Friday, 11 June 2010

The First Step towards Hybrid Analysis

In the past couple of months we've had several blog posts on hybrid analysis, including Jacob West’s preview of his RSA talk with Jeremiah Grossman on Correlating Static and Dynamic Security Results and Fredrick Lee's pointer to HP's writeup on the benefits of hybrid analysis. While the first one introduced the idea of correlating static and dynamic analysis results and the second emphasized that such correlation leads to a more complete analysis of the application, better prioritized results, as well as reduction of time and cost of fixing vulnerabilities, this current post is a follow-up that goes into a bit more detail with regards to implementing the first step necessary to do such correlation.

The fact of the matter is these two types of analyses work on two different types of input: while static analysis looks at source code, dynamic analysis looks at web traffic. Thus, in order to do correlation between the two there has to exist or be generated a common link that connects two types of findings. While implementing a correlation mechanism by looking at web traffic seems hard, doing it on the static analysis side is a lot more promising. Static analyzer can infer URLs for the findings by analyzing various configuration files. The generated URLs can be included as auxiliary data in as many static findings as possible. This can later serve two purposes, namely assist in matching dynamic and static findings and also provide inputs to dynamic analyzers. The first will lead to better prioritized results and reduction of time and cost to fix vulnerabilities, while the second -- to a more complete analysis of the application.

As of Q2 2010 rulepack update release, Fortify SCA generates URLs for four different Java frameworks: standard J2EE servlets, JSF, and Struts 1 and 2. Generating these URLs turned out to be trickier than it seemed at first due to heavy usage of wild cards and reliance on default context root, which makes it difficult to identify statically scanned application's web root. In general, in order to generate the URLs, SCA (with assistance from rules) looks at the following configuration files (as well as all others that have different names, but the same structure): web.xml, faces-config.xml, struts-config.xml, and struts.xml. We analyze URL patterns as well as direct and indirect URL mappings when possible. We also look at forms and navigation rules to collect information about the page flow of the application. Then we match these up with regular SCA findings based on the source code location of sources and sinks of the findings.

To give a better idea of what I am talking about, here is a concrete example. Fortify SCA finds the following privacy violation vulnerability in PerformRegistration.java class, which is part of an application written with Struts 2 Java framework:

...
Profile profile = new Profile(username, password, firstName, lastName, email, ssn);
System.out.println("added profile for " + profile.getUsername() + " (" + profile.getSsno() + ")");
...

In the code above, an SSN (private information) gets printed to the screen and therefore exposed to the outside world. From struts.xml configuration file we learn that PerformRegistration class is a struts action in a /login namespace:

...
<package name="login" namespace="/login" extends="struts-default,tiles-default">
    <action name="PerformRegistration" class="com.fortify.samples.riches.PerformRegistration">
    ...
    </action>
</package>
...

From web.xml configuration file we learn that struts actions have a .action extension:

...
<filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>*.action</url-pattern>
</filter-mapping>
...

Using these two pieces of information we construct the URL for the PerformRegistration action by concatenating the action’s namespace, name, and extension. Now we know that /login/PerformRegistration.action URL triggers the privacy violation vulnerability described above, and include the URL in the dataflow path for the finding.

While this is just the first step (a.k.a. Hybrid 1.0), we plan on expanding URL generation for static findings to other frameworks and building a much more sophisticated technology on top of it later this year. Once static and dynamic findings are matched up, they can be automatically re-prioritized by taking both analyses into account. Plus, the evidence generated by both types of analyses can be aggregated in one place for each correlated issue, thus demonstrating an exploit of a statically identified finding on the one hand, and a source location for fixing a dynamically identified finding on the other. And this is exactly what Hybrid 2.0 will offer.

Posted by yoneil at 2:19 PM in Fortify
Responses (0)

Thursday, 20 May 2010

The True Cost of a Hack

Albert Gonzalez, the hacker who stole over 170 million credit card records from top retailers and credit card processors was sentenced to 20 years in prison a few months ago. Preparing for a presentation recently, I was reminded of just how huge the impact this hacker, working with what appears to have been a small group of accomplices, had on the US economy. As part of the court proceedings the US Department of Justice applied multiple calculations with legal precedent for estimating the losses the hacker’s exploits caused. These estimates range from $400-$780 million USD. Heartland, one of the worst affected targets, claims losses of over $130 million USD already due to legal fees, settlements, and fines.

