Friday, February 27, 2009

Getting the CSSLP

I am pleased to report that I'm now a Certified Secure Software Lifecycle Professional, or CSSLP. This is an (ISC)2 certification introduced late last year. The name doesn't exactly roll off the tongue, but my employer was kind enough to pay the $550 fee (normally $650) for me to go through the gauntlet required to get this cert. Actually, it wasn't that bad. Up until March 31, 2009, CSSLP candidates are not required to take and pass an exam. Instead, you have to submit and pass the CSSLP Experience Assessment. Essentially, this consists of submitting your current resume, writing four essays of 250-500 words each, and getting an endorsement from an (ISC)2 credential holder.

The four essays are not difficult if you have the right experience, but they were time consuming for me. I spent about an hour on each one. The essays must describe your professional experience in 4 of 7 different topic areas:
  1. Applying Security Concepts To Software Development
  2. Software Requirements
  3. Software Design
  4. Software Implementation/Coding
  5. Software Testing
  6. Software Acceptance
  7. Deployment, Operations, Maintenance And Disposal
I have experience in all of these areas, but I chose #1, #3, #4, and #5 for my essays. These topic areas correspond to the domains that represent the CSSLP Common Body of Knowledge (CBK). I'm looking forward to using my experience and knowledge in this area more as time goes on. There seems to be a nascent trend in the industry to be more proactive about developing secure applications, hence a new cert like CSSLP. I believe assessments and penetration testing will continue to be important, but introducing security elements earlier in the process is bound to pay off in more secure software. Hopefully, my new certification will pay off for my company and for me.

Thursday, February 19, 2009

DirBuster Shoots and Scores!

There's a new tool I'm using as part of my security assessments: DirBuster. Developed by James Fisher and now available from OWASP, DirBuster's purpose is to sniff out the existence of directories and files on a server. Nothing more and nothing less. I did not have high expectations when grabbing a copy of DirBuster from the OWASP site. I was shocked at how many features it provides and how well it performs! Don't let the version number of 0.12 fool you. It's a very capable and polished tool.

DirBuster is written in Java (requires v1.6 or above), and the user interface is simple and intuitive. Even the look and feel is top-notch - much better than WebScarab or Burp Suite, for example, which use the default Swing look and feel. James wisely chose to use JGoodies, an open source library designed to make a more aesthetically pleasing Java user interface.

Once you start a scan, DirBuster goes to work. It lists directories and files as they are found. Since some servers don't return 404/Not Found for non-existent directories and files, DirBuster identifies positive hits by comparing each response to a base response for a known, non-existent resource.
Some of the bells and whistles in DirBuster include:
  • configurable number of threads and ability to throttle up or down while a scan is running
  • ability to scan for directories, files, or both
  • file checks are done using extension(s) of your choice
  • ability to narrow a scan to a particular subdirectory
  • ability to do recursive scanning
  • ability to load payloads from a file or to configure pure brute forcing
  • customizable request headers
  • support for basic, digest, and NTLM authentication
  • fuzzing capability for resources that are referenced by URL parameter
  • ability to send traffic through a proxy
  • an informative scan status screen
  • report generation (text files)
  • automatic update feature
For being so polished, DirBuster has some quizzical misspellings. Another small quibble is that the tool's "advanced options" are not saved after you close it down. The author told me there is a new version in the works, and both of these issues will be addressed.

Wednesday, February 4, 2009

CSRF in Novell GroupWise WebAccess

Adrian Pastor found some nasty CSRF issues in Novell GroupWise WebAccess. The one that is truly evil genius is being able to use CSRF to create a forwarding rule in the victim's email settings, allowing an attacker to get a copy of every email the victim receives. Imagine if an executive in a company fell victim. Talk about information leakage!

The point about CSRF that many people do not understand is that you can fall victim
  • without knowing it has happened
  • without clicking a malicious link
  • without JavaScript enabled in your browser
  • with your company having an iron-clad perimeter firewall
The vulnerabilities were responsibly disclosed and Novell has a patch available. It'd be nice to know how the remediation was done. Alas, I do not have a GroupWise system into which I could dive.
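As an added illustration of why the bullets above hold (this is not Novell's fix, which the post says is unknown), here is a synchronizer-token check on a hypothetical "set forwarding rule" endpoint, with constructed in-memory sessions and request dicts standing in for a real web framework. The browser attaches the session cookie to any cross-site request automatically, whether it came from an auto-loaded image or a hidden form, but a forged request cannot include the per-session token that only the legitimate settings page embeds.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session state (assumption:
# one random anti-CSRF token is bound to each session when it is created).
SESSIONS = {}


def start_session():
    """Create a session and bind a fresh random anti-CSRF token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_hex(32), "forward_to": None}
    return sid


def csrf_token_for(sid):
    """Token the legitimate settings page embeds as a hidden form field."""
    return SESSIONS[sid]["csrf_token"]


def set_forwarding_rule(request):
    """State-changing endpoint. Returns (status, message).

    The session cookie alone proves only that the victim's browser sent the
    request, not that the victim intended it. A GET triggered by an <img> tag
    is refused outright, and a cross-site POST fails the token comparison
    because the attacker's page cannot read the token out of the session.
    """
    sid = request.get("cookies", {}).get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    if request.get("method") != "POST":
        return 405, "state changes require POST"
    token = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid anti-CSRF token"
    session["forward_to"] = request["form"]["forward_to"]
    return 200, "forwarding rule updated"


if __name__ == "__main__":
    sid = start_session()
    legit = {"method": "POST", "cookies": {"session": sid},
             "form": {"csrf_token": csrf_token_for(sid), "forward_to": "me@example.com"}}
    # Forged request: cookie rides along automatically, token is absent.
    forged = {"method": "POST", "cookies": {"session": sid},
              "form": {"forward_to": "attacker@example.net"}}
    print(set_forwarding_rule(legit), set_forwarding_rule(forged))
```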