Professional, Intermediate, Novice User Guide for all of Us

19 Deadly Sins

August 22nd, 2008 chris

About 95 percent of software security bugs come from 19 “common, well-understood” programming mistakes, also called the 19 Deadly Sins of Software Security. They are the following:

  1. Buffer Overruns
  2. Format String Problems
  3. Integer Overflows
  4. SQL Injection
  5. Command Injection
  6. Failing to Handle Errors
  7. Cross-Site Scripting
  8. Failing to Protect Network Traffic
  9. Use of Magic URLs and Hidden Form Fields
  10. Improper Use of SSL and TLS
  11. Use of Weak Password-Based Systems
  12. Failing to Store and Protect Data Securely
  13. Information Leakage
  14. Improper File Access
  15. Trusting Network Name Resolution
  16. Race Conditions
  17. Unauthenticated Key Exchange
  18. Cryptographically Strong Random Numbers
  19. Poor Usability

Working Out, Sweating it Out - Cigital Workbench

August 18th, 2008 chris

Doing risk management without automation is a tedious process. A key requirement for putting a Risk Management Framework into practice is automating aspects of the process. The aspects best suited for automation are tracking, storing, and manipulating data about risks; displaying and measuring data about risks; and providing critical information and automated support for the process itself.

Cigital provides professional services based on applying the Risk Management Framework philosophy. Using a toolset called the Workbench makes our jobs as consultants more efficient, effective, and consistent. The Workbench is a combination of simple tools and automated processes that help consultants assess software quality.

The Workbench has three major components:

  1. Quality workflows and knowledge
    • Automated RMF
    • Process models and detailed descriptions of software assurance methods (called “the Matrix” internally)
    • Deliverable templates, reporting, and metrics
  2. Project communication and collaboration tools
    • A risk management dashboard, used to communicate risk mitigation status and progress
    • A complete knowledge management and document management system
    • Decision criteria and guidance
  3. Process evolution and knowledge capture
    • Process models built to be instantiated and adjusted in particular projects
    • History and knowledge catalogs

The Five Stages of Activity

August 11th, 2008 chris

The Risk Management Framework consists of five fundamental activity stages:

  1. Understand the business context
  2. Identify the business and technical risks
  3. Synthesize and prioritize the risks, producing a ranked set
  4. Define the risk mitigation strategy
  5. Carry out required fixes and validate that they are correct

Risk Management Framework

August 10th, 2008 chris

The Risk Management Framework (RMF) is at its heart a philosophy for software security. Following the RMF is by definition a full-lifecycle activity, no matter whether you’re working on a little project or a huge corporate application strategy. The key to reasonable risk management is to identify and keep track of risks over time as a software project unfolds. For example, as touchpoints are applied and risks are uncovered, an RMF allows us to track those risks and display information about their status. The RMF is a high-level approach to iterative risk management that is deeply integrated throughout the software development lifecycle (SDLC) and unfolds over time. The basic idea is simple: identify, rank, track, and understand software security risk as it changes over time.

Three Pillars of Software Security

July 29th, 2008 chris

Insecure networks are caused by insecure systems, which are built using insecure software methodology. Yes, today’s security problem is caused by the bad practices of the organizations that built the software running corporate systems and networks. To fix this, one needs to revamp old habits, dig deep under the foundation, and pour in high-grade cement: sound software development practices. Build up heavy-duty pillars to carry the ceiling, so that the roof shields your organization from the storm of threats. The pillars that carry the load and keep you safe and secure are the following:

  1. Applied Risk Management
  2. Software Security Touchpoints
  3. Knowledge

Trinity of Trouble

July 23rd, 2008 chris

Security nowadays is more of a necessity than a luxury. Because of the spread of networks and the internet, every system is a sitting duck for predators. Three trends have a great influence on the growth and evolution of the security problem. They are called the Trinity of Trouble, and they are the following:

  1. Connectivity
  2. Extensibility
  3. Complexity

Security Issues on Shared Hosting

July 23rd, 2008 chris

The following are the five issues to watch for on shared hosting:

  1. Exposed Source Code
  2. Exposed Session Data
  3. Session Injection
  4. Filesystem Browsing
  5. Safe Mode

Security Issues on Authentication and Authorization

July 23rd, 2008 chris

The following are the four issues to watch for in authentication and authorization:

  1. Brute Force Attacks
  2. Password Sniffing
  3. Replay Attacks
  4. Persistent Logins

Security Issues on Files and Commands

July 23rd, 2008 chris

The following are the three issues to watch for with files and commands:

  1. Traversing the Filesystem
  2. Remote File Risks
  3. Command Injection

Security Issues on Includes

July 23rd, 2008 chris

The following are the four issues to watch for with includes:

  1. Exposed Source Code
  2. Backdoor URLs
  3. Filename Manipulation
  4. Code Injection