These calculations got me thinking? How should we measure the cost of a breach like this? Most mechanisms focus on the amount of money the hacker gets out of the stolen accounts, could feasibly get out of the accounts, or in other ways try to measure direct monetary loss to the victim or gain to the hacker. But what about the tens of thousands of identities that could be stolen because of information gathered in the attacks? These soft costs seem to be the true risk of insecure software and they are much, much greater than any financial loss. Until we place some legally-relevant value on them we won't truly be able to measure the impact and justify investments to counter risk.

Posted by jwest at 5:02 PM in Fortify
Responses (0)

Wednesday, 12 May 2010

BSIMM2

BSIMM2 has landed! We have excellent data on the inner workings of 30 major software security initiatives. Download the full pdf report here, or get the quick summary here. The 20 participants that have graciously allowed us to use their names are:
  • Adobe
  • Aon
  • Bank of America
  • Capital One
  • EMC
  • Google
  • Intel
  • Intuit
  • Microsoft
  • Nokia
  • QUALCOMM
  • Sallie Mae
  • Standard Life
  • SWIFT
  • Symantec
  • Telecom Italia
  • DTCC
  • Thomson Reuters
  • Vmware
  • Wells Fargo
Posted by bchess at 3:16 PM in Fortify
Responses (0)

Friday, 7 May 2010

Expansion of Domain Names to Include Non-latin Characters

Recently, Internet Corporation for Assigned Names and Numbers (ICANN) approved the addition of non-Latin domain names to the Internet’s master directory of domain names. As a result, Arabic users will soon be able to access websites with URL’s written entirely in Arabic characters. Companies will be able to reach out to new audiences.

In the short term, there will be more opportunity for attackers to conduct phishing attacks against sites registered within these new domains. The domains are relatively new with a lot of unregistered space. As a result, attackers should be able to register plenty of unclaimed space for subsequent phishing attacks. With an expanded web audience and domains, the volume of phishing attacks should continue to rise.

In the long term, the security community will need to focus on finding better solutions to detecting phishing sites using methods beyond blacklisting. Blacklisting will be an increasingly unmaintainable solution to prevent users from visiting an ever-increasing and diverse set of phishing sites. Many different solutions have been proposed. Check out this article that provides a good overview of various solutions.

Here is the original article that inspired this blog post.

Technorati Tags:

Posted by jcarter at 11:50 AM in Fortify
Responses (0)

Wednesday, 14 April 2010

Static Analysis: A Science or An Art?

Last Monday marked the beginning of my seventh year at Fortify. During the last six years, I’ve been participating in several efforts to perform scientific experiments in the area of static analysis. Some focus on comparing different static analysis tools. Others have a goal of establishing guidelines for the code that should be analyzable by static analysis. While others want to define the notion of compliance as it is applied to the tools – that is, define a set of requirements that the tools need to meet in terms of the kinds of vulnerabilities they detect and results they generate. I think static analysis is still a little bit of an art, so while the knowledge we gain from such efforts is potentially amazingly useful, the challenges we face must be addressed before the outcomes of similar endeavors become beneficial. Some of the challenges I personally ran into are discussed below.

- Different tools generate different results. Time and time again, we witness differences in the output generated by static (ant not just static) analysis tools. Even though the tools claim to be looking for the same kinds of problems, techniques they use differ enough to generate results with very little overlap. In fact, even if they do overlap, it is very difficult to correlate them because they differ in format and metadata that is associated with each finding.

- Evaluating generated results is not enough. When comparing static analysis tools, evaluating generated results is definitely important, but considering other aspects of the product’s usage is critical. The tool might be producing excellent findings with low false positive rates, but be completely unusable because it does not integrate well into build systems, does a poor job of managing and tracking results, or cannot be customized to fit specific user needs.

- Definition of false positive is highly subjective. To some, false positive means reporting something that is not true under any circumstances, while to others a result that is not interesting in the current context is also a false positive. Which brings me to the last and probably most interesting challenge:

- Tools perform differently in different contexts. The same tool can perform very poorly in one situation and amazingly well under different circumstances. It all depends on the kinds of constructs and libraries used in the code, the size of the codebase, build system used for building the code, application profile (whether it is internal or externally facing), whether the user wants to treat the database as a source of untrusted data, and a lot of other factors that we sometimes don’t even think about in advance. Obviously, it is impossible to build one tool that understands different contexts equally well out-of-the-box. That’s why it’s so important to build a product that is extremely flexible -- can be easily customized, configured, and extended in various ways that make the most sense. It is not easy!

