June 16, 2010
Secure development: why security awareness is a failure

I have finished reading a nice article from Dark Reading about secure development or, said otherwise, taking security into account when developing software.

Two major problems are brought forward:

  • your average developer doesn’t have the mindset needed to understand security, and that mindset doesn’t play well with the creative side of the craft.

  • security awareness and training programs are a failure. Budget constraints aside, developers would never choose security over meeting their deadlines.

I can see the logic behind the (partial?) failure of security awareness and training programs. Think about Time to Market, competitiveness, frequent evolution of technologies and needs and you’ll get the idea. In this context, adding a security brick to an already unsteady building which is way behind the defined deadlines is unrealistic. According to Caleb Sima, CEO of Armorize, a secure development software vendor:

“If I’m a developer, as soon as I’ve been assigned a project, I’m already behind. If there’s a faster way to do something, they’re going to take it, because for them speed is more important than security.”

So what options do we have?

According to Fortify, another secure development software vendor, many development companies add a security specialist to their development team. This person is in charge of bridging the gap between the security and development teams, but also helps identify and correct vulnerabilities.

This approach has some serious limitations, however: the security specialist might not identify all vulnerabilities given the diversity of projects and programming languages. More importantly, she might become a bottleneck in the team, as everyone waits for her feedback before moving forward and/or rushes to her with urgent requests because of the deadlines.

To solve this problem, some organizations opt for secure development frameworks such as BSIMM, but these are pretty heavy to implement and they require a formalized development process.

According to many of the interviewed experts, one solution consists of using vulnerability identification tools that nicely integrate with the IDEs and automatically identify vulnerabilities as code is written. While the experts here are heavily biased given that they work for companies that provide such tools, I think the point is valid nonetheless.

Given the time and budget constraints that most (if not all) software development projects have to take into account, such tools might really help a lot: they act like an off-the-shelf debugger or code quality checker and integrate nicely into the existing toolchain, especially if their output is not some security mumbo jumbo.

This approach is admittedly limited to code validation/checking. Some important phases of the development process, such as use cases or design, are not covered; but if you think you can easily take security into account during those stages, be my guest.

This is a step in the right direction, and a pragmatic one that takes developer needs and constraints into account instead of the other way around.

February 25, 2010
Keimpx, nifty tool for testing SMB credentials

Full description and usage, by Bernardo Damele A. G., the tool's author. Thanks to Richard Bejtlich for the link.

February 23, 2010
Automating scans on Nessus 4.2

With the release of Nessus 4.2, the nessus command-line client has been deprecated. Even though it is still distributed with the new release, no new functionality is being added to it. Moreover, it is only able to generate reports in the Nessus v1 format, not the new Nessus v2 format, which is far easier to parse and better organized.

Automating scans with Nessus 4.2 can be performed by leveraging the new XMLRPC interface. All you need is something to generate HTTP POST requests with the right parameters and something to parse the XML responses you get back.

As of this writing, official Nessus documentation on how to do so is not available yet. However, a few mail exchanges with Renaud Deraison, Chief Research Officer at Tenable Security Inc., got me started, and he provided very useful tips that I’d like to share with you in case you need to automate scans as I do.

To issue requests, you need to submit a login token (which you can think of as a cookie) to the Nessus scanner to prove your identity. So the first thing you need to do is log in to the scanner and retrieve a login token.

But first, let me define a base URL that I am going to use throughout this post: https://my.nessus.scanner:8834. Replace my.nessus.scanner with the FQDN of your Nessus scanner, its IP address, or even localhost if you are interacting with it on the same box it is installed on.

Nessus uses a self-signed certificate, so you’ll need to make provisions for this in your programs/scripts. Also, please note that we are using the same TCP port you’d use with a traditional browser.

Login to the scanner

When you issue a login request, Nessus replies with a login token. You can think of this token as a cookie: it is all you need to authenticate to Nessus from now on. A login token looks like this: 81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a

Launch a new scan

The policy_id parameter is the scan policy identifier. Obviously, you will need to use your browser to create a scan policy first so that you have this ID. The scan_name is a human-friendly name for your scan, just as when you launch a scan from the Web UI. Please note that Nessus assigns each scan a unique identifier (uuid) that looks like this: 60c6eaa3-5063-0a70-bf33-c00b71d4cfaf97af24f344d0bfa1

To download or delete a scan report, you will need this uuid.

List current scans/reports

If a scan is completed (i.e. a scan report is ready), the status subnode of its report node in the XML response you get back (each scan/report has a corresponding report node) reads completed.

Download a report

The report parameter is the report UUID.

Delete a report
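The whole workflow described above (log in, launch a scan, poll the scan list until the report is ready, download the Nessus v2 report, delete it), as an added example that is not code from the original post or from Tenable. It uses only the standard library: urllib for the HTTP POST requests and xml.etree for the XML replies. The endpoint paths (/login, /scan/new, /scan/list, /file/report/download, /report/delete), the reply layout (<reply><status>…</status><contents>…</contents></reply>) and the sample replies embedded below are my assumptions and constructed samples, not captured scanner output; check the paths against your scanner. The self-signed certificate is handled by trusting an exported copy of the scanner's certificate rather than by disabling verification.

```python
import os
import ssl
import time
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Base URL from the post: replace the host with your scanner's FQDN or IP.
BASE_URL = "https://my.nessus.scanner:8834"

# Constructed sample replies in the layout I assume the scanner uses (not captured output).
SAMPLE_LOGIN_REPLY = b"<reply><seq>1</seq><status>OK</status><contents><token>0123abcd</token></contents></reply>"
SAMPLE_SCAN_NEW_REPLY = b"<reply><seq>2</seq><status>OK</status><contents><scan><uuid>aaaa-1111</uuid></scan></contents></reply>"
SAMPLE_SCAN_LIST_REPLY = b"""<reply><seq>3</seq><status>OK</status><contents><scans><scanList>
<scan><uuid>aaaa-1111</uuid><status>completed</status></scan>
<scan><uuid>bbbb-2222</uuid><status>running</status></scan>
</scanList></scans></contents></reply>"""
SAMPLE_ERROR_REPLY = b"<reply><seq>4</seq><status>ERROR</status><contents/></reply>"


def build_ssl_context(scanner_cert_pem=None):
    """Nessus ships a self-signed certificate. Instead of turning verification off,
    export that certificate once (hypothetical PEM file) and trust exactly that file."""
    ctx = ssl.create_default_context()
    if scanner_cert_pem is not None:
        ctx.load_verify_locations(cafile=scanner_cert_pem)
    return ctx


def reply_status(xml_bytes):
    """Every reply carries a top-level <status> element (assumed layout)."""
    return ET.fromstring(xml_bytes).findtext("status")


def check_reply(xml_bytes):
    """Parse a reply and refuse to go on unless the scanner answered OK."""
    root = ET.fromstring(xml_bytes)
    if root.findtext("status") != "OK":
        raise RuntimeError("Nessus replied with status %r" % root.findtext("status"))
    return root


def parse_token(xml_bytes):
    """Login reply -> the cookie-like login token the post describes."""
    return check_reply(xml_bytes).findtext("contents/token")


def parse_scan_uuid(xml_bytes):
    """Scan launch reply -> the uuid needed later to download or delete the report."""
    return check_reply(xml_bytes).findtext("contents/scan/uuid")


def parse_scan_statuses(xml_bytes):
    """Scan list reply -> {uuid: status}; 'completed' means the report is ready."""
    root = check_reply(xml_bytes)
    return {scan.findtext("uuid"): scan.findtext("status")
            for scan in root.findall("contents/scans/scanList/scan")}


class NessusClient:
    """HTTPS POST wrapper; endpoint paths are assumptions. Per the post's addendum,
    log in with a non-administrator account."""

    def __init__(self, base_url=BASE_URL, scanner_cert_pem=None):
        self.base_url = base_url.rstrip("/")
        self.ctx = build_ssl_context(scanner_cert_pem)
        self.token = None

    def _post(self, path, **params):
        if self.token is not None:
            params.setdefault("token", self.token)  # the token travels as a POST parameter
        req = Request(self.base_url + path, data=urlencode(params).encode(), method="POST")
        with urlopen(req, context=self.ctx) as resp:
            return resp.read()

    def login(self, username, password):
        self.token = parse_token(self._post("/login", login=username, password=password))
        return self.token

    def launch_scan(self, policy_id, scan_name, target):
        return parse_scan_uuid(self._post("/scan/new", policy_id=policy_id,
                                          scan_name=scan_name, target=target))

    def list_scans(self):
        return parse_scan_statuses(self._post("/scan/list"))

    def wait_for_report(self, uuid, poll_seconds=30, timeout=3600):
        """Poll the scan list until our uuid shows as completed; False on timeout."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            if self.list_scans().get(uuid) == "completed":
                return True
            time.sleep(poll_seconds)
        return False

    def download_report(self, uuid):
        """Returns the Nessus v2 XML report as bytes."""
        return self._post("/file/report/download", report=uuid)

    def delete_report(self, uuid):
        check_reply(self._post("/report/delete", report=uuid))


if __name__ == "__main__":
    # Placeholders: exported scanner cert, account name and a NESSUS_PASSWORD env var.
    c = NessusClient(scanner_cert_pem="nessus-scanner.pem")
    c.login("scanner-user", os.environ["NESSUS_PASSWORD"])
    uuid = c.launch_scan(policy_id=1, scan_name="nightly", target="192.0.2.10")
    if c.wait_for_report(uuid):
        with open("nightly.nessus", "wb") as f:
            f.write(c.download_report(uuid))
        c.delete_report(uuid)
```

The parsing functions are kept separate from the HTTP layer so they can be checked offline against the constructed replies; `check_reply` stops the script as soon as a reply is not OK (for example a login attempt that failed), which is what you want before the script starts acting on an empty token.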

This should be enough to get you started. In upcoming posts, I will give more detailed examples and some code snippets that might prove useful.

Big thanks to Renaud for providing some precious help!

EDITED TO ADD (2010.03.31): Apparently, you need to use a non-administrator account to be able to interact with Nessus 4.2 the way I describe it, as Chris Counselman pointed out in the comments below. Thanks Chris!
