
Security Assurance Tools



Presentation Transcript


  1. Security Assurance Tools
     Amarendra Godbole, Software Security Analyst

  2. Agenda
     1. Security assurance and tools
     2. Categories and usage
     3. Host based
     4. Network based
     5. CVSS v2

  3. Disclaimer
     • Symantec does not endorse these tools
     • If anything breaks, both parts are yours. ;-)
     • Etc.

  4. Security Assurance and Tools
     • Ensure software operates at the designed level of security
     • Partial, but invaluable, help from tools
       • Deep inspection
     • Tools are not the “silver bullet”
       • Find a subset of issues
       • Have false positives (FPs) and/or false negatives (FNs)
       • Analysis is important – human intelligence
     • Defensive tools
       • More likely to be allowed in your organization
     • Open source
       • Check with your legal team for license compatibility.

  5. Categories
     • Host-based
       • Find issues on the host (permission checkers, config checkers, debuggers)
       • Standard system commands/tools get ignored in the light of more exotic ones (netstat, tcpdump, find, compiler flags anyone?)
     • Network-based
       • Tools for inspecting network packets (Wireshark/Ethereal, tcpdump)
       • Protocol-specific tools (Burp Proxy, RatProxy, Skipfish for web)
       • Numerous other tools (see sectools.org)

  6. Compiler Flags
     • Flags enabling protection mechanisms at compile time
     • Visual Studio (VC++) defenses
       • /GS
       • /SafeSEH
       • /DynamicBase
       • /NXCompat
     • GNU gcc
       • -fstack-protector
       • -Wformat -Wformat-security

  7. BinScope
     • Microsoft verification tool that analyzes binaries
     • Checks for compliance with the Microsoft SDLC
     • Stand-alone, or can be integrated with Visual Studio 2008

  8. Sysinternals Tools
     • Windows deep-inspection tools
     • Runtime behavior
     • Procmon, Filemon, Process Explorer, Regmon – more than 60 tools.
     • Allow filtering of results.

  9. find
     • Unix command line utility for “finding” things
     • World-writable files and directories
     • Setuid binaries

       find / -type f -perm -0002 -exec ls -lg {} \;
       find / -type d \( -perm -0002 -a ! -perm -1000 \) -exec ls -ldg {} \;
       find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -lg {} \;

     (-perm -0002 matches any file with the other-write bit set; a bare -perm 0002 would only match a file whose mode is exactly 0002.)
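The three find commands above, reimplemented as a Python audit so the policy they encode (world-writable files, world-writable directories without the sticky bit, setuid/setgid files) can be run against any tree and unit-tested. This is an added example, not code from the presentation; the temp-directory fixture in run_demo, its file names and modes, are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List


def audit_permissions(root: str) -> Dict[str, List[str]]:
    """Walk `root` and collect the same three classes of risky objects that
    the slide's find commands look for. Paths are returned relative to root.

      world_writable_files : regular files with the "other write" bit (o+w)
      world_writable_dirs  : directories with o+w but WITHOUT the sticky bit
                             (a sticky, world-writable dir like /tmp is the
                             accepted pattern; one without the bit is not)
      setuid_setgid_files  : regular files with setuid or setgid set
    """
    found: Dict[str, List[str]] = {
        "world_writable_files": [],
        "world_writable_dirs": [],
        "setuid_setgid_files": [],
    }
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode   # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                found["world_writable_dirs"].append(os.path.relpath(path, root))
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if not stat.S_ISREG(mode):
                continue            # symlinks, sockets, fifos are out of scope
            if mode & stat.S_IWOTH:
                found["world_writable_files"].append(os.path.relpath(path, root))
            if mode & (stat.S_ISUID | stat.S_ISGID):
                found["setuid_setgid_files"].append(os.path.relpath(path, root))
    return {k: sorted(v) for k, v in found.items()}


def run_demo() -> Dict[str, List[str]]:
    """Build a small constructed tree in a temp dir, audit it, clean up.
    Names and modes are invented for this example."""
    base = tempfile.mkdtemp(prefix="permaudit_")
    try:
        os.mkdir(os.path.join(base, "bin"), 0o755)
        os.mkdir(os.path.join(base, "dropbox"))
        os.mkdir(os.path.join(base, "tmp_like"))
        for name in ("normal.txt", "loose.txt", "bin/suidtool"):
            with open(os.path.join(base, name), "w") as fh:
                fh.write("x\n")
        # chmod explicitly so the process umask does not change the outcome
        os.chmod(os.path.join(base, "dropbox"), 0o777)          # o+w, no sticky bit -> reported
        os.chmod(os.path.join(base, "tmp_like"), 0o1777)        # o+w but sticky -> accepted
        os.chmod(os.path.join(base, "normal.txt"), 0o644)       # clean
        os.chmod(os.path.join(base, "loose.txt"), 0o666)        # world-writable file
        os.chmod(os.path.join(base, "bin", "suidtool"), 0o4755) # setuid
        return audit_permissions(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {paths}")
```

Running it on a real host is `audit_permissions("/")`; expect it to take as long as the find commands do, and review hits against the platform's known setuid binaries and sticky directories rather than treating every entry as a defect.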

  10. base64 to ASCII encoder/decoder
     • c3ltYW50ZWM=
     • Many sites encode plain-text passwords to base64
       • encoding, not encryption
       • offers no security
     • http://www.hcidata.info/base64.htm

  11. netstat
     • Simple command line utility for Unix and Windows
     • Lists the open sockets and socket connections
     • List all open TCP ports:

       Windows: netstat -an | findstr LISTENING
       UNIX:    netstat -an | grep LISTEN
       Linux:   netstat -anpt -A inet | grep LISTEN
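The grep/findstr pipelines above only show the listening lines; the next question is which of those sockets are bound to every interface. The parser below, an added example that is not part of the presentation, handles both the Windows `netstat -an` layout and the Linux `netstat -anpt` layout and flags all-interface binds. The two sample outputs are constructed; their addresses, PIDs and program names are invented.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -an` on Windows (invented values)
WINDOWS_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:49672      52.96.1.1:443          ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

# Constructed sample of `netstat -anpt` on Linux (invented values)
LINUX_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1043/mysqld
tcp        0      0 10.0.0.8:22             10.0.0.2:51034          ESTABLISHED 2210/sshd: user
tcp6       0      0 :::80                   :::*                    LISTEN      1500/apache2
"""

# Bind addresses that mean "every interface"
ANY_ADDRESS = {"0.0.0.0", "::", "[::]", "*"}


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'127.0.0.1:3306' -> ('127.0.0.1', 3306); ':::80' -> ('::', 80)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def listening_tcp(text: str) -> List[Dict]:
    """Return one record per listening TCP socket, sorted by port.
    Layout is detected per line: Windows rows start with 'TCP' and have
    (proto, local, foreign, state); Linux rows start with 'tcp'/'tcp6' and
    carry Recv-Q/Send-Q before the address plus an optional PID/program."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        proto = tokens[0]
        if proto == "TCP" and len(tokens) >= 4:              # Windows layout
            local, state, program = tokens[1], tokens[3], None
        elif proto in ("tcp", "tcp6") and len(tokens) >= 6:  # Linux layout
            local, state = tokens[3], tokens[5]
            program = None
            if len(tokens) > 6 and "/" in tokens[6]:
                program = tokens[6].split("/", 1)[1]
        else:
            continue                                         # header, UDP, unknown
        if state not in ("LISTEN", "LISTENING"):
            continue
        host, port = _split_endpoint(local)
        records.append({
            "proto": proto,
            "port": port,
            "bind": host,
            "program": program,
            "all_interfaces": host in ANY_ADDRESS,
        })
    return sorted(records, key=lambda r: r["port"])


def exposed_ports(text: str) -> Set[int]:
    """Ports bound to every interface, i.e. reachable from other hosts
    unless a host firewall intervenes."""
    return {r["port"] for r in listening_tcp(text) if r["all_interfaces"]}


if __name__ == "__main__":
    for label, sample in (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE)):
        print(label, listening_tcp(sample), "exposed:", sorted(exposed_ports(sample)))
```

Feed it real output with `listening_tcp(subprocess.check_output(["netstat", "-anpt"], text=True))`; the loopback-only MySQL in the sample is the kind of entry this separates from the services that are actually reachable from the network.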

  12. tcpdump
     • Capture and dump packets, analyze network traffic
     • Many options, customizable output

  13. Wireshark – Network protocol analyzer
     • Dissects well-known protocols via dissectors
     • “Follow TCP Stream” option
     • Differentiates protocol headers from data/payload
     • Filters

  14. Web based tools
     • WebScarab
       • OWASP tool for use as a web proxy
       • Inspect and modify HTTP/S data between the user agent and the server
     • RatProxy
       • Semi-automated, passive web application security tool
       • Detects and prioritizes a broad range of web vulnerabilities (XSS, XSRF, cookie issues, trust-model violations, etc.)

  15. CVSS v2 Scores
     • Framework to standardize vulnerability scores

  16. Amarendra Godbole
     amarendra_godbole@symantec.com
     +91 20 4075 4401