Perhaps, in the future things will change -- different techniques the tools use to perform analysis and interfaces for interacting with the tools will converge, but I think we’re not there yet. That’s why, before we attempt to compare tools in a scientific fashion and try to define binary compliance guidelines for the products by requiring them to generate a set of specific results on a set of specific benchmarks, we need to acknowledge and address the challenges current state of the art (pun intended) presents.

Posted by yoneil at 9:59 AM in Fortify
Responses (0)

Friday, 2 April 2010

Top 3 Reasons You Need Hybrid Analysis.

HP has a nice write-up posted about the benefits of the HP/Fortify Hybrid Analysis 2.0. Check it out!
Posted by flee at 5:06 PM in Fortify
Responses (0)

Wednesday, 31 March 2010

Schneier on Software Security Assurance

In a recent post titled Should the Government Stop Outsourcing Code Development?, Bruce Schneier dismisses the connection between where code is written and, instead, rightly focuses attention on how code is written. Specifically, he describes assurance as being "less about developing new security techniques than about using the ones we already have."

At Fortify, we couldn't agree more. Our Software Security Assurance (SSA) program is all about helping organizations bring together their people, process, and technology to deliver software that has security built-in from the ground up. As Schneier points out, security can't just be a requirement, it needs to be a priority! Give the blog post a read and see if it doesn't leave you agreeing that security has more to do with how your software is built than where it is built.

Posted by jwest at 1:27 PM in Fortify
Responses (0)

Monday, 22 March 2010

Q1 release from Fortify SRG

If you're a Fortify customer you already know we released updates in three main areas at the end of February (we always release the last business day of the second month of the quarter). If you haven't seen these updates, I decided to post a summary of what we've been up to here. As of this release, the Fortify Secure Coding Rulepacks detect 439 unique categories of vulnerabilities across 18 languages and over 650,000 individual APIs. In brief, our latest releases include:

Fortify Secure Coding Rulepacks
  • Oracle Application Framework – Support for Oracle Application Framework (OA Framework), the Oracle Applications development and deployment platform for HTML-based business applications.
  • CakePHP – Support for the CakePHP rapid development framework, which includes the model-view-controller framework and simplifies database interaction.
  • SANS/CWE, OWASP, FISMA Standards Support – Vulnerabilities generated by this rulepack now include a reference to like issues found in the 2009 SANS/CWE Top 25, OWASP 2010 Top 10, and FISMA (specifically FIPS-200).
  • 4 New Categories – New categories include Race Condition: Format Flaw, Process Control: Invoker Servlet, and CakePHP Misconfiguration vulnerabilities.
  • 50+ Enhancements – Over 50 internally and externally requested minor enhancements.

    Fortify RTA Rulepack Kit
  • Spring Security 2 – Provides support for identifying brute force logins and report Spring Security authorization failures and privilege changes at runtime.

    Premium Content
  • Microsoft SDL – Process templates for Fortify 360 Governance users implementing the four security maturity models in the Microsoft Security Development Lifecycle (MS SDL): Basic, Standardized, Advanced, and Dynamic.
  • CVSS – Project templates for auditors using Fortify SCA and Audit Workbench to annotate vulnerabilities using the Common Vulnerability Scoring System (CVSS).
    • Posted by jwest at 12:18 PM in Fortify
    Responses (0)

    Monday, 1 March 2010

    BSIMM2

    Planning a software security initiative can benefit from understanding and analyzing real-world software security initiatives. That is exactly the purpose of the BSIMM project which gathers data from leading software security initiatives. The number of initiatives studied thus far reached 30 which means that applying statistical analysis on the data makes sense. But before going that route, can’t there be anything simpler derived from the data that gives a useful insight in to it? Well, I think that ranking the activities by what was observed the most is simple and very useful. The top 15 activities can be found in the latest informIT column on the BSIMM and is definitely worth a read!
    Posted by mmadou at 7:04 PM in Fortify
    Responses (0)

    Wednesday, 24 February 2010

    Hitler and Cloud Computing Security

    Props to Marcus Ranum and Gunnar Peterson for a brilliant rendition of this YouTube standard.
    Posted by bchess at 8:58 PM in Fortify
    Responses (0)