Security Assurance Tools
Amarendra Godbole
Software Security Analyst
Agenda
1. Security assurance and tools
2. Categories and usage
3. Host based
4. Network based
5. CVSS v2
Security Assurance Tools
2
Disclaimer
• Symantec does not endorse these tools
• If anything breaks, both parts are yours. ;-)
• Etc.
Security Assurance and Tools
• Ensure software operates at the designed level of security
• Partial, but invaluable help from tools
– Deep inspection
• Tools are not the “silver bullet”
– Find subset of issues
– Have false positives (FPs) and/or false negatives (FNs)
– Analysis of the results is important; human intelligence is still required
• Defensive tools
– More likely to be allowed in your organization
• Open source
– Check with your legal team for license compatibility.
Categories
• Host-based
– Find issues on the host (permission checkers, config checkers, debuggers)
– Standard system commands/tools are often ignored in favour of more exotic ones (netstat, tcpdump, find, compiler flags anyone?)
• Network-based
– Tools for inspecting network packets (wireshark/ethereal, tcpdump)
– Protocol specific tools (burp proxy, ratproxy, SkipFish for web)
• Numerous other tools (see sectools.org)
Compiler Flags
• Flags enabling protection mechanisms during compile-time
– Visual Studio (VC++) defenses
• /GS
• /SafeSEH
• /DynamicBase
• /NXCompat
– GNU gcc
• -fstack-protector
• -Wformat -Wformat-security
BinScope
• Microsoft verification tool that analyzes binaries
• Checks for compliance with the Microsoft SDLC
• Stand-alone or can be integrated with Visual Studio 2008
Sysinternals Tools
• Windows deep-inspection tools
– Runtime behavior
• Procmon, Filemon, Process Explorer, Regmon – more than 60 tools.
• Allow filtering of results.
find
• Unix command line utility for “finding” things
– World-writable files and directories
– Setuid binaries
# world-writable regular files (-perm -0002 means "at least these bits set")
find / -type f -perm -0002 -exec ls -lg {} \;
# world-writable directories that lack the sticky bit
find / -type d \( -perm -0002 -a ! -perm -1000 \) -exec ls -ldg {} \;
# setuid or setgid binaries
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -lg {} \;
base64 to ASCII encoder/decoder
• c3ltYW50ZWM= (decodes to “symantec”)
• Many sites encode plain-text passwords in base64
– encoding, not encryption.
– offers no security
• http://www.hcidata.info/base64.htm
netstat
• Simple command line utility for Unix and Windows
• Lists the open sockets and socket connections
• List all TCP open ports:
Windows: netstat -an | findstr LISTENING
UNIX: netstat -an | grep LISTEN
Linux: netstat -anpt -A inet | grep LISTEN
tcpdump
• Capture and dump packets, analyze network traffic
• Many options; output can be customized
Wireshark – Network protocol analyzer
• Dissect well-known protocols via Dissectors
– “Follow TCP Stream” option
• Differentiate protocol headers and data/payload
• Filters
Web based tools
• WebScarab
– OWASP tool for use as web proxy
– Inspect and modify the HTTP/S data sent and received by the user agent (browser)
• RatProxy
– Semi-automated, passive web application security tool
– Detects and prioritizes a broad range of web vulnerabilities (XSS, XSRF, cookie issues, trust-model violations, etc.)
CVSS v2 Scores
• Framework to standardize vulnerability scores
Thank you!
Amarendra Godbole
amarendra_godbole@symantec.com
+91 20 4075 4401
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.