Wednesday, January 31, 2007

CERT Secure Coding Standards

From www.cert.org/secure-coding,
As part of the CERT Secure Coding Initiative, the Computer Emergency Response Team (CERT) has deployed a new collaborative web site, SecureCoding, dedicated to developing secure coding standards for various programming languages. CERT's initial efforts are focused on the development of secure coding practices for the C and C++ programming languages. Rules and recommendations for secure coding in C and C++ are now available on the website. The aim of the project is that the practices can be used by software developers for professional development and as the basis for organizational coding standards that support the quality of their products. Software producers can use this information as they develop strategies to avoid vulnerabilities when they write new software.

The development of secure coding practices is a necessary step to stem the ever-increasing threat from software vulnerabilities. CERT's goal is that the enumeration of secure code practices will allow for a common set of criteria that can be used to measure and evaluate software development efforts.
read more ...

Monday, October 23, 2006

CWE - Common Weakness Enumeration

From cwe.mitre.org
CWE is a community-developed dictionary of common software weaknesses targeted to developers and security practitioners.
"...
CWE is a community-developed formal list of common software weaknesses. It serves as a common language for describing software security weaknesses, a standard measuring stick for software security tools targeting these vulnerabilities, and as a baseline standard for weakness identification, mitigation, and prevention efforts.

Leveraging the diverse thinking on this topic from academia, the commercial sector, and government, CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard. Our objective is to help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.
..."
The CWE project provides a Classification Tree of the full list of software weaknesses along with a Full CWE Dictionary. (CWE enumerates weakness types; the individual publicly reported vulnerabilities that exhibit them are tracked separately in CVE.)

'Vulnerability Type Distributions in CVE', published as part of the CWE project, provides research results on publicly reported vulnerabilities. This technical white paper discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion.

The paper identifies and explains trends such as the rapid rise of web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories.

read more ...

Build Security In - BSI

From buildsecurityin.us-cert.gov
Build Security In (BSI) is a project of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). The Software Engineering Institute (SEI) was engaged by the NCSD to provide support in the Process and Technology focus areas of this initiative. The SEI team and other contributors develop and collect software assurance and software security information that helps software developers, architects, and security practitioners to create secure systems.

BSI content is based on the principle that software security is fundamentally a software engineering problem and must be addressed in a systematic way throughout the software development life cycle. BSI contains and links to a broad range of best practices, tools, guidelines, rules, principles, and other knowledge that can be used to build security into software in every phase of its development.
read more ...

An Illustrated Guide to IPsec

From Steve Friedl's Unixwiz.net Tech Tips, unixwiz.net
"...
IPsec is a suite of protocols for securing network connections, but the details and many variations quickly become overwhelming. This is particularly the case when trying to interoperate between disparate systems, causing more than one engineer to just mindlessly turn the knobs when attempting to bring up a new connection.

This Tech Tip means to give bottom-up coverage of the low-level protocols used in an IPv4 context (we provide no coverage of IPv6). This is not a deployment guide or best-practices document — we're looking at it strictly at the protocol level on up, rather than from the big picture on down.
..."
read more ...

Netdude - a Framework for Packet Trace Manipulation

Netdude is a framework for inspection, visualization, and modification of tcpdump packet trace files. Its modular design allows users to interact with the framework at different abstraction levels: a low-level trace navigation wrapper for libpcap called libpcapnav, a high-level API with convenient types for performing common packet manipulation tasks in libnetdude, and a GUI application that allows both small- and large-scale editing previously impossible without writing code. The framework is readily extensible at the libnetdude and GUI levels through its plugin architecture, making it a workbench for the creation of new packet trace tools.
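To make concrete what "inspection and modification of tcpdump packet trace files" means at the byte level, here is an added Python example (written for this page, not Netdude or libpcap code) that parses the classic libpcap file format, rewrites the IPv4 source address of matching frames while fixing the IP header checksum, and writes the trace back out. The two-packet trace it operates on is constructed inline, not a real capture; the MAC addresses, IPs and timestamps are arbitrary.

```python
import struct
from typing import Dict, List, Tuple

# One captured packet: (ts_sec, ts_usec, original_length, captured_bytes)
Record = Tuple[int, int, int, bytes]

LE_MAGIC = b"\xd4\xc3\xb2\xa1"   # 0xa1b2c3d4 written by a little-endian host
BE_MAGIC = b"\xa1\xb2\xc3\xd4"   # 0xa1b2c3d4 written by a big-endian host


def parse_pcap(data: bytes) -> Tuple[Dict, List[Record]]:
    """Parse a libpcap trace: 24-byte global header, then 16-byte record headers + data."""
    magic = data[:4]
    if magic == LE_MAGIC:
        end = "<"
    elif magic == BE_MAGIC:
        end = ">"
    else:
        raise ValueError("not a libpcap trace (unknown magic)")
    vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    hdr = {"endian": end, "version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}
    records: List[Record] = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        records.append((ts_sec, ts_usec, orig_len, pkt))
    return hdr, records


def write_pcap(hdr: Dict, records: List[Record]) -> bytes:
    """Serialise a trace in the same byte order it was read with."""
    end = hdr["endian"]
    out = [LE_MAGIC if end == "<" else BE_MAGIC,
           struct.pack(end + "HHiIII", hdr["version"][0], hdr["version"][1], 0, 0,
                       hdr["snaplen"], hdr["linktype"])]
    for ts_sec, ts_usec, orig_len, pkt in records:
        out.append(struct.pack(end + "IIII", ts_sec, ts_usec, len(pkt), orig_len))
        out.append(pkt)
    return b"".join(out)


def inet_checksum(buf: bytes) -> int:
    """RFC 1071 one's-complement checksum (even-length input); a valid header sums to 0."""
    total = 0
    for i in range(0, len(buf) - 1, 2):
        total += (buf[i] << 8) | buf[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_src_ip(pkt: bytes, old: bytes, new: bytes) -> bytes:
    """Replace the IPv4 source address on an Ethernet/IPv4 frame and fix the IP checksum.
    Non-IPv4 frames and frames with a different source are returned untouched.
    Note: TCP/UDP checksums also cover the addresses and would need recomputing too."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":      # EtherType 0x0800 = IPv4
        return pkt
    ihl = (pkt[14] & 0x0F) * 4
    if ihl < 20 or len(pkt) < 14 + ihl:
        return pkt
    ip = bytearray(pkt[14:14 + ihl])
    if bytes(ip[12:16]) != old:
        return pkt
    ip[12:16] = new
    ip[10:12] = b"\x00\x00"                              # zero before recomputing
    ip[10:12] = struct.pack(">H", inet_checksum(bytes(ip)))
    return pkt[:14] + bytes(ip) + pkt[14 + ihl:]


def build_ipv4_frame(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    """Constructed Ethernet + IPv4 frame with a correct header checksum (arbitrary MACs)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = bytearray(struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                               0x4000, 64, proto, 0, src, dst))
    ip[10:12] = struct.pack(">H", inet_checksum(bytes(ip)))
    return eth + bytes(ip) + payload


def sample_trace() -> bytes:
    """Constructed two-packet trace (not a real capture): an ICMP echo request and an ARP frame."""
    icmp = bytearray(struct.pack(">BBHHH", 8, 0, 0, 1, 1) + b"ping")
    icmp[2:4] = struct.pack(">H", inet_checksum(bytes(icmp)))
    frame1 = build_ipv4_frame(bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]), 1, bytes(icmp))
    frame2 = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28  # ARP
    hdr = {"endian": "<", "version": (2, 4), "snaplen": 65535, "linktype": 1}   # DLT_EN10MB
    return write_pcap(hdr, [(1170000000, 1000, len(frame1), frame1),
                            (1170000001, 2000, len(frame2), frame2)])


def anonymize_trace(data: bytes, old: bytes, new: bytes) -> bytes:
    """Round trip: parse, rewrite matching source addresses, re-serialise."""
    hdr, recs = parse_pcap(data)
    return write_pcap(hdr, [(s, u, o, rewrite_src_ip(p, old, new)) for s, u, o, p in recs])
```

The parse/write pair is the part a trace-manipulation workbench wraps for you; the rewrite step shows why editing traces by hand is error-prone: every layer that checksums the bytes you changed (here the IP header; for TCP and UDP also the transport pseudo-header) has to be fixed up, or the edited trace will be rejected by any tool that validates checksums.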
read more ...

SQL Injection Walkthrough

From SecuriTeam.com
SQL Injection is a technique for injecting SQL queries or commands through application input, most often via web pages. Many web pages take parameters from the user and build an SQL query to the database from them. Take for instance a user login: the page takes the user name and password and issues an SQL query to the database to check whether a user with that name and password exists. With SQL Injection, it is possible to send a crafted user name and/or password that changes the SQL query and thus grants us something else.

The following article from SecuriTeam tries to help beginners grasp the problems they face when trying to utilize SQL Injection techniques, how to apply them successfully, and how to protect themselves from such attacks.
read more ...

HTTP Request Smuggling attack

From Prashant Gawade, Palisade Magazine.
"...
HTTP Request Smuggling (HRS) attack is the result of a device's failure to properly handle malformed inbound HTTP requests. HRS works by taking advantage of discrepancies in HTTP request parsing when one or more HTTP devices are in the data flow between the user and the web server. HTTP Request Smuggling leads to various attacks like web cache poisoning, session hijacking, cross-site scripting etc.
..."
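The "discrepancies in HTTP request parsing" are easiest to see by feeding one byte stream to two parsers that disagree. The added Python example below (written for this page, not code from the Palisade article) implements two request splitters: one that honours only Content-Length, as an older proxy might, and one that honours Transfer-Encoding: chunked, as RFC 7230 requires. The request it splits is constructed inline; the host name `example.test` and the `/admin` path are placeholders. The same stream is one request to the first parser and two to the second, which is the desynchronization smuggling builds on.

```python
from typing import Dict, List, Tuple

# (request line, lower-cased header name -> value, body)
Request = Tuple[bytes, Dict[str, bytes], bytes]


def parse_head(head: bytes) -> Tuple[bytes, Dict[str, bytes]]:
    """Split the request head into the request line and a header dict."""
    lines = head.split(b"\r\n")
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip()
    return lines[0], headers


def read_chunked(rest: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body; returns (body, unconsumed bytes after the trailer)."""
    body = b""
    while True:
        line, _, rest = rest.partition(b"\r\n")
        size = int(line.split(b";")[0], 16)          # ignore chunk extensions
        if size == 0:
            break
        body += rest[:size]
        rest = rest[size + 2:]                       # chunk data plus its CRLF
    while True:                                      # trailer section ends at an empty line
        line, _, rest = rest.partition(b"\r\n")
        if line == b"":
            break
    return body, rest


def split_requests(stream: bytes, policy: str) -> List[Request]:
    """Split one TCP stream into requests.
    policy 'cl': delimit bodies by Content-Length only (ignores Transfer-Encoding).
    policy 'te': use chunked decoding when Transfer-Encoding: chunked is present."""
    requests: List[Request] = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("incomplete request head")
        reqline, headers = parse_head(head)
        if policy == "te" and headers.get("transfer-encoding", b"").lower() == b"chunked":
            body, stream = read_chunked(rest)
        else:
            n = int(headers.get("content-length", b"0"))
            if len(rest) < n:
                raise ValueError("incomplete body")
            body, stream = rest[:n], rest[n:]
        requests.append((reqline, headers, body))
    return requests


def is_ambiguous(headers: Dict[str, bytes]) -> bool:
    """A hardened front end rejects a request carrying both length mechanisms
    rather than guessing which one the next hop will believe."""
    return "content-length" in headers and "transfer-encoding" in headers


def smuggling_sample() -> bytes:
    """Constructed CL.TE request. Content-Length covers the whole body, so a
    length-only device forwards it as one request; a chunked parser stops at the
    '0' chunk and treats the remaining bytes as the start of a second request."""
    smuggled = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
    body = b"0\r\n\r\n" + smuggled
    head = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: %d\r\nTransfer-Encoding: chunked\r\n\r\n" % len(body))
    return head + body
```

In a real chain the smuggled prefix is usually left incomplete so that the next user's request is appended to it on the back-end connection; the example keeps it whole so the split is visible without a second client. For an unambiguous request (one length mechanism) both policies agree, which is the check `is_ambiguous` enforces up front.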

read more ...