October 22, 2011 by mensming.

In security parlance, the following 3 points make up the "CIA Triad":

• Confidentiality
• Integrity
• Availability

The Wikipedia article on the CIA Triad describes confidentiality in this context as "prevent the disclosure of information to unauthorized individuals or systems"; integrity as "data cannot be modified without authorization"; and availability is described as when the information can be accessed.

Posted in security | No Comments »

April 30, 2011 by mensming.

I love cheat sheets. They jog my memory about things I need to do or should test for - especially when I have not done it for awhile.

From a test perspective, my favorite test value cheat sheet for cross site scripting (XSS) is http://ha.ckers.org/xss.html. If you have not tried out these samples (and variations on the themes) in your own web application, you need to do it now.

From a developer perspective, OWASP’s (Open Web Application Security Project) XSS (Cross Site Scripting) Prevention Cheat Sheet provides a set of rules to implement.

Posted in security | 1 Comment »

January 29, 2011 by mensming.

I was reading an article when I saw a reference to how NASA’s Jet Propulsion Laboratory (JPL) was using 10 simple coding guideline to develop safe code. The article referenced the following URL: http://spinroot.com/p10/. Going to this site, you will discover that the work was originally published in the June 2006 issue of IEEE Computer in The Power of Ten – Rules for Developing Safety Critical Code by Gerard J. Holzmann.

The paper and site describes 10 rules:

1. Restrict to simple control flow constructs.
2. Give all loops a fixed upper-bound.
3. Do not use dynamic memory allocation after initialization.
4. Limit functions to no more than 60 lines of text.
5. Use minimally two assertions per function on average.
6. Declare data objects at the smallest possible level of scope.
7. Check the return value of non-void functions, and check the validity of function parameters.
8. Limit the use of the preprocessor to file inclusion and simple macros.
9. Limit the use of pointers. Use no more than two levels of dereferencing per expression.
10. Compile with all warnings enabled, and use one or more source code analyzers.

Check the site and the paper out.

Posted in software engineering, process improvement, security | No Comments »

December 18, 2010 by mensming.

I was listening to Security Now 229: The Rational Rejection of Security Advice when there was a reference to site/conference that I found intriguing. The entire episode was based on a paper from the conference.

The site, www.nspw.org, is the companion to the "New Security Paradigms Workshop" events. The description of the workshop is what I find so fascinating:

The New Security Paradigms Workshop (NSPW) is an annual, small invitation-only workshop for researchers in information security and related disciplines. NSPW’s focus is on work that challenges the dominant approaches and perspectives in computer security. In the past, such challenges have taken the form of critiques of existing practice as well as novel, sometimes controversial, and often immature approaches to defending computer systems. By providing a forum for important security research that isn’t suitable for mainstream security venues, NSPW aims to foster paradigm shifts in information security.

It happens that all of the proceedings for the conference are available online. Well worth reviewing.

Posted in security | No Comments »

December 11, 2010 by mensming.

I was reading a press release for a security analysis program and there was a reference to the "Common Weakness Enumeration site". I was not interested in the product but did decide to investigate the site referenced.

The Common Weakness Enumeration (CWA) is subtitled "A Community-Developed Dictionary of Software Weakness Types." The site is hosted by MITRE”. The scope of the project is to "provides a unified, measurable set of software weaknesses."

It appears that the starting point of this taxonomy of software security weaknesses was quite a few of disparate standards, papers, proposals, etc. A pretty good list and links to original sources can be found on the sources page. Each item in the list includes a description, where the weakness may be introduced, whether it is applicable to particular platforms, examples and related items.

Posted in security | No Comments »

July 25, 2010 by mensming.

The following links were published in the March 2010 ACM SIGSOFT Software Engineering Notes in the "Surfing the Net for Software Engineering Notes" by Mark Doernhoefer. This issues topic was Cyber Security.

• SANS Institute
• US-CERT
• CERT
• Build Security In
• Information Assurance Technology Analysis Center (IATAC)
• National Institute of Standards and Technology (NIST) Computer Security Resource Center
• National Vulnerability Database
• Common Criteria
• NSA Security Configuration Guides
• Stay Safe Online
• Top 100 Network Security Tools
• European Network and Information Security Agency

Posted in security | No Comments »

July 17, 2010 by mensming.

A coworker pointed me to the following video: Quality Software Development by Yahoo Architect Douglas Crockford (181 MB). The presentation from from the Yahoo 2007 FrontEnd Engineering Summit (March 7-8, 2007).

Below are my notes of the slide titles.

