shaping your SDLC program

In addition to CGISecurity, I also run a website called QASEC.com where I post SDLC related content. I've just published a lightweight article discussing tips and tricks for tracking software level vulnerabilities in larger organizations. Abstract: "If you work in infosec for a large organization it can be difficult to easily track...

CGISecurity.com Turns 10!: A short appsec history of the last decade

Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web related vulns and attacks. When I first started...

Announcement: WASC Threat Classification v2 is Out!

I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is...

Adobe on Fuzzing Adobe Reader For Security Defects

Adobe has published an entry on their blog outlining how fuzzing plays a part in discovering security issues in their product prior to launching it. It's good to see a company such as Adobe publishing this information as it's one of those things that is discussed frequently by the security community, however...

Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC

Microsoft has published a paper on its ASP.NET MVC framework, how to use it, and how utilization of an SDL eliminates the potential to introduce vulnerabilities such as XSRF. From the paper "On the Microsoft platform, most Web applications are based on ASP.NET and the Microsoft®.NET Framework. ASP.NET MVC is a new...

Microsoft publishes BinScope and MiniFuzz

From the download pages. BinScope "BinScope is a Microsoft verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, up-to-date build...

Static Analysis Tools and the SDL (Part Two)

"Hi, Bryan here. Michael wrote last week on static analysis for native C/C++ code, and this week I’ll be following up by covering the tools we use for managed static analysis. The SDL requires teams writing managed code to use two static analysis tools: FxCop and CAT.NET. Both of these tools are...

Static Analysis Tools and the SDL (Part One)

"This is part one of a two part series of posts by myself and Bryan Sullivan; I will cover the static analysis tools we use at Microsoft (and make available publicly) for analyzing unmanaged (i.e. native) C and C++ code, and Bryan will cover managed code static analysis in a later post....

Article: The Problem of "Too Many Problems"

Rafal has a good post on the challenges security/SDL folks have when presenting their findings to business folks. "The presentation the next day kicked off as expected... we presented our executive summary, the methodology of our product validation and moved on to the specific findings. In this case, since there was...

Article: 'Setting the appropriate security defect handling expectations in development and QA'

I have just published the following article on handling application security defects (vulnerabilities) in development and QA. "If you've worked in information security you've likely had to report a security defect to development in an effort to remediate the issue. Depending on your organization and its culture this can be a rather...

PayPal Software Security Podcast

Gary McGraw posted the following to the secure coding mailing list today. "Episode 6 of the Reality Check security podcast features our own Andy Steingruebl chatting with me about Paypal's software security initiative. This was a fun episode for me, because though I have known Andy for a while I had little...

Microsoft bans Memcpy() in their SDL program

"Memcpy() and brethren, your days are numbered. At least in development shops that aspire to secure coding. Microsoft plans to formally banish the popular programming function that's been responsible for an untold number of security vulnerabilities over the years, not just in Windows but in countless other applications based on the C...

Building Security In Maturity Model is online

"The Building Security In Maturity Model (BSIMM) described on this website is designed to help you understand and plan a software security initiative. BSIMM was created through a process of understanding and analyzing real-world data from nine leading software security initiatives. Though particular methodologies differ (think OWASP CLASP, Microsoft SDL, or the...

Application Security Vendors Need Help With Reporting

I've been reading web application vulnerability reports from tools and services for 6-7 years and found that 99% of these reports are geared towards security engineers or system administrators. Many of the reports I see focus on: the type of flaw and what its impact is; the URL affected; links to...

The security industry needs to re-align its training expectations for QA

I've been involved in the security community for over 10 years and have worked for small, medium, and large companies. I have also worked in Quality Assurance and base my comments here on my experiences being a QA tester, and speaking with them as an outsider. I've seen advice in articles, and...

Microsoft's SDL and the CWE/SANS Top 25

"Bryan here. The security community has been buzzing since SANS and MITRE’s joint announcement earlier this month of their list of the Top 25 Most Dangerous Programming Errors. Now, I don’t want to get into a debate in this blog about whether this new list will become the new de facto standard...

OWASP interviews Gary McGraw

Gary posted the following to the SC-L list today. "hi sc-l, OWASP just posted an interview with me as part of their budding podcast series. It's nice to have the tables turned after doing all the Silver Bullet (and Reality Check) interviews! It's also nice to be able to answer some of...

Security metrics on flaws detected during architectural review?

I recently attended a private event where there was a talk on security metrics. Security metrics can be used to determine if action x is reducing risk y. Software security metrics typically involve counting the number of defects discovered over time to see if things are getting better. Most of these metrics...

Building a Web Application Security Program, Part 8: Putting It All Together

"Whew! This is our final post in this series on Building a Web Application Security Program (Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7), and it’s time to put all the pieces together. Here are our guidelines for designing a program that meets the needs of...

MS08-078 and the SDL

Michael Howard from Microsoft has posted information on the recent IE bug and why Microsoft's SDL failed to discover it. "Every bug is an opportunity to learn, and the security update that fixed the data binding bug that affected Internet Explorer users is no exception. The Common Vulnerabilities and Exposures (CVE) entry...

Software [In]security: Software Security Top 10 Surprises

"Using the software security framework introduced in October (A Software Security Framework: Working Towards a Realistic Maturity Model), we interviewed nine executives running top software security programs in order to gather real data from real programs. Our goal is to create a maturity model based on these data, and we're busy working...

Budgeting for Web Application Security

Jeremiah has published an entry on budgeting for web application security in your company. "“Budgeting” is a word I’ve been hearing a lot of questions about recently, which is another data point demonstrating that Web application security and software security are increasingly becoming a top of mind issue. The challenge that many...

Understanding How to Use the Microsoft's Exploitability Index

"On Oct. 14, 2008, Microsoft added another piece of information to the bulletin summary to better help customers with their risk assessment process: the Exploitability Index. This section is a brief overview to explain how customers can integrate the Exploitability Index with the Severity Rating system into their own risk assessment process....

Threat Models Improve Your Security Process

"This column proposes a way to think about secure design from a more holistic perspective by using threat models to drive your security engineering process, primarily helping you prioritize code review, fuzz testing, and attack surface analysis tasks. As a setup for this column, you might want to first read Jeremy Dallman's...

Agile SDL Streamline Security Practices For Agile Development

"In the September 2008 issue of MSDN Magazine, I wrote a column about the additions that Microsoft has made to the Security Development Lifecycle (SDL) process to address security vulnerabilities in online services. I talked about the importance of input validation and output encoding in order to prevent cross-site scripting attacks; about...

Why Microsoft's SDL Missed MS08-067 in their own words

"No doubt you are aware of the out-of-band security bulletin issued by the Microsoft Security Response Center today, and like all security vulnerabilities, this is a vulnerability we can learn from and, if necessary, can use to shape future versions of the Security Development Lifecycle (SDL). Before I get into some of...

Article: SDL Embraces The Web

Bryan Sullivan from Microsoft has posted an article on using the SDL to secure web applications. "The Security Development Lifecycle (SDL) team recently released details of the SDL process that has been so successful in helping to make Microsoft products more secure. You can find these documents at microsoft.com/sdl. As you read through...

Most Corporations Lack Proper SDLC

"The current state of secure software development by corporations both large and small is a mess. Software vendors need to realize that they must begin exercising due diligence when producing their software products. Microsoft dedicated itself to secure development practices some years ago, yet its developers are still taking months to fix...

Elevator pitch for explaining security risks to executives

Lenny Zeltser has posted an entry on sans on how to pitch security risks to upper management. "How to catch the attention of a busy executive, to highlight an important security risk? An elevator pitch is a persuasive statement delivered verbally in the time you would share with the listener in an...

Getting started with Web application misuse cases

"When developing applications it isn't enough to think about how they will be used. You must also consider how they will be misused -- or abused -- so that you can prevent attacks. Kevin Beaver gives some examples of Web application weak spots that your development team should consider." Article Link:...

The essentials of Web application threat modeling

"A critical part of Web application security is mapping out what's at risk -- a process called threat modelling. The term "threat" modelling is actually a misnomer. It's more like "vulnerability" or "risk" modelling, since we're technically looking at weaknesses and their consequences -- not the actual indication of intent to cause...

Using industry best practices for effective security training

"Improved employee understanding of appropriate behaviors and best practices for enhanced information security reduces security risks and helps ensure compliance with regulations such as Sarbanes-Oxley, HIPAA, the Payment Card Industry Data Security Standards (PCI DSS) and others. But merely providing security training is not enough. Organizations need to know if training programs...

Your Next Security Frontier? Software!

"Software testing generally falls under the purview of the quality assurance (QA) test team. The problem is that QA testers test the products for compliance with its functional requirements and specifications. Put another way, they test how the software works, not how someone can break or misuse software for illicit purposes. To...

Building Secure Applications: Consistent Logging

"This article examines the dismal state of application-layer logging as observed from the authors’ years of experience in performing source code security analysis on millions of lines of code. It argues that effective logging is often ignored in the push for application security and demonstrates how applications can benefit from a real-time...

Halvar Flake vs. Michael Howard on memcpy

"Halvar’s reaction to Microsoft’s Michael Howard hinting that memcpy may soon be verboten in Redmond code: This is an excellent idea - and along with memcpy, malloc() should be banned. While we are at it, the addition and multiplication operators have caused so much grief over the last years, I think it...

Article: The business case for security frameworks

I've written a new article for The Web Application Security Consortium's Guest Article Project. From the paper "One of the reasons why vulnerabilities are still common-place is because new generations of developers are making the same mistakes. I don't put the majority of the blame on them because they may not know...

A Software Call To Arms: Where are source control repository security scanning tools?

<rant> We've heard of source code analysis tools, and blackbox scanning tools and they have value to help secure your application. Unfortunately they have a major downside, they require the discipline of using them. If your developers don't run them they can still check in vulnerable code to your source code repository....

Security Development Lifecycle (SDL) Banned Function Calls

Michael Howard has a very good article on C/C++ API calls that should be avoided when developing applications. "When the C runtime library (CRT) was first created about 25 years ago, the threats to computers were different; machines were not as interconnected as they are today, and attacks were not as prevalent. With...
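The memcpy() ban above and the banned-function list in this entry target the same bug class. As an added example (not code from Microsoft's SDL, from Michael Howard's article, or from this site), here is that bug beside its bounded replacement: a length byte taken from an untrusted record drives memcpy() into a fixed-size buffer, and a checked copy with the contract of C11 Annex K memcpy_s rejects it. memcpy_s itself is missing from many libcs, so a portable equivalent is written here; the record format, the record names and NAME_MAX are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from Microsoft's SDL or the article above.
 * The record format and NAME_MAX are assumptions made for illustration. */

#define NAME_MAX 16   /* longest name the application expects */

/* Constructed records: one length byte followed by that many name bytes.
 * The length byte is attacker-controlled. */
static const uint8_t benign_record[] = { 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t lying_record[]  = { 0xFF, 'x', 'x', 'x' };  /* claims 255 bytes, carries 3 */
static const uint8_t long_record[]   = { 20, 'A','A','A','A','A','A','A','A','A','A',
                                             'A','A','A','A','A','A','A','A','A','A' };

/* The banned pattern: the copy length comes straight from the record and is
 * never compared with sizeof(out) or with rec_len. Fed lying_record, this
 * reads 255 bytes past a 4-byte buffer and writes them over a 17-byte one,
 * so it must never be called with untrusted input (undefined behaviour). */
void parse_name_unsafe(const uint8_t *rec, size_t rec_len, char out[NAME_MAX + 1])
{
    (void)rec_len;                 /* the received size is ignored entirely */
    size_t n = rec[0];
    memcpy(out, rec + 1, n);       /* unbounded: n may exceed NAME_MAX */
    out[n] = '\0';
}

/* Portable equivalent of C11 Annex K memcpy_s(dst, dst_size, src, n):
 * rejects NULL pointers, n > dst_size and overlapping regions, and on
 * failure clears the destination instead of leaving it half-written.
 * Returns 0 on success or an errno value. */
int memcpy_checked(void *dst, size_t dst_size, const void *src, size_t n)
{
    if (dst == NULL)
        return EINVAL;
    if (src == NULL || n > dst_size) {
        memset(dst, 0, dst_size);
        return src == NULL ? EINVAL : ERANGE;
    }
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if ((s < d && s + n > d) || (d < s && d + n > s)) {
        memset(dst, 0, dst_size);   /* overlap: memmove territory, not memcpy */
        return EINVAL;
    }
    memcpy(dst, src, n);
    return 0;
}

/* Hardened parser: the length is checked against what was actually received
 * and against the destination before any copy happens. */
int parse_name_safe(const uint8_t *rec, size_t rec_len, char out[NAME_MAX + 1])
{
    if (rec == NULL || rec_len < 1)
        return EINVAL;
    size_t n = rec[0];
    if (n > rec_len - 1)
        return EINVAL;             /* record is shorter than it claims */
    if (n > NAME_MAX)
        return ERANGE;             /* well-formed, but does not fit in out */
    int rc = memcpy_checked(out, NAME_MAX, rec + 1, n);
    if (rc != 0)
        return rc;
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char out[NAME_MAX + 1];
    int rc = parse_name_safe(benign_record, sizeof benign_record, out);
    printf("benign: rc=%d name=%s\n", rc, out);
    rc = parse_name_safe(lying_record, sizeof lying_record, out);
    printf("lying:  rc=%d (EINVAL=%d)\n", rc, EINVAL);
    rc = parse_name_safe(long_record, sizeof long_record, out);
    printf("long:   rc=%d (ERANGE=%d)\n", rc, ERANGE);
    /* parse_name_unsafe(lying_record, ...) is deliberately not called. */
    return 0;
}
```

Two checks are needed and the order matters: the length against the bytes actually received (otherwise the copy over-reads the source) and then against the destination size (otherwise a well-formed but overlong record overflows it). A replacement that takes the destination size as a parameter, which is what memcpy_s adds over memcpy, forces the second check at every call site instead of relying on each caller to remember it.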

Detect Your Web Application's Vulnerabilities Early with Ruby

"Web application fuzzing is a method of detecting a web application's vulnerabilities prior to deploying the application on a production system. Users of this approach send several malicious requests to the application and, based on the responses received, determine the application's security posture. Users also can apply fuzzing to perform tests on...

Using Fuzzers in Software Testing: Identifying Application Risks

I've written a short blurb on my other site QASEC.com on why using fuzzers in QA can pay off. This is a new site focused on speaking to the various people involved in a development cycle, using a language that they are familiar with, in short, to-the-point articles. "Fuzzers are...

Writing Software Security Test Cases: Putting security test cases into your test plan

Besides CGISecurity.com, I'm involved with my other project QASec.com, a new website aimed at teaching security throughout the development cycle with a heavy focus on security testing. I've just written an article explaining how Quality Assurance Engineers can include security testing in their test plans. "Part of software testing involves replicating customer...

The lack of security enabled frameworks is why we're vulnerable

We've been stating for years that 'developers need to learn to code securely'. Sure, this is great, however it is essentially limited to skilled professionals. This isn't to say we shouldn't keep teaching; however, rather than simply focusing on those paying attention, we should start babysitting the remaining majority. So how do you watch...