• The Software Crisis
• Craft vs Engineering
• Computer Science has not taught us how to manage software projects
• Software Construction (Good and Bad Analogy)
  
• Nature of Software
• Programming is Difficult
• Lack of Metrics
• Lines of Code - not good
• Programmers are optimists
• Programmers do not understand how they spend their time
• Actual time typing is pretty small
  
• Skeptical of anything that requires more keystrokes
• Programming is a social activity
• Cost of Innovation
• Legacy
• Leaps (of productivity? software capability?)
• Object Oriented Programming (History)
• Failed Leaps
• Software does not have enough self awareness to be afraid of bugs
• Bugs
• Snake Oil / Silver Bullets
• Mythical Man Month (1975)
• Literate Programming (Knuth)
• Significant difference in individual ability
• Surgical Team (Harlan Mills)
• Incrementalism
• Beta (Perpetually Unfinished)
• Application triad (skill, technology, requirements)
• Feature Cost
• Code Value
• Code Quality (Micro and Macro View)
• Simplest thing to enhance value of codebase - make more readable
• Yahoo Javascript coding convention
• Programs are a medium of intentional communications
• Good architecture - necessary structure to keep from collapsing
• How do we change a correct program into another correct program?
• Cruft - “Software Scar Tissue”
• Causes of Cruft
• Bloat - “Software Cancer”
• Insecurity
• Cruft accumulates -> complexity groups -> progress slows
• Refactoring
• Sometimes it is best to start over
• The pain of the crash
• The illusion of completion
• An experienced team can cross that ground again very quickly
• Conclusion

Posted in software engineering, process improvement, security, project management, requirements | No Comments »

February 27, 2010 by mensming.

The 2010 CWE (Common Weakness Enumeration) / SANS Top 25 Most Dangerous Programming Errors has been released. The full report should be required reading for all web programmers and testers. A pdf version is also available.

Here are the 25 items:

1. Failure to Preserve Web Page Structure (’Cross-site Scripting’)
2. Improper Sanitization of Special Elements used in an SQL Command (’SQL Injection’)
3. Buffer Copy without Checking Size of Input (’Classic Buffer Overflow’)
4. Cross-Site Request Forgery (CSRF)
5. Improper Access Control (Authorization)
6. Reliance on Untrusted Inputs in a Security Decision
7. Improper Limitation of a Pathname to a Restricted Directory (’Path Traversal’)
8. Unrestricted Upload of File with Dangerous Type
9. Improper Sanitization of Special Elements used in an OS Command (’OS Command Injection’)
10. Missing Encryption of Sensitive Data
11. Use of Hard-coded Credentials
12. Buffer Access with Incorrect Length Value
13. Improper Control of Filename for Include/Require Statement in PHP Program (’PHP File Inclusion’)
14. Improper Validation of Array Index
15. Improper Check for Unusual or Exceptional Conditions
16. Information Exposure Through an Error Message
17. Integer Overflow or Wraparound
18. Incorrect Calculation of Buffer Size
19. Missing Authentication for Critical Function
20. Download of Code Without Integrity Check
21. Incorrect Permission Assignment for Critical Resource
22. Allocation of Resources Without Limits or Throttling
23. URL Redirection to Untrusted Site (’Open Redirect’)
24. Use of a Broken or Risky Cryptographic Algorithm
25. Race Condition

Posted in security, web testing | No Comments »

January 10, 2009 by mensming.

In a prior post, I described how to use telnet to verify that the HTTP TRACE command is disabled. A commenter asked:

What if telnet is actively being blocked… is there another way to invoke the TRACE request in an attempt to verify whether the potential vulnerability exists?

My immediate reaction was that I needed to research how to do this. What a fool I am…

The fact of the matter is that if an HTTP connection is able to connect to the server than the method I described will still work. Because we are using telnet to impersonate a browser - connecting via port 80 - even if telnet is blocked (usually port 23), using telnet via port 80 will still work. If the browser can connect via this way, so can telnet via port 80.

Posted in security, web testing | No Comments »

December 8, 2008 by mensming.

In the past, the TRACE command in the HTTP specification was considered a “safe” command. However, due to the information disclosed combined with other cross-domain exploits, TRACE is no longer considered safe. See US-CERT Vulnerability Note VU#867593 for more information.

I was asked how to verify that the TRACE command (in Apache) is disabled. The easiest way to do this is to use telnet. Launch telnet.

telnet hostname 80

Now, we can issue the TRACE command for a given url.

TRACE /index.html HTTP/1.0



If TRACE is enabled, you will get output that looks something like this:

HTTP/1.1 200 OK
Date: Fri, 05 Dec 2008 05:59:45 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch
Connection: close
Content-Type: message/http

Connection closed by foreign host.


Now, if TRACE is disabled, the output will look like this:


HTTP/1.1 405 Method Not Allowed
Date: Mon, 08 Dec 2008 21:26:13 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.4 with Suhosin-Patch
Allow:
Content-Length: 347
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /index.html.</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.4 with Suhosin-Patch Server at localhost Port 80</address>
</body></html>
Connection closed by foreign host.


Posted in security, web testing | 6 Comments »